
LDAP Authentication with OpenLDAP Server

This document describes how to configure LDAP Authentication in Time Tracker against OpenLDAP Server.

Change Authentication Parameters in config.php

To enable LDAP authentication, set the AUTH_MODULE value in the WEB-INF/config.php file as follows:
define('AUTH_MODULE', 'ldap');

You also need to define the following authentication parameters in the same file.
$GLOBALS['AUTH_MODULE_PARAMS'] = array(
  'server' => '127.0.0.1',
  'type' => 'openldap',
  'base_dn' => 'ou=people,dc=example,dc=com',
  'default_domain' => 'example.com',
  'member_of' => array());
The parameters here are:

server - IP address or name of your LDAP server. If you installed Time Tracker on the same machine it can be localhost, or 127.0.0.1.

type - type of LDAP server. Set it to openldap for OpenLDAP, Oracle Directory Server, or other non-Windows LDAP server.

base_dn - base distinguished name in the LDAP directory. For example, if your users belong to the organizational unit ou=people,dc=example,dc=com, set base_dn to that value.

default_domain - default domain name that Time Tracker appends to logins specified without a domain part. For example, you may log in to Time Tracker as johndoe, without a domain name or other identifiers at the end. Internally, Time Tracker will use the following distinguished name to identify you to the OpenLDAP server: uid=johndoe,ou=people,dc=example,dc=com. Your login in Time Tracker, however, will be johndoe@example.com.

member_of - comma-separated list of groups; membership in these groups is required for a user to be authenticated. It can be empty. (Note: for Oracle Directory Server it must be empty.)
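The login-to-DN mapping described above, as an added PHP illustration that is not Time Tracker's own code: given the AUTH_MODULE_PARAMS array and a login, it appends default_domain when the login carries no domain part, treats admin as the one login that never has a domain (see the user accounts section below), and builds uid=<username>,<base_dn>. The function names, the character whitelist on the username and the constructed sample logins are this example's own choices; it needs the php_ldap extension for ldap_escape.

```php
<?php
declare(strict_types=1);

// Constructed parameters, matching the example in the text.
$params = array(
  'server' => '127.0.0.1',
  'type' => 'openldap',
  'base_dn' => 'ou=people,dc=example,dc=com',
  'default_domain' => 'example.com',
  'member_of' => array());

// Normalize a Time Tracker login: append default_domain when the login has
// no domain part. "admin" is the one login that never carries a domain.
function normalizeLogin(array $params, string $login): string {
  $login = trim($login);
  if ($login === 'admin' || strpos($login, '@') !== false) {
    return $login;
  }
  return $login . '@' . $params['default_domain'];
}

// Build the DN that would be bound against: uid=<username>,<base_dn>.
// Returns null for logins that cannot be mapped safely. Rejecting DN
// metacharacters in the username instead of only escaping them is this
// example's assumption: such a uid does not exist in a normal directory,
// and a reject is easier to audit than an escape.
function loginToDn(array $params, string $login): ?string {
  $login = normalizeLogin($params, $login);
  $at = strpos($login, '@');
  $user = $at === false ? $login : substr($login, 0, $at);
  if ($user === '' || !preg_match('/^[A-Za-z0-9._-]+$/', $user)) {
    return null;
  }
  // ldap_escape with LDAP_ESCAPE_DN is a no-op for the characters allowed
  // above, but keeps the construction correct if the rule is ever relaxed.
  return 'uid=' . ldap_escape($user, '', LDAP_ESCAPE_DN) . ',' . $params['base_dn'];
}

// Constructed sample logins.
$samples = array(
  'johndoe',               // bare login: default_domain is appended
  'johndoe@example.com',   // already qualified
  'admin',                 // the single exception, no domain
  'jane.doe@example.com',
  'x,ou=admins',           // DN metacharacters: rejected
  '',                      // empty: rejected
);
foreach ($samples as $login) {
  $dn = loginToDn($params, $login);
  printf("%-24s => %s\n", var_export($login, true), $dn ?? 'REJECTED');
}
```

Run it with php from the command line; the first three samples all resolve under ou=people,dc=example,dc=com, while the last two are refused before any DN is formed.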

Enable php_ldap Extension

Enable the php_ldap extension in your php.ini. On Windows this is usually just a matter of uncommenting one line in php.ini so that it becomes:
extension=php_ldap.dll
On Linux the extension is normally installed as a separate package (for example php-ldap) and loaded with extension=ldap rather than the .dll line above. Do not forget to restart your web server after changing php.ini.

How to Set User Accounts with LDAP Authentication

It is very important to set up Time Tracker users correctly for LDAP authentication, because user identifiers (logins) differ between Time Tracker and the OpenLDAP server.

User Logins in Time Tracker

Logins for managers, co-managers, and users must be in the form username@domain.com in Time Tracker, otherwise users will not be able to log in. The only exception is admin, whose login is always just admin. If you already have a database of Time Tracker users, you need to change their logins accordingly.

User Identifiers in OpenLDAP

User distinguished names in the OpenLDAP server have the following format: uid=username,ou=people,dc=domain,dc=com. The username part of a Time Tracker login matches the same part of the OpenLDAP user distinguished name.

  1. Create an OpenLDAP account with uid=admin. Log in to your Time Tracker as admin. When LDAP authentication is used, only admin can create teams.
  2. If you need to create a new team, go to the Teams page in admin's interface and create it. Use the username@domain.com format for the manager login.
  3. At this point you may need to create an LDAP account for the team manager if it does not exist. Without LDAP accounts, users are not able to log in to Time Tracker.
  4. Log out of the admin account. Log in to Time Tracker as the new team manager. Go to the Users page and create logins for users in the format username@domain.com. Remember that all Time Tracker users must have their own LDAP accounts.

If you don't want to mess with the admin account, configure Time Tracker with db authentication first. Make sure that user logins are in the username@domain.com format. When this part is working, make sure that LDAP accounts for the users exist. Then change the authentication parameters in the Time Tracker config.php file.

Debugging

If you have problems with LDAP authentication, enable debug output in the config.php file as follows:
define('AUTH_DEBUG', 1);
This will allow you to see the values being passed to the LDAP server and understand potential issues. Because that output includes the distinguished names being tried, set AUTH_DEBUG back to 0 once the problem is found. Another option is to examine the LDAP server logs to see at which point authentication fails.

OpenLDAP Configuration Example

Here is an example of configuration parameters and user names / logins for OpenLDAP:
define('AUTH_MODULE', 'ldap');

$GLOBALS['AUTH_MODULE_PARAMS'] = array(
  'server' => 'localhost',
  'type' => 'openldap',
  'base_dn' => 'ou=people,dc=mydomain,dc=com',
  'default_domain' => 'mydomain.com',
  'member_of' => array());
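A stand-alone bind check built on the configuration example above, added here as a companion to the Debugging section; it is example code, not Time Tracker's own authentication module. It performs the steps the parameters imply (connect to server, StartTLS, bind as uid=<username>,<base_dn>, then one group search per member_of entry) and reports where the sequence stops. GROUP_BASE_DN, the groupOfNames/member schema used for the group search, the function names and the prompt are assumptions of this example; how Time Tracker itself evaluates member_of is not described on this page.

```php
<?php
declare(strict_types=1);

// Constructed parameters; copied from the configuration example above.
$params = array(
  'server' => 'localhost',
  'type' => 'openldap',
  'base_dn' => 'ou=people,dc=mydomain,dc=com',
  'default_domain' => 'mydomain.com',
  'member_of' => array());

// Assumption: groups live under this DN as groupOfNames entries whose
// "member" attribute holds user DNs. Adjust to your directory.
const GROUP_BASE_DN = 'dc=mydomain,dc=com';

// Login -> DN as described in the parameters section: uid=<username>,<base_dn>.
function loginToDn(array $params, string $login): string {
  $user = strpos($login, '@') === false ? $login : strstr($login, '@', true);
  return 'uid=' . ldap_escape($user, '', LDAP_ESCAPE_DN) . ',' . $params['base_dn'];
}

// Attempt the exact bind Time Tracker needs to succeed. Returns a list of
// step messages; the last one tells you where the sequence stopped.
function checkLdapLogin(array $params, string $login, string $password): array {
  $log = array();
  // An empty password makes OpenLDAP perform an anonymous (unauthenticated)
  // bind that succeeds, so it must be rejected before ldap_bind is called.
  if ($password === '') {
    $log[] = 'FAIL: empty password would become an anonymous bind';
    return $log;
  }
  $dn = loginToDn($params, $login);
  $log[] = "DN: $dn";

  $ds = ldap_connect('ldap://' . $params['server']);
  if ($ds === false) {
    $log[] = 'FAIL: malformed LDAP URI';
    return $log;
  }
  ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
  ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
  ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);

  // Passwords travel in the clear over plain ldap://; upgrade with StartTLS
  // and fail closed if the server does not offer it.
  if (!@ldap_start_tls($ds)) {
    $log[] = 'FAIL: StartTLS: ' . ldap_error($ds);
    ldap_unbind($ds);
    return $log;
  }
  $log[] = 'OK: StartTLS';

  if (!@ldap_bind($ds, $dn, $password)) {
    // errno 49 (invalidCredentials) covers both a wrong password and a DN
    // that does not exist; OpenLDAP does not distinguish the two on bind,
    // so re-check base_dn and the uid when you see it.
    $log[] = sprintf('FAIL: bind: %s (errno %d)', ldap_error($ds), ldap_errno($ds));
    ldap_unbind($ds);
    return $log;
  }
  $log[] = 'OK: bind';

  // Optional group requirement: one search per required group name.
  foreach ($params['member_of'] as $group) {
    $filter = sprintf('(&(objectClass=groupOfNames)(cn=%s)(member=%s))',
      ldap_escape($group, '', LDAP_ESCAPE_FILTER),
      ldap_escape($dn, '', LDAP_ESCAPE_FILTER));
    $sr = @ldap_search($ds, GROUP_BASE_DN, $filter, array('cn'));
    $found = $sr !== false && ldap_count_entries($ds, $sr) > 0;
    $log[] = ($found ? 'OK' : 'FAIL') . ": member of $group";
    if (!$found) {
      ldap_unbind($ds);
      return $log;
    }
  }
  ldap_unbind($ds);
  $log[] = 'OK: authentication would succeed';
  return $log;
}

// Usage: php ldap_check.php user1@mydomain.com   (password is read from stdin)
if (PHP_SAPI === 'cli' && isset($argv[1])) {
  fwrite(STDERR, "Password: ");
  $password = rtrim((string) fgets(STDIN), "\r\n");
  foreach (checkLdapLogin($params, $argv[1], $password) as $line) {
    echo $line, "\n";
  }
}
```

Run it on the web server host with the same php.ini that Time Tracker uses, so that a missing php_ldap extension shows up here as an undefined function rather than as a silent login failure in the application.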

OpenLDAP Distinguished Names - Example

These user distinguished names are configured in the LDAP directory.
uid=admin,ou=people,dc=mydomain,dc=com
uid=manager,ou=people,dc=mydomain,dc=com
uid=comanager,ou=people,dc=mydomain,dc=com
uid=user1,ou=people,dc=mydomain,dc=com

Corresponding Time Tracker Logins - Example

These logins are configured in Time Tracker for the corresponding OpenLDAP example entries above.
admin
manager@mydomain.com
comanager@mydomain.com
user1@mydomain.com
