Active Directory and LDAP Connection Wizard

In order to add licensed users to Jama that authenticate to an AD or LDAP server, a valid connection must be established using the AD and LDAP Connection Wizard. The AD and LDAP Connection Wizard provides a guided process of adding or editing a connection to AD or LDAP.

Active Directory or LDAP Server Information

The first stage of the AD and LDAP Connection Wizard is to provide server information used to connect to the AD or LDAP server.

Name: Name of the connection that will appear in the Jama interface.

Description: Description of the connection that will appear in the Jama interface.

URL: The URL to the Active Directory or LDAP server.

Bind DN: The reference to the account that Jama will use to perform all actions against the Active Directory or LDAP server. This field accepts the Distinguished Name of the account ("cn=John Doe,ou=Users,dc=jamasoftware,dc=com").

Note: Some Active Directory servers support the use of Full Name ("John Doe") or Email ("jdoe@domain.com").

Bind Password: The password of the Bind DN account.

Test Configuration Button: This option will test for a successful connection to the specified server and bind account information. If successful, a "Configuration Successful" message will display in the window and the Base DN selection screen will expand.

Select the Base DN: The Base DN is the directory where users in Active Directory or LDAP exist that need to be added to Jama. Successfully tested configurations will load a radio button selection list of all available Base DNs.

[Screenshot: ldap_wizard_1]

Mapping AD and LDAP User Attributes to Jama User Attributes

The final stage of the AD and LDAP Connection Wizard is to specify the attributes in AD and LDAP that should auto-populate into Jama user attributes.

Username: The username of a sample user that exists within the specified Base DN.

Username Attribute: The attribute where the username value is stored. For example, AD commonly uses "sAMAccountName".

Next Button: Selecting the Next button will validate that the provided username and username attribute exist. If successful, the window will expand providing a selection list of all available attributes for each of the Jama user attributes.

Jama User Attributes: First Name, Last Name, Full Name, Email, Location, Phone, Title.

The selection drop-down displays all available directory attributes that are connected to the provided username. Select the correct value in the selection list that matches the Jama user attribute.

Save: Select Save once you have completed the mapping.

[Screenshot: ldap_wizard_2]

Advanced setup

Users can enter the advanced setup of the connection wizard at any point by selecting the Advanced Setup button. The Advanced Setup presents all of the available options from the wizard on a single screen, but it requires users to know all of the connection details and user attribute values in advance. On this screen the user must add the Full Name Attribute, or errors will result.

[Screenshot: ldap_wizard_detailed]

Troubleshooting Tips

The values you enter differ depending on the type of directory you are configuring. Below are examples for the two options; the key differences are the Login Name, Email and User Name attributes:

Active Directory:
URL: 'ldap://localhost:389'
Base Dn: 'ou=Users,dc=jamasoftware,dc=com'
Bind Dn: 'cn=Admin,ou=Admin Users,dc=jamasoftware,dc=com'
Bind Password: 'password'
Login Name Attribute: 'sAMAccountName'
Email Attribute: 'email'
User Name Attribute: 'displayName'
Sample User: 'admin'
Sample User Password: 'password'

LDAP:
URL: 'ldap://localhost:389'
Base Dn: 'ou=Users,dc=jamasoftware,dc=com'
Bind Dn: 'cn=Admin,ou=Admin Users,dc=jamasoftware,dc=com'
Bind Password: 'password'
Login Name Attribute: 'uid'
Email Attribute: 'mail'
User Name Attribute: 'cn'
Sample User: 'admin'
Sample User Password: 'password'

 

Note: If you are using SSL then it will be necessary to use the ldaps protocol. Example: ldaps://myserver.example.com:636

 

The Base Dn and Bind Dn values do not accept a domain-only value. At least one additional level is required, such as the 'ou=Users' seen in the examples above.

Take note of the "Can't Find User" and "Can't Authenticate User" errors. These usually indicate a successful connection and bind, but an incorrect Sample User or Sample User Password.

Note: The Sample User and Password fields are deleted every time the configuration window is closed.

Exceptions

When configuring LDAP there are several possible errors you may see. The list below should help identify the cause of each error.

Exception: "Unable to communicate with LDAP server; nested exception is javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: Connection refused: connect]"

Reason: Can't connect to the server. Check the URL and make sure port 389 is open.

 

Exception: "Operation failed; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]"

Reason: Either the Bind Dn or the Bind Password is not correct.

 

Exception: "Can't find user"

Reason: This indicates that the connection and bind succeeded (the URL, Bind Dn and Bind Password are correct). Either the Login Name Attribute was not filled in correctly or the Sample User does not exist under the indicated Base Dn.

 

Exception: "Can't Authenticate User"

Reason: The Sample User Password is incorrect. This error still indicates a successful connection to LDAP and that the Sample User was found under the Base Dn.

 

Exception: "Operation failed; nested exception is javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name ''"

Reason: The base of the search is usually not complete (too broad), for example a domain-only Base Dn; see the note on Base Dn values above.

 

Exception: "Operation failed; nested exception is javax.naming.ServiceUnavailableException: adunit:636; socket closed." (Port 636 is the SSL port.)

Reason: Either SSL is not supported by Spring LDAP or the certificate is not correct. Try the ldaps protocol, e.g. ldaps://myserver.example.com:636.
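The following is an added example, not part of this help page or of Jama's own code: a small stdlib-only Python pre-flight check for the wizard fields described in the Troubleshooting Tips (domain-only Base Dn / Bind Dn values, ldap:// on the SSL port 636) together with a classifier that maps the exception strings in the list above to the stage of the wizard test that failed (connect, bind, search, or sample-user authentication). All function names and the wording of the stage descriptions are assumptions chosen for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed pre-flight check for the wizard's fields and a classifier for the
# exception strings listed above. Function names are assumptions, not Jama's code.

def parse_dn(dn):
    """Split a DN into (attribute, value) RDNs; a backslash-escaped comma stays in the value."""
    parts = []
    for rdn in re.split(r'(?<!\\),', dn):
        if '=' not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split('=', 1)
        parts.append((attr.strip().lower(), value.strip()))
    return parts

def has_container(dn):
    """False for a domain-only DN (only dc= parts), which the wizard rejects."""
    return any(attr != 'dc' for attr, _ in parse_dn(dn))

def check_url(url):
    """Return a problem string for the server URL, or None if it looks sane."""
    u = urlsplit(url)
    if u.scheme not in ('ldap', 'ldaps') or not u.hostname:
        return f"URL must be ldap:// or ldaps:// with a host: {url!r}"
    port = u.port or (636 if u.scheme == 'ldaps' else 389)
    if port == 636 and u.scheme == 'ldap':
        return "port 636 is the SSL port; use ldaps://host:636"
    return None

# Fragment of each exception message from the list above -> stage of the test that failed.
STAGES = (
    ("ConnectException", "connect: check the URL and that the port is open"),
    ("ServiceUnavailableException", "connect: socket closed on the SSL port; use ldaps://"),
    ("error code 49", "bind: Bind Dn or Bind Password is wrong"),
    ("PartialResultException", "search: Base Dn too broad (domain-only)"),
    ("Can't find user", "search: Login Name Attribute wrong or Sample User outside Base Dn"),
    ("Can't Authenticate User", "user auth: Sample User password wrong; connection and lookup OK"),
)

def classify(message):
    """Map an exception string to the wizard stage that failed, or 'unknown'."""
    for needle, stage in STAGES:
        if needle.lower() in message.lower():
            return stage
    return "unknown"
```

Because AD may accept a full name or e-mail address as the Bind DN (see the note under Bind DN above), only run has_container on Bind DN values that actually contain an '='.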