
Need help with LDAP integration


Jason Senich

Monday 29 November 2004 8:40:18 am

I've looked through every forum posting and still can't seem to figure out why I can't get LDAP authentication working. I suspect that either the way I'm structuring my directory in LDAP or my users/groups in eZ publish are incorrect or both. Can somebody post an example of how the data needs to be structured on both sides to get this to work and a sample of a working ldap.ini for this structure? If not, can somebody point me in the right direction to find this information?

Jonny Bergkvist

Monday 29 November 2004 10:39:25 pm

First make sure you have the ldap-functions available in php.

Then edit your ini-files:
settings/override/site.ini.append.php:
[UserSettings]
LoginHandler[]=LDAP

settings/override/ldap.ini.append.php:
[LDAPSettings]
# Set to true if use LDAP server
LDAPEnabled=true
# LDAP host
# This example uses stunnel from localhost to ldap-server.
LDAPServer=ldapserverhostname
# Port nr for LDAP, default is 389
# 636 is ldaps (ldap over SSL/TLS)
LDAPPort=389
# Specifies the base DN for the directory.
# Ex: dc=example,dc=com
LDAPBaseDn=<your base DN>
# LDAP attribute for login. Normally, uid
LDAPLoginAttribute=uid
# Could be id or name
LDAPUserGroupType=id
# Default place to store LDAP users. Could be content object id or group name for LDAP
# user group, depends on LDAPUserGroupType.
LDAPUserGroup=<your content object id where you store ldap-users in eZ>
# LDAP attribute type for user group. Could be name or id. Optional
# Having different user-types (e.g. employees and students)? Then you could put them into
# different user-groups in eZ to assign different roles/rights.
LDAPUserGroupAttributeType=
# LDAP attribute for user group. For example, employeetype. If specified, LDAP users will
# be saved under the same group as in LDAP server. Depends on LDAPUserGroupAttributeType.
LDAPUserGroupAttribute=

Start doing a test with e.g. ldapsearch on your ez-server to check that it has access to getting information from the ldap-server.

The structure of objects in the ldap-server is not important. eZ-ldap-handler can do a sub-tree search on your ldap-server starting at the base-dn.

There are also some issues with the ldap-ssl functionality. Try non-ssl first is my tip (port 389).
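Added example, not from this thread or from eZ Publish itself: a small Python script that parses an ldap.ini.append.php in the style above, flags the inconsistencies between the LDAPUserGroup* keys that the comments describe, and builds the ldapsearch command for the test suggested above. The host name, base DN and group id in the sample are constructed values, and the PHP comment wrapper is assumed from eZ's ini.append.php convention.

```python
SAMPLE_LDAP_INI = """<?php /* #?ini charset="iso-8859-1"?
[LDAPSettings]
LDAPEnabled=true
LDAPServer=ldapserverhostname
LDAPPort=389
LDAPBaseDn=dc=example,dc=com
LDAPLoginAttribute=uid
LDAPUserGroupType=id
LDAPUserGroup=12
LDAPUserGroupAttributeType=
LDAPUserGroupAttribute=employeetype
*/ ?>"""  # constructed sample; the PHP comment wrapper is assumed from eZ's *.ini.append.php convention

def parse_ez_ini(text):
    """Parse eZ-style ini text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<*":  # skip blanks, '#' comments and the PHP wrapper lines
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))  # base DN itself contains '='
            current[key] = value
    return sections

def check_ldap_settings(cfg):
    """List problems, following the dependencies between keys that the ini comments describe."""
    s, problems = cfg.get("LDAPSettings", {}), []
    for key in ("LDAPServer", "LDAPBaseDn", "LDAPLoginAttribute", "LDAPUserGroup"):
        if not s.get(key) or s[key].startswith("<"):  # empty or still a <placeholder>
            problems.append(key + " is empty or still a placeholder")
    if s.get("LDAPUserGroupType") not in ("id", "name"):
        problems.append("LDAPUserGroupType must be id or name")
    elif s.get("LDAPUserGroup", "").isdigit() != (s["LDAPUserGroupType"] == "id"):
        problems.append("LDAPUserGroup does not match LDAPUserGroupType (numeric id vs group name)")
    if s.get("LDAPUserGroupAttribute") and s.get("LDAPUserGroupAttributeType") not in ("id", "name"):
        problems.append("LDAPUserGroupAttribute is set but LDAPUserGroupAttributeType is not id or name")
    return problems

def ldapsearch_command(cfg, login):
    """Sub-tree search from the base DN on the login attribute (ldaps on 636); RFC 4515-escaped."""
    s = cfg["LDAPSettings"]
    scheme = "ldaps" if s.get("LDAPPort") == "636" else "ldap"
    # escape everything but plain ASCII letters, digits, '-', '_' and '.' so a crafted
    # login such as a)(uid=* cannot change the meaning of the search filter
    safe = "".join(chr(b) if b < 128 and (chr(b).isalnum() or chr(b) in "-_.") else "\\%02x" % b
                   for b in login.encode("utf-8"))
    return "ldapsearch -x -H %s://%s:%s -b '%s' -s sub '(%s=%s)'" % (
        scheme, s["LDAPServer"], s.get("LDAPPort", "389"), s["LDAPBaseDn"], s["LDAPLoginAttribute"], safe)
```

Run the printed command on the eZ server with the login name of a real account; an empty result means the base DN or login attribute is wrong rather than the eZ side.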

Jason Senich

Tuesday 30 November 2004 11:05:11 am

Okay, I have it working now but I still think there is something that I am doing wrong. In order for me to log in using LDAP authentication I had to enter the id as the username rather than the username and once I did this and logged in, a duplicate user was created in eZ Publish based on the information that was stored in LDAP. Is this what is supposed to happen? If not, what am I doing wrong? If it is supposed to work like this, how can I change it to log in with the username rather than the id?

Jonny Bergkvist

Wednesday 01 December 2004 3:47:43 am

Yes, it is supposed to create local eZ-users for several reasons:
-content is stamped with the user that created/edited it.
-have the possibility to manage user-groups within eZ if you don't have that information in ldap-directory.

There is also a cron-job that syncs the local eZ-users against the ldap-directory (ldapusermanage.php). If a user is deleted from ldap, then this script will disable the eZ-user (but not delete it).

For the login-name try changing LDAPLoginAttribute to the attribute you use in your ldap-directory that stores the usernames. (Ex: In Novell it would often be the CN attribute).