LDAP user authentication
Combodo's customers only Included in iTop community since 3.0
- name:
- LDAP user authentication
- description:
- Multi-server LDAP authentification
- version:
- 2.8.1
- release:
- 2020-04-10
- itop-version-min:
- 2.6
- state:
- stable
- php-version-max:
- PHP 7.4
This extension provides support for multiple LDAP servers.
Features
Possibility to configure several LDAP servers in iTop configuration. Then it is possible to associate each LDAP user to a specific server.
The previous configuration remains functional.
Revision History
Release Date | Version | Comments |
---|---|---|
2022-04-13 | 2.8.1 | Add table prefix |
2020-04-10 | 2.8.0 | First version |
Limitations
N/A
Requirements
N/A
Installation
Install the extension using designer.
Configuration
iTop supports LDAP authentication against a remote LDAP server (or Windows Active Directory server). Both types of users (users with an account stored in the iTop local database and users with an LDAP account) can coexist on the same instance of iTop, on a per user basis.
LDAP users are created by selecting the appropriate type when prompted for a “New user Account”:
Configure iTop to connect to your LDAP server
Once iTop is installed, open the file 'config-itop.php' and look
for the section authent-ldap
. It should looks as
shown below:
- config-itop.php
-
'authent-ldap' => array ( 'host' => 'localhost', 'port' => 389, 'default_user' => '', 'default_pwd' => '', 'base_dn' => 'dc=mycompany,dc=com', 'user_query' => '(&(uid=%1$s))', 'options' => array ( 17 => 3, 8 => 0, ), 'debug' => false, 'servers' => array( 'MySecond-LDAP-Server' => array( 'host' => 'server1', 'port' => 389, 'default_user' => '', 'default_pwd' => '', 'base_dn' => 'dc=mycompany,dc=com', 'user_query' => '(&(uid=%1$s))', 'options' => array ( 17 => 3, 8 => 0, ), 'debug' => false, ), ), ),
Where:
-
The
host
parameter must contain the IP address or host name of your LDAP server -
The
port
parameter is the TCP port number to be used for connecting to LDAP (LDAP's default is 389) -
default_user
anddefault_pwd
identify an LDAP account with enough rights to connect to your LDAP server (in read-only mode) in order to search for the specified user. On most systems an anonymous user can do this, so you can leave these two fields blank. -
base_dn
defines the “root” used for searching for the user/logins. It can be something like “dc=mycompany,dc=com” or “ou=People,dc=mycompany,dc=com”. If you're not sure, ask your LDAP administrator. -
user_query
defines a LDAP query that will be used for searching for the users. You can write whatever valid LDAP query using any of the following placeholders:-
%1$s : iTop login of the user (i.e. what he/she types in the login form)
-
%2$s : User's First Name
-
%3$s : User's last name
-
%4$s : User's email
-
-
debug
must be set totrue
to turn on debug traces output (in the filelog/error.log
). Since the debug traces contain passwords in clear text, it is recommended to turn them off in production, but they are useful to troubleshoot the behavior of the application during configuration phases. -
servers
: Array of server configuration identical to the default one. The name of the server is the name referenced in the LDAP User definition. (if empty, then the default configuration is used).
host
parameter
can contain a list of LDAP servers separated by a space. If the
first server in the list fails to respond, the code will try the
second one, and so on.
'host' => 'ldap://ldap1.mycompany.com ldap://ldap2.mycompany.com',
host
and a port
but no protocol, then PHP will try to connect
without SSL (i.e. the default protocol is ldap://
)
If you specify a protocol in the
host
parameter, then the value of the
port
is ignored by PHP (i.e. ldap://
implies port 389 and ldaps://
implies port 636).
In order to connect via LDAPS using a non-standard port, you
must specify both the protocol and the port in the
host
and pass null
for the port.
Example:
'authent-ldap' => array ( 'host' => 'ldaps://ldap.demo.com:6636', 'port' => null, ... );
Refer to ldap_connect for more information.
The last part of the configuration, options
defines
some LDAP specific options. See http://www.php.net/manual/en/function.ldap-set-option.php
for the full list of possible options. You can use either the PHP
constants (like LDAP_OPT_PROTOCOL_VERSION - with no quote) or their
numeric equivalent (i.e. LDAP_OPT_PROTOCOL_VERSION equals 17). In
the example above:
LDAP_OPT_PROTOCOL_VERSION => 3 LDAP_OPT_REFERRALS => false