I have migrated Jenkins to use LDAP login without any problems. But when I try to migrate Phabricator to use LDAP, I get "Username or password are incorrect." every time, and I'm sure the same username and password can log in to Jenkins. I use the same OpenLDAP server, and the LDAP has a read-only DN: cn=readonly,dc=my-company,dc=com. The Phabricator configuration is listed below:
Enabled: "Allow login"
LDAP hostname & port: exactly the same as my Jenkins configuration
Base distinguished name: ou=user,dc=my-company,dc=com (while the Jenkins root DN is dc=my-company,dc=com)
Search attributes: blank
Always search: unchecked
Anonymous username: cn=readonly,dc=my-company,dc=com (the same as the Jenkins Manager DN)
Anonymous password: password (the same as the Jenkins Manager password)
Username attribute: uid
Realname attribute: empty
LDAP version: 3
This has been blocking me for two days. Is there something I missed?
Thanks for your answers~
Answer 0 (score: 0)
Oh, I see. Phabricator has a different LDAP login mechanism from Jenkins. Phabricator always binds to LDAP with the user's DN and password (to verify the login), and then searches for the user's DN itself. Here is a comment from the LDAP login code:
// This is unusual (since the bind succeeded) but we've seen it at least
// once in the wild, where the anonymous user is allowed to search but
// the credentialed user is not.
// If we don't have anonymous credentials, raise an explicit exception
// here since we'll fail a typehint if we don't return an array anyway
// and this is a more useful error.
// If we do have anonymous credentials, we'll rebind and try the search
// again below. Doing this automatically means things work correctly more
// often without requiring additional configuration.
So the LDAP users must have a search ACL, for example:
olcAccess: {1}to *
by self write
by dn="cn=admin,dc=my-company,dc=com" write
by dn="cn=readonly,dc=my-company,dc=com" read
by users search
by * none
I did not have the 'by users search' clause, so the login failed.
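To make the difference between the two login flows concrete, here is an added example (not code from the question, the answer, Phabricator or OpenLDAP) that models how OpenLDAP evaluates the olcAccess directive above. It parses the subset of syntax used in the answer (a single `to *` directive with `self`, `users`, `anonymous`, `dn="..."` and `*` clauses), picks the first matching `by` clause as OpenLDAP does, and then checks the Phabricator-style flow: bind as the user's own DN, then search the base DN for that user. The DNs `uid=alice,ou=user,dc=my-company,dc=com` and the ACL strings `ORIGINAL_ACL` / `FIXED_ACL` are constructed for the example; the assumption that the search needs `search` access on the base entry and on the user's entry is the simplified model used here.

```python
import re

# OpenLDAP access levels, ordered from weakest to strongest.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Matches one "by <who> <level>" clause of an olcAccess directive.
BY_CLAUSE = re.compile(r'by\s+(self|users|anonymous|\*|dn="[^"]+")\s+(\w+)')


def level_at_least(granted, required):
    """True if the granted level is at least as strong as the required one."""
    return LEVELS.index(granted) >= LEVELS.index(required)


def parse_olcaccess(text):
    """Parse a single 'to * by ... by ...' directive into (who, level) pairs.
    Only the subset of syntax used in the answer above is handled; the
    '<what>' part is assumed to be '*' (every entry)."""
    clauses = []
    for who, level in BY_CLAUSE.findall(text):
        if level not in LEVELS:
            raise ValueError(f"unknown access level {level!r}")
        clauses.append((who, level))
    return clauses


def granted_level(clauses, bound_dn, target_dn):
    """Return the level granted by the first matching 'by' clause.
    bound_dn is None for an anonymous connection."""
    for who, level in clauses:
        if who == "self" and bound_dn is not None and bound_dn.lower() == target_dn.lower():
            return level
        if who == "users" and bound_dn is not None:
            return level
        if who == "anonymous" and bound_dn is None:
            return level
        if who.startswith('dn="') and bound_dn is not None and who[4:-1].lower() == bound_dn.lower():
            return level
        if who == "*":
            return level
    return "none"  # no clause matched: OpenLDAP denies by default


def phabricator_login_search_ok(clauses, user_dn, base_dn):
    """Model the flow described in the answer: Phabricator binds as the user's
    own DN, then searches base_dn for that user. Simplified assumption: the
    search needs 'search' access on the base entry and on the user's entry,
    both evaluated with the user as the bound identity."""
    return all(level_at_least(granted_level(clauses, user_dn, dn), "search")
               for dn in (base_dn, user_dn))


def service_account_search_ok(clauses, service_dn, user_dn, base_dn):
    """Model the Jenkins-style flow: a service DN (the read-only account) does
    the search, and the user's own password is only used for a later bind."""
    return all(level_at_least(granted_level(clauses, service_dn, dn), "search")
               for dn in (base_dn, user_dn))


# Constructed DNs and ACLs for the example, mirroring the answer's configuration.
BASE_DN = "ou=user,dc=my-company,dc=com"
READONLY_DN = "cn=readonly,dc=my-company,dc=com"
ALICE_DN = "uid=alice,ou=user,dc=my-company,dc=com"

ORIGINAL_ACL = parse_olcaccess(
    'to * by self write by dn="cn=admin,dc=my-company,dc=com" write '
    'by dn="cn=readonly,dc=my-company,dc=com" read by * none'
)
FIXED_ACL = parse_olcaccess(
    'to * by self write by dn="cn=admin,dc=my-company,dc=com" write '
    'by dn="cn=readonly,dc=my-company,dc=com" read by users search by * none'
)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(f"{name}: service-account search ok =",
              service_account_search_ok(acl, READONLY_DN, ALICE_DN, BASE_DN))
        print(f"{name}: Phabricator bind-then-search ok =",
              phabricator_login_search_ok(acl, ALICE_DN, BASE_DN))
```

With the original ACL the read-only service account can search (it matches its own `dn=` clause with `read`), which is why Jenkins worked, but an authenticated ordinary user only matches `by * none` on the base entry, so the search Phabricator performs after its bind fails. Adding `by users search` ahead of `by * none` gives every authenticated user exactly the level the flow needs, without granting read access to the directory.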