LDAP/AD
Preface
Do not confuse these instructions with those for implementations that use Shibboleth with an Active Directory IdP.
LDAP/AD authentication is highly specific to the environment in which PCR-360 is installed, so there is no one-size-fits-all set of options that covers every server. Every institution will have a System/Network Administrator who can provide the proper settings.
The examples on this page are for a basic Active Directory server.
Compatibility
As stated by the Zend Framework developers, the LDAP adapter "has been tested to work with Microsoft Active Directory and OpenLDAP, but it should also work with other LDAP service providers".
Requirements
The php-ldap module is required.
Role Mapping
When auth.AUTH_ROLEMAPPING is set to "true", PCR-360 will try to match the AD/LDAP group to a PCR-360 Role. It requires the full DN of the group.
In this screenshot, the PCR-360 Role of SysAdmin is mapped to the AD CN=SysAdmin,CN=Users,DC=domain,DC=name group.
Configuration Options
In addition to some of the Authorization Parameters, PCR-360 utilizes various Zend Framework 1 Server Options.
Authorization Parameters
The following are of particular interest:
; Both LDAP & AD use the "Ldap" Adapter
auth.AUTH_ADAPTER = "Ldap"
auth.AUTH_IDENTITY = "sAMAccountName"
auth.AUTH_CREATE_USERS = true
auth.AUTH_UPDATE_USERS = true
auth.AUTH_ROLEMAPPING = true
; auth attribute mapping for LDAP system attributes
auth.AUTH_ATTRMAP_USERID = "username"
auth.AUTH_ATTRMAP_DISPLAYNAME = "displayName"
auth.AUTH_ATTRMAP_FIRSTNAME = "givenName"
auth.AUTH_ATTRMAP_LASTNAME = "sn"
auth.AUTH_ATTRMAP_EMAIL = "mail"
auth.AUTH_ATTRMAP_PHONE = "telephoneNumber"
auth.AUTH_ATTRMAP_GROUPS = "memberof"
Server Options
LDAP Server Options are prefixed with "ldap". The server name that follows (e.g. "server1" here) is arbitrary and is used to group the settings for a single server. When authenticating, PCR-360 loops through all the available servers until one authenticates the user successfully.
ldap.server1.host = server.hostname
ldap.server1.port = 389
ldap.server1.accountFilterFormat = "(sAMAccountName=%s)"
ldap.server1.accountCanonicalForm = 2
ldap.server1.baseDn = "CN=Users,DC=domain,DC=name"
ldap.server1.useStartTls = false
ldap.server1.bindAnonymous = true
ldap.server1.bindRequiresDn = true
ldap.server1.accountDomainName = "domain.name"
ldap.server1.accountDomainNameShort = "domain"
ldap.server1.tryUsernameSplit = true
; The Bind DN user
ldap.server1.username = "CN=bind-dn-user,CN=Users,DC=domain,DC=name"
; The Bind DN user's password
ldap.server1.password = "bind-password"
; The following filter restricts access to a specific Active Directory Security Group
ldap.server1.bindAccountFilterFormat = "(&(objectCategory=Person)(sAMAccountName=%s)(memberOf:1.2.840.113556.1.4.1941:=CN=Users,DC=domain,DC=name))"
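Two points from the Role Mapping and Server Options sections that are easy to get wrong are worth seeing in code: the `%s` in accountFilterFormat must receive an RFC 4515-escaped username so the filter structure cannot be altered by special characters, and role mapping must compare the configured group DN against the user's memberof values as whole DNs (AD DNs are case-insensitive, and spacing around commas varies). The following is an added example written for this page, not PCR-360 or Zend Framework code; the function names and the sample memberof values are constructed assumptions.

```python
import re

# RFC 4515 escapes for characters that are special inside an LDAP filter value.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before it is placed into a search filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_account_filter(template: str, username: str) -> str:
    """Substitute the escaped username for %s, as accountFilterFormat expects."""
    return template.replace('%s', escape_filter_value(username))


def normalize_dn(dn: str) -> str:
    """Normalise a DN for comparison: split on unescaped commas, strip
    whitespace around each RDN and case-fold (AD DNs are case-insensitive).
    Attribute values themselves are not unescaped here."""
    rdns = re.split(r'(?<!\\),', dn)
    return ','.join(rdn.strip() for rdn in rdns).casefold()


def map_roles(member_of: list, role_groups: dict) -> list:
    """Return the PCR-360 roles whose configured group DN appears in the
    user's memberof attribute. role_groups maps role name -> full group DN."""
    groups = {normalize_dn(dn) for dn in member_of}
    return sorted(role for role, dn in role_groups.items()
                  if normalize_dn(dn) in groups)


# Constructed sample data: a role-to-group mapping as described under Role
# Mapping, and a memberof attribute as AD might return it for one user.
ROLE_GROUPS = {
    'SysAdmin': 'CN=SysAdmin,CN=Users,DC=domain,DC=name',
    'Technician': 'CN=Technician,CN=Users,DC=domain,DC=name',
}
SAMPLE_MEMBER_OF = [
    'cn=sysadmin, cn=users, dc=domain, dc=name',   # case and spacing differ
    'CN=Domain Users,CN=Users,DC=domain,DC=name',  # not mapped to any role
]

if __name__ == '__main__':
    print(build_account_filter('(sAMAccountName=%s)', 'smith (temp)'))
    print(map_roles(SAMPLE_MEMBER_OF, ROLE_GROUPS))
```

The same escaping applies to the `%s` in bindAccountFilterFormat; the group membership test there is performed by the server via the memberOf matching rule, whereas map_roles runs over the attribute values returned for the user.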
Troubleshooting
Any issues enabling SSL/TLS may be a configuration problem with the server's OpenLDAP client and are outside the scope of this document.
Help Desk Portal - Email: help@pcr.com - Phone: 616.259.9242