LDAP user authentication

Combodo's customers only Included in iTop community since 3.0

name:: LDAP user authentication
description:: Multi-server LDAP authentification
version:: 2.8.1
release:: 2020-04-10
itop-version-min:: 2.6
state:: stable
php-version-max:: PHP 7.4

Extension to replace current authent-ldap module until 3.0.0, as beginning with this version the feature was integrated in the product.
This extension provides support for multiple LDAP servers.

Features

Possibility to configure several LDAP servers in iTop configuration. Then it is possible to associate each LDAP user to a specific server.

The previous configuration remains functional.

Revision History

Release Date	Version	Comments
2022-04-13	2.8.1	Add table prefix
2020-04-10	2.8.0	First version

Limitations

N/A

Requirements

N/A

Installation

Install the extension using designer.

Configuration

iTop supports LDAP authentication against a remote LDAP server (or Windows Active Directory server). Both types of users (users with an account stored in the iTop local database and users with an LDAP account) can coexist on the same instance of iTop, on a per user basis.

LDAP users are created by selecting the appropriate type when prompted for a “New user Account”:

Configure iTop to connect to your LDAP server

Once iTop is installed, open the file 'config-itop.php' and look for the section authent-ldap . It should looks as shown below:

config-itop.php

'authent-ldap' => array (
        'host' => 'localhost',
        'port' => 389,
        'default_user' => '',
        'default_pwd' => '',
        'base_dn' => 'dc=mycompany,dc=com',
        'user_query' => '(&(uid=%1$s))',
        'options' => array (
                17 => 3,
                8 => 0,
        ),
        'debug' => false,
        'servers' => array(
                'MySecond-LDAP-Server' => array(
                        'host' => 'server1',
                        'port' => 389,
                        'default_user' => '',
                        'default_pwd' => '',
                        'base_dn' => 'dc=mycompany,dc=com',
                        'user_query' => '(&(uid=%1$s))',
                        'options' => array (
                                17 => 3,
                                8 => 0,
                        ),
                        'debug' => false,
                ),
        ),
),

Where:

The host parameter must contain the IP address or host name of your LDAP server
The port parameter is the TCP port number to be used for connecting to LDAP (LDAP's default is 389)
default_user and default_pwd identify an LDAP account with enough rights to connect to your LDAP server (in read-only mode) in order to search for the specified user. On most systems an anonymous user can do this, so you can leave these two fields blank.
base_dn defines the “root” used for searching for the user/logins. It can be something like “dc=mycompany,dc=com” or “ou=People,dc=mycompany,dc=com”. If you're not sure, ask your LDAP administrator.
user_query defines a LDAP query that will be used for searching for the users. You can write whatever valid LDAP query using any of the following placeholders:
- %1$s : iTop login of the user (i.e. what he/she types in the login form)
- %2$s : User's First Name
- %3$s : User's last name
- %4$s : User's email
debug must be set to true to turn on debug traces output (in the file log/error.log). Since the debug traces contain passwords in clear text, it is recommended to turn them off in production, but they are useful to troubleshoot the behavior of the application during configuration phases.
servers : Array of server configuration identical to the default one. The name of the server is the name referenced in the LDAP User definition. (if empty, then the default configuration is used).

The host parameter can contain a list of LDAP servers separated by a space. If the first server in the list fails to respond, the code will try the second one, and so on.

    'host' => 'ldap://ldap1.mycompany.com ldap://ldap2.mycompany.com',

If you specify both a host and a port but no protocol, then PHP will try to connect without SSL (i.e. the default protocol is ldap://)

If you specify a protocol in the host parameter, then the value of the port is ignored by PHP (i.e. ldap:// implies port 389 and ldaps:// implies port 636).

In order to connect via LDAPS using a non-standard port, you must specify both the protocol and the port in the host and pass null for the port.

Example:

  'authent-ldap' => array ( 
               'host' => 'ldaps://ldap.demo.com:6636', 
               'port' => null,
               ...
        );

Refer to ldap_connect for more information.

When connecting to a Windows Active Directory the query to retrieve the user based on her/his Windows login looks like: '(samaccountname=%1$s) '

The parameters %2$s, %3$s and %4$s are non-empty only if the User record (in iTop) is associated with a Person (i.e. if the “Contact” field is not empty for this User).

The last part of the configuration, options defines some LDAP specific options. See http://www.php.net/manual/en/function.ldap-set-option.php for the full list of possible options. You can use either the PHP constants (like LDAP_OPT_PROTOCOL_VERSION - with no quote) or their numeric equivalent (i.e. LDAP_OPT_PROTOCOL_VERSION equals 17). In the example above:

LDAP_OPT_PROTOCOL_VERSION => 3 
LDAP_OPT_REFERRALS => false

If you get an error 'Cannot bind to LDAP server, invalid DN syntax', check the syntax of the 'default_user' in your iTop configuration file. For some LDAP servers, the user name must be a complete name like: 'cn=admin,dc=mycompany,dc=com' and not just 'admin'.

Sidebar