Difference between revisions of "LDAP"

From RackTables Wiki
Revision as of 13:17, 14 June 2011

There are different ways to make RackTables recognize LDAP accounts instead of local accounts. One way is to configure RackTables to communicate with an LDAP server directly. In this case both password validity and group membership information are available inside RackTables. Group membership can be used in permission rules to implement the site's access control policy. Another way is to configure RackTables to trust the authentication already performed by httpd, which in turn is configured to authenticate HTTP(S) clients against LDAP. This is sometimes the case when the system administrator wants to reuse a working httpd+mod_auth_ldap setup. The drawback of this method is that group membership information is not available at the RackTables level.

direct access to LDAP

The following settings configure direct communication with LDAP server:

$user_auth_src = 'ldap';
$require_local_account = FALSE;

Further configuration is done through the $LDAP_options array. Its contents vary between environments depending on the type of LDAP server software, its schema and its configuration. RackTables has been reported to work with OpenLDAP, ActiveDirectory and eDirectory servers. The meaning of each LDAP option is explained below.

option(s) | mandatory? | description
server | yes | Hostname or IP address of LDAP server(s). When multiple servers are listed (delimited with spaces), they are used in the order of appearance until a successful connection is made.
cache_refresh, cache_retry, cache_expiry | yes | LDAP cache parameters, values in seconds. Refresh, retry and expiry values are treated exactly as those for a DNS SOA record. Example values 300-15-600 mean: unconditionally remember a successful auth for 5 minutes; after that still permit user access, but try to revalidate the password on the server (not more often than once in 15 seconds). After 10 minutes of unsuccessful retries give up and deny access until the LDAP server gets fixed. Like in DNS, the following condition must always be met: cache_retry <= cache_refresh <= cache_expiry. To disable the LDAP cache completely, set cache_refresh, cache_retry and cache_expiry to 0.
domain | varies | When this option is set, it is used for "domain" authentication mode specific to ActiveDirectory. In this mode the plain username presented by a user is joined with the configured domain name and the resulting string ("username@example.com") is used for password validation. Either "domain" or "search" mode must be enabled.
search_attr, search_dn | varies | These options enable "search" authentication mode, which is more common for OpenLDAP and eDirectory servers. It is assumed that many nested organizational units (OUs) exist within an organization (O). Traditional LDAP implementations let each OU have its own list of usernames, and some usernames remain unique only within their OU. The following approach is used to distinguish the users. Users with globally unique usernames present their plain username. Other users know that they have to use their UID instead. The LDAP database is maintained so that the UID is a little longer than the username, but still unique. To map the presented UID to a common name (CN, the canonical, long form of the user's identifier), an LDAP search is performed. All this works automatically once the search DN and search attribute are configured. Either "domain" or "search" mode must be enabled.
displayname_attrs | no | This list of space-delimited attributes is used to build the "displayed name" of a user, which is used to print a greeting message.
group_attr | no | Group membership attribute. When it is configured, it is used as the source of the authenticated user's LDAP groups. Upon successful authentication the groups are mapped into a set of autotags in the form {$lgcn_LDAPGroup1}, {$lgcn_LDAPGroup2}, {$lgcn_LDAPGroup3}...
group_filter | no | User groups filter regexp.
options | no | List of LDAP protocol options as explained at http://php.net/manual/en/function.ldap-set-option.php
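The cache rules described for cache_refresh, cache_retry and cache_expiry, modelled as runnable Python so the three timers and the ordering constraint can be seen acting on a login timeline. This is an added example, not RackTables' own code: the state names, the CacheEntry record, the credential hash that binds a cached success to the presented password, and the stub server are all constructed for illustration.

```python
"""Added model of an authentication cache with SOA-style refresh/retry/expiry
timers, as described for cache_refresh, cache_retry and cache_expiry.
Not RackTables' own code; state names and the server stub are constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class CacheEntry:
    cred_hash: str        # hash of the credential the server accepted, so a
                          # different password never rides on a cached success
    validated_at: float   # time of the last successful server-side validation
    last_retry_at: float  # time of the last revalidation attempt


def _cred_hash(user: str, password: str) -> str:
    # Constructed for the model only; the project's cache has its own scheme.
    return hashlib.sha256(f"{user}\0{password}".encode()).hexdigest()


def check_cache_options(opts: Dict[str, int]) -> Tuple[int, int, int]:
    """Enforce the documented constraint cache_retry <= cache_refresh <= cache_expiry."""
    retry = int(opts['cache_retry'])
    refresh = int(opts['cache_refresh'])
    expiry = int(opts['cache_expiry'])
    if min(retry, refresh, expiry) < 0:
        raise ValueError('cache timers must be non-negative')
    if not retry <= refresh <= expiry:
        raise ValueError('cache_retry <= cache_refresh <= cache_expiry must hold')
    return retry, refresh, expiry


def cache_state(opts: Dict[str, int], entry: Optional[CacheEntry], now: float) -> str:
    """Classify a cached entry at time `now` (seconds)."""
    retry, refresh, expiry = check_cache_options(opts)
    if (retry, refresh, expiry) == (0, 0, 0) or entry is None:
        return 'miss'        # cache disabled, or nothing cached: the server decides
    age = now - entry.validated_at
    if age < refresh:
        return 'fresh'       # within refresh: admit without contacting the server
    if age >= expiry:
        return 'expired'     # beyond expiry: only a live server answer admits the user
    if now - entry.last_retry_at < retry:
        return 'stale'       # retry interval not elapsed: admit, skip the server
    return 'revalidate'      # admit, but try the server and record the attempt


def authenticate(opts, cache, user, password, now, server):
    """Run one login through the cache.
    server(user, password) returns True (accepted), False (rejected) or
    None (unreachable). Returns (admitted, reason)."""
    entry = cache.get(user)
    if entry is not None and entry.cred_hash != _cred_hash(user, password):
        entry = None         # credential differs: the cached success does not apply
    state = cache_state(opts, entry, now)
    if state in ('fresh', 'stale'):
        return True, state
    result = server(user, password)
    if result is True:
        cache[user] = CacheEntry(_cred_hash(user, password), now, now)
        return True, 'validated'
    if result is False:
        cache.pop(user, None)   # a live rejection also evicts the cached success
        return False, 'rejected'
    if state == 'revalidate':   # server down inside the retry window: admit on cache
        entry.last_retry_at = now
        return True, 'stale'
    return False, state         # 'miss' or 'expired' with the server unreachable


def demo():
    """Timeline with the documented 300-15-600 values; the server is down after t=0."""
    opts = {'cache_refresh': 300, 'cache_retry': 15, 'cache_expiry': 600}
    cache: Dict[str, CacheEntry] = {}
    up = lambda u, p: p == 'hunter2'   # constructed server: one valid password
    down = lambda u, p: None           # constructed outage
    return [
        authenticate(opts, cache, 'alice', 'hunter2', 0, up),      # (True, 'validated')
        authenticate(opts, cache, 'alice', 'hunter2', 100, down),  # (True, 'fresh')
        authenticate(opts, cache, 'alice', 'hunter2', 310, down),  # (True, 'stale') after a failed retry
        authenticate(opts, cache, 'alice', 'hunter2', 320, down),  # (True, 'stale') retry suppressed
        authenticate(opts, cache, 'alice', 'wrong', 330, down),    # (False, 'miss')
        authenticate(opts, cache, 'alice', 'hunter2', 700, down),  # (False, 'expired')
    ]


if __name__ == '__main__':
    for admitted, reason in demo():
        print(admitted, reason)
```

The point worth noticing is the credential hash in CacheEntry: between refresh and expiry the cache admits users without a server answer, so a cache keyed on the username alone would accept any password for a recently seen user during an outage. The model also shows why the ordering constraint matters: with cache_retry larger than cache_refresh the first revalidation attempt would be suppressed at the very moment the cache becomes stale.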

configuring for OpenLDAP

configuring for eDirectory

$LDAP_options = array
(
  'server' => 'ldap.example.com',
  'cache_refresh' => 300,
  'cache_retry' => 15,
  'cache_expiry' => 600,
  'search_attr' => 'uid',
  'search_dn' => 'OU=people,O=YourCompany',
  'displayname_attrs' => 'givenname familyname',
  'group_attr' => 'groupmembership',
  'options' => array (LDAP_OPT_PROTOCOL_VERSION => 3),
);

configuring for ActiveDirectory

Note the additional protocol option, which disables referrals so that the LDAP search happens in the base DN rather than in nested OUs/CNs. This is important for some ActiveDirectory servers.

$LDAP_options = array
(
  'server' => 'ldap.example.com',
  'cache_refresh' => 300,
  'cache_retry' => 15,
  'cache_expiry' => 600,
  'domain' => 'example.com',
  'displayname_attrs' => 'givenname sn',
  'options' => array (LDAP_OPT_PROTOCOL_VERSION => 3, LDAP_OPT_REFERRALS => 0),
);
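The two identity modes shown in the configurations above ("search" for OpenLDAP/eDirectory, "domain" for ActiveDirectory), plus displayname_attrs and the group_attr/group_filter autotag mapping, modelled in Python against an in-memory directory. This is an added example, not RackTables' own code: DIRECTORY, SEARCH_OPTS and GROUP_OPTS are constructed fixtures, the username character check in domain mode is this example's own, and the rule that the last capture group of group_filter names the group is an assumption about how the regexp is applied.

```python
"""Added model of the two RackTables LDAP identity modes ('domain' and
'search'), filter escaping, display names and group-to-autotag mapping.
Not the project's own code; DIRECTORY and the option sets are constructed."""
import re
from typing import Dict, List, Optional

# Constructed fixture standing in for the server. Two 'asmith' accounts exist,
# one under ou=people and one under ou=contractors, to show why search_dn matters.
DIRECTORY: List[Dict[str, object]] = [
    {'dn': 'cn=Alice Smith,ou=people,o=YourCompany', 'uid': ['asmith'],
     'givenname': ['Alice'], 'sn': ['Smith'],
     'groupmembership': ['cn=RackTables_Admins,ou=RackTables,ou=IT,o=YourCompany',
                         'cn=VPN_Users,ou=Network,ou=IT,o=YourCompany']},
    {'dn': 'cn=Bob Jones,ou=people,o=YourCompany', 'uid': ['bjones'],
     'givenname': ['Bob'], 'sn': ['Jones'],
     'groupmembership': ['cn=RackTables_Viewers,ou=RackTables,ou=IT,o=YourCompany']},
    {'dn': 'cn=Al Smithers,ou=contractors,o=YourCompany', 'uid': ['asmith'],
     'givenname': ['Al'], 'sn': ['Smithers'], 'groupmembership': []},
]

SEARCH_OPTS = {'search_attr': 'uid', 'search_dn': 'OU=people,O=YourCompany'}
GROUP_OPTS = {'group_attr': 'groupmembership',
              # constructed PHP-style '/.../i' pattern; last capture = group name
              'group_filter': r'/(cn)=(\w+),ou=RackTables,ou=IT,o=YourCompany/i'}


def domain_bind_name(username: str, domain: str) -> str:
    """'domain' mode: plain username joined with the configured domain.
    The character check is this example's own, not RackTables'."""
    if not re.fullmatch(r'[A-Za-z0-9._-]+', username):
        raise ValueError('username contains characters outside the expected set')
    return f'{username}@{domain}'


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\0' else c for c in value)


_EQ = re.compile(r'^\((\w+)=(.*)\)$')


def _unescape(raw: str) -> str:
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), raw)


def tiny_search(base_dn: str, flt: str) -> List[Dict[str, object]]:
    """Evaluate an '(attr=value)' filter over DIRECTORY below base_dn.
    A bare '*' is a presence filter, as on a real server."""
    m = _EQ.match(flt)
    if not m:
        raise ValueError('only simple equality filters are modelled')
    attr, raw = m.group(1).lower(), m.group(2)
    hits = []
    for e in DIRECTORY:
        if not str(e['dn']).lower().endswith(',' + base_dn.lower()):
            continue
        vals = [str(v).lower() for v in e.get(attr, [])]
        if (raw == '*' and vals) or (raw != '*' and _unescape(raw).lower() in vals):
            hits.append(e)
    return hits


def search_user_dn(opts: Dict[str, str], presented: str) -> Optional[str]:
    """'search' mode: map the presented uid to the DN used for the bind."""
    flt = '(%s=%s)' % (opts['search_attr'], ldap_filter_escape(presented))
    hits = tiny_search(opts['search_dn'], flt)
    if len(hits) != 1:
        return None          # zero or ambiguous: never bind to a guessed DN
    return str(hits[0]['dn'])


def _php_regex(literal: str) -> 're.Pattern':
    """Turn a PHP-style '/pattern/flags' literal into a Python pattern (i, m flags)."""
    body, _, flags = literal[1:].rpartition(literal[0])
    return re.compile(body, (re.IGNORECASE if 'i' in flags else 0) |
                            (re.MULTILINE if 'm' in flags else 0))


def groups_to_autotags(entry: Dict[str, object], opts: Dict[str, str]) -> List[str]:
    """Map group_attr values through group_filter to {$lgcn_<name>} autotags.
    Assumption: the filter's last capture group holds the group name."""
    pat = _php_regex(opts['group_filter'])
    tags = []
    for value in entry.get(opts['group_attr'].lower(), []):
        m = pat.search(str(value))
        if m:
            tags.append('{$lgcn_%s}' % m.group(m.lastindex or 0))
    return tags


def display_name(entry: Dict[str, object], displayname_attrs: str) -> str:
    """Join the first value of each space-delimited attribute into a greeting name."""
    return ' '.join(str(entry[a.lower()][0]) for a in displayname_attrs.split()
                    if entry.get(a.lower()))


if __name__ == '__main__':
    print(domain_bind_name('asmith', 'example.com'))
    print(search_user_dn(SEARCH_OPTS, 'asmith'))
    print(groups_to_autotags(DIRECTORY[0], GROUP_OPTS))
```

Two behaviours are worth checking in any real deployment of search mode. The presented username is interpolated into a search filter, so it must be escaped: without escaping, a presented "*" becomes a presence filter and matches every entry under search_dn. And the search base must be narrow enough that the search attribute is unique below it; widening search_dn to the organization makes "asmith" ambiguous in the fixture, and the safe response to an ambiguous result is to refuse rather than pick a DN.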

trusting httpd

$user_auth_src = 'httpd';
$require_local_account = FALSE;