documentation:1.3:authldap

LDAP

Can be used as: Authentication, Users and Password module

LL::NG can use an LDAP directory to:

  • authenticate users
  • get user attributes
  • get the groups a user belongs to
  • change passwords (with server-side password policy management)

This works with every LDAP v2 or v3 server, including Active Directory.

LL::NG is compatible with the LDAP password policy:

  • The LDAP server can check password strength, and the LL::NG portal will display the matching error (password too short, password in history, etc.)
  • The LDAP server can block brute-force attacks, and LL::NG will display that the account is locked
  • The LDAP server can force a password change on first connection, and the LL::NG portal will display a password change form before opening the SSO session

In Manager, go to General Parameters > Authentication modules and choose LDAP for the authentication, users and/or password modules.

For Active Directory, choose Active Directory instead of LDAP.

Authentication level: the authentication level given to users authenticated with this module.

As LDAP is a login/password based module, the authentication level can be:
  • increased (+1) if the portal is protected by SSL (HTTPS)
  • decreased (-1) if portal autocompletion is allowed (see portal customization)

Connection:
  • Server host: LDAP server hostname or URI (by default: localhost). Accepts some specificities:
    • More than one server can be set here, separated by spaces or commas. They will be tried in the specified order.
    • To use TLS (StartTLS), set ldap+tls://server; to use LDAPS, set ldaps://server instead of the server name.
    • If you use TLS, you can set any option of the Net::LDAP start_tls() method in the URI, like ldap+tls://server/verify=none&capath=/etc/ssl. You can also use the caFile and caPath parameters. Note that verify=none disables verification of the server certificate, so the encrypted connection can be intercepted by anyone who can answer for the server name; in production, require verification and point caFile or caPath at the CA that issued the directory's certificate.
  • Server port: TCP port used by the LDAP server. Can be overridden by an LDAP URI in server host.
  • Users search base: base DN of searches in the LDAP directory.
  • Account: DN used to bind to the LDAP server. By default, anonymous bind is used, which requires the directory to allow anonymous searches of user entries; otherwise configure a dedicated read-only account here.
  • Password: password used to bind to the LDAP server. By default, anonymous bind is used.
  • Timeout: server idle timeout.
  • Version: LDAP protocol version.
  • Binary attributes: regular expression matching binary attributes (see Net::LDAP documentation).
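
The weak and the hardened form of the TLS server URI, as an added illustration that is not part of the original page. The hostnames and certificate path are assumptions; verify, cafile and capath are Net::LDAP start_tls() options, and cafile is assumed to be passed through the URI the same way the page shows for capath:

```text
# Weak: TLS is negotiated but the server certificate is never checked,
# so any host answering for ldap.example.com can impersonate the directory
ldap+tls://ldap.example.com/verify=none

# Hardened: the server certificate must chain to the given CA
ldap+tls://ldap.example.com/verify=require&cafile=/etc/ssl/certs/example-ca.pem

# Two LDAPS servers, tried in this order when the first is unreachable
ldaps://ldap1.example.com ldaps://ldap2.example.com
```

With verify=require, a certificate that does not match the hostname or does not chain to the CA makes the portal fail to connect rather than silently talk to an impostor, so test the setting against the real directory before enabling it in production.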

Filters:
In LDAP filters, $user is replaced by the user login, and $mail by the user email.
  • Default filter: default LDAP filter for searches, should not be modified.
  • Authentication filter: filter to find the user from its login (default: (&(uid=$user)(objectClass=inetOrgPerson)))
  • Mail filter: filter to find the user from its mail (default: (&(mail=$mail)(objectClass=inetOrgPerson)))
For Active Directory, the default authentication filter is:
(&(sAMAccountName=$user)(objectClass=person))

And the mail filter is:

(&(mail=$mail)(objectClass=person))
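
The $user and $mail substitution above takes a value typed into the portal login form and splices it into an LDAP filter, so the value has to be escaped before substitution or the user controls the filter's structure. The following is an added example, not LemonLDAP::NG code, showing the unsafe textual substitution beside an RFC 4515 escaping version; the filter templates are the defaults quoted on this page, the function names are mine, and the crafted login is a constructed input:

```python
# Added example, not LemonLDAP::NG code: safe substitution of $user / $mail
# into the filter templates documented above. Function names are mine.
import re

AUTH_FILTER = "(&(uid=$user)(objectClass=inetOrgPerson))"
MAIL_FILTER = "(&(mail=$mail)(objectClass=inetOrgPerson))"
AD_AUTH_FILTER = "(&(sAMAccountName=$user)(objectClass=person))"

# Characters that change the meaning of a filter: backslash, *, (, ) and NUL
_FILTER_SPECIAL = re.compile(r"[\\*()\x00]")
_PLACEHOLDER = re.compile(r"\$(user|mail)")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: each special character becomes a backslash
    followed by two hex digits, e.g. '*' -> '\\2a'."""
    return _FILTER_SPECIAL.sub(lambda m: "\\%02x" % ord(m.group(0)), value)


def build_filter_unsafe(template: str, user: str = "", mail: str = "") -> str:
    """Plain textual substitution: the weak form, shown for contrast."""
    values = {"user": user, "mail": mail}
    return _PLACEHOLDER.sub(lambda m: values[m.group(1)], template)


def build_filter(template: str, user: str = "", mail: str = "") -> str:
    """Hardened form: placeholders are replaced by escaped values in a single
    pass, so a value containing the text '$mail' is never substituted again."""
    values = {"user": escape_filter_value(user), "mail": escape_filter_value(mail)}
    return _PLACEHOLDER.sub(lambda m: values[m.group(1)], template)


if __name__ == "__main__":
    # Constructed login crafted to widen the search to every inetOrgPerson
    crafted = "*)(uid=*"
    print(build_filter_unsafe(AUTH_FILTER, user=crafted))
    print(build_filter(AUTH_FILTER, user=crafted))
```

With the crafted login, the unsafe form yields (&(uid=*)(uid=*)(objectClass=inetOrgPerson)), a filter that matches every user, while the escaped form searches for the literal string. Whatever the substitution does, the login step should also refuse a search that returns more than one entry, since a widened filter shows up exactly as multiple matches.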

Groups:
  • Search base: DN of the groups branch. If empty, group searching is disabled.
  • Object class: objectClass of the groups (default: groupOfNames).
  • Target attribute: name of the attribute in group entries storing the link to the user (default: member).
  • User source attribute: name of the attribute in user entries used in the link (default: dn).
  • Searched attributes: name(s) of the attribute(s) storing the name of the group, space separated (default: cn).
  • Recursive: enable recursive group search (default: 0). If enabled and a group of the user is itself a member of another group (group of groups), all parent groups are also stored as the user's groups.
  • Group source attribute: name of the attribute in group entries used in the link, for recursive group search (default: dn).
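
How the group settings above combine into one search, and what the recursive option adds, as an added example that is not LemonLDAP::NG code. A constructed in-memory directory stands in for the LDAP server (all DNs and entries are made up), the settings dictionary mirrors the Manager fields with their documented defaults, and the function names are mine. The directory deliberately contains a membership cycle and a group outside the search base, which a real directory can also have:

```python
# Added example, not LemonLDAP::NG code: resolving a user's groups from the
# settings above over a constructed in-memory directory.
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Constructed directory: every DN and value here is made up.
DIRECTORY: Dict[str, Entry] = {
    "uid=jdoe,ou=users,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["jdoe"]},
    "cn=devs,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["devs"],
        "member": ["uid=jdoe,ou=users,dc=example,dc=com"]},
    # group of groups: staff contains devs (and everyone)
    "cn=staff,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["staff"],
        "member": ["cn=devs,ou=groups,dc=example,dc=com",
                   "cn=everyone,ou=groups,dc=example,dc=com"]},
    # everyone contains staff, which contains everyone: a membership cycle
    "cn=everyone,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["everyone"],
        "member": ["cn=staff,ou=groups,dc=example,dc=com"]},
    # outside the groups search base, so never returned
    "cn=legacy,ou=old,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["legacy"],
        "member": ["uid=jdoe,ou=users,dc=example,dc=com"]},
}

# Manager settings from the list above, with their documented defaults
GROUP_CONFIG = {
    "searchBase": "ou=groups,dc=example,dc=com",
    "objectClass": "groupOfNames",
    "targetAttribute": "member",
    "userSourceAttribute": "dn",
    "searchedAttributes": "cn",
    "recursive": 1,
    "groupSourceAttribute": "dn",
}


def attr_values(dn: str, entry: Entry, name: str) -> List[str]:
    """'dn' is the entry name rather than an attribute, so treat it specially."""
    return [dn] if name == "dn" else list(entry.get(name, []))


def search(directory: Dict[str, Entry], base: str, object_class: str,
           attribute: str, value: str) -> List[Tuple[str, Entry]]:
    """In-memory equivalent of a subtree search under `base` with the filter
    (&(objectClass=<object_class>)(<attribute>=<value>))."""
    return [(dn, e) for dn, e in directory.items()
            if (dn == base or dn.endswith("," + base))
            and object_class in e.get("objectClass", [])
            and value in e.get(attribute, [])]


def user_groups(user_dn: str, cfg: dict,
                directory: Dict[str, Entry] = DIRECTORY) -> Dict[str, str]:
    """Return {group name: group DN} for the user, following the settings in cfg."""
    if not cfg.get("searchBase"):
        return {}                      # empty search base disables group search
    found: Dict[str, str] = {}
    pending = attr_values(user_dn, directory[user_dn], cfg["userSourceAttribute"])
    seen = set()                       # link values already searched: breaks cycles
    while pending:
        link = pending.pop()
        if link in seen:
            continue
        seen.add(link)
        for gdn, gentry in search(directory, cfg["searchBase"], cfg["objectClass"],
                                  cfg["targetAttribute"], link):
            for name_attr in cfg["searchedAttributes"].split():
                for name in gentry.get(name_attr, []):
                    found[name] = gdn
            if cfg["recursive"]:
                # parent groups are those whose target attribute holds this group's link value
                pending.extend(attr_values(gdn, gentry, cfg["groupSourceAttribute"]))
    return found


if __name__ == "__main__":
    print(sorted(user_groups("uid=jdoe,ou=users,dc=example,dc=com", GROUP_CONFIG)))
```

Without Recursive only devs is returned; with it, staff and everyone follow, and the staff/everyone cycle terminates because each link value is searched once. When the user source attribute is changed from dn to something like uid, the target attribute of the groups must hold that same value (memberUid style groups), otherwise the first search matches nothing.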

Password:
  • Password policy control: enable to use the LDAP password policy. This requires at least Net::LDAP 0.38.
  • Password modify extended operation: enable to use the LDAP password modify extended operation instead of the standard modify operation.
  • Change as user: enable to perform the password modification with the credentials of the connected user instead of the configured account. This requires the portal to ask for the user's old password (see portal customization).
  • LDAP password encoding: allows managing old LDAP servers that use a specific encoding for passwords (default: utf-8).
  • Use reset attribute: enable to use the password reset attribute. This attribute is set by LemonLDAP::NG when the password was reset by mail and the user chose to generate the password (default: enabled).
  • Reset attribute: name of the password reset attribute (default: pwdReset).
  • Reset value: value to set in the reset attribute to activate password reset (default: TRUE).

Schema extension:

Standard attributes, like uid, cn or mail, are often enough to configure access rules and headers.

But sometimes other data are needed (in particular to use extended functions):

  • An application name (to allow access by application and not by group of users)
  • A start date and an end date (to open or close the service even if the entry already exists)
  • A time profile (allowed hours and days of the week)
  • One or more roles (to send to the protected applications)

Of course, standard LDAP attributes can be used to store these data, but LL::NG also provides an LDAP schema extension to manage them.

Extended attributes and object classes use this prefix: 1.3.6.1.4.1.10943.10.2.

The prefix 1.3.6.1.4.1.10943 is owned by LINAGORA (See http://www.iana.org/assignments/enterprise-numbers).

Just add this file to OpenLDAP schemas by including it in slapd.conf:

include /usr/share/lemonldap-ng/ressources/sso.schema

This will provide the auxiliary object class ssoUser with attributes:

  • ssoName
  • ssoRoles
  • ssoLogonHours
  • ssoStartDate
  • ssoEndDate

You can add this object class to any entry of your directory.
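
Adding the auxiliary object class to an existing user entry with LDIF, as an added example that is not from the LemonLDAP::NG documentation. The DN and the attribute values are made up; the value formats of ssoLogonHours, ssoStartDate and ssoEndDate are defined in sso.schema and are not shown here:

```ldif
# Added example: attach ssoUser to an existing entry (DN and values are made up)
dn: uid=jdoe,ou=users,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: ssoUser
-
add: ssoName
ssoName: intranet
-
add: ssoRoles
ssoRoles: editor
```

Apply it with ldapmodify using an account allowed to write to the entry. Because ssoUser is auxiliary, the entry keeps its structural class (inetOrgPerson here) and only gains the sso* attributes.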

To get attributes values in session, declare them in exported variables