lemonldap-ng/doc/pages/documentation/1.3/authldap.html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<!-- metadata -->
<meta name="generator" content="Offline" />
<meta name="version" content="Offline 0.1" />
<!-- style sheet links -->
<link rel="stylesheet" media="all" type="text/css" href="../../../css/all.css" />
<link rel="stylesheet" media="screen" type="text/css" href="../../../css/screen.css" />
<link rel="stylesheet" media="print" type="text/css" href="../../../css/print.css" />
</head>
<body>
<div class="dokuwiki export">
<h1><a name="ldap" id="ldap">LDAP</a></h1>
<div class="level1">
<table class="inline">
<tr class="row0 roweven">
<th class="col0">Authentication </th><th class="col1"> Users </th><th class="col2"> Password </th>
</tr>
<tr class="row1 rowodd">
<td class="col0 centeralign"></td><td class="col1 centeralign"></td><td class="col2 centeralign"></td>
</tr>
</table>
</div>
<!-- SECTION "LDAP" [1-84] -->
<h2><a name="presentation" id="presentation">Presentation</a></h2>
<div class="level2">
<p>
<acronym title="LemonLDAP::NG">LL::NG</acronym> can use an <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> directory to:
</p>
<ul>
<li class="level1"><div class="li"> authenticate users</div>
</li>
<li class="level1"><div class="li"> get user attributes</div>
</li>
<li class="level1"><div class="li"> get the groups the user belongs to</div>
</li>
<li class="level1"><div class="li"> change password (with server side password policy management)</div>
</li>
</ul>
<p>
This works with every <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> v2 or v3 server, including Active Directory.
</p>
<p>
<acronym title="LemonLDAP::NG">LL::NG</acronym> is compatible with <a href="https://opends.dev.java.net/public/standards/draft-behera-ldap-password-policy.txt" class="urlextern" title="https://opends.dev.java.net/public/standards/draft-behera-ldap-password-policy.txt" rel="nofollow">LDAP password policy</a>:
</p>
<ul>
<li class="level1"><div class="li"> <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> server can check password strength, and <acronym title="LemonLDAP::NG">LL::NG</acronym> portal will display correct errors (password too short, password in history, etc.)</div>
</li>
<li class="level1"><div class="li"> <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> server can block brute-force attacks, and <acronym title="LemonLDAP::NG">LL::NG</acronym> will display that the account is locked</div>
</li>
<li class="level1"><div class="li"> <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> server can force a password change on first connection, and <acronym title="LemonLDAP::NG">LL::NG</acronym> portal will display a password change form before opening the <acronym title="Single Sign On">SSO</acronym> session</div>
</li>
</ul>
</div>
<!-- SECTION "Presentation" [85-885] -->
<h2><a name="configuration" id="configuration">Configuration</a></h2>
<div class="level2">
<p>
In Manager, go to <code>General Parameters</code> &gt; <code>Authentication modules</code> and choose <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> for the authentication, users and/or password modules.
</p>
</div>
<!-- SECTION "Configuration" [886-1050] -->
<h3><a name="authentication_level" id="authentication_level">Authentication level</a></h3>
<div class="level3">
<p>
The authentication level given to users authenticated with this module.
</p>
<div class="noteimportant">
<p>
As <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> is a login/password based module, the authentication level can be:
</p>
<ul>
<li class="level1"><div class="li"> increased (+1) if the portal is protected by <acronym title="Secure Sockets Layer">SSL</acronym> (HTTPS)</div>
</li>
<li class="level1"><div class="li"> decreased (-1) if portal autocompletion is allowed (see <a href="../../documentation/1.3/portalcustom.html" class="wikilink1" title="documentation:1.3:portalcustom">portal customization</a>)</div>
</li>
</ul>
</div>
</div>
<!-- SECTION "Authentication level" [1051-1416] -->
<h3><a name="connection" id="connection">Connection</a></h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> <strong>Server host</strong>: <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> server hostname or <acronym title="Uniform Resource Identifier">URI</acronym> (by default: localhost). The following forms are accepted:</div>
<ul>
<li class="level2"><div class="li"> More than one server can be set here separated by spaces or commas. They will be tested in the specified order.</div>
</li>
<li class="level2"><div class="li"> To use TLS, set <code>ldap+tls://server</code> and to use LDAPS, set <code>ldaps://server</code> instead of server name.</div>
</li>
<li class="level2"><div class="li"> If you use TLS, you can pass any of the parameters of the <a href="http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod" class="urlextern" title="http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod" rel="nofollow">Net::LDAP</a> start_tls() sub, like <code>ldap+tls://server/verify=none&amp;capath=/etc/ssl</code>. You can also use the caFile and caPath parameters.</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> <strong>Server port</strong>: TCP port used by <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> server. Can be overridden by an <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> <acronym title="Uniform Resource Identifier">URI</acronym> in server host.</div>
</li>
<li class="level1"><div class="li"> <strong>Users search base</strong>: Base of search in the <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> directory.</div>
</li>
<li class="level1"><div class="li"> <strong>Account</strong>: <acronym title="Distinguished Name">DN</acronym> used to connect to <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> server. By default, anonymous bind is used.</div>
</li>
<li class="level1"><div class="li"> <strong>Password</strong>: password used to connect to the <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> server. By default, anonymous bind is used.</div>
</li>
<li class="level1"><div class="li"> <strong>Timeout</strong>: server idle timeout.</div>
</li>
<li class="level1"><div class="li"> <strong>Version</strong>: <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> protocol version.</div>
</li>
<li class="level1"><div class="li"> <strong>Binary attributes</strong>: regular expression matching binary attributes (see <a href="http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod" class="urlextern" title="http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod" rel="nofollow">Net::LDAP</a> documentation).</div>
</li>
</ul>
</div>
<!-- SECTION "Connection" [1417-2608] -->
<h3><a name="filters" id="filters">Filters</a></h3>
<div class="level3">
<div class="notetip">
<p>
In <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> filters, $user is replaced by the user login, and $mail by the user email.
</p>
</div>
<ul>
<li class="level1"><div class="li"> <strong>Default filter</strong>: default <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> filter for searches, should not be modified.</div>
</li>
<li class="level1"><div class="li"> <strong>Authentication filter</strong>: filter to find a user from their login (default: <code>(&amp;(uid=$user)(objectClass=inetOrgPerson))</code>)</div>
</li>
<li class="level1"><div class="li"> <strong>Mail filter</strong>: filter to find a user from their mail (default: <code>(&amp;(mail=$mail)(objectClass=inetOrgPerson))</code>)</div>
</li>
</ul>
<div class="notetip">
<p>
For Active Directory, use this as authentication filter:
</p>
<pre class="code">
(&amp;(sAMAccountName=$user)(objectClass=person))
</pre>
<p>
And this as mail filter:
</p>
<pre class="code">
(&amp;(mail=$mail)(objectClass=person))
</pre>
</div>
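<p>
The $user / $mail substitution described above, as an added example that is not LL::NG's own code: the filters quoted on this page are expanded with the substituted value escaped as RFC 4515 requires, and a small check confirms the expansion never changes the number of assertions in the filter.
</p>

```python
"""Added example (not LL::NG's own code): expand LL::NG-style LDAP filter
templates, in which $user is replaced by the login and $mail by the e-mail.

The substituted value is escaped as RFC 4515 requires, so a login that
contains filter metacharacters stays a single literal assertion value and
the filter keeps exactly the assertions the template defined."""
import re

# RFC 4515 section 3: characters that must appear as \XX inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Filters quoted on this page (default and Active Directory variants).
AUTH_FILTER = "(&(uid=$user)(objectClass=inetOrgPerson))"
MAIL_FILTER = "(&(mail=$mail)(objectClass=inetOrgPerson))"
AD_AUTH_FILTER = "(&(sAMAccountName=$user)(objectClass=person))"


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, user: str = "", mail: str = "") -> str:
    """Replace $user and $mail in a filter template with escaped values."""
    values = {"user": escape_filter_value(user), "mail": escape_filter_value(mail)}
    return re.sub(r"\$(user|mail)\b", lambda m: values[m.group(1)], template)


def count_assertions(filt: str) -> int:
    """Count attribute=value assertions: an unescaped '(' that does not start
    an &, | or ! operator.  Substitution must never change this number."""
    return len(re.findall(r"(?<!\\)\((?![&|!])", filt))


if __name__ == "__main__":
    print(expand_filter(AUTH_FILTER, user="jdoe"))
    # A login containing parentheses stays one literal value.
    print(expand_filter(AD_AUTH_FILTER, user="smith (contractor)"))
    print(expand_filter(MAIL_FILTER, mail="jdoe@example.com"))
```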
</div>
<!-- SECTION "Filters" [2609-3253] -->
<h3><a name="groups" id="groups">Groups</a></h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> <strong>Search base</strong>: <acronym title="Distinguished Name">DN</acronym> of the groups branch. If empty, group searching is disabled.</div>
</li>
<li class="level1"><div class="li"> <strong>Object class</strong>: objectClass of the groups (default: groupOfNames).</div>
</li>
<li class="level1"><div class="li"> <strong>Target attribute</strong>: name of the attribute in the groups storing the link to the user (default: member).</div>
</li>
<li class="level1"><div class="li"> <strong>User source attribute</strong>: name of the attribute in user entries used in the link (default: dn).</div>
</li>
<li class="level1"><div class="li"> <strong>Searched attributes</strong>: name(s) of the attribute storing the name of the group, space separated (default: cn).</div>
</li>
<li class="level1"><div class="li"> <strong>Recursive</strong>: activate the recursive group functionality (default: 0). If enabled and the user's group is itself a member of another group (group of groups), all parent groups will be stored as the user's groups.</div>
</li>
<li class="level1"><div class="li"> <strong>Group source attribute</strong>: name of the attribute in groups entries used in the link, for recursive group search (default: dn).</div>
</li>
</ul>
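<p>
The group search described by these settings, as an added example that is not LL::NG's own code: a constructed in-memory dict stands in for the LDAP server, the keyword arguments mirror the setting names above, and the recursive mode shows how parent groups are collected while a group-of-groups cycle is tolerated.
</p>

```python
"""Added example (not LL::NG's own code): resolve a user's groups as the
Groups settings on this page describe, including the recursive "group of
groups" search.  A constructed dict stands in for the LDAP server."""

# Constructed sample directory: DN -> {attribute: [values]}.  The group
# "everyone" lists itself as a member, so recursion must tolerate cycles.
USERS, GROUPS = "ou=users,dc=example,dc=com", "ou=groups,dc=example,dc=com"
DIRECTORY = {
    f"uid=jdoe,{USERS}": {"objectClass": ["inetOrgPerson"], "uid": ["jdoe"]},
    f"cn=developers,{GROUPS}": {"objectClass": ["groupOfNames"],
                               "cn": ["developers"], "member": [f"uid=jdoe,{USERS}"]},
    f"cn=staff,{GROUPS}": {"objectClass": ["groupOfNames"], "cn": ["staff"],
                          "member": [f"cn=developers,{GROUPS}"]},
    f"cn=everyone,{GROUPS}": {"objectClass": ["groupOfNames"], "cn": ["everyone"],
                             "member": [f"cn=staff,{GROUPS}", f"cn=everyone,{GROUPS}"]},
}

def search_groups(directory, base, object_class, target_attr, value):
    """Emulate (&(objectClass=<object_class>)(<target_attr>=<value>)) under the
    groups search base and return the matching group DNs."""
    return [dn for dn, attrs in directory.items()
            if dn.endswith("," + base)
            and object_class in attrs.get("objectClass", [])
            and value in attrs.get(target_attr, [])]

def link_value(directory, dn, attr):
    """Value of an entry used in the membership link: its DN or one attribute."""
    return dn if attr == "dn" else directory[dn][attr][0]

def user_groups(directory, user_dn, search_base, object_class="groupOfNames",
                target_attr="member", user_source_attr="dn", searched_attrs=("cn",),
                recursive=False, group_source_attr="dn"):
    """Return the set of group names for user_dn.  With recursive=True the
    parents of each found group are added too; 'visited' stops cycles."""
    if not search_base:            # no search base: group searching is disabled
        return set()
    names, visited = set(), set()
    pending = [link_value(directory, user_dn, user_source_attr)]
    while pending:
        link = pending.pop()
        for gdn in search_groups(directory, search_base, object_class, target_attr, link):
            if gdn in visited:     # already processed: a group-of-groups cycle
                continue
            visited.add(gdn)
            for attr in searched_attrs:
                names.update(directory[gdn].get(attr, []))
            if recursive:          # walk up to the groups this group belongs to
                pending.append(link_value(directory, gdn, group_source_attr))
    return names
```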
</div>
<!-- SECTION "Groups" [3254-4088] -->
<h3><a name="password" id="password">Password</a></h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> <strong>Password policy control</strong>: enable to use <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> password policy. This requires at least Net::<acronym title="Lightweight Directory Access Protocol">LDAP</acronym> 0.38.</div>
</li>
<li class="level1"><div class="li"> <strong>Password modify extended operation</strong>: enable to use the <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> extended operation <code>password modify</code> instead of standard modify operation.</div>
</li>
<li class="level1"><div class="li"> <strong>Change as user</strong>: enable to perform the password modification with the credentials of the connected user. This requires asking the user for their old password (see <a href="../../documentation/1.3/portalcustom.html" class="wikilink1" title="documentation:1.3:portalcustom">portal customization</a>).</div>
</li>
<li class="level1"><div class="li"> <strong><acronym title="Lightweight Directory Access Protocol">LDAP</acronym> password encoding</strong>: allows managing old <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> servers that use a specific encoding for passwords (default: utf-8).</div>
</li>
<li class="level1"><div class="li"> <strong>Use reset attribute</strong>: enable to use the password reset attribute. This attribute is set by LemonLDAP::NG when the <a href="../../documentation/1.3/resetpassword.html" class="wikilink1" title="documentation:1.3:resetpassword">password was reset by mail</a> and the user chose to generate the password (default: enabled).</div>
</li>
<li class="level1"><div class="li"> <strong>Reset attribute</strong>: name of password reset attribute (default: pwdReset).</div>
</li>
<li class="level1"><div class="li"> <strong>Reset value</strong>: value to set in reset attribute to activate password reset (default: TRUE).</div>
</li>
</ul>
</div>
<!-- SECTION "Password" [4089-5077] -->
<h2><a name="schema_extension" id="schema_extension">Schema extension</a></h2>
<div class="level2">
<p>
Standard attributes, like uid, cn or mail, are often enough to configure access rules and headers.
</p>
<p>
But sometimes other data are needed (in particular to use <a href="../../documentation/1.3/extendedfunctions.html" class="wikilink1" title="documentation:1.3:extendedfunctions">extended functions</a>):
</p>
<ul>
<li class="level1"><div class="li"> An application name (to grant access per application rather than per group of users)</div>
</li>
<li class="level1"><div class="li"> A start date and an end date (to open or close the service even if the entry already exists)</div>
</li>
<li class="level1"><div class="li"> A time profile (allowed hours and day of the week)</div>
</li>
<li class="level1"><div class="li"> One or more roles (to send to the protected applications)</div>
</li>
</ul>
<p>
Of course, standard <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> attributes can be used to store this data, but <acronym title="LemonLDAP::NG">LL::NG</acronym> also provides an <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> schema extension to manage it.
</p>
</div>
<!-- SECTION "Schema extension" [5078-5741] -->
<h3><a name="oid_prefix" id="oid_prefix">OID prefix</a></h3>
<div class="level3">
<p>
Extended attributes and object classes use this prefix: 1.3.6.1.4.1.10943.10.2.
</p>
<p>
The prefix 1.3.6.1.4.1.10943 is owned by <a href="http://www.linagora.com" class="urlextern" title="http://www.linagora.com" rel="nofollow">LINAGORA</a> (See <a href="http://www.iana.org/assignments/enterprise-numbers" class="urlextern" title="http://www.iana.org/assignments/enterprise-numbers" rel="nofollow">http://www.iana.org/assignments/enterprise-numbers</a>).
</p>
</div>
<!-- SECTION "OID prefix" [5742-5986] -->
<h3><a name="openldap_schema" id="openldap_schema">OpenLDAP schema</a></h3>
<div class="level3">
<p>
Just add this file to OpenLDAP schemas by including it in <code>slapd.conf</code>:
</p>
<pre class="file">
include /usr/share/lemonldap-ng/ressources/sso.schema
</pre>
<p>
This will provide the auxiliary object class <code>ssoUser</code> with attributes:
</p>
<ul>
<li class="level1"><div class="li"> ssoName</div>
</li>
<li class="level1"><div class="li"> ssoRoles</div>
</li>
<li class="level1"><div class="li"> ssoLogonHours</div>
</li>
<li class="level1"><div class="li"> ssoStartDate</div>
</li>
<li class="level1"><div class="li"> ssoEndDate</div>
</li>
</ul>
<p>
You can add this object class to any entry of your directory.
</p>
<div class="noteimportant">
<p>
To get attribute values in the session, declare them in <a href="../../documentation/1.3/exportedvars.html" class="wikilink1" title="documentation:1.3:exportedvars">exported variables</a>.
</p>
</div>
</div>
<!-- SECTION "OpenLDAP schema" [5987-] --></div><!-- closes <div class="dokuwiki export">-->