LDAP settings/nl: Difference between revisions

From LimeSurvey Manual

Revision as of 20:42, 8 February 2018

  Note: this function is for importing tokens via LDAP. If you need LDAP authentication, read AuthLDAP plugin instead.


General

You have to enable LDAP support in config.php and configure LDAP parameters in config/ldap.php in order to utilize this function.

  To use LDAP, the LDAP module must be installed in PHP. Installing the extension: documentation.


Enabling LDAP

  • $enableLdap: if you want to use LDAP, you must set this parameter in config.php to "true" (default: "false"):
'config'=>array(
		'debug'=>0,
		'debugsql'=>0,
		'enableLdap'=>true,
	)

Defining LDAP servers

First define the LDAP server connections options in "application/config/ldap.php". For each server, the following options are available:

  • $serverId: An integer that identifies this LDAP server. It is used in query definitions to bind a server to a specific query;
  • $ldap_server[$serverId]['server']: The IP address or DNS name of the LDAP server. If you use SSL secured connections (LDAPs or LDAP+Start-TLS), this name must correspond to the server's Certificate CN (or SubjectAlternativeName);
  • $ldap_server[$serverId]['protoversion']: Can be 'ldapv2' or 'ldapv3' depending on the protocol supported by your server. 'ldapv3' is the preferred protocol. However, if you want to use encrypted connections, note that LDAPs is supported in 'ldapv2' mode whereas Start-TLS is the encryption method for 'ldapv3';
  • $ldap_server[$serverId]['encrypt']: Defines the encryption method used. 'ldaps' is supported for 'ldapv2' servers, 'start-tls' for 'ldapv3' servers. The 'none' keyword is used for cleartext LDAP communications;
    • Don't forget that for 'ldaps' or 'start-tls' encryption, the webserver must be able to check the LDAP server's certificate. Thus, you need to define your Certificate Authority in your openldap library (usually this is done in the /etc/openldap/ldap.conf file under Linux).
  • $ldap_server[$serverId]['referrals']: A boolean parameter that defines whether referrals must be followed or not (use false for ActiveDirectory);
  • $ldap_server[$serverId]['encoding']: An optional parameter which gives the encoding used by the LDAP directory to store strings. You usually do not need to set this parameter, as the default assumed encoding, 'utf-8', is the standard encoding for LDAP directories. However, if you're using Active Directory and having problems importing accented strings, then try setting this parameter to the encoding used in your area (for instance 'cp850' for Western Europe). You can refer to the "Character set of the file" drop-down list in the Survey_participants#Import_participants_from_a_CSV_file Import Token from CSV file GUI to see the full list of supported encodings.

Next, you need to define what authentication is needed to gain access to the directory. If 'anonymous' access is allowed, do NOT set the two following parameters, otherwise set them accordingly:

  • $ldap_server[$serverId]['binddn']: DN of the 'LDAP' user that is allowed to read the directory;
  • $ldap_server[$serverId]['bindpw']: Password for the above LDAP user.

If you need to define other LDAP servers, add the following line to increment the serverID and define new parameters:

  • $serverId++.
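The server options above have dependencies that are easy to get wrong (the encryption method must match the protocol version, an encrypted connection needs a host name that matches the certificate, and binddn/bindpw go together). The following checker is an added example, not part of LimeSurvey; it takes the per-server options as a Python dictionary keyed by the same names the page uses and reports anything inconsistent. The rules it encodes are exactly the ones stated in the text above, and the sample server entries are constructed for illustration.

```python
import ipaddress
from typing import Dict, List

def _looks_like_ip(host: str) -> bool:
    """True when the 'server' value is a literal IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_ldap_server(cfg: Dict[str, object]) -> List[str]:
    """Return a list of problems found in one $ldap_server[$serverId] entry.

    An empty list means the entry is consistent with the rules on this page.
    """
    problems: List[str] = []
    proto = cfg.get("protoversion")
    enc = cfg.get("encrypt", "none")
    if proto not in ("ldapv2", "ldapv3"):
        problems.append(f"protoversion must be 'ldapv2' or 'ldapv3', got {proto!r}")
    if enc not in ("none", "ldaps", "start-tls"):
        problems.append(f"encrypt must be 'none', 'ldaps' or 'start-tls', got {enc!r}")
    # The page pairs LDAPS with ldapv2 and Start-TLS with ldapv3.
    if enc == "ldaps" and proto != "ldapv2":
        problems.append("'ldaps' is only supported with protoversion 'ldapv2'")
    if enc == "start-tls" and proto != "ldapv3":
        problems.append("'start-tls' is only supported with protoversion 'ldapv3'")
    if enc == "none":
        problems.append("encrypt 'none': bind password and directory data travel in cleartext")
    # With TLS the server name must match the certificate CN/SAN; an IP rarely does.
    if enc != "none" and _looks_like_ip(str(cfg.get("server", ""))):
        problems.append("server is an IP address; with TLS it must match the certificate CN or SAN")
    # Either both bind parameters are set, or neither (anonymous bind).
    if bool(cfg.get("binddn")) != bool(cfg.get("bindpw")):
        problems.append("binddn and bindpw must be set together (leave both unset for anonymous access)")
    return problems

# Constructed sample entries (hypothetical hosts and credentials).
GOOD_SERVER = {
    "server": "ldap.example.com", "protoversion": "ldapv3", "encrypt": "start-tls",
    "referrals": False, "binddn": "cn=reader,dc=example,dc=com", "bindpw": "reader-password",
}
# Mirrors the Active Directory sample further down the page: cleartext on purpose.
AD_PAGE_STYLE_SERVER = {
    "server": "10.10.10.10", "port": "389", "protoversion": "ldapv2", "encrypt": "none",
    "referrals": False, "binddn": "domain\\user", "bindpw": "userpassword",
}
MISMATCHED_SERVER = {"server": "ldap.example.com", "protoversion": "ldapv3", "encrypt": "ldaps"}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_SERVER), ("ad", AD_PAGE_STYLE_SERVER), ("mismatch", MISMATCHED_SERVER)):
        print(name, check_ldap_server(cfg) or "ok")
```

Run it before copying the values into config/ldap.php; the cleartext finding for the Active Directory style entry is deliberate, since the page's own sample uses 'none', and it is there so that the choice is a conscious one.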

Defining queries in config/ldap.php

NOTE: when an LDAP attribute name is used in any of these parameters, use lowercase only: so displayname and NOT displayName.

Look at the file config/ldap.php; it contains configuration examples.

Simple queries

Let's begin with simple queries. These queries only filter LDAP entries based on their own attributes and location. They are usually enough for querying ActiveDirectory.

  • $query_id: is the id of the LDAP query;
  • $ldap_queries[$query_id]['ldapServerId']: Binds the query to a specific server;
  • $ldap_queries[$query_id]['name']: String describing the query. It will be displayed in the GUI;
  • $ldap_queries[$query_id]['userbase']: Root DN to use for user searches;
  • $ldap_queries[$query_id]['userfilter']: It is a filter used to select potential users' entries. It must be enclosed in parentheses;
  • $ldap_queries[$query_id]['userscope']: scope of the LDAP search for users ('base', 'one' or 'sub');
  • $ldap_queries[$query_id]['firstname_attr']: Ldap attribute that will be mapped to the Firstname field of the token entry;
  • $ldap_queries[$query_id]['lastname_attr']: Ldap attribute that will be mapped to the Lastname field of the token entry;
  • $ldap_queries[$query_id]['email_attr']: Ldap attribute that will be mapped to the email address field of the token entry.

Optionally, you can retrieve more information from the directory:

  • $ldap_queries[$query_id]['token_attr']: Ldap attribute that will be mapped to the token code;
  • $ldap_queries[$query_id]['language']: Ldap attribute that will be mapped to the user language code;
  • $ldap_queries[$query_id]['attr1']: Ldap attribute that will be mapped to the attribute_1 field;
  • $ldap_queries[$query_id]['attr2']: Ldap attribute that will be mapped to the attribute_2 field.

Combined group queries with DN members

Now let's build a more complex query.

The following queries use a first LDAP search that looks into LDAP groups. An LDAP group is an LDAP entry containing references to users' entries in the form of:

  • user ids (for instance posixGroups do)    ==> See the next section
  • Or user DNs (for instance groupofnames and groupofuniquenames do) ==> see below

Here we deal with groups containing user DNs:

  • define $query_id, $ldap_queries[$query_id]['ldapServerId'], $ldap_queries[$query_id]['name'] as explained above.

Then define the group filter parameters:

  • $ldap_queries[$query_id]['groupbase']: The Root DN from which you want to start searching for group entries;
  • $ldap_queries[$query_id]['groupfilter']: The LDAP filter that will select potential group entries;
  • $ldap_queries[$query_id]['groupscope']: The scope of the LDAP search for groups ('one', 'base' or 'sub');
  • $ldap_queries[$query_id]['groupmemberattr']: The Name of the LDAP attribute in the group entry that will contain references to users' entries;
  • $ldap_queries[$query_id]['groupmemberisdn']: TRUE.

At this point, everything is set up to let the first LDAP search find users corresponding to the selected groups. However, you can restrict which of these "user candidates" will be selected by applying another filter on them. This is, of course, optional:

  • $ldap_queries[$query_id]['userbase']: Base DN for the user LDAP search (only user candidates matching this base will be selected);
  • $ldap_queries[$query_id]['userscope']: Scope for the user LDAP search (only user candidates matching the userbase+scope will be selected);
  • $ldap_queries[$query_id]['userfilter']: A filter that is applied to each user candidate entry (on its attributes) as a further selection.

Combined group queries with UID members

We now show how to build a combined group query whose group members are user UIDs rather than user DNs.

As for the group queries with DN members, these queries use a first LDAP search that looks for LDAP group entries and gets their members. These member values are then used in a user search filter to find the corresponding entries. Thus another parameter must be configured to define the attribute in the user's entry that should match the member UID found in the groups.

Let's look at the mandatory parameters:

  • define $query_id, $ldap_queries[$query_id]['ldapServerId'], $ldap_queries[$query_id]['name'] as explained above.

Then define the group filter parameters:

  • $ldap_queries[$query_id]['groupbase']: The Root DN from which you want to start searching for group entries;
  • $ldap_queries[$query_id]['groupfilter']: The LDAP filter that will select potential group entries;
  • $ldap_queries[$query_id]['groupscope']: The scope of the LDAP search for groups ('one', 'base' or 'sub');
  • $ldap_queries[$query_id]['groupmemberattr']: The name of the LDAP attribute in the group entry that will contain references to users' entries;
  • $ldap_queries[$query_id]['groupmemberisdn']: FALSE;
  • $ldap_queries[$query_id]['useridattr']: name of the user attribute that must match the UID found in the group members.

At this point everything is set up to let the first LDAP search find the user UIDs corresponding to the selected groups, and a user search filter will be filled in automatically.

However, you can restrict which of these 'user candidates' will be selected by completing the automatic user filter computed from member UIDs. This is, of course, optional:

  • $ldap_queries[$query_id]['userbase']: Base DN for the user LDAP search (only user candidates matching this base will be selected);
  • $ldap_queries[$query_id]['userscope']: Scope for the user LDAP search (only user candidates matching the userbase+scope will be selected);
  • $ldap_queries[$query_id]['userfilter']: A filter that is applied to each user candidate entry (on its attributes) as a further selection.
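The two combined group query styles above (DN members and UID members) differ only in how the group's member values are turned into user candidates. The script below is an added example, not LimeSurvey's import code: it simulates both styles against a small constructed in-memory directory, using the page's parameter names (groupbase, groupfilter, groupmemberattr, groupmemberisdn, useridattr, userbase, userscope, userfilter) as dictionary keys. The filter evaluator only supports the (&), (|), (!), equality, wildcard and presence forms needed here; the directory contents and query values are invented.

```python
import re
from typing import Any, Dict, List

# Constructed in-memory directory (DN -> attributes); attribute names are
# lowercase, as the page requires for the query parameters.
PEOPLE = "ou=people,dc=example,dc=com"
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=staff,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupofnames"], "cn": ["staff"],
        "member": [f"uid=alice,{PEOPLE}", f"uid=bob,{PEOPLE}"]},
    "cn=devs,ou=groups,dc=example,dc=com": {
        "objectclass": ["posixgroup"], "cn": ["devs"],
        "memberuid": ["bob", "carol", "dave"]},
    f"uid=alice,{PEOPLE}": {"uid": ["alice"], "mail": ["alice@example.com"]},
    f"uid=bob,{PEOPLE}": {"uid": ["bob"], "mail": ["bob@example.com"]},
    f"uid=carol,{PEOPLE}": {"uid": ["carol"]},  # no mail attribute
    "uid=dave,ou=contractors,dc=example,dc=com": {"uid": ["dave"], "mail": ["dave@example.com"]},
}

def parse_filter(text: str):
    """Parse the filter subset used here: (&..), (|..), (!..), (attr=value), (attr=*)."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos} in {text!r}")
        pos += 1
        if text[pos] in "&|!":
            op, pos = text[pos], pos + 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            if text[pos] != ")":
                raise ValueError("unterminated filter list")
            pos += 1
            return (op, kids)
        end = text.index(")", pos)
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("=", attr.strip().lower(), value)
    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def matches(tree, entry: Dict[str, List[str]]) -> bool:
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = entry.get(attr, [])
    if value == "*":                       # presence test
        return bool(values)
    pattern = ".*".join(re.escape(p) for p in value.split("*"))  # '*' inside a value = wildcard
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)

def in_scope(dn: str, base: str, scope: str) -> bool:
    if not base:                           # no base given: whole directory
        return True
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if not dn.endswith("," + base):
        return False
    return scope == "sub" or "," not in dn[: -len(base) - 1]  # 'one' = direct children only

def search(base: str, scope: str, ldap_filter: str) -> List[str]:
    tree = parse_filter(ldap_filter)
    return sorted(dn for dn, e in DIRECTORY.items() if in_scope(dn, base, scope) and matches(tree, e))

def run_group_query(q: Dict[str, Any]) -> List[str]:
    """Group search first, then user candidates, then the optional user restriction."""
    groups = search(q["groupbase"], q["groupscope"], q["groupfilter"])
    members = [m for g in groups for m in DIRECTORY[g].get(q["groupmemberattr"], [])]
    if q["groupmemberisdn"]:
        by_lower = {dn.lower(): dn for dn in DIRECTORY}          # members are DNs: direct lookup
        candidates = [by_lower[m.lower()] for m in members if m.lower() in by_lower]
    else:                                                       # members are UIDs: build OR filter
        auto = "(|" + "".join(f"({q['useridattr']}={m})" for m in members) + ")"
        candidates = search(q.get("userbase", ""), q.get("userscope", "sub"), auto)
    result = []
    for dn in candidates:
        if not in_scope(dn, q.get("userbase", ""), q.get("userscope", "sub")):
            continue
        if q.get("userfilter") and not matches(parse_filter(q["userfilter"]), DIRECTORY[dn]):
            continue
        result.append(dn)
    return sorted(result)

DN_GROUP_QUERY = {   # groupofnames-style group, as in the DN-member section
    "groupbase": "ou=groups,dc=example,dc=com", "groupscope": "sub",
    "groupfilter": "(&(objectclass=groupofnames)(cn=staff))",
    "groupmemberattr": "member", "groupmemberisdn": True,
    "userbase": PEOPLE, "userscope": "sub", "userfilter": "(mail=*)"}
UID_GROUP_QUERY = {  # posixgroup-style group, as in the UID-member section
    "groupbase": "ou=groups,dc=example,dc=com", "groupscope": "one", "groupfilter": "(cn=devs)",
    "groupmemberattr": "memberuid", "groupmemberisdn": False, "useridattr": "uid",
    "userbase": PEOPLE, "userscope": "sub", "userfilter": "(mail=*)"}

if __name__ == "__main__":
    print(run_group_query(DN_GROUP_QUERY))   # alice and bob
    print(run_group_query(UID_GROUP_QUERY))  # bob only: carol has no mail, dave is outside userbase
```

The UID query shows both optional restrictions at work: dave is a member of the group but sits outside userbase, and carol is inside it but fails the userfilter, so neither would be imported as a token.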

And what about Active Directory?

Active Directory (AD) is a Microsoft registry that can be read with the LDAP protocol.

It is therefore possible to use its contents for LimeSurvey token queries, but that requires knowledge of how Active Directory is organised.

  • De LDAP root base is dc=my_windows_domain_name,dc=dns_suffix2,dc=dns_suffix1

==> For instance, if your company owns the DNS domain 'my-company.com' and your Windows domain is 'employees', then your root base is dc=employees,dc=my-company,dc=com

  • Users and users-groups are stored below the cn=Users,dc=my_windows_domain_name,dc=dns_suffix2,dc=dns_suffix1 (please note this is not ou=users);
  • Active Directory Groups:
    • Groups objects contain DN of members in their 'member' attribute;
    • Group memberships are also stored in the memberOf attribute of each user entry. This attribute contains DNs of groups the user belongs to;
    • some groups are in CN=Builtin,dc=my_windows_domain_name,dc=dns_suffix2,dc=dns_suffix1:
      • For instance: cn=Administrator,CN=Builtin,dc=my_windows_domain_name,dc=dns_suffix2,dc=dns_suffix1;

It is sometimes difficult to run a query against an Active Directory. Here is a possible configuration for retrieving information from an Active Directory:

// Connecting to the Active Directory server:
$serverId=0;
$ldap_server[$serverId]['server'] = "10.10.10.10";
$ldap_server[$serverId]['port'] = "389";
$ldap_server[$serverId]['protoversion'] = "ldapv2";
$ldap_server[$serverId]['encrypt'] = "none"; // Encryption is usually not enabled by default on Active Directory LDAP servers
$ldap_server[$serverId]['referrals'] = false;
$ldap_server[$serverId]['binddn'] = "domain\\user";
$ldap_server[$serverId]['bindpw'] = "userpassword";
//$ldap_server[$serverId]['binddn'] = "CN=user,OU=user_group,DC=xxx,DC=yyy"; // Active Directory does not use this DN form for the bind, which is why "domain\\user" is used above
// Example query for retrieving all active users in an Active Directory:
$query_id=0;
$ldap_queries[$query_id]['ldapServerId'] = 0;
$ldap_queries[$query_id]['name'] = 'Staff with enabled account';
$ldap_queries[$query_id]['userbase'] = 'OU=USER_GROUP,DC=xxx,DC=yyy';
$ldap_queries[$query_id]['userfilter'] = '(&(objectClass=user)(!(userAccountControl=514)))';
// (!(userAccountControl=514)): you cannot ask an Active Directory for an enabled user, but you can ask for a user that is not disabled
$ldap_queries[$query_id]['userscope'] = 'sub';
$ldap_queries[$query_id]['firstname_attr'] = 'givenname'; // AD attribute holding the first name
$ldap_queries[$query_id]['lastname_attr'] = 'sn';
$ldap_queries[$query_id]['email_attr'] = 'mail';
$ldap_queries[$query_id]['token_attr'] = ''; // Leave empty to let phpsv generate the token
$ldap_queries[$query_id]['language'] = '';
$ldap_queries[$query_id]['attr1'] = '';
$ldap_queries[$query_id]['attr2'] = '';
// Group filtering was not possible in Active Directory; use the memberOf attribute of the user instead. Example query for retrieving all active users who are members of "samplegroup" in Active Directory:
$query_id++;
$ldap_queries[$query_id]['ldapServerId'] = 0;
$ldap_queries[$query_id]['name'] = 'All members of samplegroup';
$ldap_queries[$query_id]['userbase'] = 'OU=USER_GROUP,DC=xxx,DC=yyy';
$ldap_queries[$query_id]['userfilter'] = '(&(objectClass=user)(memberOf=CN=samplegroup,OU=Group Global,OU=USER_GROUP,DC=xxx,DC=yyy)(!(userAccountControl=514)))';
$ldap_queries[$query_id]['userscope'] = 'sub';
$ldap_queries[$query_id]['firstname_attr'] = 'givenname'; // AD attribute holding the first name
$ldap_queries[$query_id]['lastname_attr'] = 'sn';
$ldap_queries[$query_id]['email_attr'] = 'mail';
$ldap_queries[$query_id]['token_attr'] = ''; // Leave empty to let phpsv generate the token
$ldap_queries[$query_id]['language'] = '';
$ldap_queries[$query_id]['attr1'] = '';
$ldap_queries[$query_id]['attr2'] = '';

Example user query:

$ldap_queries[$query_id]['userfilter'] = '(&(objectCategory=Person)(objectClass=user)(!(userAccountControl=514)))'; // Active Directory cannot match enabled accounts directly, so we select users that are not disabled
  • Consider, as suggested in the config file, adding (!(email=*)) to your user filters to skip users without an e-mail address.

Example group query:

$ldap_queries[$query_id]['groupfilter'] = '(&(objectClass=group)(cn=Domain Admins))'; // Active Directory does not use the standard attribute name for groups, so use this example instead.
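The (!(userAccountControl=514)) test used in the Active Directory examples above deserves a caveat. userAccountControl is a bit field: 514 is NORMAL_ACCOUNT (0x200) combined with ACCOUNTDISABLE (0x2), so an equality test only excludes disabled accounts that carry no other flag; a disabled account with, say, DONT_EXPIRE_PASSWORD (0x10000) set has the value 66050 and passes the filter, and would be imported as a token. Active Directory supports the LDAP_MATCHING_RULE_BIT_AND extensible match (OID 1.2.840.113556.1.4.803) for exactly this case. The script below is an added example, not from the page or LimeSurvey; the account values are constructed.

```python
# userAccountControl flag bits (Microsoft documented values)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

# Filter as written on the page: equality on the whole attribute value
PAGE_FILTER = "(!(userAccountControl=514))"
# Filter using the bitwise-AND matching rule: excludes every entry with the disable bit set
BITWISE_FILTER = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"

def passes_equality_filter(uac: int) -> bool:
    """What the server does for PAGE_FILTER: keep the entry unless the value is exactly 514."""
    return uac != 514

def passes_bitwise_filter(uac: int) -> bool:
    """What the server does for BITWISE_FILTER: keep the entry unless bit 0x2 is set."""
    return not (uac & ACCOUNTDISABLE)

# Constructed sample accounts: name -> userAccountControl value
SAMPLE_ACCOUNTS = {
    "enabled": NORMAL_ACCOUNT,                                            # 512
    "disabled": NORMAL_ACCOUNT | ACCOUNTDISABLE,                          # 514
    "disabled_noexpire": NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD,  # 66050
}

def compare(accounts):
    """Map each account to (passes PAGE_FILTER, passes BITWISE_FILTER)."""
    return {name: (passes_equality_filter(v), passes_bitwise_filter(v)) for name, v in accounts.items()}

def leaked_by_equality(accounts):
    """Accounts the page's filter would import although they are disabled."""
    return sorted(n for n, (eq, bit) in compare(accounts).items() if eq and not bit)

if __name__ == "__main__":
    for name, verdict in compare(SAMPLE_ACCOUNTS).items():
        print(f"{name:18} equality={verdict[0]} bitwise={verdict[1]}")
    print("slips through the equality filter:", leaked_by_equality(SAMPLE_ACCOUNTS))
```

Replacing the (!(userAccountControl=514)) clause in the userfilter strings above with the BITWISE_FILTER clause keeps the rest of the query unchanged; the other caveat from the page, lowercase attribute names in the query parameters, still applies.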

Find more information about the Active Directory LDAP structure on Active Directory Architecture and Active Directory Technical Specification.

LDAP configuration examples

Example settings AD2008 & 2.05+

Settings working with Active Directory 2008 and 2.05+ (build 140520) with AuthLDAP plugin.

Authentication with LDAP and userPrincipalName attribute

Note: Authentication with userPrincipalName attribute (i.e. firstname.lastname@example.intra). Create a LimeSurvey user with the same name as the AD (active directory) user account:

  • Username: firstname.lastname@example.intra;
  • Full name: Firstname LASTNAME.

Then configure the plugin: Plugin Manager > LDAP > Configure.

  • Ldap server e.g. ldap://ldap.example.intra: ldap://ldap.example.intra;
  • Port number (default when omitted is 389): 389;
  • LDAP version (LDAPv2 = 2), e.g. 3: LDAPv3;
  • Username prefix cn= or uid=: cn=: empty;
  • Username suffix e.g. @example.intra or remaining part of ldap query: empty.

Log in using the AD credentials (username: firstname.lastname@example.intra and password).

Authentication with LDAP and sAMaccountName attribute

Note: Authentication with sAMaccountName attribute (i.e. firstname.lastname). Create a LimeSurvey user with the same name as the AD (active directory) user account:

  • Username: firstname.lastname;
  • Email: firstname.lastname@example.intra;
  • Full name: Firstname LASTNAME.

Then configure the plugin: Plugin Manager > LDAP > Configure.

  • Ldap server e.g. ldap://ldap.example.com: ldap://ldap.example.intra;
  • Port number (default when omitted is 389): 389;
  • LDAP version (LDAPv2 = 2), e.g. 3: LDAPv3;
  • Username prefix cn= or uid=: cn=: empty;
  • Username suffix e.g. @example.com or remaining part of ldap query: @example.intra.

Log in using the AD credentials (username: firstname.lastname and password).

Authentication with LDAPS and sAMaccountName attribute

Note: Authentication with sAMaccountName attribute (i.e. firstname.lastname). Create a LimeSurvey user with the same name as an AD (active directory) user account:

  • Username: firstname.lastname;
  • Email: firstname.lastname@example.intra;
  • Full name: Firstname LASTNAME;

Then configure the plugin: Plugin Manager > LDAP > Configure.

  • Ldap server e.g. ldap://ldap.example.com: ldaps://ldap.example.intra;
  • Port number (default when omitted is 389): 636;
  • LDAP version (LDAPv2 = 2), e.g. 3: LDAPv3;
  • Username prefix cn= or uid=: cn=: empty;
  • Username suffix e.g. @example.intra or remaining part of ldap query: @example.intra.

Log in using the AD credentials (username: firstname.lastname and password).

Example settings OpenLDAP & 2.05+

Settings working with OpenLDAP and 2.05+ (git version Feb. 2015) with AuthLDAP plugin.

Authentication with LDAP and uid attribute

Note: Authentication with uid attribute. Create a LimeSurvey user with the same name as the LDAP user account.

Then configure the plugin: Plugin Manager > LDAP > Configure.

  • Ldap server e.g. ldap://ldap.mydomain.com: ldap://ldap.mydomain.com;
  • Port number (default when omitted is 389): (389 or leave blank);
  • LDAP version (LDAPv2 = 2), e.g. 3: LDAPv3;
  • Select true if referrals must be followed (use false for ActiveDirectory): (leave blank);
  • Check to enable Start-TLS encryption When using LDAPv3: False;
  • Select how to perform authentication: Search and bind;
  • Attribute to compare to the given login can be uid, cn, mail, ...: uid;
  • Base DN for the user search operation: ou=people,dc=mydomain,dc=com;
  • Optional extra LDAP filter to be ANDed to the basic (searchuserattribute=username) filter. Don't forget the outermost enclosing parentheses: (leave blank);
  • Optional DN of the LDAP account used to search for the end-user's DN. An anonymous bind is performed if empty: cn=admin,dc=mydomain,dc=com;
  • Password of the LDAP account used to search for the end-user's DN, if previously set: password (appears in clear in the form!);
  • Check to make default authentication method: (as you wish).

Log in using the LDAP credentials (username: user and password).

Authentication with OpenLDAP, uid attribute, and group restriction [2.62+]

Some applications require a separate LDAP query (beyond the user search and bind that checks the password) to determine whether the user has sufficient authorization. For example, let's assume that LDAP has a Groups OU that includes an entry identified by cn=limeusers, and our policy is that for a user to be authorized to use LimeSurvey that entry must include an attribute of the form memberUid=username, where username is the username (uid) entered by the user attempting to log in. To configure LDAP for that, set up basic uid authentication as above and then set the following additional (optional) parameters:

  • Optional base DN for group restriction: ou=Groups,dc=mydomain,dc=com
  • Optional filter for group restriction: (&(cn=limeusers)(memberUid=$username))

Note:

  1. $username is a magic value (in the context of the filter parameter) that is replaced by the username entered by the user when logging in.
  2. Although intended for testing group membership as above, this optional "group restriction" capability can be used to add any authorization check that can be expressed as a separate filtered search like this.
  3. Before specifying a group restriction this way, verify that basic LDAP authentication is working correctly.
  4. If either of the group restriction parameters is empty, then the group restriction step will not be applied.