How to set up LDAP on Windows or Linux server with TACTIC

This document applies to TACTIC 3.8 and onwards.

LDAP Instructions
 
These are the steps for the LDAP set-up, assuming you already have TACTIC Enterprise installed.
 
Assumptions:  TACTIC_BASE_DIR is /home/apache, TACTIC_DATA_DIR is /home/apache/tactic_data
 
1. For LDAP integration, download and install python-ldap for your Python version.
 
 
2. Open the TACTIC Enterprise config file <TACTIC_DATA_DIR>\config\tactic-conf.xml and fill in a custom path where you will put your custom Python logic, for example:
<python_path>/home/apache/custom</python_path>
 
3. In the <security> section, fill in:
<authenticate_class>security.CustomLdapAuthenticate</authenticate_class>
 
Optionally, if you use a domain in your network, add the following line as well. It supports multiple domains separated by |:
  <authenticate_domains>some_domain_name</authenticate_domains>
 
4. In <TACTIC_BASE_DIR>/custom, unzip the attached file. You should now see the following contents in this folder:
__init__.py
security
      ldap_authenticate.py
      __init__.py
 
 
5. Edit the file ldap_authenticate.py. At the top there are a few lines:
 
LDAP_SERVER = 'ldap://somecompany.com'
LDAP_USER = 'some_domain_name\\user_name'
LDAP_PASSWORD = 'xxxxxxx'
BASE_DN = "dc=somecompany,dc=com"
 
Change the values on the right to those of a user that already exists in your LDAP server: replace somecompany, some_domain_name and user_name with the corresponding names in your network. Note that the backslash between the domain and the user name has to be written as \\ inside a Python string.
 
Then, in a Command Prompt, run the following from the folder <TACTIC_BASE_DIR>/custom/security:
python ldap_authenticate.py
 
If it runs fine, write down your LDAP_USER and LDAP_SERVER values. For LDAP_USER, you will be replacing the user-name portion with {login} in the next step.
 
6. Open the file <TACTIC_DATA_DIR>\config\tactic-conf.xml
and add the following (remember to replace the values for somecompany and some_domain_name):
 
<ldap_server>ldap://somecompany.com</ldap_server>
<ldap_path>some_domain_name\{login}</ldap_path>
 
7. Within the same <security> section, set:
<authenticate_mode>autocreate</authenticate_mode>
 
8. Save the file and exit. You can now try logging in with your LDAP credentials. A login entry will be created in the sthpw/login table (Global > Users) in TACTIC the first time you log in.
 
Notes:
- You may modify the method search_ldap_info in the file ldap_authenticate.py to accommodate how the name and email are retrieved from your LDAP server.
- For an Active Directory set-up on a Linux server, you may need to uncomment these two lines in the file:
 
#l.protocol_version = 3
#l.set_option(ldap.OPT_REFERRALS, 0)
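The following script is an added example, not TACTIC's own ldap_authenticate.py: it performs the same bind-and-search check as step 5 against python-ldap (imported as ldap), applies the two Active Directory settings from the note above, and uses the same {login} placeholder as <ldap_path>. The file name ldap_check.py, the function names, the sAMAccountName lookup attribute and every server, domain and user value are assumptions or constructed placeholders. The login is escaped before it is placed in the search filter, and Active Directory referral entries (returned with a dn of None) are dropped before the entry count is checked, since counting them can produce a spurious "more than 1 entry" result.

```python
"""Added example (not TACTIC's own ldap_authenticate.py): the bind-and-search
check that step 5 performs, written against python-ldap (imported as ``ldap``),
with the two Active Directory settings from the note applied. All names and
values below are assumptions or constructed placeholders."""
import getpass
import sys

try:
    import ldap  # python-ldap; only required when talking to a real server
except ImportError:  # keeps the helper functions usable without it
    ldap = None

SCOPE_SUBTREE = getattr(ldap, 'SCOPE_SUBTREE', 2)  # python-ldap's constant

# Placeholders to fill in, as in step 5. The backslash is written as '\\'
# (a raw string also works); a bare backslash is subject to Python's escape rules.
LDAP_SERVER = 'ldap://somecompany.com'
LDAP_PATH = 'some_domain_name\\{login}'   # same template as <ldap_path>
BASE_DN = 'dc=somecompany,dc=com'


def bind_name(ldap_path, login):
    """Expand the <ldap_path> template: {login} becomes the user's login name."""
    return ldap_path.replace('{login}', login)


def escape_filter(value):
    """RFC 4515 escaping for a value embedded in a search filter, so a login
    such as 'a*)(objectClass=*' cannot rewrite the query. python-ldap offers
    the same thing as ldap.filter.escape_filter_chars."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch
                   for ch in value)


def open_connection(server):
    """Connect with LDAPv3 and referral chasing off, the two lines the
    article says an Active Directory set-up on Linux needs."""
    if ldap is None:
        raise RuntimeError('python-ldap is not installed')
    conn = ldap.initialize(server)
    conn.protocol_version = 3
    conn.set_option(ldap.OPT_REFERRALS, 0)
    return conn


def verify(conn, ldap_path, login, password, base_dn):
    """Bind as the user, then look the account up under base_dn.
    Returns the single (dn, attrs) entry; raises LookupError when the search
    does not yield exactly one real entry. The bind itself raises
    ldap.INVALID_CREDENTIALS on a bad password."""
    conn.simple_bind_s(bind_name(ldap_path, login), password)
    search_filter = '(sAMAccountName=%s)' % escape_filter(login)
    results = conn.search_s(base_dn, SCOPE_SUBTREE, search_filter,
                            ['displayName', 'mail'])
    # Active Directory answers subtree searches with referral entries whose dn
    # is None; counting them is one way to get a spurious "more than 1 entry".
    entries = [(dn, attrs) for dn, attrs in results if dn is not None]
    if len(entries) != 1:
        raise LookupError('expected 1 LDAP entry for %r, found %d'
                          % (login, len(entries)))
    return entries[0]


if __name__ == '__main__':
    # usage: python ldap_check.py <login>   (password is prompted, not stored)
    login = sys.argv[1]
    password = getpass.getpass('LDAP password for %s: ' % login)
    conn = open_connection(LDAP_SERVER)
    try:
        dn, attrs = verify(conn, LDAP_PATH, login, password, BASE_DN)
    except ldap.INVALID_CREDENTIALS as exc:
        print('login failed:', exc)
        sys.exit(1)
    print('login succeeded:', dn)
    print('INFO', {k: v[0].decode() for k, v in attrs.items()})
```

Run it as python ldap_check.py user_name from the custom/security folder after filling in the three placeholders. Prompting for the password keeps it out of the file and your shell history, which matters because the file in step 5 otherwise holds a working directory credential in clear text.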
 
Comments

Submitted by roy6160 on

I'm running TACTIC Enterprise 3.9v05 on CentOS 6.2 and the following line does not seem to work:
<authenticate_class>security.CustomLdapAuthenticate</authenticate_class>
Wondering if these instructions have been tested on CentOS 6.

Submitted by oboreo on

Remember that this assumption and step 4 go hand in hand. If you have TACTIC installed somewhere else, you have to adjust accordingly:
Assumptions:  TACTIC_BASE_DIR is /home/apache, TACTIC_DATA_DIR is /home/apache/tactic_data
Try posting what you have set up in the config file maybe. And what was your input and output to prove that it doesn't work?
 

Submitted by chantk on

Hi, I'm new to TACTIC. I'm trying out the VMware image 4.0.0rc02. I couldn't seem to get it to authenticate against our AD. It gave me the following error:

Login/Password combination incorrect. {'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1', 'desc': 'Invalid credentials'}

I followed the instructions on the Active Directory Integration article and this page.

In step 5, I had to escape the back slash to get it authenticated.

LDAP_USER= 'mydomain\\myuser'
> python ldap_authenticate.py
login succeeded
More than 1 login entry found in LDAP. Exit!
INFO  {}

Then I followed the rest of the instructions. Tried with escaped/non-escaped back slash at the <ldap_path> line. Both have the same error as above.

The services and active_directory sections of my tactic_conf.xml:

  <security>
    <version>2</version>
    <ticket_expiry>10 hour</ticket_expiry>
    <authenticate_mode>autocreate</authenticate_mode>
    <authenticate_class>security.CustomLdapAuthenticate</authenticate_class>
    <authenticate_domains>mydomain.com</authenticate_domains>
    <authenticate_version>2</authenticate_version>
    <auto_create_user>true</auto_create_user>
    <case_insensitive_login>true</case_insensitive_login>
    <ldap_server>ldap://dc1.mydomain.com</ldap_server>
    <ldap_path>mydomain\{login}</ldap_path>
    <api_require_password>true</api_require_password>
    <api_password/>
  </security>
  <active_directory>
    <domains>mydomain.com</domains>
    <allow>all</allow>
    <default_groups>client</default_groups>
    <default_license_type>default</default_license_type>
  </active_directory>

Any help appreciated.

Submitted by oboreo on

You can see in your ldap_authenticate.py file that these 2 lines were commented out in the verify() method. You would need to uncomment them for an Active Directory setup.
 

  #l.protocol_version = 3
  #l.set_option(ldap.OPT_REFERRALS, 0)
 
The other issue you have is that more than one entry is found in your AD with that login name. It doesn't affect login, but it affects the filling in of info after logging in.

Submitted by supporto.sb on

Hi,
I installed TACTIC with the version for VMware (Fedora).
I followed all the procedures, but in step 5 I still get the error LdapErr: DSID-0C0903A9.

LDAP_SERVER =  'ldap://mydomain.com' (also with 'ldap://myserver.mydomain.com')
LDAP_USER =  'MYDOMAIN\myADuser'
LDAP_PASSWORD = 'mypassword'
BASE_DN = 'DC=myserver,DC=mydomain,DC=com'

I tried with the AD Administrator user and with a specific AD user, but always got "Invalid credentials".
I tried with upper and lower case, with and without "DC=myserver", with and without "CN,OU".
I modified my tactic_config.xml according to the instructions.
Does anyone have another idea or another example, please?
Thank you.

Submitted by Nick Jacka on

Hi there,
I was wondering if you or anyone else found a solution to this error.
I have gone over my setup multiple times, with numerous suggestions for fixes, to no avail.
We are using 4.1.0 v05 on CentOS 7.
Cheers

Submitted by krs on

Hi,
 
I tried every configuration using a user and password, but I always received error code 37 with a DN syntax error.
But at last I tried to connect to LDAP with no credentials, and it seems the server allows anonymous login.
 
When I edit ldap_authenticate.py with this:
LDAP_SERVER = 'ldap://myserverIP'
LDAP_USER = ''
LDAP_PASSWORD = ''
BASE_DN = 'dc=myserverdomain,dc=com'
 
it finally connects, with the result as in step 5.
 
Does anybody have an idea how to fill in tactic-conf.xml in that case?
 
 

Submitted by Pan@nma on

Step 4: "In <TACITC_BASE_DIR>/custom, unzip the attached file there."
What does "attached file" mean? I can't find any file there.