Admin ldap

From TUTOS

Revision as of 09:36, 1 October 2009 by Gero (Talk | contribs)

Setting up LDAP Authentication

The way it works

To authenticate your TUTOS users against an LDAP server, you first have to configure how TUTOS authenticates via that server, then create the TUTOS users.

There is no single way of doing LDAP authentication, and you will need to know how LDAP is configured on your server to be able to configure it for TUTOS.

The scheme is always the same: you send the user name and password to the server, and it accepts or rejects the connection. But here are three different ways of doing that with an LDAP server:

  1. Anonymous bind
You connect as the anonymous user on the LDAP server, then you retrieve the user name and password in order to compare them to the given values;
  2. User bind
You try to connect to the LDAP server directly with the given user name and password, and you get an accept or reject response;
  3. Admin bind
On some LDAP servers, you will have to connect as admin to be able to get the password info. Once connected as an admin, you get the user information just as in the anonymous bind case.

Of course, for each of those cases, the password can be stored « as is » or encrypted.

How to configure it

After reading the first part, the config options should be easy to set up. So here are the parts of the config file to edit:

config.pinc : enable the LDAP authentication

# LDAP configuration
#
# 0 = check standard database
# 1 = check ldapauthserver for password verification
$tutos['ldapauth'] = 0;

config.pinc : say if the passwords are encrypted or not

# encrypted passwords
# 1 = yes (userPassword holds a hash such as {SSHA})
# 0 = no  (userPassword holds the clear-text password)
$tutos['ldapauth_pw_enc'] = 1;

config.pinc : The server host and port parameters...

$tutos['ldapauthserver']['host'] = "scd2ldap.siemens.net";
$tutos['ldapauthserver']['port'] = 389;

config.pinc : LDAP paths

$tutos['ldapauthserver']['basedn'] = "ou=mail,ou=user,o=cvf";
$tutos['ldapauthserver']['userdn'] = "uid";

These are the LDAP paths; without this information you can't find the user entries on the server. If you don't know those values, just ask your LDAP admin. Here userdn is the attribute of the last (leftmost) part of the user's DN; in the example given we would find:

uid=username,ou=mail,ou=user,o=cvf

We still have to keep those two values separate because of the way LDAP search and binding work.

config.pinc : LDAP auth for server connection

# use given user/passwd pair to bind to the LDAP server
# 0 = no
# 1 = yes
$tutos['ldapauth_user'] = 0;

If you set this option, the user name and password given at login are used to bind to the LDAP tree (the user bind case above).

config.pinc : LDAP anonymous server connection

# do anonymous bind to ldapauthserver
# 1 = yes
# 0 = use tutos['ldapauthserver']['binddn']
#     and tutos['ldapauthserver']['passwd']
$tutos['ldapauth_anonymous'] = 1;

Here you can choose to make an anonymous bind to the LDAP server; set it to 0 to bind with the binddn and passwd configured in the next block instead.

config.pinc : LDAP admin bind credentials (used when ldapauth_anonymous = 0)

$tutos['ldapauthserver']['binddn'] = "ou=adminprs,ou=ldap,ou=user,o=cvf";
$tutos['ldapauthserver']['passwd'] = "h4ckm3";

In case you have to bind to the LDAP server as an admin, you have to provide another LDAP path, which corresponds to the admin (or, say, privileged user) DN, followed by its password. Since this password is stored in clear text in config.pinc, make sure the file is readable only by the web server user.
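As an added example (not TUTOS code, and written in Python rather than the project's PHP), the following puts the three strategies listed under « The way it works » and the config.pinc flags above together: it builds the user DN from basedn and userdn, selects anonymous, user or admin bind from ldapauth_user and ldapauth_anonymous, and compares a fetched userPassword either as is or as an {SSHA}/{SHA} hash according to ldapauth_pw_enc. The directory, the user, the salt and all passwords are constructed, and the FakeDirectory class stands in for a real server so the code runs offline; a real deployment would issue the bind and search against the LDAP server instead.

```python
"""Added example, not TUTOS code: the three bind strategies and the clear-text
vs. encrypted password comparison described on this page, driven by a dict
mirroring the config.pinc keys and run against a constructed in-memory directory."""
import base64
import hashlib
import hmac
import os

# Constructed config with the same keys as config.pinc; flag semantics are
# assumed to be exactly what the comments on this page describe.
CONFIG = {
    "ldapauth": 1,            # 1 = verify passwords against LDAP
    "ldapauth_pw_enc": 1,     # 1 = userPassword is hashed, 0 = clear text
    "ldapauth_user": 0,       # 1 = bind with the login user's own credentials
    "ldapauth_anonymous": 1,  # 1 = anonymous bind, 0 = bind as binddn/passwd
    "ldapauthserver": {
        "basedn": "ou=mail,ou=user,o=cvf",
        "userdn": "uid",
        "binddn": "ou=adminprs,ou=ldap,ou=user,o=cvf",
        "passwd": "h4ckm3",
    },
}

def escape_dn_value(value):
    """RFC 4514 escaping, so a crafted login name cannot alter the DN structure."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def user_dn(cfg, username):
    """Build 'uid=<user>,<basedn>' from the two separately configured values."""
    srv = cfg["ldapauthserver"]
    return f"{srv['userdn']}={escape_dn_value(username)},{srv['basedn']}"

def ssha_hash(password, salt=None):
    """Produce an OpenLDAP-style {SSHA} userPassword value (digest then salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def stored_password_matches(stored, given, encrypted):
    """Compare the userPassword value fetched from LDAP with the given password."""
    if not encrypted:                          # ldapauth_pw_enc = 0: stored as is
        return hmac.compare_digest(stored.encode(), given.encode())
    end = stored.find("}") + 1
    scheme, payload = stored[:end].upper(), stored[end:]
    if scheme not in ("{SSHA}", "{SHA}"):
        return False                           # unknown scheme: reject, never guess
    raw = base64.b64decode(payload)
    digest, salt = raw[:20], raw[20:]          # {SHA} simply has an empty salt
    return hmac.compare_digest(hashlib.sha1(given.encode() + salt).digest(), digest)

class FakeDirectory:
    """Constructed stand-in for the LDAP server; bind() and lookup() are all we need."""

    def __init__(self, entries, admin, anonymous_can_read_passwords):
        self.entries = entries                 # dn -> userPassword value
        self.admin = admin                     # (binddn, passwd) accepted as admin bind
        self.anonymous_can_read_passwords = anonymous_can_read_passwords

    def bind(self, dn=None, password=None):
        if dn is None:
            return True                        # anonymous bind accepted
        if (dn, password) == self.admin:
            return True
        stored = self.entries.get(dn)
        return stored is not None and stored_password_matches(stored, password, True)

    def lookup(self, dn, privileged):
        if not privileged and not self.anonymous_can_read_passwords:
            return None                        # the admin-bind case: anonymous sees nothing
        return self.entries.get(dn)

def authenticate(cfg, directory, username, password):
    """Accept or reject a login using the strategy the config flags select."""
    if not cfg["ldapauth"]:
        raise ValueError("ldapauth = 0: check the TUTOS database instead")
    if not password:
        return False   # an empty password is an unauthenticated bind on many servers
    srv = cfg["ldapauthserver"]
    dn = user_dn(cfg, username)
    if cfg["ldapauth_user"]:                   # 2. user bind
        return directory.bind(dn, password)
    if cfg["ldapauth_anonymous"]:              # 1. anonymous bind, then compare
        bound = directory.bind()
    else:                                      # 3. admin bind, then compare
        bound = directory.bind(srv["binddn"], srv["passwd"])
    if not bound:
        return False
    stored = directory.lookup(dn, privileged=not cfg["ldapauth_anonymous"])
    return stored is not None and stored_password_matches(stored, password, cfg["ldapauth_pw_enc"])

# Constructed sample directory: one user, fixed salt so the result is repeatable.
ENTRIES = {"uid=alice,ou=mail,ou=user,o=cvf": ssha_hash("correct horse", b"s4lt")}
ADMIN = (CONFIG["ldapauthserver"]["binddn"], CONFIG["ldapauthserver"]["passwd"])
OPEN_DIRECTORY = FakeDirectory(ENTRIES, ADMIN, anonymous_can_read_passwords=True)
LOCKED_DIRECTORY = FakeDirectory(ENTRIES, ADMIN, anonymous_can_read_passwords=False)
```

Two checks in this sketch go beyond what the page spells out and are worth keeping in any real implementation: the login name is escaped before it is placed into the DN, so a value containing commas or equals signs cannot change which entry is searched or bound, and an empty password is rejected before any bind, because many directory servers treat a bind with a DN and an empty password as an anonymous bind that "succeeds". The LOCKED_DIRECTORY object models the admin bind case from the list above: with ldapauth_anonymous = 1 the password attribute is not readable and every login fails, while setting it to 0 makes the binddn/passwd pair do the lookup.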

Adding the users to the tutos database

Now that you have set up the authentication process, you still can't use TUTOS. In fact you can log in, but nothing happens. You have to create TUTOS users with the same login as the LDAP ones.

I've made a PHP script to do that, ldap_getdata.php in the php/admin directory. As the LDAP structure can be really different from one company to another, this script is far from generic, but it works well here!

You should adapt it to your own LDAP structure and then have all the wanted users created in TUTOS. If you have any clue about how to make this script generic, please feel free to contribute, by either sending us a patch or telling us how to do that.