ActiveDirectory

EmForge and Active Directory Integration

It is possible to configure EmForge to use your Windows domain Active Directory for authentication and as the user store. In this case EmForge performs authentication against the domain and reads all user information from it, so you can control user roles via Active Directory, and users do not need to register and create new profiles.

Although EmForge talks to Active Directory via the LDAP protocol, the instructions below follow the Active Directory configuration. Some details on OpenLDAP configuration (for example) can be found on the OpenLDAP page.

Configure Active Directory to use with EmForge

Actually, the only thing you need to do in your Active Directory to use it with EmForge is to create specific groups (roles). In my case (a very simple test example) the directory looks very simple:

So, to work with EmForge you need to create three groups:

  • EmForgeUser - this group should include ALL users allowed to work with EmForge. This is how you control which of your users are allowed to work with EmForge and which are not. These users will be able to log in to EmForge, post comments and create new tasks.
  • EmForgeAdmin - this group should contain the users who receive admin rights (be careful to assign this role only to the proper users, since an admin receives full access to EmForge!)
  • WikiWriter - users included in this group will be able to create/edit/delete wiki pages and attachments (normal users can only edit/add attachments to the descriptions of tasks they created or are assigned to)

When you create the new groups, it is important to set these specific names in the "Group name (pre-Windows 2000)" field; the group name itself may be anything you like (see the picture with the create-new-group dialog example):

Once the new groups are created, just add the proper users to them.

Roles Mapping

If for some reason you need to use non-standard role names (for example, two EmForge instances use the same Active Directory and the users of one instance must be separated from the users of the other), you should change the mapping of role names in config.properties. The default values are:
security.ldap.userRole=EmForgeUser
security.ldap.adminRole=EmForgeAdmin
security.ldap.writerRole=WikiWriter

LDAP

It is important to understand that EmForge uses the LDAP protocol to connect to Active Directory. If everything works, you do not need to know about it, but if something goes wrong, you will need it to investigate the problem.

So, since EmForge uses LDAP to connect to Active Directory, if it does not work, first of all check whether you are able to connect to your Active Directory with any LDAP client (in my case I used Eclipse + the Apache LDAP plugin). In my case my Active Directory looks like on the picture.

Configure EmForge to use ActiveDirectory

To configure EmForge to use Active Directory you will need to edit config.properties - please check the EmForge Setup Guide for information on how to find it (as well as for general information about this file).

First of all, you will need to set some security.ldap.* settings. In my case it was configured like this:

# LDAP/ActiveDirectory settings
security.ldap.enabled=true
security.ldap.url=ldap://localhost/
security.ldap.managerDn=CN=Alexey Kakunin,CN=Users,DC=emdev,DC=ru
security.ldap.managerPassword=12345
security.ldap.usersBase=CN=Users,DC=emdev,DC=ru
security.ldap.searchFilter=sAMAccountName={0}
security.ldap.groupBase=CN=Users,DC=emdev,DC=ru
security.ldap.groupRoleAttribute=sAMAccountName
Important settings here are:
  • security.ldap.url - URL of your Active Directory server
  • security.ldap.managerDn & security.ldap.managerPassword - DN and password of the user EmForge connects to Active Directory as. Unfortunately, you need to specify a domain username and password to make it possible for EmForge to connect to Active Directory (since Active Directory requires authentication when connecting over LDAP). Please keep these settings secure!
  • security.ldap.usersBase - parent container of all users
  • security.ldap.searchFilter - can be left unchanged for Active Directory
  • security.ldap.groupBase - parent container of all groups (actually, the 3 groups you created for EmForge)
  • security.ldap.groupRoleAttribute - can be left as is for Active Directory
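To make the settings above and the role mapping from the previous section concrete, here is an added example (not EmForge's own code) that reads the security.ldap.* values from a config.properties excerpt, fills the {0} placeholder of security.ldap.searchFilter with a login name, and translates the sAMAccountName values of a user's groups into the EmForge roles. The property values are the ones shown on this page; the RFC 4515 escaping of the login before it is placed in the filter is my addition, and whether EmForge itself escapes the value is not stated on the page. The case-insensitive comparison of group names assumes the Active Directory matching rule for sAMAccountName.

```python
"""Parse EmForge-style security.ldap.* properties, build the user search
filter, and map AD group names to EmForge roles.
Added example; not EmForge's own code."""

# Constructed config.properties excerpt using the values shown on the page
# (managerDn/managerPassword are omitted because they are not needed here).
CONFIG_TEXT = """\
# LDAP/ActiveDirectory settings
security.ldap.enabled=true
security.ldap.url=ldap://localhost/
security.ldap.usersBase=CN=Users,DC=emdev,DC=ru
security.ldap.searchFilter=sAMAccountName={0}
security.ldap.groupBase=CN=Users,DC=emdev,DC=ru
security.ldap.groupRoleAttribute=sAMAccountName
security.ldap.userRole=EmForgeUser
security.ldap.adminRole=EmForgeAdmin
security.ldap.writerRole=WikiWriter
"""


def parse_properties(text):
    """Minimal Java-style .properties parser: key=value, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


# RFC 4515 escaping for a value embedded in an LDAP search filter (assumption:
# the page does not say whether EmForge escapes the {0} substitution itself).
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape filter metacharacters so the login is matched literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(props, login):
    """Substitute {0} in security.ldap.searchFilter with the escaped login."""
    template = props["security.ldap.searchFilter"]
    return template.replace("{0}", escape_filter_value(login))


def map_groups_to_roles(props, group_names):
    """Translate the groupRoleAttribute values (sAMAccountName of the user's
    groups) into EmForge roles, using the security.ldap.*Role mapping."""
    role_keys = {
        "security.ldap.userRole": "user",
        "security.ldap.adminRole": "admin",
        "security.ldap.writerRole": "writer",
    }
    # sAMAccountName matching in AD is case-insensitive (assumption noted above).
    names = {g.lower() for g in group_names}
    return sorted(role for key, role in role_keys.items() if props[key].lower() in names)


def can_login(props, group_names):
    """Only members of the userRole group may log in, as the page describes."""
    return "user" in map_groups_to_roles(props, group_names)


if __name__ == "__main__":
    cfg = parse_properties(CONFIG_TEXT)
    print(build_user_filter(cfg, "jdoe"))
    # Constructed sample: a user who is in EmForgeUser and WikiWriter.
    print(map_groups_to_roles(cfg, ["Domain Users", "EmForgeUser", "WikiWriter"]))
    print(can_login(cfg, ["Domain Users"]))
```

The group names passed to map_groups_to_roles are whatever the groupRoleAttribute (sAMAccountName here) returns for the groups found under security.ldap.groupBase, which is why the "Group name (pre-Windows 2000)" field, not the display name, has to carry the EmForgeUser/EmForgeAdmin/WikiWriter values.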

Now you need to enable the Active Directory authentication provider and user service, so EmForge knows it should use Active Directory for authentication and as the source of user information.

To do this, edit two options in the same file:

security.providers=ldapAuthProvider, rememberMeAuth
security.userServices=adUserService
This example configures EmForge to use ONLY Active Directory for authentication (plus the RememberMe service for the web interface).

That is all! Restart your EmForge and try to log in with your Active Directory user. If something does not work, try asking in the EmForge Forum.
