<liclass="level1"><divclass="li"> get user attributes</div>
</li>
<liclass="level1"><divclass="li"> get groups where user is registered</div>
</li>
<liclass="level1"><divclass="li"> change password (with server side password policy management)</div>
</li>
</ul>
<p>
This works with every LDAP v2 or v3 server, including <ahref="authad.html"class="wikilink1"title="documentation:2.0:authad">Active Directory</a>.
</p>
<p>
<abbrtitle="LemonLDAP::NG">LL::NG</abbr> is compatible with <ahref="https://opends.dev.java.net/public/standards/draft-behera-ldap-password-policy.txt"class="urlextern"title="https://opends.dev.java.net/public/standards/draft-behera-ldap-password-policy.txt"rel="nofollow">LDAP password policy</a>:
</p>
<ul>
<liclass="level1"><divclass="li"> LDAP server can check password strength, and <abbrtitle="LemonLDAP::NG">LL::NG</abbr> portal will display correct errors (password too short, password in history, etc.)</div>
</li>
<liclass="level1"><divclass="li"> LDAP sever can block brute-force attacks, and <abbrtitle="LemonLDAP::NG">LL::NG</abbr> will display that account is locked</div>
</li>
<liclass="level1"><divclass="li"> LDAP server can force password change on first connection, and <abbrtitle="LemonLDAP::NG">LL::NG</abbr> portal will display a password change form before opening <abbrtitle="Single Sign On">SSO</abbr> session</div>
In Manager, go in <code>General Parameters</code>><code>Authentication modules</code> and choose LDAP for authentication, users and/or password modules.
</p>
<divclass="notetip">For <ahref="authad.html"class="wikilink1"title="documentation:2.0:authad">Active Directory</a>, choose <code>Active Directory</code> instead of <code>LDAP</code>.
The authentication level given to users authenticated with this module.
</p>
<divclass="noteimportant">As LDAP is a login/password based module, the authentication level can be:<ul>
<liclass="level1"><divclass="li"> increased (+1) if portal is protected by SSL (HTTPS)</div>
</li>
<liclass="level1"><divclass="li"> decreased (-1) if the portal autocompletion is allowed (see <ahref="portalcustom.html"class="wikilink1"title="documentation:2.0:portalcustom">portal customization</a>)</div>
List of attributes to query to fill user session. See also <ahref="exportedvars.html"class="wikilink1"title="documentation:2.0:exportedvars">exported variables configuration</a>.
<liclass="level1"><divclass="li"><strong>Server host</strong>: LDAP server hostname or <abbrtitle="Uniform Resource Identifier">URI</abbr> (by default: localhost). Accept some specificities:</div>
<ul>
<liclass="level2"><divclass="li"> More than one server can be set here separated by spaces or commas. They will be tested in the specified order.</div>
</li>
<liclass="level2"><divclass="li"> To use TLS, set <code>ldap+tls://server</code> and to use LDAPS, set <code>ldaps://server</code> instead of server name.</div>
<liclass="level2"><divclass="li"> If you use TLS, you can set any of the <ahref="http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod"class="urlextern"title="http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod"rel="nofollow">Net::LDAP</a> start_tls() sub like <code>ldap+tls://server/verify=none&capath=/etc/ssl</code>. You can also use cafile and capath parameters.</div>
<liclass="level1"><divclass="li"><strong>Server port</strong>: TCP port used by LDAP server. Can be overridden by an LDAP <abbrtitle="Uniform Resource Identifier">URI</abbr> in server host.</div>
</li>
<liclass="level1"><divclass="li"><strong>Users search base</strong>: Base of search in the LDAP directory.</div>
</li>
<liclass="level1"><divclass="li"><strong>Account</strong>: <abbrtitle="Distinguished Name">DN</abbr> used to connect to LDAP server. By default, anonymous bind is used.</div>
</li>
<liclass="level1"><divclass="li"><strong>Password</strong>: password to used to connect to LDAP server. By default, anonymous bind is used.</div>
</li>
<liclass="level1"><divclass="li"><strong>Timeout</strong>: server idle timeout.</div>
<liclass="level1"><divclass="li"><strong>Authentication filter</strong>: Filter to find user from its login (default: <code>(&(uid=$user)(objectClass=inetOrgPerson))</code>)</div>
</li>
<liclass="level1"><divclass="li"><strong>Mail filter</strong>: Filter to find user from its mail (default: <code>(&(mail=$mail)(objectClass=inetOrgPerson))</code>)</div>
</li>
<liclass="level1"><divclass="li"><strong>Alias dereference</strong>: How to manage LDAP aliases. (default: <code>find</code>)</div>
</li>
</ul>
<divclass="notetip">For Active Directory, the default authentication filter is:
<liclass="level1"><divclass="li"><strong>Search base</strong>: <abbrtitle="Distinguished Name">DN</abbr> of groups branch. If no value, disable group searching.</div>
</li>
<liclass="level1"><divclass="li"><strong>Object class</strong>: objectClass of the groups (default: groupOfNames).</div>
</li>
<liclass="level1"><divclass="li"><strong>Target attribute</strong>: name of the attribute in the groups storing the link to the user (default: member).</div>
</li>
<liclass="level1"><divclass="li"><strong>User source attribute</strong>: name of the attribute in users entries used in the link (default: dn).</div>
</li>
<liclass="level1"><divclass="li"><strong>Searched attributes</strong>: name(s) of the attribute storing the name of the group, spaces separated (default: cn).</div>
<liclass="level1"><divclass="li"><strong>Decode searched value</strong>: with Active Directory, member <abbrtitle="Distinguished Name">DN</abbr> value is sometimes bad decoded and groups are not found, activate this option to force value decoding.</div>
<liclass="level1"><divclass="li"><strong>Recursive</strong>: activate recursive group functionality (default: 0). If enabled, if the user group is a member of another group (group of groups), all parents groups will be stored as user's groups.</div>
</li>
<liclass="level1"><divclass="li"><strong>Group source attribute</strong>: name of the attribute in groups entries used in the link, for recursive group search (default: dn).</div>
<liclass="level1"><divclass="li"><strong>Password policy control</strong>: enable to use LDAP password policy. This requires at least Net::LDAP 0.38. (see ppolicy workflow below)</div>
</li>
<liclass="level1"><divclass="li"><strong>Password modify extended operation</strong>: enable to use the LDAP extended operation <code>password modify</code> instead of standard modify operation.</div>
</li>
<liclass="level1"><divclass="li"><strong>Change as user</strong>: enable to perform password modification with credentials of connected user. This requires to request user old password (see <ahref="portalcustom.html"class="wikilink1"title="documentation:2.0:portalcustom">portal customization</a>).</div>
<liclass="level1"><divclass="li"><strong>LDAP password encoding</strong>: can allow one to manage old LDAP servers using specific encoding for passwords (default: utf-8).</div>
<liclass="level1"><divclass="li"><strong>Use reset attribute</strong>: enable to use the password reset attribute. This attribute is set by LemonLDAP::NG when <ahref="resetpassword.html"class="wikilink1"title="documentation:2.0:resetpassword">password was reset by mail</a> and the user choose to generate the password (default: enabled).</div>
</li>
<liclass="level1"><divclass="li"><strong>Reset attribute</strong>: name of password reset attribute (default: pwdReset).</div>
</li>
<liclass="level1"><divclass="li"><strong>Reset value</strong>: value to set in reset attribute to activate password reset (default: TRUE).</div>
</li>
<liclass="level1"><divclass="li"><strong>Allow a user to reset his expired password</strong>: if activated, the user will be prompted to change password if his password is expired (default: 0)</div>