Forums / Setup & design / Need help with LDAP integration
Jason Senich
Monday 29 November 2004 8:40:18 am
I've looked through every forum posting and still can't seem to figure out why I can't get LDAP authentication working. I suspect that either the way I'm structuring my directory in LDAP or my users/groups in Exponential is incorrect, or both. Can somebody post an example of how the data needs to be structured on both sides to get this to work, and a sample of a working ldap.ini for this structure? If not, can somebody point me in the right direction to find this information?
Jonny Bergkvist
Monday 29 November 2004 10:39:25 pm
First make sure you have the ldap-functions available in php.
Then edit your ini-files:

settings/override/site.ini.append.php:
[UserSettings]
LoginHandler[]=LDAP

settings/override/ldap.ini.append.php:
[LDAPSettings]
# Set to true if use LDAP server
LDAPEnabled=true
# LDAP host
# This example uses stunnel from localhost to ldap-server.
LDAPServer=ldapserverhostname
# Port nr for LDAP, default is 389
# 636 is ldaps (ldap over SSL/TLS)
LDAPPort=389
# Specifies the base DN for the directory.
# Ex: dc=example,dc=com
LDAPBaseDn=<your base DN>
# LDAP attribute for login. Normally, uid
LDAPLoginAttribute=uid
# Could be id or name
LDAPUserGroupType=id
# Default place to store LDAP users. Could be content object id or group name for LDAP user group, depends on LDAPUserGroupType.
LDAPUserGroup=<your content object id where you store ldap-users in eZ>
# LDAP attribute type for user group. Could be name or id. Optional
# Having different user-types (e.g. employees and students)? Then you could put them into different user-groups in eZ to assign different roles/rights.
LDAPUserGroupAttributeType=
# LDAP attribute for user group. For example, employeetype. If specified, LDAP users will be saved under the same group as in LDAP server. Depends on LDAPUserGroupAttributeType.
LDAPUserGroupAttribute=
Start by doing a test with e.g. ldapsearch on your eZ server to check that it can retrieve information from the LDAP server.
The structure of objects in the LDAP server is not important. The eZ LDAP handler can do a sub-tree search on your LDAP server starting at the base DN.
There are also some issues with the LDAP SSL functionality. My tip is to try non-SSL first (port 389).
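An added example, not eZ's own code and not from this thread, showing what the sub-tree lookup described above amounts to: it parses the eZ-style ini settings (sections, '#' comments, and 'Key[]=value' array entries such as LoginHandler[]=LDAP) and builds the equivalent ldapsearch command for a given login name, escaping that name per RFC 4515 so a crafted username cannot change the filter. The sample ini values are constructed, and the choice of ldaps:// for port 636 is an assumption taken from the comment in the posted config.

```python
# Added example: derive the handler's sub-tree search from eZ-style ini settings.
# Constructed sample modelled on the settings posted above, placeholders filled in.
SAMPLE_INI = """\
[LDAPSettings]
# Set to true if use LDAP server
LDAPEnabled=true
LDAPServer=ldapserverhostname
LDAPPort=389
LDAPBaseDn=dc=example,dc=com
LDAPLoginAttribute=uid
LDAPUserGroupType=id
LDAPUserGroup=12
LDAPUserGroupAttributeType=
LDAPUserGroupAttribute=
"""

def parse_ez_ini(text):
    """Minimal parser for eZ ini files: [sections], key=value, '#' comments,
    and 'Key[]=value' array entries (as in LoginHandler[]=LDAP)."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            settings.setdefault(section, {})
            continue
        key, _, value = line.partition("=")  # first '=' only: base DNs contain '='
        key, value = key.strip(), value.strip()
        bucket = settings.setdefault(section, {})
        if key.endswith("[]"):
            bucket.setdefault(key[:-2], []).append(value)
        else:
            bucket[key] = value
    return settings

# RFC 4515: these characters must be hex-escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a login name so it is matched literally, not parsed as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def ldapsearch_command(settings, login):
    """Build the ldapsearch equivalent of the handler's sub-tree lookup from the base DN."""
    s = settings["LDAPSettings"]
    if s.get("LDAPEnabled", "false").lower() != "true":
        raise ValueError("LDAPEnabled is not true")
    scheme = "ldaps" if s.get("LDAPPort") == "636" else "ldap"  # assumption: 636 = ldaps
    url = "%s://%s:%s" % (scheme, s["LDAPServer"], s["LDAPPort"])
    filt = "(%s=%s)" % (s["LDAPLoginAttribute"], escape_filter_value(login))
    return ["ldapsearch", "-x", "-H", url, "-b", s["LDAPBaseDn"], "-s", "sub", filt]
```

Running the returned command on the eZ server is the ldapsearch check suggested above; if it returns no entry for a known login, the handler will not find the user either.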
Tuesday 30 November 2004 11:05:11 am
Okay, I have it working now but I still think there is something that I am doing wrong. In order for me to log in using LDAP authentication I had to enter the id as the username rather than the username and once I did this and logged in, a duplicate user was created in Exponential based on the information that was stored in LDAP. Is this what is supposed to happen? If not, what am I doing wrong? If it is supposed to work like this, how can I change it to log in with the username rather than the id?
Wednesday 01 December 2004 3:47:43 am
Yes, it is supposed to create local eZ users, for several reasons:
- content is stamped with the user that created/edited it.
- you have the possibility to manage user-groups within eZ if you don't have that information in the LDAP directory.
There is also a cron-job that syncs the local eZ users against the LDAP directory (ldapusermanage.php). If a user is deleted from LDAP, then this script will disable the eZ user (but not delete it).
For the login-name, try changing LDAPLoginAttribute to the attribute in your LDAP directory that stores the usernames. (Ex: in Novell it would often be the CN attribute.)