Changes

From SME Server
Jump to navigationJump to search
4,261 bytes removed ,  08:40, 14 January 2016
m
Split off Authentication for apps
Line 1: Line 1: −
== LDAP for SME Server 8==
  −
  −
=== Description ===
  −
LDAP authentication
  −
  −
For SME 8 only, LDAP is readonly
  −
  −
This allows  the use of SME user's database in other applications
  −
: either local, eg. a LAMP app
  −
: on the server itself, eg. egroupware
  −
: on the local network, eg. another server in the local network which runs an ERP, but uses SME server user/group database
  −
: or even a remote host, eg. a GLPI instance used to manage requests from several clients using SME server.
  −
  −
=== Installation ===
  −
SME 8 beta 5 onwards
  −
  −
=== Uninstall ===
  −
Be aware of the following:
  −
   
{{Warning box|If you enable ldap auth, it'll remove all your groups, users, ibay accounts from the unix databases so everything is only in LDAP.
 
{{Warning box|If you enable ldap auth, it'll remove all your groups, users, ibay accounts from the unix databases so everything is only in LDAP.
    
If you attempt to then disable LDAP Authentication this will break everything as you won't have any functioning accounts afterwards, and you will disable LDAP master auth functionality.}}
 
If you attempt to then disable LDAP Authentication this will break everything as you won't have any functioning accounts afterwards, and you will disable LDAP master auth functionality.}}
   −
=== Usage ===
+
LDAP authentication can be enabled (Experimental). Warning - Once enabled it cannot be disabled, so experiment with care. To enable:
Test with your email addressbook
  −
[[:SME_Server:Documentation:User_Manual:Chapter2]]
  −
 
  −
View your LDAP Schema, ObjectClasses and Attributes with [[:Phpldapadmin ]]
  −
 
  −
=== Authentication ===
  −
If you want to use the LDAP directory of your SME Server as authentication source on third party software, here are the parameters you need
  −
 
  −
User Base: ou=Users,dc=domain,dc=tld
  −
Group Base: ou=Groups,dc=domain,dc=tld
  −
Host: <the ip or hostname of your SME Server> (prefer the hostname or you'll have additional problem with certificate verification)
  −
 
  −
If you need to setup a filter to display only users, you can use the following:
  −
 
  −
(&(objectClass=inetOrgPerson)(objectClass=sambaSamAccount))
  −
 
  −
If you need to setup a filter to display only groups, you can use the following:
  −
 
  −
(&(objectClass=mailboxRelatedObject)(objectClass=posixGroup))
  −
 
  −
Optional - LDAP authentication can be enabled. Warning - Once enabled it cannot be disabled, so experiment with care. To enable:
   
  db configuration setprop ldap Authentication enabled
 
  db configuration setprop ldap Authentication enabled
    
{{Warning box|Do not attempt to disable LDAP Authentication once enabled as it will cause your server to become unuseable.}}
 
{{Warning box|Do not attempt to disable LDAP Authentication once enabled as it will cause your server to become unuseable.}}
  −
{{Note box|Most of the time, anonymous binds are sufficient, no need to configure the Admin DN and password. A few applications do require to bind as a valid user. This is needed when your application needs access attributes like uidNumber, gidNumber, homeDIrectory, loginShell etc... (for example, if you need to authenticate another Linux box using nss_ldap or sssd, you'll need to bind as a valid user). In this case, you can create a regular user (you may name it auth for example), set it a password, and use it's dn and credential to bind to your LDAP server}}
  −
  −
{{Note box|The LDAP directory can be consulted with plain text connections, but for security reason, authentication against LDAP is only allowed using SSL or TLS (or if your application runs directly on SME itself). So if you want to authenticate against LDAP on a remote box, you need to be sure to use LDAPs on port 636, or TLS on port 389. You also need to be sure your application can validate the certificate of your SME Server. If you try to authenticate over a plain text connection, SME will simply reject the authentication}}
  −
  −
Example setups for different types of clients
  −
  −
=== Example ===
  −
  −
Here are some example of working configurations
  −
  −
==== Redmine ====
  −
  −
:Name: LDAP_Linux
  −
:Host: '''<your server name or ip>'''
  −
:Port:  636 (LDAPS checked)
  −
:Base DN: ou=Users,dc='''yourdomain''',dc='''com'''
  −
:On the fly user creation: (checked)
  −
  −
:Login: uid
  −
:First name: givenName
  −
:Last name: sn
  −
:Email: mail
  −
  −
==== PaperCut ====
  −
: Host: localhost or IP of SME server
  −
: '''Use SSL (mark checkbox)'''
  −
: DN Base: dc=sampledomain,dc=com
  −
: DN Administrador: uid=admin,ou=Users,dc=sampledomain,dc=com
  −
  −
Use the TEST CONFIGURATION button to verify you can get profiles
  −
  −
  −
==== OpenFire ====
  −
: Host: localhost or IP of SME server
  −
: Porta: 389
  −
: DN Base: ou="Users",dc="sampledomain",dc="com"
  −
: DN Administrador: uid="admin",ou="Users",dc="sampledomain",dc="com"
  −
(when typing, you'll put no double quotes, but they will show later when you're reading the Server Configuration TAB.)
  −
  −
Use the TEST CONFIGURATION button to verify you can get profiles (not only administrator, press button twice and see other one!)
  −
  −
==== SugarCRM ====
  −
  −
Applications should use anonymous bind, there is no need to use the LDAP root password
  −
  −
: Enabled LDAP server
  −
: Server: IP of the SME server
  −
: Port Number: 389
  −
: Base DN: ou=Users,dc=sampledomain,dc=com
  −
: Bind Attribute: dn
  −
: Login Attribute: uid
  −
: Authenticated User: uid=root,ou=Users,dc=sampledomain,dc=com
  −
: Authenticated Password: ldaps admin's password
  −
: Enabled Auto Create Users
  −
  −
==== Synology NAS ====
  −
  −
:Enabled LDAP client
  −
:Server: IP of the SME server
  −
:Encryption: SSL
  −
:Base DN: dc=sampledomain,dc=tld
  −
:Bind DN:uid=admin,ou=Users,dc=sampledomain,dc=tld
  −
:Bind pass: your admin password
  −
  −
=== Bugs ===
  −
Please raise bugs under the SME Server 8 section
  −
      
----
 
----
 
[[Category:Howto]]
 
[[Category:Howto]]

Navigation menu