Setting up TeamForge for LDAP authentication

In this section, you can see how to make LDAP as an IdP in TeamForge and how to configure TeamForge for enabling LDAP driven authentication.

Important: Contact CollabNet Support before you set up the TeamForge LDAP on your site.

Preparing TeamForge for LDAP integration

USE_EXTERNAL_USER_AUTHENTICATION - Set this token to True.
ALLOW DATABASE AUTHENTICATION IF LDAP IS ENABLED - Select this check box to have LDAP credentials stored in TeamForge and have users authenticated via TeamForge every time a user logs in. This helps improve performance by optimizing the number of authentication calls between TeamForge and LDAP server. To select this check box, navigate to My Workspace > Admin and then to Projects > System Tools > Configure Application page. This parameter is shown under the section External Authentication.
Important: Enabling this parameter is mandatory for sites with internally managed CVS servers.

Note: TeamForge administrators can restrict the users from logging into TeamForge using database authentication after a specific duration by setting the timeout period after which the users would be forced to log on to TeamForge only via LDAP authentication. The parameter "Forge Re-authentication with LDAP Server" parameter denotes the timeout period after which the user authentication into TeamForge is done via LDAP authentication. For more information on this parameter, see FORCE RE-AUTHENTICATION WITH LDAP SERVER.
APPROVE_NEW_USER_ACCOUNTS - Set this token to False .
REQUIRE_PASSWORD_SECURITY - Set this token to False.
LINUX_USERNAME_MODE_ENABLED - Set this token to True.
MINIMUM_PASSWORD_LENGTH - Set the value of this token to '0'.
PASSWORD_REQUIRES_MIXED_CASE - Set this token to False.
PASSWORD_REQUIRES_NON_ALPHANUM - Set this token to False.
PASSWORD_REQUIRES_NUMBER - Set this token to False.
REQUIRE_USER_PASSWORD_CHANGE - Set to token to False.

Enabling LDAP as an IdP

You need to enable LDAP as an IdP to facilitate LDAP based authentication for TeamForge users.

Log on to TeamForge as a Site Administrator.
Select My Workspace > Admin.
Select Projects > Identity.
Select the Federation tab.
Select the Use Federated Login check box and select LDAP as the IdP from the drop-down list.
Click Save.

Select the LDAP tab. This page provides the basic configuration required to integrate LDAP with TeamForge.

This table provides the parameters used in the LDAP configuration page and and their corresponding description.

Parameter Name	Description
PROVIDER URL	Defines the string that encapsulates the IP address and port of a directory server.
SECURITY AUTHENTICATION	Authentication method used to bind to LDAP server. There are 3 types of security authentication in LDAP: Anonymous - When a client sends a LDAP request without binding, then it is called an "anonymous client". Simple - In this type of authentication, the LDAP server sends the fully qualified DN (Distinguished Name) and the clear text password of the client. Note: Currently, TeamForge supports only the simple authentication method. SASL - SASL (Simple Authentication and Security Layer) authentication provides a challenge response protocol to exchange data between the client and server for the authentication and establishment of security layer to carry out further communication.
SECURITY PRINCIPAL	Specifies the distinguished name of the user to authenticate. Example: "uid=admin,ou=accounts"
SECURITY CREDENTIALS	Specifies the password or other security credentials of the user to authenticate.
Note: If the Security Principal and Security Credentials should be used when a LDAP user tries to log on to TeamForge for the first time, you need to select the <<token_name>> check box in `Configure your site's settings` page.
BASE DN	Specifies the base distinguished name from where a server will search for users. This is a sequence of related distinguished names connected by commas and with the format "attribute=value". Example: dc=help,dc=collab,dc=net
USERNAME	Defines the name used to connect to the LDAP service on the specified LDAP server. Example: ldapuser@collab.net
SERVER TIMEOUT	Specifies the read timeout in milliseconds for an LDAP operation. This is used to control the LDAP request made by a client in a timely manner, so that the client does not wait for a long time for the server to respond. For example, if the search timeout value is 5000 milliseconds, the LDAP service provider can abort the read timeout if the server does not respond within this 5 seconds.
SERVER SCOPE	Specifies the starting point of an LDAP search and the depth from the base DN to the levels until which the search should occur. There are three types of search scope in an LDAP search: OBJECT_SCOPE: This limits the search scope only to the base object or base DN. ONELEVEL_SCOPE: This enables search only up to the immediate children objects under the base DN in a search tree. SUBTREE_SCOPE: This searches the entire subtree including the base DN. TeamForge recommends this as the default search scope in its LDAP configuration.

Click Save to save the configuration. Click Cancel to discard the changes.