LDAP / Active Directory Integration


This feature requires the user to be logged in as System Admin.

Contour includes a built-in integration with LDAP (Lightweight Directory Access Protocol) directories, including Microsoft Active Directory. LDAP lets an organization centralize the management of user accounts and credentials. If you use Atlassian Crowd or are interested in that integration, please contact sales@jamasoftware.com for additional information.

By default, Contour is not configured to use LDAP. Instead, all user data is stored in Contour's database and authentication is performed within Contour. When LDAP is selected as the authentication system, Contour authenticates users against your LDAP server at each login; passwords are no longer stored or checked by Contour.

You’ll need to log into Contour as the System Admin (root).

Configuring Contour to Use LDAP

1. Click on System Properties -> Authentication Properties. By default Contour handles authentication itself.


2. Click on the LDAP tab and check the Enable LDAP checkbox. Once the configuration is saved, Contour's own authentication is turned off, so make sure the System Admin account you are using also exists in the directory (or keep a second browser session open) before saving.

Hint: If you select "Enable Self Registration", users can register themselves by logging into Contour with their LDAP credentials. If the directory authenticates them, they are prompted to register for Contour. Note that with self-registration enabled, every account under the configured Base Dn that can bind to the directory can create a Contour user, so choose a Base Dn that contains only the people who should have access. If your installation has multiple Organizations, please contact Jama Support for integration details.

3. Select the Organization for self-registered users.
4. Select the default User Group to assign to self-registered users.


5. Select either Add AD Provider or Add LDAP Provider, depending on whether you are using Active Directory or another LDAP directory, to open the Active Directory and LDAP Connection Wizard.
6. After saving the connection, click the "Synchronize Now" button to manually sync all existing Contour users against LDAP. This updates their information with attributes from the directory. Note: this also disables any Contour users who are not found in LDAP, so review the Base Dn before running it.
7. Once a connection is established with your LDAP or Active Directory server, System Admins may search the directory for users to add to Contour. Click the "Add User from LDAP" button on the Users tab.

Note: Contour searches the configured directory against the "Login Name Attribute" and the "User Name Attribute". Wildcards (*) may be used in a search, but a wildcard at the beginning of the term cannot use the directory's indexes and forces a scan of every entry under the Base Dn; on large directories expect such a search to take several minutes.

8. When a user is created in Contour from the LDAP directory, they may then be added to other user groups and Projects. Contour queries the LDAP server to verify the user's password at each login.
9. Existing users created under Contour authentication who have the same username in LDAP do not need to be re-added. Once LDAP is enabled, Contour authenticates those existing users against LDAP / Active Directory, and their old Contour passwords no longer apply.

Note: Users who are registered in Contour, but not in LDAP, will be disabled from any use in Contour.  Other users will not be able to add disabled users to reviews or notifications.

Troubleshooting Tips

The values you enter differ depending on the type of directory you are configuring. Below are examples for the two options; the key differences are the three attribute names (Login Name, Email and User Name). In both cases the Bind Dn should be a dedicated, read-only service account that only needs search rights under the Base Dn: Contour stores its password in the configuration, so do not use a Domain Admin or other privileged account here.

Active Directory:
URL: 'ldap://localhost:389'
Base Dn: 'ou=Users,dc=jamasoftware,dc=com'
Bind Dn: 'cn=Admin,ou=Admin Users,dc=jamasoftware,dc=com'
Bind Password: 'password'
Login Name Attribute: 'sAMAccountName'
Email Attribute: 'mail'
User Name Attribute: 'displayName'
Sample User: 'admin'
Sample User Password: 'password'
 
LDAP:
URL: 'ldap://localhost:389'
Base Dn: 'ou=Users,dc=jamasoftware,dc=com'
Bind Dn: 'cn=Admin,ou=Admin Users,dc=jamasoftware,dc=com'
Bind Password: 'password'
Login Name Attribute: 'uid'
Email Attribute: 'mail'
User Name Attribute: 'cn'
Sample User: 'admin'
Sample User Password: 'password'

(LDAP attribute names are matched case-insensitively, so 'samaccountname' also works, but the spellings above are the canonical ones. Active Directory stores a user's e-mail address in the 'mail' attribute; there is no 'email' attribute in the default schema.)

 

Note: If your directory requires TLS, use the ldaps protocol in the URL together with the TLS port. Example: ldaps://myserver.example.com:636. With plain ldap:// on port 389, the Bind Password and every user's login password are sent over the network in the clear, so ldaps:// is strongly recommended for anything other than a local test. The server's certificate must be trusted by the Java runtime Contour is running on; if it is issued by an internal CA, import that CA certificate into the JVM truststore first.

 

The Base Dn and Bind Dn values do not accept a domain-only value such as 'dc=jamasoftware,dc=com'. At least one additional level is required, such as the 'ou=Users' seen in the example above.
Take note of the "Can't Find/Authenticate User" errors. They indicate that the connection and the bind succeeded and that only the Sample User / Sample User Password are wrong (see Exceptions below).

Note: The Sample User and Password fields are deleted every time the configuration window is closed.
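The following is an added example, not part of the original page or of Contour itself. It is a small pre-flight checker that applies the rules from the Troubleshooting Tips above (scheme/port agreement, the "at least one level below the domain" rule for Base Dn and Bind Dn, and the canonical AD attribute names) and also shows how a user-typed term from the "Add User from LDAP" search should be turned into a filter: parentheses, backslashes and NUL are escaped so the term cannot break out of the filter, '*' is preserved because the search supports wildcards, and a leading wildcard is flagged for the performance reason given in step 7. The PROVIDER_ATTRS table and the SAMPLE_CONFIG values are constructed for the example; the function names are hypothetical and not Contour APIs.

```python
"""Pre-flight checks for an LDAP / Active Directory provider configuration (added example)."""
import re
from urllib.parse import urlsplit

# Constructed for this example: the attribute pairs each provider type searches,
# taken from the Active Directory and LDAP examples on this page.
PROVIDER_ATTRS = {
    "ad":   {"login": "sAMAccountName", "name": "displayName"},
    "ldap": {"login": "uid",            "name": "cn"},
}

# RFC 4515 escapes for the characters that could alter a filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def check_url(url):
    """Return problems with an LDAP URL: bad scheme, missing host, or a
    scheme/port mismatch (ldap:// to 636 or ldaps:// to 389), plus a warning
    when plaintext ldap:// is used at all."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        return [f"unsupported scheme {parts.scheme!r}; use ldap:// or ldaps://"]
    if not parts.hostname:
        return ["missing hostname in URL"]
    port = parts.port if parts.port is not None else (636 if parts.scheme == "ldaps" else 389)
    problems = []
    if parts.scheme == "ldap" and port == 636:
        problems.append("ldap:// to port 636: the server expects TLS there, use ldaps://")
    if parts.scheme == "ldaps" and port == 389:
        problems.append("ldaps:// to port 389: 389 is the plaintext port, use 636")
    if parts.scheme == "ldap":
        problems.append("ldap:// sends the bind password and user passwords in the clear; prefer ldaps://")
    return problems


def parse_dn(dn):
    """Split a DN into lower-cased (attribute, value) RDN pairs. Commas escaped
    with a backslash are treated as part of the value."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def check_dn(label, dn):
    """Enforce the rule that Base Dn and Bind Dn need a level below the domain."""
    if all(attr == "dc" for attr, _ in parse_dn(dn)):
        return [f"{label} {dn!r} is a domain-only value; add a level such as ou=Users"]
    return []


def escape_search_term(term, allow_wildcards=True):
    """RFC 4515-escape a user-typed search term. '*' is kept when wildcards are
    allowed (as in the Add User from LDAP search) and escaped as \\2a otherwise."""
    out = []
    for ch in term:
        if ch == "*":
            out.append("*" if allow_wildcards else r"\2a")
        else:
            out.append(_FILTER_ESCAPES.get(ch, ch))
    return "".join(out)


def build_user_filter(term, provider):
    """Build the OR filter over the Login Name and User Name attributes.
    Returns (filter_string, warnings); warnings cover leading and bare wildcards."""
    attrs = PROVIDER_ATTRS[provider]
    warnings = []
    if term.startswith("*"):
        warnings.append("leading wildcard cannot use an index; expect a slow scan on large directories")
    if not term.strip("*"):
        warnings.append("term is only wildcards; this matches every user under the Base Dn")
    safe = escape_search_term(term)
    return f"(|({attrs['login']}={safe})({attrs['name']}={safe}))", warnings


def check_config(cfg):
    """Run every check over one provider configuration and return all messages."""
    msgs = check_url(cfg["url"])
    msgs += check_dn("Base Dn", cfg["base_dn"])
    msgs += check_dn("Bind Dn", cfg["bind_dn"])
    if cfg["provider"] == "ad" and cfg["email_attr"].lower() != "mail":
        msgs.append(f"Email Attribute {cfg['email_attr']!r}: Active Directory uses 'mail'")
    return msgs


# Constructed sample configuration mirroring the page's AD example, with the
# two mistakes this page warns about (plain ldap:// and a domain-only Base Dn).
SAMPLE_CONFIG = {
    "provider": "ad",
    "url": "ldap://localhost:389",
    "base_dn": "dc=jamasoftware,dc=com",
    "bind_dn": "cn=svc-contour,ou=Service Accounts,dc=jamasoftware,dc=com",
    "email_attr": "email",
}

if __name__ == "__main__":
    for msg in check_config(SAMPLE_CONFIG):
        print("-", msg)
    flt, warns = build_user_filter("*smith", "ad")
    print(flt, warns)
```

Running the script against SAMPLE_CONFIG reports the cleartext URL, the domain-only Base Dn and the 'email' attribute; the filter for "*smith" is built but carries the leading-wildcard warning. The same escaping applies to any login name you pass into a filter elsewhere, since a directory search built by string concatenation is otherwise open to filter injection.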

Exceptions

When configuring LDAP there are different possible errors you may see. The list below should help identify the cause of the error.

Exception: "Unable to communicate with LDAP server; nested exception is javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: Connection refused: connect]"

Reason: Contour cannot reach the server at all. Check the hostname and port in the URL, that the directory is listening on that port, and that no firewall between Contour and the directory blocks it.

 

Exception: "Operation failed; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]"

Reason: Either the Bind Dn or the Bind Password is not correct. Active Directory appends a data code to this message that narrows it down: 52e is a wrong password, 525 means the Bind Dn does not exist, 775 a locked account and 532 an expired password.

 

Exception: "Can't find user"

Reason: The connection and the bind succeeded (URL, Bind Dn and Bind Password are correct). Either the Login Name Attribute is wrong for this directory type, or the Sample User does not exist under the Base Dn you entered.

 

Exception: "Can't Authenticate User"

Reason: The Sample User Password is incorrect. This still confirms a successful connection to LDAP and that the Sample User was found under the Base Dn.

 

Exception: "Operation failed; nested exception is javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name ''"

Reason: The Base Dn is too broad, typically the domain root itself. Active Directory then answers the search with referrals to other partitions of the forest, which Contour does not follow. Narrow the Base Dn to the container that holds your users; alternatively, point the URL at a Global Catalog port (3268, or 3269 for TLS), which does not return these referrals.

 

Exception: "Operation failed; nested exception is javax.naming.ServiceUnavailableException: adunit:636; socket closed"

Reason: Port 636 is the TLS (LDAPS) port. The URL used the plain ldap protocol against it, so the server closed the socket, or the server's certificate is not trusted by Contour's Java runtime. Use the ldaps protocol, e.g. ldaps://myserver.example.com:636, and if the certificate is issued by an internal CA, import that CA certificate into the JVM truststore.