Geeks With Blogs

The Life and Times of a Dev Yes, we're really that weird

We want to use both subversion usernames and passwords as well as Active Directory for our authentication on our Collabnet subversion server.

This has proven to be more of a challenge than we thought, mostly because Collabnet’s documentation is weak in this area.

To supplement that documentation, I add my own.

The first thing to understand is that the attribute you specify in the LDAP Login Attribute field ONLY applies to the lookup done for the user who is logging in.  It does NOT apply to the LDAP Bind DN field, which must be a full distinguished name.  Second, know that the debug logs (the error log is the one you want) only show the user login attempts; a failing bind DN produces no useful detail there.  Third, by default Active Directory does not allow anonymous searches (an anonymous connection can read only the rootDSE), so you MUST put in an account that has the authority to query the directory.  By default any authenticated domain account can read user objects, so that account needs no special rights.

Because of these items, the values to set in those fields can be somewhat confusing.  You’ll want to have ADSI Edit handy (I also used ldp.exe, which is installed by default on Server 2008), since ADSI Edit can help you find the exact distinguished names in your Active Directory.  Be careful: it can also break things.

Here’s what should go into those fields.

LDAP Security Level:  Should be set to None.  Be aware of what that means: with no SSL/TLS, the bind password and every user’s Subversion password are sent to the domain controller in cleartext on the port below.  That is acceptable only on a trusted network; if your domain controllers offer LDAPS, the global catalog equivalent of the port below is 3269.

LDAP Server Host:  Should be set to the full name of a domain controller in your domain.  For example, dc.mydomain.com

LDAP Server Port:  Should be set to 3268.  The default port of 389 queries only that domain controller’s own domain partition.  3268 is the global catalog port, which searches the whole forest (for the attributes the global catalog replicates, sAMAccountName among them), which is probably what you want.

LDAP Base DN:  Should be set to the location where you want the search for users to begin.  By default, the search scope is set to sub, so all child organizational units below this setting will be searched.  In my case, I had created an OU specifically for users for group policies.  My value ended up being:  OU=MyOu,DC=domain,DC=org.   However, if you’re pointing it to the default Users folder (which is a container, not an OU), you may end up with something like CN=Users,DC=domain,DC=org (or com or whatever).  Again, use ADSI Edit and use the Distinguished Name that it shows.

LDAP Bind DN:  This needs to be the Distinguished Name of the account that Collabnet will bind as (i.e. the service account whose credentials it uses) for doing queries.  In my case, it ended up being CN=svn svn,OU=MyOu,DC=domain,DC=org.  Why the double svn, you might ask?  Because the first and last name fields were both set to svn, and when Active Directory Users and Computers creates an account, the CN that starts the distinguished name is built from the Full Name, not from the logon name!  That’s important.  It is NOT the username or account name, and changing the logon name later does not change it.  Again, use ADSI Edit, browse to the account you want to use, right click and select Properties, and then search the attributes for distinguishedName.  Once you’ve found it, select it, click View, and copy and paste the value into this field.  Since the password for this account is stored in Collabnet’s configuration, use a dedicated account that has only the default read access and is a member of no privileged groups.

LDAP Bind Password:  The password for the account named in the Bind DN.

LDAP Login Attribute: sAMAccountName.  If you leave this blank, uid is used, which is not populated in Active Directory by default (userPrincipalName would also work, if you want users to log in as user@domain.org).  sAMAccountName is the pre-Windows 2000 logon name shown under the Account tab for users in Active Directory Users and Computers.  Note that this attribute DOES NOT APPLY to the LDAP Bind DN; there you must use the full distinguished name.  This attribute lets users type their username and password for authentication, rather than their distinguished name, which they probably don’t know.

LDAP Search Scope:  Probably should stay at sub, but could be different depending on your situation.

LDAP Filter:  I left mine blank, but you can provide one to restrict which accounts are found, for example by group membership (memberOf), so that not every account under the base DN can log in.  ldp would be helpful for working out what the filter should be.

LDAP Server Certificate Verification:  I left it checked, but didn’t try it unchecked.  With the security level set to None there is no TLS handshake, so this setting has no effect; it matters only once you switch to SSL/TLS, and then it should stay checked so that a spoofed domain controller cannot harvest the bind password.
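The login flow that those fields configure, as an added example that is not Collabnet’s code: a small in-memory directory stands in for the global catalog, so it runs without a domain.  It shows the three points above in working code: the service bind uses the full Bind DN (a logon name fails), the login attribute is used only to turn what the user typed into a DN via a subtree search under the base DN (narrowed by the filter), and the user’s password is then checked with a second bind as that DN.  It also shows why the typed login must be escaped before it is spliced into the search filter: unescaped, a login of `*` matches every account.  The domain, OU, account names and passwords are constructed placeholders, and the fake server’s filter parser understands only the AND-of-equalities filters the example builds.

```python
"""Offline model of the Collabnet/AD login flow (added example, not
Collabnet's code).  An in-memory dictionary stands in for the Active
Directory global catalog; every name below is a constructed placeholder."""
import re

# Field values from the post.  Security level "None" means plain LDAP: the
# bind password and every user's password cross the wire unencrypted.
CONFIG = {
    "host": "dc.mydomain.com",
    "port": 3268,                        # global catalog, not the single-DC port 389
    "base_dn": "OU=MyOu,DC=domain,DC=org",
    "bind_dn": "CN=svn svn,OU=MyOu,DC=domain,DC=org",   # full DN, not the logon name "svn"
    "bind_password": "service-secret",
    "login_attr": "sAMAccountName",      # what users type; applies to the search, not to bind_dn
    "filter": "(memberOf=CN=svn-users,OU=MyOu,DC=domain,DC=org)",  # optional restriction
}

# Constructed directory.  The service account's RDN comes from its Full Name
# ("svn svn"), not its logon name.  AD never returns passwords; the fake keeps
# them in a separate table only so it can answer binds.
ENTRIES = {
    "CN=svn svn,OU=MyOu,DC=domain,DC=org":
        {"sAMAccountName": "svn", "objectClass": ["user"], "memberOf": []},
    "CN=John Doe,OU=MyOu,DC=domain,DC=org":
        {"sAMAccountName": "jdoe", "objectClass": ["user"],
         "memberOf": ["CN=svn-users,OU=MyOu,DC=domain,DC=org"]},
    "CN=Jane Roe,OU=Devs,OU=MyOu,DC=domain,DC=org":    # child OU: found via scope sub
        {"sAMAccountName": "jroe", "objectClass": ["user"],
         "memberOf": ["CN=svn-users,OU=MyOu,DC=domain,DC=org"]},
    "CN=Bob Out,CN=Users,DC=domain,DC=org":            # outside the base DN
        {"sAMAccountName": "bob", "objectClass": ["user"],
         "memberOf": ["CN=svn-users,OU=MyOu,DC=domain,DC=org"]},
}
PASSWORDS = {
    "CN=svn svn,OU=MyOu,DC=domain,DC=org": "service-secret",
    "CN=John Doe,OU=MyOu,DC=domain,DC=org": "jdoe-pw",
    "CN=Jane Roe,OU=Devs,OU=MyOu,DC=domain,DC=org": "jroe-pw",
    "CN=Bob Out,CN=Users,DC=domain,DC=org": "bob-pw",
}


def escape_filter_value(value):
    """RFC 4515 escaping: the login name is spliced into a filter, so the
    characters that change a filter's structure must be neutralised."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(c, c) for c in value)


def build_filter(cfg, login, escape=True):
    """The search run for a typed login; escape=False shows the injection."""
    value = escape_filter_value(login) if escape else login
    return "(&(%s=%s)(objectClass=user)%s)" % (cfg["login_attr"], value, cfg.get("filter", ""))


def _unescape(text):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def _matches(values, assertion):
    # An unescaped '*' is a wildcard; '\2a' is a literal asterisk.
    parts = [re.escape(_unescape(p)) for p in assertion.split("*")]
    pattern = re.compile(".*".join(parts), re.IGNORECASE | re.DOTALL)
    if isinstance(values, str):
        values = [values]
    return any(pattern.fullmatch(v) for v in values)


class FakeDirectory:
    """Just enough of an LDAP server (simple bind + subtree search) for the demo."""

    def __init__(self, entries, passwords):
        self.entries, self.passwords = entries, passwords

    def bind(self, dn, password):
        return dn in self.passwords and self.passwords[dn] == password

    def search(self, base_dn, filter_str):
        m = re.fullmatch(r"\(&((?:\([^()]*\))+)\)", filter_str)
        if not m:
            raise ValueError("unsupported filter: " + filter_str)
        assertions = re.findall(r"\(([^=()]+)=([^()]*)\)", m.group(1))
        suffix = "," + base_dn.lower()           # scope sub: every entry below base_dn
        return [dn for dn, attrs in self.entries.items()
                if dn.lower().endswith(suffix)
                and all(_matches(attrs.get(a, []), v) for a, v in assertions)]


def authenticate(directory, cfg, login, password):
    """Service bind with the full Bind DN, resolve the typed login to a DN,
    then bind as that DN with the user's password.  Returns the DN or None."""
    if not directory.bind(cfg["bind_dn"], cfg["bind_password"]):
        raise RuntimeError("service bind failed: LDAP Bind DN must be a full DN")
    hits = directory.search(cfg["base_dn"], build_filter(cfg, login))
    if len(hits) != 1:                           # unknown, filtered out, or ambiguous
        return None
    return hits[0] if directory.bind(hits[0], password) else None


if __name__ == "__main__":
    ad = FakeDirectory(ENTRIES, PASSWORDS)
    print(authenticate(ad, CONFIG, "jdoe", "jdoe-pw"))
    print(ad.search(CONFIG["base_dn"], build_filter(CONFIG, "*", escape=False)))
```

The same three steps are the check to run against a real domain controller with ldp before touching the Collabnet UI: bind as the Bind DN, search the base DN for (sAMAccountName=yourname), then bind as the DN that comes back.  If any step fails there, it will fail in Collabnet too, and the error log will not tell you which one.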

Hopefully, this will save some others pain when trying to get Collabnet Subversion setup.

Posted on Wednesday, January 12, 2011 2:15 PM


Comments on this post: Understanding Collabnet’s LDAP binding

# re: Understanding Collabnet’s LDAP binding
Thanks for the writeup, Robert! I've linked to it from the CollabNet help pages, here:
http://help.collab.net/topic/teamforge540/action/setupsiteldap.html
There is a CollabNet SVN wiki here:
https://ctf.open.collab.net/sf/go/projects.svnedge/wiki
You might also check out Jeremy Whitlck's blog on this kind of topic, e.g. http://www.thoughtspark.org/node/26
Left by Ted on Jan 13, 2011 2:04 PM

# re: Understanding Collabnet’s LDAP binding
Thanks - this howto really helped and worked exactly as described.
Left by Christian on Jan 27, 2011 3:29 AM

# re: Understanding Collabnet’s LDAP binding
Just wanted to say thanks, Your article helped out a lot. I had misinterpreted one of the settings so real world examples pointed out my mistake. Also changing the port number makes it a whole lot easier.
Left by Crisis on Nov 14, 2011 7:14 PM

# re: Understanding Collabnet’s LDAP binding
Just wanted to say thanks as well. Very helpful!
Left by IT Guy on Nov 21, 2011 9:27 AM

# re: Understanding Collabnet’s LDAP binding
Fantastic post. Solved the issue in a few mins for me.
Left by Ashutosh on Sep 12, 2012 11:18 PM

# re: Understanding Collabnet’s LDAP binding
To everyone who has little to no knowledge about LDAP, like I did before I dug deeper into this:

It is important that you enter your whole LDAP information for LDAP Base DN. If you can't do your binding anonymously, then you need to define a user for LDAP Bind DN as well, and a password respectively. Here as well, the whole LDAP information.

There is a command line tool which I found out about here: http://www.dscentral.in/2011/08/17/ldap-collabnet-subversion-active-directory/

Just enter 'dsquery user -samid "<user>"' in a command console (put in your user name instead of <user>) and you will get a listing of the whole LDAP hierarchy of your organisation, e.g. CN=LastName FirstName,OU=Department,OU=City,OU=Country,DC=DomainName,DC=com
You must not leave out any part in the middle of the hierarchy, but you may generalize your hierarchy for LDAP Base DN by omitting from the left side in order to grant a bigger part of your company access to your repository.
Left by Markus on Mar 19, 2015 12:46 AM
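An added example (not Markus's code) that automates the "omit from the left" rule from the comment above: it splits a distinguished name into its RDNs on unescaped commas, as RFC 4514 requires, and lists every ancestor that would still contain the user when the search scope is sub.  Splitting naively on every comma breaks as soon as a Full Name contains one ("Doe, John").  The sample DNs are constructed placeholders shaped like dsquery's output.

```python
import re


def split_rdns(dn):
    """Split a DN into its RDNs on commas that are not escaped with a backslash.
    (A value that itself ends in an escaped backslash is not handled.)"""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def base_dn_candidates(user_dn):
    """Every ancestor of user_dn, nearest first: the values that are valid for
    LDAP Base DN and still contain this user when the search scope is sub.
    Nothing in the middle is dropped, only whole RDNs from the left."""
    rdns = split_rdns(user_dn)
    return [",".join(rdns[i:]) for i in range(1, len(rdns))]


if __name__ == "__main__":
    # Constructed sample: the comma inside the CN is escaped, so it must not split.
    for base in base_dn_candidates(r"CN=Doe\, John,OU=Department,OU=City,DC=DomainName,DC=com"):
        print(base)
```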


Copyright © Robert May | Powered by: GeeksWithBlogs.net