anvc / scalar

Born-digital, open source, media-rich scholarly publishing that’s as easy as blogging.

Active Directory LDAP #128

Closed kernsb closed 4 years ago

kernsb commented 4 years ago

Additions to allow compatibility with AD LDAP.

In user model:

In local settings:

Example config entries for AD connecting over LDAPS and limited to "Scalar Users" group for access:

```php
// LDAP authentication settings
$config['use_ldap'] = (getenv('SCALAR_USE_LDAP') ? getenv('SCALAR_USE_LDAP') : true); // Default: off
$config['ldap_server'] = (getenv('SCALAR_LDAP_SERVER') ? getenv('SCALAR_LDAP_SERVER') : "ldap://company.domain.com"); // Use 'ldap://' prefix even if connecting to ldaps
$config['ldap_port'] = (getenv('SCALAR_LDAP_PORT') ? getenv('SCALAR_LDAP_PORT') : 636);
$config['ldap_basedn'] = (getenv('SCALAR_LDAP_BASEDN') ? getenv('SCALAR_LDAP_BASEDN') : "DC=company,DC=domain,DC=com");
$config['ldap_uname_field'] = (getenv('SCALAR_LDAP_UNAME_FIELD') ? getenv('SCALAR_LDAP_UNAME_FIELD') : "sAMAccountName"); // Default 'uid', For AD use 'sAMAccountName'
$config['ldap_filter'] = (getenv('SCALAR_LDAP_FILTER') ? getenv('SCALAR_LDAP_FILTER') : '(memberOf=CN=Scalar Users,OU=Groups,DC=company,DC=domain,DC=com)');

// Active Directory LDAP settings
$config['use_ad_ldap'] = (getenv('SCALAR_USE_AD_LDAP') ? getenv('SCALAR_USE_AD_LDAP') : true); // Default: off
$config['ad_bind_user'] = (getenv('SCALAR_AD_BIND_USER') ? getenv('SCALAR_AD_BIND_USER') : "CN=Service Account,OU=Users,DC=company,DC=domain,DC=com"); // Use LDAP Distinguished Name
$config['ad_bind_pass'] = (getenv('SCALAR_AD_BIND_PASS') ? getenv('SCALAR_AD_BIND_PASS') : "serviceAccountPassword");
```

craigdietrich commented 4 years ago

Thanks, @kernsb!

I'm assuming, but want to make sure, this is backwards compatible with any other install that might have the old LDAP fields in play in local_settings.php?

kernsb commented 4 years ago

To my knowledge, yes. Most of what I did only executes when “use_ad_ldap” is set to true.

The only line that could even possibly have any issue would be the ldap filter line (198) where I included "objectClass=user" for efficiency and the optional additional filter.

I’m 99% sure that is all standard ldap filtering, but I don’t have access to a vanilla ldap to test against, myself.
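An added illustration, not Scalar's own code, of how the sample config above and the combined filter described in this comment fit together: bind as the service account, look up the user by `sAMAccountName` inside `(&(objectClass=user)...)` plus the optional group filter, then re-bind as the user to verify the password. The `$config` keys are those from the sample; the function names, the `ldap_escape` step and the empty-password check are assumptions added here.

```php
<?php
// Added example (not from the Scalar project). Assumes the $config array from the
// PR's sample local_settings.php; hostnames and DNs in it are placeholders.

function ad_build_user_filter(string $unameField, string $username, string $extraFilter = ''): string
{
    // ldap_escape() with LDAP_ESCAPE_FILTER neutralises *, (, ), \ and NUL so a
    // submitted username cannot widen or rewrite the search filter.
    $safe = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    $filter = "(&(objectClass=user)({$unameField}={$safe})";
    if ($extraFilter !== '') {
        $filter .= $extraFilter;   // e.g. the memberOf "Scalar Users" restriction
    }
    return $filter . ')';
}

// Returns the user's DN on success, null on any failure.
function ad_authenticate(array $config, string $username, string $password): ?string
{
    // AD treats a bind with a DN and an empty password as an anonymous
    // ("unauthenticated") bind that succeeds; refuse it before calling ldap_bind().
    if ($username === '' || $password === '') {
        return null;
    }
    $conn = ldap_connect($config['ldap_server'], (int) $config['ldap_port']);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);   // AD referrals otherwise stall searches

    // Step 1: bind with the service account so the user's DN can be looked up.
    if (!@ldap_bind($conn, $config['ad_bind_user'], $config['ad_bind_pass'])) {
        ldap_unbind($conn);
        return null;
    }
    $filter  = ad_build_user_filter($config['ldap_uname_field'], $username, $config['ldap_filter']);
    $result  = @ldap_search($conn, $config['ldap_basedn'], $filter, ['dn']);
    $entries = $result ? ldap_get_entries($conn, $result) : ['count' => 0];
    if ($entries['count'] !== 1) {   // unknown user, or not in the allowed group
        ldap_unbind($conn);
        return null;
    }
    $userDn = $entries[0]['dn'];

    // Step 2: re-bind as the user with the supplied password to verify it.
    $ok = @ldap_bind($conn, $userDn, $password);
    ldap_unbind($conn);
    return $ok ? $userDn : null;
}
```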

craigdietrich commented 4 years ago

@kernsb Okay great!

cc'ing @ccc2lu who committed the original LDAP work. I'll go ahead and run the pull request (and add the relevant fields to the "Changes to config files" wiki page)... @ccc2lu can you let us know if this causes any problems?

Thanks!