LDAP

| Authentication | Users | Password |
|---|---|---|
| ✔ | ✔ | ✔ |
Presentation
LL::NG can use an LDAP directory to:
This works with every LDAP v2 or v3 server, including Active Directory.
LL::NG is compatible with LDAP password policy:
The LDAP server can check password strength, and the LL::NG portal will display the corresponding errors (password too short, password in history, etc.).
The LDAP server can block brute-force attacks, and LL::NG will display that the account is locked.
The LDAP server can force a password change on first connection, and the LL::NG portal will display a password change form before opening the SSO session.
Configuration
In the Manager, go to General Parameters > Authentication modules and choose LDAP for the authentication, users and/or password modules.
Authentication level
The authentication level given to users authenticated with this module.
As LDAP is a login/password-based module, the authentication level can be:
Exported variables
Connection
Server host: LDAP server hostname or URI (by default: localhost). Some specific forms are accepted:
More than one server can be set here, separated by spaces or commas. They will be tested in the specified order.
To use TLS, set ldap+tls://server, and to use LDAPS, set ldaps://server instead of the server name.
If you use TLS, you can set any option of the Net::LDAP start_tls() sub in the URI, like ldap+tls://server/verify=none&capath=/etc/ssl. You can also use the caFile and caPath parameters.
Server port: TCP port used by the LDAP server. Can be overridden by an LDAP URI in Server host.
Users search base: Base of search in the LDAP directory.
Account: DN used to connect to the LDAP server. By default, anonymous bind is used.
Password: password used to connect to the LDAP server. By default, anonymous bind is used.
Timeout: server idle timeout.
Version: LDAP protocol version.
Binary attributes: regular expression matching binary attributes (see Net::LDAP documentation).
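The Server host setting packs several things into one string: an ordered list of servers, a scheme (plain, StartTLS or LDAPS), an optional port that overrides Server port, and start_tls() options after the "/". The following Python helper is an added example, not LL::NG's or Net::LDAP's own parsing code: it expands such a value into the ordered list of servers and then flags entries that would talk in cleartext or skip certificate verification (the page's own verify=none example). The port precedence it applies (URI port, then Server port, then the scheme default) and the hostnames are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl

# Scheme defaults used only when neither the URI nor "Server port" gives a port
# (389 for ldap and ldap+tls, 636 for ldaps). Assumption for this example.
SCHEME_DEFAULT_PORT = {"ldap": 389, "ldap+tls": 389, "ldaps": 636}


def parse_server_host(server_host, server_port=None):
    """Expand the "Server host" setting into the ordered list of servers to try.

    server_host: the value as typed in the Manager (hostnames and/or URIs,
                 separated by spaces or commas; the order is the try order).
    server_port: the "Server port" setting, or None if left empty.

    Port precedence modelled here (an assumption, not a rule stated by LL::NG):
    explicit port in the URI > "Server port" setting > scheme default.
    IPv6 literals ([::1]) are not handled.
    """
    servers = []
    for token in re.split(r"[\s,]+", server_host.strip()):
        if not token:
            continue
        scheme, sep, rest = token.partition("://")
        if not sep:                      # bare hostname: plain ldap://
            scheme, rest = "ldap", token
        scheme = scheme.lower()
        if scheme not in SCHEME_DEFAULT_PORT:
            raise ValueError(f"unsupported scheme in {token!r}")
        # Everything after the first "/" carries Net::LDAP start_tls() options,
        # e.g. "verify=none&capath=/etc/ssl".
        hostport, _, opts = rest.partition("/")
        host, _, port = hostport.partition(":")
        if not host:
            raise ValueError(f"missing host in {token!r}")
        if port:
            resolved_port = int(port)
        elif server_port is not None:
            resolved_port = int(server_port)
        else:
            resolved_port = SCHEME_DEFAULT_PORT[scheme]
        servers.append({
            "scheme": scheme,
            "host": host,
            "port": resolved_port,
            "tls_opts": dict(parse_qsl(opts)) if opts else {},
        })
    return servers


def unprotected_servers(servers):
    """Hosts reached in cleartext (ldap://) or with certificate checks disabled (verify=none)."""
    return [s["host"] for s in servers
            if s["scheme"] == "ldap" or s["tls_opts"].get("verify") == "none"]


if __name__ == "__main__":
    # Constructed example value; the hostnames are placeholders.
    value = ("ldap+tls://ldap1.example.com/verify=none&capath=/etc/ssl, "
             "ldaps://ldap2.example.com:6636 ldap3.example.com")
    servers = parse_server_host(value, server_port=389)
    for s in servers:
        print(s)
    print("review these hosts:", unprotected_servers(servers))
```

A bind password sent over a plain ldap:// connection or to a server whose certificate is not verified is exposed to anyone on the path, so the review list is worth checking before the configuration goes live.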
Filters
In LDAP filters, $user is replaced by the user login, and $mail by the user email.
Default filter: default LDAP filter for searches; should not be modified.
Authentication filter: filter to find the user from its login (default: (&(uid=$user)(objectClass=inetOrgPerson))).
Mail filter: filter to find the user from its mail (default: (&(mail=$mail)(objectClass=inetOrgPerson))).
For Active Directory, the default authentication filter is:
(&(sAMAccountName=$user)(objectClass=person))
And the mail filter is:
(&(mail=$mail)(objectClass=person))
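Because $user and $mail are substituted with values typed by the person logging in, the substituted value has to be escaped as an LDAP filter assertion value (RFC 4515), otherwise characters such as "*", "(" and ")" would alter the structure of the search filter. The Python below is an added example, not LL::NG's substitution code: it expands the four default filters from this page with an escaping substitution, and keeps a deliberately naive variant alongside to show what a login containing filter metacharacters does to an unescaped filter (the number of assertions changes). The function names and the sample logins are assumptions for the example.

```python
import re

# Default filters from this page, for OpenLDAP and Active Directory.
AUTH_FILTER = "(&(uid=$user)(objectClass=inetOrgPerson))"
MAIL_FILTER = "(&(mail=$mail)(objectClass=inetOrgPerson))"
AD_AUTH_FILTER = "(&(sAMAccountName=$user)(objectClass=person))"
AD_MAIL_FILTER = "(&(mail=$mail)(objectClass=person))"

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape one assertion value so it can only ever match literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, **values):
    """Expand $user / $mail in a filter template, escaping each substituted value.

    A single regex pass is used so that a value containing the text "$mail"
    is never re-expanded by a later substitution.
    """
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value supplied for ${name}")
        return escape_filter_value(values[name])
    return re.sub(r"\$(user|mail)\b", substitute, template)


def naive_build_filter(template, **values):
    """The unsafe variant: plain text replacement, no escaping. Shown only to
    make the difference visible; do not use."""
    out = template
    for name, value in values.items():
        out = out.replace("$" + name, value)
    return out


def assertion_count(filter_text):
    """Number of assertions in a filter: each "(" opens one. After escaping,
    a substituted value can no longer add any."""
    return filter_text.count("(")


if __name__ == "__main__":
    # Constructed sample logins; the second contains filter metacharacters.
    for login in ("jdoe", "*)(uid=*"):
        safe = build_filter(AUTH_FILTER, user=login)
        unsafe = naive_build_filter(AUTH_FILTER, user=login)
        print(f"{login!r}: escaped={safe} ({assertion_count(safe)} assertions), "
              f"naive={unsafe} ({assertion_count(unsafe)} assertions)")
```

The useful check in production is the one assertion_count() makes explicit: after substitution, the number of assertions in the filter must equal the number in the template, whatever the login contained.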
Groups
Search base: DN of the groups branch. If no value, group searching is disabled.
Object class: objectClass of the groups (default: groupOfNames).
Target attribute: name of the attribute in the groups storing the link to the user (default: member).
User source attribute: name of the attribute in users entries used in the link (default: dn).
Searched attributes: name(s) of the attribute storing the name of the group, space-separated (default: cn).
Recursive: activate the recursive group functionality (default: 0). If enabled and the user's group is itself a member of another group (group of groups), all parent groups will also be stored as the user's groups.
Group source attribute: name of the attribute in groups entries used in the link, for recursive group search (default: dn).
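The group settings above describe one search (groups whose Target attribute contains the user's User source attribute value) that the Recursive option repeats for every group found, using Group source attribute as the new link value. The Python below is an added example, not LL::NG's group code: it runs that walk over a small constructed in-memory directory that stands in for the LDAP server, with a visited set so that a group of groups that loops back on itself (here "staff" and "everyone" contain each other) cannot make the walk run forever. The directory contents, DNs and function names are constructed for the example.

```python
from collections import deque

# Constructed sample directory (DN -> attributes); not real data.
# "staff" and "everyone" contain each other, so a recursive walk meets a cycle.
USERS_BASE = "ou=users,dc=example,dc=com"
GROUPS_BASE = "ou=groups,dc=example,dc=com"
USER_DN = f"uid=jdoe,{USERS_BASE}"
DIRECTORY = {
    USER_DN: {"objectClass": ["inetOrgPerson"], "uid": ["jdoe"]},
    f"cn=devs,{GROUPS_BASE}": {"objectClass": ["groupOfNames"], "cn": ["devs"],
                               "member": [USER_DN]},
    f"cn=staff,{GROUPS_BASE}": {"objectClass": ["groupOfNames"], "cn": ["staff"],
                                "member": [f"cn=devs,{GROUPS_BASE}",
                                           f"cn=everyone,{GROUPS_BASE}"]},
    f"cn=everyone,{GROUPS_BASE}": {"objectClass": ["groupOfNames"], "cn": ["everyone"],
                                   "member": [f"cn=staff,{GROUPS_BASE}"]},
    f"cn=ops,{GROUPS_BASE}": {"objectClass": ["groupOfNames"], "cn": ["ops"],
                              "member": [f"uid=asmith,{USERS_BASE}"]},
}


def _in_base(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def _link_values(dn, attrs, attr_name):
    """Values of the attribute used to link entries; "dn" means the entry's own DN."""
    if attr_name.lower() == "dn":
        return [dn]
    return attrs.get(attr_name, [])


def find_groups(directory, search_base, object_class, target_attr, value):
    """Stand-in for the LDAP search (&(objectClass=<object_class>)(<target_attr>=<value>))
    under search_base; DN comparison is case-insensitive."""
    matches = []
    for dn, attrs in directory.items():
        if not _in_base(dn, search_base):
            continue
        if object_class not in attrs.get("objectClass", []):
            continue
        if any(v.lower() == value.lower() for v in attrs.get(target_attr, [])):
            matches.append(dn)
    return matches


def user_groups(directory, user_dn, *, search_base, object_class="groupOfNames",
                target_attr="member", user_source_attr="dn", searched_attrs=("cn",),
                recursive=False, group_source_attr="dn"):
    """Return the sorted group names of user_dn following the Manager settings.

    With recursive=True every group found is itself looked up as a member of
    other groups; `seen` stops the walk when a group of groups loops back.
    """
    if not search_base:
        return []  # empty Search base: group searching is disabled
    user_attrs = directory[user_dn]
    pending = deque(_link_values(user_dn, user_attrs, user_source_attr))
    seen, names = set(), set()
    while pending:
        value = pending.popleft()
        if value.lower() in seen:
            continue
        seen.add(value.lower())
        for group_dn in find_groups(directory, search_base, object_class,
                                    target_attr, value):
            group_attrs = directory[group_dn]
            for attr in searched_attrs:
                names.update(group_attrs.get(attr, []))
            if recursive:
                pending.extend(_link_values(group_dn, group_attrs, group_source_attr))
    return sorted(names)


if __name__ == "__main__":
    print("direct:   ", user_groups(DIRECTORY, USER_DN, search_base=GROUPS_BASE))
    print("recursive:", user_groups(DIRECTORY, USER_DN, search_base=GROUPS_BASE,
                                    recursive=True))
```

The walk also works for the posixGroup style (Target attribute memberUid, User source attribute uid), since the link value is read from whichever attribute the settings name rather than being assumed to be a DN.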
Password
Password policy control: enable to use LDAP password policy. This requires at least Net::LDAP 0.38. (see ppolicy workflow below)
Password modify extended operation: enable to use the LDAP extended operation password modify instead of the standard modify operation.
Change as user: enable to perform the password modification with the credentials of the connected user. This requires asking the user for their old password (see portal customization).
LDAP password encoding: allows managing old LDAP servers that use a specific encoding for passwords (default: utf-8).
Use reset attribute: enable to use the password reset attribute. This attribute is set by LemonLDAP::NG when the password was reset by mail and the user chose to generate the password (default: enabled).
Reset attribute: name of password reset attribute (default: pwdReset).
Reset value: value to set in reset attribute to activate password reset (default: TRUE).
Password expiration warning workflow
Password expiration workflow
Schema extension
Standards attributes, like uid, cn or mail, are often enough to configure access rules and headers.
But sometimes other data are needed (in particular to use extended functions):
An application name (to allow access by applications and not by group of users)
A start date and an end date (to open or close the service even if the entry already exists)
A time profile (allowed hours and day of the week)
One or more roles (to send to the protected applications)
Of course, standard LDAP attributes can be used to store these data, but LL::NG also provides an LDAP schema extension to manage them.
OID prefix
OpenLDAP schema
Just add this file to the OpenLDAP schemas by including it in slapd.conf:
include /usr/share/lemonldap-ng/ressources/sso.schema
This will provide the auxiliary object class ssoUser with the attributes:
ssoName
ssoRoles
ssoLogonHours
ssoStartDate
ssoEndDate
You can add this object class to any entry of your directory.