LDAP
Authentication | Users | Password |
✔ | ✔ | ✔ |
Presentation
LL::NG can use an LDAP directory to:
This works with every LDAP v2 or v3 server, including Active Directory.
LL::NG is compatible with LDAP password policy:
LDAP server can check password strength, and
LL::NG portal will display correct errors (password too short, password in history, etc.)
LDAP sever can block brute-force attacks, and
LL::NG will display that account is locked
LDAP server can force password change on first connection, and
LL::NG portal will display a password change form before opening
SSO session
Configuration
In Manager, go in General Parameters
> Authentication modules
and choose LDAP for authentication, users and/or password modules.
Authentication level
The authentication level given to users authenticated with this module.
As LDAP is a login/password based module, the authentication level can be:
Exported variables
Connection
Server host: LDAP server hostname or
URI (by default: localhost). Accept some specificities:
More than one server can be set here separated by spaces or commas. They will be tested in the specified order.
To use TLS, set ldap+tls://server
and to use LDAPS, set ldaps://server
instead of server name.
If you use TLS, you can set any of the
Net::LDAP start_tls() sub like
ldap+tls://server/verify=none&capath=/etc/ssl
. You can also use cafile and capath parameters.
Server port: TCP port used by LDAP server. Can be overridden by an LDAP
URI in server host.
Users search base: Base of search in the LDAP directory.
Account:
DN used to connect to LDAP server. By default, anonymous bind is used.
Password: password to used to connect to LDAP server. By default, anonymous bind is used.
Timeout: server idle timeout.
Version: LDAP protocol version.
Binary attributes: regular expression matching binary attributes (see
Net::LDAP documentation).
LemonLDAP::NG need anonymous access to LDAP Directory RootDSE in order to check LDAP connection.
Filters
In LDAP filters, $user is replaced by user login, and $mail by user email.
Default filter: default LDAP filter for searches, should not be modified.
Authentication filter: Filter to find user from its login (default: (&(uid=$user)(objectClass=inetOrgPerson))
)
Mail filter: Filter to find user from its mail (default: (&(mail=$mail)(objectClass=inetOrgPerson))
)
Alias dereference: How to manage LDAP aliases. (default: find
)
For Active Directory, the default authentication filter is:
(&(sAMAccountName=$user)(objectClass=person))
And the mail filter is:
(&(mail=$mail)(objectClass=person))
Groups
Search base:
DN of groups branch. If no value, disable group searching.
Object class: objectClass of the groups (default: groupOfNames).
Target attribute: name of the attribute in the groups storing the link to the user (default: member).
User source attribute: name of the attribute in users entries used in the link (default: dn).
Searched attributes: name(s) of the attribute storing the name of the group, spaces separated (default: cn).
Decode searched value: with Active Directory, member
DN value is sometimes bad decoded and groups are not found, activate this option to force value decoding.
Recursive: activate recursive group functionality (default: 0). If enabled, if the user group is a member of another group (group of groups), all parents groups will be stored as user's groups.
Group source attribute: name of the attribute in groups entries used in the link, for recursive group search (default: dn).
Password
Password policy control: enable to use LDAP password policy. This requires at least Net::LDAP 0.38. (see ppolicy workflow below)
Password modify extended operation: enable to use the LDAP extended operation password modify
instead of standard modify operation.
Change as user: enable to perform password modification with credentials of connected user. This requires to request user old password (see
portal customization).
LDAP password encoding: can allow one to manage old LDAP servers using specific encoding for passwords (default: utf-8).
Use reset attribute: enable to use the password reset attribute. This attribute is set by LemonLDAP::NG when
password was reset by mail and the user choose to generate the password (default: enabled).
Reset attribute: name of password reset attribute (default: pwdReset).
Reset value: value to set in reset attribute to activate password reset (default: TRUE).
Allow a user to reset his expired password: if activated, the user will be prompted to change password if his password is expired (default: 0)
Password expiration warning workflow
Password expiration workflow