LDAP and Active Directory

The LDAP and Active Directory connectors let you delegate Squash TM authentication to a directory. User permissions are still managed inside Squash TM.

Configure LDAP and AD

LDAP and AD connectors support both simple and multi-domain configurations. You can find examples of standard configurations in the following files, in the plugin's 'config' folder:

  • Simple domain: squash.tm.cfg.properties

  • Multi-domain: multi-ldap(or ad).squash.tm.cfg.properties

After installing the LDAP or AD .jar files in Squash TM's 'plugins' folder, you must copy and paste this standard configuration into the file squash.tm.cfg.properties and complete it. You can find this file in Squash TM's 'conf' folder.

LDAP Connector Properties

The LDAP connector allows for a more advanced configuration thanks to the following properties:

  • authentication.ldap.server.url: directory URL. The scheme can be ldap://, or ldaps:// for a secured connection
  • authentication.ldap.server.managerDn: ID of the account that has permission to browse the directory, for when the directory cannot be browsed in anonymous mode
  • authentication.ldap.server.managerPassword: password of the user who has permission to browse the directory
  • authentication.ldap.user.searchBase: location in the directory of the users who will be able to connect to Squash
  • authentication.ldap.user.searchFilter: filter used to search for the user attribute that serves as the login in Squash

Use the LDAP Connector with an AD

You can point the LDAP connector at an AD and benefit from its more advanced configuration options.

The configuration you must enter for an AD or LDAP connector is basically the same.
The main difference lies in the property authentication.ldap.user.searchFilter:

  • For an AD, it is generally the attribute samAccountName or UserPrincipalName
  • For an LDAP directory, there are more possibilities: it can be uid, id, uniqueMember, etc.

Operate the Connection

To connect to Squash TM, you must create at least one user in the LDAP directory or AD whose login is identical to that of the default Squash TM administrator: "admin". With this user, you can then connect to Squash TM with an administrator profile. The administrator will then be able to add permissions for the other users.

Info

When you first use Squash TM, an administrator account is created. The login is "admin".

For other users to be able to connect to Squash TM using the LDAP connector or AD, they must be in the directory:

  • If the user is missing from the LDAP directory or AD, they cannot authenticate to Squash TM. The connection is impossible.

  • If the user is already in the LDAP directory or AD, they can authenticate to Squash TM. The password is managed by the directory, whereas project permissions are managed in Squash TM. Two cases are then possible:

    • The user already has a user account in Squash TM: when they log in, they will have the permissions that go with their account

    • The user does not have any user account in Squash TM: when they first log in, a user account is automatically created in Squash TM, but they will have no permission granted to them. Subsequently, permissions can be granted to them by a Squash TM administrator.

Focus

When authentication is delegated to a directory, passwords can no longer be managed in Squash TM. The options [Reset] password (administrator) and change [Local password] (user) are deactivated.

Multi-Sources Authentication

You can authenticate into Squash TM using multiple sources (directory + local).

To do this:

  • Install and configure the LDAP or AD plugins

  • In the file 'squash.tm.cfg.properties', complete the following property by adding 'internal' as an authentication source:

    authentication.provider=ldap,internal
    

Users will then be able to connect to the app using accounts that are in the directory and Squash TM local accounts.
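The following added example (not part of Squash TM or its plugins) reads the contents of a squash.tm.cfg.properties file and reports the settings described above that deserve a second look: an ldap:// URL instead of ldaps://, a manager account configured without its password or the reverse, a manager password stored in the file, missing search settings, and 'internal' left as an authentication source. The host names, DNs, password placeholder and search filter syntax in the samples are constructed assumptions.

```python
LDAP = "authentication.ldap."

def parse_properties(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return (severity, property, message) findings for one configuration."""
    p, out = parse_properties(text), []
    url = p.get(LDAP + "server.url", "")
    dn = p.get(LDAP + "server.managerDn", "")
    pw = p.get(LDAP + "server.managerPassword", "")
    scheme = url.split("://", 1)[0].lower() if "://" in url else ""
    if scheme == "ldap":
        out.append(("HIGH", "server.url", "ldap:// is not the secured scheme, use ldaps://"))
    elif scheme != "ldaps":
        out.append(("HIGH", "server.url", "missing, or neither ldap:// nor ldaps://"))
    if bool(dn) != bool(pw):
        out.append(("WARN", "server.managerDn", "set managerDn and managerPassword together"))
    elif not dn:
        out.append(("INFO", "server.managerDn", "no manager account, anonymous browsing"))
    else:
        out.append(("INFO", "server.managerPassword", "stored in this file, restrict read access"))
    for key in ("user.searchBase", "user.searchFilter"):
        if not p.get(LDAP + key):
            out.append(("WARN", key, "not set"))
    providers = [s.strip() for s in p.get("authentication.provider", "").split(",")]
    if "internal" in providers:
        out.append(("INFO", "authentication.provider", "local accounts remain a login path"))
    return out

# Constructed samples: hosts, DNs, password and filter syntax are assumptions.
WEAK = """authentication.provider=ldap,internal
authentication.ldap.server.url=ldap://dc01.example.test:389
authentication.ldap.server.managerDn=CN=svc-squash,OU=Service,DC=example,DC=test
authentication.ldap.server.managerPassword=
authentication.ldap.user.searchBase=OU=Users,DC=example,DC=test
"""
HARDENED = WEAK.replace("ldap,internal", "ldap").replace("ldap://", "ldaps://").replace(
    ":389", ":636").replace("managerPassword=", "managerPassword=PLACEHOLDER") + (
    "authentication.ldap.user.searchFilter=(sAMAccountName={0})\n")

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, *audit(cfg), sep="\n  ")
```

The INFO findings are not errors: they record choices (a password in the file, local accounts still accepted) that should be deliberate rather than leftovers from the sample configuration.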

Autoconnect to Bugtrackers

In the specific case where the Squash TM and bugtracker login credentials are managed by the same directory service, you can activate autoconnect to bugtrackers in Squash TM. In the 'System Parameters' available from Squash TM's administration, you must activate the option in the block 'Automatic authentication to bugtracker at login'.

Autoconnect

Once the option is activated, Squash TM tries to automatically authenticate the user on the different bugtrackers they are linked to via the projects they are authorized on. The information saved in the "My Account" workspace is then ignored. If that option is deactivated, there is no attempt to automatically connect to the bugtracker. The login credentials taken into account are the ones entered in "My Account".

Uninstall LDAP and AD

To uninstall the LDAP and AD plugins, you have to:

  1. Stop Squash TM

  2. In the file 'squash.tm.cfg.properties', delete the plugins' specific configuration lines or comment them out using a #

  3. Remove the plugin .jar files from Squash TM's 'plugins' folder