
How can I set up Redmine => Active Directory authentication?

Okay, so here are the specific settings that I needed in order to make this work:

Host: ims.example.com
Port: 389
User: MYDOMAIN\accountName
Password: *******
Base DN: dc=mydomain,dc=example,dc=com

On-The-Fly User Creation: YES
Login: sAMAccountName
Firstname: givenName
Lastname: sN
Email: mail

The trick was removing cn=Users from the Base DN, after which it all sort of came together.

The other notable thing was the inclusion of a user to read the directory.

Lastly, the user that logs in uses their user name without domain qualification, and their domain password as usual. Our domain does not require an email address, so there is an additional step where the email address has to be set during user creation, but that's pretty straightforward.


A trick to find the Base DN for Active Directory LDAP authentication is to check what the user's fully qualified domain name is. You can check that with:

whoami /FQDN

if you are logged in as that user, which returns something like

CN=John Doe,OU=users,OU=department,DC=corp,DC=domain,DC=com

and the Base DN can be found by removing the first CN.

OU=users,OU=department,DC=corp,DC=domain,DC=com
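The DN-trimming step from the answer above, as an added example that is not part of the original post: a small Python helper that takes the `whoami /fqdn` output, splits it on unescaped commas and drops the leading CN. Splitting naively on "," breaks as soon as a CN contains an escaped comma (AD allows names such as `CN=Doe\, John`), so the splitter honours RFC 4514 backslash escapes. The second helper keeps only the DC= components, which is the domain-root form of Base DN the first answer ended up with; a subtree search from the domain root finds users in every OU, while the OU form derived here only covers that one subtree. The `whoami` call at the bottom is an assumption about running the script on a domain-joined Windows host.

```python
"""Derive a Redmine Base DN from the DN printed by `whoami /fqdn`.

Added example, not code from the answers above. Handles RFC 4514
escaped commas inside RDN values, which a plain str.split(",") does not.
"""
import subprocess
import sys


def split_rdns(dn: str) -> list[str]:
    """Split a DN into its RDNs on commas that are not backslash-escaped."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape pair (e.g. "\,") intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def base_dn_from_fqdn(whoami_output: str) -> str:
    """Drop the user's own leading CN and return the remaining RDNs as the Base DN."""
    dn = whoami_output.strip()                 # whoami prints a trailing CRLF
    rdns = split_rdns(dn)
    if len(rdns) < 2 or not rdns[0].upper().startswith("CN="):
        raise ValueError(f"not a user DN: {dn!r}")
    return ",".join(rdns[1:])


def domain_root_dn(dn: str) -> str:
    """Keep only the DC= components: the domain root, which covers every OU."""
    return ",".join(r for r in split_rdns(dn) if r.upper().startswith("DC="))


if __name__ == "__main__":
    # Assumption: run on a domain-joined Windows host, logged in as a domain user.
    if sys.platform != "win32":
        sys.exit("run this on a domain-joined Windows host")
    out = subprocess.run(["whoami", "/fqdn"], capture_output=True, text=True, check=True).stdout
    print("OU-scoped Base DN :", base_dn_from_fqdn(out))
    print("Domain-root Base DN:", domain_root_dn(out))
```

Pick the domain-root form unless you deliberately want to restrict logins to one OU; that restriction is the usual reason a working bind account still yields "invalid user/password" for people whose accounts live elsewhere.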

I have no familiarity with Redmine, but it sure looks like you're trying to do an anonymous bind to Active Directory to validate credentials. That's not going to work. Having configured multiple products for LDAP integration with AD, I've seen this problem often.

Out of the box, AD requires that clients authenticate when binding to the directory to perform queries.

Have a look at this Redmine wiki posting re: configuring LDAP authentication. They're talking about specifying an account and password for Redmine to use (one that has rights to read the directory; a plain ol' "Domain User" will do) to bind to the directory.
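The flow the first and last answers describe (bind with a read-only account, search the Base DN for the login, then bind as the user to check the password), as an added example that is neither Redmine's code nor from the answers. The filter helpers are plain Python; the network part assumes the `ldap3` package and a reachable domain controller, and the host, account and Base DN values are the placeholders from the first answer. Two checks that the answers do not spell out but that any LDAP login path needs are included: the login name is escaped before it goes into the search filter (RFC 4515), and an empty password is rejected up front, because a simple bind with a DN and an empty password is an unauthenticated bind that AD treats as anonymous success.

```python
"""Validate an AD login the way an LDAP-aware application such as Redmine does.

Added example, not Redmine's code. The network functions assume the
`ldap3` package; host, bind account and Base DN are placeholder values.
"""

# RFC 4515 special characters. The login name is user-supplied input, so it
# must be escaped before being spliced into a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(login_attr: str, login: str) -> str:
    """Filter that locates one user by its login attribute, e.g. sAMAccountName."""
    return f"({login_attr}={escape_filter_value(login)})"


def validate_credentials(host, port, bind_user, bind_password, base_dn, login, password,
                         login_attr="sAMAccountName", attrs=("givenName", "sn", "mail")):
    """Return the user's DN and attributes when login/password are valid, else None.

    bind_user is the read-only directory account from the first answer, in
    DOMAIN\\account form. Requires a reachable domain controller.
    """
    from ldap3 import Connection, Server, SIMPLE, SUBTREE  # assumption: pip install ldap3

    if not password:
        # DN + empty password is an unauthenticated bind; AD answers "success"
        # but grants anonymous rights. Never let that count as a login.
        return None

    server = Server(host, port=port)

    # Step 1: bind with the service account. AD refuses searches over an
    # anonymous bind by default, which is why this account is mandatory.
    with Connection(server, user=bind_user, password=bind_password,
                    authentication=SIMPLE, auto_bind=True) as conn:
        conn.search(base_dn, user_search_filter(login_attr, login),
                    search_scope=SUBTREE, attributes=list(attrs))
        if len(conn.entries) != 1:
            return None                      # unknown login, or ambiguous match
        entry = conn.entries[0]
        user_dn = entry.entry_dn
        values = entry.entry_attributes_as_dict
        found = {a: (values.get(a) or [None])[0] for a in attrs}   # mail may be absent

    # Step 2: bind as the user's own DN with the supplied password.
    user_conn = Connection(server, user=user_dn, password=password, authentication=SIMPLE)
    if not user_conn.bind():
        return None
    user_conn.unbind()
    return {"dn": user_dn, **found}


if __name__ == "__main__":
    # Placeholder values mirroring the settings in the first answer.
    print(validate_credentials("ims.example.com", 389, r"MYDOMAIN\accountName", "secret",
                               "dc=mydomain,dc=example,dc=com", "jdoe", "the-users-password"))
```

Simple binds send both the service account's and the user's password in the clear, so outside a lab the connection should use LDAPS (port 636) or StartTLS rather than plain port 389.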