LDAP - Active Directory - Forest Trust?
Posted: Tue Jan 08, 2013 7:41 pm
by drdebate
Greetings,
I have set up TestLink 1.9.5 on a fresh CentOS 6 64-bit using MySQL as the database. I have configured it for LDAP authentication. Everything works great with one exception: it won't authenticate users in trusted domains/forests. Users in the domain where LDAP points are fine; it's just the trusted domain. Is this possible?
Re: LDAP - Active Directory - Forest Trust?
Posted: Wed Jan 09, 2013 10:00 am
by fman
Never used this concept (it's new to me).
Our LDAP auth is based on work done on Mantis.
Re: LDAP - Active Directory - Forest Trust?
Posted: Thu Jan 10, 2013 11:39 pm
by drdebate
I've been looking at the /lib/functions/ldap_api.php script (and my PHP is pretty rusty) and I have an idea. It looks like the authentication process works like this:
1. Binds to LDAP using the username/password provided in the configuration
2. Searches for the account in the root OU
3. Attempts to bind using the password provided and all matching results
The problem is that if the user is in a trusted domain they won't come up in the search (step 2), even though the username/password provided are good.
My question is, does it need to search for the account first? I understand it's translating the short account name to the full DN of the user, but Active Directory does not require that. In fact, since all we're doing is checking if the password is valid, could the script be adjusted to simply see if it can bind using the username/password provided by the user, without pre-binding?
Re: LDAP - Active Directory - Forest Trust?
Posted: Fri Jan 11, 2013 8:18 am
by GunnarD
The normal way to authenticate a user against an LDAP server is:
1) Bind to the LDAP server with a DN name and password
2) Search for the user (login name from the login page)
3) If the user exists, get the DN name for the user
4) Bind to the LDAP server with the DN name of the user and the password from the login page
This way you don't need to know where in your LDAP tree your users are. And the program can support a generic LDAP server.
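The four-step flow in GunnarD's list, written out as an added example in PHP's ext/ldap (this is not TestLink's ldap_api.php). The server URI, base DN, service account and login attribute are assumed placeholders; the `count !== 1` branch in step 3 is where a trusted-domain user who is outside the searched tree would fail.

```php
<?php
// Added example of the service-bind / search / user-bind flow.
// Not TestLink's ldap_api.php. Server, base DN, service account and
// attribute names below are assumed placeholders.
function ldap_authenticate(string $login, string $password): bool
{
    $server = 'ldaps://dc.example.test';                          // assumed
    $baseDn = 'DC=example,DC=test';                               // assumed
    $bindDn = 'CN=svc-testlink,OU=Service,DC=example,DC=test';    // assumed read-only account
    $bindPw = 'service-account-secret';                           // assumed; keep in config, not code
    $attr   = 'sAMAccountName';                                   // AD login attribute; 'uid' on OpenLDAP

    // Caveat: most servers, AD included, treat a bind with an empty password
    // as an anonymous/unauthenticated bind that *succeeds*. Reject it first.
    if ($login === '' || $password === '') {
        return false;
    }

    $conn = ldap_connect($server);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0); // AD returns referrals; chasing them stalls searches

    // Step 1: bind with the service account so we are allowed to search.
    if (!@ldap_bind($conn, $bindDn, $bindPw)) {
        ldap_close($conn);
        return false;
    }

    // Step 2: search for the login name. The value is escaped so characters
    // typed into the login field (e.g. "*" or ")(") cannot alter the filter.
    $filter  = sprintf('(&(objectClass=user)(%s=%s))', $attr, ldap_escape($login, '', LDAP_ESCAPE_FILTER));
    $result  = @ldap_search($conn, $baseDn, $filter, ['dn']);
    $entries = $result ? ldap_get_entries($conn, $result) : ['count' => 0];

    // Step 3: require exactly one match and take its DN.
    if ($entries['count'] !== 1) {
        ldap_close($conn);
        return false; // not found (e.g. user outside the searched tree) or ambiguous
    }
    $userDn = $entries[0]['dn'];

    // Step 4: bind as the user with the password from the login page.
    $ok = @ldap_bind($conn, $userDn, $password);
    ldap_close($conn);
    return $ok;
}
```

A direct-bind variant of the kind drdebate proposes (binding with the submitted name without the search) would still need the empty-password check in the same place, and would no longer return a DN for later attribute lookups.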