Difference between revisions of "Configuration/hooks/Authentication/LDAP"

From Davical
(Create page)
 
(page is outdated and replaced and should be deleted)
 
This page is intended to document the LDAP authentication driver, which is implemented in <tt>inc/drivers_ldap.php</tt>.
 
  
== LDAP Settings ==
 
 
The settings for the LDAP connection go in the config file <tt>/etc/davical/<servername>-conf.php</tt> (this file might be in <tt>/etc/rscds/</tt> if you upgraded from an older installation).
 
 
<pre>
  $c->authenticate_hook['call'] = 'LDAP_check';
  $c->authenticate_hook['config'] = array(
    'host'          => '<LDAP SERVER>', //host name of your LDAP Server
    'port'          => '<PORT>', //port
    'bindDN'        => '<BIND-CONTAINER/USERNAME>', //DN to bind request to this server (if required)
    'passDN'        => '<PASSWORD>', //Password of request bind
    'baseDNUsers'   => 'cn=Users,dc=company,dc=com', //where to look for valid user
    'filterUsers'   => 'objectClass=inetOrgPerson', //filter which must validate a user according to RFC4515, i.e. surrounded by brackets
    'baseDNGroups'  => 'ou=Groups,dc=company,dc=com', //where to look for groups
    'filterGroups'  => 'objectClass=posixGroup', //filter with same rules as filterUsers, could also be groupOfUniqueNames
    'protocolVersion' => 3, // important for simple auth (no sasl)
//    'startTLS'    => true, // securing your LDAP connection
    'mapping_field' => array(
                            'username' => 'uid',
                            'updated'  => 'modifyTimestamp',
                            'fullname' => 'cn', // "Common Name"
//                          'user_no'  => 'uidNumber', // Set DAViCAL user no to match Unix uid from LDAP
                            'email'    => 'mail'), //used to create the user based on his LDAP properties
    'group_mapping_field' => array('username' => 'cn',
                            'updated'  => 'modifyTimestamp',
                            'fullname' => 'cn',
                            'members'  => 'memberUid'
                            ), //used to create the group based on the ldap properties
    'format_updated'=> array('Y' => array(0,4),
                            'm' => array(4,2),
                            'd' => array(6,2),
                            'H' => array(8,2),
                            'M' => array(10,2),
                            'S' => array(12,2)), // map LDAP "modifyTimestamp" field to SQL "updated" field
    'scope' => 'subtree', // Search scope to use, defaults to subtree ( applies to BOTH user and group mappings )
                          // Allowed values: base, onelevel, subtree.
  );
  include('drivers_ldap.php');
</pre>
 
 
=== Explanation ===
 
 
When a user logs in for the first time, an SQL record is created from the LDAP data using the mappings above (a ''cn'' entry in LDAP becomes ''username'' in SQL, etc.).
 
 
Group import was added in 0.9.9. To import groups you need <tt>baseDNGroups</tt>, <tt>filterGroups</tt> and <tt>group_mapping_field</tt> set in the config; see the settings above or the example-config.php in the source.
 
Import/sync users and groups via the Administration > Import Calendars menu in the web interface.
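As an added illustration (this is not code from DAViCal's drivers_ldap.php), the following PHP applies the <tt>mapping_field</tt> and <tt>format_updated</tt> settings above to a constructed LDAP entry to derive the SQL user record, and shows the login name being escaped before it is placed into the <tt>filterUsers</tt> search filter. It assumes the ldap extension (PHP 5.6 or later, for <tt>ldap_escape</tt>); the exact way the driver combines the filter is an assumption here, and the entry is a constructed sample in the shape returned by <tt>ldap_get_entries()</tt>.

```php
<?php
// Added example, not code from DAViCal's drivers_ldap.php.
// Settings copied from the configuration above.
$mapping_field  = array('username' => 'uid', 'updated' => 'modifyTimestamp',
                        'fullname' => 'cn',  'email'   => 'mail');
$format_updated = array('Y' => array(0,4),  'm' => array(4,2),  'd' => array(6,2),
                        'H' => array(8,2),  'M' => array(10,2), 'S' => array(12,2));

// Turn an LDAP generalized time such as "20150108234100Z" into an SQL
// timestamp using the (offset, length) pairs from format_updated.
function ldap_time_to_sql($stamp, array $format) {
    $p = array();
    foreach ($format as $key => $pos) {
        $p[$key] = substr($stamp, $pos[0], $pos[1]);
    }
    return sprintf('%s-%s-%s %s:%s:%s',
                   $p['Y'], $p['m'], $p['d'], $p['H'], $p['M'], $p['S']);
}

// Build the SQL user record from an entry as returned by ldap_get_entries():
// attribute names are lower-cased and every value is a list of strings.
function ldap_entry_to_user(array $entry, array $mapping, array $format) {
    $user = array();
    foreach ($mapping as $sql_field => $ldap_attr) {
        $attr = strtolower($ldap_attr);
        if (!isset($entry[$attr][0])) {
            continue; // attribute not present on this entry
        }
        $user[$sql_field] = ($sql_field === 'updated')
            ? ldap_time_to_sql($entry[$attr][0], $format)
            : $entry[$attr][0];
    }
    return $user;
}

// Combine filterUsers with the login name (assumed form of the search filter).
// The login name comes from the HTTP request, so it is escaped per RFC 4515
// before it enters the filter; otherwise "*" or ")(" in it would alter the query.
function user_search_filter($filterUsers, $username_attr, $login) {
    $safe = ldap_escape($login, '', LDAP_ESCAPE_FILTER);
    return '(&(' . $filterUsers . ')(' . $username_attr . '=' . $safe . '))';
}

// Constructed sample entry, not taken from a real directory.
$entry = array('uid' => array('jdoe'), 'cn' => array('Jane Doe'),
               'mail' => array('jdoe@example.com'),
               'modifytimestamp' => array('20150108234100Z'));
print_r(ldap_entry_to_user($entry, $mapping_field, $format_updated));
echo user_search_filter('objectClass=inetOrgPerson', 'uid', 'jdoe*'), "\n";
```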
 
 
== Working Example ==
 
 
If your OpenLDAP server allows authentication from Apache 2.0 with an httpd config like:
 
 
<pre>
<IfModule mod_auth_ldap.c>
  AuthLDAPURL ldap://ldap.example.com/o=example
  AuthName "Example Inc. users"
  AuthType Basic
</IfModule>
order deny,allow
deny from all
require valid-user
satisfy any
</pre>
 
 
Then the following config allows authentication from DAViCal via LDAP:
 
<pre>
<?php
$c->pg_connect[] = 'dbname=davical port=5432 user=general';
$c->authenticate_hook['call'] = 'LDAP_check';
$c->authenticate_hook['config'] = array(
    'host' => 'ldap.example.com',
    'port' => '389',
    // 'startTLS' => true, // enable this if your LDAP server wants TLS
    'filterUsers' => 'objectclass=*',    // we need this to successfully search users
    'baseDNUsers' => 'o=example',  // most orgs have more fields
    'protocolVersion' => 3,
    'mapping_field' => array("username" => "uid",
                              "updated" => "modifyTimestamp",
                              "fullname" => "cn",  // "Common Name"
                              // "user_no" => "uidNumber",  // set DAViCal user no to match Unix uid from LDAP, may cause sql_from_object problems if these user ids do not actually match...
                              "email" => "mail"
                              ), //used to create the user based on his LDAP properties
    'format_updated'=> array('Y' => array(0,4),
                              'm' => array(4,2),
                              'd' => array(6,2),
                              'H' => array(8,2),
                              'M' => array(10,2),
                              'S' => array(12,2)), // map LDAP "modifyTimestamp" field to SQL "updated" field
  );
include('drivers_ldap.php');
?>
</pre>
 
 
== Kerberos Authentication ==
 
 
You can use mod_auth_kerb in Apache to get Kerberos authentication for your DAViCal accounts. Apache config snippet:
 
<pre>
  <Directory /usr/share/davical/htdocs/>
      AuthType Kerberos
      AuthName "Calendar Login"
      AllowOverride None
      Order allow,deny
      Allow from all

      Require valid-user
      # the following is available since mod_auth_kerb 5.4, it maps full kerberos principal "foo@FOOBAR.COM" to "foo"
      KrbLocalUserMapping On
  </Directory>
</pre>
 
 
The LDAP configuration has to be extended with:
 
 
<pre>
  $c->authenticate_hook['config'] = array(
    // ...
    'i_use_mode_kerberos' => "i_know_what_i_am_doing",
    // ...
  );
</pre>
 
 
[[Category:Configuration]]
 

Latest revision as of 23:41, 8 January 2015