LDAP Authentication

From Joomla! Documentation

LDAP Authentication in 1.7

The LDAP Authentication plug-in is disabled by default because it must be configured before it is enabled. To configure it, open the Plug-in Manager and search for "Authentication - LDAP".

Configuration

The options should look similar to this:

Host: localhost
Port: 389
LDAP V3: No
Negotiate TLS: No
Follow Referrals: No
Authorisation Method: Bind and Search
Base DN:
Search String:
User's DN:
Connect Username:
Connect Password:
Map: Full Name: fullName
Map: email: mail
Map: UserID: uid

Assuming the server is set up correctly and listens on the standard port, the only settings that need to change for the Bind and Search method are:

  • Host
  • LDAP V3
  • Base DN
  • Search String

What these entries mean

Host
  Meaning: Host name of the LDAP server. If the server only accepts LDAP over TLS, give the host as an ldaps:// URI (see Errors below).
  Examples: localhost, openldap.mycompany.org, ldaps://ldap.company.org

Port
  Meaning: TCP port to connect to on the host. 389 is the standard port for plain LDAP and for StartTLS; LDAPS servers conventionally listen on 636.
  Examples: 389

LDAP V3
  Meaning: Whether the server speaks LDAP version 3. Most current servers do, and StartTLS is a version 3 operation.
  Examples: No, Yes

Negotiate TLS
  Meaning: Negotiate StartTLS on the connection, after which all traffic is encrypted. With No and a plain ldap:// host, every bind, including the user's password and the Connect Password, crosses the network in clear text. Do not combine it with an ldaps:// host, which is already encrypted.
  Examples: No, Yes

Follow Referrals
  Meaning: Sets the value of LDAP_OPT_REFERRALS (set to No for Windows 2003 servers).
  Examples: No, Yes

Authorisation Method
  Meaning: How the plug-in authenticates against the server. Bind and Search first looks the user up (anonymously, or as the Connect Username) and then binds as the DN it found; Bind Directly as User builds the DN from the User's DN template and binds as it straight away.
  Examples: Bind and Search, Bind Directly as User

Base DN
  Meaning: The distinguished name of the subtree that user entries live under; a Bind and Search lookup starts from here.
  Examples: dc=company,dc=com; o=company.com; c=us,o=company.com

Search String
  Meaning: Only used with Bind and Search. An LDAP filter used to find the user's entry, where [search] is replaced directly by the text typed into the login field. Because that text lands inside a filter, the characters *, (, ) and \ have meaning there; confirm that the plug-in version you run escapes them (RFC 4515), and expect the search to return exactly one entry.
  Examples: uid=[search]

User's DN
  Meaning: Only used with Bind Directly as User. The DN to bind as, where [username] is replaced directly by the text typed into the login field. The same escaping concern applies, under the DN rules of RFC 4514.
  Examples: uid=[username],dc=company,dc=com

Connect Username
  Meaning: Only used if the lookup is not anonymous. The account (usually its full DN) that the plug-in binds as in order to search for users. Use a dedicated read-only account that can see the user subtree rather than a directory administrator: the password is stored in the Joomla database, where anyone with database or administrator access can read it.
  Examples: admin

Connect Password
  Meaning: Only used if the lookup is not anonymous. Password of the Connect Username account.
  Examples: password

Map: Full Name
  Meaning: LDAP attribute which holds the user's full name.
  Examples: fullName, givenName, name

Map: email
  Meaning: LDAP attribute which holds the user's email address.
  Examples: mail

Map: User ID
  Meaning: LDAP attribute which holds the user's ID.
  Examples: uid

Example Configuration

On an Ubuntu server accessing an external LDAP V3 server over LDAPS, using the "Bind and Search" method with anonymous lookups enabled:

Host: ldaps://ldap.us.site
Port: 389
LDAP V3: Yes
Negotiate TLS: No
Follow Referrals: No
Authorisation Method: Bind and Search
Base DN: dc=site
Search String: uid=[search]
User's DN:
Connect Username:
Connect Password:
Map: Full Name: fullName
Map: email: mail
Map: UserID: uid

Note that LDAPS servers conventionally listen on 636, so the 389 above should be checked against the port your server actually uses. Negotiate TLS stays at No here because an ldaps:// connection is already encrypted; StartTLS on top of it would fail.
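To make the two Authorisation Methods and the [search]/[username] substitution concrete, here is an added Python model (not the plug-in's own code) that runs the Example Configuration above against a small in-memory fake directory constructed for the purpose. The User's DN template uid=[username],ou=people,dc=site, the ou=people branch and the two sample users are assumptions. The escaping functions follow RFC 4515 (filter values) and RFC 4514 (DN values), which is what "directly replaced" login text needs before it is substituted; the page does not say whether the plug-in applies this escaping, so treat them as the check to run against your version rather than as a description of it.

```python
"""Model of the Joomla LDAP plug-in's two authorisation methods against a
fake in-memory directory (added example, not the plug-in's own code)."""
import re
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

# Settings taken from the page's Example Configuration (Bind and Search,
# anonymous lookup).  USERS_DN and the ou=people branch are assumptions.
BASE_DN = "dc=site"
SEARCH_STRING = "uid=[search]"
USERS_DN = "uid=[username],ou=people,dc=site"
ATTR_MAP = {"fullname": "fullName", "email": "mail", "userid": "uid"}

# Constructed sample directory.  Passwords are plain strings only because this
# stands in for a server; a real directory stores hashed userPassword values.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "uid=alice,ou=people,dc=site": {"uid": "alice", "mail": "alice@site",
                                    "fullName": "Alice Adams", "userPassword": "s3cret"},
    "uid=bob,ou=people,dc=site": {"uid": "bob", "mail": "bob@site",
                                  "fullName": "Bob Brown", "userPassword": "hunter2"},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515: a value inside a search filter may not contain raw \\ * ( ) NUL."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514: escape the characters that are special inside a DN component."""
    value = re.sub(r'([\\,+"<>;=])', r"\\\1", value)
    if value.startswith(("#", " ")):
        value = "\\" + value
    if value.endswith(" "):
        value = value[:-1] + "\\ "
    return value


def expand_search_string(login: str) -> str:
    """Bind and Search: [search] replaced by the escaped login text."""
    return SEARCH_STRING.replace("[search]", escape_filter_value(login))


def expand_users_dn(login: str) -> str:
    """Bind Directly as User: [username] replaced by the escaped login text."""
    return USERS_DN.replace("[username]", escape_dn_value(login))


def fake_search(base_dn: str, ldap_filter: str) -> List[str]:
    """Subtree-search stand-in: understands one `attr=value` filter, where a raw
    `*` is a wildcard and an RFC 4515 hex escape such as \\2a is a literal."""
    attr, _, pattern = ldap_filter.strip("()").partition("=")
    pattern = re.sub(r"\\([0-9a-fA-F]{2})",
                     lambda m: "[" + chr(int(m.group(1), 16)) + "]", pattern)
    return [dn for dn, entry in DIRECTORY.items()
            if dn.endswith(base_dn) and fnmatchcase(entry.get(attr, ""), pattern)]


def fake_bind(dn: str, password: str) -> bool:
    """Simple-bind stand-in.  An empty password must be refused here: on a real
    server it is an unauthenticated bind (RFC 4513) and 'succeeds' as anonymous."""
    entry = DIRECTORY.get(dn)
    return bool(password) and entry is not None and entry["userPassword"] == password


def _profile(dn: str) -> Dict[str, str]:
    """Apply the Map: settings to the entry, as the plug-in does for a new user."""
    entry = DIRECTORY[dn]
    return {"dn": dn, **{k: entry.get(a, "") for k, a in ATTR_MAP.items()}}


def bind_and_search(login: str, password: str, escape: bool = True) -> Optional[Dict[str, str]]:
    """Connect Username is empty, so the lookup is anonymous; then bind as the
    single DN found.  Zero or several matches refuse the login."""
    if escape:
        ldap_filter = expand_search_string(login)
    else:  # raw substitution, kept only to demonstrate the wildcard problem
        ldap_filter = SEARCH_STRING.replace("[search]", login)
    matches = fake_search(BASE_DN, ldap_filter)
    if len(matches) != 1 or not fake_bind(matches[0], password):
        return None
    return _profile(matches[0])


def bind_directly(login: str, password: str) -> Optional[Dict[str, str]]:
    """No lookup at all: the DN comes straight from the User's DN template."""
    dn = expand_users_dn(login)
    return _profile(dn) if fake_bind(dn, password) else None


if __name__ == "__main__":
    print(bind_and_search("alice", "s3cret"))            # mapped profile
    print(bind_and_search("alice", ""))                  # None: empty password
    print(bind_and_search("*", "s3cret", escape=False))  # None: uid=* matched everyone
    print(bind_and_search("*", "s3cret"))                # None: uid=\2a matched nobody
    print(bind_directly("bob", "hunter2"))               # mapped profile
```

Running it shows the outcomes that matter when diagnosing a login problem: a correct login returns the profile built from the Map: settings; an empty password is refused even though a real server would accept it as an unauthenticated bind; a raw * in the login field turns uid=[search] into a filter that matches every user, which the exactly-one-match rule rejects; and the escaped form matches nobody, which is the behaviour you want from the plug-in.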

Errors

Because some of these are not documented anywhere else on the web, this seems like the best place to keep track of common, or uncommon but hard to diagnose, errors.

500 Error

If, after enabling this plug-in, login attempts return HTTP 500 errors, make sure the php5-ldap package is installed and the ldap extension is loaded in the PHP that serves Joomla (phpinfo() from the web server, or php -m on the command line, should list ldap). The plug-in calls the ldap_* functions and cannot run without them.

Invalid Credentials

If you cannot log in with credentials you know to be correct and the server requires "ldaps://" rather than "ldap://", the ldaps:// prefix must be included in the "Host" field. Set "Port" to the port the LDAPS listener actually uses (conventionally 636) and leave "Negotiate TLS" at No, since the connection is already encrypted.