Help to implement LDAP Auth

Author Message

Cristian Pacheco

Wednesday 20 February 2008 5:06:05 pm

Hello, I am implementing Ez Publish 4.0 at our University as Intranet and once in production as Official site, I find problems to enable authentication LDAP running on Windows Server 2003, EzPublish is running on Linux
(CentOS 5.0)

I tried editing these files:

Settings/override/ldap.ini.append.php

And

Settings/ldap.ini

Which file must be edited?

What is the function that performs EzPublish LDAP Auth:

Authenticate user against LDAP or import username/password and stored in the database and then the user uses the same password Active Directory.

LDAP is running because we have other applications running on Linux and Authenticating against LDAP/ActiveDirectory

This is my setting:

--------------------------------------------
#?ini charset="iso-8859-1"?
# eZ Publish configuration file for connection and authentication of users via LDAP
#
[LDAPSettings]
# Set LDAP version number
LDAPVersion=2
# Set to true if use LDAP server
LDAPEnabled=true
# LDAP host
LDAPServer=172.16.0.1
# Port nr for LDAP, default is 389
LDAPPort=389
# Specifies the base DN for the directory.
LDAPBaseDn=DC--delta,DC--utn
# If the server does not allow anonymous bind, specify the user name for the bind here.
LDAPBindUser= alumno
# If the server does not allow anonymous bind, specify the password for the bind here.
LDAPBindPassword= **********
# Could be sub, one, base.
LDAPSearchScope=sub
# Use the equla sign to replace "=" when specify LDAPBaseDn or LDAPSearchFilters
LDAPEqualSign=--
# Add extra search requirment. Uncomment it if you don't need it.
# Example LDAPSearchFilters[]=objectClass--inetOrgPerson
LDAPSearchFilters[]
# LDAP attribute for login. Normally, uid
#LDAPLoginAttribute=SAMAccountName
LDAPLoginAttribute=uid

# Could be id or name
LDAPUserGroupType=id
# Default place to store LDAP users. Could be content object id or group name for LDAP user group,
# depends on LDAPUserGroupType.
LDAPUserGroup[]=12
# LDAP attribute type for user group. Could be name or id
LDAPUserGroupAttributeType=name
# LDAP attribute for user group. For example, employeetype. If specified, LDAP users
# will be saved under the same group as in LDAP server.
LDAPUserGroupAttribute=employeetype
# LDAP attribute for First name. Normally, givenname
LDAPFirstNameAttribute=givenname
# LDAP attribute for Last name. Normally, sn
LDAPLastNameAttribute=sn
# LDAP attribute for email. Normally, mail
LDAPEmailAttribute=mail
# LDAP encoding is utf-8 or not
Utf8Encoding=false
# if 'enabled' you can move LDAP users to a different group and they will not
# be automatically moved back (to the group they are configured to be placed in)
# when the user logs in again.
KeepGroupAssignment=disabled
--------------------------------------------

There is a way to test whether this working?

We must modify / Configure something else? you can send any example

Thank you in advance, any help will be welcome

Cristian.
UTN Facultad Regional Delta
Campana, Bs. As. Argentina

UTN Facultad Regional Delta
Campana, Bs.As.-Argentina
http://www.frd.utn.edu.ar

Abdelkader RHOUATI

Thursday 21 February 2008 3:39:50 am

hi,

you need also , to configurate your site ez to the auth LDAP. you need edit the site.ini.

example for a configuration from a project (intranet) which I have already done.

[SiteSettings]
SiteName=Name Project
SiteURL=URL Project
DefaultPage=/content/view/full/2
LoginPage=custom

[UserSettings]
LoginHandler[]=LDAP
LoginHandler[]=standard

[SiteAccessSettings]
RequireUserLogin=true
RelatedSiteAccessList[]=site
RelatedSiteAccessList[]=site_admin

tks.

Abdelkader.

Abdelkader RHOUATI

Blog (french) : http://arhouati.com
----
Extension arh_jdebug : EzDebug using jquery

Cristian Pacheco

Thursday 21 February 2008 4:07:54 am

Hello, forget to mention it, but it was this change in settings/site.ini

--------------------------------
[UserSettings]
LoginHandler[]=LDAP
--------------------------------

It is also necessary to add this:
LoginHandler[]=standard

Thanks, Cristian.

UTN Facultad Regional Delta
Campana, Bs.As.-Argentina
http://www.frd.utn.edu.ar

Philip K.

Wednesday 26 May 2010 2:55:02 am

Hi there.

I am also trying to set up LDAP but it still doesn't work.

Here is what I did:

Users

I created a user with login id "eZLDAP" on our Domain-Controller (Windows SBS 2008). After that I created the same user inside of eZ Publish.

Settings in override/ldap.ini.append.php

[LDAPSettings]
LDAPDebugTrace=enabled
# Set LDAP version number
LDAPVersion=3
# Set to true if use LDAP server
LDAPEnabled=true
# LDAP host
LDAPServer=sbs2008
# Port nr for LDAP, default is 389
LDAPPort=389
# Specifies the base DN for the directory.
LDAPBaseDn=DC--Office,DC--local
# If the server does not allow anonymous bind, specify the user name for the bind here.
LDAPBindUser=eZLDAP
# If the server does not allow anonymous bind, specify the password for the bind here.
LDAPBindPassword=******
# Could be sub, one, base.
LDAPSearchScope=sub
# Use the equla sign to replace "=" when specify LDAPBaseDn or LDAPSearchFilters
LDAPEqualSign=--
# Add extra search requirment. Uncomment it if you don't need it.
# Example LDAPSearchFilters[]=objectClass--inetOrgPerson
LDAPSearchFilters[]
# LDAP attribute for login. Normally, uid
LDAPLoginAttribute=uid

# Could be id or name
LDAPUserGroupType=id
# Default place to store LDAP users. Could be content object id or group name for LDAP user group,
# depends on LDAPUserGroupType.
LDAPUserGroup[]=5
# LDAP attribute type for user group. Could be name or id
LDAPUserGroupAttributeType=name
# LDAP attribute for user group. For example, employeetype. If specified, LDAP users
# will be saved under the same group as in LDAP server.
LDAPUserGroupAttribute=employeetype
# LDAP attribute for First name. Normally, givenname
LDAPFirstNameAttribute=givenname
# LDAP attribute for Last name. Normally, sn
LDAPLastNameAttribute=sn
# LDAP attribute for email. Normally, mail
LDAPEmailAttribute=mail
# LDAP encoding is utf-8 or not
Utf8Encoding=false
# if 'enabled' you can move LDAP users to a different group and they will not
# be automatically moved back (to the group they are configured to be placed in)
# when the user logs in again.
KeepGroupAssignment=disabled

Settings in override/site.ini.append.php

[UserSettings]
LoginHandler[]=LDAP
LoginHandler[]=standard

If I want to login with my own username/password I get the fopllowing debug output:

 Notice: eZLDAPUser::loginUser      May 26 2010 11:40:35

array (
  'stage' => '1/5: Connecting and Binding to LDAP server',
  'LDAPServer' => 'sbs2008',
  'LDAPPort' => '389',
  'LDAPBindUser' => 'eZLDAP',
  'LDAPVersion' => '3',
)

Error: eZLDAPUser::loginUser()     May 26 2010 11:40:35

Cannot initialize connection for LDAP server

Is there anything to setup on servers' side?

Any ideas why I cannot connect?

Would be nice to get some help.

Thanks a lot!

Linux is like a wigwam; no windows, now gates, and apache inside!

Philip K.

Monday 31 May 2010 6:32:07 am

I found a solution!

Windows-AD requires the following settings:

[LDAPSettings]
# Enable tracing the the ldap login, outputs extensive debug info for use during setup
# NOTE: Do not keep this enabled on production setup as login name and passwords will be 
# logged to logfiles or outputted if DebugOutput settings are enabled. 
LDAPDebugTrace=enabled
# Set LDAP version number
LDAPVersion=3
# Set to true if use LDAP server
LDAPEnabled=true
# LDAP host
LDAPServer=<YourHostIP>
# Port nr for LDAP, default is 389
LDAPPort=389
# Specifies the base DN for the directory.
LDAPBaseDn=DC--Example,DC--com
# If the server does not allow anonymous bind, specify the user name for the bind here.
LDAPBindUser=<someone>@example.com
# If the server does not allow anonymous bind, specify the password for the bind here.
LDAPBindPassword=********
# Use the equla sign to replace "=" when specify LDAPBaseDn or LDAPSearchFilters
LDAPEqualSign=--
# LDAP attribute for login. Normally, uid
LDAPLoginAttribute=sAMAccountName

Linux is like a wigwam; no windows, now gates, and apache inside!

Powered by eZ Publish™ CMS Open Source Web Content Management. Copyright © 1999-2014 eZ Systems AS (except where otherwise noted). All rights reserved.