History of AuthenticationPluginLdap
The LDAP plugin provides user authentication via an LDAP (Lightweight Directory Access Protocol) server. Use of the plugin requires that both PEAR::Auth and the PHP LDAP module are installed in your web server setup. An ((LDAPServerConfiguration|operational LDAP server)) is also required.
Ubuntu/Debian Example: ^apt-get install php-auth php-ldap^
Note for v2.6: ^You must also uncomment ./users/auth/ldap/auth.php line 15. This allows the PEAR::Auth module to be found on your system. Oops; LDAP support is broken in 2.6, working on it now...^
[http://www.openldap.org/|The OpenLDAP Project] is a useful starting point for setting up a working LDAP system, although alternatives are also available. Most Linux distributions will have an LDAP server setup that can be enabled if required.
!!!Configuring access
Once correctly enabled, an LDAP tab will be provided on the Login Settings page, and this needs to be populated with the access information for your LDAP server.
{attachment id=990 size=medium}
++yellow:Now to work out what it all means++
Bitweaver requires a number of fields to be available in its USERS_USERS table in order to correctly identify and work with its internal user_id. The three that must be available are login, email and real_name, although real_name can probably be defaulted to login if not available. The password fields provided in the USERS_USERS table can be ignored if LDAP is being used to provide those checks, although at present we have no details on how things like password time-out are handled at the LDAP end. At some point we may be able to link user avatars stored in LDAP with the local attachments, but having all files stored via LDAP may be a little further off. This just leaves the 'default_group_id', but at this stage it will be assumed that this is only managed locally, although the role/group overlap does come into play.
||Schema|login|email|real_name
|LDAP User Attribute|LDAP User E-Mail Address|LDAP User Display Name
inetOrgPerson|cn|mail|displayName
Active Directory|cn|mail|displayName||
Not having an AD server to test against, it is a little difficult to confirm things, but it does seem that modern AD schemas will accept the international standard fields and return the same results.
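The attribute mapping in the table above, applied to a single directory entry, as an added example (not Bitweaver's or PEAR::Auth's own code). The function name mapLdapEntry(), the $attrMap array and the sample entry are assumptions made for illustration; the entry is constructed in the shape PHP's ldap_get_entries() returns.

```php
<?php
// Added example: map one LDAP entry onto the three fields Bitweaver needs.
// mapLdapEntry() and $attrMap are hypothetical names, not Bitweaver code.

function mapLdapEntry(array $entry, array $attrMap): array
{
    $user = [];
    foreach ($attrMap as $field => $attr) {
        // ldap_get_entries() lowercases attribute names, so displayName
        // arrives under the key "displayname".
        $key = strtolower($attr);
        $value = '';
        if (isset($entry[$key]['count']) && $entry[$key]['count'] > 0) {
            $value = trim((string) $entry[$key][0]);
        }
        $user[$field] = $value;
    }

    // login and email must be present; refuse the entry rather than
    // create a local user record with empty identifying fields.
    foreach (['login', 'email'] as $required) {
        if ($user[$required] === '') {
            throw new UnexpectedValueException("LDAP entry has no usable $required");
        }
    }

    // real_name can default to login when the directory has no display name.
    if ($user['real_name'] === '') {
        $user['real_name'] = $user['login'];
    }
    return $user;
}

// Column mapping from the table above (identical for inetOrgPerson and AD).
$attrMap = ['login' => 'cn', 'email' => 'mail', 'real_name' => 'displayName'];

// Constructed sample entry; it deliberately has no displayName attribute.
$entry = [
    'cn'    => ['count' => 1, 0 => 'jdoe'],
    'mail'  => ['count' => 1, 0 => 'jdoe@example.org'],
    'count' => 2,
    'dn'    => 'cn=jdoe,ou=people,dc=example,dc=org',
];

print_r(mapLdapEntry($entry, $attrMap));
```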
!!!Other useful links
[http://uk.php.net/ldap|PHP LDAP Package]
[http://pear.php.net/manual/en/package.authentication.auth.php|PEAR Auth Module]
[http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page|phpLDAPAdmin administration package]
[http://www.it.ufl.edu/projects/directory/ldap-schema/objectclasses.html|Useful schema tree - use links at bottom] Need something a little tidier, but this is a useful start
[http://www.symas.com/documents/Adam-Eval1-0.pdf|Very nice comparison document for Active Directory] This also outlines a number of more advanced features.