Yes, you can have your TeamForge installation
authenticate against an LDAP server.
This is handy when users want to use a variety of different resources without having to
maintain credentials for each one separately.
Overview
CollabNet TeamForge is a JBoss2 based application and relies on the JBoss JAAS service for
user authentication. This enables a TeamForge site
to authenticate users internally or externally.
- Internal user authentication
- Out of the box, TeamForge relies on its local database to manage user accounts. This
includes username, password, full name, email address and a variety of other meta data
values. Passwords are stored in the database using the standard MD5 Password hashing
algorithm1. The database is only accessible by the application itself and a user with
root access to the physical server. While running in this default configuration users
are allowed to change their passwords in TeamForge, and any user with site
administration privileges can create and approve new user accounts.
- External user authentication
- The JAAS service comes with several standard providers that allow TeamForge to be
integrated with services such as LDAP, Active Directory and Kerberos. The JAAS service
allows more than one source to be configured in the event several sources are needed.
Note: It is possible to use both types of authentication with a single TeamForge installation. See your
CollabNet representative for
details.
To ensure that you are not locked out of your site, the site administrator account is
always validated by TeamForge, not by LDAP.
LDAP accounts must conform to the TeamForge rules
for user names and passwords. For example:
- If a password is used in LDAP that is shorter than the minimum allowable password length
in TeamForge, you cannot create the user in
TeamForge.
- A user name that starts with a special character, such as an underscore, will not be
accepted by TeamForge, even if it is valid in
LDAP.
(For detailed TeamForge user name and password
rules, see Create a new user account.)
How is life different for the user under external authentication?
- When you turn external integration on, every user account (except the site administrator
account) must have a matching LDAP entry to log in. This may require changing some
existing accounts to match their corresponding LDAP records. (Accounts created after LDAP
is in place are validated with the LDAP server when they are created, so you don't have to
worry about this.)
- Every login attempt (Web UI and SOAP access) is passed to the external provider. This
means that any changes to the user status in the external system take effect immediately.
Users who have already logged in and have valid sessions are not affected.
- When TeamForge is using internal authentication, a site administrator can change a
user's password. This is disabled for external authentication.
- Under external authentication, passwords can't be changed in the TeamForge web UI. Users
have to use the interface provided by the third-party authentication source to change
their password. Such password changes are available immediately to TeamForge for the next
login attempt.
- Site administrators can no longer create user accounts. The end user must create their
own account by logging into TeamForge just like a user who already has an account. At that
point TeamForge detects that a new account needs to be created and presents the new user
with a registration form, which requests the user's password n the external authentication
system. On submit, TeamForge verifies the user account with the external system, and only
if the username/password is verified does TeamForge create the new account.
- Once a new user has created their account, TeamForge can optionally be configured to put
every new account in a pending status so that a site administrator can approve the new
account. By default, new users will have immediate access to the system.
LDAP for source control
LDAP is integrated into your TeamForge source
control services.
- For Subversion, the integration server queries TeamForge as needed.
- CVS authentication is not managed directly by LDAP, but each TeamForge user's SCM password is synchronized
automatically with the user's LDAP password upon logging into TeamForge.
What can go wrong?
When TeamForge is configured to authenticate
against an LDAP server and the LDAP server is down, all TeamForge authentication is disabled until the LDAP
server is restored.
If a user does not exist on the LDAP server, or is deleted from the server, that user
cannot log into TeamForge.