Difference between revisions of "LDAP Authentication"

From SME Server
m (Typo)
m (→‎Authentication: wrong LDAPs port corrected)
Line 41: Line 41:

{{Note box|Most of the time, anonymous binds are sufficient, no need to configure the Admin DN and password. A few applications do require to bind as a valid user. This is needed when your application needs access attributes like uidNumber, gidNumber, homeDIrectory, loginShell etc... (for example, if you need to authenticate another Linux box using nss_ldap or sssd, you'll need to bind as a valid user). In this case, you can create a regular user (you may name it auth for example), set it a password, and use it's dn and credential to bind to your LDAP server}}

− {{Note box|The LDAP directory can be consulted with plain text connections, but for security reason, authentication against LDAP is only allowed using SSL or TLS (or if your application runs directly on SME itself). So if you want to authenticate against LDAP on a remote box, you need to be sure to use LDAPs on port 686, or TLS on port 389. You also need to be sure your application can validate the certificate of your SME Server. If you try to authenticate over a plain text connection, SME will simply reject the authentication}}
+ {{Note box|The LDAP directory can be consulted with plain text connections, but for security reason, authentication against LDAP is only allowed using SSL or TLS (or if your application runs directly on SME itself). So if you want to authenticate against LDAP on a remote box, you need to be sure to use LDAPs on port 636, or TLS on port 389. You also need to be sure your application can validate the certificate of your SME Server. If you try to authenticate over a plain text connection, SME will simply reject the authentication}}

Example setups for different types of clients

Revision as of 14:59, 18 December 2012

LDAP for SME Server 8

Description

LDAP authentication

For SME 8 only; LDAP is read-only.

This allows the SME user database to be used by other applications:

either local, e.g. a LAMP app on the server itself, such as egroupware
on the local network, e.g. another server in the local network which runs an ERP but uses the SME Server user/group database
or even a remote host, e.g. a GLPI instance used to manage requests from several clients using SME Server.

Installation

SME 8 beta 5 onwards

Uninstall

Not needed; the new method is benign.

Usage

Test with your email address book; see SME_Server:Documentation:User_Manual:Chapter2.

View your LDAP schema, object classes and attributes with phpLDAPadmin.

Authentication

If you want to use the LDAP directory of your SME Server as the authentication source for third-party software, these are the parameters you need:

User Base: ou=Users,dc=domain,dc=tld
Group Base: ou=Groups,dc=domain,dc=tld
Host: <the IP or hostname of your SME Server> (prefer the hostname, or you will have additional problems with certificate verification)

If you need to set up a filter that displays only users, you can use the following:

(&(objectClass=inetOrgPerson)(objectClass=sambaSamAccount))

If you need to set up a filter that displays only groups, you can use the following:

(&(objectClass=mailboxRelatedObject)(objectClass=posixGroup))
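The two filters above, parsed and evaluated against a handful of constructed directory entries, as an added example (this is not SME Server code). It also shows the account-lookup filter an application builds from a login name (the SugarCRM "Login Attribute: uid" setting below works this way) and why that login value must be escaped as RFC 4515 requires before it is placed in the filter: an unescaped value can change the filter's structure. The DNs, attribute values and the attribute set of each entry are constructed for the example; a real SME directory carries more attributes than shown.

```python
import re

# RFC 4515 escapes for characters that would otherwise alter a filter's structure.
_SPECIAL = {'*': '\\2a', '(': '\\28', ')': '\\29', '\\': '\\5c', '\x00': '\\00'}
_HEX = re.compile(r'\\([0-9A-Fa-f]{2})')


def escape_filter_value(value: str) -> str:
    """Escape a value (e.g. a login name) for safe use inside an LDAP filter."""
    return ''.join(_SPECIAL.get(ch, ch) for ch in value)


def unescape_filter_value(raw: str) -> str:
    """Reverse the escaping (ASCII only; multi-byte UTF-8 escapes are not rebuilt)."""
    return _HEX.sub(lambda m: chr(int(m.group(1), 16)), raw)


def parse_filter(text: str):
    """Parse a filter into a tuple tree:
    ('&', [children]) / ('|', [children]) / ('!', child)
    ('present', attr) / ('=', attr, value) / ('substr', attr, [pieces])"""
    def parse(i):
        if i >= len(text) or text[i] != '(':
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if i >= len(text):
            raise ValueError("truncated filter")
        op = text[i]
        if op in '&|':
            i += 1
            children = []
            while i < len(text) and text[i] == '(':
                child, i = parse(i)
                children.append(child)
            if text[i:i + 1] != ')':
                raise ValueError(f"malformed {op!r} filter at offset {i}")
            return (op, children), i + 1
        if op == '!':
            child, i = parse(i + 1)
            if text[i:i + 1] != ')':
                raise ValueError(f"malformed '!' filter at offset {i}")
            return ('!', child), i + 1
        end = text.find(')', i)          # escaped values never contain a literal ')'
        if end < 0:
            raise ValueError("unterminated filter item")
        attr, sep, raw = text[i:end].partition('=')
        if not sep or not attr:
            raise ValueError(f"bad filter item {text[i:end]!r}")
        if raw == '*':
            node = ('present', attr)
        elif '*' in raw:
            node = ('substr', attr, [unescape_filter_value(p) for p in raw.split('*')])
        else:
            node = ('=', attr, unescape_filter_value(raw))
        return node, end + 1
    node, i = parse(0)
    if i != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry) -> bool:
    """Evaluate a parsed filter against an entry (dict: lowercase attr -> list of values).
    Comparisons are case-insensitive, as for the caseIgnore attributes used here."""
    kind = node[0]
    if kind == '&':
        return all(matches(c, entry) for c in node[1])
    if kind == '|':
        return any(matches(c, entry) for c in node[1])
    if kind == '!':
        return not matches(node[1], entry)
    values = [v.lower() for v in entry.get(node[1].lower(), [])]
    if kind == 'present':
        return bool(values)
    if kind == 'substr':
        pattern = '.*'.join(re.escape(p.lower()) for p in node[2])
        return any(re.fullmatch(pattern, v) for v in values)
    return node[2].lower() in values


USER_BASE = "ou=Users,dc=domain,dc=tld"
GROUP_BASE = "ou=Groups,dc=domain,dc=tld"
USER_FILTER = "(&(objectClass=inetOrgPerson)(objectClass=sambaSamAccount))"
GROUP_FILTER = "(&(objectClass=mailboxRelatedObject)(objectClass=posixGroup))"

# Constructed entries standing in for an SME directory (attribute set is illustrative).
ENTRIES = {
    "uid=alice,ou=Users,dc=domain,dc=tld": {
        "objectclass": ["inetOrgPerson", "sambaSamAccount"], "uid": ["alice"],
        "uidnumber": ["5000"], "gidnumber": ["5000"],
        "homedirectory": ["/home/alice"], "loginshell": ["/bin/false"]},
    "uid=bob,ou=Users,dc=domain,dc=tld": {
        "objectclass": ["inetOrgPerson", "sambaSamAccount"], "uid": ["bob"],
        "uidnumber": ["5001"], "gidnumber": ["5001"]},
    "cn=staff,ou=Groups,dc=domain,dc=tld": {
        "objectclass": ["mailboxRelatedObject", "posixGroup"], "cn": ["staff"],
        "gidnumber": ["5100"], "memberuid": ["alice", "bob"]},
}


def search(filter_text: str, base: str, entries=ENTRIES) -> list:
    """Return the DNs under `base` whose entry matches `filter_text`, sorted."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, attrs in entries.items()
                  if dn.lower().endswith(',' + base.lower()) and matches(node, attrs))


def login_filter(login: str) -> str:
    """Account-lookup filter for a login name; escaping keeps the login from
    turning into a wildcard or extra filter terms."""
    return ("(&(uid=%s)(objectClass=inetOrgPerson)(objectClass=sambaSamAccount))"
            % escape_filter_value(login))


if __name__ == "__main__":
    print("users       :", search(USER_FILTER, USER_BASE))
    print("groups      :", search(GROUP_FILTER, GROUP_BASE))
    print("login alice :", search(login_filter("alice"), USER_BASE))
    print("login '*'   :", search(login_filter("*"), USER_BASE))   # escaped: matches nothing
    print("raw (uid=*) :", search("(uid=*)", USER_BASE))            # unescaped wildcard: every user
```

Run it with no arguments; the last two lines of output show the difference between an escaped login value and a raw wildcard reaching the filter.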


Note:
Most of the time, anonymous binds are sufficient, and there is no need to configure the Admin DN and password. A few applications do require binding as a valid user. This is needed when your application needs access to attributes like uidNumber, gidNumber, homeDirectory, loginShell etc. (for example, if you need to authenticate another Linux box using nss_ldap or sssd, you will need to bind as a valid user). In this case, you can create a regular user (you may name it auth, for example), set a password for it, and use its DN and credentials to bind to your LDAP server.

Note:
The LDAP directory can be consulted over plain-text connections, but for security reasons, authentication against LDAP is only allowed using SSL or TLS (or if your application runs directly on SME itself). So if you want to authenticate against LDAP from a remote box, you need to be sure to use LDAPS on port 636, or TLS on port 389. You also need to be sure your application can validate the certificate of your SME Server. If you try to authenticate over a plain-text connection, SME will simply reject the authentication.
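A small checker for an application's LDAP client settings against the rule in this note, as an added example (not SME Server code): it flags a plain-text connection from a remote host, an LDAPS or StartTLS port other than the ones SME uses, a host given as an IP address (which defeats certificate name verification), and a missing CA certificate, and it builds the client-side TLS context that actually verifies the server certificate. The host names and the CA file path used in the configurations are placeholders; the `LdapClientConfig` fields are this example's own, not any particular application's settings.

```python
import ipaddress
import ssl
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass
class LdapClientConfig:
    uri: str                        # e.g. "ldaps://sme.domain.tld:636" (placeholder host)
    starttls: bool = False          # issue StartTLS on an ldap:// connection
    ca_file: Optional[str] = None   # CA certificate that signed the SME Server certificate
    runs_on_sme: bool = False       # the application is installed on the SME box itself


def transport(cfg: LdapClientConfig) -> str:
    """Classify the connection as 'ldaps', 'starttls' or 'plain'."""
    scheme = urlsplit(cfg.uri).scheme.lower()
    if scheme == "ldaps":
        return "ldaps"
    if scheme == "ldap":
        return "starttls" if cfg.starttls else "plain"
    raise ValueError(f"unsupported scheme {scheme!r}")


def check_config(cfg: LdapClientConfig) -> List[str]:
    """Return the problems that would make authentication fail or go unverified; [] if none."""
    problems = []
    parts = urlsplit(cfg.uri)
    mode = transport(cfg)
    port = parts.port or DEFAULT_PORTS[parts.scheme.lower()]
    host = parts.hostname or ""
    if mode == "plain" and not cfg.runs_on_sme:
        problems.append("plain-text connection from a remote host: SME rejects the authentication")
    if mode == "ldaps" and port != 636:
        problems.append(f"LDAPS on port {port}; SME serves LDAPS on port 636")
    if mode == "starttls" and port != 389:
        problems.append(f"StartTLS on port {port}; SME serves TLS on port 389")
    if mode != "plain":
        # Certificate verification only works against the name in the certificate.
        try:
            ipaddress.ip_address(host)
            problems.append("host given as an IP address; use the hostname so the certificate can be verified")
        except ValueError:
            pass
        if not cfg.ca_file:
            problems.append("no CA certificate configured; the SME Server certificate cannot be validated")
    return problems


def tls_context(ca_file: Optional[str]) -> ssl.SSLContext:
    """Client context that requires a certificate chaining to ca_file (or the system
    trust store when None) and checks that the certificate matches the hostname."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    # Constructed configurations: a remote app on plain 389, an app on the SME box itself,
    # and a remote app over LDAPS with the CA configured (placeholder paths and hosts).
    for cfg in (LdapClientConfig("ldap://192.0.2.10:389"),
                LdapClientConfig("ldap://localhost:389", runs_on_sme=True),
                LdapClientConfig("ldaps://sme.domain.tld:636", ca_file="/path/to/sme-ca.pem")):
        print(cfg.uri, "->", check_config(cfg) or "ok")
```

Applied to the example setups below: OpenFire on the SME box itself may use plain port 389, while a remote SugarCRM on port 389 would be rejected unless it negotiates TLS; in both remote cases the CA that signed the SME certificate must be trusted by the client.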


Example setups for different types of clients

Example

Here are some examples of working configurations.

OpenFire

Host: localhost or IP of SME server
Port: 389
Base DN: ou="Users",dc="sampledomain",dc="com"
Administrator DN: uid="admin",ou="Users",dc="sampledomain",dc="com"

(Type the values without double quotes; they will show up quoted later when you read the Server Configuration tab.)

Use the TEST CONFIGURATION button to verify that you can retrieve profiles (not only the administrator's: press the button twice to see another one).

SugarCRM

Applications should use an anonymous bind; there is no need to use the LDAP root password.

Enable LDAP server
Server: IP of the SME server
Port Number: 389
Base DN: ou=Users,dc=sampledomain,dc=com
Bind Attribute: dn
Login Attribute: uid
Authenticated User: uid=root,ou=Users,dc=sampledomain,dc=com
Authenticated Password: the LDAP admin's password
Enable Auto Create Users

Bugs

Please raise bugs under the SME Server 8 section.