Integrating SpiraTest, SpiraPlan or SpiraTeam with your LDAP or ActiveDirectory directory server makes a lot of sense. It allows you to have a single user authentication system, with all logins and passwords centrally managed. Spira includes integration with LDAP out of the box, and this article provides help for some common issues that we have come across.
The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over the Internet. It allows one application (in this case SpiraTeam) to connect to a directory service (LDAP server) to find out if a user is authenticated and authorized.
In the case of SpiraTeam, we only use LDAP for authentication, so that a company can have a central list of usernames and passwords that SpiraTeam checks against. For authorization, SpiraTeam uses its own project-based, role-based security, so we don't rely on LDAP for user permissions or roles.
For a full understanding of LDAP structure, please refer to the guide, however in general, you have the following structure:
(Diagram of an LDAP directory tree, reproduced from https://www.pks.mpg.de/~mueller/docs/suse10.1/suselinux-manual_en/manual/sec.ldap.tree.html)
where LDAP trees have the following elements:
The path in an LDAP system is concatenated from bottom to top, separated by commas. In this example above, you would have:
Microsoft has shipped an implementation of LDAP with Windows Server since Windows 2000, called Microsoft Active Directory (aka AD). ActiveDirectory is a specific implementation of LDAP that has some idiosyncrasies. One of the challenges of integrating with ActiveDirectory is that the built-in administration tools don't always display the LDAP names of objects, and ActiveDirectory uses some custom attributes that we shall highlight in this article.
For the remainder of this article we shall use the term LDAP to include ActiveDirectory, but we shall include specific information on the differences where it affects the configuration.
To use SpiraTeam with LDAP, the first thing you need to do is go to the LDAP Configuration screen inside SpiraTeam:
You should put in the following attributes:
Here is an example setup:
If you are using Microsoft ActiveDirectory, you can get the Base DN path from the Windows Server Manager:
The following ActiveDirectory objects map to LDAP:
The next step is to populate the various attributes:
If you are using any LDAP server other than ActiveDirectory, these values are correct and should not be changed!
If you are using Microsoft ActiveDirectory, you need to change the following:
So it would look like:
If you want to test the configuration, copy the LDAP Bind DN and LDAP Bind Password into the Sample User and Sample User Password boxes. Then click Save:
Assuming it passes, you can now move onto the next stage.
Once you have set up the LDAP connection (in the previous step), you need to go to the View/Edit Users page in Administration:
Click on the button Import Users From an LDAP Server:
You will now have the option to import the selected users into SpiraTeam. The user list is relative to the Base DN that you specified previously: only users in the Base DN container / organizational unit (and any subfolders) will be displayed in the list. Also, any users that already have a login to SpiraTeam will be excluded from the list. If you want to convert an existing user to LDAP, please read the separate section below.
Once the import completes, the user is available as a new user in SpiraTeam and has a profile that looks like the following:
Note that the user has the flag "LDAP Managed User" set to "Yes" and the password fields will be blank. The full LDAP Distinguished Name (aka LDAP DN) will be part of their profile. This is what SpiraTeam will use to connect to the LDAP server for authentication purposes, when the user tries to log in.
That means that if you move the user within your LDAP directory (e.g. from under CN=Users to OU=Headquarters Users), you will need to update the LDAP DN in their profile. You cannot re-import the user from LDAP, because their profile already exists.
If you have an existing SpiraTeam user that currently uses the built-in SpiraTeam password management features and you want to convert to an LDAP Managed User, you cannot use the Import Users from LDAP option described in the previous section.
Instead you need to find that user's profile inside SpiraTeam using the View/Edit Users list and manually set the LDAP Managed User flag to "Yes" and enter their LDAP DN in the appropriate field.
When using the LDAP integration, you may find that a user is unable to log in. Here are some common LDAP error messages that you may see in the SpiraTeam event log, and their solutions:
In addition, if specific fields are missing when you try to do the import, or no records appear at all, check that you are using the correct LDAP login attribute (uid for generic LDAP, sAMAccountName for ActiveDirectory) and that the Base DN is correct.
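The following is an added example, not SpiraTeam or Inflectra code, showing how the settings in this article fit together: a user's stored LDAP DN is a leaf-first, comma-separated path (the structure section above); the import only lists users whose DN ends with the Base DN, and a user moved to another container needs a new DN in their profile (the import and "existing user" sections); and the login attribute is uid for generic LDAP but sAMAccountName for ActiveDirectory (the configuration and troubleshooting sections). All DNs and names in it are constructed sample values, and the DN parser is deliberately simplified (no multi-valued RDNs, no hex escapes).

```python
"""Added example (not SpiraTeam/Inflectra code): helpers that mirror how the
LDAP settings described in the article relate to each other."""

# Hypothetical sample Base DN, constructed for this example.
BASE_DN = "DC=example,DC=com"

# Characters that must be backslash-escaped inside a DN value (RFC 4514).
_DN_SPECIAL = ',+"\\<>;'

# Login attribute per server type, as given in the article.
LOGIN_ATTRIBUTE = {"ldap": "uid", "activedirectory": "sAMAccountName"}


def escape_dn_value(value):
    """Escape one RDN value so it can be embedded safely in a DN string."""
    out = "".join("\\" + c if c in _DN_SPECIAL else c for c in value)
    if out[:1] in ("#", " "):               # leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "              # trailing space must be escaped too
    return out


def parse_dn(dn):
    """Split a DN into [(attribute, value), ...], leaf first.
    A backslash-escaped comma inside a value (e.g. 'Bloggs\\, Fred') is kept as
    part of the value rather than treated as a separator.  Simplified: does not
    decode hex escapes (\\2c) or multi-valued RDNs joined with '+'."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # drop the backslash, keep the char
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip(), value.strip()))
    return rdns


def build_dn(*rdns):
    """Concatenate (attribute, value) pairs bottom-to-top into a DN, exactly as
    the article describes: ('CN','Fred'),('OU','Users'),... -> 'CN=Fred,OU=Users,...'"""
    return ",".join(f"{attr}={escape_dn_value(value)}" for attr, value in rdns)


def _normalise(rdns):
    # Attribute types, and the values of CN/OU/DC, compare case-insensitively.
    return [(a.lower(), v.lower()) for a, v in rdns]


def is_under_base_dn(user_dn, base_dn=BASE_DN):
    """True when the user sits in the Base DN container or any sub-container,
    which is the rule the LDAP import applies when listing users."""
    user, base = _normalise(parse_dn(user_dn)), _normalise(parse_dn(base_dn))
    return len(user) > len(base) and user[-len(base):] == base


def dn_after_move(user_dn, new_parent_dn):
    """Recompute the DN to store in a profile after the user has been moved to
    another container (e.g. from CN=Users to OU=Headquarters Users)."""
    leaf = parse_dn(user_dn)[0]
    return build_dn(leaf, *parse_dn(new_parent_dn))


def escape_filter_value(value):
    """RFC 4515 escaping, so a login name typed at the login screen can only
    ever be matched as a literal value and cannot add or close filter clauses."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def login_filter(login, server_type="ldap"):
    """Search filter that finds the directory entry for a login name, using the
    attribute the article gives for each server type."""
    attr = LOGIN_ATTRIBUTE[server_type]
    return f"({attr}={escape_filter_value(login)})"


if __name__ == "__main__":
    user = "CN=Fred Bloggs,CN=Users,DC=example,DC=com"
    print(is_under_base_dn(user))
    print(dn_after_move(user, "OU=Headquarters Users,DC=example,DC=com"))
    print(login_filter("fbloggs", "activedirectory"))
```

Running the block prints whether the sample user falls under the Base DN, the DN you would paste into the profile after moving that user into OU=Headquarters Users, and the sAMAccountName filter used for an ActiveDirectory login. Comparing the stored DN against the Base DN with `is_under_base_dn` is a quick way to confirm a profile's LDAP DN is still valid when a login starts failing after a directory reorganisation.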