LDAP Tools/Microsoft Active Directory
From Authentication Tools for Joomla! (JAuthTools)
Revision as of 11:54, 14 November 2007
Microsoft Active Directory (MS AD), introduced in 2000, provides much-needed built-in directory support to the Microsoft Windows operating systems, replacing the previous Windows Domain system. Active Directory offers a more comprehensive platform than the previous model and allows native LDAP interaction with its data set.
For more information, please visit Wikipedia's Active Directory article.
Quickstart for Active Directory
Notes
MS AD uses the user's common name, typically their full name (e.g. "Samuel Moffatt"), as their DN. With the default authentication method (bind as user) and the default settings, this means that a user name is their full name or display name. This is usually undesirable, as it makes their Windows login different from their Joomla login. I have prepared two sets of examples: the first is as close to the defaults as possible, the second allows their Windows username to be used.
By default MS AD appears to be case sensitive, and it requires a valid login before it will allow LDAP searches. This means that anonymous connections will fail, so a user account for Joomla! has to be created in order to connect; AD can, however, be configured to allow anonymous lookups. Please keep this in mind when deploying solutions on this platform.
In these examples you will note that the Base DN is set to the same value as the Users DN. This is done because on my AD setup (Server 2003) there is a server called 'TAPI3Directory' which points back to my AD server but doesn't accept any connections. This can cause an LDAP search to fail and, as a consequence, the login will also fail.
An Exim mailing list post mentions the following useful piece of information:
When using exim to do LDAP queries against an active directory based system, if you have more than a single domain, you should query against the GC (Global Catalog). This is an LDAP server running on port 3268 of your Domain Controllers.
Default Settings
These are settings for the default connection.
useglobal=0
host=ad.joomla.org
port=389
use_ldapV3=1
negotiate_tls=0
no_referrals=1
autocreate=1
autocreateregistered=1
forceldap=0
base_dn=CN=Users,DC=ad,DC=joomla,DC=org
search_string=CN=[search]
auth_method=bind
username=
password=
users_dn=CN=[username],CN=Users,DC=ad,DC=joomla,DC=org
ldap_fullname=displayName
ldap_email=mail
ldap_uid=sAMAccountName
ldap_password=userPassword
groupMap=
Proper Username Settings
The only difference between this set and the previous set is that the authentication method (auth_method) is now 'search' and the search string matches on sAMAccountName, so the service account named in username/password performs the lookup and the user's Windows login name is accepted.
useglobal=0
host=ad.joomla.org
port=389
use_ldapV3=1
negotiate_tls=0
no_referrals=1
autocreate=1
autocreateregistered=1
forceldap=0
base_dn=CN=Users,DC=ad,DC=joomla,DC=org
search_string=sAMAccountName=[search]
auth_method=search
username=Joomla Auth User
password=password
users_dn=CN=[username],CN=Users,DC=ad,DC=joomla,DC=org
ldap_fullname=displayName
ldap_email=mail
ldap_uid=sAMAccountName
ldap_password=userPassword
groupMap=
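To make the difference between the two setting sets concrete, here is an added example (my own illustration, not JAuthTools code) that runs both flows against a small in-memory stand-in for the AD server: the 'bind' flow substitutes the login name into users_dn and binds as that DN, while the 'search' flow binds as the service account, looks the user up with search_string under base_dn, and then binds as the DN it found. The stand-in mirrors the behaviour noted above (searches are refused until a successful bind). The directory entries, the service account DN and passwords are constructed for the example, and the RFC 4514/4515 escaping of the [username] and [search] substitutions is an assumption about what a careful client should do, not a statement about what the plugin does.

```python
"""Added example (not JAuthTools code): the 'bind' and 'search' authentication
flows from the two setting sets, run against an in-memory stand-in for AD."""
import re


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter. Special
    characters become \\XX hex escapes, so the value is only ever compared as
    a literal and can never alter the filter itself."""
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch for ch in value)


def escape_dn_value(value):
    """RFC 4514 escaping for a value substituted into a DN template (users_dn)."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


class FakeDirectory:
    """Stand-in for the AD LDAP server (constructed for this example).
    entries: DN -> (password, attributes). Like AD by default, it refuses
    searches until a successful bind; only equality filters are supported."""

    def __init__(self, entries):
        self.entries = entries
        self.bound_as = None

    def bind(self, dn, password):
        # An empty password is refused up front: LDAP servers treat a DN with an
        # empty password as an anonymous bind (RFC 4513 5.1.2), which would let
        # any username "log in" with no credential check at all.
        entry = self.entries.get(dn)
        ok = bool(password) and entry is not None and entry[0] == password
        self.bound_as = dn if ok else None
        return ok

    def search(self, base_dn, filter_str):
        if self.bound_as is None:
            raise PermissionError('AD refuses searches on an unauthenticated connection')
        m = re.fullmatch(r'\(?([A-Za-z0-9-]+)=(.*?)\)?', filter_str)
        if not m:
            raise ValueError('unsupported filter: ' + filter_str)
        attr, raw = m.group(1).lower(), m.group(2)
        # undo the RFC 4515 hex escapes so comparison is on the literal value
        wanted = re.sub(r'\\([0-9a-fA-F]{2})', lambda h: chr(int(h.group(1), 16)), raw)
        return [(dn, attrs) for dn, (_pw, attrs) in self.entries.items()
                if dn.endswith(base_dn)
                and {k.lower(): v for k, v in attrs.items()}.get(attr) == wanted]


# Constructed sample directory: one ordinary user and the Joomla service account.
def make_directory():
    return FakeDirectory({
        'CN=Samuel Moffatt,CN=Users,DC=ad,DC=joomla,DC=org': ('sam-pw', {
            'cn': 'Samuel Moffatt', 'sAMAccountName': 'smoffatt',
            'displayName': 'Samuel Moffatt', 'mail': 'smoffatt@example.com'}),
        'CN=Joomla Auth User,CN=Users,DC=ad,DC=joomla,DC=org': ('service-secret', {
            'cn': 'Joomla Auth User', 'sAMAccountName': 'joomlaauth',
            'displayName': 'Joomla Auth User', 'mail': 'joomla@example.com'}),
    })


# Settings modelled on the two blocks above (only the keys this example uses).
BIND_SETTINGS = {
    'auth_method': 'bind',
    'base_dn': 'CN=Users,DC=ad,DC=joomla,DC=org',
    'users_dn': 'CN=[username],CN=Users,DC=ad,DC=joomla,DC=org',
    'search_string': 'CN=[search]',
    'ldap_uid': 'sAMAccountName', 'ldap_fullname': 'displayName', 'ldap_email': 'mail',
}
SEARCH_SETTINGS = dict(BIND_SETTINGS, auth_method='search',
                       search_string='sAMAccountName=[search]',
                       # assumed: the service account is given as a full DN
                       username='CN=Joomla Auth User,CN=Users,DC=ad,DC=joomla,DC=org',
                       password='service-secret')


def authenticate(settings, directory, username, password):
    """Return the mapped Joomla user fields on success, None on failure."""
    if not username or not password:
        return None
    filt = settings['search_string'].replace('[search]', escape_filter_value(username))
    if settings['auth_method'] == 'bind':
        # bind as the user built from the users_dn template, then read attributes
        user_dn = settings['users_dn'].replace('[username]', escape_dn_value(username))
        if not directory.bind(user_dn, password):
            return None
        hits = directory.search(settings['base_dn'], filt)
    else:
        # bind as the service account, find the user's DN, then bind as that DN
        if not directory.bind(settings['username'], settings['password']):
            return None
        hits = directory.search(settings['base_dn'], filt)
        if len(hits) != 1 or not directory.bind(hits[0][0], password):
            return None
        user_dn = hits[0][0]
    if len(hits) != 1:
        return None
    attrs = hits[0][1]
    return {'dn': user_dn, 'username': attrs.get(settings['ldap_uid']),
            'name': attrs.get(settings['ldap_fullname']), 'email': attrs.get(settings['ldap_email'])}


if __name__ == '__main__':
    print(authenticate(BIND_SETTINGS, make_directory(), 'Samuel Moffatt', 'sam-pw'))
    print(authenticate(BIND_SETTINGS, make_directory(), 'smoffatt', 'sam-pw'))  # None: CN != login name
    print(authenticate(SEARCH_SETTINGS, make_directory(), 'smoffatt', 'sam-pw'))
```

With the 'bind' settings only the full common name logs in, which is the mismatch the Notes describe; with the 'search' settings the sAMAccountName works, at the cost of keeping a service-account credential in the configuration, so that account needs nothing beyond read access to the users container. A real deployment would also set negotiate_tls=1 (or an LDAPS port) so that neither the service-account bind nor the user's simple bind sends a password in clear.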