LDAP Authentication

 

We currently have an LDAP server running on ad.6connect.com. Like RADIUS, the purpose of the LDAP server is central authentication. You supply the server with a username and a password and, if everything checks out, the server spits back a list of all groups the user belongs to.

 

 

...

Starting in 3.6, ProVision supports LDAP authentication. To use an LDAP server for authentication, you must perform the following three procedures:

  • Configure the LDAP Server
  • Configure ProVision for LDAP Authentication

Configure the LDAP Server

 

To query the LDAP server, punch this line into any server that has OpenLDAP enabled, which is almost all of them.

 

...

ldapsearch -h [IPADDRESS] -D [DOMAIN] -w [PASSWORD] [USER]

...

 

 

The "-h" flag is straightforward, indicating the IP of the server. Don't even try getting this to accept IPv6 addresses -- every site mentions a different format; none of them work.

...

 

 

The "-w" flag indicates the password.

...

 

 

...

The "-D" flag marks the descent into crazypants wackytown. This is the "domain" of the LDAP search, which I don't understand one bit, but is apparently super-important. I guess it's analogous to the database selector when querying off a MySQL server? I dunno. You should not need to modify this field.

...

 

 

 

...

And at the end you add in the User (or users, or groups, or whatever) you want to query the LDAP server on, again in that fun fun LDAP format.

...

 

 

 

...

Here is a practical example of an LDAP query:

...

 

 

 

...

ldapsearch -h 50.240.195.129 -D "cn=Mayor,ou=people,dc=6connect,dc=com" -w testpass "cn=MajorMiner"
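
The same query can be issued with an LDAP URI (`-H`, which OpenLDAP documents as the replacement for the deprecated `-h` and which takes IPv6 literals in square brackets) and a password file (`-y`), so the bind password stays out of the process list and shell history. This is an added example, not part of the original page or of ProVision; the function names, `LDAP_DRY_RUN`, `LDAP_SCHEME`, the base DN `dc=6connect,dc=com` and the availability of LDAPS on the server are assumptions.

```shell
# Added example: function and variable names are illustrative assumptions.

# ldap_uri HOST [SCHEME] [PORT]
# Prints an LDAP URI for -H. Bare IPv6 literals are wrapped in [ ].
ldap_uri() {
    host=$1
    scheme=${2:-ldaps}
    port=${3:-}
    case $host in
        \[*\]) ;;                  # already bracketed
        *:*)   host="[$host]" ;;   # bare IPv6 literal such as 2001:db8::10
    esac
    printf '%s://%s%s\n' "$scheme" "$host" "${port:+:$port}"
}

# ldap_query HOST BIND_DN PWFILE BASE_DN FILTER
# Runs ldapsearch; with LDAP_DRY_RUN set, prints the argument vector instead.
# PWFILE must hold only the password: ldapsearch -y uses the whole file,
# so write it with printf '%s' (no trailing newline).
ldap_query() {
    if [ $# -ne 5 ]; then
        echo "usage: ldap_query HOST BIND_DN PWFILE BASE_DN FILTER" >&2
        return 2
    fi
    pwfile=$3
    [ -r "$pwfile" ] || { echo "cannot read $pwfile" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld "$pwfile" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "$pwfile is accessible to group/other; chmod 600 it" >&2
        return 1
    fi
    uri=$(ldap_uri "$1" "${LDAP_SCHEME:-ldaps}")
    # -x simple bind, -D bind DN, -y password file, -b search base, then filter.
    set -- ldapsearch -x -H "$uri" -D "$2" -y "$pwfile" -b "$4" "$5"
    if [ -n "${LDAP_DRY_RUN:-}" ]; then
        printf '%s\n' "$@"
    else
        "$@"
    fi
}

# Usage with the page's values (base DN assumed):
#   printf '%s' 'PASSWORD' > ~/.ldap_pw && chmod 600 ~/.ldap_pw
#   ldap_query 50.240.195.129 "cn=Mayor,ou=people,dc=6connect,dc=com" \
#       ~/.ldap_pw "dc=6connect,dc=com" "cn=MajorMiner"
```

Set `LDAP_SCHEME=ldap` only if the server does not offer LDAPS; a simple bind over plain `ldap://` sends the password unencrypted.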

...

 

 

 

When configuring the ProVision tool, you don't have to worry about much of that.  Use the following settings on admin.php:

 

 

Configure ProVision for LDAP Authentication 

    LDAP Enable:  check

 

    LDAP Server Address:  50.240.195.129

...