meeting-room-booking-system / mrbs-code

MRBS application code

Can't configure a suitable auth method #1862

Open jberanek opened 7 years ago

jberanek commented 7 years ago

Hi! I have used MRBS for some years now, using the POP3 authentication method which looked at our internal mail server. However, much has changed since then - we now use GSuite/Google Apps for email, so the internal mail server is now redundant. It is time to rebuild MRBS on a new server.

I want to set up a reliable authentication method for staff to access MRBS. The only two options that work for us are LDAP or IMAP/POP3.

LDAP: We have a Mac Open Directory running on the same server as MRBS. I can't for the life of me get MRBS to authenticate with LDAP; I always get "Unknown User". All documentation and threads online focus on Active Directory LDAP / Windows servers.

IMAP: This method would require connecting to Gmail's mail servers (imap.gmail.com), so I am wondering how to restrict authentication to users in our GSuite domain? Otherwise, anyone with a Gmail account could sign in.

Any guidance much accepted. Rhys

Reported by: *anonymous

Original Ticket: mrbs/support-requests/1141

jberanek commented 7 years ago

As far as I can tell, for Apple/Mac Open Directory you want to be following instructions as per an OpenLDAP configuration. This would be setting:

$ldap_user_attrib = "uid";

If your directory doesn't allow anonymous searching, you'll also need:

$ldap_dn_search_dn = "cn=Search User,ou=Users,dc=example,dc=com";
$ldap_dn_search_password = "some-password";

Original comment by: jberanek
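A command-line check for the settings discussed in this thread, added here as an example (it is not MRBS code and not from either poster). It assumes a search-then-bind login and separates the three places that can fail: the search bind, the lookup of the user by `$ldap_user_attrib`, and the bind as the DN that was found. The host, base DN and the `fail()` helper are placeholders or hypothetical names chosen for illustration.

```php
<?php
// Added diagnostic, not part of MRBS. Run: php ldap_check.php <username>
// Placeholder values below: replace with your own directory's settings.
$ldap_host               = 'ldap://127.0.0.1';
$ldap_base_dn            = 'cn=users,dc=example,dc=com';
$ldap_user_attrib        = 'uid';
$ldap_dn_search_dn       = null;  // null = anonymous search bind
$ldap_dn_search_password = null;

// Hypothetical helper: report the failing step and the server's error text.
function fail($step, $conn = null) {
    $detail = $conn ? ': ' . ldap_error($conn) : '';
    fwrite(STDERR, "FAILED at $step$detail\n");
    exit(1);
}

if (!extension_loaded('ldap')) fail('PHP ldap extension is not loaded');
if ($argc < 2) fail('usage: php ldap_check.php <username>');

$conn = ldap_connect($ldap_host);
if (!$conn) fail('ldap_connect');
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

// Step 1: bind for searching (anonymous when no search DN is configured).
if (!@ldap_bind($conn, $ldap_dn_search_dn, $ldap_dn_search_password)) {
    fail('search bind', $conn);
}

// Step 2: look the user up. The username is escaped so that characters
// such as * ( ) cannot alter the filter.
$filter = '(' . $ldap_user_attrib . '='
        . ldap_escape($argv[1], '', LDAP_ESCAPE_FILTER) . ')';
$res = @ldap_search($conn, $ldap_base_dn, $filter, [$ldap_user_attrib]);
if (!$res) fail("search $filter under $ldap_base_dn", $conn);
$entries = ldap_get_entries($conn, $res);
if ($entries['count'] !== 1) {
    fail("expected exactly 1 entry for $filter, got {$entries['count']}");
}
$dn = $entries[0]['dn'];
echo "Found user DN: $dn\n";

// Step 3: bind as the user. An empty password is refused up front, because
// many servers treat DN + empty password as a successful unauthenticated bind.
echo "Password (will be echoed): ";
$pw = rtrim((string) fgets(STDIN), "\r\n");
if ($pw === '') fail('empty password refused');
if (!@ldap_bind($conn, $dn, $pw)) fail('bind as user', $conn);
echo "OK: credentials accepted for $dn\n";
```

A failure at step 2 with zero entries points at the base DN or the user attribute rather than the password; a failure at step 1 points at the search credentials or at anonymous searching being disabled.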

jberanek commented 7 years ago

Hi John, thanks for the response. I believe my LDAP allows anon. searching but had tried this also.

The settings currently are:

ldap_host = 127.0.0.1
ldap_v3 = true (have tried false as well)
ldap_tls = false
ldap_base_dn = cn=users,dc=domain,dc=com
ldap_user_attrib = uid

The base dn matches how other appliances have connected to this LDAP. These settings also match my attempts with the old install of MRBS using the old LDAP server, which as I recall also did not work, hence reverting to the POP3 method.

Are any steps required for the auth_ldap PHP extension to be functional? I am currently using the built-in web server offered by macOS Server.

Thanks Rhys

Original comment by: *anonymous

jberanek commented 7 years ago

Hi John, after fiddling around with all sorts of settings, I finally found a combination that worked. I can't seem to specify a group to prevent other groups from authenticating, but that's a challenge for another day.

Thank you Rhys

Original comment by: *anonymous