LDAP Tools/Explanation of Parameters
From Authentication Tools for Joomla! (JAuthTools)
Current revision as of 05:58, 7 May 2008
There are many parameters for LDAP Tools, some which might be a bit confusing as to their true purpose. This page aims to document them in more detail.
Unless otherwise stated, all settings are available in the core Joomla! LDAP mambot/plugin. Some, but not all, of them also exist in the Joomla! 1.5 LDAP plugin; where a feature lives is noted where possible. The other mambots/plugins support only a subset of the settings, and only the relevant ones are displayed for each.
Server Connect Settings
Use Global Settings
Use the Joomla! LDAP Library configuration instead of the plugin's own settings, so that LDAP is configured in a single place via the Joomla! LDAP plugin (1.0.x only).
Host
The host name of the LDAP server to connect to.
Port
The port to connect to on the server. The default is normally fine (the standard LDAP port is 389; 636 is used for LDAP over SSL).
LDAP V3
Use LDAP version 3. Some servers require this (e.g. OpenLDAP).
Negotiate TLS
Negotiate TLS (similar to SSL) on the connection so that the bind credentials and directory data are encrypted in transit rather than sent in clear text.
Don't follow referrals
Leave this enabled unless your LDAP server is configured to refer clients to other hosts (for example for load balancing), in which case referrals have to be followed. Following referrals can be a security risk, because the client connects to whatever host the referral names and may send its bind credentials there.
LDAP is AD
Enable this if your LDAP server is Active Directory; it changes how user creation and group mapping are carried out to suit an Active Directory environment.
Auth Method
The authentication method used to bind to your directory service.
Server Binding Settings
Base DN
The Base DN of the tree under which users are searched for (e.g. O=Example).
Users DN
The DN pattern used to locate a user; [username] is replaced with the login name (e.g. CN=[username],OU=Users,O=Example).
Search string
The default search filter used to find a user; [search] is replaced with the login name (e.g. CN=[search]). Because the login name is substituted into the filter, it must be escaped before use, or a crafted username can change what the filter matches.
Connect Username
The username passed to the server for the connection bind. Used for default authentication; leave it empty if your server permits anonymous binds.
Connect password
The password for the connect username, required by servers that do not allow anonymous binds (e.g. Active Directory). It is stored in the plugin's configuration, so use a dedicated account with read-only access to the directory.
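The following is an added example, not JAuthTools code: it fills the [username] and [search] placeholders of the Users DN and Search string patterns shown above, escaping the login name so that a crafted value cannot alter the DN (RFC 4514) or the filter (RFC 4515). The pattern strings are the ones from this page; the function names and the attacker input are assumptions made for the example.

```python
# Added example (not JAuthTools code): substitute a login name into the
# Users DN and Search string patterns, escaping it so a crafted username
# cannot alter the DN or the filter (LDAP injection). Function names and
# the sample attacker input are assumptions for this example.

# RFC 4514 section 2.4: characters that need a backslash inside a DN value.
_DN_SPECIAL = set('\\,+"<>;=')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:                 # a leading '#' would start a hex-string value
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):  # leading/trailing spaces are significant
            out.append('\\ ')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an RFC 4515 search filter."""
    out = []
    for ch in value:
        if ch in '\\*()' or ch == '\x00':
            out.append('\\%02x' % ord(ch))         # e.g. '*' -> '\2a'
        else:
            out.append(ch)
    return ''.join(out)


def build_users_dn(pattern: str, username: str) -> str:
    """Fill the [username] placeholder of a Users DN such as
    'CN=[username],OU=Users,O=Example'."""
    return pattern.replace('[username]', escape_dn_value(username))


def build_search_string(pattern: str, username: str) -> str:
    """Fill the [search] placeholder of a Search string such as 'CN=[search]'."""
    return pattern.replace('[search]', escape_filter_value(username))


def compare_unsafe(pattern: str, username: str) -> tuple:
    """Return (naive, escaped) for the same input so the difference is visible."""
    return pattern.replace('[search]', username), build_search_string(pattern, username)


if __name__ == '__main__':
    # Constructed attacker inputs: one adds an RDN, the other closes the CN
    # clause and matches every entry if substituted without escaping.
    print(build_users_dn('CN=[username],OU=Users,O=Example', 'jsmith,OU=Admins'))
    print(compare_unsafe('CN=[search]', '*)(uid=*'))
```

The naive substitution of `*)(uid=*` yields `CN=*)(uid=*`, a filter that can match every user in the Base DN; the escaped form `CN=\2a\29\28uid=\2a` matches only an entry whose CN literally contains those characters.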
Attribute Mapping Settings
Map Fullname
The LDAP attribute that stores the full name of your users. For most systems this is fullName (the default); for Active Directory it is usually displayName.
Map Email
The LDAP attribute that stores the email address of your users.
Map User ID
The LDAP attribute that stores the login name (user ID) of your users. For most systems this is uid (the default); for Active Directory it is sAMAccountName.
Map Password
The LDAP attribute that stores the password of your users.
Map User Blocked
The LDAP attribute that marks a user as blocked. It should hold an LDAP boolean value (TRUE or FALSE).
Map Group Name
The LDAP attribute that lists the groups a user belongs to. It is used by the group mapping system. For Active Directory this is "memberOf"; for Novell eDirectory it is "groupMembership".
User Creation and Synchronisation Settings
Not all settings in this section apply to all plugins; the table below shows which settings each plugin uses (SSO covers both LDAP SSO and HTTP SSO):
Setting Name | Joomla LDAP | SSI | SSO | Sync | Adv Sync
---|---|---|---|---|---
Autocreate Users | x | x | x | |
Autocreate Front End | x | x | x | |
Demote User | x | | | x |
Force LDAP | x | x | | |
CB Confirm | x | x | x | |
Obscure PW | x | x | | |
Synchronisation Event | x | | | x | x
Autocreate Users
Automatically create a Joomla! user when that is possible (e.g. the user is recognised by LDAP but does not yet exist in Joomla!).
Note: In J!1.5 this is stored in the "User - Joomla!" plugin parameter settings.
Auto Create Public Frontend
Create a user even if the group they map to is only 'Public Frontend'. By default Public Frontend is the lowest group, so unmatched users are mapped to it; disable this option if you want to restrict autocreation to users whose LDAP groups map to particular groups.
Demote Users
Move existing users down to the group their group mapping (or the default group) now gives them, when that differs from the group they currently hold.
Force LDAP
The user's Joomla! password is reset whenever the LDAP bind fails. This ensures that a password changed in LDAP must be used, and that an old synchronised copy of the previous password cannot be used to log in.
CB Confirm
Attempt to confirm automatically created users in Community Builder (CB).
Obscure Password
Set the user's Joomla! password to a random value after they have successfully authenticated against LDAP, so that the Joomla! database never holds a copy of the real LDAP password and the local password cannot be used to bypass LDAP.
Synchronisation Event
Determines when synchronisation is attempted: either on every page load once the user has logged in, or only at login.
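The following is an added example, not JAuthTools code, showing what Force LDAP and Obscure Password change in a login routine: without them, a password that was synchronised into the local table keeps working after it has been changed in LDAP. The directory stand-in, the local hashing scheme (PBKDF2) and the user-table layout are assumptions for this example; Joomla!'s own storage format is not reproduced.

```python
# Added example (not JAuthTools code): a minimal login routine showing what
# Force LDAP and Obscure Password change. The directory stand-in, the local
# hashing scheme (PBKDF2) and the user table layout are assumptions for
# this example; Joomla!'s own storage format is not reproduced here.
import hashlib
import hmac
import secrets


class FakeDirectory:
    """Constructed stand-in for an LDAP bind; passwords are kept in a dict."""

    def __init__(self, passwords):
        self._passwords = dict(passwords)

    def bind(self, username, password):
        return self._passwords.get(username) == password

    def set_password(self, username, password):   # simulates a change made in LDAP
        self._passwords[username] = password


def hash_password(password, salt_hex=None):
    """Salted PBKDF2-SHA256 stored as 'digest:salt' (assumed local scheme)."""
    salt_hex = salt_hex or secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac('sha256', password.encode(), bytes.fromhex(salt_hex), 50_000)
    return digest.hex() + ':' + salt_hex


def verify_local(password, stored):
    digest, salt_hex = stored.split(':')
    return hmac.compare_digest(hash_password(password, salt_hex), stored)


def random_password():
    return secrets.token_urlsafe(32)


def ldap_login(users, directory, username, password,
               force_ldap=True, obscure_password=True, autocreate=True):
    """Authenticate against the directory first; return (ok, source).

    users: constructed local table {username: {'password': stored_hash}}.
    """
    record = users.get(username)
    if directory.bind(username, password):
        if record is None:
            if not autocreate:
                return False, 'not-in-joomla'
            # Without Obscure Password the local copy is a hash of the real LDAP password.
            record = users[username] = {'password': hash_password(password)}
        if obscure_password:
            record['password'] = hash_password(random_password())
        return True, 'ldap'
    if record is None:
        return False, 'unknown-user'
    if force_ldap:
        # Bind failed: discard the stale synchronised password so it cannot be reused.
        record['password'] = hash_password(random_password())
        return False, 'ldap-bind-failed'
    # Fallback to the locally stored password: the path the two options exist to close.
    return verify_local(password, record['password']), 'local'


def stale_password_scenario(force_ldap, obscure_password):
    """User logs in, changes the LDAP password, then retries with the OLD one.
    Returns True if the old password still works (the weakness)."""
    directory = FakeDirectory({'jsmith': 'Winter2008'})
    users = {}
    ok, _ = ldap_login(users, directory, 'jsmith', 'Winter2008', force_ldap, obscure_password)
    if not ok:
        raise RuntimeError('first login should succeed')
    directory.set_password('jsmith', 'Spring2008')
    ok, _ = ldap_login(users, directory, 'jsmith', 'Winter2008', force_ldap, obscure_password)
    return ok


if __name__ == '__main__':
    for force, obscure in ((False, False), (True, False), (False, True)):
        print('force_ldap=%s obscure=%s old password works: %s'
              % (force, obscure, stale_password_scenario(force, obscure)))
```

Only the first combination (both options off) lets the old password in, through the local fallback. Either option alone closes that path; Force LDAP does so by resetting the local password on a failed bind, Obscure Password by never storing the real one.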
Group Assignment Settings
Default Group
The group in which autocreated users are placed. It is restricted to front-end groups for security reasons, so LDAP autocreation can never produce a back-end (administrator) user.
Group Map
Group Mapping maps LDAP groups onto Joomla!'s group system. The autocreate system uses it to place new users; users with no matching entry are created in the default group.
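The following is an added example, not JAuthTools code, that ties together the Map Group Name, Map User Blocked, Default Group, Auto Create Public Frontend and Demote Users settings described above: it resolves a Joomla! group from a user's LDAP group attribute and decides whether to create, promote or demote the user. The Joomla! group names are the real 1.0/1.5 ones; the group-map format (LDAP group DN to Joomla! group), the group ranking, the function names and the sample entry (including its blocked attribute) are assumptions made for the example.

```python
# Added example (not JAuthTools code): resolve a user's Joomla! group from
# the LDAP attribute named by Map Group Name, then apply Default Group,
# Auto Create Public Frontend and Demote Users. The group-map format,
# ranking, function names and sample entry are assumptions for this example.

# Lowest to highest. Back-end groups may never be used as the Default Group.
FRONTEND_GROUPS = ['Public Frontend', 'Registered', 'Author', 'Editor', 'Publisher']
BACKEND_GROUPS = ['Public Backend', 'Manager', 'Administrator', 'Super Administrator']
RANK = {name: i for i, name in enumerate(FRONTEND_GROUPS + BACKEND_GROUPS)}


def validate_default_group(name):
    """Reject a Default Group that would let LDAP autocreate back-end users."""
    if name not in FRONTEND_GROUPS:
        raise ValueError('Default Group must be a front-end group, got %r' % name)
    return name


def _values(entry, attr):
    """LDAP attributes are multi-valued; accept str or list, match attr case-insensitively."""
    for key, value in entry.items():
        if key.lower() == attr.lower():
            return value if isinstance(value, list) else [value]
    return []


def map_group(entry, group_attr, group_map, default_group):
    """Return (joomla_group, matched). With several matches the highest wins."""
    validate_default_group(default_group)
    normalized = {dn.lower(): grp for dn, grp in group_map.items()}  # DNs compare case-insensitively
    best = None
    for dn in _values(entry, group_attr):
        joomla_group = normalized.get(dn.lower())
        if joomla_group and (best is None or RANK[joomla_group] > RANK[best]):
            best = joomla_group
    return (best, True) if best else (default_group, False)


def should_autocreate(joomla_group, autocreate_public_frontend):
    """Auto Create Public Frontend off: only users mapped above Public Frontend get created."""
    return autocreate_public_frontend or joomla_group != 'Public Frontend'


def synchronise_group(current_group, mapped_group, demote_users):
    """Promote always; demote only when Demote Users is enabled."""
    if RANK[mapped_group] > RANK[current_group]:
        return mapped_group
    if RANK[mapped_group] < RANK[current_group] and demote_users:
        return mapped_group
    return current_group


def is_blocked(entry, blocked_attr):
    """Map User Blocked: LDAP booleans arrive as the strings 'TRUE' / 'FALSE'."""
    values = _values(entry, blocked_attr)
    return bool(values) and str(values[0]).upper() == 'TRUE'


# Constructed Active Directory-style entry: memberOf holds group DNs. The
# 'accountLocked' boolean is invented for the example, not a real AD attribute.
SAMPLE_ENTRY = {
    'sAMAccountName': 'jsmith',
    'displayName': 'John Smith',
    'memberOf': ['CN=Web Editors,OU=Groups,DC=example,DC=com',
                 'CN=Staff,OU=Groups,DC=example,DC=com'],
    'accountLocked': 'FALSE',
}
SAMPLE_GROUP_MAP = {
    'cn=web editors,ou=groups,dc=example,dc=com': 'Editor',
    'CN=Staff,OU=Groups,DC=example,DC=com': 'Registered',
}

if __name__ == '__main__':
    group, matched = map_group(SAMPLE_ENTRY, 'memberOf', SAMPLE_GROUP_MAP, 'Registered')
    print(group, matched, should_autocreate(group, False), is_blocked(SAMPLE_ENTRY, 'accountLocked'))
    print(synchronise_group('Publisher', group, demote_users=True))
```

For an eDirectory server the same code is used with 'groupMembership' as the attribute name; only the map keys change.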
Internationalisation Support
Use iconv
iconv is needed to convert some fields into the UTF-8 that is stored in the database. The PHP iconv extension must be installed (check System -> System Info -> PHP Info) or this setting will produce an error.
Original Encoding
This is the encoding used in your LDAP directory.
Target Encoding
This is the encoding used in your database server (e.g. MySQL, typically UTF-8)
SSO IP Black Listing
IP Blacklist
A comma-separated list of IP addresses to blacklist when performing SSO. Requests from blacklisted IPs are not given SSO.
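The following is an added example, not JAuthTools code: it parses a comma-separated IP Blacklist value and decides whether a request may attempt SSO. It also accepts CIDR ranges, which goes beyond the plain addresses the setting describes; the function names and the constructed setting value are assumptions made for the example.

```python
# Added example (not JAuthTools code): parse the comma-separated IP
# Blacklist setting and decide whether a request may attempt SSO. CIDR
# ranges are accepted as an extension of the plain-address list; function
# names and the sample setting are assumptions for this example.
import ipaddress


def parse_ip_blacklist(setting):
    """Return (networks, rejected). Entries are trimmed; plain addresses become
    single-host networks; unparsable entries are reported, not dropped silently."""
    networks, rejected = [], []
    for raw in setting.split(','):
        item = raw.strip()
        if not item:
            continue
        try:
            networks.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            rejected.append(item)
    return networks, rejected


def sso_allowed(remote_addr, networks):
    """True if SSO may be attempted for this client address.

    Compare against the socket peer address (REMOTE_ADDR), not a client-
    supplied header such as X-Forwarded-For, unless a trusted proxy sets it:
    the blacklist is only as strong as the address it is checked against.
    An unparsable address fails closed.
    """
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return not any(addr in net for net in networks)


# Constructed setting value with sloppy spacing, a range and a typo entry.
SAMPLE_SETTING = '192.0.2.10, 198.51.100.0/24 ,2001:db8::1, not-an-ip'

if __name__ == '__main__':
    nets, bad = parse_ip_blacklist(SAMPLE_SETTING)
    print('rejected entries:', bad)
    for ip in ('192.0.2.10', '192.0.2.11', '198.51.100.77', '2001:db8::1', 'garbage'):
        print(ip, 'SSO allowed' if sso_allowed(ip, nets) else 'SSO skipped')
```

Reporting the rejected entries matters: a mistyped address in the list silently leaves that client eligible for SSO, which is the opposite of what the administrator intended.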
Advanced Synchronisation
External Table
The name of the external table to synchronise with. This table needs a foreign key linking back to the #__users table and must exist in the same database as Joomla!.
User ID Field
The name of the user ID field in the external table that links back to the #__users table.
Primary Key Field
The name of the primary key field in the table. This is optional if it is the same as the user ID field.
Sync Map
This is a sync map which maps fields from the table to LDAP.