LDAP structure Example for Kimai and OpenLDAP

This is an example LDAP data structure, which was used for testing the Kimai LDAP integration with Kimai 1.18 and 2.0.

It demonstrates a possible setup and the matching LDAP connection configuration for Kimai.

Creating the structure files

You can create the files manually or clone an example repository.

Manual creation

Wanna take the hard road? Ok, here we go 😁

Create the file ou-root.ldiff and add this:

dn: dc=kimai,dc=org
objectClass: dcObject
objectClass: organizationalUnit
dc: kimai
ou: KIMAI

Create the file ou-users.ldiff and add this:

dn: ou=users,dc=kimai,dc=org
objectClass: organizationalUnit
ou: users

Create the file ou-groups.ldiff and add this:

dn: ou=groups,dc=kimai,dc=org
objectClass: organizationalUnit
ou: groups

The userPassword values in the following files are {SSHA} hashes generated with slappasswd; the plain-text password behind them is kitten. They differ from the rootpw hash used in slapd.conf further down (also kitten) because SSHA uses a random salt, so every slappasswd run produces a different hash for the same password.
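A way to check such hashes offline, as an added example that is not part of the Kimai docs or of OpenLDAP: an {SSHA} value is base64(SHA-1(password || salt) || salt), so a verifier splits the decoded bytes after the 20-byte digest and recomputes. The two hash strings from this page are embedded for the check; the function names and the fixed salt used in the test are assumptions of this example.

```python
"""Verify and generate OpenLDAP {SSHA} values offline.

Added example, not Kimai or OpenLDAP code. {SSHA} = base64(sha1(pw + salt) + salt);
slappasswd uses a 4-byte random salt, and slapd verifies a simple bind by
recomputing the digest with the stored salt, which is what ssha_verify does.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

PREFIX = "{SSHA}"
DIGEST_LEN = 20  # SHA-1 output length; everything after it is the salt


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a {SSHA} value the way slappasswd does (4 random salt bytes)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """True if password matches the stored {SSHA} value (constant-time compare)."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(PREFIX):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("{SSHA} value too short to contain a salt")
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


# The two hashes that appear on this page; both are documented as "kitten".
PAGE_HASHES = {
    "rootpw (slapd.conf)": "{SSHA}aHxzKxwoAV46MQ4gAv9n+ISm7kD53Tzq",
    "userPassword (user files)": "{SSHA}+/Ir5pqpe09B07Xz8IT5AS+swJ5s29QS",
}


def check_page_hashes(password: str = "kitten") -> dict:
    """Map each page hash to whether it verifies against the given password."""
    return {label: ssha_verify(value, password) for label, value in PAGE_HASHES.items()}


if __name__ == "__main__":
    for label, ok in check_page_hashes().items():
        print(f"{label}: kitten -> {ok}")
```

Running it prints whether each of the page's two hashes verifies against kitten. SSHA is salted SHA-1 with a 4-byte salt: adequate for a throwaway test directory, not what you want for real accounts; OpenLDAP 2.5 and later ship an argon2 password module, and slappasswd -h selects the scheme.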

Create the file user-user.ldiff and add this:

dn: uid=user-ldap,ou=users,dc=kimai,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: user-ldap
sn: LDAP-User
givenName: LDAP-User Example
cn: user-ldap
displayName: LDAP User (User)
mail: user-ldap@example.com
userPassword: {SSHA}+/Ir5pqpe09B07Xz8IT5AS+swJ5s29QS

Create the file teamlead-user.ldiff and add this:

dn: uid=teamlead-ldap,ou=users,dc=kimai,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: teamlead-ldap
sn: LDAP-Teamlead
givenName: LDAP-Teamlead Example
cn: teamlead-ldap
displayName: LDAP User (Teamlead)
mail: teamlead-ldap@example.com
userPassword: {SSHA}+/Ir5pqpe09B07Xz8IT5AS+swJ5s29QS

Create the file teamlead-group.ldiff and add this (the cn in the DN has to be one of the entry's cn values, otherwise slapd rejects the add with a naming violation, so the DN uses the same value that Kimai later maps to a role):

dn: cn=Teamleads,ou=groups,dc=kimai,dc=org
objectClass: top
objectClass: groupOfNames
cn: Teamleads
member: uid=teamlead-ldap,ou=users,dc=kimai,dc=org

Create the file admin-user.ldiff and add this:

dn: uid=admin-ldap,ou=users,dc=kimai,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: admin-ldap
sn: LDAP-Administrator
givenName: LDAP-Admin Example
cn: admin-ldap
displayName: LDAP User (Administrator)
mail: admin-ldap@example.com
userPassword: {SSHA}+/Ir5pqpe09B07Xz8IT5AS+swJ5s29QS

Create the file admin-group.ldiff and add this:

dn: cn=Admins,ou=groups,dc=kimai,dc=org
objectClass: top
objectClass: groupOfNames
cn: Admins
member: uid=admin-ldap,ou=users,dc=kimai,dc=org

Create the file super-user.ldiff and add this:

dn: uid=super-ldap,ou=users,dc=kimai,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: super-ldap
sn: LDAP-SuperAdmin
givenName: LDAP-SuperAdmin Example
cn: super-ldap
displayName: LDAP User (Super-Admin)
mail: super-ldap@example.com
userPassword: {SSHA}+/Ir5pqpe09B07Xz8IT5AS+swJ5s29QS

Create the file super-group.ldiff and add this:

dn: cn=Super-Admins,ou=groups,dc=kimai,dc=org
objectClass: top
objectClass: groupOfNames
cn: Super-Admins
member: uid=super-ldap,ou=users,dc=kimai,dc=org

The local.yaml settings

kimai:
    ldap:
        activate: true
        connection:
            host: 127.0.0.1
        user:
            baseDn: ou=users, dc=kimai, dc=org
            attributes:
                - { ldap_attr: uid, user_method: setUserIdentifier }
                - { ldap_attr: givenName, user_method: setAlias }
                - { ldap_attr: mail, user_method: setEmail }
        role:
            baseDn: ou=groups, dc=kimai, dc=org
            filter: (&(objectClass=groupOfNames)(|(cn=Admins)(cn=Super-Admins)(cn=Teamleads)))
            userDnAttribute: member
            usernameAttribute: dn
            groups:
                - { ldap_value: Teamleads, role: ROLE_TEAMLEAD }
                - { ldap_value: Admins, role: ROLE_ADMIN }
                - { ldap_value: Super-Admins, role: ROLE_SUPER_ADMIN }
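How the LDIF files and the role section fit together can be checked without a running slapd. The following is an added example (not Kimai's code and not how Kimai implements its LDAP manager): it parses a constructed subset of the entries above with a minimal LDIF parser, applies the naming check slapd performs on every add (an entry's RDN value must be among its own attribute values, otherwise ldapadd fails with a naming violation), and then resolves roles the way the configuration above describes: groups under role.baseDn whose member attribute (userDnAttribute) contains the user's DN (usernameAttribute: dn), with the group's cn mapped through role.groups. The objectClass/cn filter is applied by meaning rather than parsed as an LDAP filter string, and the sample deliberately contains a group whose DN says cn=teamlead while its cn value is Teamleads.

```python
"""Offline check of the LDIF files and of the local.yaml role mapping.
Added example, not Kimai or OpenLDAP code: a minimal LDIF parser, the naming
check slapd applies to every add, and a lookup mirroring the role section."""

# Constructed sample: two of the page's users, one correct group and one group
# whose RDN value (cn=teamlead) is not among its cn values (Teamleads).
SAMPLE_LDIF = """\
dn: uid=user-ldap,ou=users,dc=kimai,dc=org
uid: user-ldap
cn: user-ldap

dn: uid=admin-ldap,ou=users,dc=kimai,dc=org
uid: admin-ldap
cn: admin-ldap

dn: cn=Admins,ou=groups,dc=kimai,dc=org
objectClass: groupOfNames
cn: Admins
member: uid=admin-ldap,ou=users,dc=kimai,dc=org

dn: cn=teamlead,ou=groups,dc=kimai,dc=org
objectClass: groupOfNames
cn: Teamleads
member: uid=user-ldap,ou=users,dc=kimai,dc=org
"""

# The role section of local.yaml as plain data (usernameAttribute: dn).
ROLE_CONFIG = {
    "baseDn": "ou=groups, dc=kimai, dc=org",
    "userDnAttribute": "member",
    "groups": {"Teamleads": "ROLE_TEAMLEAD", "Admins": "ROLE_ADMIN",
               "Super-Admins": "ROLE_SUPER_ADMIN"},
}


def parse_ldif(text: str) -> list:
    """Entries separated by blank lines; 'attr: value' lines, folded continuation
    lines and '#' comments (no base64 values, no change records).
    Attribute names are lower-cased; the DN is kept under the key 'dn'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def norm_dn(dn: str) -> str:
    """Drop optional spaces after commas and lower-case (no escaped commas here)."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def rdn_check(entry: dict):
    """slapd's naming check: the RDN value must be one of the entry's own values
    for that attribute (compared case-insensitively, like cn/uid). None if OK."""
    attr, _, value = entry["dn"][0].split(",", 1)[0].partition("=")
    attr, value = attr.strip(), value.strip().lower()
    if value not in [v.lower() for v in entry.get(attr.lower(), [])]:
        return f"value of naming attribute '{attr}' is not present in entry"
    return None


def resolve_roles(entries: list, uid: str, cfg: dict) -> list:
    """Roles Kimai derives: groupOfNames under cfg['baseDn'] whose
    cfg['userDnAttribute'] contains the user's DN, cn mapped via cfg['groups']."""
    user = next((e for e in entries if uid in e.get("uid", [])), None)
    if user is None:
        raise LookupError(f"no entry with uid={uid}")
    user_dn = norm_dn(user["dn"][0])
    roles = []
    for e in entries:
        if not norm_dn(e["dn"][0]).endswith("," + norm_dn(cfg["baseDn"])):
            continue
        if "groupofnames" not in [v.lower() for v in e.get("objectclass", [])]:
            continue
        members = [norm_dn(m) for m in e.get(cfg["userDnAttribute"].lower(), [])]
        if user_dn in members:
            roles += [cfg["groups"][cn] for cn in e.get("cn", []) if cn in cfg["groups"]]
    return roles


if __name__ == "__main__":
    all_entries = parse_ldif(SAMPLE_LDIF)
    accepted = [e for e in all_entries if rdn_check(e) is None]  # what slapd keeps
    print("rejected:", [e["dn"][0] for e in all_entries if e not in accepted])
    for uid in ("user-ldap", "admin-ldap"):
        print(uid, "->", resolve_roles(accepted, uid, ROLE_CONFIG))
```

The point of the broken group is the failure mode: an entry slapd rejects never lands in the directory, so the user it lists simply gets no role, with no error on the Kimai side. Running the naming check over your .ldiff files before ldapadd catches that early.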

Setup on MacOS Sonoma (ARM) with Homebrew

brew install openldap
mkdir /opt/homebrew/var/openldap-data
chmod 700 /opt/homebrew/var/openldap-data
vim /opt/homebrew/etc/openldap/slapd.conf

The data directory that the directory directive in slapd.conf points to only needs to be writable by the user who runs slapd in the foreground below, so there is no need to make it world-writable.

Comment out the entire MDB database definition section and add this (the ldif backend stores every entry as a text file; it is fine for a throwaway test tree but is not meant for production use):

include         /private/etc/openldap/schema/cosine.schema
include         /private/etc/openldap/schema/nis.schema
include         /private/etc/openldap/schema/inetorgperson.schema

database ldif
suffix "dc=kimai,dc=org"
rootdn "cn=admin,dc=kimai,dc=org"
# clear text password: kitten (generated with slappasswd)
rootpw {SSHA}aHxzKxwoAV46MQ4gAv9n+ISm7kD53Tzq
directory /opt/homebrew/var/openldap-data

Now change the configuration:

vim /opt/homebrew/etc/openldap/ldap.conf

Replace BASE and URI with these values:

BASE dc=kimai,dc=org
URI ldap://127.0.0.1:389

Start the service:

/usr/libexec/slapd -d3 -f /opt/homebrew/etc/openldap/slapd.conf

Importing the data

The entries have to be added top-down, because an entry's parent must already exist, which is the order below:

ldapadd -D "cn=admin,dc=kimai,dc=org" -W -x -f ou-root.ldiff
ldapadd -D "cn=admin,dc=kimai,dc=org" -W -x -f ou-users.ldiff
ldapadd -D "cn=admin,dc=kimai,dc=org" -W -x -f ou-groups.ldiff
ldapadd -D "cn=admin,dc=kimai,dc=org" -W -x -f user-user.ldiff
ldapadd -D "cn=admin,dc=kimai,dc=org" -W -x -f teamlead-user.ldiff
ldapadd -D "cn=admin,dc=kimai,dc=org" -W -x -f teamlead-group.ldiff
ldapadd -D "cn=admin,dc=kimai,dc=org" -W -x -f admin-user.ldiff
ldapadd -D "cn=admin,dc=kimai,dc=org" -W -x -f admin-group.ldiff
ldapadd -D "cn=admin,dc=kimai,dc=org" -W -x -f super-user.ldiff
ldapadd -D "cn=admin,dc=kimai,dc=org" -W -x -f super-group.ldiff

OpenLDAP is not the simplest service to set up, and these links helped me find a working configuration:
