This works with every <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> v2 or v3 server, including <a href="../../documentation/2.0/authad.html" class="wikilink1" title="documentation:2.0:authad">Active Directory</a>.
<acronym title="LemonLDAP::NG">LL::NG</acronym> is compatible with the <a href="https://opends.dev.java.net/public/standards/draft-behera-ldap-password-policy.txt" class="urlextern" title="https://opends.dev.java.net/public/standards/draft-behera-ldap-password-policy.txt" rel="nofollow">LDAP password policy</a> draft:
</p>
<ul>
<li class="level1"><div class="li">The <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> server can check password strength, and the <acronym title="LemonLDAP::NG">LL::NG</acronym> portal will display the corresponding error (password too short, password in history, etc.)</div>
</li>
<li class="level1"><div class="li">The <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> server can block brute-force attacks, and <acronym title="LemonLDAP::NG">LL::NG</acronym> will display that the account is locked</div>
</li>
<li class="level1"><div class="li">The <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> server can force a password change on first connection, and the <acronym title="LemonLDAP::NG">LL::NG</acronym> portal will display a password change form before opening the <acronym title="Single Sign On">SSO</acronym> session</div>
</li>
<p>In Manager, go to <code>General Parameters</code> &gt; <code>Authentication modules</code> and choose <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> for the authentication, users and/or password modules.</p>
<li class="level1"><div class="li"> decreased (-1) if the portal autocompletion is allowed (see <a href="../../documentation/2.0/portalcustom.html" class="wikilink1" title="documentation:2.0:portalcustom">portal customization</a>)</div>
</li>
<p>List of attributes to query to fill the user session. See also <a href="../../documentation/2.0/exportedvars.html" class="wikilink1" title="documentation:2.0:exportedvars">exported variables configuration</a>.</p>
<li class="level1"><div class="li"><strong>Server host</strong>: <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> server hostname or <acronym title="Uniform Resource Identifier">URI</acronym> (default: localhost). Some specific forms are accepted:</div>
<ul>
<li class="level2"><div class="li"> More than one server can be set here, separated by spaces or commas. They are tried in the order given.</div>
</li>
<li class="level2"><div class="li"> To use TLS (StartTLS on the plain LDAP port), set <code>ldap+tls://server</code>; to use LDAPS, set <code>ldaps://server</code> instead of the server name.</div>
</li>
<li class="level2"><div class="li"> If you use TLS, you can pass any option of the <a href="http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod" class="urlextern" title="http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod" rel="nofollow">Net::LDAP</a> <code>start_tls()</code> method in the URI, for example <code>ldap+tls://server/verify=none&amp;capath=/etc/ssl</code>. You can also use the caFile and caPath parameters. Note that <code>verify=none</code> accepts any certificate the server presents, so the connection can be intercepted by anyone who can redirect traffic; in production use <code>verify=require</code> together with a CA file or path so the server certificate is actually checked.</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"><strong>Server port</strong>: TCP port used by the <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> server. Overridden by the port given in an <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> <acronym title="Uniform Resource Identifier">URI</acronym> in server host.</div>
</li>
<li class="level1"><div class="li"><strong>Users search base</strong>: base of searches in the <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> directory.</div>
</li>
<li class="level1"><div class="li"><strong>Account</strong>: <acronym title="Distinguished Name">DN</acronym> used to bind to the <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> server. If empty, an anonymous bind is used.</div>
</li>
<li class="level1"><div class="li"><strong>Password</strong>: password of the account used to bind to the <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> server. If empty, an anonymous bind is used.</div>
</li>
<li class="level1"><div class="li"><strong>Timeout</strong>: server idle timeout.</div>
</li>
<p><div class="notetip">In <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> filters, <code>$user</code> is replaced by the user login, and <code>$mail</code> by the user email.
</div></p>
</p>
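<p>The substitution described in the tip above is exactly where LDAP filter injection lives: a login containing <code>*</code> or <code>)(</code> that is copied into the filter verbatim changes the query the directory runs. The following is an added example, not code from LL::NG, that renders the default authentication filter with and without RFC 4515 escaping of the substituted value; the page does not say how LL::NG itself performs the substitution, and the hostile login is constructed for the demonstration.</p>

```python
"""Render LL::NG-style LDAP filter templates with RFC 4515 escaping.

Added example, not LL::NG's own code. The page only states that $user and
$mail are substituted into the filters; this example assumes the substituted
value must be escaped as an LDAP filter assertion value and shows what a
hostile login does to the query when it is not.
"""
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion
# value, each replaced by a backslash and the two-digit hex code of the byte.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Default filters copied from the page.
DEFAULT_AUTH_FILTER = "(&(uid=$user)(objectClass=inetOrgPerson))"
DEFAULT_MAIL_FILTER = "(&(mail=$mail)(objectClass=inetOrgPerson))"

_PLACEHOLDER = re.compile(r"\$(\w+)")
_ASSERTION = re.compile(r"\([A-Za-z][\w.;-]*=")


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, variables: dict, escape: bool = True) -> str:
    """Replace $name placeholders with values from `variables`.

    An unknown placeholder raises KeyError: a typo in a configured filter
    must fail loudly rather than silently produce a broader search.
    """
    def substitute(match):
        raw = variables[match.group(1)]
        return escape_filter_value(raw) if escape else raw
    return _PLACEHOLDER.sub(substitute, template)


def count_assertions(ldap_filter: str) -> int:
    """Count attribute assertions ("(attr=") in a filter. Used to show how an
    unescaped login changes the shape of the query the directory receives."""
    return len(_ASSERTION.findall(ldap_filter))


def demo(login: str = "*)(uid=*"):
    """Render the default authentication filter with a constructed hostile
    login, once without escaping and once with it."""
    unsafe = render_filter(DEFAULT_AUTH_FILTER, {"user": login}, escape=False)
    safe = render_filter(DEFAULT_AUTH_FILTER, {"user": login})
    return unsafe, safe


if __name__ == "__main__":
    unsafe, safe = demo()
    print("unescaped:", unsafe, "->", count_assertions(unsafe), "assertions")
    print("escaped:  ", safe, "->", count_assertions(safe), "assertions")
```

<p>Unescaped, the hostile login turns the two-assertion filter into a three-assertion one whose first two clauses are <code>(uid=*)</code>, i.e. it matches every person; escaped, the login becomes an ordinary literal that matches nothing. The same escaping applies to <code>$mail</code> in the mail filter.</p>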
<ul>
<li class="level1"><div class="li"><strong>Default filter</strong>: default <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> filter for searches; it should not be modified.</div>
</li>
<li class="level1"><div class="li"><strong>Authentication filter</strong>: filter to find a user from its login (default: <code>(&amp;(uid=$user)(objectClass=inetOrgPerson))</code>)</div>
</li>
<li class="level1"><div class="li"><strong>Mail filter</strong>: filter to find a user from its mail (default: <code>(&amp;(mail=$mail)(objectClass=inetOrgPerson))</code>)</div>
</li>
<li class="level1"><div class="li"><strong>Search base</strong>: <acronym title="Distinguished Name">DN</acronym> of the groups branch. If empty, group searching is disabled.</div>
</li>
<li class="level1"><div class="li"><strong>Object class</strong>: objectClass of the groups (default: groupOfNames).</div>
</li>
<li class="level1"><div class="li"><strong>Target attribute</strong>: name of the attribute in group entries that stores the link to the user (default: member).</div>
</li>
<li class="level1"><div class="li"><strong>User source attribute</strong>: name of the attribute in user entries used in the link (default: dn).</div>
</li>
<li class="level1"><div class="li"><strong>Searched attributes</strong>: name(s) of the attribute(s) storing the name of the group, space separated (default: cn).</div>
</li>
<li class="level1"><div class="li"><strong>Recursive</strong>: enable recursive group resolution (default: 0). If enabled and a user's group is itself a member of another group (group of groups), all parent groups are also stored as the user's groups.</div>
</li>
<li class="level1"><div class="li"><strong>Group source attribute</strong>: name of the attribute in group entries used in the link, for recursive group search (default: dn).</div>
</li>
<li class="level1"><div class="li"><strong>Password policy control</strong>: enable the <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> password policy control. This requires at least <code>Net::LDAP</code> 0.38.</div>
</li>
<li class="level1"><div class="li"><strong>Password modify extended operation</strong>: use the <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> <code>password modify</code> extended operation (RFC 3062) instead of a standard modify operation on the password attribute.</div>
</li>
<li class="level1"><div class="li"><strong>Change as user</strong>: perform the password modification with the credentials of the connected user rather than with the configured account. This requires asking the user for the old password (see <a href="../../documentation/2.0/portalcustom.html" class="wikilink1" title="documentation:2.0:portalcustom">portal customization</a>).</div>
</li>
<li class="level1"><div class="li"><strong><acronym title="Lightweight Directory Access Protocol">LDAP</acronym> password encoding</strong>: character encoding used when sending passwords, for old <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> servers that expect a specific encoding (default: utf-8).</div>
</li>
<li class="level1"><div class="li"><strong>Use reset attribute</strong>: use the password reset attribute. This attribute is set by LemonLDAP::NG when the <a href="../../documentation/2.0/resetpassword.html" class="wikilink1" title="documentation:2.0:resetpassword">password was reset by mail</a> and the user chose to generate the password (default: enabled).</div>
</li>
<p>But sometimes other data is needed (in particular to use <a href="../../documentation/2.0/extendedfunctions.html" class="wikilink1" title="documentation:2.0:extendedfunctions">extended functions</a>):</p>
<li class="level1"><div class="li"> An application name (to allow access by application rather than by group of users)</div>
</li>
<li class="level1"><div class="li"> A start date and an end date (to open or close the service even if the entry already exists)</div>
</li>
<li class="level1"><div class="li"> A time profile (allowed hours and days of the week)</div>
</li>
<li class="level1"><div class="li"> One or more roles (to send to the protected applications)</div>
</li>
</ul>
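<p>As an added example (not LL::NG's own code) of the group settings listed above, the following resolves a user's groups against a small constructed in-memory directory instead of a live server. The search base, object class, target attribute, user source attribute, searched attributes, recursive flag and group source attribute are the page's parameters; the entries, DNs, the case-insensitive matching and the cycle guard are this example's own assumptions.</p>

```python
"""Resolve a user's groups with the group settings described on the page.

Added example, not LL::NG's own code. It runs against a small constructed
in-memory directory instead of a live LDAP server so it works offline; the
parameter names follow the page, while the entries and DNs are made up.
"""

GROUP_BASE = "ou=groups,dc=example,dc=com"
USER_DN = "uid=jdoe,ou=people,dc=example,dc=com"

# Constructed directory: DN -> attributes. Every attribute is multi-valued,
# as in LDAP. Deliberate traps: a group under another branch, a non-group
# entry that lists the user, and a group that is a member of itself.
DIRECTORY = {
    USER_DN: {"uid": ["jdoe"], "objectClass": ["inetOrgPerson"]},
    "cn=devs,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["devs"],
        "member": [USER_DN]},
    "cn=staff,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["staff"],
        "member": ["cn=devs,ou=groups,dc=example,dc=com"]},
    "cn=everyone,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["everyone"],
        "member": ["cn=staff,ou=groups,dc=example,dc=com",
                   "cn=everyone,ou=groups,dc=example,dc=com"]},  # membership cycle
    "cn=devs,ou=legacy,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["old-devs"],
        "member": [USER_DN]},                                    # outside the search base
    "cn=ci-bot,ou=groups,dc=example,dc=com": {
        "objectClass": ["applicationProcess"], "cn": ["ci-bot"],
        "member": [USER_DN]},                                    # wrong objectClass
}


def attr_values(dn, entry, attr):
    """Values of an attribute; 'dn' is treated as a pseudo-attribute."""
    if attr == "dn":
        return [dn]
    return entry.get(attr, [])


def search(base, object_class, attr, value):
    """Emulate a subtree search for (&(objectClass=<oc>)(<attr>=<value>)).
    Matching is case-insensitive, a simplification of LDAP matching rules."""
    base, value = base.lower(), value.lower()
    for dn, entry in DIRECTORY.items():
        under_base = dn.lower() == base or dn.lower().endswith("," + base)
        if not under_base:
            continue
        if object_class.lower() not in (v.lower() for v in entry.get("objectClass", [])):
            continue
        if value in (v.lower() for v in attr_values(dn, entry, attr)):
            yield dn, entry


def resolve_groups(user_dn, group_base, object_class="groupOfNames",
                   target_attr="member", user_source_attr="dn",
                   searched_attrs=("cn",), recursive=False,
                   group_source_attr="dn"):
    """Return {group name: {searched attr: values}} for the user.

    With recursive=True, each found group's own link value is searched in
    turn so that parent groups (groups of groups) are added. The set of
    already-searched links stops the walk on membership cycles.
    """
    if not group_base:                      # page: empty base disables group search
        return {}
    user_entry = DIRECTORY[user_dn]
    pending = list(attr_values(user_dn, user_entry, user_source_attr))
    searched = set()
    groups = {}
    while pending:
        link = pending.pop()
        if link.lower() in searched:
            continue
        searched.add(link.lower())
        for dn, entry in search(group_base, object_class, target_attr, link):
            names = attr_values(dn, entry, searched_attrs[0])
            if not names or names[0] in groups:
                continue
            groups[names[0]] = {a: attr_values(dn, entry, a) for a in searched_attrs}
            if recursive:
                pending.extend(attr_values(dn, entry, group_source_attr))
    return groups


if __name__ == "__main__":
    print(sorted(resolve_groups(USER_DN, GROUP_BASE)))
    print(sorted(resolve_groups(USER_DN, GROUP_BASE, recursive=True)))
```

<p>Without the recursive flag only <code>devs</code> is found; with it, <code>staff</code> and <code>everyone</code> are added, and the self-referencing <code>everyone</code> entry does not loop because each link value is searched once. The entry under <code>ou=legacy</code> and the <code>applicationProcess</code> entry are filtered out by the search base and object class respectively, which is why those two settings matter for least privilege: widening either one lets unrelated entries grant group membership.</p>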
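<p>The password policy control listed above is what carries the "password too short", "password in history", "account locked" and "change on first connection" conditions the portal displays. The following decoder is an added example, not LL::NG's code: it parses the control's response value as defined in the password policy draft linked at the top of the page, and the bind-time decision function is this example's own assumed interpretation (LL::NG's actual handling and message strings are not on the page). The control values are constructed by hand.</p>

```python
"""Decode the LDAP Password Policy response control (draft-behera).

Added example, not LL::NG's own code. The ASN.1 layout and the error names
come from the draft linked on the page (control OID
1.3.6.1.4.1.42.2.27.8.5.1); portal_decision() is an assumed interpretation
modelled on the behaviour the page describes, not LL::NG's actual logic.
"""

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# error [1] ENUMERATED values, from the draft.
ERRORS = {
    0: "passwordExpired",
    1: "accountLocked",
    2: "changeAfterReset",
    3: "passwordModNotAllowed",
    4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality",
    6: "passwordTooShort",
    7: "passwordTooYoung",
    8: "passwordInHistory",
}


def _read_tlv(data: bytes, pos: int):
    """Read one BER element at `pos`: return (tag, content, next_pos).
    Single-byte tags and definite lengths are all this control uses."""
    if pos + 2 > len(data):
        raise ValueError("truncated BER element")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise ValueError("unsupported BER length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated BER element")
    return tag, data[pos:end], end


def _read_int(content: bytes) -> int:
    return int.from_bytes(content, "big", signed=True)


def decode_ppolicy_response(value: bytes) -> dict:
    """Parse PasswordPolicyResponseValue into
    {"warning": (kind, n) or None, "error": name or None}."""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected a single SEQUENCE")
    result = {"warning": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag == 0xA0:                      # warning [0]: explicit tag around the CHOICE
            ctag, cval, cend = _read_tlv(content, 0)
            if cend != len(content):
                raise ValueError("malformed warning")
            if ctag == 0x80:                 # timeBeforeExpiration [0] INTEGER (seconds)
                result["warning"] = ("timeBeforeExpiration", _read_int(cval))
            elif ctag == 0x81:               # graceAuthNsRemaining [1] INTEGER
                result["warning"] = ("graceAuthNsRemaining", _read_int(cval))
            else:
                raise ValueError("unknown warning tag 0x%02x" % ctag)
        elif tag == 0x81:                    # error [1]: implicit tag on ENUMERATED
            code = _read_int(content)
            result["error"] = ERRORS.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unexpected tag 0x%02x" % tag)
    return result


def portal_decision(decoded: dict) -> str:
    """Assumed portal-side handling of a control returned with a bind response."""
    error, warning = decoded["error"], decoded["warning"]
    if error == "accountLocked":
        return "deny"                        # page: portal reports the account is locked
    if error == "changeAfterReset":
        return "force_password_change"       # page: change form before the SSO session
    if error == "passwordExpired":
        grace_left = (warning is not None and warning[0] == "graceAuthNsRemaining"
                      and warning[1] > 0)
        return "force_password_change" if grace_left else "deny"
    if error is not None:
        return "password_rejected"           # quality/history/length errors from a modify
    if warning is not None:
        return "allow_with_warning"          # e.g. password expires soon
    return "allow"


if __name__ == "__main__":
    for hexval in ("3003810106", "3006a00480020e10", "3008a003810102810100", "3000"):
        decoded = decode_ppolicy_response(bytes.fromhex(hexval))
        print(hexval, decoded, portal_decision(decoded))
```

<p>The decoder is strict on purpose: any unknown tag or length mismatch raises instead of being skipped, because a control the server did not send as expected should not silently turn into "allow". Note that the control is only meaningful when the client requested it on the bind, which is what the "Password policy control" setting enables.</p>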
<p>
Of course, standard <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> attributes can be used to store this extra data (application name, validity dates, time profile, roles), but <acronym title="LemonLDAP::NG">LL::NG</acronym> also provides an <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> schema extension to manage it.
Extended attributes and object classes use the prefix 1.3.6.1.4.1.10943.10.2.
</p>
<p>
The prefix 1.3.6.1.4.1.10943 is owned by <a href="http://www.linagora.com" class="urlextern" title="http://www.linagora.com" rel="nofollow">LINAGORA</a> (see <a href="http://www.iana.org/assignments/enterprise-numbers" class="urlextern" title="http://www.iana.org/assignments/enterprise-numbers" rel="nofollow">http://www.iana.org/assignments/enterprise-numbers</a>).
</p>
<p><div class="noteimportant">To get attribute values in the session, declare them in <a href="../../documentation/2.0/exportedvars.html" class="wikilink1" title="documentation:2.0:exportedvars">exported variables</a>.
</div></p>
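<p>The start date, end date and time profile listed above need a precise evaluation rule before they can gate access (is the end date inclusive? in which time zone? where does the week start?). As an added example, not LL::NG's schema or code, the following evaluates them under assumed formats: dates as LDAP GeneralizedTime in UTC (<code>YYYYMMDDHHMMSSZ</code>) and the time profile as a 168-character string of 0/1, one character per hour of the week starting at Monday 00:00 UTC. The sample dates and profile are constructed.</p>

```python
"""Evaluate per-user validity dates and a weekly time profile.

Added example, not LL::NG's schema or code: the page says such data can be
stored in LDAP and used by extended functions but does not define formats.
Assumed here: dates are LDAP GeneralizedTime in UTC ("YYYYMMDDHHMMSSZ") and
the time profile is a 168-character string of 0/1, one character per hour
of the week starting at Monday 00:00 UTC.
"""
from datetime import datetime, timezone

HOURS_PER_WEEK = 24 * 7


def utc(year, month, day, hour=0, minute=0, second=0):
    """Convenience constructor for timezone-aware UTC datetimes."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_generalized_time(value):
    """Parse 'YYYYMMDDHHMMSSZ' into an aware UTC datetime; empty means unbounded."""
    if not value:
        return None
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def _as_utc(now):
    """Refuse naive datetimes: evaluating in an unknown zone is how an
    account stays open an hour longer than intended."""
    if now.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime")
    return now.astimezone(timezone.utc)


def within_dates(now, start=None, end=None):
    """Start is inclusive, end is exclusive: an end of 20240701000000Z closes
    access at the first second of July 1st."""
    now = _as_utc(now)
    first, last = parse_generalized_time(start), parse_generalized_time(end)
    if first is not None and now < first:
        return False
    if last is not None and now >= last:
        return False
    return True


def build_profile(days, hours):
    """Build a profile string from allowed weekdays (0=Monday .. 6=Sunday)
    and allowed hours (0..23)."""
    bits = ["0"] * HOURS_PER_WEEK
    for d in days:
        for h in hours:
            bits[d * 24 + h] = "1"
    return "".join(bits)


def profile_allows(profile, now):
    """True when the hour containing `now` (converted to UTC) is allowed."""
    if len(profile) != HOURS_PER_WEEK or set(profile) - {"0", "1"}:
        raise ValueError("time profile must be 168 characters of 0/1")
    now = _as_utc(now)
    return profile[now.weekday() * 24 + now.hour] == "1"


def access_allowed(now, start=None, end=None, profile=None):
    """Combine both checks; no profile means no hour restriction."""
    if not within_dates(now, start, end):
        return False
    if profile is not None and not profile_allows(profile, now):
        return False
    return True


if __name__ == "__main__":
    office_hours = build_profile(range(0, 5), range(8, 18))   # Mon-Fri 08:00-17:59 UTC
    for when in (utc(2024, 3, 13, 9), utc(2024, 3, 13, 18), utc(2024, 3, 16, 10)):
        print(when.isoformat(), access_allowed(when, "20240101000000Z",
                                              "20240701000000Z", office_hours))
```

<p>Both checks are done in UTC on an aware datetime; a session opened from a different time zone must be converted rather than compared naively. The exclusive end date and the half-open hour slots are the boundary decisions worth writing down in the schema documentation, since two components disagreeing on them leads to an account that one side considers closed and the other still serves.</p>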