
LDAP/AD

Preface

Do not confuse these instructions with those for implementations that use Shibboleth with an Active Directory IdP.

LDAP/AD authentication is highly specific to the environment PCR-360 is installed in, so there is no one-size-fits-all set of options that covers every server. Every institution will have a System/Network Administrator who can provide the proper settings.

The examples on this page are for a basic Active Directory server.

Compatibility

As stated by the Zend Framework developers, the LDAP adapter "has been tested to work with Microsoft Active Directory and OpenLDAP, but it should also work with other LDAP service providers".

Requirements

The php-ldap module is required.

Role Mapping

When auth.AUTH_ROLEMAPPING is set to "true", PCR-360 tries to match each AD/LDAP group the user belongs to against a PCR-360 Role. The mapping requires the full DN of the group, not just its name. The group list comes from the attribute named in auth.AUTH_ATTRMAP_GROUPS (memberOf in the example below); note that the AD memberOf attribute lists only the groups a user belongs to directly, so nested group membership is not reflected in it.

For example, the PCR-360 Role SysAdmin is mapped to the AD group CN=SysAdmin,CN=Users,DC=domain,DC=name.

Configuration Options

In addition to the Authorization Parameters below, PCR-360 passes various Zend Framework 1 (Zend_Ldap) server options through to the adapter.

Authorization Parameters

The following are of particular interest:

; Both LDAP & AD use the "Ldap" Adapter
auth.AUTH_ADAPTER = "Ldap"
auth.AUTH_IDENTITY = "sAMAccountName"
auth.AUTH_CREATE_USERS = true
auth.AUTH_UPDATE_USERS = true
auth.AUTH_ROLEMAPPING = true

; auth attribute mapping for LDAP system attributes
auth.AUTH_ATTRMAP_USERID = "username"
auth.AUTH_ATTRMAP_DISPLAYNAME = "displayName"
auth.AUTH_ATTRMAP_FIRSTNAME = "givenName"
auth.AUTH_ATTRMAP_LASTNAME = "sn"
auth.AUTH_ATTRMAP_EMAIL = "mail"
auth.AUTH_ATTRMAP_PHONE = "telephoneNumber"
auth.AUTH_ATTRMAP_GROUPS = "memberof"

Server Options

LDAP Server Options are prefixed with "ldap". The server name that follows ("server1" here) is arbitrary and groups the settings for a single server; use another name to define a second server. When authenticating, PCR-360 tries each configured server in turn until one accepts the credentials, so every server listed is trusted to authenticate any user. The example below uses port 389 without StartTLS (useStartTls = false), which sends the bind password and every user's password across the network in clear text; on a production server set useStartTls = true (Zend_Ldap can alternatively use LDAPS via its useSsl option) and see the Troubleshooting section if the TLS handshake fails.

ldap.server1.host = server.hostname
ldap.server1.port = 389
; %s is replaced with the login name (escaped by Zend_Ldap) to locate the user's entry
ldap.server1.accountFilterFormat = "(sAMAccountName=%s)"
; 2 = Zend_Ldap::ACCTNAME_FORM_USERNAME, i.e. the bare username without a domain
ldap.server1.accountCanonicalForm = 2
; Searches for user entries start at this DN
ldap.server1.baseDn = "CN=Users,DC=domain,DC=name"
; false = plain LDAP on port 389, passwords cross the network unencrypted; use true in production
ldap.server1.useStartTls = false
ldap.server1.bindAnonymous = true
; true = bind as the account below to look up the user's DN before binding as the user
ldap.server1.bindRequiresDn = true
; Together with tryUsernameSplit these accept user@domain.name and domain\user logins
ldap.server1.accountDomainName = "domain.name"
ldap.server1.accountDomainNameShort = "domain"
ldap.server1.tryUsernameSplit = true

; The Bind DN user
ldap.server1.username = "CN=bind-dn-user,CN=Users,DC=domain,DC=name"

; The Bind DN user's password
ldap.server1.password = "bind-password"

; The following filter restricts login to members of one Active Directory security group.
; The DN after the matching-rule OID must be the full DN of that group (the DN in the
; example is the Users container; substitute the group's DN, e.g. the SysAdmin group from
; the Role Mapping section). The OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN)
; makes AD resolve nested membership, so members of groups nested inside it are admitted too.
ldap.server1.bindAccountFilterFormat = "(&(objectCategory=Person)(sAMAccountName=%s)(memberOf:1.2.840.113556.1.4.1941:=CN=Users,DC=domain,DC=name))"
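The two filters above and the Role Mapping section earlier depend on the same three details: what is substituted for %s, how the 1.2.840.113556.1.4.1941 matching rule treats nested groups, and how a group's DN is compared with the one entered for a Role. The following Python is an added example written for this page, not PCR-360 or Zend Framework code. It runs offline against a constructed in-memory directory (the users, the Helpdesk group and its nesting inside SysAdmin are made up); the nested-group walk and the DN normalisation are my emulation of what Active Directory does on the server side, and the page does not state how PCR-360 itself compares DNs for Role Mapping, so enter the DN exactly as AD returns it.

```python
"""Added example for this page (not PCR-360 or Zend Framework code).

Simulates, against a constructed in-memory directory, the three things the
LDAP settings above rely on:
  1. escaping of the account name that replaces %s in *FilterFormat,
  2. the nested-group walk that memberOf:1.2.840.113556.1.4.1941:= performs,
  3. mapping of a full group DN to a PCR-360 Role (AUTH_ROLEMAPPING).
"""

# Values taken from the page's examples.
ACCOUNT_FILTER_FORMAT = "(sAMAccountName=%s)"
REQUIRED_GROUP_DN = "CN=SysAdmin,CN=Users,DC=domain,DC=name"
ROLE_MAP = {"CN=SysAdmin,CN=Users,DC=domain,DC=name": "SysAdmin"}

# Constructed sample directory (assumption, not a real domain). memberOf holds
# direct group membership only, as the real AD attribute does.
USERS = {
    "asmith": {"objectCategory": "Person", "memberOf": [REQUIRED_GROUP_DN]},
    "jdoe": {"objectCategory": "Person",
             "memberOf": ["CN=Helpdesk,CN=Users,DC=domain,DC=name"]},
    "svc-web": {"objectCategory": "Computer", "memberOf": [REQUIRED_GROUP_DN]},
}
# Constructed nesting: the Helpdesk group is itself a member of SysAdmin.
GROUP_MEMBER_OF = {
    "cn=helpdesk,cn=users,dc=domain,dc=name": [REQUIRED_GROUP_DN],
}


def escape_filter_value(value):
    """RFC 4515 escaping of a value spliced into a filter. Zend_Ldap does this
    for the %s argument; hand-built filters that skip it are injectable."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def render_filter(filter_format, account):
    """Fill %s in accountFilterFormat / bindAccountFilterFormat safely."""
    return filter_format.replace("%s", escape_filter_value(account))


def normalize_dn(dn):
    """AD distinguished names are case-insensitive; compare a canonical form."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def transitive_groups(direct_member_of):
    """Emulates the LDAP_MATCHING_RULE_IN_CHAIN walk: every group the entry
    belongs to directly or through nesting, as normalised DNs."""
    seen, stack = set(), [normalize_dn(g) for g in direct_member_of]
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(normalize_dn(p) for p in GROUP_MEMBER_OF.get(group, []))
    return seen


def account_allowed(account, required_group_dn=REQUIRED_GROUP_DN):
    """What the page's bindAccountFilterFormat admits: a Person entry whose
    sAMAccountName matches exactly and whose membership, nested groups
    included, contains the group. Returns the entry, or None if refused."""
    entry = USERS.get(account)  # exact-value match, as the escaped filter gives
    if entry is None or entry["objectCategory"] != "Person":
        return None
    if normalize_dn(required_group_dn) not in transitive_groups(entry["memberOf"]):
        return None
    return entry


def map_roles(member_of, role_map=ROLE_MAP):
    """AUTH_ROLEMAPPING reads the memberOf attribute, i.e. direct membership
    only: a nested member passes the bind filter yet receives no Role."""
    wanted = {normalize_dn(dn): role for dn, role in role_map.items()}
    return sorted({wanted[normalize_dn(g)] for g in member_of
                   if normalize_dn(g) in wanted})


if __name__ == "__main__":
    print(render_filter(ACCOUNT_FILTER_FORMAT, "*)(objectClass=*"))
    for name in USERS:
        entry = account_allowed(name)
        roles = map_roles(entry["memberOf"]) if entry else []
        print(name, "allowed" if entry else "refused", roles)
```

Running it shows the point of the comments above: jdoe is admitted by the bind filter through the nested Helpdesk group but, because memberOf lists only direct groups, gets no PCR-360 Role, and the injection-shaped login name is turned into a harmless literal by the escaping.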

Troubleshooting

Problems enabling SSL/TLS are usually a configuration issue with the server's OpenLDAP client library (for example the CA certificate it trusts) rather than with PCR-360, and are outside the scope of this document.


Help Desk Portal - Email: help@pcr.com - Phone: 616.259.9242