...
Starting in 3.6, ProVision supports LDAP authentication (including Windows Server!). To set up an LDAP server for authentication, you must perform the following procedures:
- Configure the LDAP Server (extend the schema by adding an attribute/schema object)
- Test the LDAP Server
- Configure ProVision for LDAP Authentication
Configuring the LDAP functions on your Windows Server
...
- Select a name for the attribute (ProVision assumes that the name will be 'sixConnGroup')
- Get a valid Object Identifier (OID) from an issuing authority (http://msdn.microsoft.com/en-us/library/ms677620.aspx)
Info: Generate an Object Identifier. Microsoft has released a script that can generate an Object Identifier (OID): https://gallery.technet.microsoft.com/scriptcenter/56b78004-40d0-41cf-b95e-6e795b2e8a06
- Document the attribute syntax
- Confirm that the attribute should be single-value
- Confirm the attribute indexing behavior
- Decide if the attribute needs to be distributed to the Global Catalog
LDAP Schema - Example
attributetype ( 1.3.6.1.4.1.5023215.2.3.21 NAME 'sixConnGroup' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectclass ( 1.3.6.1.4.1.5023215.2.4.2 NAME 'sixConnectPermissionsV2' DESC '6Connect Permissions Object v2' SUP top AUXILIARY MUST ( sixConnGroup ) )
LDAP User Example
SSH into your OpenLDAP server and create a new 'ldif' file. Example:
...
The user will now be active in OpenLDAP and can be used to log in to ProVision.
Test the LDAP Server
To query the LDAP server, run the following command on any server that has the OpenLDAP client tools installed:
ldapsearch -b [BASE] -h [IPADDRESS] -D [DOMAIN] -w [PASSWORD] [USER]
Note: We have not been able to use an IPv6 address with this tool, even though multiple sources say it should work.
At the end of the command, where [USER] is specified, a user or group (written as an LDAP filter) can be used to query. The -D argument is the full DN of the account used to bind, as in the example below.
Example:
ldapsearch -b "dc=6connect,dc=com" -h 50.240.195.129 -D "cn=MayorJoeSmith,ou=people,dc=6connect,dc=com" -w testpass "cn=MajorMinerJoeSmith"
Configure ProVision for LDAP Authentication
To configure the use of LDAP authentication with ProVision, follow the steps below.
- Log in to 6connect ProVision
- Go to Admin -> General Settings -> Authentication
- Click the LDAP Enable checkbox.
- Fill in the hostname or IP address, authentication port, LDAP Security, Auth DN, and Fetch DN.
Example values in this case would be:
...
An example is below:
LDAP Server Address: 52.240.195.12
LDAP Port: 389 (the SSL/TLS port is 636)
LDAP Security: None
LDAP Auth DN: cn=%LOGIN%,ou=people,dc=6connect,dc=com
LDAP Fetch DN: cn=%LOGIN%
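As an added example (not ProVision's own code), the following Python renders the Auth DN and Fetch DN templates above for a given login and assembles the matching ldapsearch test command. It assumes the login should be escaped before it is substituted for %LOGIN% (whether ProVision does this internally is not stated on this page); the helper and function names are mine.

```python
# Added example (not ProVision's own code): render the Auth DN / Fetch DN templates
# for a login, escaping the substituted value so a login containing DN or filter
# metacharacters cannot change the resulting DN or filter.
from typing import List

AUTH_DN_TEMPLATE = "cn=%LOGIN%,ou=people,dc=6connect,dc=com"  # value from the page
FETCH_DN_TEMPLATE = "cn=%LOGIN%"                               # value from the page


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\=' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:  # control characters become hex pairs
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def render_auth_dn(login: str) -> str:
    """Bind DN for this login (the -D argument of the test command)."""
    return AUTH_DN_TEMPLATE.replace("%LOGIN%", escape_dn_value(login))


def render_fetch_filter(login: str) -> str:
    """Search filter built from the Fetch DN template (the final ldapsearch argument)."""
    return "(" + FETCH_DN_TEMPLATE.replace("%LOGIN%", escape_filter_value(login)) + ")"


def ldapsearch_argv(host: str, base: str, login: str, password: str) -> List[str]:
    """argv for the 'Test the LDAP Server' command using the rendered values."""
    # -H ldap://host is the current spelling of the page's -h option; -w puts the
    # password on the command line (visible in process listings), -W prompts instead.
    return ["ldapsearch", "-b", base, "-H", f"ldap://{host}",
            "-D", render_auth_dn(login), "-w", password, render_fetch_filter(login)]


if __name__ == "__main__":
    print(" ".join(ldapsearch_argv("50.240.195.129", "dc=6connect,dc=com", "MayorJoeSmith", "testpass")))
```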
Note: On the login screen, you select the authentication method from the dropdown. If you like, you can set the default login option as follows: open /data/globals.php in vi (or another editor) and add the following text as the last line of the file (before the closing ?>):
define('DEFAULT_LOGIN_TYPE', 'radius');
...