Versions Compared

Old Version 18

changes.mady.by.user The Force

Saved on

compared with

New Version 19

changes.mady.by.user The Force

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from this space and version 5.0.3

LDAP Authentication

To setup  Starting in 3.6, ProVision supports LDAP authentication. To an LDAP server for authentication, you must perform the following three procedures:

Table of Contents

...

  • Configure the LDAP Server

...

...

  • Test the LDAP Server
  • Configure ProVision for LDAP Authentication

LDAP Schema - Example

Code Block
attributetype (1.3.6.1.4.1.5023215.2.3.21 NAME 'sixConnGroup'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 

objectclass ( 1.3.6.1.4.1.5023215.2.4.2 NAME 'sixConnectPermissionsV2'
        DESC '6Connect Permissions Object v2'
        SUP top AUXILIARY
        MUST ( sixConnGroup ) )

 

...

LDAP User

...

Example

SSH into your openLDAP server and create a new 'ldif' file.  Example:

Code Block
dn: cn=JoeSmith,ou=people,dc=6connect,dc=com
cn: JoeSmith
sn: JoeSmith
objectclass: top
objectclass: person
objectclass: sixConnectPermissionsV2
sixConnGroup: "Global Admins"
sixConnGroup: "IT Engineering"
sixConnGroup: "Sales"
sixConnGroup: "Customer Admin"
userPassword: testpass

 To  To create a new user, make a new ldif file and change all instances of "JoeSmith" to whatever username you wish to create and update the password.  Keep all of the object class definitions as listed above.  Add a sixConnGroup declaration for each ProVision user group a user is in.

 After  After the file is created, run the following command to add the new user to LDAP server:

Code Block
 ldapadd -h [SERVER] -x -f [LDIF FILE] -D [ROOTDN] -w [ROOT PW] -v

 Example Example:

Code Block
 ldapadd -h localhost -x -f 6connect.ldif -D "cn=Manager,dc=6connect,dc=com" -w secret -v

The user will now be active in openLDAP and can be used to login to ProVision. 

Test the LDAP Server

To query the LDAP server, run the following command on any server which has openLDAP enabled:

Code Block
ldapsearch -b [BASE] -h [IPADDRESS] -D [DOMAIN] -w [PASSWORD] [USER]

Note:  We have not been able to use a v6 address at with this tool, even though multiple sources say it should work.

At the end of the command where [USER] is specified, user or groups can be used (in LDAP format) to query.

Example: 

text
Code Block
language
ldapsearch -b "dc=6connect,dc=com" -h 50.240.195.129 -D "cn=MayorJoeSmith,ou=people,dc=6connect,dc=com" -w testpass "cn=MajorMinerJoeSmith"

Configure ProVision for LDAP Authentication 

To configure the use of LDAP authentication with ProVision, follow the steps below.

  • Log into 6connect ProVision
  • Go to Admin -> General Settings -> Authentication
  • Click the LDAP Enable checkbox.
  • Fill in the hostname or ip address, authentication port, LDAP Security, Auth DN, and Fetch DN.  

Image Removed

Example values in this case would be: 

...

  •  An example is below:

LDAP Server Address:   52 52.240.195.12

LDAP Port:   389  389 ( or SSL/TLS port is 636)

LDAP Security:   None None

LDAP Auth DN:   cn cn=%LOGIN%,ou=people,dc=6connect,dc=com

LDAP Fetch DN:   cn cn=%LOGIN%

 

Note
titleSetting default login authentication options

In the login screen, you would select the authentication method from the dropdown. If you like, you can set the default login option in the following way:

Go to the /data/globals.php and open in vi (or other editor). Add in the following text as the last line of the file (before the closing ?>)

define('DEFAULT_LOGIN_TYPE', 'radius');

Acceptable values are "local", "radius" and "ldap". If this line is not present in globals.php, the default option is "local".

Note
titleUsing SSL encryption

To use SSL encryption with LDAP, the ldap.conf file must be correctly configured on the ProVision server.

Typically, the LDAP configuration file is kept at "/etc/ldap/ldap.conf".  Make sure the following line is present:

    TLS_REQCERT allow

and restart the webserver.