
Do not confuse these instructions with those for Shibboleth implementations that use an Active Directory IdP; this page covers direct LDAP/AD binds only.

LDAP/AD authentication is highly specific to the environment in which PCR-360 is installed, so there is no one-size-fits-all set of options that covers every server. Every institution has a System/Network Administrator who can provide the correct settings (host, base DN, bind account and group DNs) for its directory.

...

In this screenshot (not included in this version of the page), the PCR-360 Role SysAdmin is mapped to the AD group CN=SysAdmin,CN=Users,DC=domain,DC=name. A user whose memberof attribute contains that group DN receives the SysAdmin Role on login.

...

Configuration Options

In addition to some of the (2024.1) Authorization Parameters, PCR-360 utilizes various Zend Framework 1 Server Options.

...

The following are of particular interest:

```ini
; Both LDAP & AD use the "Ldap" Adapter
auth.AUTH_ADAPTER = "Ldap"
; The directory attribute holding the login name (sAMAccountName for AD)
auth.AUTH_IDENTITY = "sAMAccountName"
auth.AUTH_CREATE_USERS = true
auth.AUTH_UPDATE_USERS = true
; Map the groups listed in AUTH_ATTRMAP_GROUPS to PCR-360 Roles (see the SysAdmin example above)
auth.AUTH_ROLEMAPPING = true

; auth attribute mapping: PCR-360 field on the left, directory attribute read from the user's entry on the right
auth.AUTH_ATTRMAP_USERID = "username"
auth.AUTH_ATTRMAP_DISPLAYNAME = "displayName"
auth.AUTH_ATTRMAP_FIRSTNAME = "givenName"
auth.AUTH_ATTRMAP_LASTNAME = "sn"
auth.AUTH_ATTRMAP_EMAIL = "mail"
auth.AUTH_ATTRMAP_PHONE = "telephoneNumber"
auth.AUTH_ATTRMAP_GROUPS = "memberof"
```

...

LDAP Server Options are prefixed with "ldap". The server name that follows (e.g. "server1" here) is arbitrary and is used to group the settings for a single server. When authenticating, PCR-360 tries each configured server in turn until one of them authenticates the user, so every server listed here is trusted equally and a failed bind on the first server is not an error by itself.

```ini
ldap.server1.host = server.hostname
ldap.server1.port = 389
ldap.server1.accountFilterFormat = "(sAMAccountName=%s)"
ldap.server1.accountCanonicalForm = 2
ldap.server1.baseDn = "CN=Users,DC=domain,DC=name"

; false sends the bind password and every user's login in cleartext on port 389.
; Set useStartTls = true (or useSsl = true with port = 636) once the server's
; OpenLDAP client trusts the AD certificate.
ldap.server1.useStartTls = false
ldap.server1.bindAnonymous = true
ldap.server1.bindRequiresDn = true
ldap.server1.accountDomainName = "domain.name"
ldap.server1.accountDomainNameShort = "domain"
ldap.server1.tryUsernameSplit = true

; The Bind DN user (use a dedicated account with read-only directory rights)
ldap.server1.username = "CN=bind-dn-user,CN=Users,DC=domain,DC=name"

; The Bind DN user's password
ldap.server1.password = "bind-password"

; This filter restricts logins to members of one Active Directory security group.
; The matching rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) also
; matches users who belong through nested groups. The value after ":=" must be the
; DN of the group itself; CN=Users,DC=domain,DC=name is the container that holds the
; accounts, not a group. CN=PCR360-Users is a placeholder for your group's name.
ldap.server1.bindAccountFilterFormat = "(&(objectCategory=Person)(sAMAccountName=%s)(memberOf:1.2.840.113556.1.4.1941:=CN=PCR360-Users,CN=Users,DC=domain,DC=name))"
```
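The following script is an added example, not code from PCR-360 or Zend Framework. It reads an ldap.<server>.* block like the one above from an embedded, constructed config, substitutes a login name for %s with RFC 4515 filter escaping (Zend_Ldap escapes the value before it runs sprintf on accountFilterFormat, so this is the query the adapter actually sends), flags a bind that would cross the wire in cleartext, and maps a user's memberof values to PCR-360 Roles the way the SysAdmin mapping above does. The host dc01.domain.name, the group CN=PCR360-Users, the ROLE_MAP table and the sample logins are placeholders invented for the example.

```python
"""Preview the LDAP filters PCR-360's "Ldap" adapter will send for a login.

Added example, not PCR-360 or Zend Framework code. Reads ldap.<server>.*
options from an ini-style string, substitutes a login for %s with RFC 4515
escaping, flags a cleartext bind, and maps memberOf DNs to PCR-360 Roles.
"""

# Constructed sample config using the option names from the page. The host,
# bind DN and the group CN=PCR360-Users are placeholders, not real values.
SAMPLE_CONFIG = """
ldap.server1.host = dc01.domain.name
ldap.server1.port = 389
ldap.server1.useStartTls = false
ldap.server1.baseDn = "CN=Users,DC=domain,DC=name"
ldap.server1.accountFilterFormat = "(sAMAccountName=%s)"
; restrict logins to (nested) members of one security group
ldap.server1.bindAccountFilterFormat = "(&(objectCategory=Person)(sAMAccountName=%s)(memberOf:1.2.840.113556.1.4.1941:=CN=PCR360-Users,CN=Users,DC=domain,DC=name))"
ldap.server1.username = "CN=bind-dn-user,CN=Users,DC=domain,DC=name"
ldap.server1.password = "bind-password"
"""

# Constructed Role mapping, same shape as the SysAdmin mapping on the page.
ROLE_MAP = {
    "CN=SysAdmin,CN=Users,DC=domain,DC=name": "SysAdmin",
    "CN=PCR360-Users,CN=Users,DC=domain,DC=name": "User",
}

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def parse_ldap_options(text):
    """Return {server: {option: value}} for every ldap.<server>.<option> line."""
    servers = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # drop the surrounding quotes
        parts = key.split(".", 2)
        if len(parts) != 3 or parts[0] != "ldap":
            continue
        servers.setdefault(parts[1], {})[parts[2]] = value
    return servers


def render_filters(opts, login):
    """Substitute the escaped login for %s, standing in for the adapter's sprintf."""
    safe = escape_filter_value(login)
    return {
        "account": opts["accountFilterFormat"].replace("%s", safe),
        "bind": opts.get("bindAccountFilterFormat", "").replace("%s", safe),
    }


def transport_warnings(opts):
    """Flag settings that put the bind password and user logins on the wire in clear."""
    warnings = []
    start_tls = opts.get("useStartTls", "false").lower() == "true"
    use_ssl = opts.get("useSsl", "false").lower() == "true"
    if not (start_tls or use_ssl):
        warnings.append(
            "port %s without useStartTls/useSsl: bind password and every user's "
            "password are sent in cleartext" % opts.get("port", "389"))
    if use_ssl and opts.get("port") == "389":
        warnings.append("useSsl = true normally pairs with port 636, not 389")
    return warnings


def map_roles(member_of, role_map=ROLE_MAP):
    """Map a user's memberOf DNs to PCR-360 Roles (DN comparison is case-insensitive).

    AD's memberOf attribute lists direct memberships only, while the
    :1.2.840.113556.1.4.1941: rule in the bind filter also walks nested groups,
    so a user can pass the bind filter and still receive no Role here.
    """
    lookup = {dn.lower(): role for dn, role in role_map.items()}
    return sorted({lookup[dn.lower()] for dn in member_of if dn.lower() in lookup})


if __name__ == "__main__":
    opts = parse_ldap_options(SAMPLE_CONFIG)["server1"]
    for login in ("jdoe", "*)(sAMAccountName=*"):  # second one is an injection attempt
        print(login, "->", render_filters(opts, login)["bind"])
    for w in transport_warnings(opts):
        print("WARNING:", w)
    print(map_roles(["cn=sysadmin,cn=users,dc=domain,dc=name"]))
```

Run it as-is to see the rendered filters; paste the "bind" output into ldapsearch against your own directory (with your real group DN) to confirm the filter returns exactly the accounts you expect before enabling it in PCR-360.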

Troubleshooting

Any issues enabling SSL/TLS (StartTLS on 389 or LDAPS on 636) may be a configuration problem with the server's OpenLDAP client, such as a CA certificate it does not trust, and are outside the scope of this document.