Configuration/Authentication Settings/Active Directory

From Davical

Using Active Directory for Authentication

This section proceeds from where the base installation described in Installation Guide Update (Feb 2008) leaves off.

The goal is to have DAViCal refer to Windows Active Directory when a new user logs in.

Getting the Correct LDAP Driver

The 0.9.4 installation does not come with the correct LDAP driver to connect to Windows Active Directory. Please obtain the correct driver either from the SourceForge forum or by contacting the developers, who can be reached through the IRC channel.

Back up the existing LDAP driver (filename drivers_ldap.php) found in the /usr/share/rscds/inc/ directory and copy the obtained driver over it.

Configuring to Use Active Directory

Configuring DAViCal to use Active Directory for authentication is done in the configuration file found under /etc/davical/. The name of the file follows the format XXXX-conf.php, where XXXX is the hostname used in the URL to access calendars. (See Installation Guide Update (Feb 2008), section "DAViCal Configuration" for details.)

A detailed explanation of the syntax of this file can be found at Configuration.

For the purpose of this section I've attached my configuration (with a few edits to mask sensitive information) below:

 <?php
   $c->sysabbr    = 'DAViCal';
   $c->admin_email= 'administrator@example.com';
   // Debug logging for every component; useful while getting AD login to work,
   // switch it off once it does.
   $c->dbg["ALL"] =1;
 
   $c->pg_connect[] = 'dbname=davical port=5432 user=davical_dba';
   $c->authenticate_hook['call'] = 'LDAP_check';
   $c->authenticate_hook['config'] = array(
       // ldap:// sends the bind password in clear text; use ldaps:// where the
       // domain controller offers it with a certificate the web server trusts.
       'host'            => 'ldap://domain_controller.example.com',
       'bindDN'          => 'bind_user@example.com',
       // Clear-text password: keep this file readable only by the web server user.
       'passDN'          => 'xxxxxxxx',
       'baseDNUsers'     => 'OU=Accounts,DC=example,DC=com',
       'protocolVersion' => 3,
       // Do not chase referrals; AD returns them for sub-domains and the
       // searches fail if the driver follows them.
       'optReferrals'    => 0,
       'filterUsers'     => '(&(objectclass=person)(objectclass=user))',
       'mapping_field' => array("username" => "sAMAccountName",
                            "fullname" => "cn" ,
                            "email" =>"mail"),
       'default_value' => array("date_format_type" => "E","locale" => "en_NZ"),
       // Positions of Y/m/d/H/M/S in AD's whenChanged timestamp (YYYYMMDDHHMMSS.0Z)
       'format_updated'=> array('Y' => array(0,4),
                                'm' => array(4,2),
                                'd' => array(6,2),
                                'H' => array(8,2),
                                'M' => array(10,2),
                                'S' => array(12,2)),
 
   );
   include_once('drivers_ldap.php');
 ?>

When you use Active Directory (or more generally LDAP) to authenticate, the driver goes through three steps: a service "bind", a "search", and a second bind as the user.

In the bind step, DAViCal connects to the LDAP service and binds with the functional account given by 'bindDN' and 'passDN'. This opens an authenticated session that the application can then use to query the directory.

In the search step, DAViCal uses that session to look up, under 'baseDNUsers', the entry whose login attribute matches the username the person typed into the login form.

Finally, the password is checked by binding again as the DN of the entry the search returned, using the password the person supplied. The search alone only proves that the account exists; it is this second bind that verifies the password. If any of the three steps fails, the login is refused.

The configuration file above provides the information needed for all of these steps.

To explain some key entries:

  • 'host' : The LDAP URI of the server that provides authentication, in this case the Active Directory domain controller. With ldap:// the simple bind sends the bind password in clear text; prefer ldaps:// where the domain controller has a certificate the web server trusts.
  • 'bindDN' : The account used for the "bind" step. Have your Windows Active Directory administrator create a functional (service) account specifically for letting DAViCal bind to the LDAP service provided by Active Directory, with no rights beyond reading the user OU, and put the login ID of that account here. The format is "username@domainname" (the user principal name), which Active Directory accepts in place of a full DN.
  • 'passDN' : The password of the functional account above. It is stored in clear text, so keep the configuration file readable only by the web server user.
  • 'baseDNUsers' : The LDAP path (search base) used in the "search" step for the login ID the user gave to the application. If the account of the user trying to log in is not under this path, authentication fails.
  • 'filterUsers' : Restricts the search to real users. With a small user base it is not really important, but the filter excludes IDs such as security groups and distribution lists you may have in AD. Note that the filter above still matches computer accounts, which also carry the objectClass values user and person; '(&(objectCategory=person)(objectClass=user))' matches user accounts only.
  • 'mapping_field' : Maps AD attributes to DAViCal attributes. "sAMAccountName" is AD jargon for "login ID"; "cn" and "mail" supply the full name and e-mail address.
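The bind, search and user-bind sequence described above, using the same configuration keys explained in the list, as an added stand-alone check script. This is example code written for this page, not DAViCal's own drivers_ldap.php, and it needs a reachable domain controller to run. The host name, DNs, password, the key 'usernameAttr' and the function name ad_check() are this example's own placeholders; replace the values with those from your conf file.

```php
<?php
// Added example (not DAViCal code): reproduce the three LDAP steps from the
// command line so the config values can be verified outside the web server.
// Run as:  php ad_check.php <username> <password>
$config = array(
    'host'         => 'ldaps://domain_controller.example.com',   // placeholder
    'bindDN'       => 'bind_user@example.com',                   // placeholder
    'passDN'       => 'xxxxxxxx',                                // placeholder
    'baseDNUsers'  => 'OU=Accounts,DC=example,DC=com',           // placeholder
    'filterUsers'  => '(&(objectclass=person)(objectclass=user))',
    'usernameAttr' => 'sAMAccountName',   // key invented for this example
);

// Returns array(bool $ok, string $message).
function ad_check(array $cfg, $username, $password)
{
    if ($password === '') {
        // A bind with a DN and an empty password is an unauthenticated bind,
        // which AD accepts; it must never count as a successful login.
        return array(false, 'empty password refused');
    }

    $conn = ldap_connect($cfg['host']);
    if ($conn === false) {
        return array(false, 'bad LDAP URI');
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);   // same as 'optReferrals' => 0

    // Step 1: bind with the functional (service) account.
    if (!@ldap_bind($conn, $cfg['bindDN'], $cfg['passDN'])) {
        return array(false, 'service bind failed: ' . ldap_error($conn));
    }

    // Step 2: search for the login ID under baseDNUsers. The username comes
    // from the login form, so escape it before it is placed in the filter.
    $filter = '(&' . $cfg['filterUsers']
            . '(' . $cfg['usernameAttr'] . '='
            . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
    $result = @ldap_search($conn, $cfg['baseDNUsers'], $filter, array('cn', 'mail'));
    if ($result === false) {
        return array(false, 'search failed: ' . ldap_error($conn));
    }
    $entries = ldap_get_entries($conn, $result);
    if ($entries['count'] !== 1) {
        // 0: no such user under baseDNUsers; >1: ambiguous, refuse rather than guess.
        return array(false, 'expected exactly one entry, got ' . $entries['count']);
    }
    $dn = $entries[0]['dn'];

    // Step 3: verify the password by binding as the entry that was found.
    if (!@ldap_bind($conn, $dn, $password)) {
        return array(false, 'user bind failed for ' . $dn . ': ' . ldap_error($conn));
    }
    ldap_unbind($conn);
    return array(true, 'authenticated ' . $dn);
}

if ($argc !== 3) {
    fwrite(STDERR, "usage: php ad_check.php <username> <password>\n");
    exit(2);
}
list($ok, $msg) = ad_check($config, $argv[1], $argv[2]);
echo ($ok ? 'OK: ' : 'FAIL: ') . $msg . "\n";
exit($ok ? 0 : 1);
```

A failure in step 1 points at 'bindDN'/'passDN' or the host URI, a zero-entry result in step 2 at 'baseDNUsers' or 'filterUsers', and a failure in step 3 at the user's password or a locked account; ldap_error() gives the server's own reason. ldap_escape() requires PHP 5.6 or later. With ldaps:// the domain controller's certificate must chain to a CA the web server trusts, otherwise ldap_bind() fails before step 1.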