LDAP Tools/Microsoft Active Directory

From Authentication Tools for Joomla! (JAuthTools)


Microsoft Active Directory (MS AD), introduced in 2000, provides much-needed built-in directory support for Microsoft Windows based operating systems, replacing the previous Windows Domain system. It provides a more comprehensive platform than the previous model and allows native LDAP interaction with its data set.

For more information, please visit Wikipedia's Active Directory article. You can also check out my MSAD Quirks page for some background knowledge on Active Directory.

There is also a quickstart for Active Directory.


Notes

MS AD uses the user's common name, typically their full name (e.g. "Samuel Moffatt"), as the CN in their DN. With the default authentication method (bind as user) this means that, using the default settings, a user's login name is their full name or display name. This is usually undesirable because it makes their Windows login different from their Joomla login. I have prepared two sets of examples: the first stays as close to the defaults as possible, the second allows the Windows username to be used.

By default MS AD appears to be case sensitive and requires a valid login before it will allow LDAP searches. This means that anonymous connections will fail, so a user account for Joomla! must be created in order to connect; AD can, however, be configured to allow anonymous lookups. Please keep this in mind when deploying solutions on this platform.

In these examples you will note that the Base DN is set to the same value as the Users DN. This is done because on my AD setup (Server 2003) there is a server called 'TAPI3Directory' which points back to my AD server but doesn't accept any connections. This can cause an LDAP search to fail and, as a consequence, the login will also fail.

An Exim mailing list post mentions the following useful piece of information:

When using exim to do LDAP queries against an active directory based system, if you have more than a single domain, you should query against the GC (Global Catalog). This is an LDAP server running on port 3268 of your Domain Controllers.

For more information on the global catalog, check out Microsoft's TechNet article.

1.5 Settings

Proper Username Settings

host=ad.joomla.org
port=389
use_ldapV3=1
negotiate_tls=0
no_referrals=0
auth_method=search
base_dn=DC=joomla,DC=org
search_string=sAMAccountName=[search]
users_dn=CN=[username],CN=Users,DC=joomla,DC=org
username=username
password=password
ldap_fullname=displayName
ldap_email=mail
ldap_uid=sAMAccountName

If you change ldap_uid and search_string, you can use the long name (e.g. "Sam Moffatt", as displayed in the AD Users and Computers list; ldap_uid=CN and search_string=CN=[search]) or the user principal name (e.g. "moffats@joomla.org"; ldap_uid=userPrincipalName and search_string=userPrincipalName=[search]).

Common Issues

  • LDAP search returns no results for login

Set the port to 3268 (see above). It is likely your Active Directory installation has multiple domains hosted on the domain controller.

  • Page is blank

LDAP feature isn't correctly enabled in PHP. Check your PHP installation.

1.0 Settings

Proper Username Settings

For most users, these are the settings you are going to want to use.


useglobal=0
host=ad.joomla.org
port=389
use_ldapV3=1
negotiate_tls=0
no_referrals=0
autocreate=1
autocreateregistered=1
forceldap=0
base_dn=CN=Users,DC=ad,DC=joomla,DC=org
search_string=sAMAccountName=[search]
auth_method=search
username=Joomla Auth User
password=password
users_dn=CN=[username],CN=Users,DC=ad,DC=joomla,DC=org
ldap_fullname=displayName
ldap_email=mail
ldap_uid=sAMAccountName
ldap_password=userPassword
groupMap=


Alternate Settings

These are the settings for the alternate connection. The only difference between this set and the previous set is that the authentication method is now 'bind' and the search string is set to CN instead of sAMAccountName. Use these settings if you are comfortable with Active Directory's LDAP underpinnings.

useglobal=0
host=ad.joomla.org
port=389
use_ldapV3=1
negotiate_tls=0
no_referrals=0
autocreate=1
autocreateregistered=1
forceldap=0
base_dn=CN=Users,DC=ad,DC=joomla,DC=org
search_string=CN=[search]
auth_method=bind
username=
password=
users_dn=CN=[username],CN=Users,DC=ad,DC=joomla,DC=org
ldap_fullname=displayName
ldap_email=mail
ldap_uid=sAMAccountName
ldap_password=userPassword
groupMap=
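The two login flows configured on this page, search-then-bind (auth_method=search, as in the 1.5 and 1.0 "Proper Username Settings") and direct bind (auth_method=bind, as in the alternate settings), modelled in Python as an added example; this is not JAuthTools' own PHP code. It assumes the plugin substitutes [username] in users_dn with the configured username to bind the service account before searching, and it escapes the login before substituting it into search_string (RFC 4515 filter escaping) and into users_dn (RFC 4514 DN escaping) so that a login containing `*`, parentheses or commas cannot change the filter or DN. The directory, account names and passwords are constructed stand-ins.

```python
"""Model of the JAuthTools AD login flow: template expansion with escaping,
then search-then-bind or direct bind, against an in-memory directory stand-in.
Added illustration, not the plugin's own code."""
import re

# RFC 4515: characters that must be hex-escaped inside a filter assertion value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a login name before substituting it into search_string."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def unescape_filter_value(value: str) -> str:
    """Reverse RFC 4515 hex escapes (used only by the toy directory below)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

_DN_SPECIAL = set(',+"\\<>;=')

def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)

def expand_search_string(search_string: str, login: str) -> str:
    """search_string=sAMAccountName=[search] -> (sAMAccountName=<escaped login>)."""
    flt = search_string.replace("[search]", escape_filter_value(login))
    return flt if flt.startswith("(") else f"({flt})"

def expand_users_dn(users_dn: str, name: str) -> str:
    """users_dn=CN=[username],CN=Users,... -> DN with the escaped name."""
    return users_dn.replace("[username]", escape_dn_value(name))

class ToyDirectory:
    """Stand-in for a domain controller: DN -> attributes, plus passwords.
    Like AD's default, it refuses searches on an unauthenticated connection,
    and it refuses an empty password (an empty simple bind is anonymous)."""
    _EQ = re.compile(r"^\((\w+)=(.*)\)$")

    def __init__(self, entries, passwords):
        self.entries, self.passwords, self.bound_as = entries, passwords, None

    def bind(self, dn, password):
        ok = bool(password) and self.passwords.get(dn) == password
        self.bound_as = dn if ok else None
        return ok

    def search(self, base, flt):
        if self.bound_as is None:
            raise PermissionError("anonymous search refused")
        m = self._EQ.match(flt)
        if not m:
            raise ValueError("only simple equality filters are modelled")
        attr, want = m.group(1), unescape_filter_value(m.group(2))
        return [dn for dn, attrs in self.entries.items()
                if dn.endswith(base) and attrs.get(attr) == want]

def authenticate(settings, login, password, directory):
    """Return (success, bound DN). auth_method=search: bind as the configured
    service account, search for the login, bind as the single match.
    auth_method=bind: build the DN from users_dn and bind as it directly."""
    if settings["auth_method"] == "search":
        svc_dn = expand_users_dn(settings["users_dn"], settings["username"])  # assumption
        if not directory.bind(svc_dn, settings["password"]):
            return False, None
        hits = directory.search(settings["base_dn"],
                                expand_search_string(settings["search_string"], login))
        if len(hits) != 1:          # no match, or ambiguous match: reject
            return False, None
        user_dn = hits[0]
    else:
        user_dn = expand_users_dn(settings["users_dn"], login)
    return (True, user_dn) if directory.bind(user_dn, password) else (False, None)

# Constructed sample data mirroring the "Proper Username Settings" above
SETTINGS = {
    "auth_method": "search",
    "base_dn": "DC=joomla,DC=org",
    "search_string": "sAMAccountName=[search]",
    "users_dn": "CN=[username],CN=Users,DC=joomla,DC=org",
    "username": "Joomla Auth User",
    "password": "service-secret",          # constructed
}
DIRECTORY = ToyDirectory(
    entries={
        "CN=Joomla Auth User,CN=Users,DC=joomla,DC=org": {"sAMAccountName": "joomlaauth"},
        "CN=Samuel Moffatt,CN=Users,DC=joomla,DC=org": {"sAMAccountName": "moffats"},
    },
    passwords={
        "CN=Joomla Auth User,CN=Users,DC=joomla,DC=org": "service-secret",
        "CN=Samuel Moffatt,CN=Users,DC=joomla,DC=org": "user-secret",
    },
)

if __name__ == "__main__":
    print(authenticate(SETTINGS, "moffats", "user-secret", DIRECTORY))
    print(authenticate(SETTINGS, "*", "user-secret", DIRECTORY))   # wildcard is neutralised
```

Two checks in the model are worth carrying over to any real deployment: a search that returns anything other than exactly one entry is treated as a failed login rather than binding as the first hit, and an empty password is never passed to bind, because LDAP servers (AD included) treat a simple bind with an empty password as an anonymous bind that succeeds without proving anything about the user.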