LDAP Tools/OpenLDAP HowTo

From Authentication Tools for Joomla! (JAuthTools)

Revision as of 12:38, 2 June 2007 by Pasamio (Talk | contribs)

Note: This article is incomplete, and is perhaps still being written. Check back later for more information.

This is a step-by-step how-to on getting OpenLDAP installed and running as an authentication source for Joomla!.

OpenLDAP is a free, open source implementation of the Lightweight Directory Access Protocol (LDAP) and is packaged by most Linux distributions. In this case we'll be using the Debian Etch distribution to install and configure OpenLDAP. Apologies for anything that might be specific to Debian.

Note: Mac OS X requires a lot of extra steps; if you are compiling from source you will most likely have to complete similar, if not the same, tasks. Keep in mind that if you compile from source, the location of your configuration directory is up to you.

Platform Installation Notes:

  • Debian - Configuration directory at /etc/ldap
  • Mac OS X - Configuration directory at /sw/etc/openldap


Once you've got slapd installed the configuration fun begins. In the configuration directory, open the slapd.conf file; you will need to be root to do this. By default it will contain a few lines like these:

Debian:

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema

Mac OS X: (Note: You will need to alter your slapd.conf file to add the cosine and inetorgperson entries)

include         /sw/etc/openldap/schema/core.schema
include         /sw/etc/openldap/schema/cosine.schema
include         /sw/etc/openldap/schema/inetorgperson.schema



Progressing through the file we see some settings; what we're looking for is rootdn and suffix:

suffix                "dc=joomla,dc=org"
rootdn                "cn=admin,dc=joomla,dc=org"

Mac OS X will have them together. If you used Debian, some preconfiguration will have occurred already, based on the domain name you gave the installer.

Your suffix is what's often called the Base DN: it's where your LDAP tree starts. Your root DN is the LDAP super user; access controls do not apply to it. Finally there will also be a rootpw entry, which in the case of Mac OS X defaults to secret. Debian asks for this password during install. You should change it, and rather than writing the new password in the clear, put a hash generated with slappasswd (for example slappasswd -h '{SSHA}' -s yourpassword) into rootpw and keep slapd.conf readable only by root and the user slapd runs as.
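The hash is simple enough to produce and check with openssl alone. The following script is added here as an example and is not taken from the JAuthTools page or from OpenLDAP; it builds an {SSHA} value the same way slappasswd does (SHA-1 over password and salt, base64 of digest plus salt) and verifies a password against an existing hash. The password "secret" and the salt strings are placeholders, and the function names are mine.

```sh
#!/bin/sh
# Added example: produce and check an OpenLDAP {SSHA} password hash with
# openssl, so rootpw in slapd.conf never holds the cleartext password.
# With the OpenLDAP tools installed, `slappasswd -h '{SSHA}' -s PASSWORD`
# produces the same kind of value.
set -eu

# ssha_hash PASSWORD [SALT]
# {SSHA} is "{SSHA}" followed by base64( sha1(password || salt) || salt ).
# SALT must be a printable string here (shell variables cannot hold NUL);
# slappasswd uses 4 random bytes, we use 4 random bytes rendered as hex.
ssha_hash() {
  pw=$1
  salt=${2:-$(openssl rand -hex 4)}
  b64=$( { printf '%s%s' "$pw" "$salt" | openssl dgst -sha1 -binary;
           printf '%s' "$salt"; } | openssl enc -base64 -A )
  printf '{SSHA}%s\n' "$b64"
}

# ssha_verify HASH PASSWORD: exit 0 if PASSWORD matches HASH, 1 otherwise.
# Works for any salt length, so it also checks values made by slappasswd.
ssha_verify() {
  hash=$1
  pw=$2
  case "$hash" in '{SSHA}'*) ;; *) return 1 ;; esac
  tmp=$(mktemp)
  # strip the scheme prefix and decode: first 20 bytes digest, rest salt
  printf '%s\n' "$hash" | sed 's/^{SSHA}//' | openssl enc -base64 -d > "$tmp"
  stored=$(head -c 20 "$tmp" | od -An -tx1 | tr -d ' \n')
  computed=$( { printf '%s' "$pw"; tail -c +21 "$tmp"; } \
              | openssl dgst -sha1 -binary | od -An -tx1 | tr -d ' \n')
  rm -f "$tmp"
  [ "$stored" = "$computed" ]
}

# rootpw_line PASSWORD: the line to paste into slapd.conf
rootpw_line() {
  printf 'rootpw          %s\n' "$(ssha_hash "$1")"
}

# Stand-alone use: sh ssha.sh [password]  (defaults to the placeholder "secret")
rootpw_line "${1:-secret}"
```

Paste the printed line into slapd.conf in place of the cleartext rootpw. Because the salt is random, two runs give different hashes for the same password, which is why checking an existing value goes through ssha_verify rather than by comparing strings.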


Now that we have our base setup fixed we can consider connecting to our LDAP server.

Again, Debian has already configured and started the server (which is very kind of it), but we get no such luck with Mac OS X. We're going to need to create a base entry for the LDAP server; here's a sample:

dn: dc=joomla,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
dc: joomla
o: joomla

Save this to a file (in this case we called it 'base.ldif') and run the following command. -x selects a simple bind, -D binds as the rootdn from slapd.conf and -W prompts for rootpw:

ldapadd -x -W -D 'cn=admin,dc=joomla,dc=org' -f base.ldif

A simple bind sends rootpw in the clear, so on anything other than the local machine use ldaps://, StartTLS (-ZZ) or the local ldapi:/// socket (-H ldapi:///).

Additionally you're going to want to define the admin/manager style account, and here's an LDIF file for it (called userbase.ldif). Note that slapd authenticates the rootdn from rootpw in slapd.conf whether or not this entry exists; adding it keeps the tree consistent for browsing tools:

dn: cn=admin,dc=joomla,dc=org
objectclass: organizationalRole
cn: admin

Again, we use a similar command as above to add it (with userbase.ldif in place of base.ldif).
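The whole sequence, from deriving the base DN to checking that the root entry was loaded, as an added shell example that is not part of the original page. It assumes the domain joomla.org (so the same suffix and rootdn as above) and the ldapadd/ldapsearch tools from the OpenLDAP client package; the helper names are mine.

```sh
#!/bin/sh
# Added example: build the two LDIF files from this how-to for an arbitrary
# DNS domain, load them with ldapadd and read the root entry back.
set -eu

# domain_to_basedn joomla.org -> dc=joomla,dc=org
domain_to_basedn() {
  printf '%s\n' "$1" | awk -F. '{
    for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
    printf "\n"
  }'
}

# first_label joomla.org -> joomla (the dc attribute of the root entry)
first_label() {
  printf '%s\n' "$1" | cut -d. -f1
}

# write_base_ldif DOMAIN FILE: the root of the tree (base.ldif above)
write_base_ldif() {
  base=$(domain_to_basedn "$1")
  label=$(first_label "$1")
  cat > "$2" <<EOF
dn: $base
objectClass: top
objectClass: dcObject
objectClass: organization
dc: $label
o: $label
EOF
}

# write_admin_ldif DOMAIN FILE: the entry matching rootdn (userbase.ldif above)
write_admin_ldif() {
  base=$(domain_to_basedn "$1")
  cat > "$2" <<EOF
dn: cn=admin,$base
objectClass: organizationalRole
cn: admin
EOF
}

# load_ldif DOMAIN FILE: simple bind as the rootdn (-W prompts for rootpw)
load_ldif() {
  ldapadd -x -W -D "cn=admin,$(domain_to_basedn "$1")" -f "$2"
}

# check_base DOMAIN: search the root entry itself; no output means the add failed
check_base() {
  ldapsearch -x -LLL -b "$(domain_to_basedn "$1")" -s base '(objectClass=dcObject)' dn
}

# sh setup.sh [domain] writes the files; add --load to push them to the server.
domain=${1:-joomla.org}
write_base_ldif "$domain" base.ldif
write_admin_ldif "$domain" userbase.ldif
printf 'wrote base.ldif and userbase.ldif for %s\n' "$(domain_to_basedn "$domain")"
if [ "${2:-}" = "--load" ]; then
  load_ldif "$domain" base.ldif
  load_ldif "$domain" userbase.ldif
  check_base "$domain"
fi
```

The check at the end is the one worth keeping: a base-scope search for the suffix entry returns exactly one dn when the tree exists, and nothing at all when ldapadd failed or pointed at the wrong suffix, which is the usual cause of "No such object" errors when phpLDAPAdmin or Joomla! first connects.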

Before we get too far into things, it might be a good time to add the Joomla LDAP schema into your server setup.

So now we have some entries, even some special Joomla! schema, but the command-line interface isn't the most user friendly. Since we're doing all of this with the eventual goal of getting LDAP auth into Joomla!, we might as well use a web-based admin tool as well. The one I suggest is phpLDAPAdmin, because it works so well.

On Debian this package is available via APT, but the Mac OS X setup is a bit more complicated. phpLDAPAdmin requires a few things, including gettext. The easiest way I've found to satisfy its dependencies is to install the entropy PHP package and use it instead of the system-provided PHP. Instructions for installing entropy are available on their site, and configuring phpLDAPAdmin is also documented. For my Mac, I just extracted it to somewhere in my Sites folder and configured it from there.

Additionally, I use LDAP Browser/Editor to do investigative queries against other systems (normally eDirectory/Active Directory). Its adding/editing interface is limited, but for the most basic operations it's quite a valuable tool.

So hopefully at this point you have phpLDAPAdmin set up and its pointing to your newly configured server waiting for you to login.
