Configuring Project.net to use an LDAP or Active Directory server

From Pnet-Community

Configuring Project.net to use LDAP or Active Directory Authentication

Overview

When the Project.net software is first installed, a single authentication domain is defined called "Global Domain." Since there is only a single authentication domain, all users register with and log in against this domain. The Global Domain is based on Project.net's native authentication, that is, the software stores the password and authenticates the user when they log in.

As an alternative, Project.net can authenticate against one or more LDAP or Active Directory servers. In fact, Project.net can select among alternate LDAP/AD servers based upon the active configuration (for more information on configurations see Basic Description of Configurations). This document covers the steps necessary to configure Project.net to use an LDAP domain or Active Directory (AD) server; where Active Directory configuration differs from LDAP, the differences are called out.

Prerequisites

  • There are two user entries you will need in the LDAP server in order to configure Project.net and test its connection to the LDAP server:
    • A user in the directory that Project.net will use to authenticate itself and run queries to authenticate people logging into Project.net. This entry does not need an email address, phone number or other user attributes.
    • A regular user account that can be used to test Project.net's LDAP configuration, either a "test" user or a regular user. The important thing is that this entry has the full attributes of a regular user. It should also not be the same user as above.
  • Make sure to read through the following instructions and have the information outlined in the tables below.

Create a new Domain for LDAP authentication

  1. Log in as an application administrator
  2. Navigate to the Application Administration space
  3. Click the Domains link in the navigation bar
  4. Click the Create Action Toolbar icon.
  5. Enter the following values:
     Field | Description
     Domain Name | This name will be displayed in the domain dropdown on the Project.net login page.
     Description | Optional description.
     Directory & Authentication Provider | Select LDAP from the dropdown for LDAP authentication.
     Supported Configurations | Select the configurations under which this domain should be available; include Project.net Configuration to have it available in the default configuration.
     Require verification of email address after registration? | Check this option to ensure the email address specified by a user during registration actually belongs to that user. Only uncheck this option when the email address is automatically supplied by the directory provider during registration and cannot be changed by the user until after he or she has logged in.
     Allow users to purchase licenses via credit card? | Uncheck this option.
     Registration Instructions | Enter the instructions Project.net will display when a user registers and is asked to choose a domain. The instructions should indicate the circumstances under which a user would select this domain. The instructions can include references to token values; for example, to refer to the Submit button include {@all.global.toolbar.action.submit}
  6. Click the Submit button.

Note: Currently you must submit the Edit Domain page before changing the Directory Provider Configuration settings. Clicking on the Directory Provider Configuration tab without first submitting will cause an error.

Configure Access to the LDAP Directory

  1. Navigate to the Application Administration space and click the Domains link
  2. Click on the LDAP domain to configure
  3. Click the Modify Action Toolbar icon.
  4. Click the Directory Provider Configuration sub-tab
  5. Enter the following values:
     Field | Description
     Hostname List | Enter one or more LDAP hostnames, separated by commas (ex. ldap.project.net, ldap2.project.net). If your LDAP or AD service is served on a non-default port (the default is port 389) you must also specify the port number (ex. ldap1.project.net:389, ldap2.project.net:389).
     Use SSL | Leave unchecked unless you are using a Secure Socket Layer (SSL) connection to your LDAP server.
     SSL Hostname List | If you are using SSL, list the hostnames and ports here.
     Search Base DN | Enter the root of the LDAP server below which all searches will occur, for example dc=arius, dc=com.
     When looking up users | The configuration settings allow you to either use the entire LDAP directory or a specific branch of the directory. Note: searching is used even during the authentication process; since a user enters only his or her username, Project.net must first search the LDAP directory to locate the full DN. In the case of an Active Directory configuration, it is most common to select "Look in this subtree below Search Base DN" with the value cn=Users.
     Object Limit Filter | This filter is required irrespective of the radio option selected above. Enter an LDAP search filter that ensures only Person-type objects are returned; if a search returns other kinds of LDAP objects the behavior is undefined. This filter is appended to any other search filters. For example, to limit results to person-type objects: (objectclass=person). To limit results to person-type objects that have an email address: (&(objectclass=person)(mail=*)). Note: the actual values for the filter depend upon how the LDAP server is set up; these examples are given for an iPlanet server. Note: for Active Directory installations, the most common default is (objectclass=person).
     Login Name Attribute | Enter the LDAP attribute id that corresponds to a person's login name. The value of this attribute is what a user enters in order to log into the application; for example, uid. Note: for Active Directory installations, the Login Name Attribute is commonly sAMAccountName.
     For access without authentication | If your LDAP server supports anonymous read access, select the first radio option. For any LDAP or AD service that requires authenticated access, specify an account (and password) that has search access to the Directory Service. A common practice is to define a "Project.net" user for this purpose. Note: for default AD configurations, user DNs are specified as cn=Project.net User, cn=Users.
     Allow Automatic Registration for this Domain | If a user already exists in the LDAP domain when first logging in to Project.net, should that user be automatically registered with Project.net?
     "Make available for searching..." & Display Name | Check this box to allow Project.net to search this LDAP server when inviting someone to a business or project. If you choose this option, enter a short display name for this LDAP server, which will be displayed in a dropdown list when searching for a user.
  6. Click the Submit button to save the changes.
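As an added illustration (not Project.net's own code), the following Python composes the Directory Provider Configuration fields above into the search that locates a user's DN before the password bind. The hostnames, base DN and attribute names are constructed values, and the escaping step is an assumption added here because the login name typed at the login page ends up inside the search filter.

```python
from typing import List, Optional, Tuple

LDAP_DEFAULT_PORT = 389    # plain LDAP; a simple bind on this port is cleartext
LDAPS_DEFAULT_PORT = 636   # LDAP over SSL ("Use SSL" / SSL Hostname List)

# RFC 4515 escaping for a value placed inside a search filter. Without it a
# login name containing '*' or parentheses would change the filter's meaning.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def parse_hostname_list(hostnames: str, use_ssl: bool = False) -> List[Tuple[str, int]]:
    """Split the comma-separated Hostname List field into (host, port) pairs,
    applying the LDAP or LDAPS default when an entry carries no port."""
    default = LDAPS_DEFAULT_PORT if use_ssl else LDAP_DEFAULT_PORT
    servers = []
    for entry in hostnames.split(","):
        entry = entry.strip()
        if not entry:
            continue
        host, _, port = entry.partition(":")
        servers.append((host, int(port) if port else default))
    return servers

def build_search_base(search_base_dn: str, subtree: Optional[str] = None) -> str:
    """'Look in this subtree below Search Base DN': the subtree RDN (e.g. cn=Users)
    is prepended to the Search Base DN; otherwise the whole directory is used."""
    return f"{subtree},{search_base_dn}" if subtree else search_base_dn

def build_user_filter(login_name_attr: str, login_name: str, object_limit_filter: str) -> str:
    """AND the login-name match with the Object Limit Filter, so only Person-type
    entries can be returned no matter what the user typed."""
    return f"(&({login_name_attr}={escape_filter_value(login_name)}){object_limit_filter})"

def locate_user_search(login_name: str) -> dict:
    """Constructed Active Directory-style settings (not a real deployment)."""
    return {
        "servers": parse_hostname_list("ad1.example.test:389, ad2.example.test"),
        "base": build_search_base("dc=example,dc=test", "cn=Users"),
        "filter": build_user_filter("sAMAccountName", login_name, "(objectclass=person)"),
    }

if __name__ == "__main__":
    # The DN of the single entry this search returns is then used for the password bind.
    print(locate_user_search("jdoe"))
```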

Test the LDAP Connection

  1. Navigate to the Application Administration space and click the Domains link
  2. Click on the LDAP domain to configure
  3. Click the Modify Action Toolbar icon.
  4. Click the Directory Provider Configuration sub-tab
  5. Ensure that at least the Email Address property has been mapped, for example, map it to the mail LDAP attribute.
  6. Click the Submit & Test button
  7. Enter a Login Name and Password of an LDAP user
  8. Click Authenticate

Set up the attribute map

Only one mapping is mandatory: Email Address, which is required during the registration process.

  1. Navigate to the Application Administration space and click the Domains link
  2. Click on the LDAP domain to configure
  3. Click the Modify Action Toolbar icon.
  4. Click the Directory Provider Configuration sub-tab
  5. Scroll down to the Attribute Mapping section
  6. Enter the username of an existing LDAP user (this is the value contained in the LDAP attribute defined by the Login Name Attribute setting).
  7. Click the Search icon; the current LDAP settings will be used to access the directory and look up the available attributes for that user. The attributes will be built into a dropdown list and presented for mapping below.
  8. Map the following values:
     Profile Property | Map to LDAP Attribute | Required?
     Email Address | mail | Y
     First Name | givenName | N
     Last Name | sn | N
     Display Name | cn | N
  9. Click the Submit button to save the changes.

Project.net is now configured to use this LDAP server. Users will have the option of choosing this server for authentication whenever the specified configuration(s) are activated.

Migrating Users from One Domain to Another

Overview

Occasionally, you may need to migrate users from one authentication domain to another. This commonly occurs if you set up an LDAP server but have users who already have accounts on the Project.net Global Domain who now need to be authenticated by the LDAP domain. This also applies if you have multiple LDAP servers and have moved some or all of the users to a different server.

Project.net provides a wizard to help migrate users from one domain to another. The process is initiated by an administrator, but each user completes the wizard themselves. Additionally, any logged-in user may choose to migrate to another domain on their own.

Setup

Create and configure the LDAP domain to which the users will migrate.

Initiating a Domain Migration

  1. Log in as an application administrator
  2. Navigate to the Application Administration space
  3. Click the Domains link in the navigation bar
  4. Click on the domain FROM which the users should migrate
  5. Click on the Manage Users tab
  6. Click the Initiate Domain Migration for All Users link to open a wizard screen.
  7. Click Next
  8. Select the target domain from the dropdown list box
  9. Enter instructions that will be displayed to the user
  10. Click Next
  11. The next page shows which Project.net configurations do not include the target domain in the domain dropdown on their login page. Make sure the configuration you use is NOT listed here; if it is, check the box next to it.
  12. Click Next
  13. Click Finish
  14. Click OK to the confirmation message that appears

Migration Wizard

  1. Log in as a user who is currently registered in the FROM domain.
  2. You will see a prompt that a domain migration has been initiated.
  3. Select Continue with Domain Migration and click Next.
  4. Project.net will prompt for information appropriate to the domain you are migrating to. If it is an LDAP-based domain enter your LDAP username and password (these may be different from your current Project.net username and password). When finished click Next.
  5. Review the profile information and ensure it is correct, then click Next.
  6. Select Finish.
  7. Click OK to confirm the migration.
  8. Now, log in using your new username and password in the target domain.

Self-Migration

A user can choose at any time to migrate to another domain offered by Project.net by following these steps:

  1. Log in as a user who will be migrating from the current domain.
  2. Click Setup in the navigation bar.
  3. Click Personal Profile.
  4. Click the Domain Migration tab.
  5. Select the domain to migrate to.
  6. Click the Migrate Domain button.
  7. Click Next.

The rest of the process is the same as the Migration Wizard steps described above.

More Help