Configuration/Authentication Settings/Active Directory
Using Active Directory for Authentication
This Section proceeds from where the base installation described in Installation Guide Update (Feb 2008) leaves off.
The goal is to have DAViCal refer to Windows Active Directory when a new user logs in.
Getting the Correct LDAP Driver
The 0.9.4 installation does not come with the correct ldap driver to connect with Windows Active Directory. Please obtain the correct driver either from the Soureforge Forumn or contacting the developers, they can be reached through the IRC channel.
Backup the existing ldap driver (filename, drivers_ldap.php) found in the /usr/share/rscds/inc/ directory and copy the obtained driver into it.
Configuring to Use Active Directory
Configuring DAViCal to use Active Directory for Authentication is done in the conf file found at /etc/davical/. The name of the file follows the format of XXXX-conf.php, where XXXX is the hostname used in the URL to access calendars. (See Installation Guide Update (Feb 2008), section "DAViCal Configuration" for details.)
A detailed explanation for the syntax of this file can be at Configuration.
For the purpose of this section I've attached my configuration (with a few edits to mask sensitive information) here below;
<?php $c->sysabbr = 'DAViCal'; $c->admin_email= 'email@example.com' $c->dbg["ALL"] =1; $c->pg_connect = 'dbname=davical port=5432 user=davical_dba'; $c->authenticate_hook['call'] = 'LDAP_check'; $c->authenticate_hook['config'] = array( 'host' => 'ldap://domain_controller.example.com', 'bindDN' => 'firstname.lastname@example.org', 'passDN' => 'xxxxxxxx', 'baseDNUsers' => 'OU=Accounts,DC=example,DC=com', 'protocolVersion' => 3, 'optReferrels' => 0, 'filterUsers' => '(&(objectclass=person)(objectclass=user))', 'mapping_field' => array("username" => "sAMAccountName", "fullname" => "cn" , "email" =>"mail"), 'default_value' => array("date_format_type" => "E","locale" => "en_NZ"), 'format_updated'=> array('Y' => array(0,4), 'm' => array(4,2), 'd' => array(6,2), 'H' => array(8,2), 'M' => array(10,2), 'S' => array(12,2)), ); include_once('drivers_ldap.php'); ?>
When you use Active Directory (or more generally LDAP) to authenticate, there are 2 parts to the process. Part 1 is the "bind/search" phase and Part 2 is called the "authentication" phase.
In the bind/search phase, the application you are using "binds" to the LDAP service creating a bridge between your application and the authentication service. It then searches for the user whose credentials are being provided for authentication.
Then in authentication phase, the authentication service authenticates the user based on the credentials passed to it by the bridge and sends back a reply to the application.
The configuration file above provides the information needed to do these 2 acts.
To explain some key entries;
- 'host' : This is where to specify the host that provides authentication, in this case the Active Directory server.
- 'bindDN' : This is the ID needed to perform the bind part of the "bind/search" phase. You will have to prepare a functional ID in Active Directory specifically for the purpose of letting DAViCal bind to the LDAP Service provided by Active Directory. Have your Windows Active Directory Administrator prepare one for you, then put the login ID for that account here. Format here should be "username@domainname".
- 'passDN' : The login password for the Functional ID used above.
- 'baseDNUsers' : This is the LDAP path used in the second half of the"bind/search" phase for the login ID provided the application for authentication. If the user trying to login does not have a login ID under this LDAP path, authentication will fail.
- 'filterUsers' : This is used to specify only real users when performing the search. If you have a small user base it's not really important, but specifying the filter will exclude any ID for things like Security Groups and Distribution lists you may have in AD.
- 'mapping_field' : This is used to map AD attributes to DAViCal attributes. "sAMAccountName" is AD jargon for "login ID".
The finale step is to configure apache to use its LDAP modules.
Navigate to the directory /etc/apache2/mods-enabled" do the following;
>sudo su >ln -s ../mods-available/auth_ldap.load . >ln -s ../mods-available/ldap.load .
This will cause Apache2 to load its LDAP modules when starting up. Remember to restart Apache2 after enabling the LDAP modules.
You can access your DAViCal calendar either through a CALDAV compatible client or through your browser. Please note however that if you use your browser to access a calendar with no events or entries in it you will get a "page not found" error.
After accessing the calendar through a CALDAV client such as Sunbird, you will be able to download an iCal file through the browser interface as well.