WANdisco LDAP Plug-in Setup Guide

1. Introduction

WANdisco offers the LDAP/NIS plug-in as a free, unsupported plug-in that allows you to automatically synchronize user properties (user id, password) from an LDAP/NIS database.

1.1 Requirements for using the plugin

You must have a production license. User passwords must be stored as plain text in the LDAP server

WANdisco's products do not handle user authentication, although you can configure them to periodically connect with the LDAP/NIS database server to pull user information. You can also use the admin console to select any new users that appeared during the synchronization with LDAP/NIS.

You will need to querying LDAP according to the WANdisco user fields;
Username,First,Last,Email,Add,Ignore

2.2 Password Control

To make full use of the LDAP integration you must set your WANdisco product to control the Subversion password. You must be running WANdisco (Access Control or MuliSite) on the same server as Subversion.

Is WANdisco Controlling the Password File?
During setup, you enter settings that relate to your Subversion. There's a checkbox that relates to "Manage Password File:" (see below)

You can update your these settings after setup by going to the Proxy tab(1) and clicking on SVN settings(2), then editing the Repository settings(3).

1.3 Download the plug-in at this link:

http://wandisco.com/php/support_downloads.php?fdetail=ldap_nis.jar.

2. Using the Plug-in

You only need to do this at one site. As with any users in WANdisco, WANdisco replicates any users imported with this plug-in to other sites.

Refer also to the Basic Example at the end of this document.

1. Download the plug-in file.
2. Put the file in the <WANdisco product>/lib directory.
3. Shut down WANdisco at this site. In the Proxy tab, click Shut Down Node.
4. Wait a moment, then start up WANdisco. At <WANdisco product>/bin, type the start up command. For example, for Subversion MultiSite, type:
```
perl svnreplicator
```
5. On the Security tab, the plug-in has added new commands to the bottom left side menu.

6. Click LDAP / NIS. The LDAP / NIS Properties window displays, first asking for External Authorization Type.

7. Specify the Authorization details:

Auth Type: Select LDAP or NIS
Update SVN Password File:Select whether you user information that is pulled in from your LDAP server will be added to the Subversion password file.

You can then add the new users to WANdisco's user database if:
- for Subversion: You'll need to update the password file, and as stated, WANdisco must be managing the password file.
- for CVS: the CVS repository properties are configured correctly, and you click the Yes radio button for Yes, update the password file in the procedure that follows, and WANdisco is managing the password file.
Update Inverval: Initially, you probably want to set a short interval.
When you've finished, click Continue. You can edit these settings later by clicking Change Type.

Test Connection This button lets you confirm that you can connect to your LDAP server with the details you've entered.

Save Click this to store your LDAP settings before closing the screen.
8. Fill in the fields in the Properties section, according to your own directory structure. See the charts in the following pages for required fields. See the list below for more information about the LDAP properties.

2.2 LDAP Properties For Subversion

To set up integration with LDAP, you must specify the following properties. An asterisk (*) indicates the field is mandatory.

Host:: * The hostname or the IP address of the LDAP server.
Port:: The port of the LDAP server. If none specified, it defaults to 1389
Login DN:: * The string to log into the LDAP server. It could be a 'username' or ROOTDN. An example of DN is cn=Manager,dc=example,dc=com
Login Password:: * The password for Login DN 'username' or ROOTDN.
Base DN:: The string to log in to LDAP server. It could be a 'username' or ROOTDN. An example of DN is cn=Manager,dc=example,dc=com
Search objectClass:: The search object. If none specified, it defaults to 'person'
Username Field:: With a non-standard schema, this field lets you specify which file to map to Wandisco's username field.
Password Field:: With a non-standard schema, this field lets you specify which file to map to Wandisco's password field.
First Name Field:: With a non-standard schema, this field lets you specify which file to map to Wandisco's first name field.
Last Name Field:: With a non-standard schema, this field lets you specify which file to map to Wandisco's last name field.
Email Field:: With a non-standard schema, this field lets you specify which file to map to Wandisco's email address field.

WANdisco does not support customer integration of LDAP / NIS databases. Customers are responsible for their own integration.

9. Click Save.
10. Wait for the interval you specified in step 7. See the users that WANdisco imported. Click New Users.

11. If you want all listed users added to Access Control, click Process Users. When new users are found in the LDAP server, they are added to the New Users screen, where you need to manually add them to the Access Control users.
12. Click List Users to verify the users have been added.
If there are users listed in the table that you do not want to add to WANdisco, click the Ignore radio button next to their names.
13.Click Ignored Users to see any users you identified in the previous step with the Ignore button. These users stay in this category unless you change them to the Add category.
14. While the daemon is running, Access Control queries the authentication database at the specified interval. You may want to modify the process interval, in accordance with your system administration schedule. Remember, you still need to manually process any new uses, before they are added to the Access Control users lists (see step 11, above).

Store the password in clear text on LDAP server as required by Subversion only if the Update Passwords flag is set and auto-update of $SVNROOT/conf/passwd is turned on.

3. Example Setup

1. A basic example of how to use the plug-in is illustrated in the following screen shots.

First, use an LDAP browser to see the directory structure of your LDAP server.

2. Configure the daemon process that connects to the LDAP server. Choose an interval for the initial data retrieval that suits your platform requirements. Go to the Security tab and click LDAP/NIS.

3. Fill in the LDAP / NIS properties according to your directory structure.

4. Click Save to store your entries. Click Start Daemon. When the daemon is started it will check for new users, and then check at whatever interval you specified in the setup. If you ever want to trigger a check, stop, then restart the daemon. Click New Users. The page shows all the users retrieved from your LDAP server. Check the Add radio button next to each name you wish to add. Click Process Users.

5. Access Control will confirm what action has been taken, as illustration below.

6. Verify the users were added. Click List Users.

7. The LDAP integration is complete. You may want to modify the daemon process interval, in accordance with your system administration schedule.

2.2 LDAP Properties For Subversion

To set up integration with LDAP, you must specify the following properties. An asterisk (*) indicates the field is mandatory.