Difference between revisions of "LDAP Authentication"
m (→Redmine: formatting) |
|||
| Line 18: | Line 18: | ||
Be aware of the following: | Be aware of the following: | ||
| − | If you enable ldap auth, it'll remove all your groups, users, ibay accounts from the unix databases so everything is only in LDAP | + | {{Warning box|If you enable ldap auth, it'll remove all your groups, users, ibay accounts from the unix databases so everything is only in LDAP. |
| − | If you attempt to then disable LDAP Authentication this will break everything as you won't have any functioning accounts afterwards, and you will disable LDAP master auth | + | If you attempt to then disable LDAP Authentication this will break everything as you won't have any functioning accounts afterwards, and you will disable LDAP master auth functionality.}} |
=== Usage === | === Usage === | ||
Revision as of 08:25, 16 April 2014
LDAP for SME Server 8
Description
LDAP authentication
For SME 8 only, LDAP is readonly
This allows the use of SME user's database in other applications
- either local, eg. a LAMP app
- on the server itself, eg. egroupware
- on the local network, eg. another server in the local network which runs an ERP, but uses SME server user/group database
- or even a remote host, eg. a GLPI instance used to manage requests from several clients using SME server.
Installation
SME 8 beta 5 onwards
Uninstall
Be aware of the following:
Usage
Test with your email addressbook SME_Server:Documentation:User_Manual:Chapter2
View your LDAP Schema, ObjectClasses and Attributes with Phpldapadmin
Authentication
If you want to use the LDAP directory of your SME Server as authentication source on third party software, here are the parameters you need
User Base: ou=Users,dc=domain,dc=tld Group Base: ou=Groups,dc=domain,dc=tld Host: <the ip or hostname of your SME Server> (prefer the hostname or you'll have additional problem with certificate verification)
If you need to setup a filter to display only users, you can use the following:
(&(objectClass=inetOrgPerson)(objectClass=sambaSamAccount))
If you need to setup a filter to display only groups, you can use the following:
(&(objectClass=mailboxRelatedObject)(objectClass=posixGroup))
Optional - LDAP authentication can be enabled. Warning - Once enabled it cannot be disabled, so experiment with care. To enable:
db configuration setprop ldap Authentication enabled
Example setups for different types of clients
Example
Here are some example of working configurations
Redmine
- Name: LDAP_Linux
- Host: <your server name or ip>
- Port: 636 (LDAPS checked)
- Base DN: ou=Users,dc=yourdomain,dc=com
- On the fly user creation: (checked)
- Login: uid
- First name: givenName
- Last name: sn
- Email: mail
PaperCut
- Host: localhost or IP of SME server
- Use SSL (mark checkbox)
- DN Base: dc=sampledomain,dc=com
- DN Administrador: uid=admin,ou=Users,dc=sampledomain,dc=com
Use the TEST CONFIGURATION button to verify you can get profiles
OpenFire
- Host: localhost or IP of SME server
- Porta: 389
- DN Base: ou="Users",dc="sampledomain",dc="com"
- DN Administrador: uid="admin",ou="Users",dc="sampledomain",dc="com"
(when typing, you'll put no double quotes, but they will show later when you're reading the Server Configuration TAB.)
Use the TEST CONFIGURATION button to verify you can get profiles (not only administrator, press button twice and see other one!)
SugarCRM
Applications should use anonymous bind, there is no need to use the LDAP root password
- Enabled LDAP server
- Server: IP of the SME server
- Port Number: 389
- Base DN: ou=Users,dc=sampledomain,dc=com
- Bind Attribute: dn
- Login Attribute: uid
- Authenticated User: uid=root,ou=Users,dc=sampledomain,dc=com
- Authenticated Password: ldaps admin's password
- Enabled Auto Create Users
Synology NAS
- Enabled LDAP client
- Server: IP of the SME server
- Encryption: SSL
- Base DN: dc=sampledomain,dc=tld
- Bind DN:uid=admin,ou=Users,dc=sampledomain,dc=tld
- Bind pass: your admin password
Bugs
Please raise bugs under the SME Server 8 section
