<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:authldap</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,authldap"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="authldap.html"/>
<link rel="contents" href="authldap.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:authldap","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/lib/scripts/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/lib/scripts/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#authentication_level">Authentication level</a></div></li>
<li class="level2"><div class="li"><a href="#exported_variables">Exported variables</a></div></li>
<li class="level2"><div class="li"><a href="#connection">Connection</a></div></li>
<li class="level2"><div class="li"><a href="#filters">Filters</a></div></li>
<li class="level2"><div class="li"><a href="#groups">Groups</a></div></li>
<li class="level2"><div class="li"><a href="#password">Password</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="ldap">LDAP</h1>
<div class="level1">
<div class="table sectionedit2"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Authentication </th><th class="col1 centeralign"> Users </th><th class="col2 centeralign"> Password </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 centeralign"> ✔ </td><td class="col1 centeralign"> ✔ </td><td class="col2 centeralign"> ✔ </td>
</tr>
</table></div>
<!-- EDIT2 TABLE [21-90] -->
</div>
<!-- EDIT1 SECTION "LDAP" [1-91] -->
<h2 class="sectionedit3" id="presentation">Presentation</h2>
<div class="level2">
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> can use an LDAP directory to:
</p>
<ul>
<li class="level1"><div class="li"> authenticate users</div>
</li>
<li class="level1"><div class="li"> get user attributes</div>
</li>
<li class="level1"><div class="li"> get the groups a user belongs to</div>
</li>
<li class="level1"><div class="li"> change passwords (with server-side password policy management)</div>
</li>
</ul>
<p>
This works with every LDAP v2 or v3 server, including <a href="authad.html" class="wikilink1" title="documentation:2.0:authad">Active Directory</a>.
</p>
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> is compatible with the <a href="https://opends.dev.java.net/public/standards/draft-behera-ldap-password-policy.txt" class="urlextern" title="https://opends.dev.java.net/public/standards/draft-behera-ldap-password-policy.txt" rel="nofollow">LDAP password policy</a> draft (draft-behera-ldap-password-policy):
</p>
<ul>
<li class="level1"><div class="li"> the LDAP server can check password strength, and the <abbr title="LemonLDAP::NG">LL::NG</abbr> portal will display the corresponding error (password too short, password in history, etc.)</div>
</li>
<li class="level1"><div class="li"> the LDAP server can block brute-force attacks by locking the account, and <abbr title="LemonLDAP::NG">LL::NG</abbr> will display that the account is locked</div>
</li>
<li class="level1"><div class="li"> the LDAP server can force a password change on first connection, and the <abbr title="LemonLDAP::NG">LL::NG</abbr> portal will display a password change form before opening the <abbr title="Single Sign On">SSO</abbr> session</div>
</li>
</ul>
<p>
These behaviours rely on the password policy response control returned by the server, so <code>Password policy control</code> must be enabled in the Password settings (see below); the directory must enforce the policy itself, the portal only reports what the server decided.
</p>
</div>
<!-- EDIT3 SECTION "Presentation" [92-903] -->
<h2 class="sectionedit4" id="configuration">Configuration</h2>
<div class="level2">
<p>
In Manager, go to <code>General Parameters</code> > <code>Authentication modules</code> and choose LDAP for the authentication, users and/or password modules.
</p>
<div class="notetip">For <a href="authad.html" class="wikilink1" title="documentation:2.0:authad">Active Directory</a>, choose <code>Active Directory</code> instead of <code>LDAP</code>.
</div>
</div>
<!-- EDIT4 SECTION "Configuration" [904-1169] -->
<h3 class="sectionedit5" id="authentication_level">Authentication level</h3>
<div class="level3">
<p>
The authentication level given to users authenticated with this module.
</p>
<div class="noteimportant">As LDAP is a login/password based module, the authentication level can be:<ul>
<li class="level1"><div class="li"> increased (+1) if the portal is protected by SSL (HTTPS)</div>
</li>
<li class="level1"><div class="li"> decreased (-1) if autocompletion is allowed on the portal login form (see <a href="portalcustom.html" class="wikilink1" title="documentation:2.0:portalcustom">portal customization</a>)</div>
</li>
</ul>
</div>
</div>
<!-- EDIT5 SECTION "Authentication level" [1170-1535] -->
<h3 class="sectionedit6" id="exported_variables">Exported variables</h3>
<div class="level3">
<p>
List of LDAP attributes to query to fill the user session. See also <a href="exportedvars.html" class="wikilink1" title="documentation:2.0:exportedvars">exported variables configuration</a>.
</p>
</div>
<!-- EDIT6 SECTION "Exported variables" [1536-1676] -->
<h3 class="sectionedit7" id="connection">Connection</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> <strong>Server host</strong>: LDAP server hostname or <abbr title="Uniform Resource Identifier">URI</abbr> (default: localhost). The following forms are accepted:</div>
<ul>
<li class="level2"><div class="li"> More than one server can be set here, separated by spaces or commas. They will be tried in the specified order.</div>
</li>
<li class="level2"><div class="li"> To use TLS (StartTLS), set <code>ldap+tls://server</code> and to use LDAPS, set <code>ldaps://server</code> instead of the server name.</div>
</li>
<li class="level2"><div class="li"> If you use TLS, you can pass any option of the <a href="http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod" class="urlextern" title="http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod" rel="nofollow">Net::LDAP</a> <code>start_tls()</code> method in the URI, like <code>ldap+tls://server/verify=none&capath=/etc/ssl</code>. You can also use the <code>caFile</code> and <code>caPath</code> parameters. Note that <code>verify=none</code> disables server certificate verification, which lets a man-in-the-middle read the bind password and user attributes; in production use <code>verify=require</code> together with <code>caFile</code> or <code>caPath</code> pointing to the CA that issued the directory's certificate.</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> <strong>Server port</strong>: TCP port used by the LDAP server. Can be overridden by an LDAP <abbr title="Uniform Resource Identifier">URI</abbr> in server host.</div>
</li>
<li class="level1"><div class="li"> <strong>Users search base</strong>: base <abbr title="Distinguished Name">DN</abbr> of user searches in the LDAP directory.</div>
</li>
<li class="level1"><div class="li"> <strong>Account</strong>: <abbr title="Distinguished Name">DN</abbr> used to connect to the LDAP server. By default, anonymous bind is used. Use a dedicated account with read-only rights on the user and group branches; it needs write access to user passwords only if password changes are not performed as the connected user (see <code>Change as user</code> in the Password section).</div>
</li>
<li class="level1"><div class="li"> <strong>Password</strong>: password of the account used to connect to the LDAP server. Leave empty for anonymous bind.</div>
</li>
<li class="level1"><div class="li"> <strong>Timeout</strong>: server idle timeout.</div>
</li>
<li class="level1"><div class="li"> <strong>Version</strong>: LDAP protocol version. Use 3 unless the directory only speaks v2; StartTLS is an LDAPv3 extended operation.</div>
</li>
<li class="level1"><div class="li"> <strong>Binary attributes</strong>: regular expression matching binary attributes (see <a href="http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod" class="urlextern" title="http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod" rel="nofollow">Net::LDAP</a> documentation).</div>
</li>
</ul>
</div>
<!-- EDIT7 SECTION "Connection" [1677-2868] -->
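<p>
The following is an added example, not LemonLDAP::NG code: a small parser and linter for the <code>Server host</code> syntax described above. It applies the documented rules (entries separated by spaces or commas and tried in order; <code>ldap://</code>, <code>ldap+tls://</code> and <code>ldaps://</code> URIs; <code>start_tls()</code> options after the host as <code>key=value&key=value</code>; a port in the URI overriding <code>Server port</code>) and flags the transport settings a reviewer would question. The option names <code>verify</code>, <code>cafile</code> and <code>capath</code> are Net::LDAP's; the warning texts, the assumption that the configured port also applies to URIs without one, and the hostnames are this example's own. How LL::NG itself parses the string is not reproduced.
</p>

```python
"""Added example, not LemonLDAP::NG code: parse and lint an LL::NG-style
"Server host" value.

Rules applied: entries separated by spaces or commas, tried in order;
ldap://, ldap+tls:// (StartTLS) and ldaps:// URIs; Net::LDAP start_tls()
options appended after the host as key=value&key=value; a port inside the
URI overrides the configured "Server port". Hostnames are made up.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# scheme://host[:port][/opt=val&opt=val]  (IPv6 literals in brackets are not handled)
URI_RE = re.compile(r"^(?:(ldap\+tls|ldaps|ldap)://)?([^/:\s]+)(?::(\d+))?(?:/(.*))?$")


@dataclass
class LdapServer:
    scheme: str                      # "ldap", "ldap+tls" or "ldaps"
    host: str
    port: int
    tls_options: Dict[str, str] = field(default_factory=dict)
    warnings: List[str] = field(default_factory=list)


def parse_server_host(value: str, server_port: int = 389) -> List[LdapServer]:
    """Split a "Server host" value into servers, in connection order."""
    servers: List[LdapServer] = []
    for token in re.split(r"[\s,]+", value.strip()):
        if not token:
            continue
        m = URI_RE.match(token)
        if not m:
            raise ValueError(f"unparseable server entry: {token!r}")
        scheme, host, port, query = m.groups()
        options: Dict[str, str] = {}
        for kv in (query or "").split("&"):
            if kv:
                key, _, val = kv.partition("=")
                options[key.strip().lower()] = val.strip()
        # A port inside the URI wins over the "Server port" setting. Assumption of
        # this example: the configured port also applies to ldaps:// URIs without one.
        srv = LdapServer(scheme or "ldap", host, int(port) if port else server_port, options)
        srv.warnings = lint(srv)
        servers.append(srv)
    return servers


def lint(srv: LdapServer) -> List[str]:
    """Transport-security review of one server entry (wording is this example's)."""
    notes: List[str] = []
    if srv.scheme == "ldap":
        notes.append("cleartext LDAP: bind passwords and attributes cross the network unencrypted")
        return notes
    verify = srv.tls_options.get("verify")
    if verify is None:
        notes.append("verify not set: certificate checking depends on the Net::LDAP default; set verify=require explicitly")
    elif verify != "require":
        notes.append(f"verify={verify}: server certificate is not validated, a man-in-the-middle can read the bind password")
    if verify == "require" and not set(srv.tls_options).intersection({"cafile", "capath"}):
        notes.append("verify=require without cafile/capath: trust comes from the system CA store or the caFile/caPath settings")
    return notes


if __name__ == "__main__":
    sample = "ldap+tls://ldap1.example.com/verify=none&capath=/etc/ssl, ldaps://ldap2.example.com:1636 ldap3.example.com"
    for s in parse_server_host(sample):
        print(s.scheme, s.host, s.port, s.tls_options, s.warnings)
```

<p>
Run it against the value you intend to paste into the Manager before saving it: an entry that comes back with a <code>verify</code> or <code>cleartext</code> warning should not reach production.
</p>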
<h3 class="sectionedit8" id="filters">Filters</h3>
<div class="level3">
<div class="notetip">In LDAP filters, <code>$user</code> is replaced by the user login, and <code>$mail</code> by the user email. Both values come from the login form, so they must be escaped as filter values (RFC 4515) and never treated as filter syntax.
</div><ul>
<li class="level1"><div class="li"> <strong>Default filter</strong>: default LDAP filter for searches; should not be modified.</div>
</li>
<li class="level1"><div class="li"> <strong>Authentication filter</strong>: filter to find the user from their login (default: <code>(&(uid=$user)(objectClass=inetOrgPerson))</code>)</div>
</li>
<li class="level1"><div class="li"> <strong>Mail filter</strong>: filter to find the user from their mail address (default: <code>(&(mail=$mail)(objectClass=inetOrgPerson))</code>)</div>
</li>
<li class="level1"><div class="li"> <strong>Alias dereference</strong>: how to handle LDAP aliases during searches (default: <code>find</code>)</div>
</li>
</ul>
<div class="notetip">For Active Directory, the default authentication filter is:
<pre class="code">(&(sAMAccountName=$user)(objectClass=person))</pre>
<p>
And the mail filter is:
</p>
<pre class="code">(&(mail=$mail)(objectClass=person))</pre>
</div>
</div>
<!-- EDIT8 SECTION "Filters" [2869-3590] -->
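<p>
As an added example (not LemonLDAP::NG code), the block below renders the filter templates shown above with RFC 4515 escaping of the values substituted for <code>$user</code> and <code>$mail</code>, beside a deliberately unescaped substitution that shows what a login such as <code>admin)(uid=*</code> does to the filter, and a check that a rendered filter still carries exactly one assertion on the login attribute. The templates are this page's defaults; the logins and the helper names are made up. Whether your LL::NG version escapes these values itself is something to verify in its source.
</p>

```python
"""Added example, not LemonLDAP::NG code: render the filter templates of the
Filters section with RFC 4515 escaping of $user and $mail.

Templates are the page's defaults; the logins used are made up.
"""
import re

AUTH_FILTER = "(&(uid=$user)(objectClass=inetOrgPerson))"
MAIL_FILTER = "(&(mail=$mail)(objectClass=inetOrgPerson))"
AD_AUTH_FILTER = "(&(sAMAccountName=$user)(objectClass=person))"


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3: NUL, '(', ')', '*' and backslash must be written as
    \\XX; control and non-ASCII bytes are escaped as well (allowed, and safer)."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"\x00()*\\" or byte not in range(0x20, 0x7F):
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def render_filter(template: str, user: str = "", mail: str = "") -> str:
    """Substitute $user and $mail in an LL::NG-style template, escaped."""
    values = {"user": escape_filter_value(user), "mail": escape_filter_value(mail)}
    return re.sub(r"\$(user|mail)\b", lambda m: values[m.group(1)], template)


def render_filter_unsafe(template: str, user: str = "", mail: str = "") -> str:
    """Deliberately unescaped substitution, kept only to show the injection."""
    return template.replace("$user", user).replace("$mail", mail)


def filter_is_anchored(rendered: str, attribute: str) -> bool:
    """True if the rendered filter has exactly one assertion on `attribute`
    and that assertion carries no wildcard, i.e. the input did not reshape it."""
    values = re.findall(r"\(%s=([^()]*)\)" % re.escape(attribute), rendered)
    return len(values) == 1 and "*" not in values[0]


if __name__ == "__main__":
    hostile = "admin)(uid=*"
    print(render_filter_unsafe(AUTH_FILTER, user=hostile))   # two uid assertions, wildcard
    print(render_filter(AUTH_FILTER, user=hostile))          # one uid assertion, literal value
```

<p>
The unescaped form turns the login into a second <code>(uid=*)</code> assertion, so the search matches any inetOrgPerson and the bind that follows is done against whichever entry the directory returns first. The escaped form keeps the hostile string as a literal value that matches nothing.
</p>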
<h3 class="sectionedit9" id="groups">Groups</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> <strong>Search base</strong>: <abbr title="Distinguished Name">DN</abbr> of the groups branch. If empty, group searching is disabled.</div>
</li>
<li class="level1"><div class="li"> <strong>Object class</strong>: objectClass of the groups (default: groupOfNames).</div>
</li>
<li class="level1"><div class="li"> <strong>Target attribute</strong>: name of the attribute in group entries that stores the link to the user (default: member).</div>
</li>
<li class="level1"><div class="li"> <strong>User source attribute</strong>: name of the attribute in user entries used in the link (default: dn).</div>
</li>
<li class="level1"><div class="li"> <strong>Searched attributes</strong>: name(s) of the attribute(s) storing the name of the group, separated by spaces (default: cn).</div>
</li>
<li class="level1"><div class="li"> <strong>Recursive</strong>: activate recursive group search (default: 0). If enabled and the user's group is itself a member of another group (group of groups), all parent groups are also stored as the user's groups.</div>
</li>
<li class="level1"><div class="li"> <strong>Group source attribute</strong>: name of the attribute in group entries used in the link, for recursive group search (default: dn).</div>
</li>
</ul>
</div>
<!-- EDIT9 SECTION "Groups" [3591-4425] -->
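<p>
The following added example (not LemonLDAP::NG code) walks through the group resolution the parameters above describe, over a small in-memory directory constructed for the purpose: direct groups are found through <code>Target attribute</code> = the user's <code>User source attribute</code> value, and with <code>Recursive</code> enabled parent groups are found the same way from each group's <code>Group source attribute</code>. It goes one step beyond the page's defaults by also covering posixGroup-style links (<code>memberUid</code> against <code>uid</code>) and by showing why a recursive walk needs a visited set and a depth bound: the sample directory contains a membership cycle. Entries, DNs and group names are made up; how LL::NG itself runs the searches is not reproduced.
</p>

```python
"""Added example, not LemonLDAP::NG code: resolve a user's groups with the
parameters of the Groups section over a constructed in-memory directory.

Parameter mapping: object_class = "Object class", target_attr = "Target
attribute", user_source_attr = "User source attribute", searched_attrs =
"Searched attributes", recursive = "Recursive", group_source_attr = "Group
source attribute". All entries, DNs and names below are made up.
"""
from typing import Dict, List, Set, Tuple

Entry = Dict[str, List[str]]

# Constructed sample directory: DN -> attributes (multi-valued, as in LDAP).
DIRECTORY: Dict[str, Entry] = {
    "uid=jdoe,ou=users,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["jdoe"], "cn": ["John Doe"]},
    "cn=dev,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["dev"],
        "member": ["uid=jdoe,ou=users,dc=example,dc=com"]},
    "cn=staff,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["staff"],
        "member": ["cn=dev,ou=groups,dc=example,dc=com",
                   "cn=everyone,ou=groups,dc=example,dc=com"]},  # staff and everyone form a cycle
    "cn=everyone,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["everyone"],
        "member": ["cn=staff,ou=groups,dc=example,dc=com"]},
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["admins"],
        "member": ["uid=root,ou=users,dc=example,dc=com"]},
    "cn=wheel,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["wheel"], "memberUid": ["jdoe"]},
}


def entry_values(dn: str, attr: str) -> List[str]:
    """Values of `attr` on the entry `dn`; "dn" is the entry name itself."""
    if attr == "dn":
        return [dn]
    return DIRECTORY.get(dn, {}).get(attr, [])


def search_groups(search_base: str, object_class: str, target_attr: str, link_value: str) -> List[str]:
    """In-memory equivalent of searching (&(objectClass=OC)(TARGET=VALUE))
    below search_base; returns the DNs of matching groups."""
    return [dn for dn, e in DIRECTORY.items()
            if dn.endswith("," + search_base)
            and object_class in e.get("objectClass", [])
            and link_value in e.get(target_attr, [])]


def user_groups(user_dn: str, *, search_base: str, object_class: str = "groupOfNames",
                target_attr: str = "member", user_source_attr: str = "dn",
                searched_attrs: Tuple[str, ...] = ("cn",), recursive: bool = False,
                group_source_attr: str = "dn", max_depth: int = 10) -> Dict[str, Entry]:
    """Return {group DN: {searched attribute: values}} for the user.

    `seen` stops cycles (A member of B member of A) and diamonds; max_depth
    bounds the walk even on a directory built to make it loop."""
    if not search_base:            # empty Search base disables group searching
        return {}
    groups: Dict[str, Entry] = {}
    seen: Set[str] = set()
    frontier = [(value, 0) for value in entry_values(user_dn, user_source_attr)]
    while frontier:
        link_value, depth = frontier.pop()
        for gdn in search_groups(search_base, object_class, target_attr, link_value):
            if gdn in seen:
                continue
            seen.add(gdn)
            groups[gdn] = {a: entry_values(gdn, a) for a in searched_attrs}
            if recursive and max_depth > depth + 1:
                frontier.extend((v, depth + 1) for v in entry_values(gdn, group_source_attr))
    return groups


def group_names(groups: Dict[str, Entry], attr: str = "cn") -> List[str]:
    """Flat, sorted list of group names, the shape a session variable would hold."""
    return sorted(name for g in groups.values() for name in g.get(attr, []))


if __name__ == "__main__":
    user = "uid=jdoe,ou=users,dc=example,dc=com"
    base = "ou=groups,dc=example,dc=com"
    print(group_names(user_groups(user, search_base=base)))                  # direct groups only
    print(group_names(user_groups(user, search_base=base, recursive=True)))  # parents too, cycle stopped
```

<p>
Without <code>Recursive</code> the user only gets <code>dev</code>; with it, <code>staff</code> and <code>everyone</code> are added and the <code>staff</code>/<code>everyone</code> loop terminates because each group is processed once. Rules written against parent groups therefore apply only when recursion is on, which is worth remembering when an access rule such as "member of staff" appears to do nothing.
</p>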
<h3 class="sectionedit10" id="password">Password</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> <strong>Password policy control</strong>: enable to use the LDAP password policy response control. This requires at least Net::LDAP 0.38 (see the ppolicy workflows below).</div>
</li>
<li class="level1"><div class="li"> <strong>Password modify extended operation</strong>: enable to use the LDAP <code>password modify</code> extended operation (RFC 3062) instead of a standard modify operation on the password attribute.</div>
</li>
<li class="level1"><div class="li"> <strong>Change as user</strong>: enable to perform the password modification with the credentials of the connected user rather than with the configured account. This requires asking the user for their old password (see <a href="portalcustom.html" class="wikilink1" title="documentation:2.0:portalcustom">portal customization</a>).</div>
</li>
<li class="level1"><div class="li"> <strong>LDAP password encoding</strong>: allows one to handle old LDAP servers that expect a specific encoding for passwords (default: utf-8).</div>
</li>
<li class="level1"><div class="li"> <strong>Use reset attribute</strong>: enable to use the password reset attribute. This attribute is set by LemonLDAP::NG when the <a href="resetpassword.html" class="wikilink1" title="documentation:2.0:resetpassword">password was reset by mail</a> and the user chose to have a password generated (default: enabled).</div>
</li>
<li class="level1"><div class="li"> <strong>Reset attribute</strong>: name of the password reset attribute (default: pwdReset).</div>
</li>
<li class="level1"><div class="li"> <strong>Reset value</strong>: value to set in the reset attribute to force a password reset (default: TRUE).</div>
</li>
<li class="level1"><div class="li"> <strong>Allow a user to reset his expired password</strong>: if activated, the user will be prompted to change their password if it has expired (default: 0)</div>
</li>
</ul>
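<p>
The block below is an added example, not LemonLDAP::NG code. It decodes the password policy response control of draft-behera-ldap-password-policy (control type <code>1.3.6.1.4.1.42.2.27.8.5.1</code>) that a server returns with the bind and modify responses when <code>Password policy control</code> is enabled, and maps it to the portal behaviours listed in the Presentation section and in the options above (account locked, forced change after reset, expired password with or without <code>Allow a user to reset his expired password</code>, expiration warning, password change errors). The BER samples are constructed for the example and the outcome strings summarise this page rather than naming any portal message identifier. In Perl the same decoding is done by Net::LDAP::Control::PasswordPolicy.
</p>

```python
"""Added example, not LemonLDAP::NG code: decode the LDAP password policy
response control (draft-behera-ldap-password-policy) and map it to the
portal behaviours described on this page.

The BER samples used in __main__ and in the tests are constructed.
"""
from typing import Dict, Optional, Tuple

PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# PasswordPolicyResponseValue ::= SEQUENCE {
#    warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
#                         graceAuthNsRemaining [1] INTEGER } OPTIONAL,
#    error   [1] ENUMERATED { ... } OPTIONAL }
PP_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}
WARNING_TAGS = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}


def _tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER element with definite length; return (tag, contents, next position)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    contents = data[pos:pos + length]
    if len(contents) != length:
        raise ValueError("truncated BER element")
    return tag, contents, pos + length


def decode_ppolicy(control_value: bytes) -> Dict[str, Optional[object]]:
    """Return {"warning": (kind, n) or None, "error": name or None}."""
    tag, seq, end = _tlv(control_value, 0)
    if tag != 0x30 or end != len(control_value):
        raise ValueError("control value must be one SEQUENCE")
    result: Dict[str, Optional[object]] = {"warning": None, "error": None}
    pos = 0
    while len(seq) > pos:
        tag, contents, pos = _tlv(seq, pos)
        if tag == 0xA0:                    # [0] warning: a tagged CHOICE is explicit, hence constructed
            inner_tag, inner, _ = _tlv(contents, 0)
            result["warning"] = (WARNING_TAGS[inner_tag], int.from_bytes(inner, "big"))
        elif tag == 0x81:                  # [1] error: implicitly tagged ENUMERATED, primitive
            code = int.from_bytes(contents, "big")
            result["error"] = PP_ERRORS.get(code, f"unknown({code})")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in PasswordPolicyResponseValue")
    return result


def bind_outcome(result_code: int, ppolicy: Optional[dict], allow_expired_reset: bool = False) -> str:
    """Portal behaviour after a bind, per this page. result_code 0 = success, 49 = invalidCredentials.
    allow_expired_reset mirrors "Allow a user to reset his expired password"."""
    error = ppolicy["error"] if ppolicy else None
    warning = ppolicy["warning"] if ppolicy else None
    if error == "accountLocked":
        return "refuse login: account locked"
    if error == "passwordExpired":
        return "password change form" if allow_expired_reset else "refuse login: password expired"
    if result_code != 0:
        return "refuse login: bad credentials"
    if error == "changeAfterReset":
        return "password change form before opening the SSO session"
    if warning and warning[0] == "timeBeforeExpiration":
        return f"open SSO session, warn: password expires in {warning[1]} seconds"
    if warning and warning[0] == "graceAuthNsRemaining":
        return f"open SSO session, warn: {warning[1]} grace logins remaining"
    return "open SSO session"


def change_outcome(ppolicy: Optional[dict]) -> str:
    """Message after a password change attempt, per the Presentation list."""
    messages = {
        "passwordTooShort": "password too short",
        "passwordInHistory": "password already used",
        "insufficientPasswordQuality": "password too weak",
        "passwordTooYoung": "password changed too recently",
        "mustSupplyOldPassword": "old password required",
        "passwordModNotAllowed": "password change not allowed",
    }
    error = ppolicy["error"] if ppolicy else None
    if error is None:
        return "password changed"
    return messages.get(error, f"error: {error}")


if __name__ == "__main__":
    for hexval in ("3003810101", "3005a00380013c", "3005a003810102", "3003810108"):
        print(hexval, decode_ppolicy(bytes.fromhex(hexval)))
```

<p>
Two details matter operationally: <code>changeAfterReset</code> arrives with a successful bind, so the portal has to intercept it before creating the session, and <code>accountLocked</code> and <code>passwordExpired</code> arrive with invalidCredentials, so without the control the portal could only report a generic bad-password error. The lockout message also reveals account state to an attacker, which is the trade-off the page's brute-force protection accepts.
</p>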
<div class="row"><div class="col-md-6">
<strong>Password expiration warning workflow</strong>
<a href="documentation/lemonldap-ng-password-expiration-warning.png_documentation_2.0_authldap.html" class="media" title="documentation:lemonldap-ng-password-expiration-warning.png"><img src="documentation/lemonldap-ng-password-expiration-warning.png" class="media" alt="Password expiration warning workflow" /></a>
</div>
<div class="col-md-6">
<strong>Password expiration workflow</strong>
<a href="documentation/lemonldap-ng-password-expired.png_documentation_2.0_authldap.html" class="media" title="documentation:lemonldap-ng-password-expired.png"><img src="documentation/lemonldap-ng-password-expired.png" class="media" alt="Password expiration workflow" /></a>
</div></div>
</div>
<!-- EDIT10 SECTION "Password" [4426-] --></div>
</body>
</html>