
Set up phabricator with LDAP authentication on Debian Jessie


On a server running Debian 8, how can I set up phabricator so that users are authenticated using a local LDAP server?

(Choosing LDAP because the same accounts should also be used by other web applications on the same server later)


Solution

  • Replace all occurrences of ***** with secure passwords and store them safely.

    Replace all occurrences of example.com with something sensible.

    Use ssh X11 tunneling for the jxplorer application if you have no local X.


    apt-get install emacs aptitude dbconfig-common debconf fonts-font-awesome jq \
        php5-fpm libjs-raphael php5-cli php5-curl mysql-server php5-mysql \
        php5-ldap po-debconf ucf nginx php5-apcu php5-gd npm python mc git \
        default-jdk jxplorer slapd xauth
    

    New password for the mysql root user: *****

    Admin password for LDAP: *****


    mysql -u root -p
    mysql> grant all privileges on `phabricator\_%`.* to 'phabricator'@localhost identified by '*****';
    mysql> exit
    

    dpkg-reconfigure slapd
    

    Enter

    • domain: users.example.com
    • company name: example
    • everywhere else, accept the defaults

    Start jxplorer, connect, and enter:

    • Base DN: dc=users,dc=example,dc=com
    • Level: user + password
    • User DN: cn=admin,dc=users,dc=example,dc=com
    • Password: What you used earlier

    Save the connection settings if you like.

    Add new users below "users" with objectClass account,simpleSecurityObject:

    • uid=developer,userPassword=*****,submit
    • uid=reviewer,userPassword=*****,submit
    • uid=webadmin,userPassword=*****,submit
    • uid=anonymous,userPassword=*****,submit

    Exit jxplorer


    Download the Debian binary packages phabricator, arcanist and libphutil from the testing distribution. Use https://packages.debian.org/testing/phabricator to find the download links.

    # in the directory where these 3 packages have been downloaded to
    dpkg -i *.deb 
    

    • phabricator domain: phabricator.example.com
    • web server: nginx
    • MySQL administrator account username: phabricator


    Set up DNS: either have phabricator.example.com point to your server in DNS, or add the IP address of the server to the client's /etc/hosts file as phabricator.example.com.


    service nginx restart
    

    If this fails, then issue

    nginx -t 
    

    to get the error message.

    If the error message is

    nginx: [emerg] could not build the server_names_hash, you should increase server_names_hash_bucket_size: 32

    then edit /etc/nginx/nginx.conf to include something like

    http {
        server_names_hash_bucket_size 64;
        ...
    }
    

    Open http://phabricator.example.com/ in a web browser. It displays:

    Authentication Failure. Your login session is invalid. Try reloading the page and logging in again. If that does not work, clear your browser cookies.

    So I reload.


    On the web page:

    • Phabricator Username: webadmin
    • Real Name: webadmin
    • Password: *****
    • Email: webadmin@example.com

    Open the Auth application:

    • Add Authentication Provider Username/Password
    • Add Authentication Provider LDAP
    • Check Trust Email Addresses
    • LDAP Host Name: localhost
    • Base Distinguished Name: dc=users,dc=example,dc=com
    • Search Attributes: uid
    • Anonymous Username: uid=anonymous,dc=users,dc=example,dc=com
    • Anonymous Password: what I used earlier
    • Add Provider

    Go to the Phabricator start page and open the People application:

    • choose webadmin
    • Edit Settings
    • Authentication, External Accounts
    • Add External Account LDAP

    • LDAP Username: webadmin
    • LDAP Password: what I used earlier
    • Link Accounts
    • Confirm Account Link

    Check if login via LDAP works:

    • Log out
    • Log in as webadmin over LDAP
    • works

    The user/password Auth Provider can now be disabled. Log out and log in again to check.


    Check if user registration over LDAP works:

    • Log out
    • LDAP Username: developer
    • LDAP Password: What I set earlier
    • Login/Register
    • Phabricator Username: developer
    • Real Name: developer
    • Email: developer@example.com
    • Register Phabricator account.

    Account needs approval.


    Log out and log in again as webadmin

    • Open the People Application
    • Approval Queue
    • Thumb up

    Go to Phabricator start page

    • Open the Config Application
    • Authentication
    • auth.require-approval
    • Set value to false
    • save

    Log out


    Check login as developer

    • works
    • Log out

    Check registration as reviewer

    • works without approval
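As an added example that is not part of the original question or answer: the four accounts the answer creates by hand in jxplorer, generated instead as an LDIF file that can be loaded with ldapadd. The userPassword values are written as salted {SSHA} hashes so the directory stores a hash rather than a cleartext password value, and a small verify function mirrors the comparison slapd performs on a simple bind. The base DN, account names and objectClasses come from the answer; the passwords, the file name users.ldif and the function names are constructed placeholders.

```python
"""Generate an LDIF file for the answer's four LDAP accounts with {SSHA}-hashed passwords."""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumption: same base DN as used in the answer above.
BASE_DN = "dc=users,dc=example,dc=com"

# Constructed placeholder passwords; substitute the real ones (the ***** in the answer).
USERS: Dict[str, str] = {
    "developer": "placeholder-developer-pw",
    "reviewer": "placeholder-reviewer-pw",
    "webadmin": "placeholder-webadmin-pw",
    "anonymous": "placeholder-anonymous-pw",  # the search-bind account Phabricator uses
}


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-1 in the {SSHA} form OpenLDAP accepts in userPassword."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Check a password against a {SSHA} value, as slapd does on a simple bind."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the salt follows it
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def user_entry(uid: str, password: str, base_dn: str = BASE_DN,
               salt: Optional[bytes] = None) -> str:
    """One LDIF entry with the objectClasses the answer uses (account, simpleSecurityObject)."""
    return "\n".join([
        f"dn: uid={uid},{base_dn}",
        "objectClass: account",
        "objectClass: simpleSecurityObject",
        f"uid: {uid}",
        f"userPassword: {ssha_hash(password, salt)}",
        "",  # blank line terminates the entry
    ])


def build_ldif(users: Dict[str, str], base_dn: str = BASE_DN) -> str:
    """All entries, blank-line separated, ready for: ldapadd -f users.ldif"""
    return "\n".join(user_entry(uid, pw, base_dn) for uid, pw in users.items())


if __name__ == "__main__":
    # Load with the admin DN from the answer (prompts for the slapd admin password):
    #   ldapadd -x -D "cn=admin,dc=users,dc=example,dc=com" -W -f users.ldif
    print(build_ldif(USERS))
```

Every run produces different hashes because each entry gets a fresh random salt; that is intended, since two accounts with the same password should not share a userPassword value. After loading the file, the Phabricator LDAP provider settings from the answer (search attribute uid, anonymous bind as uid=anonymous) apply unchanged, because only the form of the stored password differs.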