LDAP structure Example for Kimai and OpenLDAP
This is an example LDAP data structure that was used for testing the Kimai LDAP integration with Kimai 1.18 and 2.0.
It demonstrates a possible setup and the matching LDAP connection configuration.
Creating the structure files
You can create the files manually or clone an example repository.
Manual creation
Wanna take the hard road? Ok, here we go 😁
Create the file ou-root.ldiff
and add this:
dn: dc=kimai,dc=org
objectClass: dcObject
objectClass: organizationalUnit
dc: kimai
ou: KIMAI
Create the file ou-users.ldiff
and add this:
dn: ou=users,dc=kimai,dc=org
objectClass: organizationalUnit
ou: users
Create the file ou-groups.ldiff
and add this:
dn: ou=groups,dc=kimai,dc=org
objectClass: organizationalUnit
ou: groups
The userPassword values in the following files were generated with slappasswd; the clear-text password behind them is kitten. SSHA is salted, so slappasswd produces a different hash every time it is run for the same password, which is why the hash in the user entries differs from the rootpw hash {SSHA}aHxzKxwoAV46MQ4gAv9n+ISm7kD53Tzq used in slapd.conf further down.
Create the file user-user.ldiff
and add this:
dn: uid=user-ldap,ou=users,dc=kimai,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: user-ldap
sn: LDAP-User
givenName: LDAP-User Example
cn: user-ldap
displayName: LDAP User (User)
mail: user-ldap@example.com
userPassword: {SSHA}+/Ir5pqpe09B07Xz8IT5AS+swJ5s29QS
Create the file teamlead-user.ldiff
and add this:
dn: uid=teamlead-ldap,ou=users,dc=kimai,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: teamlead-ldap
sn: LDAP-Teamlead
givenName: LDAP-Teamlead Example
cn: teamlead-ldap
displayName: LDAP User (Teamlead)
mail: teamlead-ldap@example.com
userPassword: {SSHA}+/Ir5pqpe09B07Xz8IT5AS+swJ5s29QS
Create the file teamlead-group.ldiff
and add this:
dn: cn=teamlead,ou=groups,dc=kimai,dc=org
objectClass: top
objectClass: groupOfNames
cn: Teamleads
member: uid=teamlead-ldap,ou=users,dc=kimai,dc=org
Create the file admin-user.ldiff
and add this:
dn: uid=admin-ldap,ou=users,dc=kimai,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: admin-ldap
sn: LDAP-Administrator
givenName: LDAP-Admin Example
cn: admin-ldap
displayName: LDAP User (Administrator)
mail: admin-ldap@example.com
userPassword: {SSHA}+/Ir5pqpe09B07Xz8IT5AS+swJ5s29QS
Create the file admin-group.ldiff
and add this:
dn: cn=admin,ou=groups,dc=kimai,dc=org
objectClass: top
objectClass: groupOfNames
cn: Admins
member: uid=admin-ldap,ou=users,dc=kimai,dc=org
Create the file super-user.ldiff
and add this:
dn: uid=super-ldap,ou=users,dc=kimai,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: super-ldap
sn: LDAP-SuperAdmin
givenName: LDAP-SuperAdmin Example
cn: super-ldap
displayName: LDAP User (Super-Admin)
mail: super-ldap@example.com
userPassword: {SSHA}+/Ir5pqpe09B07Xz8IT5AS+swJ5s29QS
Create the file super-group.ldiff
and add this:
dn: cn=super,ou=groups,dc=kimai,dc=org
objectClass: top
objectClass: groupOfNames
cn: Super-Admins
member: uid=super-ldap,ou=users,dc=kimai,dc=org
The local.yaml settings
kimai:
    ldap:
        activate: true
        connection:
            host: 127.0.0.1
        user:
            baseDn: ou=users, dc=kimai, dc=org
            attributes:
                - { ldap_attr: uid, user_method: setUserIdentifier }
                - { ldap_attr: givenName, user_method: setAlias }
                - { ldap_attr: mail, user_method: setEmail }
        role:
            baseDn: ou=groups, dc=kimai, dc=org
            filter: (&(objectClass=groupOfNames)(|(cn=Admins)(cn=Super-Admins)(cn=Teamleads)))
            userDnAttribute: member
            usernameAttribute: dn
            groups:
                - { ldap_value: Teamleads, role: ROLE_TEAMLEAD }
                - { ldap_value: Admins, role: ROLE_ADMIN }
                - { ldap_value: Super-Admins, role: ROLE_SUPER_ADMIN }
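To make the LDIF files and the local.yaml settings above concrete, here is an added example (my own code, not Kimai's or OpenLDAP's) that replays in pure Python what a Kimai login under this configuration boils down to: find the entry by uid below user.baseDn, check the clear-text password against the {SSHA} userPassword the way slapd does for a simple bind, copy uid/givenName/mail into the user fields, then search role.baseDn for groupOfNames entries whose member attribute contains the user's DN and map their cn through the groups table. The fixture is a constructed subset of the files above with fresh hashes (SSHA is salted, so the page's exact hash strings cannot be regenerated); the filter from local.yaml is spelled out by hand rather than evaluated generically, and Kimai's real lookup code is not reproduced. It needs Python 3.8+ and only the standard library.

```python
# Added example (not Kimai's or OpenLDAP's code): a login under the local.yaml above, replayed in Python.
from __future__ import annotations
import base64
import hashlib
import hmac
import os


def make_ssha(password: str, salt: bytes | None = None) -> str:
    """{SSHA} as produced by slappasswd: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(password: str, stored: str) -> bool:
    """Verify against a {SSHA} value: first 20 bytes are the SHA-1 digest, the rest is the salt."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: " + stored)
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def norm_dn(dn: str) -> str:
    """Good-enough DN normalisation for these fixtures (real DN matching is more involved)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text: str) -> dict[str, dict[str, list[str]]]:
    """Minimal LDIF reader: records separated by blank lines, folded lines (leading space) joined,
    '::' values base64-decoded. Attribute names are lower-cased, as LDAP compares them that way."""
    entries = {}
    for block in text.strip().split("\n\n"):
        lines: list[str] = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]
            elif line and not line.startswith("#"):
                lines.append(line)
        dn, attrs = None, {}
        for line in lines:
            name, _, value = line.partition(":")
            value = base64.b64decode(value[1:].strip()).decode() if value.startswith(":") else value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn:
            entries[norm_dn(dn)] = attrs
    return entries


# The relevant parts of local.yaml, spelled out as Python data.
USER_BASE = norm_dn("ou=users, dc=kimai, dc=org")
ROLE_BASE = norm_dn("ou=groups, dc=kimai, dc=org")
ATTRIBUTES = {"uid": "identifier", "givenname": "alias", "mail": "email"}  # ldap_attr -> user field
GROUP_ROLES = {"Teamleads": "ROLE_TEAMLEAD", "Admins": "ROLE_ADMIN", "Super-Admins": "ROLE_SUPER_ADMIN"}


def login(directory: dict, username: str, password: str) -> dict | None:
    """Return the mapped user fields plus roles, or None when the bind would be rejected."""
    for dn, attrs in directory.items():
        if dn.endswith("," + USER_BASE) and username in attrs.get("uid", []):
            break
    else:
        return None  # unknown uid: nothing to bind as
    if not any(check_ssha(password, h) for h in attrs.get("userpassword", [])):
        return None  # simple bind with the wrong password
    user = {field: attrs.get(attr, [""])[0] for attr, field in ATTRIBUTES.items()}
    # role.filter from local.yaml, ANDed with member=<user dn> (userDnAttribute: member, usernameAttribute: dn)
    user["roles"] = sorted(
        GROUP_ROLES[cn]
        for gdn, group in directory.items()
        if gdn.endswith("," + ROLE_BASE)
        and "groupofnames" in [v.lower() for v in group.get("objectclass", [])]
        and dn in [norm_dn(m) for m in group.get("member", [])]
        for cn in group.get("cn", []) if cn in GROUP_ROLES
    )
    return user


# Constructed fixture: two users and one group from the files above, with a freshly salted hash of "kitten".
KITTEN = make_ssha("kitten")
FIXTURE = f"""
dn: uid=user-ldap,ou=users,dc=kimai,dc=org
uid: user-ldap
givenName: LDAP-User Example
userPassword: {KITTEN}

dn: uid=super-ldap,ou=users,dc=kimai,dc=org
uid: super-ldap
givenName: LDAP-SuperAdmin Example
userPassword: {KITTEN}

dn: cn=super,ou=groups,dc=kimai,dc=org
objectClass: groupOfNames
cn: Super-Admins
member: uid=super-ldap,ou=users,dc=kimai,dc=org
"""
DIRECTORY = parse_ldif(FIXTURE)

if __name__ == "__main__":
    print(login(DIRECTORY, "super-ldap", "kitten"))  # roles: ['ROLE_SUPER_ADMIN']
    print(login(DIRECTORY, "user-ldap", "wrong"))    # None
```

Two things worth taking from it: role assignment hinges on the group's cn matching an ldap_value exactly and on the member value matching the user's DN, so a user that is not listed in any of the three groups logs in with no mapped role at all, and check_ssha("kitten", hash) lets you confirm which of the hashes printed on this page really correspond to kitten. SSHA is salted but fast SHA-1, which is fine for a throw-away test fixture; for a real directory choose a slow scheme (OpenLDAP ships pw-pbkdf2 and, from 2.5, an argon2 password module), and put the server behind LDAPS or StartTLS so simple binds do not send the password in clear text.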
Setup on macOS Sonoma (ARM) with Homebrew
brew install openldap
mkdir /opt/homebrew/var/openldap-data
chmod 777 /opt/homebrew/var/openldap-data
The world-writable mode is only acceptable for a throw-away test instance on your own machine; anywhere else, chown the directory to the user slapd runs as and use mode 700 so other local users cannot read or tamper with the database files. Whichever directory you use, it must be the one named by the directory setting in slapd.conf.
vim /opt/homebrew/etc/openldap/slapd.conf
Comment out the entire MDB database definitions section and add this:
include /private/etc/openldap/schema/cosine.schema
include /private/etc/openldap/schema/nis.schema
include /private/etc/openldap/schema/inetorgperson.schema
database ldif
suffix "dc=kimai,dc=org"
rootdn "cn=admin,dc=kimai,dc=org"
# clear text password: kitten (generated with slappasswd)
rootpw {SSHA}aHxzKxwoAV46MQ4gAv9n+ISm7kD53Tzq
directory /private/var/db/openldap/openldap-data
Because rootpw lives in slapd.conf, that file is as sensitive as the root DN's password itself; keep it readable only by the user running slapd. Next, change the client configuration so the ldap* command line tools find the server:
vim /opt/homebrew/etc/openldap/ldap.conf
Replace BASE and URI with these values:
BASE dc=kimai,dc=org
URI ldap://127.0.0.1:389
Start the service:
/usr/libexec/slapd -d3 -f /opt/homebrew/etc/openldap/slapd.conf
Importing the data
Keep this order: an entry cannot be added before its parent exists, so the root and the two OUs go in first, then the users, then the groups that reference them.
ldapadd -D "cn=admin,dc=kimai,dc=org" -W -x -f ou-root.ldiff
ldapadd -D "cn=admin,dc=kimai,dc=org" -W -x -f ou-users.ldiff
ldapadd -D "cn=admin,dc=kimai,dc=org" -W -x -f ou-groups.ldiff
ldapadd -D "cn=admin,dc=kimai,dc=org" -W -x -f user-user.ldiff
ldapadd -D "cn=admin,dc=kimai,dc=org" -W -x -f teamlead-user.ldiff
ldapadd -D "cn=admin,dc=kimai,dc=org" -W -x -f teamlead-group.ldiff
ldapadd -D "cn=admin,dc=kimai,dc=org" -W -x -f admin-user.ldiff
ldapadd -D "cn=admin,dc=kimai,dc=org" -W -x -f admin-group.ldiff
ldapadd -D "cn=admin,dc=kimai,dc=org" -W -x -f super-user.ldiff
ldapadd -D "cn=admin,dc=kimai,dc=org" -W -x -f super-group.ldiff
Links
OpenLDAP is not the simplest service to set up, and these links helped me find a working configuration: