<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:1.9:authldap</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,1.9,authldap"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="authldap.html"/>
<link rel="contents" href="authldap.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:1.9';var JSINFO = {"id":"documentation:1.9:authldap","namespace":"documentation:1.9"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/lib/scripts/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/lib/scripts/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#authentication_level">Authentication level</a></div></li>
<li class="level2"><div class="li"><a href="#exported_variables">Exported variables</a></div></li>
<li class="level2"><div class="li"><a href="#connection">Connection</a></div></li>
<li class="level2"><div class="li"><a href="#filters">Filters</a></div></li>
<li class="level2"><div class="li"><a href="#groups">Groups</a></div></li>
<li class="level2"><div class="li"><a href="#password">Password</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="ldap">LDAP</h1>
<div class="level1">
<div class="table sectionedit2"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Authentication </th><th class="col1 centeralign"> Users </th><th class="col2 centeralign"> Password </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 centeralign"> ✔ </td><td class="col1 centeralign"> ✔ </td><td class="col2 centeralign"> ✔ </td>
</tr>
</table></div>
</div>
<h2 class="sectionedit3" id="presentation">Presentation</h2>
<div class="level2">
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> can use an LDAP directory to:
</p>
<ul>
<li class="level1"><div class="li"> authenticate user</div>
</li>
<li class="level1"><div class="li"> get user attributes</div>
</li>
<li class="level1"><div class="li"> get groups where user is registered</div>
</li>
<li class="level1"><div class="li"> change password (with server side password policy management)</div>
</li>
</ul>
<p>
This works with every LDAP v2 or v3 server, including <a href="authad.html" class="wikilink1" title="documentation:1.9:authad">Active Directory</a>.
</p>
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> is compatible with <a href="https://opends.dev.java.net/public/standards/draft-behera-ldap-password-policy.txt" class="urlextern" title="https://opends.dev.java.net/public/standards/draft-behera-ldap-password-policy.txt" rel="nofollow">LDAP password policy</a>:
</p>
<ul>
<li class="level1"><div class="li"> LDAP server can check password strength, and <abbr title="LemonLDAP::NG">LL::NG</abbr> portal will display correct errors (password too short, password in history, etc.)</div>
</li>
<li class="level1"><div class="li"> LDAP server can block brute-force attacks, and <abbr title="LemonLDAP::NG">LL::NG</abbr> will display that the account is locked</div>
</li>
<li class="level1"><div class="li"> LDAP server can force password change on first connection, and <abbr title="LemonLDAP::NG">LL::NG</abbr> portal will display a password change form before opening <abbr title="Single Sign On">SSO</abbr> session</div>
</li>
</ul>
</div>
<h2 class="sectionedit4" id="configuration">Configuration</h2>
<div class="level2">
<p>
In Manager, go to <code>General Parameters</code> > <code>Authentication modules</code> and choose LDAP for the authentication, users and/or password modules.
</p>
<div class="notetip">For <a href="authad.html" class="wikilink1" title="documentation:1.9:authad">Active Directory</a>, choose <code>Active Directory</code> instead of <code>LDAP</code>.
</div>
</div>
<h3 class="sectionedit5" id="authentication_level">Authentication level</h3>
<div class="level3">
<p>
The authentication level given to users authenticated with this module.
</p>
<div class="noteimportant">As LDAP is a login/password based module, the authentication level can be:<ul>
<li class="level1"><div class="li"> increased (+1) if portal is protected by SSL (HTTPS)</div>
</li>
<li class="level1"><div class="li"> decreased (-1) if the portal autocompletion is allowed (see <a href="portalcustom.html" class="wikilink1" title="documentation:1.9:portalcustom">portal customization</a>)</div>
</li>
</ul>
</div>
</div>
<h3 class="sectionedit6" id="exported_variables">Exported variables</h3>
<div class="level3">
<p>
List of attributes to query to fill user session. See also <a href="exportedvars.html" class="wikilink1" title="documentation:1.9:exportedvars">exported variables configuration</a>.
</p>
</div>
<h3 class="sectionedit7" id="connection">Connection</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> <strong>Server host</strong>: LDAP server hostname or <abbr title="Uniform Resource Identifier">URI</abbr> (by default: localhost). The following special forms are accepted:</div>
<ul>
<li class="level2"><div class="li"> More than one server can be set here separated by spaces or commas. They will be tested in the specified order.</div>
</li>
<li class="level2"><div class="li"> To use TLS, set <code>ldap+tls://server</code> and to use LDAPS, set <code>ldaps://server</code> instead of server name.</div>
</li>
<li class="level2"><div class="li"> If you use TLS, you can pass any of the <a href="http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod" class="urlextern" title="http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod" rel="nofollow">Net::LDAP</a> start_tls() options after the server name, like <code>ldap+tls://server/verify=none&capath=/etc/ssl</code>. You can also use the caFile and caPath parameters.</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> <strong>Server port</strong>: TCP port used by LDAP server. Can be overridden by an LDAP <abbr title="Uniform Resource Identifier">URI</abbr> in server host.</div>
</li>
<li class="level1"><div class="li"> <strong>Users search base</strong>: Base of search in the LDAP directory.</div>
</li>
<li class="level1"><div class="li"> <strong>Account</strong>: <abbr title="Distinguished Name">DN</abbr> used to connect to LDAP server. By default, anonymous bind is used.</div>
</li>
<li class="level1"><div class="li"> <strong>Password</strong>: password used to connect to the LDAP server. By default, anonymous bind is used.</div>
</li>
<li class="level1"><div class="li"> <strong>Timeout</strong>: server idle timeout.</div>
</li>
<li class="level1"><div class="li"> <strong>Version</strong>: LDAP protocol version.</div>
</li>
<li class="level1"><div class="li"> <strong>Binary attributes</strong>: regular expression matching binary attributes (see <a href="http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod" class="urlextern" title="http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod" rel="nofollow">Net::LDAP</a> documentation).</div>
</li>
</ul>
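<p>
As an added example (not code from LemonLDAP::NG itself), the following Python parses a <strong>Server host</strong> value of the form described above: several servers separated by spaces or commas, tried in order, with <code>ldap://</code>, <code>ldaps://</code> or <code>ldap+tls://</code> schemes and start_tls() options appended after a slash. It also flags entries whose options set <code>verify=none</code>, since that accepts any server certificate. The sample value and hostnames are constructed for the example.
</p>

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample for the "Server host" field (not from a real deployment):
# two servers tried in order, the second using STARTTLS with Net::LDAP
# start_tls() options appended after the slash, as the page describes.
SAMPLE_SERVER_HOST = (
    "ldaps://ldap1.example.com, "
    "ldap+tls://ldap2.example.com/verify=none&capath=/etc/ssl"
)


def parse_server_host(value, default_port=389):
    """Split a Server host value into one dict per server, in the order they
    would be tried.  Entries are separated by spaces and/or commas; a bare
    hostname means plain ldap:// on the configured "Server port"."""
    servers = []
    for entry in re.split(r"[\s,]+", value.strip()):
        if not entry:
            continue
        if "://" not in entry:
            entry = "ldap://" + entry
        parts = urlsplit(entry)
        scheme = parts.scheme.lower()
        # For ldap+tls the path carries start_tls() options: key=value&key=value
        tls_opts = dict(parse_qsl(parts.path.lstrip("/"))) if scheme == "ldap+tls" else {}
        servers.append({
            "scheme": scheme,
            "host": parts.hostname,
            # An explicit port in the URI overrides the "Server port" setting.
            "port": parts.port or (636 if scheme == "ldaps" else default_port),
            "tls_options": tls_opts,
            # verify=none makes Net::LDAP accept any certificate: flag it so the
            # setting is not left in place by accident after debugging.
            "cert_verification_disabled": tls_opts.get("verify") == "none",
        })
    return servers


def weak_tls_servers(value):
    """Hostnames whose TLS options disable certificate verification."""
    return [s["host"] for s in parse_server_host(value) if s["cert_verification_disabled"]]
```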
</div>
<h3 class="sectionedit8" id="filters">Filters</h3>
<div class="level3">
<div class="notetip">In LDAP filters, $user is replaced by user login, and $mail by user email.
</div><ul>
<li class="level1"><div class="li"> <strong>Default filter</strong>: default LDAP filter for searches, should not be modified.</div>
</li>
<li class="level1"><div class="li"> <strong>Authentication filter</strong>: Filter to find a user from their login (default: <code>(&(uid=$user)(objectClass=inetOrgPerson))</code>)</div>
</li>
<li class="level1"><div class="li"> <strong>Mail filter</strong>: Filter to find a user from their mail (default: <code>(&(mail=$mail)(objectClass=inetOrgPerson))</code>)</div>
</li>
<li class="level1"><div class="li"> <strong>Alias dereference</strong>: How to manage LDAP aliases. (default: <code>find</code>)</div>
</li>
</ul>
<div class="notetip">For Active Directory, the default authentication filter is:
<pre class="code">(&(sAMAccountName=$user)(objectClass=person))</pre>
<p>
And the mail filter is:
</p>
<pre class="code">(&(mail=$mail)(objectClass=person))</pre>
</div>
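<p>
Because <code>$user</code> and <code>$mail</code> are substituted into the filters above from values the user typed, the substitution must escape the characters that have meaning in an LDAP filter (RFC 4515) so that a login cannot add or remove filter components. The following Python is an added example of that expansion, not LemonLDAP::NG's own code, using the default filters quoted on this page; the escaping shown is the example's own precaution.
</p>

```python
import re

# RFC 4515 escaping for values placed inside an LDAP filter: the characters
# that carry meaning in a filter, plus NUL, become \XX hex escapes.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Default filters quoted on the page (inetOrgPerson) and the Active Directory one.
AUTH_FILTER = "(&(uid=$user)(objectClass=inetOrgPerson))"
MAIL_FILTER = "(&(mail=$mail)(objectClass=inetOrgPerson))"
AD_AUTH_FILTER = "(&(sAMAccountName=$user)(objectClass=person))"


def render_filter(template, user=None, mail=None):
    """Expand $user and $mail in a filter template, escaping each value."""
    rendered = template
    if user is not None:
        rendered = rendered.replace("$user", escape_filter_value(user))
    if mail is not None:
        rendered = rendered.replace("$mail", escape_filter_value(mail))
    return rendered


def keeps_structure(template, rendered):
    """True when substitution added no filter components: the rendered filter
    has exactly as many unescaped '(' as the template it came from."""
    def unescaped_parens(s):
        # Drop \XX escapes first so escaped parentheses are not counted.
        return re.sub(r"\\[0-9a-fA-F]{2}", "", s).count("(")
    return unescaped_parens(template) == unescaped_parens(rendered)
```

perl-ldap ships Net::LDAP::Util::escape_filter_value for the same purpose in Perl.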
</div>
<h3 class="sectionedit9" id="groups">Groups</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> <strong>Search base</strong>: <abbr title="Distinguished Name">DN</abbr> of the groups branch. If empty, group searching is disabled.</div>
</li>
<li class="level1"><div class="li"> <strong>Object class</strong>: objectClass of the groups (default: groupOfNames).</div>
</li>
<li class="level1"><div class="li"> <strong>Target attribute</strong>: name of the attribute in the groups storing the link to the user (default: member).</div>
</li>
<li class="level1"><div class="li"> <strong>User source attribute</strong>: name of the attribute in users entries used in the link (default: dn).</div>
</li>
<li class="level1"><div class="li"> <strong>Searched attributes</strong>: name(s) of the attribute(s) storing the name of the group, space-separated (default: cn).</div>
</li>
<li class="level1"><div class="li"> <strong>Recursive</strong>: activate recursive group functionality (default: 0). If enabled and the user's group is itself a member of another group (group of groups), all parent groups are also stored as the user's groups.</div>
</li>
<li class="level1"><div class="li"> <strong>Group source attribute</strong>: name of the attribute in groups entries used in the link, for recursive group search (default: dn).</div>
</li>
</ul>
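<p>
The following Python is an added example (not LemonLDAP::NG code) of how the settings above combine: the user's link value (its DN by default) is searched in the <strong>Target attribute</strong> of entries of the configured <strong>Object class</strong> under the <strong>Search base</strong>, the <strong>Searched attributes</strong> of each hit are collected, and with <strong>Recursive</strong> enabled each group's own link value is searched in turn. A constructed in-memory directory stands in for the LDAP server, and it includes a group that contains itself to show that the walk must remember visited groups to terminate.
</p>

```python
# Constructed in-memory directory (DN -> attributes), standing in for LDAP
# search results.  Group "all" lists itself as a member on purpose.
G = "ou=groups,dc=example,dc=com"
USER_DN = "uid=jdoe,ou=users,dc=example,dc=com"
DIRECTORY = {
    USER_DN: {"objectClass": ["inetOrgPerson"], "uid": ["jdoe"]},
    f"cn=dev,{G}": {"objectClass": ["groupOfNames"], "cn": ["dev"], "member": [USER_DN]},
    f"cn=staff,{G}": {"objectClass": ["groupOfNames"], "cn": ["staff"], "member": [f"cn=dev,{G}"]},
    f"cn=all,{G}": {"objectClass": ["groupOfNames"], "cn": ["all"],
                    "member": [f"cn=staff,{G}", f"cn=all,{G}"]},
}

# Defaults from the Groups section; "recursive" is toggled by the caller.
DEFAULT_GROUP_CFG = {"search_base": G, "object_class": "groupOfNames", "target_attr": "member",
                     "user_source_attr": "dn", "searched_attrs": "cn", "recursive": 0,
                     "group_source_attr": "dn"}


def search_groups(directory, cfg, link):
    """Stand-in for the LDAP search (&(objectClass=<class>)(<target>=<link>)) under the base."""
    return [dn for dn, attrs in directory.items()
            if dn.endswith(cfg["search_base"])
            and cfg["object_class"] in attrs.get("objectClass", [])
            and link in attrs.get(cfg["target_attr"], [])]


def link_value(dn, attrs, source_attr):
    """Value matched against the target attribute: the entry's DN or one of its attributes."""
    return dn if source_attr == "dn" else attrs[source_attr][0]


def user_groups(directory, user_dn, cfg):
    """Group names for a user under the Groups settings.  With recursive=1,
    every group that contains an already found group is added as well."""
    if not cfg["search_base"]:          # empty Search base disables group searching
        return []
    names, seen = set(), set()
    queue = search_groups(directory, cfg, link_value(user_dn, directory[user_dn], cfg["user_source_attr"]))
    while queue:
        gdn = queue.pop()
        if gdn in seen:                 # already visited: breaks cycles in group nesting
            continue
        seen.add(gdn)
        gattrs = directory[gdn]
        for attr in cfg["searched_attrs"].split():
            names.update(gattrs.get(attr, []))
        if cfg["recursive"]:
            queue.extend(search_groups(directory, cfg, link_value(gdn, gattrs, cfg["group_source_attr"])))
    return sorted(names)
```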
</div>
<h3 class="sectionedit10" id="password">Password</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> <strong>Password policy control</strong>: enable to use LDAP password policy. This requires at least Net::LDAP 0.38. (see ppolicy workflow below)</div>
</li>
<li class="level1"><div class="li"> <strong>Password modify extended operation</strong>: enable to use the LDAP extended operation <code>password modify</code> instead of standard modify operation.</div>
</li>
<li class="level1"><div class="li"> <strong>Change as user</strong>: enable to perform the password modification with the credentials of the connected user. This requires asking the user for their old password (see <a href="portalcustom.html" class="wikilink1" title="documentation:1.9:portalcustom">portal customization</a>).</div>
</li>
<li class="level1"><div class="li"> <strong>LDAP password encoding</strong>: allows managing old LDAP servers that use a specific encoding for passwords (default: utf-8).</div>
</li>
<li class="level1"><div class="li"> <strong>Use reset attribute</strong>: enable to use the password reset attribute. This attribute is set by LemonLDAP::NG when the <a href="resetpassword.html" class="wikilink1" title="documentation:1.9:resetpassword">password was reset by mail</a> and the user chose to generate the password (default: enabled).</div>
</li>
<li class="level1"><div class="li"> <strong>Reset attribute</strong>: name of password reset attribute (default: pwdReset).</div>
</li>
<li class="level1"><div class="li"> <strong>Reset value</strong>: value to set in reset attribute to activate password reset (default: TRUE).</div>
</li>
<li class="level1"><div class="li"> <strong>Allow a user to reset his expired password</strong>: if activated, the user will be prompted to change their password if it is expired (default: 0)</div>
</li>
</ul>
<div class="row"><div class="col-md-6">
<strong>Password expiration warning workflow</strong>
<a href="documentation/lemonldap-ng-password-expiration-warning.png_documentation_1.9_authldap.html" class="media" title="documentation:lemonldap-ng-password-expiration-warning.png"><img src="documentation/lemonldap-ng-password-expiration-warning.png" class="media" alt="Password expiration warning workflow" /></a>
</div>
<div class="col-md-6">
<strong>Password expiration workflow</strong>
<a href="documentation/lemonldap-ng-password-expired.png_documentation_1.9_authldap.html" class="media" title="documentation:lemonldap-ng-password-expired.png"><img src="documentation/lemonldap-ng-password-expired.png" class="media" alt="Password expiration workflow" /></a>
</div></div>
</div>
</div>
</body>
</html>