Configuration/Authentication Settings/Active Directory

From Davical

Using Active Directory for Authentication

The goal is to have DAViCal refer to Windows Active Directory when a new user logs in.

Configuring to Use Active Directory

Configuring DAViCal to use Active Directory for authentication is done in the conf file found at /etc/davical/. A detailed explanation of the syntax of this file can be found at Configuration.

For the purpose of this section I've attached my configuration (with a few edits to mask sensitive information) below:

 <?php
   $c->sysabbr     = 'DAViCal';
   $c->admin_email = 'administrator@example.com';
 
   $c->pg_connect[] = 'dbname=davical port=5432 user=davical_dba';
   // Hand authentication to the LDAP driver included at the bottom of this file.
   $c->authenticate_hook['call'] = 'LDAP_check';
   $c->authenticate_hook['config'] = array(
       'host'            => 'ldap://domain_controller.example.com',
       'bindDN'          => 'bind_user@example.com',   // functional account used for the bind/search phase
       'passDN'          => 'xxxxxxxx',                 // its password (masked here)
       'baseDNUsers'     => 'OU=Accounts,DC=example,DC=com',
       'protocolVersion' => 3,
       'optReferrals'    => 0,
       'filterUsers'     => '(&(objectclass=person)(objectclass=user))',
       // DAViCal field => AD attribute
       'mapping_field'   => array("username" => "sAMAccountName",
                                  "modified" => "whenChanged",
                                  "fullname" => "cn",
                                  "email"    => "mail"),
       'default_value'   => array("date_format_type" => "E", "locale" => "en_NZ"),
       // How to read the 'modified' attribute: each entry is (offset, length)
       // into the AD timestamp, which starts with YYYYMMDDHHMMSS.
       'format_updated'  => array('Y' => array(0,4),
                                  'm' => array(4,2),
                                  'd' => array(6,2),
                                  'H' => array(8,2),
                                  'M' => array(10,2),
                                  'S' => array(12,2)),
   );
   include_once('drivers_ldap.php');


When you use Active Directory (or more generally LDAP) to authenticate, there are two parts to the process. Part 1 is the "bind/search" phase and Part 2 is the "authentication" phase.

In the bind/search phase, the application you are using "binds" to the LDAP service, creating a bridge between your application and the authentication service. It then searches for the user whose credentials are being provided for authentication.

Then, in the authentication phase, the authentication service authenticates the user based on the credentials passed to it over that bridge and sends a reply back to the application.

The configuration file above provides the information needed for these two steps.

To explain some key entries:

  • 'host' : This is where to specify the host that provides authentication, in this case the Active Directory server.
  • 'bindDN' : This is the ID needed to perform the bind part of the "bind/search" phase. You will have to prepare a functional ID in Active Directory specifically for the purpose of letting DAViCal bind to the LDAP Service provided by Active Directory. Have your Windows Active Directory Administrator prepare one for you, then put the login ID for that account here. Format here should be "username@domainname".
  • 'passDN' : The login password for the Functional ID used above.
  • 'baseDNUsers' : This is the LDAP path used in the second half of the "bind/search" phase to look up the login ID provided to the application for authentication. If the user trying to log in does not have a login ID under this LDAP path, authentication will fail.
  • 'filterUsers' : This is used to specify only real users when performing the search. If you have a small user base it's not really important, but specifying the filter will exclude any ID for things like Security Groups and Distribution lists you may have in AD.
  • 'mapping_field' : This is used to map AD attributes to DAViCal attributes. "sAMAccountName" is AD jargon for "login ID".
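As an added illustration (not DAViCal's own code), here is the two-phase login described above written against PHP's ldap extension, using the same configuration keys as the file above; the host, functional account, password and user name are constructed placeholders. It also shows two checks the description implies but does not spell out: the supplied user name is escaped before it goes into the search filter, and an empty password is refused before the second bind.

```php
<?php
// Added example, not DAViCal's code: the two-phase login described above, using PHP's
// ldap extension. Host, functional account and password are constructed placeholders.
$config = [
    'host'          => 'ldap://domain_controller.example.com',
    'bindDN'        => 'bind_user@example.com',
    'passDN'        => 'xxxxxxxx',
    'baseDNUsers'   => 'OU=Accounts,DC=example,DC=com',
    'filterUsers'   => '(&(objectclass=person)(objectclass=user))',
    'mapping_field' => ['username' => 'sAMAccountName', 'fullname' => 'cn', 'email' => 'mail'],
];

// Returns the mapped user record on success, or null when the login must be refused.
function ad_login(array $cfg, string $username, string $password): ?array
{
    // Refuse an empty password first: LDAP treats a bind with an empty password
    // as an anonymous bind and reports success, which would log anyone in.
    if ($password === '') { return null; }
    $ldap = ldap_connect($cfg['host']);
    if ($ldap === false) { return null; }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); // 'protocolVersion'
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);        // 'optReferrals'

    // Phase 1, bind/search: bind as the functional account, then find the user
    // under baseDNUsers. ldap_escape() keeps characters such as "*" or ")" in
    // the supplied name from changing the meaning of the filter.
    if (!@ldap_bind($ldap, $cfg['bindDN'], $cfg['passDN'])) { return null; }
    $attr   = $cfg['mapping_field'];
    $filter = sprintf('(&%s(%s=%s))', $cfg['filterUsers'], $attr['username'],
                      ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $result  = ldap_search($ldap, $cfg['baseDNUsers'], $filter, array_values($attr));
    $entries = $result ? ldap_get_entries($ldap, $result) : ['count' => 0];
    if ($entries['count'] !== 1) { return null; } // no such user, or an ambiguous match

    // Phase 2, authentication: re-bind as the user's own DN with the password
    // the client supplied; the directory's bind result is the verdict.
    $ok = @ldap_bind($ldap, $entries[0]['dn'], $password);
    ldap_unbind($ldap);
    if (!$ok) { return null; }
    $user = [];
    foreach ($attr as $field => $adName) { // ldap_get_entries() lowercases attribute names
        $user[$field] = $entries[0][strtolower($adName)][0] ?? null;
    }
    return $user;
}
```

Calling `ad_login($config, 'jsmith', $password)` returns an array keyed by the 'mapping_field' names on success and null for an unknown user, a bad password, or a failed functional bind.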

Configuring Apache2

The final step is to configure Apache to use its LDAP modules.

Navigate to the directory /etc/apache2/mods-enabled and do the following:

>sudo su
>ln -s ../mods-available/auth_ldap.load .
>ln -s ../mods-available/ldap.load .

This will cause Apache2 to load its LDAP modules when starting up. Remember to restart Apache2 after enabling the LDAP modules.

>/etc/init.d/apache2 restart

Accessing Calendars

You can access your DAViCal calendar either through a CalDAV compatible client or through your browser. Note, however, that if you use your browser to access a calendar with no events or entries in it you will get a "page not found" error.

After accessing the calendar through a CalDAV client such as Sunbird, you will be able to download an iCal file through the browser interface as well.