dani/lemonldap-ng
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
cc79680b89
lemonldap-ng/doc/pages/documentation/current/authldap.html
Xavier 39c968b215 Update doc
2019-09-23 22:41:16 +02:00

269 lines
15 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:authldap</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,authldap"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="authldap.html"/>
<link rel="contents" href="authldap.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:authldap","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#authentication_level">Authentication level</a></div></li>
<li class="level2"><div class="li"><a href="#exported_variables">Exported variables</a></div></li>
<li class="level2"><div class="li"><a href="#connection">Connection</a></div></li>
<li class="level2"><div class="li"><a href="#filters">Filters</a></div></li>
<li class="level2"><div class="li"><a href="#groups">Groups</a></div></li>
<li class="level2"><div class="li"><a href="#password">Password</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="ldap">LDAP</h1>
<div class="level1">
<div class="table sectionedit2"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Authentication </th><th class="col1 centeralign"> Users </th><th class="col2 centeralign"> Password </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 centeralign"></td><td class="col1 centeralign"></td><td class="col2 centeralign"></td>
</tr>
</table></div>
<!-- EDIT2 TABLE [21-90] -->
</div>
<!-- EDIT1 SECTION "LDAP" [1-91] -->
<h2 class="sectionedit3" id="presentation">Presentation</h2>
<div class="level2">
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> can use an LDAP directory to:
</p>
<ul>
<li class="level1"><div class="li"> authenticate user</div>
</li>
<li class="level1"><div class="li"> get user attributes</div>
</li>
<li class="level1"><div class="li"> get groups where user is registered</div>
</li>
<li class="level1"><div class="li"> change password (with server side password policy management)</div>
</li>
</ul>
<p>
This works with every LDAP v2 or v3 server, including <a href="authad.html" class="wikilink1" title="documentation:2.0:authad">Active Directory</a>.
</p>
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> is compatible with <a href="https://opends.dev.java.net/public/standards/draft-behera-ldap-password-policy.txt" class="urlextern" title="https://opends.dev.java.net/public/standards/draft-behera-ldap-password-policy.txt" rel="nofollow">LDAP password policy</a>:
</p>
<ul>
<li class="level1"><div class="li"> LDAP server can check password strength, and <abbr title="LemonLDAP::NG">LL::NG</abbr> portal will display correct errors (password too short, password in history, etc.)</div>
</li>
<li class="level1"><div class="li"> LDAP sever can block brute-force attacks, and <abbr title="LemonLDAP::NG">LL::NG</abbr> will display that account is locked</div>
</li>
<li class="level1"><div class="li"> LDAP server can force password change on first connection, and <abbr title="LemonLDAP::NG">LL::NG</abbr> portal will display a password change form before opening <abbr title="Single Sign On">SSO</abbr> session</div>
</li>
</ul>
</div>
<!-- EDIT3 SECTION "Presentation" [92-903] -->
<h2 class="sectionedit4" id="configuration">Configuration</h2>
<div class="level2">
<p>
In Manager, go in <code>General Parameters</code> &gt; <code>Authentication modules</code> and choose LDAP for authentication, users and/or password modules.
</p>
<div class="notetip">For <a href="authad.html" class="wikilink1" title="documentation:2.0:authad">Active Directory</a>, choose <code>Active Directory</code> instead of <code>LDAP</code>.
</div>
</div>
<!-- EDIT4 SECTION "Configuration" [904-1169] -->
<h3 class="sectionedit5" id="authentication_level">Authentication level</h3>
<div class="level3">
<p>
The authentication level given to users authenticated with this module.
</p>
<div class="noteimportant">As LDAP is a login/password based module, the authentication level can be:<ul>
<li class="level1"><div class="li"> increased (+1) if portal is protected by SSL (HTTPS)</div>
</li>
<li class="level1"><div class="li"> decreased (-1) if the portal autocompletion is allowed (see <a href="portalcustom.html" class="wikilink1" title="documentation:2.0:portalcustom">portal customization</a>)</div>
</li>
</ul>
</div>
</div>
<!-- EDIT5 SECTION "Authentication level" [1170-1535] -->
<h3 class="sectionedit6" id="exported_variables">Exported variables</h3>
<div class="level3">
<p>
List of attributes to query to fill user session. See also <a href="exportedvars.html" class="wikilink1" title="documentation:2.0:exportedvars">exported variables configuration</a>.
</p>
</div>
<!-- EDIT6 SECTION "Exported variables" [1536-1676] -->
<h3 class="sectionedit7" id="connection">Connection</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> <strong>Server host</strong>: LDAP server hostname or <abbr title="Uniform Resource Identifier">URI</abbr> (by default: localhost). Accept some specificities:</div>
<ul>
<li class="level2"><div class="li"> More than one server can be set here separated by spaces or commas. They will be tested in the specified order.</div>
</li>
<li class="level2"><div class="li"> To use TLS, set <code>ldap+tls://server</code> and to use LDAPS, set <code>ldaps://server</code> instead of server name.</div>
</li>
<li class="level2"><div class="li"> If you use TLS, you can set any of the <a href="http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod" class="urlextern" title="http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod" rel="nofollow">Net::LDAP</a> start_tls() sub like <code>ldap+tls://server/verify=none&amp;capath=/etc/ssl</code>. You can also use cafile and capath parameters.</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> <strong>Server port</strong>: TCP port used by LDAP server. Can be overridden by an LDAP <abbr title="Uniform Resource Identifier">URI</abbr> in server host.</div>
</li>
<li class="level1"><div class="li"> <strong>Users search base</strong>: Base of search in the LDAP directory.</div>
</li>
<li class="level1"><div class="li"> <strong>Account</strong>: <abbr title="Distinguished Name">DN</abbr> used to connect to LDAP server. By default, anonymous bind is used.</div>
</li>
<li class="level1"><div class="li"> <strong>Password</strong>: password to used to connect to LDAP server. By default, anonymous bind is used.</div>
</li>
<li class="level1"><div class="li"> <strong>Timeout</strong>: server idle timeout.</div>
</li>
<li class="level1"><div class="li"> <strong>Version</strong>: LDAP protocol version.</div>
</li>
<li class="level1"><div class="li"> <strong>Binary attributes</strong>: regular expression matching binary attributes (see <a href="http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod" class="urlextern" title="http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod" rel="nofollow">Net::LDAP</a> documentation).</div>
</li>
</ul>
<div class="noteimportant">LemonLDAP::NG need anonymous access to LDAP Directory RootDSE in order to check LDAP connection.
</div>
</div>
<!-- EDIT7 SECTION "Connection" [1677-2988] -->
<h3 class="sectionedit8" id="filters">Filters</h3>
<div class="level3">
<div class="notetip">In LDAP filters, $user is replaced by user login, and $mail by user email.
</div><ul>
<li class="level1"><div class="li"> <strong>Default filter</strong>: default LDAP filter for searches, should not be modified.</div>
</li>
<li class="level1"><div class="li"> <strong>Authentication filter</strong>: Filter to find user from its login (default: <code>(&amp;(uid=$user)(objectClass=inetOrgPerson))</code>)</div>
</li>
<li class="level1"><div class="li"> <strong>Mail filter</strong>: Filter to find user from its mail (default: <code>(&amp;(mail=$mail)(objectClass=inetOrgPerson))</code>)</div>
</li>
<li class="level1"><div class="li"> <strong>Alias dereference</strong>: How to manage LDAP aliases. (default: <code>find</code>)</div>
</li>
</ul>
<div class="notetip">For Active Directory, the default authentication filter is:
<pre class="code">(&amp;(sAMAccountName=$user)(objectClass=person))</pre>
<p>
And the mail filter is:
</p>
<pre class="code">(&amp;(mail=$mail)(objectClass=person))</pre>
</div>
</div>
<!-- EDIT8 SECTION "Filters" [2989-3710] -->
<h3 class="sectionedit9" id="groups">Groups</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> <strong>Search base</strong>: <abbr title="Distinguished Name">DN</abbr> of groups branch. If no value, disable group searching.</div>
</li>
<li class="level1"><div class="li"> <strong>Object class</strong>: objectClass of the groups (default: groupOfNames).</div>
</li>
<li class="level1"><div class="li"> <strong>Target attribute</strong>: name of the attribute in the groups storing the link to the user (default: member).</div>
</li>
<li class="level1"><div class="li"> <strong>User source attribute</strong>: name of the attribute in users entries used in the link (default: dn).</div>
</li>
<li class="level1"><div class="li"> <strong>Searched attributes</strong>: name(s) of the attribute storing the name of the group, spaces separated (default: cn).</div>
</li>
<li class="level1"><div class="li"> <strong>Decode searched value</strong>: with Active Directory, member <abbr title="Distinguished Name">DN</abbr> value is sometimes bad decoded and groups are not found, activate this option to force value decoding.</div>
</li>
<li class="level1"><div class="li"> <strong>Recursive</strong>: activate recursive group functionality (default: 0). If enabled, if the user group is a member of another group (group of groups), all parents groups will be stored as user&#039;s groups.</div>
</li>
<li class="level1"><div class="li"> <strong>Group source attribute</strong>: name of the attribute in groups entries used in the link, for recursive group search (default: dn).</div>
</li>
</ul>
</div>
<!-- EDIT9 SECTION "Groups" [3711-4712] -->
<h3 class="sectionedit10" id="password">Password</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> <strong>Password policy control</strong>: enable to use LDAP password policy. This requires at least Net::LDAP 0.38. (see ppolicy workflow below)</div>
</li>
<li class="level1"><div class="li"> <strong>Password modify extended operation</strong>: enable to use the LDAP extended operation <code>password modify</code> instead of standard modify operation.</div>
</li>
<li class="level1"><div class="li"> <strong>Change as user</strong>: enable to perform password modification with credentials of connected user. This requires to request user old password (see <a href="portalcustom.html" class="wikilink1" title="documentation:2.0:portalcustom">portal customization</a>).</div>
</li>
<li class="level1"><div class="li"> <strong>LDAP password encoding</strong>: can allow one to manage old LDAP servers using specific encoding for passwords (default: utf-8).</div>
</li>
<li class="level1"><div class="li"> <strong>Use reset attribute</strong>: enable to use the password reset attribute. This attribute is set by LemonLDAP::NG when <a href="resetpassword.html" class="wikilink1" title="documentation:2.0:resetpassword">password was reset by mail</a> and the user choose to generate the password (default: enabled).</div>
</li>
<li class="level1"><div class="li"> <strong>Reset attribute</strong>: name of password reset attribute (default: pwdReset).</div>
</li>
<li class="level1"><div class="li"> <strong>Reset value</strong>: value to set in reset attribute to activate password reset (default: TRUE).</div>
</li>
<li class="level1"><div class="li"> <strong>Allow a user to reset his expired password</strong>: if activated, the user will be prompted to change password if his password is expired (default: 0)</div>
</li>
<li class="level1"><div class="li"> <strong>IBM Tivoli DS support</strong>: enable this option if you use ITDS. <abbr title="LemonLDAP::NG">LL::NG</abbr> will then scan error message to return a more precise error to the user.</div>
</li>
</ul>
<p>
<div class="row"><div class="col-md-6">
<strong>Password expiration warning workflow</strong>
<a href="documentation/lemonldap-ng-password-expiration-warning.png_documentation_2.0_authldap.html" class="media" title="documentation:lemonldap-ng-password-expiration-warning.png"><img src="documentation/lemonldap-ng-password-expiration-warning.png" class="media" alt="" /></a>
</div>
<div class="col-md-6">
<strong>Password expiration workflow</strong>
<a href="documentation/lemonldap-ng-password-expired.png_documentation_2.0_authldap.html" class="media" title="documentation:lemonldap-ng-password-expired.png"><img src="documentation/lemonldap-ng-password-expired.png" class="media" alt="" /></a>
</div></div>
</p>
</div>
<!-- EDIT10 SECTION "Password" [4713-] --></div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink