Author Topic: Zentyal ldap server and Timetrex ldap login [Solved]  (Read 8425 times)

andygraybeal

  • Zen Monk
  • **
  • Posts: 61
  • Karma: +4/-0
Zentyal ldap server and Timetrex ldap login [Solved]
« on: June 25, 2011, 06:39:43 pm »
Greetings.  I am looking into "Timetrex" for payroll and scheduling.  I would like to get it to authenticate with Zentyal's LDAP.

I'm no good at this LDAP stuff... I guess I need more practice.  Here are Timetrex's LDAP Auth configuration settings directly from the admin module.  The stuff in parentheses is explaining the field in Timetrex's words:


1. Server: hostname, this one is easy :)
2. Port: 389, also easy
3. Bind User Name: ?? (Used to search for the Timetrex user, leave blank for anonymous binding)
4. Bind Password: ??
5. Base DN:  dc=zabulon,dc=casanueva,dc=com  ... I copied directly from my zentyal ldap master, I think this is what it needs.
6. Bind Attribute: ??  (For binding the LDAP user. ie: AD/openLDAP: userPrincipalName, Mac OSX: uid)  I think this is "Users" for zentyal, but I need some help here.
7. User filter: ?? (Additional filter parameters, ie is_timetrex_user=1)  I think this is just extra and not needed
8. Login Attribute: ?? (For searching the LDAP user.  ie: AD: sAMAccountName, openLDAP:dn, Mac OSX: dn)  I'm just going to assume that I should use "dn" like it says- but again I have no idea.


I'm hoping someone can connect the dots. I assume that no one has experience connecting Timetrex with Zentyal because Google hasn't turned anything up and it doesn't exist yet in this forum.

Thanks,
Andy
« Last Edit: December 15, 2011, 11:59:13 pm by andygraybeal »

andygraybeal

Re: zentyal ldap server and Timetrex ldap login
« Reply #1 on: December 12, 2011, 10:28:57 pm »
Hi,
I've got TimeTrex to communicate with Zentyal's LDAP; I'm still confused about Bind and Login Attributes.

The Timetrex config examples on the page say this:
Bind Attribute: (For binding the LDAP user. ie: AD/openLDAP: userPrincipalName, Mac OSX: uid)
Login Attribute: (For searching the LDAP user.  ie: AD: sAMAccountName, openLDAP:dn, Mac OSX: dn)

Any help would be appreciated.
Andy

christian

  • Guest
Re: Zentyal ldap server and Timetrex ldap login
« Reply #2 on: December 12, 2011, 10:46:19 pm »
I assume the wording you are using here is the one from Timetrex, which is a bit confusing :( It looks like they don't really understand the LDAP protocol...

"bind attribute" is not as flexible as it looks to be.

The normal LDAP authentication process uses the ldapsearch command, aiming to retrieve a unique entry in the LDAP repository matching the LDAP filter. This filter may have any complexity, but most of the time it involves one attribute known as "login" (uid, samaccountname, userprincipalname).
Once the entry is found and unique, the second step is to use the ldap bind command. Assuming simple bind is used, ldapbind relies on the "DN" and the user's password. You have no choice and cannot decide that you will bind using another attribute than the one identifying the user's entry in the DIT. This is always (almost?) DN. Keep in mind that DN stands for "Distinguished Name", meaning THE name permitting to uniquely identify each entry in the whole directory.

So, I suppose your previous post is mixing bind and login concepts, and I strongly suggest you do not try to bind using anything else than DN. BTW, anything else will not work  ;D ;D ;D
Login attribute is, indeed, "uid".

Regarding "bind username" and "bind password", these are used with directories that do not permit anonymous search (the one I describe at the beginning of this post). Most of the time, anonymous search is authorized. You don't need to set it.

I hope this helps.
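
Added example, not part of the original posts and not Timetrex or Zentyal code: the search-then-bind flow described in the reply above, run against a small in-memory stand-in for the directory so it works offline. The sample entries and passwords are constructed, the function names are hypothetical, and the input escaping and empty-password check are additions a login form in front of LDAP would normally carry.

```python
import re

BASE_DN = "ou=Users,dc=testdirectory01"  # Base DN from the thread's final settings
# Constructed sample directory (DN -> attributes); all values are illustrative.
DIRECTORY = {
    "uid=andy,ou=Users,dc=testdirectory01": {"uid": "andy", "userPassword": "s3cret"},
    "uid=bob,ou=Users,dc=testdirectory01": {"uid": "bob", "userPassword": "hunter2"},
    "cn=admins,ou=Groups,dc=testdirectory01": {"cn": "admins"},
}

def escape_filter_value(value):
    """Escape the RFC 4515 special characters so user input stays a literal."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def search(directory, base_dn, flt):
    """Stand-in for an anonymous subtree search with one (attr=value) filter."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
    if not m:
        raise ValueError("unsupported filter: %r" % flt)
    attr, raw = m.groups()
    # An unescaped '*' is a wildcard; \xx sequences decode to literal characters.
    parts = [re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), p)
             for p in raw.split("*")]
    pattern = ".*".join(re.escape(p) for p in parts)
    # Crude suffix comparison stands in for real subtree scoping.
    return [dn for dn, attrs in directory.items()
            if dn.lower().endswith(base_dn.lower())
            and attr in attrs and re.fullmatch(pattern, attrs[attr], re.S)]

def simple_bind(directory, dn, password):
    """Stand-in for an LDAP simple bind: the entry's DN plus its password."""
    return directory.get(dn, {}).get("userPassword") == password

def authenticate(directory, base_dn, login, password, login_attr="uid"):
    """Step 1: find exactly one entry by login attribute. Step 2: bind as its DN."""
    if not login or not password:
        # A DN with an empty password is an unauthenticated bind (RFC 4513),
        # which some servers report as success; refuse it before any lookup.
        return None
    flt = "(%s=%s)" % (login_attr, escape_filter_value(login))
    matches = search(directory, base_dn, flt)
    if len(matches) != 1:  # no entry, or an ambiguous match
        return None
    dn = matches[0]
    return dn if simple_bind(directory, dn, password) else None
```

The value returned on success is the DN that was used for the bind, which is the point made above: the login attribute only selects the entry, and the bind itself always uses the DN.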

andygraybeal

Re: Zentyal ldap server and Timetrex ldap login
« Reply #3 on: December 12, 2011, 11:36:30 pm »
Okay, thank you for the information.  I will try this out.

andygraybeal

Re: Zentyal ldap server and Timetrex ldap login
« Reply #4 on: December 15, 2011, 05:56:44 pm »
Figured it out, here's the setup:

Apache v2.2.14
Mysql v5.1.41-3
PHP v5.3.2-1
TimeTrex v3.7.0 from zip install (not bin)
Zentyal 2.2 w/ openldap directory server

TimeTrex settings to auth against Zentyal 2.2's LDAP:
LDAP Auth: Enabled w/ Local Fallback
Server: 192.168.122.110
Port: 389
Bind User Name: <blank>
Bind Password: <blank>
Base DN: ou=Users,dc=testdirectory01
Bind Attribute: uid
User Filter: <blank>
Login Attribute: <blank>

Andy
« Last Edit: December 15, 2011, 06:24:33 pm by andygraybeal »