Help

Mingle LDAP Authentication

This authentication plugin only supports LDAP, LDAPS and LDAP/TLS.

Installation

IMPORTANT: As of the 2.0.1. release it is no longer necessary to copy the LDAP plugin directory to vendor/plugins in order to install. The LDAP plugin is now pre-installed, but now must be explicitly enabled in config/auth_config.yml. See step 4 below.

  1. Before you can use Mingle LDAP authentication, you must first complete the standard Mingle installation and configuration. Make sure that you setup a user with both full Mingle administrative privileges and a login that is also contained in your LDAP directory.
  2. Stop Mingle server.
  3. Edit mingle_data_directory/config/auth_config.yml to contain your configuration:

    4. For Active Directory: 
      authentication: ldap
  ldap_settings:
    ldapserver: hostname
    ldapport: port
    ldapbinduser: user
    ldapbindpasswd: password
    ldapbasedn: ou=Users,dc=MyCompany,dc=COM
    ldapfilter: sAMAccountName
    ldapobjectclass: organizationalPerson
    ldap_map_fullname: cn
    ldap_map_mail: mail
    ldapgroupdn : cn=MingleUsers,ou=Groups,dc=MyCompany,dc=COM
    ldapgroupobjectclass : group
    ldapgroupattribute : member
    auto_enroll: true
    auto_enroll_as_mingle_admin: false

    For OpenLDAP: 
      authentication: ldap
  ldap_settings:
    ldapserver: hostname
    ldapport: port
    ldapbinduser: user
    ldapbindpasswd: password
    ldapbasedn: ou=People,dc=MyCompany,dc=COM
    ldapfilter: uid
    ldapobjectclass: posixAccount
    ldap_map_fullname: cn
    ldap_map_mail: mail
    ldapgroupdn : cn=MingleUsers,ou=Groups,dc=MyCompany,dc=COM
    ldapgroupobjectclass : posixGroup
    ldapgroupattribute : memberUid
    auto_enroll: true
    auto_enroll_as_mingle_admin: false

  4. Notice the first line of each configuration above, as of 2.0.1 it is now necessary to explicitly state an authentication of type 'ldap' in order to use the LDAP authentication plugin.

    If you have enabled basic authentication, it will also be necessary to state that basic_authentication is of type 'ldap:' 

    5.   basic_authentication_enabled: true
  basic_authentication: ldap
  authentication: ldap 
  ldap_settings: 
    ldapserver: ...
    ...

  5. Start Mingle server.
  6. Login as the user you configured in Step 1, but this time using the LDAP password rather than the Mingle password. This user will still have full Mingle admin privileges. This user can make future Mingle users Mingle admins if you wish to grant others that privilege.

  7. Any users enrolled in your LDAP directory can now login to Mingle. When they login to Mingle, a Mingle account will be automatically created if it does not already exist. Once a user has logged in for the first time s/he can be granted access to projects.

    If for some reason, you did not wish for Mingle users to be automatically created, you could set 'auto_enroll' to false in your configuration. Note that this would require anyone logging in to already exist in the Mingle database. This setting would typically never be used. The default value of 'auto_enroll' is true.

  8. If auto_enroll_as_mingle_admin was set to true, any new users in your LDAP directory can not only log into Mingle, they will also be made administrators by default. The default value of 'auto_enroll_as_mingle_admin' is false.

    9. If the maximum number of Mingle users has been added to the Mingle instance auto_enroll and auto_enroll_as_mingle_admin will not create accounts for new users logging in via LDAP. These users will be informed that the instance has reached the maximum number of users. When the maximum number of users is increased or existing users are deleted or deactivated auto_enroll and auto_enroll_as_mingle_admin will automatically create accounts for new users again.

  9. New in 2.0: ldapgroupdn, ldapgroupobjectclass and ldapgroupattribute are for group authentication. If the user is not in the group specific in ldapgroupdn, user will not be able to login to Mingle even if user has valid username/password. In order to disable this group feature, comment out or remove these three attributes.
  10. Should you ever wish to turn off LDAP authentication, simply change the values of 'authentication' and 'basic_authentication' in the config/auth_config.yml file to the type of authentication you wish to switch to, either 'cas' or 'mingle' (Note: cas will not work for basic_authentication). After restarting the Mingle server, users will then be able to use the Mingle password recovery feature in order to set a Mingle password.
  11. To enable SSL support, add "ldapusessl: true"
  12. To enable TLS support, add "ldapusetls: true". If the system use self-signed certificate, add "ldaptruststore: <path to your jdk/jre truststore&ht;"; otherwise, mingle will use default JDK/JRE truststore
  13. Either ldapusessl or ldapusetls can be set to true. All authentication will fail if both options are enable and set to true
  14. Since Mingle ships with a bundled JRE in the Windows version, if LDAP/SSL is enabled and self-signed certificate is used, please run keytool to install self-signed certificate to <mingle_installed_directory>/jre/lib/security/cacert. Install self-security to this keystore on every upgrade.

Uninstall

Should you ever wish to turn off LDAP authentication, simply change the values of 'authentication' and 'basic_authentication' in the config/auth_config.yml file to the type of authentication you wish to switch to, either 'cas' or 'mingle' (Note: cas will not work for basic_authentication). After restarting the Mingle server, users will then be able to use the Mingle password recovery feature in order to set a Mingle password.

If you are going to turn off LDAP authentication, be absolutely sure that you configure Mingle SMTP successfully before turning off LDAP authentication. This will ensure that the password recovery feature is available, allowing users to continue to use Mingle with Mingle's built-in authentication mechanism.