CMDBuild Forum

frustrating LDAP configuration in 3.4.4

I write this message for two reasons: (1) to express my frustration about the really bad documentation of this software and (2) to help others not to waste hours of research to get the beast running.

I am using the current latest software version 3.4.4 and the current latest technical docu 3.4 from January 2022. (It even sounds odd to have a current documentation which is 2 years old.)

LDAP is easy to set up if you DON’T follow the manual. Just follow these 3 steps:

  • Do a ./cmdbuild.sh restws setconfig -username admin -password admin org.cmdbuild.auth.ldap.enabled true. This is not mentioned in the docs. Instead in section 8.2 you might get the impression that the key org.cmdbuild.auth.modules.ldap.enabled has to be set (with the “modules” string). You can configure it and no error message is created. Only in the log file you can see a warning about the wrong key.
  • Define ./cmdbuild.sh restws setconfig -username admin -password admin org.cmdbuild.auth.ldap.server.url 'ldap://ldap1.sld.tld:389/cn=users,cn=accounts,dc=compay,dc=tld??sub?(objectClass=person)'.
  • If your users are defined in your LDAP server with “uid” instead of the default “cn” like in freeIPA, you have to set the key org.cmdbuild.auth.ldap.bind.attribute to “uid”. BTW: The description in the manual is wrong. The key will not be used for a bind operation, it will be used for a search operation.

That’s all. No restart of Tomcat needed. And of course, you have to create the users with the uids in the web interface.

To be productive and in case someone from Tecnoteca srl is reading, here are some improvements for the documentation that are useful in my view:

  1. Explain in section 8 / 8.1 the following terms: “authentication mode” vs. “authentication type” vs. “authentication methods”.
  2. Explain what a “ModuleName” is.
  3. In the table of section 8.2. explain what values the “{ModuleName}” can take.
  4. Explain the difference in the WebUI (Administration module → System config → Authentication) between “Login modules” and “Auth Modules”.
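
The URL in step 2 packs the base DN, search scope and filter into one string, and step 3 says the bind attribute is used for a search. As an added example (not part of the original post and not CMDBuild code), the following Python splits such a URL per RFC 4516 and builds a per-login search filter with RFC 4515 escaping. That the URL filter is ANDed with the bind attribute is an assumption, and `parse_ldap_url` and `login_filter` are hypothetical names.

```python
import re
from urllib.parse import urlsplit, unquote

# URL from step 2 of the post (placeholder host and DN as given there).
SAMPLE_URL = ("ldap://ldap1.sld.tld:389/cn=users,cn=accounts,dc=compay,dc=tld"
              "??sub?(objectClass=person)")

# RFC 4515: characters that must be escaped inside a filter assertion value.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def parse_ldap_url(url):
    """Split an RFC 4516 URL: scheme://host:port/dn?attributes?scope?filter."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    # urlsplit cuts at the first '?'; the remaining '?' separate the fields.
    attrs, scope, flt = (unquote(f) for f in (parts.query.split("?") + ["", "", ""])[:3])
    return {
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attributes": [a for a in attrs.split(",") if a],
        "scope": scope or "base",               # RFC 4516 default
        "filter": flt or "(objectClass=*)",     # RFC 4516 default
        # ldap:// is cleartext unless the client upgrades with StartTLS.
        "encrypted": parts.scheme == "ldaps",
    }


def login_filter(base_filter, bind_attribute, login):
    """Assumed lookup: AND the URL filter with <bind_attribute>=<login>."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", bind_attribute):
        raise ValueError("bad attribute name: %r" % bind_attribute)
    value = "".join(FILTER_ESCAPES.get(ch, ch) for ch in login)
    return "(&%s(%s=%s))" % (base_filter, bind_attribute, value)


if __name__ == "__main__":
    cfg = parse_ldap_url(SAMPLE_URL)
    for key, val in cfg.items():
        print("%-10s %s" % (key, val))
    print(login_filter(cfg["filter"], "uid", "jdoe"))
```

The empty field between the two leading question marks is the attribute list, so `??sub?` means "all attributes, subtree scope".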