LDAP and Active Directory
LDAP and Active Directory connectors allow you to externalize the management of authentication to Squash TM. The management of user permissions remains inside of Squash TM.
Configure LDAP and AD
LDAP and AD connectors support both simple and multi-domain configurations. You can find examples of standard configurations in the following files, in the plugin's config folder:
- Simple domain: squash.tm.cfg.properties;
- Multi-domain: multi-ldap(or ad).squash.tm.cfg.properties.
After installing the LDAP or AD .jar files in Squash TM's plugins folder, you must copy this standard configuration into the file squash.tm.cfg.properties and complete it. You can find this file in Squash TM's conf folder.
LDAP Connector Properties
The LDAP connector allows for a more advanced configuration thanks to the following properties:
- authentication.ldap.server.url: directory URL. Can be ldap:// or ldaps:// for a secured connection;
- authentication.ldap.server.managerDn: ID with the permission to browse the directory when it cannot be browsed in anonymous mode;
- authentication.ldap.server.managerPassword: password of the user who has the permission to browse the directory;
- authentication.ldap.user.searchBase: location where you can find the users who will be able to connect to Squash;
- authentication.ldap.user.searchFilter: allows you to search the user's attribute, which will be their login in Squash.
Use the LDAP Connector with an AD
You can use the LDAP connector to connect to an AD and benefit from more advanced configuration options.
The configuration you must enter for an AD or LDAP connector is basically the same.
The main difference lies in the authentication property ldap.user.searchFilter:
- For an AD, it is generally the attribute samAccountName or UserPrincipalName;
- For an LDAP directory, there are more possibilities: it can be uid, id, uniqueMember, etc.
Operate the Connection
To connect to Squash TM, you must create at least one user in the LDAP directory or AD with a login that is identical to that of the default Squash TM administrator: admin. With this user, you can then connect to Squash TM with an administrator profile. The administrator will then be able to add permissions for the other users.
Info
When you first use Squash TM, an administrator account is created. The login is admin.
For other users to be able to connect to Squash TM using the LDAP or AD connector, they must be in the directory:
- If the user is missing from the LDAP directory or AD, they cannot authenticate to Squash TM. The connection is impossible;
- If the user is already in the LDAP directory or AD, they can authenticate to Squash TM. The password is managed by the directory, whereas project permissions are managed in Squash TM. Two cases are then possible:
  - The user already has a user account in Squash TM: when they log in, they will have the permissions that go with their account;
  - The user does not have any user account in Squash TM: when they first log in, a user account is automatically created in Squash TM, but they will have no permission granted to them. Subsequently, permissions can be granted to them by a Squash TM administrator.
Focus
When authentication is delegated to a directory, passwords can no longer be managed in Squash TM. The options [Reset] password (administrator) and change [Local password] (user) are deactivated.
Multi-Sources Authentication
You can authenticate to Squash TM using multiple sources (directory + local).
To do so:
- Install and configure the LDAP or AD plugins;
- In the file squash.tm.cfg.properties, complete the following property by adding internal as an authentication source: authentication.provider=ldap,internal
Users will then be able to connect to the app using accounts that are in the directory and Squash TM local accounts.
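As an added example (not part of the Squash TM documentation or plugin code), the following Python script checks the content of a squash.tm.cfg.properties file for the connector properties described above and for the authentication.provider setting. The host name, DNs, password and the (uid={0}) filter value in the sample are constructed placeholders, and the parser assumes simple key=value lines.

```python
# Added example: audits the LDAP connector properties named on this page.
from urllib.parse import urlparse

P = "authentication.ldap.server."

def parse_properties(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)  # split once: DNs and filters contain '='
            props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return (severity, message) findings for a parsed configuration."""
    findings = []
    scheme = urlparse(props.get(P + "url", "")).scheme.lower()
    dn, pw = props.get(P + "managerDn", ""), props.get(P + "managerPassword", "")
    if scheme == "ldap":
        findings.append(("HIGH", "server.url uses ldap://, which does not encrypt the connection: bind passwords can be read on the network; use ldaps://"))
    elif scheme != "ldaps":
        findings.append(("HIGH", "server.url is missing or is not an ldap:// or ldaps:// URL"))
    if bool(dn) != bool(pw):
        findings.append(("MEDIUM", "managerDn and managerPassword must be set together"))
    elif not dn:
        findings.append(("INFO", "no manager account: the directory must allow anonymous browsing"))
    if pw:
        findings.append(("INFO", "managerPassword is set in this file: restrict read access to it"))
    providers = [p.strip() for p in props.get("authentication.provider", "").split(",")]
    if "internal" in providers:
        findings.append(("INFO", "internal provider enabled: local Squash TM accounts are still accepted"))
    return findings

# Constructed sample; host, DNs, password and the {0} login placeholder are assumptions.
SAMPLE = """\
# LDAP connector
authentication.provider=ldap,internal
authentication.ldap.server.url=ldap://ldap.example.test:389
authentication.ldap.server.managerDn=cn=squash-reader,dc=example,dc=test
authentication.ldap.server.managerPassword=CHANGE_ME
authentication.ldap.user.searchBase=ou=people,dc=example,dc=test
authentication.ldap.user.searchFilter=(uid={0})
"""

if __name__ == "__main__":
    for severity, message in audit(parse_properties(SAMPLE)):
        print(f"[{severity}] {message}")
```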
Autoconnect to Bugtrackers
When the Squash TM and bugtracker login credentials are managed by the same directory service, you can activate autoconnect to bugtrackers in Squash TM. In the System Parameters available from Squash TM's Administration workspace, you must activate the option that is in the block Automatic authentication to bugtracker at connection.
Once the option is activated, Squash TM tries to automatically authenticate the user on the different bugtrackers they are linked to via the projects they are authorized on. The information saved in the My Account workspace is then ignored. If that option is deactivated, there is no attempt to automatically connect to the bugtracker. The login credentials taken into account are the ones entered in My Account.
Uninstall LDAP and AD
To uninstall the LDAP and AD plugins, you have to:
- Stop Squash TM;
- In the file squash.tm.cfg.properties, delete or comment using a # the specific configuration lines of the plugins;
- Remove plugin .jar files from Squash TM's plugins folder.