LDAP Authentication

From Joomla! Documentation

LDAP Authentication in 1.7

LDAP Authentication is disabled by default because it needs to first be configured before enabled. To configure this plug-in, go to the Plug-in Manager and search for "Authentication - LDAP".

Configuration

The options should look similar to this:

Host: localhost
Port: 389
LDAP V3: No
Negotiate TLS: No
Follow Referrals: No
Authorisation Method: Bind and Search
Base DN:
Search String:
User's DN:
Connect Username:
Connect Password:
Map: Full Name: fullName
Map: email: mail
Map: UserID: uid

Assuming everything on your server is setup correctly (and the standard port is used), the only information that needs changed for a Bind and Search method is:

  • Host
  • LDAP V3
  • Base DN
  • Search String

What these entries mean

Option Name Meaning Examples
Host Host name of the LDAP server localhost openldap.mycompany.org ldaps://ldap.company.org
Port Port to connect to host 389
LDAP V3 Whether or not the LDAP server is using LDAP Version 3 or not No, Yes
Negotiate TLS Negotiate TLS encryption with the LDAP server (requires all traffic to be encrypted) No, Yes
Follow Referrals Sets the value of LDAP_OPT_REFERRALS (Set to "No" for Windows 2003 servers) No, Yes
Authorisation Method How to authorize against the LDAP server Bind and Search, Bind Directly as User
Base DN The lowest-level Distinguished Name dc=company,dc=com, o=company.com, c=us,o=company.com
Search String Only used with Bind and Search - a query string used to search for the user, where [search] is directly replaced by search text from the login field uid=[search]
User's DN Only used with Bind Directly as User - a string used to authenticate as a user, where [username] is directly replaced by the username from the login field uid=[username],dc=company,dc=com
Connect Username Only used if not an anonymous lookup - administrator username admin
Connect Password Only used if not an anonymous lookup - administrator password password
Map: Full Name LDAP Attribute which holds the user's full name fullName, givenName, name
Map: email LDAP Attribute which holds the user's email address mail
Map: User ID LDAP Attribute which holds the user's ID uid

Example Configuration

On an Ubuntu server accessing an external LDAP V3 server, using the "Bind and Search" method with anonymous lookups enabled:

Host: ldaps://ldap.us.site
Port: 389
LDAP V3: Yes
Negotiate TLS: No
Follow Referrals: No
Authorisation Method: Bind and Search
Base DN: dc=site
Search String: uid=[search]
User's DN:
Connect Username:
Connect Password:
Map: Full Name: fullName
Map: email: mail
Map: UserID: uid

Errors

Just because some these aren't documented anywhere else on the web, this seems like the best place to keep track of some common, or uncommon but hard to diagnose errors.

500 Error

If after enabling this plugin you are receiving 500 errors when attempting to login, make sure that the php5-ldap package is installed (and loaded) on the server.

Invalid Credentials

If you cannot login with credentials you know to be accurate and are using an LDAP server which requires "ldaps://" instead of "ldap://", the protocol prefix must be applied in the "Host" field.