LDAP settings: Difference between revisions

  Attention : This feature is for token import via LDAP. If you need a Ldap Authentification, please refer to AuthLDAP plugin

General

To use this feature you have to enable LDAP support in config.php and configure LDAP parameters in config/ldap.php.

  To be able to use LDAP you have to make sure the LDAP module is installed in your PHP. Please refer to the PHP LDAP module documentation how to install this extension.

Enabling LDAP in config.php

• $enableLdap: if you want to use LDAP functions in LimeSurvey, you must set this parameter to true (it is set to false by default)

'config'=>array(
		'debug'=>0,
		'debugsql'=>0,
		'enableLdap'=>true,
	)

Defining LDAP servers

First define the ldap server connections options in application/config/ldap.php. For each server, the following options are available:

• $serverId: an integer that identifies this LDAP server. It is used in query definitions to bind a server to a specific query
• $ldap_server[$serverId]['server']: the IP address or DNS name of the LDAP server. If you use SSL secured connections (LDAPs or LDAP+Start-TLS) this name must correspond to the server's Certificate CN (or SubjectAlternativeName)
• $ldap_server[$serverId]['protoversion']: can be 'ldapv2' or 'ldapv3' depending on the protocol supported by your server. 'ldapv3' is the preferred protocol. However, if you want to use encrypted connections, note that LDAPs is supported in 'ldapv2' mode whereas Start-TLS is the encryption method for 'ldapv3'
• $ldap_server[$serverId]['encrypt']: defines the encryption method used. 'ldaps' is supported for 'ldav2' servers, 'start-tls' for 'ldapv3' servers. The 'none' keyword is used for cleartext LDAP communications
  • Don't forget that for 'ldaps' or 'start-tls' encryption, the webserver must be able to check the LDAP server's certificate. Thus you need to define your Certificate Authority in your openldap library (usually this is done in the /etc/openldap/ldap.conf file under linux)
• $ldap_server[$serverId]['referrals']: boolean parameter defining if referrals must be followed (use false for ActiveDirectory)
• $ldap_server[$serverId]['encoding']: optional parameter which gives the encoding used by the Ldap directory to store strings. You usually do not need to setup this parameter as the default assumed encoding, 'utf-8', is the standard encoding for LDAP directories. However, if you're using Active Directory and are having problems importing accentuated strings, then try to setup this parameter to the encoding used in you area (for instance 'cp850' for West Europe). You can refer to the 'Character set of the file' dropdown list in the 'Import Token from CSV file' GUI, to have the full list of supported encodings.

Next you need to define what authentication is needed to gain access to the directory. If 'anonymous' access is allowed do NOT set the two following parameters, otherwise set them accordingly:

• $ldap_server[$serverId]['binddn']: DN of the 'LDAP' user that is allowed to read the directory
• $ldap_server[$serverId]['bindpw']: Password for the above LDAP user

If you need to define other LDAP servers, add the following line to increment the serverID and define new parameters:

• $serverId++;

Defining queries in config/ldap.php

Caution: when an ldap attribute name is required in one of these parameters, only use lower case names: for instance displayname and NOT displayName.

Please refer to the config/ldap.php file as it contains samples configuration.

Simple Queries

Let's begin with simples queries. These queries only filter LDAP entries based on their own attributes and location. They are usually enough for querying ActiveDirectory.

• $query_id: is the id of the LDAP query
• $ldap_queries[$query_id]['ldapServerId']: bind the query to a specific server
• $ldap_queries[$query_id]['name']: String describing the query. It will be displayed in the GUI
• $ldap_queries[$query_id]['userbase']: Root DN to use for user searches
• $ldap_queries[$query_id]['userfilter']: filter used to select potential users' entries. It must be enclosed in parenthesis
• $ldap_queries[$query_id]['userscope']: scope of the LDAP search for users ('base', 'one' or 'sub')
• $ldap_queries[$query_id]['firstname_attr']: Ldap attribute that will be mapped to the Firstname field of the token entry
• $ldap_queries[$query_id]['lastname_attr']: Ldap attribute that will be mapped to the Lastname field of the token entry
• $ldap_queries[$query_id]['email_attr']: Ldap attribute that will be mapped to the email address field of the token entry

Optionaly you can retrieve more information from the directory:

• $ldap_queries[$query_id]['token_attr']: Ldap attribute that will be mapped to the token code
• $ldap_queries[$query_id]['language']: Ldap attribute that will be mapped to the user language code
• $ldap_queries[$query_id]['attr1']: Ldap attribute that will be mapped to the attribute_1 field
• $ldap_queries[$query_id]['attr2']: Ldap attribute that will be mapped to the attribute_2 field

Combined Group Queries with DN members

Let's now see how to define a more complicated query.

The following queries uses a first LDAP search that looks into LDAP groups. An LDAP group is an LDAP entry containing references to users' entries in the form of:

• • user ids (for instance posixGroups do)    ==> See the next section
  • Or user DNs (for instance groupofnames and groupofuniquenames do) ==> see below

Here we deal with groups containing user DNs:

• define $query_id, $ldap_queries[$query_id]['ldapServerId'], $ldap_queries[$query_id]['name'] as explained above

Then define the group filter parameters:

• $ldap_queries[$query_id]['groupbase']: the Root DN from which you want to start searching for group entries
• $ldap_queries[$query_id]['groupfilter']: the LDAP filter that will select potential group entries
• $ldap_queries[$query_id]['groupscope']: the scope of the LDAP search for groups ('on', 'base' or 'sub')
• $ldap_queries[$query_id]['groupmemberattr']: name of the LDAP attribute in the group entry that will contain references to users' entries
• $ldap_queries[$query_id]['groupmemberisdn']: TRUE

At this point everything is setup to let the first LDAP search find users corresponding to selected groups. However, you can restrict which of these 'user candidates' will be selected by applying another filter on them. This is, of course, optional:

• $ldap_queries[$query_id]['userbase']: Base DN for the user LDAP search (only user candidate matching this base) will be selected
• $ldap_queries[$query_id]['userscope']: Scope for the user LDAP search (only user candidate matching the userbase+scope) will be selected
• $ldap_queries[$query_id]['userfilter']: filter to apply to each user candidate entry (on its attributes) to add another selection

Combined Group Queries with UID members

Let's now see how to define a combined Group query when group members are user UIDs and not User DNs.

As for the Group queries with DNs members, these queries uses a first LDAP search that looks for LDAP groups entries and get their members. These members values are then used in a user search filter to search for corresponding entries. Thus another parameter must be configured to define the user attribute in the user's entry that should match the member UID found in the groups.

Let's review the required parameters:

• define $query_id, $ldap_queries[$query_id]['ldapServerId'], $ldap_queries[$query_id]['name'] as explained above

Then define the group filter parameters:

• $ldap_queries[$query_id]['groupbase']: the Root DN from which you want to start searching for group entries
• $ldap_queries[$query_id]['groupfilter']: the LDAP filter that will select potential group entries
• $ldap_queries[$query_id]['groupscope']: the scope of the LDAP search for groups ('on', 'base' or 'sub')
• $ldap_queries[$query_id]['groupmemberattr']: name of the LDAP attribute in the group entry that will contain references to users' entries
• $ldap_queries[$query_id]['groupmemberisdn']: FALSE
• $ldap_queries[$query_id]['useridattr']: name of the user attribute that must match the UID found in the group members

At this point everything is setup to let the first LDAP search find users UIDs corresponding to selected groups and a user search filter will be automatically filled.

However, you can restrict which of these 'user candidates' will be selected by completing the automatic user filter computed from member UIDs. This is, of course, optional:

• $ldap_queries[$query_id]['userbase']: Base DN for the user LDAP search (only user candidate matching this base) will be selected
• $ldap_queries[$query_id]['userscope']: Scope for the user LDAP search (only user candidate matching the userbase+scope) will be selected
• $ldap_queries[$query_id]['userfilter']: filter to apply to each user candidate entry (on its attributes) to add another selection

What about Active Directory?

Active Directory (AD) is a Microsoft registry that can be queried by using the LDAP protocol.

It is then possible to use its content for LimeSurvey token queries, but this requires knowledge on how AD is organized.

• The LDAP root base is dc=my_windows_domain_name,dc=dns_suffix2,dc=dns_suffix1

==> For instance if your company owns the DNS domain 'my-company.com', and your Windows domain is 'employees', then your root base is dc=employees,dc=my-company,dc=com

• Users and users-groups are stored below the cn=Users,dc=my_windows_domain_name,dc=dns_suffix2,dc=dns_suffix1 (please note this is not ou=users)
• Active Directory Groups
  • Groups objects contain DN of members in their 'member' attribute.
  • Group memberships are also stored in the memberOf attribute of each user entry. This attribute contains DNs of groups the user belongs to
  • some groups are in CN=Builtin,dc=my_windows_domain_name,dc=dns_suffix2,dc=dns_suffix1
    • For instance: cn=Administrator,CN=Builtin,dc=my_windows_domain_name,dc=dns_suffix2,dc=dns_suffix1

In some cases it is not as easy to query an active directory so here is a sample configuration for getting some infomations of an active directory:

//Connection to the active directory Server:
$serverId=0;
$ldap_server[$serverId]['server'] = "10.10.10.10";
$ldap_server[$serverId]['port'] = "389";
$ldap_server[$serverId]['protoversion'] = "ldapv2";
$ldap_server[$serverId]['encrypt'] = "none"; // Most AD LDAP servers will not have encryption set by default
$ldap_server[$serverId]['referrals'] = false;
$ldap_server[$serverId]['binddn'] = "domain\\user";
$ldap_server[$serverId]['bindpw'] = "userpassword";
//$ldap_server[$serverId]['binddn'] = "CN=user,OU=user_group,DC=xxx,DC=yyy"; this one will not work with active directory, that´s why you need to use "domain\\user"
//Here is a sample query for getting all active users of an active directory:
$query_id=0;
$ldap_queries[$query_id]['ldapServerId'] = 0;
$ldap_queries[$query_id]['name'] = 'Staff with an enabled account';
$ldap_queries[$query_id]['userbase'] = 'OU=USER_GROUP,DC=xxx,DC=yyy';
$ldap_queries[$query_id]['userfilter'] = '(&(objectClass=user)(!(userAccountControl=514)))';
//(!(userAccountControl=514)) you are not able to ask active directory for an active user but you are able to ask for a non inactive user
$ldap_queries[$query_id]['userscope'] = 'sub';
$ldap_queries[$query_id]['firstname_attr'] = 'givenname';
$ldap_queries[$query_id]['lastname_attr'] = 'sn';
$ldap_queries[$query_id]['email_attr'] = 'mail';
$ldap_queries[$query_id]['token_attr'] = ''; // Leave empty for Auto Token generation by phpsv
$ldap_queries[$query_id]['language'] = '';
$ldap_queries[$query_id]['attr1'] = '';
$ldap_queries[$query_id]['attr2'] = '';
//Group filtering was not possible in active directory, you need to add the memberOf attribute of an user. Here is a sample query for getting all active users that are member of the group "samplegroup" in active directory:
$query_id++;
$ldap_queries[$query_id]['ldapServerId'] = 0;
$ldap_queries[$query_id]['name'] = 'All members of samplegroup';
$ldap_queries[$query_id]['userbase'] = 'OU=USER_GROUP,DC=xxx,DC=yyy';
$ldap_queries[$query_id]['userfilter'] = '(&(objectClass=user)(memberOf=CN=samplegroup,OU=Group Global,OU=USER_GROUP,DC=xxx,DC=yyy)(!(userAccountControl=514)))';
$ldap_queries[$query_id]['userscope'] = 'sub';
$ldap_queries[$query_id]['firstname_attr'] = 'givenname';
$ldap_queries[$query_id]['lastname_attr'] = 'sn';
$ldap_queries[$query_id]['email_attr'] = 'mail';
$ldap_queries[$query_id]['token_attr'] = ''; // Leave empty for Auto Token generation by phpsv
$ldap_queries[$query_id]['language'] = '';
$ldap_queries[$query_id]['attr1'] = '';
$ldap_queries[$query_id]['attr2'] = '';

Another example User query:

$ldap_queries[$query_id]['userfilter'] = '(&('''objectCategory=Person''')(objectClass='''user''')(!('''userAccountControl=514''')))'; // AD doesn't recognise enabled accounts in the normal way, so instead, we check users are not disabled

• As suggested in the config file, consider adding (!(email=*)) to your user filters to ignore users with no email address.

Example group query:

$ldap_queries[$query_id]['groupfilter'] = '(&(objectClass='''group''')(cn=Domain Admins))'; // AD doesn't use the standard attribute name for groups, so use this example instead.

Find more information about the Active Directory LDAP structure on this page.