authldap.html 14.2 KB
Newer Older
Clément OUDOT's avatar
Clément OUDOT committed
1 2 3 4 5 6
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
  <meta charset="utf-8" />
  <title>documentation:2.0:authldap</title>
<meta name="generator" content="DokuWiki"/>
Xavier Guimard's avatar
Xavier Guimard committed
7
<meta name="robots" content="index,follow"/>
Clément OUDOT's avatar
Clément OUDOT committed
8 9 10 11 12
<meta name="keywords" content="documentation,2.0,authldap"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="authldap.html"/>
<link rel="contents" href="authldap.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
Xavier Guimard's avatar
Xavier Guimard committed
13 14 15 16 17 18 19 20 21
<!-- //if:usedebianlibs
  <link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
  <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
Clément OUDOT's avatar
Clément OUDOT committed
22 23 24
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:authldap","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
Xavier Guimard's avatar
Xavier Guimard committed
25 26 27 28 29 30 31 32 33 34 35 36 37 38
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
  <script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
  <script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
Xavier Guimard's avatar
Xavier Guimard committed
39
  <script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
Xavier Guimard's avatar
Xavier Guimard committed
40
//else -->
Xavier Guimard's avatar
Xavier Guimard committed
41
  <script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
Xavier Guimard's avatar
Xavier Guimard committed
42
<!-- //endif -->
Clément OUDOT's avatar
Clément OUDOT committed
43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>

<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#authentication_level">Authentication level</a></div></li>
<li class="level2"><div class="li"><a href="#exported_variables">Exported variables</a></div></li>
<li class="level2"><div class="li"><a href="#connection">Connection</a></div></li>
<li class="level2"><div class="li"><a href="#filters">Filters</a></div></li>
<li class="level2"><div class="li"><a href="#groups">Groups</a></div></li>
<li class="level2"><div class="li"><a href="#password">Password</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->

<h1 class="sectionedit1" id="ldap">LDAP</h1>
<div class="level1">
<div class="table sectionedit2"><table class="inline table table-bordered table-striped">
	<thead>
	<tr class="row0 roweven">
		<th class="col0 centeralign">  Authentication  </th><th class="col1 centeralign">  Users  </th><th class="col2 centeralign">  Password  </th>
	</tr>
	</thead>
	<tr class="row1 rowodd">
		<td class="col0 centeralign"></td><td class="col1 centeralign"></td><td class="col2 centeralign"></td>
	</tr>
</table></div>
<!-- EDIT2 TABLE [21-90] -->
</div>
<!-- EDIT1 SECTION "LDAP" [1-91] -->
<h2 class="sectionedit3" id="presentation">Presentation</h2>
<div class="level2">

<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> can use an LDAP directory to:
</p>
<ul>
<li class="level1"><div class="li"> authenticate user</div>
</li>
<li class="level1"><div class="li"> get user attributes</div>
</li>
<li class="level1"><div class="li"> get groups where user is registered</div>
</li>
<li class="level1"><div class="li"> change password (with server side password policy management)</div>
</li>
</ul>

<p>
This works with every LDAP v2 or v3 server, including <a href="authad.html" class="wikilink1" title="documentation:2.0:authad">Active Directory</a>.
</p>

<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> is compatible with <a href="https://opends.dev.java.net/public/standards/draft-behera-ldap-password-policy.txt" class="urlextern" title="https://opends.dev.java.net/public/standards/draft-behera-ldap-password-policy.txt"  rel="nofollow">LDAP password policy</a>:
</p>
<ul>
<li class="level1"><div class="li"> LDAP server can check password strength, and <abbr title="LemonLDAP::NG">LL::NG</abbr> portal will display correct errors (password too short, password in history, etc.)</div>
</li>
<li class="level1"><div class="li"> LDAP sever can block brute-force attacks, and <abbr title="LemonLDAP::NG">LL::NG</abbr> will display that account is locked</div>
</li>
<li class="level1"><div class="li"> LDAP server can force password change on first connection, and <abbr title="LemonLDAP::NG">LL::NG</abbr> portal will display a password change form before opening <abbr title="Single Sign On">SSO</abbr> session</div>
</li>
</ul>

</div>
<!-- EDIT3 SECTION "Presentation" [92-903] -->
<h2 class="sectionedit4" id="configuration">Configuration</h2>
<div class="level2">

<p>
In Manager, go in <code>General Parameters</code> &gt; <code>Authentication modules</code> and choose LDAP for authentication, users and/or password modules.
</p>
<div class="notetip">For <a href="authad.html" class="wikilink1" title="documentation:2.0:authad">Active Directory</a>, choose <code>Active Directory</code> instead of <code>LDAP</code>.
</div>
</div>
<!-- EDIT4 SECTION "Configuration" [904-1169] -->
<h3 class="sectionedit5" id="authentication_level">Authentication level</h3>
<div class="level3">

<p>
The authentication level given to users authenticated with this module.
</p>
<div class="noteimportant">As LDAP is a login/password based module, the authentication level can be:<ul>
<li class="level1"><div class="li"> increased (+1) if portal is protected by SSL (HTTPS)</div>
</li>
<li class="level1"><div class="li"> decreased (-1) if the portal autocompletion is allowed (see <a href="portalcustom.html" class="wikilink1" title="documentation:2.0:portalcustom">portal customization</a>)</div>
</li>
</ul>

</div>
</div>
<!-- EDIT5 SECTION "Authentication level" [1170-1535] -->
<h3 class="sectionedit6" id="exported_variables">Exported variables</h3>
<div class="level3">

<p>
List of attributes to query to fill user session. See also <a href="exportedvars.html" class="wikilink1" title="documentation:2.0:exportedvars">exported variables configuration</a>.
</p>

</div>
<!-- EDIT6 SECTION "Exported variables" [1536-1676] -->
<h3 class="sectionedit7" id="connection">Connection</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> <strong>Server host</strong>: LDAP server hostname or <abbr title="Uniform Resource Identifier">URI</abbr> (by default: localhost). Accept some specificities:</div>
<ul>
<li class="level2"><div class="li"> More than one server can be set here separated by spaces or commas. They will be tested in the specified order.</div>
</li>
<li class="level2"><div class="li"> To use TLS, set <code>ldap+tls://server</code> and to use LDAPS, set <code>ldaps://server</code> instead of server name.</div>
</li>
Clément OUDOT's avatar
Clément OUDOT committed
161
<li class="level2"><div class="li"> If you use TLS, you can set any of the <a href="http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod" class="urlextern" title="http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod"  rel="nofollow">Net::LDAP</a> start_tls() sub like <code>ldap+tls://server/verify=none&amp;capath=/etc/ssl</code>. You can also use cafile and capath parameters.</div>
Clément OUDOT's avatar
Clément OUDOT committed
162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179
</li>
</ul>
</li>
<li class="level1"><div class="li"> <strong>Server port</strong>: TCP port used by LDAP server. Can be overridden by an LDAP <abbr title="Uniform Resource Identifier">URI</abbr> in server host.</div>
</li>
<li class="level1"><div class="li"> <strong>Users search base</strong>: Base of search in the LDAP directory.</div>
</li>
<li class="level1"><div class="li"> <strong>Account</strong>: <abbr title="Distinguished Name">DN</abbr> used to connect to LDAP server. By default, anonymous bind is used.</div>
</li>
<li class="level1"><div class="li"> <strong>Password</strong>: password to used to connect to LDAP server. By default, anonymous bind is used.</div>
</li>
<li class="level1"><div class="li"> <strong>Timeout</strong>: server idle timeout.</div>
</li>
<li class="level1"><div class="li"> <strong>Version</strong>: LDAP protocol version.</div>
</li>
<li class="level1"><div class="li"> <strong>Binary attributes</strong>: regular expression matching binary attributes (see <a href="http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod" class="urlextern" title="http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod"  rel="nofollow">Net::LDAP</a> documentation).</div>
</li>
</ul>
Clément OUDOT's avatar
Clément OUDOT committed
180 181
<div class="noteimportant">LemonLDAP::NG need anonymous access to LDAP Directory RootDSE in order to check LDAP connection.
</div>
Clément OUDOT's avatar
Clément OUDOT committed
182
</div>
Clément OUDOT's avatar
Clément OUDOT committed
183
<!-- EDIT7 SECTION "Connection" [1677-2988] -->
Clément OUDOT's avatar
Clément OUDOT committed
184 185 186 187
<h3 class="sectionedit8" id="filters">Filters</h3>
<div class="level3">
<div class="notetip">In LDAP filters, $user is replaced by user login, and $mail by user email.
</div><ul>
Xavier Guimard's avatar
Xavier Guimard committed
188
<li class="level1"><div class="li"> <strong>Default filter</strong>: default LDAP filter for searches, should not be modified.</div>
Clément OUDOT's avatar
Clément OUDOT committed
189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206
</li>
<li class="level1"><div class="li"> <strong>Authentication filter</strong>: Filter to find user from its login (default: <code>(&amp;(uid=$user)(objectClass=inetOrgPerson))</code>)</div>
</li>
<li class="level1"><div class="li"> <strong>Mail filter</strong>: Filter to find user from its mail (default: <code>(&amp;(mail=$mail)(objectClass=inetOrgPerson))</code>)</div>
</li>
<li class="level1"><div class="li"> <strong>Alias dereference</strong>: How to manage LDAP aliases. (default: <code>find</code>)</div>
</li>
</ul>
<div class="notetip">For Active Directory, the default authentication filter is:
<pre class="code">(&amp;(sAMAccountName=$user)(objectClass=person))</pre>

<p>
And the mail filter is:
</p>
<pre class="code">(&amp;(mail=$mail)(objectClass=person))</pre>

</div>
</div>
Clément OUDOT's avatar
Clément OUDOT committed
207
<!-- EDIT8 SECTION "Filters" [2989-3710] -->
Clément OUDOT's avatar
Clément OUDOT committed
208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227
<h3 class="sectionedit9" id="groups">Groups</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> <strong>Search base</strong>: <abbr title="Distinguished Name">DN</abbr> of groups branch. If no value, disable group searching.</div>
</li>
<li class="level1"><div class="li"> <strong>Object class</strong>: objectClass of the groups (default: groupOfNames).</div>
</li>
<li class="level1"><div class="li"> <strong>Target attribute</strong>: name of the attribute in the groups storing the link to the user (default: member).</div>
</li>
<li class="level1"><div class="li"> <strong>User source attribute</strong>: name of the attribute in users entries used in the link (default: dn).</div>
</li>
<li class="level1"><div class="li"> <strong>Searched attributes</strong>: name(s) of the attribute storing the name of the group, spaces separated (default: cn).</div>
</li>
<li class="level1"><div class="li"> <strong>Recursive</strong>: activate recursive group functionality (default: 0). If enabled, if the user group is a member of another group (group of groups), all parents groups will be stored as user&#039;s groups.</div>
</li>
<li class="level1"><div class="li"> <strong>Group source attribute</strong>: name of the attribute in groups entries used in the link, for recursive group search (default: dn).</div>
</li>
</ul>

</div>
Clément OUDOT's avatar
Clément OUDOT committed
228
<!-- EDIT9 SECTION "Groups" [3711-4545] -->
Clément OUDOT's avatar
Clément OUDOT committed
229 230 231 232 233 234 235 236 237
<h3 class="sectionedit10" id="password">Password</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> <strong>Password policy control</strong>: enable to use LDAP password policy. This requires at least Net::LDAP 0.38. (see ppolicy workflow below)</div>
</li>
<li class="level1"><div class="li"> <strong>Password modify extended operation</strong>: enable to use the LDAP extended operation <code>password modify</code> instead of standard modify operation.</div>
</li>
<li class="level1"><div class="li"> <strong>Change as user</strong>: enable to perform password modification with credentials of connected user. This requires to request user old password (see <a href="portalcustom.html" class="wikilink1" title="documentation:2.0:portalcustom">portal customization</a>).</div>
</li>
Xavier Guimard's avatar
Xavier Guimard committed
238
<li class="level1"><div class="li"> <strong>LDAP password encoding</strong>: can allow one to manage old LDAP servers using specific encoding for passwords (default: utf-8).</div>
Clément OUDOT's avatar
Clément OUDOT committed
239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261
</li>
<li class="level1"><div class="li"> <strong>Use reset attribute</strong>: enable to use the password reset attribute. This attribute is set by LemonLDAP::NG when <a href="resetpassword.html" class="wikilink1" title="documentation:2.0:resetpassword">password was reset by mail</a> and the user choose to generate the password (default: enabled).</div>
</li>
<li class="level1"><div class="li"> <strong>Reset attribute</strong>: name of password reset attribute (default: pwdReset).</div>
</li>
<li class="level1"><div class="li"> <strong>Reset value</strong>: value to set in reset attribute to activate password reset (default: TRUE).</div>
</li>
<li class="level1"><div class="li"> <strong>Allow a user to reset his expired password</strong>: if activated, the user will be prompted to change password if his password is expired (default: 0)</div>
</li>
</ul>

<p>
<div class="row"><div class="col-md-6">
<strong>Password expiration warning workflow</strong>
<a href="documentation/lemonldap-ng-password-expiration-warning.png_documentation_2.0_authldap.html" class="media" title="documentation:lemonldap-ng-password-expiration-warning.png"><img src="documentation/lemonldap-ng-password-expiration-warning.png" class="media" alt="" /></a>
</div>
<div class="col-md-6">
<strong>Password expiration workflow</strong>
<a href="documentation/lemonldap-ng-password-expired.png_documentation_2.0_authldap.html" class="media" title="documentation:lemonldap-ng-password-expired.png"><img src="documentation/lemonldap-ng-password-expired.png" class="media" alt="" /></a>
</div></div>
</p>

</div>
Clément OUDOT's avatar
Clément OUDOT committed
262
<!-- EDIT10 SECTION "Password" [4546-] --></div>
Clément OUDOT's avatar
Clément OUDOT committed
263 264
</body>
</html>