Notes on LDAP (Draft) (Expired document)

Useful references and documents:

  • Net::LDAP
  • Re: web user authentication using Net::LDAP
  • Re: LDAP authentication with Net::LDAP
  • LDAP HowTo (IT)
  • SugarCRM configuration screenshot

If the goal is only to verify a user's password, it should be enough to connect to the LDAP server with the user's own credentials (login and password): if the bind succeeds, the user is authenticated. Two things have to hold for this to be safe: the connection must be protected (LDAPS or StartTLS, since a simple bind sends the password in cleartext) and an empty password must be rejected before binding, because LDAP treats a bind with a DN and an empty password as an anonymous ("unauthenticated") bind that most servers accept.

Done this way, the user still has to be created and managed in the IGSuite DB.

To get rid of that dependency one could, I think, use the LDAP server to store the information normally kept in the 'users' table of the IGSuite DB.

Lucas (08.05.2009): What I don't know how to handle is precisely the synchronisation between the data held on the LDAP server and the data held in IG. Whoever wants to use an LDAP server generally does so to centralise user data on the LDAP server and not to have to manage them in the various programs that connect to the LDAP server, right? If so, since the administrator will configure IGSuite to authenticate via LDAP, we should perhaps handle the "users" table by keeping the IGSuite access data on the LDAP server (with one-way synchronisation: from LDAP to IG) and the purely personal data usable and editable from the "Personale" module. But who creates the users? LDAP at the time of the first authentication request?


sub authenticate {
  my ($login, $pwd) = @_;
  return 1 if users_table_match($login, $pwd);       # IGSuite "users" table (helper to be written)
  # no match in "users": try LDAP; a successful bind with the user's own password means LDAP says OK
  my ($ok, $full_name) = query_ldap($login, $pwd);   # helper wrapping a Net::LDAP bind + search
  return 0 unless $ok;
  insert_into_users($login, $full_name) unless user_exists($login);   # created without a password
  return 1;
}


TUTOS WAY (configuration)

The way it works

To authenticate your TUTOS users against an LDAP server, you first have to configure how TUTOS authenticates via that server, then create the TUTOS users.

There is not just one way of doing LDAP authentication, and you need to know how LDAP is configured on your server in order to configure it for TUTOS.

The scheme is always the same: you send the user name and password to the server, and it accepts or rejects the connection. But there are three different ways of doing that with an LDAP server:

Anonymous bind
You connect to the LDAP server as the anonymous user, then retrieve the user's stored password attribute in order to compare it with the given value (this only works if the server's ACLs let anonymous users read that attribute, which is rarely the case);

User bind
You bind to the LDAP server directly with the given user name and password, and get an accept or reject response;

Admin bind
On some LDAP servers you have to bind as an administrator (or another privileged account) to be able to read the password attribute. Once bound as admin, you fetch the user information just as in the anonymous bind case.

Of course, in each of those cases the password can be stored "as is" (cleartext) or as a hash (what the configuration below calls "encrypted", e.g. an OpenLDAP {SSHA} value); in the two compare cases the application must apply the same scheme before comparing.
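The three strategies, and the empty-password pitfall mentioned in the IGSuite notes, modelled offline. This is an added example and not code from IGSuite, TUTOS or Net::LDAP: FakeLdap is a constructed stand-in for a directory server that keeps only the bind and read semantics relevant here, and the DNs, passwords and the admin DN are constructed test data (the basedn/userdn values are those of the TUTOS example config).

```python
"""Anonymous, user and admin bind against a constructed in-memory directory."""
import base64
import hashlib
import hmac
import os

# userdn attribute + basedn from the TUTOS example config; login is NOT escaped here.
USER_DN = "uid=%s,ou=mail,ou=user,o=cvf"


def ssha(password, salt=None):
    """RFC 2307 style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_stored(stored, candidate):
    """Compare a candidate with a stored userPassword: {SSHA}, {SHA} or cleartext."""
    cand = candidate.encode()
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, rest is salt
        return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(hashlib.sha1(cand).digest(), base64.b64decode(stored[5:]))
    return hmac.compare_digest(stored.encode(), cand)   # stored "as is"


# Constructed directory content: DN -> attributes (admin DN is an assumption).
ADMIN_DN = "cn=admin,ou=adminprs,ou=ldap,ou=user,o=cvf"
DIRECTORY = {
    USER_DN % "alice": {"userPassword": ssha("alice-pw", b"salt"), "cn": "Alice Example"},
    USER_DN % "bob": {"userPassword": "bob-pw", "cn": "Bob Example"},
    ADMIN_DN: {"userPassword": "h4ckm3", "cn": "Directory Admin"},
}


class FakeLdap:
    """Stand-in server: bind() and read() with the usual ACL on userPassword."""

    def __init__(self, anonymous_reads_password=False):
        self.anonymous_reads_password = anonymous_reads_password
        self.who = None                              # None = not bound

    def bind(self, dn=None, password=None):
        # RFC 4513 5.1.2: a name with an EMPTY password is an "unauthenticated"
        # bind that servers commonly accept as anonymous. Code that treats any
        # successful bind as proof of identity is bypassed by an empty password.
        if dn is None or not password:
            self.who = "anonymous"
            return True
        entry = DIRECTORY.get(dn)
        if entry and check_stored(entry["userPassword"], password):
            self.who = dn
            return True
        self.who = None
        return False

    def read(self, dn, attr):
        entry = DIRECTORY.get(dn)
        if entry is None:
            return None
        if attr == "userPassword" and self.who == "anonymous" and not self.anonymous_reads_password:
            return None                              # ACL: password hidden from anonymous
        return entry.get(attr)


def auth_user_bind(login, password):
    """User bind: bind with the user's own DN and password."""
    if not password:
        return False                                 # never let the empty-password bind count
    conn = FakeLdap()
    return conn.bind(USER_DN % login, password) and conn.who == USER_DN % login


def auth_anonymous_bind(login, password, anonymous_reads_password=False):
    """Anonymous bind, then read userPassword and compare it locally."""
    conn = FakeLdap(anonymous_reads_password)
    conn.bind()
    stored = conn.read(USER_DN % login, "userPassword")
    return stored is not None and check_stored(stored, password)


def auth_admin_bind(login, password, admin_dn, admin_pw):
    """Admin bind: bind with a privileged DN, then read and compare as above."""
    conn = FakeLdap()
    if not conn.bind(admin_dn, admin_pw) or conn.who != admin_dn:
        return False                                 # also catches an empty admin password
    stored = conn.read(USER_DN % login, "userPassword")
    return stored is not None and check_stored(stored, password)
```

The two compare strategies need the application to see the hash, which is why they depend on ACLs and on knowing the storage scheme; the user-bind strategy needs neither, but must refuse empty passwords itself, because the server will happily "succeed".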

How to configure it

After reading the first part, the config options should be easy to set up. So here are the parts of the config file to edit :

 # LDAP configuration
 # 0 = check standard database
 # 1 = check ldapauthserver for password verification 
 $tutos[ldapauth] = 0;

 # encrypted passwords 
 # 1 = yes
 $tutos[ldapauth_pw_enc] = 1;

 $tutos[ldapauthserver]['host'] = "";
 $tutos[ldapauthserver]['port'] = 389;

 $tutos[ldapauthserver]['basedn'] =  "ou=mail,ou=user,o=cvf";
 $tutos[ldapauthserver]['userdn'] = "uid";

LDAP paths: without this information you cannot find the user entries on the server. If you don't know those values, ask your LDAP admin. Here userdn is the attribute used in the first (leftmost, most specific) RDN of the user's DN; with the example values the user's DN is uid=username,ou=mail,ou=user,o=cvf.

The two values are kept separate because LDAP search and bind work differently: a search takes basedn as the search base and a filter on the userdn attribute, while a bind needs the full DN assembled from both.
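Assembling the DN (for the bind case) and the filter (for the search case) from a login typed by the user is where LDAP injection happens, so the login must be escaped for each syntax separately, or better rejected outright when it contains anything but a plain account name. Added example, not TUTOS code: basedn and userdn are the TUTOS example values, the escaping follows RFC 4514 (DN strings) and RFC 4515 (search filters), and the allow-list pattern is an assumption to adapt to the site's naming rules.

```python
"""Safe bind-DN and search-filter construction from an untrusted login."""
import re

BASE_DN = "ou=mail,ou=user,o=cvf"       # $tutos[ldapauthserver]['basedn']
USER_ATTR = "uid"                       # $tutos[ldapauthserver]['userdn']

# Conservative allow-list for account names (assumption; adjust per site).
LOGIN_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)             # special characters get a backslash
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))    # control characters as hex pairs
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape an assertion value for a search filter (RFC 4515 section 3)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def login_allowed(login):
    """Allow-list check to run first: rejects DN and filter syntax outright."""
    return bool(LOGIN_RE.match(login))


def bind_dn(login):
    """DN for the user-bind case: <userdn>=<login>,<basedn>."""
    return "%s=%s,%s" % (USER_ATTR, escape_dn_value(login), BASE_DN)


def search_filter(login):
    """Filter for the search-then-bind case, to be run with BASE_DN as search base."""
    return "(%s=%s)" % (USER_ATTR, escape_filter_value(login))
```

With the escaping in place a login of admin,ou=adminprs stays a single uid value instead of moving the bind to another subtree, and a login of *) or a)(uid=* becomes a literal value instead of rewriting the filter; login_allowed() is the cheaper first line of defence and makes the escaping a second, independent layer.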

 # use given user/passwd pair to bind the LDAP server 
 # 0 = no
 # 1 = yes
 $tutos[ldapauth_user] = 0;

If you set this option, the user name and password supplied at login are used to bind to the LDAP tree (the "user bind" case above).

 # do anonymous bind to ldapauthserver
 # 1 = yes
 # 0 = use tutos[ldapauthserver]['binddn']
 #     and tutos[ldapauthserver]['passwd']
 $tutos[ldapauth_anonymous] = 1;

Here you can choose whether to do an anonymous bind to the LDAP server (1) or to bind with the binddn/passwd given below (0).

 $tutos[ldapauthserver]['binddn'] = "ou=adminprs,ou=ldap,ou=user,o=cvf";
 $tutos[ldapauthserver]['passwd'] = "h4ckm3";

If you have to bind to the LDAP server as an admin, provide another LDAP path, which is the DN of the admin (or, better, of a less privileged service account), followed by its password. Since that password sits in cleartext in the config file, keep the file readable only by the web server user and give the account read access to nothing beyond what authentication needs.

Adding the users to the tutos database

Now that you have set up the authentication process, you still can't use TUTOS: you can log in, but nothing happens. You have to create TUTOS users with the same login as the LDAP ones.

I've made a PHP script to do that, ldap_getdata.php in the php/admin directory. As LDAP structures can be really different from one company to another, this script is far from generic, but it works well here!

You should adapt it to your own LDAP structure and then have all the wanted users created in TUTOS. If you have any idea how to make this script generic, please feel free to contribute, either by sending us a patch or by telling us how to do it.

Simple Groupware WAY

LDAP / Active Directory

Normally Simple Groupware authenticates all users against a table in the database containing the username/password pairs. This table is named "simple_sys_users".
But Simple Groupware can also use LDAP or Active Directory (AD) services for user authentication.

To enable LDAP, open the Simple Groupware page in your web browser and log in as super administrator (username "admin" by default). Navigate to "/Workspace/System" and choose "Change setup settings". Choose "LDAP" as authentication mode and specify the host name or IP address of your LDAP or AD server (secure connections use "ldaps://server/", unencrypted connections use "server"). By default the connection is made to port 389; with "ldaps://server/", port 636 is used instead. Prefer the ldaps:// form: with plain LDAP on port 389 every user's password crosses the network in cleartext during the simple bind.

With Active Directory you need to specify the Windows domain, which is appended to the username for the authentication (for example, with the domain set to "mydomain.local", the username "administrator" becomes "administrator@mydomain.local"); note that this field must be left empty for plain LDAP.

In order to handle authentication, an entry point in the LDAP directory tree is required. This entry point is called the base DN, and Simple Groupware tries to detect it automatically from the server's namingContexts attribute (read from the root DSE; this was successfully tested with OpenLDAP and Active Directory). If this technique does not work for you, or you want to restrict authentication to a different subtree, you can specify another value in the "base DN" field.

With LDAP you can either use an anonymous connection to resolve the DN of a user or provide credentials that allow searching the LDAP tree (user DN and password). The username is searched by default in the "uid" attribute (this can be changed in the setup settings). For Active Directory this attribute is automatically set to "sAMAccountName".

Every user still needs an account within Simple Groupware. You can create these accounts manually or check the option "Enable automatic user creation" to let Simple Groupware create (or update) all accounts automatically. After making changes to the setup settings, click "Save" and you're done. Automatic creation uses these fields from LDAP/AD to create or update accounts in Simple Groupware (where two attributes are listed, the first one present is used):

 LDAP / AD                          Simple Groupware
 sAMAccountName / uid               username
 mail                               email
 sn                                 lastname
 givenname                          firstname
 telephonenumber                    phone
 mobile                             mobile
 pager                              pager
 fax / facsimiletelephonenumber     fax
 ipphone                            skype
 street / streetaddress             street
 postalcode                         zipcode
 l                                  city
 st                                 state
 c                                  country
 department                         department
 description                        jobdesc
 wwwhomepage                        homepage

Automatic user creation does not include group memberships. You can create these groups manually or (beginning with Simple Groupware 0.310) check the option "Use LDAP Groups" together with "Enable automatic user creation" to let Simple Groupware create (or update) all users and groups automatically. After making changes to the setup settings, click "Save" and you're done. When a user logs into Simple Groupware, the user account and its groups are automatically created (or updated) within Simple Groupware. The attribute used to identify group memberships is "memberOf" by default, but it can be changed in the setup settings.

Note: Nested groups (groups as member of other groups) are not replicated from LDAP/AD to Simple Groupware.
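What the automatic creation described above amounts to in code: the UPN construction for AD, the attribute table with its "a / b" fallbacks, and the group names taken from memberOf (direct memberships only, which is why nested groups are not replicated). Added example, not Simple Groupware code; SAMPLE_ENTRY is constructed data in the shape a search result has (attribute -> list of values), and the field names on the Simple Groupware side are those of the table above.

```python
"""Map an LDAP/AD entry to a Simple Groupware style account plus its direct groups."""
import re

# Simple Groupware field -> LDAP/AD attributes tried in order (the table above).
FIELD_MAP = {
    "username": ("sAMAccountName", "uid"),
    "email": ("mail",),
    "lastname": ("sn",),
    "firstname": ("givenname",),
    "phone": ("telephonenumber",),
    "mobile": ("mobile",),
    "pager": ("pager",),
    "fax": ("fax", "facsimiletelephonenumber"),
    "skype": ("ipphone",),
    "street": ("street", "streetaddress"),
    "zipcode": ("postalcode",),
    "city": ("l",),
    "state": ("st",),
    "country": ("c",),
    "department": ("department",),
    "jobdesc": ("description",),
    "homepage": ("wwwhomepage",),
}

# Constructed AD-style entry; note the escaped comma inside one group name.
SAMPLE_ENTRY = {
    "sAMAccountName": ["jdoe"],
    "mail": ["jdoe@mydomain.local"],
    "sn": ["Doe"],
    "givenName": ["Jane"],
    "facsimileTelephoneNumber": ["+1 555 0100"],
    "l": ["Springfield"],
    "c": ["US"],
    "memberOf": [
        "CN=Sales,OU=Groups,DC=mydomain,DC=local",
        "CN=Smith\\, John Team,OU=Groups,DC=mydomain,DC=local",
    ],
}


def bind_name(username, domain):
    """AD: user@domain (UPN). Plain LDAP: domain is empty and the name is unchanged."""
    return "%s@%s" % (username, domain) if domain else username


def values(entry, attr):
    """Attribute names are case-insensitive in LDAP, so match them that way."""
    for key, vals in entry.items():
        if key.lower() == attr.lower():
            return list(vals)
    return []


def entry_to_account(entry):
    """Fill each Simple Groupware field from the first mapped attribute that is present."""
    account = {}
    for field, attrs in FIELD_MAP.items():
        for attr in attrs:
            vals = values(entry, attr)
            if vals:
                account[field] = vals[0]
                break
    return account


def dn_unescape(text):
    """Undo RFC 4514 escaping in an RDN value: \\c -> c and \\hh -> that byte."""
    return re.sub(
        r"\\([0-9A-Fa-f]{2}|.)",
        lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1),
        text,
    )


def group_names(entry, attr="memberOf"):
    """Names (first RDN value) of the groups the user is a DIRECT member of.

    Groups that merely contain these groups never appear in memberOf, which is
    the nested-group limitation noted above.
    """
    names = []
    for dn in values(entry, attr):
        match = re.match(r"(?i)cn=((?:\\.|[^,])*)", dn)
        if match:
            names.append(dn_unescape(match.group(1)))
    return names
```

entry_to_account() leaves a field out rather than storing an empty string when no mapped attribute exists, so an update does not wipe a value the administrator filled in by hand.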

Note: The super administrator is not authenticated over LDAP/AD. It still uses the username and password defined during Setup. The super administrator username/password can also be changed using "Change setup settings".