Directory Configuration

Directory List

In order to leverage the LDAP package, you will need to configure one or more directories. To add or edit a directory, we have added a page called "LDAP Directories" to the dashboard; after the package has been installed it can be found at index.php/dashboard/system/registration/authentication/ec_ldap on your website. From this page you can click on an existing directory row to edit it, or click the "Add Directory" button in the upper right corner of the screen. You can also re-order existing directories by dragging and dropping the rows using the move icon. Re-ordering the directories changes the order of the dropdown that appears on the log in page when you have multiple directories set up.

Note: If you are using Active Directory, we have provided a "Load Active Directory Preset" button which populates most of the directory schema fields with values appropriate for most Active Directory setups.

Directory Add/Edit

In order to set up or configure a directory you will need to know some key pieces of information. Here we'll outline the configuration information that's required to get up and running.

Basic Details

Display Name - This field is a user friendly identifier for the directory. This is shown to help you easily identify a directory in the directory list. It is also shown on the log in page for the user to select when you have multiple directories configured.

Domain Admin Username - We use the term "domain admin" pretty loosely here, but essentially what we are looking for is a user who you want to act as the system user. We use this for scenarios where we need to query LDAP for information that an anonymous bind might not otherwise have access to. This user should, at a minimum, have read access to all user and group objects within your directory. If you're using Active Directory, the UPN (User Principal Name) can be used for this and might look something like admin@exchangecore.com; otherwise you will need to specify the user's DN, which looks something like cn=admin,dc=exchangecore,dc=com.

Domain Admin Password - This is the password that belongs to the Domain Admin Username. We store this in the database using concrete5's built in encryption service provider.

LDAP Servers

In the ExchangeCore LDAP package, we allow multiple servers to be tied to a single directory. Most environments run multiple synchronized LDAP servers, which provide high availability if one of them fails or goes offline. We validate that each server can be connected to when you save the directory; if a server is down you will not be able to add it to your list of servers until it comes back online. Currently, the package attempts to connect to the servers in the order they are defined (so ideally you add the ones with the lowest latency first).

Hostname - This should be the hostname or IP address of your LDAP server.

Port - This should be the port number which your LDAP server is listening on.

Encryption - LDAP servers can be set up to use no encryption, LDAPS encryption, or StartTLS encryption. If you have problems using LDAPS or StartTLS, it may be that you are using a self-signed or untrusted certificate. To get around this issue you can set TLS_REQCERT never in the ldap.conf on the server running concrete5; this disables certificate validation (the LDAP server's identity is no longer verified) but still allows the connection to be encrypted.

Preferred Server Selection - Determines whether LDAP servers will be used in the order they appear on the screen or whether a server will be randomly selected. The former is useful for environments with geographically dispersed servers, where latency may be higher to one server than another. The latter is useful when you need to share the LDAP query load across multiple servers.

Directory Type - Used to determine if the directory qualifies for special rules which might improve performance or expose additional functionality.

LDAP Schema

Base DN - This is the starting DN for this directory to use for all of its LDAP queries to the server, regardless as to the type of object it is querying for. This might look something like dc=exchangecore,dc=com.

Additional User DN - This is prepended to the Base DN, and the result is used as the DN when querying for user objects. This can be left blank, or if you want to restrict user queries to a specific OU you might populate it with something like ou=Domain Admins, which would then search the DN ou=Domain Admins,dc=exchangecore,dc=com when looking for user objects.

Additional Group DN - This is prepended to the Base DN, and the result is used as the DN when querying for group objects. This can be left blank, or if you want to restrict group queries to a specific OU you might populate it with something like ou=Security Groups, which would then search the DN ou=Security Groups,dc=exchangecore,dc=com when looking for group objects. Note that this does not restrict the lookup of nested groups which are assigned to groups within this DN.

User Schema

User Object Filter - This is an LDAP filter that is applied when querying for user objects from your directory. This filter should be set up so that only user LDAP objects are returned when the filter is applied. Usually this involves using an objectCategory or objectClass filter.

Username Attribute - This should be the attribute that contains the data of the username, which is used to create the concrete5 account username and is used as the username the user logs in with.

User Email Attribute - This is the attribute that contains the user's email address. Because concrete5 requires a valid email address in order to create a user, this cannot be blank. Where a user is selected but does not have an email address, they will receive an invalid username or password error message when logging in, and they will not be synced when the sync job runs.

User Unique ID Attribute - This is used as a unique identifier for the user object. We use this to check for any existing links from an LDAP user to a concrete5 user before we attempt to create a concrete5 user when synchronizing. Note: In the absence of any truly unique identifier, you should consider using the username attribute as the unique identifier.
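The following is an added illustration, not code from the ExchangeCore LDAP package, of how the LDAP Schema fields (Base DN, Additional User DN) and the User Schema fields (User Object Filter, Username Attribute) combine into a single user lookup. The directory values are constructed to match this page's examples; the assumption that the package ANDs the object filter with an exact match on the username attribute is ours, and the RFC 4515 escaping shown is what keeps a login name typed on the log in page from altering the configured filter.

```python
# Added example (not part of the ExchangeCore LDAP package).
# Builds the search base and filter described by the LDAP Schema and
# User Schema settings, escaping the login name per RFC 4515 so the
# user-supplied value cannot change the configured User Object Filter.

# Constructed sample configuration mirroring the documented fields.
DIRECTORY = {
    "base_dn": "dc=exchangecore,dc=com",
    "additional_user_dn": "ou=Domain Admins",
    "user_object_filter": "(&(objectCategory=person)(objectClass=user))",
    "username_attribute": "sAMAccountName",
}

# Characters that are special inside an LDAP filter assertion value.
_RFC4515_ESCAPES = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def search_base(base_dn: str, additional_dn: str) -> str:
    """The Additional DN is prepended to the Base DN; blank means the Base DN itself."""
    additional_dn = additional_dn.strip()
    return f"{additional_dn},{base_dn}" if additional_dn else base_dn


def user_lookup_filter(directory: dict, username: str) -> str:
    """AND the configured User Object Filter with an exact match on the username attribute."""
    obj_filter = directory["user_object_filter"].strip()
    if not obj_filter.startswith("("):
        obj_filter = f"({obj_filter})"  # tolerate a filter typed without outer parentheses
    attr = directory["username_attribute"]
    return f"(&{obj_filter}({attr}={escape_filter_value(username)}))"


if __name__ == "__main__":
    print(search_base(DIRECTORY["base_dn"], DIRECTORY["additional_user_dn"]))
    print(user_lookup_filter(DIRECTORY, "jdoe"))
    # A constructed login name containing filter metacharacters stays a literal value.
    print(user_lookup_filter(DIRECTORY, "*)(uid=*"))
```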

Group Schema

Group Object Filter - This is an LDAP filter that is applied when querying for group objects from your directory. This filter should be set up so that only group LDAP objects are returned when the filter is applied. Usually this involves using an objectCategory or objectClass filter.

Group Name Attribute - This is the "user friendly" group name that is displayed when setting up a group mapping.

Group Membership Attribute - This is the attribute which contains a list of DNs of users (or other groups) which belong to this group object. In most cases this is the member attribute.