LDAP-instellingen
From LimeSurvey Manual
Algemeen
LDAP wordt nu gebruikt bij de functie "Importeren toegangscodes uit LDAP query", maar mogelijk wordt in de toekomst ook LDAP authenticatie ondersteunt. Er is nu een niet ondersteunde manier voor authenticatie met LDAP. Workarounds: Authenticating Against LDAP Cheap and Dirty. Om deze functie te gebruiken, moet je LDAP support in config.php inschakelen en de parameters in config-ldap.php instellen.
Om LDAP te kunnen gebruiken, moet de LDAP module in je PHP geïnstalleerd zijn. Extensie installeren: PHP LDAP module documentation.
TIP: Als je wilt dat beheerders authenticatie via LDAP gaat, controleer dan de informatie over authenticatie in de optionele instellingen.
Inschakelen LDAP
- $enableLdap: als je LDAP functie wilt gebruiken, dan moet je deze parameter in config.php op "true" zetten (standaard: "false")
Definiëren LDAP servers
Definieer eerst de ldap server connectie opties in application/config/ldap.php. Voor elke server zijn er de volgende opties:
- $serverId: een integer die de LDAP-server identificeert. Het wordt gebruikt in query definities om de server aan een specifieke query te koppelen (bind).
- $ldap_server[$serverId]['server']: het IP adres of DNS naam van de LDAP server. Als je SSL secured connections (LDAPs of LDAP+Start-TLS) gebruikt dan moet deze naam overeenkomen met het server Certificaat CN (of SubjectAlternativeName)
- $ldap_server[$serverId]['protoversion']: kan zijn 'ldapv2' of 'ldapv3' afhankelijk van het door je server ondersteunde protocol. Voorkeur: 'ldapv3'. Als je encrypted connections wilt gebruiken, dan is LDAP ondersteunt in de 'ldapv2' mode terwijl Start-TLS is de encryption methode voor 'ldapv3'
- $ldap_server[$serverId]['encrypt']: definieert de gebruikte encryption methode. 'ldaps' wordt ondersteunt voor 'ldav2' servers, 'start-tls' voor 'ldapv3' servers. Het 'none' keyword wordt gebruikt voor cleartext LDAP communications
- Vergeet niet dat voor 'ldaps' of 'start-tls' encryption, de server het LDAP server certificaat moet kunnen controleren. Dus je moet de Certificate Authority in je openldap library definiëren (meestal wordt dit voor linux gedaan in het bestand /etc/openldap/ldap.conf)
- $ldap_server[$serverId]['referrals']: boolean parameter definieert of doorverwijzingen moeten worden gevolgd (gebruik "false" voor ActiveDirectory)
- $ldap_server[$serverId]['encoding']: optionele parameter die de gebruikte encoding aangeeft die gebruikt wordt in de ldap directory om strings op te slaan. Dit hoef je meestal niet te doen, omdat de standaard voor encoding 'utf-8' is. Als je echter Active Directory gebruikt en je hebt problemen met het importeren van strings met accenten, probeer dan deze parameter in te stellen op de door jou gebruikte encoding (bijvoorbeeld 'cp850' voor West Europa). Je ziet een lijst met ondersteunde encodings als je kijkt in de dropdown lijst 'karakterset van het bestand' bij de functie 'Importeer toegangscodes uit CSV-bestand'.
Daarna moet je aangeven welke authenticatie nodig is om toegang te krijgen tot de map. Als anonieme toegang is toegestaan, dan moet je de volgende twee parameters niet zetten en anders dus wel:
- $ldap_server[$serverId]['binddn']: DN van de 'LDAP' gebruiker die de map mag lezen
- $ldap_server[$serverId]['bindpw']: Password van de bovenstaande LDAP gebruiker
Als je meerdere LDAP servers definieert, voeg dan de volgende regel toe:
- $serverId++;
Definiëren queries in config-ldap.php
LET OP: wanneer er een ldap attribuutnaam wordt gebruikt in een van deze parameters, gebruik dan alleen kleine letters: dus displayname en NIET displayName.
Bekijk het bestand config-ldap.php, het bevat voorbeelden van de configuratie.
Simple Queries
Let's begin with simples queries. These queries only filter LDAP entries based on their own attributes and location. They are usually enough for querying ActiveDirectory.
- $query_id: is the id of the LDAP query
- $ldap_queries[$query_id]['ldapServerId']: bind the query to a specific server
- $ldap_queries[$query_id]['name']: String describing the query. It will be displayed in the GUI
- $ldap_queries[$query_id]['userbase']: Root DN to use for user searches
- $ldap_queries[$query_id]['userfilter']: filter used to select potential users' entries. It must be enclosed in parenthesis
- $ldap_queries[$query_id]['userscope']: scope of the LDAP search for users ('base', 'one' or 'sub')
- $ldap_queries[$query_id]['firstname_attr']: Ldap attribute that will be mapped to the Firstname field of the token entry
- $ldap_queries[$query_id]['lastname_attr']: Ldap attribute that will be mapped to the Lastname field of the token entry
- $ldap_queries[$query_id]['email_attr']: Ldap attribute that will be mapped to the email address field of the token entry
Optionaly you can retrieve more information from the directory:
- $ldap_queries[$query_id]['token_attr']: Ldap attribute that will be mapped to the token code
- $ldap_queries[$query_id]['language']: Ldap attribute that will be mapped to the user language code
- $ldap_queries[$query_id]['attr1']: Ldap attribute that will be mapped to the attribute_1 field
- $ldap_queries[$query_id]['attr2']: Ldap attribute that will be mapped to the attribute_2 field
Combined Group Queries with DN members
Let's now see how to define a more complicated query.
The following queries uses a first LDAP search that looks into LDAP groups. An LDAP group is an LDAP entry containing references to users' entries in the form of:
- user ids (for instance posixGroups do) ==> See the next section
- Or user DNs (for instance groupofnames and groupofuniquenames do) ==> see below
Here we deal with groups containing user DNs:
- define $query_id, $ldap_queries[$query_id]['ldapServerId'], $ldap_queries[$query_id]['name'] as explained above
Then define the group filter parameters:
- $ldap_queries[$query_id]['groupbase']: the Root DN from which you want to start searching for group entries
- $ldap_queries[$query_id]['groupfilter']: the LDAP filter that will select potential group entries
- $ldap_queries[$query_id]['groupscope']: the scope of the LDAP search for groups ('on', 'base' or 'sub')
- $ldap_queries[$query_id]['groupmemberattr']: name of the LDAP attribute in the group entry that will contain references to users' entries
- $ldap_queries[$query_id]['groupmemberisdn']: TRUE
At this point everything is setup to let the fist LDAP search find users corresponding to selected groups. However, you can restrict which of these 'user candidates' will be selected by applying another filter on them. This is, of course, optionnal:
- $ldap_queries[$query_id]['userbase']: Base DN for the user LDAP search (only user candidate matching this base) will be selected
- $ldap_queries[$query_id]['userscope']: Scope for the user LDAP search (only user candidate matching the userbase+scope) will be selected
- $ldap_queries[$query_id]['userfilter']: filter to apply to each user candidate entry (on its attributes) to add another selection
Combined Group Queries with UID members
Let's now see how to define a combined Group query when group members are user UIDs and not User DNs.
As for the Group queries with DNs members, these queries uses a first LDAP search that looks for LDAP groups entries and get their members. These members values are then used in a user search filter to search for corresponding entries. Thus another parameter must be configured to define the user attribute in the user's entry that should match the member UID found in the groups.
Let's review the required parameters:
- define $query_id, $ldap_queries[$query_id]['ldapServerId'], $ldap_queries[$query_id]['name'] as explained above
Then define the group filter parameters:
- $ldap_queries[$query_id]['groupbase']: the Root DN from which you want to start searching for group entries
- $ldap_queries[$query_id]['groupfilter']: the LDAP filter that will select potential group entries
- $ldap_queries[$query_id]['groupscope']: the scope of the LDAP search for groups ('on', 'base' or 'sub')
- $ldap_queries[$query_id]['groupmemberattr']: name of the LDAP attribute in the group entry that will contain references to users' entries
- $ldap_queries[$query_id]['groupmemberisdn']: FALSE
- $ldap_queries[$query_id]['useridattr']: name of the user attribute that must match the UID found in the group members
At this point everything is setup to let the fist LDAP search find users UIDs corresponding to selected groups and a user search filter will be automatically filled.
However, you can restrict which of these 'user candidates' will be selected by completing the automatic user filter computed from member UIDs. This is, of course, optional:
- $ldap_queries[$query_id]['userbase']: Base DN for the user LDAP search (only user candidate matching this base) will be selected
- $ldap_queries[$query_id]['userscope']: Scope for the user LDAP search (only user candidate matching the userbase+scope) will be selected
- $ldap_queries[$query_id]['userfilter']: filter to apply to each user candidate entry (on its attributes) to add another selection
What about Active Directory?
Active Directory (AD) is a Microsoft registry that can be queried by using the LDAP protocol.
It is then possible to use its content for LimeSurvey token queries, but this requires knowledge on how AD is organized.
- The LDAP root base is dc=my_windows_domain_name,dc=dns_suffix2,dc=dns_suffix1
==> For instance if your company owns the DNS domain 'my-company.com', and your Windows domain is 'employees', then your root base is dc=employees,dc=my-company,dc=com
- Users and users-groups are stored below the cn=Users,dc=my_windows_domain_name,dc=dns_suffix2,dc=dns_suffix1 (please note this is not ou=users)
- Active Directory Groups
- Groups objects contain DN of members in their 'member' attribute.
- Group memberships are also stored in the memberOf attribute of each user entry. This attribute contains DNs of groups the user belongs to
- some groups are in CN=Builtin,dc=my_windows_domain_name,dc=dns_suffix2,dc=dns_suffix1
- For instance: cn=Administrator,CN=Builtin,dc=my_windows_domain_name,dc=dns_suffix2,dc=dns_suffix1
In some cases it is not as easy to query an active directory so here is a sample configuration for getting some infomations of an active directory:
//Connection to the active directory Server:
$serverId=0;
$ldap_server[$serverId]['server'] = "10.10.10.10";
$ldap_server[$serverId]['port'] = "389";
$ldap_server[$serverId]['protoversion'] = "ldapv2";
$ldap_server[$serverId]['encrypt'] = "none"; // Most AD LDAP servers will not have encryption set by default
$ldap_server[$serverId]['referrals'] = false;
$ldap_server[$serverId]['binddn'] = "domain\\user";
$ldap_server[$serverId]['bindpw'] = "userpassword";
//$ldap_server[$serverId]['binddn'] = "CN=user,OU=user_group,DC=xxx,DC=yyy"; this one will not work with active directory, that´s why you need to use "domain\\user"
//Here is a sample query for getting all active users of an active directory:
$query_id=0;
$ldap_queries[$query_id]['ldapServerId'] = 0;
$ldap_queries[$query_id]['name'] = 'Staff with an enabled account';
$ldap_queries[$query_id]['userbase'] = 'OU=USER_GROUP,DC=xxx,DC=yyy';
$ldap_queries[$query_id]['userfilter'] = '(&(objectClass=user)(!(userAccountControl=514)))';
//(!(userAccountControl=514)) you are not able to ask active directory for an active user but you are able to ask for a non inactive user
$ldap_queries[$query_id]['userscope'] = 'sub';
$ldap_queries[$query_id]['firstname_attr'] = 'givenname';
$ldap_queries[$query_id]['lastname_attr'] = 'sn';
$ldap_queries[$query_id]['email_attr'] = 'mail';
$ldap_queries[$query_id]['token_attr'] = ''; // Leave empty for Auto Token generation bu phpsv
$ldap_queries[$query_id]['language'] = '';
$ldap_queries[$query_id]['attr1'] = '';
$ldap_queries[$query_id]['attr2'] = '';
//Group filtering was not possible in active directory, you need to add the memberOf attribute of an user. Here is a sample query for getting all active users that are member of the group "samplegroup" in active directory:
$query_id++;
$ldap_queries[$query_id]['ldapServerId'] = 0;
$ldap_queries[$query_id]['name'] = 'All members of samplegroup';
$ldap_queries[$query_id]['userbase'] = 'OU=USER_GROUP,DC=xxx,DC=yyy';
$ldap_queries[$query_id]['userfilter'] = '(&(objectClass=user)(memberOf=CN=samplegroup,OU=Group Global,OU=USER_GROUP,DC=xxx,DC=yyy)(!(userAccountControl=514)))';
$ldap_queries[$query_id]['userscope'] = 'sub';
$ldap_queries[$query_id]['firstname_attr'] = 'givenname';
$ldap_queries[$query_id]['lastname_attr'] = 'sn';
$ldap_queries[$query_id]['email_attr'] = 'mail';
$ldap_queries[$query_id]['token_attr'] = ''; // Leave empty for Auto Token generation bu phpsv
$ldap_queries[$query_id]['language'] = '';
$ldap_queries[$query_id]['attr1'] = '';
$ldap_queries[$query_id]['attr2'] = '';
Another example User query:
$ldap_queries<nowiki>[</nowiki>$query_id]]<nowiki>[</nowiki>'userfilter']] = '(&('''objectCategory=Person''')(objectClass='''user''')(!('''userAccountControl=514''')))'; // AD doesn't recognise enabled accounts in the normal way, so instead, we check users are not disabled
- As suggested in the config file, consider adding (!(email=*)) to your user filters to ignore users with no email address.
Example group query:
$ldap_queries<nowiki>[</nowiki>$query_id]]<nowiki>[</nowiki>'groupfilter']] = '(&(objectClass='''group''')(cn=Domain Admins))'; // AD doesn't use the standard attribute name for groups, so use this example instead.
Find more information about the Active Directory LDAP structure on this page.
Working configurations
MS AD 2003
Apache vhost code:
<Location /admin>
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "Rechner Login verwenden"
AuthLDAPURL "ldap://ldaphost.domain.tld:389/DC=domain,DC=tld?sAMAccountName?sub?(objectClass=*)" [<div class="simplebox">] NONE
AuthLDAPBindDN "DOMAIN\\ldapuser"
AuthLDAPBindPassword "ldappass"
require valid-user
</Location>
LimeSurvey config.php code:
$useWebserverAuth = true;
$userArrayMap = Array ('Administrator' => 'admin');
$WebserverAuth_autocreateUser = true;
function hook_get_autouserprofile($user_name) {
$SearchFor=$user_name;
$SearchField="samaccountname";
$LDAPHost = "ldaphost.domain.tld";
$dn = "OU=Benutzer,OU=Company,DC=domain,DC=tld";
$LDAPUserDomain = "@domain.tld";
$LDAPUser = "ldapuser";
$LDAPUserPassword = "ldappass";
$LDAPFieldsToFind = array("cn", "samaccountname", "mail");
$cnx = ldap_connect($LDAPHost) or die("Could not connect to LDAP");
ldap_set_option($cnx, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($cnx, LDAP_OPT_REFERRALS, 0);
ldap_bind($cnx,$LDAPUser.$LDAPUserDomain,$LDAPUserPassword) or die("Could not bind to LDAP");
error_reporting (E_ALL </div> E_NOTICE);
$filter="($SearchField=$SearchFor*)";
$sr=ldap_search($cnx, $dn, $filter, $LDAPFieldsToFind);
$info = ldap_get_entries($cnx, $sr);
for ($x=0; $x<$info["count"]; $x++) {
$sam=$info[$x]['samaccountname'][0];
$email=$info[$x]['mail'][0];
$nam=$info[$x]['cn'][0];
if (stristr($sam, "$SearchFor")) {
$user_name_from_backend = $nam;
$user_email_from_backend = $email;
}
}
if ($x==0) {
return Array();
}
return Array(
'full_name' => "$user_name_from_backend",
'email' => "$user_email_from_backend",
'lang' => "de",
'htmleditormode' => 'inline',
'templatelist' => 'default',
'create_survey' => 1,
'create_user' => 0,
'delete_user' => 0,
'superadmin' => 0,
'configurator' =>0,
'manage_template' => 0,
'manage_label' => 0);
}
Forum link (German): http://www.limesurvey.org/forum/german-forum/75992-ldap-auth-und-auto-benutzer-anlegen?lang=en#75992