|
|
| Line 1: |
Line 1: |
| <languages /> <translate>
| | #REDIRECT [[LDAP settings#LDAP configuration examples]] |
| | |
| Ldap server e.g. ldap://ldap.mydomain.com: ldap://ldap.mydomain.com
| |
| Port number (default when omtopicitted is 389):
| |
| LDAP version (LDAPv2 = 2), e.g. 3: 3 | |
| Username prefix cn= or uid=: cn=
| |
| Username suffix e.g. @mydomain.com or remaining part of ldap query: ,OU=people,DC=mydomain,DC=com
| |
| Create a LimeSurvey administrator with the same name as a AD(active directory) user account.
| |
| Log in using the AD credentials(username and password).
| |
| | |
| === Example settings AD2008 & 2.05+ ===
| |
| | |
| '''Settings working with Active Directory 2008 and 2.05+ (build 140520) with AuthLDAP plugin '''.
| |
| | |
| ==== Authentication with LDAP and ''userPrincipalName'' attribute ====
| |
| | |
| '''Note''': Authentication with ''userPrincipalName'' attribute (ie: firstname.lastname@example.intra). Create a LimeSurvey user with the same name as a AD(active directory) user account :
| |
| | |
| ''Username'': '''firstname.lastname@example.intra'''
| |
| === Simple Example settings ===
| |
| Ldap server e.g. ldap://ldap.mydomain.com: ldap://ldap.mydomain.com
| |
| Port number (default when omtopicitted is 389):
| |
| LDAP version (LDAPv2 = 2), e.g. 3: 3
| |
| Username prefix cn= or uid=: cn=
| |
| Username suffix e.g. @mydomain.com or remaining part of ldap query: ,OU=people,DC=mydomain,DC=com
| |
| Create a LimeSurvey administrator with the same name as a AD(active directory) user account.
| |
| Log in using the AD credentials(username and password).
| |
| | |
| === Example settings AD2008 & 2.05+ ===
| |
| | |
| '''Settings working with Active Directory 2008 and 2.05+ (build 140520) with AuthLDAP plugin '''.
| |
| | |
| ==== Authentication with LDAP and ''userPrincipalName'' attribute ====
| |
| | |
| '''Note''': Authentication with ''userPrincipalName'' attribute (ie: firstname.lastname@example.intra). Create a LimeSurvey user with the same name as a AD(active directory) user account :
| |
| | |
| ''Username'': '''firstname.lastname@exaom: ldap://ldap.mydomain.com
| |
| Port number (default when omtopicitted is 389):
| |
| LDAP version (LDAPv2 = 2), e.g. 3: 3
| |
| Username prefix cn= or uid=: cn=
| |
| Username suffix e.g. @mydomain.com or remaining part of ldap query: ,OU=people,DC=mydomain,DC=com
| |
| Create a LimeSurvey administrator with the same name as a AD(active directory) user account.
| |
| Log in using the AD credentials(username and password).
| |
| | |
| === Example settings AD2008 & 2.05+ ===
| |
| | |
| '''Settings working with Active Directory 20tra'''
| |
| | |
| ''Full name'': '''Firstname LASTNAME'''
| |
| | |
| Then configure the plugin : ''Plugin Manager > LDAP > Configure''.
| |
| | |
| ''Ldap server e.g. ldap://ldap.example.intra'': '''ldap://ldap.example.intra'''
| |
| | |
| ''Port number (default when omitted is 389)'': '''389'''
| |
| | |
| ''LDAP version (LDAPv2 = 2), e.g. 3'': '''LDAPv3'''
| |
| | |
| ''Username prefix cn= or uid=: cn='': '''empty'''
| |
| | |
| ''Username suffix e.g. @example.intra or remaining part of ldap query'': '''empty'''
| |
| | |
| Log in using the AD credentials (username: '''firstname.lastname@example.intra''' and password).
| |
| | |
| ==== Authentication with LDAP and ''sAMaccountName'' attribute ====
| |
| | |
| '''Note''': Authentication with ''sAMaccountName'' attribute (ie: firstname.lastname). Create a LimeSurvey user with the same name as a AD(active directory) user account :
| |
| | |
| ''Username'': '''firstname.lastname'''
| |
| | |
| ''Email'': '''firstname.lastname@example.intra'''
| |
| | |
| ''Full name'': '''Firstname LASTNAME'''
| |
| | |
| Then configure the plugin : ''Plugin Manager > LDAP > Configure''.
| |
| | |
| ''Ldap server e.g. ldap://ldap.example.com'': '''ldap://ldap.example.intra'''
| |
| | |
| ''Port number (default when omitted is 389)'': '''389'''
| |
| | |
| ''LDAP version (LDAPv2 = 2), e.g. 3'': '''LDAPv3'''
| |
| | |
| ''Username prefix cn= or uid=: cn='': '''empty'''
| |
| | |
| ''Username suffix e.g. @example.com or remaining part of ldap query'': '''@example.intra'''
| |
| | |
| Log in using the AD credentials (username: '''firstname.lastname''' and password).
| |
| | |
| ==== Authentication with LDAPS and ''sAMaccountName'' attribute ====
| |
| | |
| '''Note''': Authentication with ''sAMaccountName'' attribute (ie: firstname.lastname). Create a LimeSurvey user with the same name as a AD(active directory) user account :
| |
| | |
| ''Username'': '''firstname.lastname'''
| |
| | |
| ''Email'': '''firstname.lastname@example.intra'''
| |
| | |
| ''Full name'': '''Firstname LASTNAME'''
| |
| | |
| Then configure the plugin : ''Plugin Manager > LDAP > Configure''.
| |
| | |
| ''Ldap server e.g. ldap://ldap.example.com'': '''ldaps://ldap.example.intra'''
| |
| | |
| ''Port number (default when omitted is 389)'': '''636'''
| |
| | |
| ''LDAP version (LDAPv2 = 2), e.g. 3'': '''LDAPv3'''
| |
| | |
| ''Username prefix cn= or uid=: cn='': '''empty'''
| |
| | |
| ''Username suffix e.g. @example.intra or remaining part of ldap query'': '''@example.intra'''
| |
| | |
| Log in using the AD credentials (username: '''firstname.lastname''' and password).
| |
| | |
| === Example settings OpenLDAP & 2.05+ ===
| |
| | |
| '''Settings working with OpenLDAP and 2.05+ (git version Feb. 2015) with AuthLDAP plugin '''.
| |
| | |
| ==== Authentication with LDAP and ''uid'' attribute ====
| |
| | |
| '''Note''': Authentication with ''uid'' attribute. Create a LimeSurvey user with the same name as a the LDAP user account.
| |
| | |
| Then configure the plugin : ''Plugin Manager > LDAP > Configure''.
| |
| | |
| * ''Ldap server e.g. ldap://ldap.mydomain.com'': '''ldap://ldap.mydomain.com'''
| |
| * ''Port number (default when omitted is 389)'': '''(389 or leave blank)'''
| |
| * ''LDAP version (LDAPv2 = 2), e.g. 3'': '''LDAPv3'''
| |
| * ''Select true if referrals must be followed (use false for ActiveDirectory)'': '''(leave blank)'''
| |
| * ''Check to enable Start-TLS encryption When using LDAPv3'': '''False'''
| |
| * ''Select how to perform authentication'': '''Search and bind'''
| |
| * ''Attribute to compare to the given login can be uid, cn, mail, ...'': '''uid'''
| |
| * ''Base DN for the user search operation'': '''ou=people,dc=mydomain,dc=com'''
| |
| * ''Optional extra LDAP filter to be ANDed to the basic (searchuserattribute=username) filter. Don't forget the outmost enclosing parentheses'': '''(leave blank)'''
| |
| * ''Optional DN of the LDAP account used to search for the end-user's DN. An anonymous bind is performed if empty.'': '''cn=admin,dc=mydomain,dc=com'''
| |
| * ''Password of the LDAP account used to search for the end-user's DN if previoulsy set.'': '''password''' (appears!)
| |
| * ''Check to make default authentication method'': '''(as you wish)'''
| |
| | |
| Log in using the LDAP credentials (username: '''user''' and password).
| |
| | |
| ==== Authentication with OpenLDAP, ''uid'' attribute, and group restriction [2.62+] ====
| |
| | |
| Some applications require a separate LDAP query (beyond the user search and bind to check password) to determine if the user has sufficient authorization. For example, let's assume that LDAP has a <code>Groups</code> OU that includes an entry identified by <code>cn=limeusers</code> and our policy is that for a user to be authorized to use LimeSurvey that entry must include an attribute of the form <code>memberUid=<i>username</i></code> where ''username'' is the username (uid) entered by the user attempting to login. To configure LDAP for that, set up basic ''uid'' authentication as above and then set the following additional (optional) parameters:
| |
| | |
| * ''Optional base DN for group restriction'': <code>ou=Groups,dc=mydomain,dc=com</code>
| |
| * ''Optional filter for group restriction'': <code>(&(cn=limeusers)(memberUid=$username))</code>
| |
| | |
| Note:
| |
| # <code>$username</code> is a magic value (in the context of the filter parameter) that is replaced by the username entered by the user when logging in.
| |
| # Although intended for testing group membership as above, this optional "group restriction" capability can be used to add any authorization check that can be expressed as a separate filtered search like this.
| |
| # Before specifying a group restriction this way, verify that basic LDAP authentication is working correctly.
| |
| # If either of the group restriction parameters is empty then the group restriction step will not be applied.
| |
| | |
| | |
| </translate>
| |