Continuous Integration Part 1: LDAP Authentication

This is the first of a series on setting up a Continuous Integration workflow for Java and PHP. It's a project I've been working on both personally and professionally recently and hopefully my experience will be helpful to others.

The goal of this setup is to install and integrate the following tools into a singe system with common authentication provided through LDAP.

  1. LDAP and Crowd for User Management
  2. Subversion or Mercurial for Source Control
  3. Fisheye/Crucible for source code browsing / code review
  4. JIRA for issue tracking and Confluence for a wiki
  5. Hudson CI

You'll notice I'm using a lot of Atlassian's tools, which aren't free (unless you have an active open source project), this is because they're the tools we use at work and in my experience they're well designed and equivalent to all the alternatives I've tried. However, I will try to provide a list of free alternatives, since not everyone can afford Atlassian's tools.

In part one of this series I'm looking at the core of the whole system, LDAP authentication. Once setup, this will allow all the other tools to use a common set of authentication credentials and allow central management of all the users in the system.

I've chosen to use OpenLDAP since it's solid, well supported and easy to install in any Linux distro. My instructions are specific to Ubuntu or Debian but the process is basically the same for any other distribution.

Step 1. Install OpenLDAP

$ sudo apt-get install slapd ldap-utils

Step 2. Configure OpenLDAP

Ubuntu provides dpkg configuration that make the initial setup easy.

$ sudo dpkg-reconfigure slapd

Omit OpenLDAP server configuration? ... No
DNS domain name:
Name of your organization: ACME Corporation
Admin Password: ********
Confirm Password: ********
Do you want your database to be removed when slapd is purged? ... No
Move old database? ... No
Allow LDAPv2 Protocol? ... No

Once the initial configuration is finished you can change some of the LDAP options in /etc/ldap/slapd.conf

I also suggest making sure the LDAP server is indexing attributes such as email and cn. If you don't, you'll take a hit on performance (however small) whenever someone searches the directory or logs in. I also had issues with log files getting very large with warning messages about searching non-indexed fields. To set this, add/update the index option in the slapd.conf configuration file to the following.

index cn,gn,mail eq,sub

Step 3: Load Base Directory Structure

Now that the configuration is complete you need to start the slapd service.

$ sudo /etc/init.d/slapd start

Once the OpenLDAP server is running, you need to load a base structure into the LDAP directory for storing users and groups.
Place the following into a new file "base.ldif" (This assume you used as your domain, you should update it with what you set)

dn: ou=people, dc=example, dc=com
ou: people
objectclass: organizationalUnit
dn: ou=groups, dc=example, dc=com
ou: groups
objectclass: organizationalUnit

Now use ldap_add to add the entries to the directory:

$ ldapadd -x -W -D "cn=admin,dc=example,dc=com" -f base.ldif

A quick overview of ldapadd options used:
-x: Disable SASL authentication
-W: Prompt for password
-D "...": The user to authenticate with (again, assuming
-f "...": The LDIF file to add entries from

Once the base structure is in place, your directory is ready for use. You have a choice of tools for managing the directory, my preference is Atlassian Crowd, a Java-based web application. It's not free, but from my experience it's most convenient tool I've tried for managing a user directory. If you want a free alternative, take a look at Wikipedia's list of LDAP software.

Step 4: Directory Management

Installing Crowd is pretty straightforward and well documented in Atlassian's Dragon Quest. You should follow their directions for the initial setup.

Once you have Crowd installed, you need to add a directory connector for OpenLDAP. See Atlassian's documentation again for more detail on adding a directory. The only things I suggest you do in addition to the provided instructions are:

  • Connector Tab
  • Check "Use Nested Groups" to enable subgroups
  • Configuration Tab
  • Use "ou=people" for the User DN field
  • Use "ou=groups" for the Group DN field

Note: enabling nested groups has limited use since not all of the tools support it, but it does come in handy for Atlassian's tools.

Once you've added the LDAP directory you're ready to begin adding users and groups. My suggestion is to use three groups for each project you're going to be working on, once for project administrators, one for developers and one for users. I use the following pattern:

  • projectname-admin
  • projectname-dev
  • projectname-users

Once you have groups like these for each project you can set access permissions on the groups in each tool, and then the process of adding a user to a project is as simple as adding them to the appropriate group.

With this setup, you now have a common authentication system that will work with all the tools in a continuous integration pipeline. You also get an OpenID server if you installed Crowd (CrowdID), which you can use anywhere on the web that supports OpenID.

The next part of this series will cover LDAP access control for Subversion repositories. I also have a working prototype of LDAP controlled Mercurial repositories that I plan on integrating into this series once I have a little longer to experiment with it.