LDAP Remote Authentication

From GeeklogWiki
Revision as of 09:02, 10 May 2008 by Dirk (An attempt to describe the LDAP module)


Background

Remote Authentication was introduced in Geeklog 1.4.0. It allows for authenticating a user against a remote user database.

The LDAP module for Geeklog was kindly provided by Jessica Blank / MTV Networks. It is shipped with Geeklog 1.5.0 and later but will also work with Geeklog 1.4.x.


Configuration

The LDAP module comes with its own config.php file located in

/path/to/geeklog/system/classes/authentication/ldap

Note: You will need some knowledge about LDAP in order to be able to configure this module correctly. If in doubt, try asking your system administrator for help.

In most cases, you will only need to edit the following portion of the configuration:

// Basic LDAP variables
$_LDAP_CONF['user_ou'] = "People";
$_LDAP_CONF['group_ou'] = "Group";
$_LDAP_CONF['branch'] = "dc=mydc,dc=com";
$_LDAP_CONF['user_branch'] = "ou={$_LDAP_CONF['user_ou']}," . $_LDAP_CONF['branch'];
$_LDAP_CONF['user_attributes'] = array("uid","cn","ou","objectClass","shadowLastChange",
  "loginShell","uidnumber","gidNumber","homeDirectory","gecos","userPassword","givenName",
  "sn","mail");

// LDAP server configuration
$_LDAP_CONF['servers'][0]['bind_dn'] = "cn=mycn,ou=LDAPusers,dc=mydc,dc=com";
$_LDAP_CONF['servers'][0]['password'] = "mypassword";
$_LDAP_CONF['servers'][0]['host'] = "localhost";

Details will depend heavily on your organisation's structure and how your LDAP server is configured, so it's hard to provide an example configuration.

Example

Here's one (anonymized) setup:

// Basic LDAP variables
$_LDAP_CONF['user_ou'] = "People";
$_LDAP_CONF['group_ou'] = "users";
$_LDAP_CONF['branch'] = "o=companyname,c=de";
$_LDAP_CONF['user_branch'] = "ou={$_LDAP_CONF['user_ou']}," . $_LDAP_CONF['branch'];
$_LDAP_CONF['user_attributes'] = array("uid","cn","ou","objectClass","shadowLastChange",
  "loginShell","uidnumber","gidNumber","homeDirectory","gecos","userPassword","givenName",
  "sn","mail");

// LDAP server configuration
$_LDAP_CONF['servers'][0]['bind_dn'] = "uid=username,ou=People,ou=users,o=companyname,c=de";
$_LDAP_CONF['servers'][0]['password'] = "password";
$_LDAP_CONF['servers'][0]['host'] = "ldapserver";

... where 'companyname', 'ldapserver', 'username', and 'password' are, of course, not the real values. Also note the "c=de" (for Germany) that you probably want to change.

In this example, the LDAP server required a valid user account ("uid=username") and password to even be able to talk to it. This is not a typical setup, but shows how flexible (and, therefore, complex) the setup is.
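Before putting new values into the module's config.php, it helps to verify them with a small stand-alone script. The following PHP is an added example, not the Geeklog module's own code: it reuses the $_LDAP_CONF keys from above (host, DNs and credentials are placeholders), and the function name ldap_check_login and the two-step bind flow are assumptions about how such a check is typically done, with STARTTLS and ldap_escape() added so that passwords are not sent in clear and the login name cannot alter the search filter.

```php
<?php
// Added check script, not part of the Geeklog LDAP module. It reuses the
// $_LDAP_CONF keys shown above; host, DNs and credentials are placeholders.
$_LDAP_CONF['user_ou']     = "People";
$_LDAP_CONF['branch']      = "dc=mydc,dc=com";
$_LDAP_CONF['user_branch'] = "ou={$_LDAP_CONF['user_ou']}," . $_LDAP_CONF['branch'];
$_LDAP_CONF['servers'][0]['bind_dn']  = "cn=mycn,ou=LDAPusers,dc=mydc,dc=com";
$_LDAP_CONF['servers'][0]['password'] = "mypassword";
$_LDAP_CONF['servers'][0]['host']     = "localhost";

// Returns true when $username/$password authenticate against the server in
// $conf: bind as the service account, find the user's DN, re-bind as the user.
function ldap_check_login(array $conf, $username, $password)
{
    // An empty password must never reach ldap_bind(): many servers treat it
    // as an anonymous bind and would report success for any known uid.
    if ($password === '') {
        return false;
    }
    $srv = $conf['servers'][0];
    $ds = ldap_connect($srv['host']);
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    // STARTTLS so neither the service-account nor the user password travels in clear.
    if (!ldap_start_tls($ds) || !@ldap_bind($ds, $srv['bind_dn'], $srv['password'])) {
        ldap_unbind($ds);
        return false;
    }
    // Escape the login name before it goes into the filter so that characters
    // such as '*', '(' or ')' cannot change the query (LDAP filter injection).
    $filter  = "(uid=" . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ")";
    $sr      = ldap_search($ds, $conf['user_branch'], $filter, array('uid'));
    $entries = $sr ? ldap_get_entries($ds, $sr) : false;
    if ($entries === false || $entries['count'] !== 1) {
        ldap_unbind($ds);
        return false;   // unknown or ambiguous user
    }
    // Binding with the user's own DN is what actually verifies the password.
    $ok = @ldap_bind($ds, $entries[0]['dn'], $password);
    ldap_unbind($ds);
    return $ok;
}

var_dump(ldap_check_login($_LDAP_CONF, 'jdoe', 'secret'));
```

Run it from the command line on the Geeklog host; a `false` result with the service-account values from config.php points at the bind DN, password or host, while a `false` for a known user points at user_branch or the uid attribute.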


Active Directory

To quote Wikipedia:

Active Directory (AD) is an implementation of LDAP directory services by Microsoft for use primarily in Windows environments.

It should therefore be possible to use the LDAP module in a Windows / AD environment. If you have such a setup working, please let us know.