
"Please Note:
  • At the specific request of Ibexa we are changing this project's name to "Exponential" or "Exponential (CMS)" effective as of August 11th, 2025.
  • This project is not associated with the original eZ Publish software or its original developer, eZ Systems or Ibexa."

Need help with LDAP integration


Jason Senich

Monday 29 November 2004 8:40:18 am

I've looked through every forum posting and still can't seem to figure out why I can't get LDAP authentication working. I suspect that either the way I'm structuring my directory in LDAP or my users/groups in Exponential are incorrect, or both. Can somebody post an example of how the data needs to be structured on both sides to get this to work and a sample of a working ldap.ini for this structure? If not, can somebody point me in the right direction to find this information?

Jonny Bergkvist

Monday 29 November 2004 10:39:25 pm

First make sure you have the ldap-functions available in php.

Then edit your ini-files:
settings/override/site.ini.append.php:
[UserSettings]
LoginHandler[]=LDAP

settings/override/ldap.ini.append.php:
[LDAPSettings]
# Set to true if use LDAP server
LDAPEnabled=true
# LDAP host
# This example uses stunnel from localhost to ldap-server.
LDAPServer=ldapserverhostname
# Port nr for LDAP, default is 389
# 636 is ldaps (ldap over SSL/TLS)
LDAPPort=389
# Specifies the base DN for the directory.
# Ex: dc=example,dc=com
LDAPBaseDn=<your base DN>
# LDAP attribute for login. Normally, uid
LDAPLoginAttribute=uid
# Could be id or name
LDAPUserGroupType=id
# Default place to store LDAP users. Could be content object id or group name for LDAP
# user group, depends on LDAPUserGroupType.
LDAPUserGroup=<your content object id where you store ldap-users in eZ>
# LDAP attribute type for user group. Could be name or id. Optional
# Having different user-type (ie. Employees and students? Then you could put them into
# different user-groups in eZ to assign different roles/rights.
LDAPUserGroupAttributeType=
# LDAP attribute for user group. For example, employeetype. If specified, LDAP users will
# be saved under the same group as in LDAP server. Depends on LDAPUserGroupAttributeType.
LDAPUserGroupAttribute=

Start doing a test with ie. ldapsearch on your ez-server to check that it has access to getting information from the ldap-server.

The structure of objects in the ldap-server is not important. eZ-ldap-handler can do a sub-tree search on your ldap-server starting at the base-dn.

There are also some issues with the ldap-ssl functionality. Try non-ssl first is my tip (port 389).
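As an added check that is not part of the post above or of the eZ/Exponential code base, here is a small Python validator for an ldap.ini.append.php fragment like the one in the reply. It assumes the usual <?php /* ... */ ?> wrapper around eZ .append.php ini files, fills the <...> placeholders with constructed values (ldap.example.com, dc=example,dc=com, content object id 12), and flags the settings most often behind a silent login failure or a plaintext bind: an unset or placeholder value, LDAPPort=389 without a tunnel, and LDAPUserGroupAttribute set while LDAPUserGroupAttributeType is empty. It also rejects any line that is neither a comment, a section header nor key=value, so a comment line that lost its leading # on copy-paste is caught instead of being misread. The checks are derived from the comments in the fragment, not from the handler's source.

```python
"""Sanity-check an eZ/Exponential ldap.ini.append.php fragment before
enabling the LDAP login handler. Added example, not project code."""
import re

# Constructed sample based on the fragment in the reply; the <...> placeholders
# are replaced with example values and the usual eZ php wrapper is assumed.
SAMPLE_INI = """<?php /* #?ini charset="utf-8"?
[LDAPSettings]
# Set to true if use LDAP server
LDAPEnabled=true
LDAPServer=ldap.example.com
LDAPPort=389
LDAPBaseDn=dc=example,dc=com
LDAPLoginAttribute=uid
LDAPUserGroupType=id
LDAPUserGroup=12
LDAPUserGroupAttributeType=
LDAPUserGroupAttribute=employeetype
*/ ?>
"""


def parse_ez_ini(text):
    """Parse the eZ ini dialect: [Section] headers, key=value, key[]=value
    (array append) and '#' comment lines. An optional <?php /* ... */ ?>
    wrapper is stripped first. Returns {section: {key: value or [values]}}.
    Any other line is an error, so a comment that lost its '#' is caught."""
    body = re.sub(r"^<\?php\s*/\*\s*(#\?ini[^\n]*)?", "", text.strip())
    body = re.sub(r"\*/\s*\?>$", "", body)
    settings, section = {}, None
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            settings.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError(f"not a comment, section or key=value line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if key.endswith("[]"):
            settings[section].setdefault(key[:-2], []).append(value)
        else:
            settings[section][key] = value
    return settings


def check_ldap_settings(settings):
    """Return a list of findings about the [LDAPSettings] block; an empty list
    means nothing obviously wrong. These checks are this example's own,
    derived from the comments in the ini fragment, not from the handler."""
    s = settings.get("LDAPSettings", {})
    findings = []
    if s.get("LDAPEnabled", "").lower() != "true":
        findings.append("LDAPEnabled is not true: the handler will never query the directory")
    for key in ("LDAPServer", "LDAPBaseDn", "LDAPLoginAttribute", "LDAPUserGroup"):
        value = s.get(key, "")
        if not value or value.startswith("<"):
            findings.append(f"{key} is empty or still a <placeholder>")
    if s.get("LDAPPort", "389") == "389":
        findings.append("LDAPPort=389: the bind password crosses the network in clear "
                        "unless the connection is tunnelled (e.g. stunnel) or TLS is used")
    group_type = s.get("LDAPUserGroupType", "")
    if group_type not in ("id", "name"):
        findings.append("LDAPUserGroupType must be 'id' or 'name'")
    elif group_type == "id" and not s.get("LDAPUserGroup", "").isdigit():
        findings.append("LDAPUserGroupType=id but LDAPUserGroup is not a content object id")
    if s.get("LDAPUserGroupAttribute") and s.get("LDAPUserGroupAttributeType") not in ("id", "name"):
        findings.append("LDAPUserGroupAttribute is set but LDAPUserGroupAttributeType "
                        "is not 'id' or 'name', so the per-user group mapping cannot apply")
    return findings


if __name__ == "__main__":
    for finding in check_ldap_settings(parse_ez_ini(SAMPLE_INI)):
        print("WARNING:", finding)
```

Run it against your own settings/override/ldap.ini.append.php by reading the file into parse_ez_ini; the sample above yields two warnings (plaintext port, group attribute without a type), and an ini with LDAPPort=636 and LDAPUserGroupAttributeType=name yields none.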

Jason Senich

Tuesday 30 November 2004 11:05:11 am

Okay, I have it working now but I still think there is something that I am doing wrong. In order for me to log in using LDAP authentication I had to enter the id as the username rather than the username and once I did this and logged in, a duplicate user was created in Exponential based on the information that was stored in LDAP. Is this what is supposed to happen? If not, what am I doing wrong? If it is supposed to work like this, how can I change it to log in with the username rather than the id?

Jonny Bergkvist

Wednesday 01 December 2004 3:47:43 am

Yes, it is supposed to create local eZ-users for several reasons:
-content is stamped with the user that created/edited it.
-have the possibility to manage user-groups within eZ if you don't have that information in ldap-directory.

There is also a cron-job that syncs the local eZ-users against ldap-directory (ldapusermanage.php). If a user is deleted from ldap, then this script will disable the eZ-user (but not delete it).

For the login-name try changing LDAPLoginAttribute to the attribute you use in your ldap-directory that store the usernames. (Ex: In Novell it would often be the CN attribute).