...
Do not confuse these instructions with those for Shibboleth implementations backed by an Active Directory IdP.
LDAP/AD authentication is highly specific to the environment in which PCR-360 is installed, so there is no one-size-fits-all set of options that covers every server. Every institution has a System/Network Administrator who can provide the correct settings (directory hostname, base DN, bind account, and the DNs of the groups used for role mapping).
...
In this screenshot, the PCR-360 Role of SysAdmin is mapped to the AD group CN=SysAdmin,CN=Users,DC=domain,DC=name. The group DNs PCR-360 compares against these mappings come from the attribute named by auth.AUTH_ATTRMAP_GROUPS (memberof in the options below).
...
Configuration Options
In addition to its own Authorization Parameters, PCR-360 uses various Zend Framework 1 (Zend_Ldap) server options.
...
The following are of particular interest:
```ini
; Both LDAP & AD use the "Ldap" Adapter
auth.AUTH_ADAPTER = "Ldap"
; The directory attribute that holds the login name (sAMAccountName for AD)
auth.AUTH_IDENTITY = "sAMAccountName"
auth.AUTH_CREATE_USERS = true
auth.AUTH_UPDATE_USERS = true
auth.AUTH_ROLEMAPPING = true
; auth attribute mapping for LDAP system attributes
auth.AUTH_ATTRMAP_USERID = "username"
auth.AUTH_ATTRMAP_DISPLAYNAME = "displayName"
auth.AUTH_ATTRMAP_FIRSTNAME = "givenName"
auth.AUTH_ATTRMAP_LASTNAME = "sn"
auth.AUTH_ATTRMAP_EMAIL = "mail"
auth.AUTH_ATTRMAP_PHONE = "telephoneNumber"
auth.AUTH_ATTRMAP_GROUPS = "memberof"
```
...
LDAP Server Options are prefixed with "ldap". The server name that follows (e.g. "server1" here) is arbitrary and is used to group the settings for a single server. When authenticating, PCR-360 loops through all the configured servers in order until one of them successfully authenticates the user; a failed bind on one server is not an error by itself, only a fall-through to the next, so the ordering of the server blocks matters.
```ini
ldap.server1.host = server.hostname
ldap.server1.port = 389
ldap.server1.accountFilterFormat = "(sAMAccountName=%s)"
; 2 = bare account name (Zend_Ldap ACCTNAME_FORM_USERNAME)
ldap.server1.accountCanonicalForm = 2
ldap.server1.baseDn = "CN=Users,DC=domain,DC=name"
; false means cleartext LDAP on port 389; set to true in production
ldap.server1.useStartTls = false
ldap.server1.bindAnonymous = true
ldap.server1.bindRequiresDn = true
ldap.server1.accountDomainName = "domain.name"
ldap.server1.accountDomainNameShort = "domain"
ldap.server1.tryUsernameSplit = true
; The Bind DN user
ldap.server1.username = "CN=bind-dn-user,CN=Users,DC=domain,DC=name"
; The Bind DN user's password
ldap.server1.password = "bind-password"
; The following filter restricts access to a specific Active Directory Security Group.
; The DN after ":=" must be that group's DN (the value shown is a placeholder);
; matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) also matches nested membership.
ldap.server1.bindAccountFilterFormat = "(&(objectCategory=Person)(sAMAccountName=%s)(memberOf:1.2.840.113556.1.4.1941:=CN=Users,DC=domain,DC=name))"
```
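The following is an added example, not PCR-360 or Zend Framework code: a Python model of how the ldap.server1.* options above turn a typed-in login into the search filters sent to the directory (tryUsernameSplit, accountCanonicalForm = 2, accountFilterFormat and bindAccountFilterFormat), together with the RFC 4515 escaping that keeps a login from rewriting the filter, and a check for the two settings in the example a reviewer would flag. The ini text it parses is a constructed copy of the block above; the group DN CN=PCR360-Users,CN=Users,DC=domain,DC=name is an assumed placeholder, and the splitting and escaping rules are a simplified model rather than Zend_Ldap's actual implementation.

```python
"""Model of the ldap.server1.* options: login -> LDAP filters, plus an audit.

Added example, not PCR-360 or Zend Framework code.  The config text below is
constructed for illustration and the group DN in bindAccountFilterFormat is
an assumed placeholder.
"""

# Constructed copy of the server1 block from the page (assumed group DN).
EXAMPLE_CONFIG = '''
ldap.server1.host = server.hostname
ldap.server1.port = 389
ldap.server1.accountFilterFormat = "(sAMAccountName=%s)"
ldap.server1.accountCanonicalForm = 2
ldap.server1.baseDn = "CN=Users,DC=domain,DC=name"
ldap.server1.useStartTls = false
ldap.server1.bindAnonymous = true
ldap.server1.bindRequiresDn = true
ldap.server1.accountDomainName = "domain.name"
ldap.server1.accountDomainNameShort = "domain"
ldap.server1.tryUsernameSplit = true
; The Bind DN user
ldap.server1.username = "CN=bind-dn-user,CN=Users,DC=domain,DC=name"
; The Bind DN user's password
ldap.server1.password = "bind-password"
; Hypothetical security group DN (the page shows a placeholder here)
ldap.server1.bindAccountFilterFormat = "(&(objectCategory=Person)(sAMAccountName=%s)(memberOf:1.2.840.113556.1.4.1941:=CN=PCR360-Users,CN=Users,DC=domain,DC=name))"
'''


def parse_server_options(ini_text, server="server1"):
    """Collect the ldap.<server>.* keys from a Zend-style ini fragment.

    Comments start with ';', values may be double-quoted, and only the first
    '=' separates key from value (the filter values themselves contain '=').
    """
    prefix = "ldap.%s." % server
    opts = {}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not key.startswith(prefix):
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        opts[key[len(prefix):]] = value
    return opts


def is_true(opts, key):
    return opts.get(key, "false").strip().lower() in ("true", "1", "on", "yes")


def canonical_username(login, opts):
    """Reduce what the user typed to the bare account name.

    Simplified model of tryUsernameSplit with accountCanonicalForm = 2
    (Zend_Ldap's ACCTNAME_FORM_USERNAME): 'DOMAIN\\user' and 'user@domain.name'
    are split and the domain part compared with accountDomainNameShort /
    accountDomainName.  A mismatch returns None, the cue to move on to the
    next configured server.
    """
    if not is_true(opts, "tryUsernameSplit"):
        return login
    if "\\" in login:
        domain, _, name = login.partition("\\")
        return name if domain.lower() == opts.get("accountDomainNameShort", "").lower() else None
    if "@" in login:
        name, _, domain = login.rpartition("@")
        return name if domain.lower() == opts.get("accountDomainName", "").lower() else None
    return login


def escape_filter_value(value):
    """RFC 4515 escaping of the characters that would otherwise let a login
    such as '*)(objectClass=*' rewrite the search filter (filter injection)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_filters(login, opts):
    """Render accountFilterFormat and bindAccountFilterFormat for a login, or
    return None when the login does not belong to this server's domain."""
    name = canonical_username(login, opts)
    if name is None:
        return None
    escaped = escape_filter_value(name)
    return {
        "account": opts["accountFilterFormat"].replace("%s", escaped),
        "bind": opts["bindAccountFilterFormat"].replace("%s", escaped),
    }


def audit(opts):
    """Settings in the example block that should be fixed before go-live."""
    findings = []
    if not is_true(opts, "useStartTls"):
        findings.append("useStartTls=false on port %s: bind DN password and every user "
                        "password cross the network in cleartext" % opts.get("port", "?"))
    if opts.get("password"):
        findings.append("bind password is stored in plaintext in the ini file; restrict its "
                        "file permissions and use a low-privilege bind account")
    return findings


if __name__ == "__main__":
    options = parse_server_options(EXAMPLE_CONFIG)
    for login in ("domain\\jdoe", "jdoe@domain.name", "other\\jdoe", "*)(objectClass=*"):
        print(login, "->", build_filters(login, options))
    for finding in audit(options):
        print("WARNING:", finding)
```

Running it shows the three spellings of the same account collapsing to one filter, a login from another domain returning None (the fall-through to the next server block), and the injection attempt being neutralised into `\2a\29\28objectClass=\2a` rather than closing the filter early.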
Troubleshooting
With useStartTls = false on port 389, as in the example above, every bind, including each user's password, crosses the network in cleartext; enable StartTLS (useStartTls = true) in production. Any issues enabling SSL/TLS are usually a configuration problem with the server's OpenLDAP client rather than with PCR-360 (most often the CA that issued the directory's certificate is missing from the client's trust store, set via TLS_CACERT in ldap.conf) and are outside the scope of this document.