External Active Directory

Issue #69 resolved
Bernhard Millauer
created an issue


Is there a way to connect to an external directory? I would need this functionality because my git server is not in the domain.

Thanks in advance, and thanks for this great product!!

Comments (10)

  1. Sebastian Sebastian repo owner
    • changed status to open

    I think the best way to connect to an external Active Directory is the ldap-plugin. But it is a little bit complicated and you need to know how your AD/LDAP is structured. First of all you need a user in the AD which has permissions to read the following attributes of each scm-manager user in the AD: sAMAccountName, cn, mail and memberOf for groups. This user is the bind user (Connection DN). You also need the "Base DN" and the "People Unit"; the simplest way to get that information is to use an LDAP browser like http://directory.apache.org/studio/index.html

    Here are some AD configuration options for the ldap-plugin:

    • ID Attribute Name: sAMAccountName
    • Fullname Attribute Name: cn
    • Mail Attribute Name: mail
    • Group Attribute Name: memberOf
    • Base DN: OU=Organisation,DC=your company,DC=net
    • Connection DN: dn of your bind user
    • Connection Password: password of your bind user
    • Host URL: ldap://ldap.server:389
    • Search Filter: (&(sAMAccountName={0}))
    • Group Search Filter: <Blank>
    • Search Scope: sub
    • People Unit: OU=Users
    • Groups Unit: <Blank>
    • Enabled: True
  2. Sebastian Sebastian repo owner

    I know it is very complicated, but it is the only way I know. What do you mean by correct login name? If you have configured the ldap plugin, then you should be able to log in with an AD user, and you can always log in with the scmadmin (or other local users).

  3. Bernhard Millauer reporter

    Hi Sebastian,

    our domain usernames contain a space as separator, e.g. "max muster" instead of "max.muster". I think SCM-Manager can't handle this because my login attempts fail. Sadly, I do not see any log messages to verify my suspicion.

    Can you confirm this issue?

  4. Bernhard Millauer reporter

    Hi Sebastian,

    I found a solution:

    id: mailNickname (this holds the format "firstname.lastname" because of exchange server. this is used to create the user)
    fullname: cn (for display)
    mail: mail
    groupAttributeName: memberOf
    base dn: DC=company,DC=com
    connection dn: CN=Username,OU=Users,DC=company,DC=com (NOT relative!)
    connection password: password
    host: ldap://server.com:389
    search filter: (&(SAMAccountName={0})(objectClass=user)) (the second is optional)
    group search filter: (objectClass=group) (is needed; if not set, an error occurs)
    search scope: sub
    ppl unit: OU=Users
    groups unit: <empty> (no text entered!)
    enabled: true

    Hope this helps others!!
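The two configurations above (Sebastian's with sAMAccountName as the ID attribute, Bernhard's with mailNickname) differ only in which attribute becomes the SCM-Manager user ID and which filter the login name is substituted into. The following is an added example, not code from the issue or from the scm-manager ldap-plugin: it shows what a plugin has to do with those settings, namely escape the login name per RFC 4515 before replacing `{0}` in the Search Filter (otherwise a login name such as `*` turns the filter into a wildcard match, which is LDAP injection), and then map the returned entry's attributes onto the user model. The directory entry, the class name `LdapUserConfig` and the helper names are constructed for illustration; the naive RDN split in `rdn_value` does not handle escaped commas in DNs.

```python
"""Build the ldap-plugin search filter safely and map an AD entry to a user.

Added example for the thread above; not the plugin's own code.
"""
from dataclasses import dataclass

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot alter the filter structure."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def build_search_filter(template: str, username: str) -> str:
    """Substitute the login name into the configured Search Filter template.

    A space in the login name ("max muster") is not special in a filter, so it
    passes through unchanged; '*', '(', ')' and '\\' are escaped.
    """
    return template.replace("{0}", escape_filter_value(username))


@dataclass
class LdapUserConfig:
    """Hypothetical mirror of the plugin settings discussed in the thread."""
    id_attr: str = "sAMAccountName"
    fullname_attr: str = "cn"
    mail_attr: str = "mail"
    group_attr: str = "memberOf"
    search_filter: str = "(&(sAMAccountName={0})(objectClass=user))"


def rdn_value(dn: str) -> str:
    """Return the first RDN value: 'CN=Developers,OU=Groups,...' -> 'Developers'."""
    first_rdn = dn.split(",", 1)[0]
    return first_rdn.split("=", 1)[1] if "=" in first_rdn else first_rdn


def map_entry(entry: dict, cfg: LdapUserConfig) -> dict:
    """Map a raw AD entry (attribute -> list of values) onto the user model."""
    def first(attr: str):
        values = entry.get(attr) or []
        return values[0] if values else None

    return {
        "id": first(cfg.id_attr),
        "fullname": first(cfg.fullname_attr),
        "mail": first(cfg.mail_attr),
        "groups": [rdn_value(dn) for dn in entry.get(cfg.group_attr, [])],
    }


# Constructed sample entry, in the shape an AD search returns it.
SAMPLE_ENTRY = {
    "sAMAccountName": ["max muster"],
    "mailNickname": ["max.muster"],
    "cn": ["Max Muster"],
    "mail": ["max.muster@company.com"],
    "objectClass": ["top", "person", "user"],
    "memberOf": [
        "CN=Developers,OU=Groups,DC=company,DC=com",
        "CN=Git Users,OU=Groups,DC=company,DC=com",
    ],
}

# Comment 1: sAMAccountName is the ID, so the SCM user is "max muster".
CONFIG_SAM = LdapUserConfig()
# Comment 4: mailNickname is the ID, so the SCM user becomes "max.muster".
CONFIG_MAILNICKNAME = LdapUserConfig(id_attr="mailNickname")


def login_filter_and_user(cfg: LdapUserConfig, username: str) -> tuple:
    """Return (filter sent to the directory, mapped user) for one login attempt."""
    return build_search_filter(cfg.search_filter, username), map_entry(SAMPLE_ENTRY, cfg)


if __name__ == "__main__":
    for cfg in (CONFIG_SAM, CONFIG_MAILNICKNAME):
        flt, user = login_filter_and_user(cfg, "max muster")
        print(flt, "->", user)
    # A hostile login name no longer widens the search:
    print(build_search_filter(CONFIG_SAM.search_filter, "*"))
```

Whichever attribute is chosen as the ID, the search itself is still keyed on sAMAccountName, so a user types "max muster" at the login prompt in both setups; the mailNickname choice only changes the name SCM-Manager stores for the account. The escaping is what the admin cannot configure away in the plugin's text field, so it is worth confirming the plugin does it before exposing the login form.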
