Difference between revisions of "Configuration/Authentication Settings/LDAP"

From Davical
Jump to navigationJump to search
m
m (LDAP Settings)
Line 77: Line 77:
 
   include('drivers_ldap.php');
 
   include('drivers_ldap.php');
 
</pre>
 
</pre>
 +
 +
Explanation of parameters:
 +
{{Tlist}}
 +
{{TRlist}}host
 +
{{TDlist}}The hostname of the LDAP server. Use DNS names or IP addresses or use URI notation for more specific ways to connect (e.g. ldap over SSL)
 +
{{TRlist}}port
 +
{{TDlist}}The port to connect to the LDAP server on
 +
{{TRlist}}bindDN
 +
{{TDlist}}The DN to bind to - leave this empty for anonymous authentication
 +
{{TRlist}}passDN
 +
{{TDlist}}The password for the bind - leave this empty for anonymous authentication
 +
{{TRlist}}baseDNUsers
 +
{{TDlist}}The base DN to look in for valid users
 +
{{TRlist}}filterUsers
 +
{{TDlist}}A filter which must pass for this to be a valid user
 +
{{TRlist}}baseDNGroups
 +
{{TDlist}}The base DN to look in for valid groups
 +
{{TRlist}}filterGroups
 +
{{TDlist}}A filter which must pass for this to be a valid group
 +
{{TRlist}}mapping_field
 +
{{TDlist}}An array of DAViCal field names vs. their LDAP mappings
 +
{{TRlist}}group_mapping_field
 +
{{TDlist}}An array of DAViCal field names vs. their LDAP mappings
 +
{{TRlist}}default_value
 +
{{TDlist}}An array of DAViCal field names vs. fixed default values
 +
{{TRlist}}format_updated
 +
{{TDlist}}An array, keyed on Y, m, d, H, M and S with the values being arrays of (start,length) for substring operations on the DAViCal 'updated' field sourced from LDAP.
 +
{{TRlist}}scope
 +
{{TDlist}}The search scope for all LDAP searches (users and groups)
 +
|}
  
 
== Working Example ==
 
== Working Example ==

Revision as of 09:38, 9 January 2015

DAViCal supports LDAP Authentication. This page provides configuration settings and an example of configuring DAViCal with LDAP at version 0.9.3 and newer (the code itself sits in inc/drivers_ldap.php).

Some authentication examples, including LDAP, are also shown in Configuration, and in the config directory in the tarball.

For LDAP Authentication, it's important to install the LDAP modules for PHP (the php5-ldap package under debian/ubuntu).

Introduction

DAViCal has it's own user database. Even if you configure DAViCal to authenticate against your LDAP server, all it's going to do is trying to synchronize it's own database with the part of your LDAP tree you specified. The reason for that is simply, that DAViCal will always try to protect it's data and it won't take a missing LDAP user as enough of a reason to purge all his calendars and contacts. Instead it will render him 'inactive', so if you really wan't to get rid of a user you'll have to delete him twice: in your LDAP structure and via the DAViCal admin interface.

When a user logs in for the first time, an SQL record is created from the LDAP data using the mappings above: a cn entry in LDAP becomes username in SQL, all other attributes are mapped accordingly to your configuration file. If LDAP authentication is activated and configured DAViCal won't save the users password in the database! LDAP is to do the authentication after all. That also means that if you loose your LDAP data for some reason, your users won't be able to access their calendar or contacts either (but at least they'll still be there, which should be good news for you at this point.)

You import/sync users and groups via the "Administration --> Tools --> Sync with LDAP" menu in the web interface. It will check both, the users in your LDAP tree and the ones in it's own database. As said, if a user is absent in LDAP but active in DAViCal it will render him 'inactive' and thereby deny him access to any calendar ressources. Does the user exist on both sides, DAViCal will try to update the user according to the changes in its LDAP attributes, if any. If DAViCal finds users in your LDAP that it doesn't know about it will create a new user in it's SQL database. Therefor you should try to be precise when you define the user tree in the LDAP section of your DAViCal configuration - otherwise you'll end up with all sorts of useless accounts and ressources in your DAViCal database.

Support for group import was added in 0.9.9. You'll need the baseDNGroups, filterGroups and group_mapping_field set in the config to import groups (see the example below or the example-config.php in the source).

Supported features

OpenLDAP and ActiveDirectory support
SSL, TLS and Unix socket support all in URI notation e.g. ldapi:// over Unix socket, ldaps://:636 over SSL and ldap://:389 over TLS
Support for both anonymous and non-anonymous bind
No dependency at all on the schema that is being used you define the attribute mapping
Group Mapping see LDAP_groups for slightly more information
Support for filtered LDAP searches allows to save bandwith and ressources by querying the LDAP server for a smaller subset of information
Support for both the native application authentication and LDAP the current authentication hook allows for authentication to fall back to the local database
User defined timeout durations for LDAP connections
User sync via CRON script

LDAP Settings

The settings for the LDAP connection go in the config file /etc/davical/config.php (or perhaps /etc/davical/<servername>-conf.php).

  $c->authenticate_hook['call'] = 'LDAP_check';
  $c->authenticate_hook['config'] = array(
    'host'          => '<LDAP SERVER>', //host name of your LDAP Server, use URI notation for LDAP over SSL on port 636
    'port'          => '<PORT>', //port
    'bindDN'        => '<BIND-CONTAINER/USERNAME>', //DN to bind request to this server (if required)
    'passDN'        => '<PASSWORD>', //Password of request bind
    'baseDNUsers'   => 'cn=Users,dc=company,dc=com', //where to look for valid user
    'filterUsers' => 'objectClass=inetOrgPerson', //filter which must validate a user according to RFC4515, i.e. surrounded by brackets
    'baseDNGroups' => 'ou=Groups,dc=company,dc=com', //where to look for groups
    'filterGroups' => 'objectClass=posixGroup', //filter with same rules as filterUsers, could also be groupOfUniqueNames
    'protocolVersion' => 3, // important for simple auth (no sasl)
//    'startTLS'    => true, // securing your LDAP connection
    'mapping_field' => array(
                             'username' => 'uid',
                             'modified'  => 'modifyTimestamp',
                             'fullname' => 'cn', // "Common Name"
//                           'user_no'  => 'uidNumber', // Set DAViCAL user no to match Unix uid from LDAP
                             'email'    => 'mail'), //used to create the user based on his LDAP properties
    'group_mapping_field' => array('username' => 'cn',
                             'modified' => 'modifyTimestamp',
                             'fullname' => 'cn' ,
                             'members' =>'memberUid'
                             ), //used to create the group based on the ldap properties
    'format_updated'=> array('Y' => array(0,4),
                             'm' => array(4,2),
                             'd' => array(6,2),
                             'H' => array(8,2),
                             'M' => array(10,2),
                             'S' => array(12,2)), // map LDAP "modifyTimestamp" field to SQL "updated" field
     'scope' => 'subtree', // Search scope to use, defaults to subtree ( applies to BOTH user and group mappings )
                           // Allowed values: base, onelevel, subtree.
  );
  include('drivers_ldap.php');

Explanation of parameters:

host The hostname of the LDAP server. Use DNS names or IP addresses or use URI notation for more specific ways to connect (e.g. ldap over SSL)
port The port to connect to the LDAP server on
bindDN The DN to bind to - leave this empty for anonymous authentication
passDN The password for the bind - leave this empty for anonymous authentication
baseDNUsers The base DN to look in for valid users
filterUsers A filter which must pass for this to be a valid user
baseDNGroups The base DN to look in for valid groups
filterGroups A filter which must pass for this to be a valid group
mapping_field An array of DAViCal field names vs. their LDAP mappings
group_mapping_field An array of DAViCal field names vs. their LDAP mappings
default_value An array of DAViCal field names vs. fixed default values
format_updated An array, keyed on Y, m, d, H, M and S with the values being arrays of (start,length) for substring operations on the DAViCal 'updated' field sourced from LDAP.
scope The search scope for all LDAP searches (users and groups)

Working Example

If your OpenLDAP server allows authentication from Apache 2.0 with an httpd config like:

 <IfModule mod_auth_ldap.c>
   AuthLDAPURL ldap://ldap.example.com/o=example
   AuthName "Example Inc. users"
   AuthType Basic
 </IfModule>
 order deny,allow
 deny from all
 require valid-user
 satisfy any

Then the following config allows authentication from DAViCal via LDAP:

<?php
 $c->pg_connect[] = 'dbname=davical port=5432 user=general';
 $c->authenticate_hook['call'] = 'LDAP_check';
 $c->authenticate_hook['config'] = array(
     'host' => 'ldap.example.com',
     'port' => '389',
     // 'startTLS' => true, // enable this if your LDAP server wants TLS
     // note that for LDAP over SSL on port 636 you'll have to use URI syntax: ldaps:///
     'filterUsers' => 'objectclass=*',    // we need this to successfully search users
     'baseDNUsers' => 'o=example',  // most orgs have more fields
     'protocolVersion' => 3, 
     'mapping_field' => array("username" => "uid",
                              "modified" => "modifyTimestamp",
                              "fullname" => "cn" ,  // "Common Name" 
                              // "user_no" => "uidNumber" ,  // set DAViCal user no to match Unix uid from LDAP, may cause sql_from_object problems if these user ids do not actually match...
                              "email" => "mail"
                              ), //used to create the user based on his LDAP properties
     'format_updated'=> array('Y' => array(0,4),
                              'm' => array(4,2),
                              'd' => array(6,2),
                              'H' => array(8,2),
                              'M' => array(10,2),
                              'S' => array(12,2)), // map LDAP "modifyTimestamp" field to SQL "updated" field
   );
 include('drivers_ldap.php');
?>

Kerberos Authentication

You can use mod_auth_kerb in apache to get kerberos authentication for your davical accounts. Apache-Config Snippet:

  <Directory /usr/share/davical/htdocs/>
      AuthType Kerberos
      AuthName "Calendar Login"
      AllowOverride None
      Order allow,deny
      Allow from all

      Require valid-user
      # the following is available since mod_auth_kerb 5.4, it maps full kerberos principal "foo@FOOBAR.COM" to "foo"
      KrbLocalUserMapping On 
  </Directory>

The ldap configuration has to be extended with a:

  $c->authenticate_hook['config'] = array(
    // ...
    'i_use_mode_kerberos' => "i_know_what_i_am_doing",
    // ...
  );

Prevent single users from being synced from LDAP

If there is some user you do not want to sync from LDAP, put their username in this list:

For example:

$c->do_not_sync_from_ldap = array( 'admin' => true, 'mrbond' => true );

This would set user's 'admin' & 'mrbond' to not be synchronised from your LDAP data. This can be useful if you want to retain a DAViCal specific Administrative user without having a user of that name in your LDAP database, or any other reason you can think up for wanting to have DAViCal users who are not in LDAP...

Available from DAViCal version: 0.9.8.4 and later