
LDAP Authentication

 

Starting in 3.6, ProVision supports LDAP authentication. To use an LDAP server for authentication, you must perform the following three procedures:

  • Configure the LDAP Server
  • Test the LDAP Server
  • Configure ProVision for LDAP Authentication

Configure the LDAP Server

SSH into your openLDAP server and create a new 'ldif' file.  Example:

dn: cn=JoeSmith,ou=people,dc=6connect,dc=com
cn: JoeSmith
sn: JoeSmith
objectclass: top
objectclass: person
objectclass: sixConnectPermissionsV2
sixConnGroup: "Global Admins"
sixConnGroup: "bonk"
sixConnGroup: "poof"
sixConnGroup: "grood"
userPassword: testpass

 To create a new user, make a new ldif file and change all instances of "JoeSmith" to whatever username you wish to create and update the password.  Keep all of the object class definitions as listed above.  Add a sixConnGroup declaration for each ProVision user group a user is in.

After the file is created, run the following command to add the new user to the LDAP server:

 ldapadd -h [SERVER] -x -f [LDIF FILE] -D [ROOTDN] -w [ROOT PW] -v

 Example:

 ldapadd -h localhost -x -f 6connect.ldif -D "cn=Manager,dc=6connect,dc=com" -w secret -v

The user will now be active in openLDAP and can be used to log in to ProVision.
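As an added example (not from the ProVision documentation), the following Python script builds an entry in the format shown above for a given username and list of ProVision groups. It escapes the DN, base64-encodes any value that LDIF cannot carry literally, and stores the password as a salted SHA-1 ({SSHA}) hash rather than the cleartext userPassword in the example; the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os

BASE_DN = "dc=6connect,dc=com"  # base DN used throughout the page
OBJECT_CLASSES = ("top", "person", "sixConnectPermissionsV2")  # object classes from the page's entry

def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out[:1] in ("#", " "):  # a leading '#' or space must be escaped
        out = "\\" + out
    return out[:-1] + "\\ " if out.endswith(" ") else out

def ldif_line(attr, value):
    """One 'attr: value' line; switches to base64 ('attr:: ...') when the value is not LDIF-safe (RFC 2849)."""
    raw = value.encode("utf-8")
    unsafe_first = value[:1] in (" ", ":", "<")
    unsafe_any = any(b > 127 or b in (0, 10, 13) for b in raw) or value.endswith(" ")
    if unsafe_first or unsafe_any:
        return attr + ":: " + base64.b64encode(raw).decode("ascii")
    return attr + ": " + value

def ssha_hash(password, salt=None):
    """Salted SHA-1 in the {SSHA} form slapd accepts for userPassword, instead of cleartext."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(stored, password):
    """Check a candidate password against a {SSHA} value (the salt is whatever follows the 20-byte digest)."""
    if not stored.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    return hmac.compare_digest(digest, hashlib.sha1(password.encode("utf-8") + salt).digest())

def make_user_ldif(username, password, groups, base_dn=BASE_DN, salt=None):
    """Build the ldif entry described on the page: one sixConnGroup line per ProVision group."""
    dn = "cn=%s,ou=people,%s" % (escape_rdn_value(username), base_dn)
    lines = [ldif_line("dn", dn), ldif_line("cn", username), ldif_line("sn", username)]
    lines += ["objectclass: " + oc for oc in OBJECT_CLASSES]
    # The page quotes group names; LDIF keeps the quotes as part of the stored value, so they are kept here too.
    lines += [ldif_line("sixConnGroup", '"%s"' % g) for g in groups]
    lines.append(ldif_line("userPassword", ssha_hash(password, salt)))
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(make_user_ldif("JoeSmith", "testpass", ["Global Admins", "bonk", "poof", "grood"]))
```

Write the output to a file and feed it to the ldapadd command shown above.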

Test the LDAP Server

To query the LDAP server, run the following from any host that has the openLDAP client tools installed (almost all of them do):

ldapsearch -x -h [IPADDRESS] -D [DOMAIN] -w [PASSWORD] -b [BASEDN] [USER]

 The "-h" flag is straightforward, indicating the IP of the server. Don't even try getting this to accept IPv6 addresses -- every site mentions a different format; none of them work.

 The "-w" flag indicates the password.  The "-x" flag selects a simple bind, the same as in the ldapadd command above, and "-b" gives the base DN to search under (dc=6connect,dc=com for the example entry).

 The "-D" flag marks the descent into crazypants wackytown.  This is the "domain" of the LDAP search, which I don't understand one bit, but is apparently super-important.  I guess it's analogous to the database selector when querying off a MySQL server?  I dunno.  You should not need to modify this field.

 And at the end you add in the User (or users, or groups, or whatever) you want to query the LDAP server on, again in that fun fun LDAP format.

 Here is a practical example of an LDAP query:

 ldapsearch -x -h 50.240.195.129 -D "cn=Mayor,ou=people,dc=6connect,dc=com" -w testpass -b "dc=6connect,dc=com" "cn=MajorMiner"

Configure ProVision for LDAP Authentication 

To configure the use of LDAP authentication with ProVision, follow the steps below.

  • Log into 6connect ProVision
  • Go to Admin -> General Settings -> Authentication
  • Click the LDAP Enable checkbox.
  • Fill in the hostname or IP address, authentication port, LDAP Security, Auth DN, and Fetch DN.  An example is below:

LDAP Server Address:  52.240.195.12
LDAP Port:  389 (or 636 for SSL/TLS)
LDAP Security:  None
LDAP Auth DN:  cn=%LOGIN%,ou=people,dc=6connect,dc=com
LDAP Fetch DN:  cn=%LOGIN%

With LDAP Security set to None, the bind on port 389 sends each user's password to the LDAP server in cleartext, so use SSL/TLS on port 636 unless the link between ProVision and the LDAP server is otherwise protected.
