LDAP External Authentication Drop-In for Codiad
Written by Korynkai (Matt Schultz) of QuantuMatriX Technologies.
- Download `ldap.php` here: ldap.php (right-click -> Save Link As).
- Edit `ldap.php` in a text editor, changing configuration values as needed (see "Configuration" below for a description of these values). Do not edit the core logic (anything under the "Do not edit anything under..." line): you can break functionality, corrupt your `users.php` file, or even accidentally allow anybody to log in and modify your code. Only edit below that line if you want to experiment and have a test environment set up.
- Save `ldap.php` somewhere on the webserver, preferably within the Codiad root (I created a special directory for External Authentication called `auth` on my setup), and ensure your webserver daemon has permission to read the file.
- Edit Codiad's `config.php` in a text editor, uncommenting and/or adding the line `define("AUTH_PATH", "/path/to/ldap.php");`. Replace "/path/to" with the actual path. You may use the `BASE_PATH` directive if you saved `ldap.php` somewhere within the Codiad root. For example, on my setup (with the `auth` directory), this is set to `define("AUTH_PATH", BASE_PATH . "/auth/ldap.php");`.
Configuration

The following values should be set in accordance with the specific LDAP set-up being used:

- `$server` is your LDAP server's connection URI. For example:
  `$server = 'ldap://ldap.example.com:389';`
- `$basedn` is your LDAP server's search base distinguished name. This is where Codiad looks for user entries within LDAP. Example:
  `$basedn = 'ou=people,dc=example,dc=com';`
- Set `$anonbind` based on whether or not your LDAP server allows anonymous binds for search. Active Directory does not allow this by default; however, it is the default method for most servers based on the LDAP standard. Optionally, one can bind as a user for search on any LDAP server, or enable anonymous binds for search on Active Directory, so either search option is possible on either kind of server. Default is `true` to use anonymous bind (most LDAP servers except Active Directory).
- `$binddn` and `$bindpass` are the corresponding DN and password to bind with for search if `$anonbind` is disabled. Examples:
  `$binddn = "cn=binduser,cn=Users,dc=example,dc=com";`
  `$bindpass = "secret";`
- `$filter` is your LDAP user search filter. This tells Codiad which attribute/value pairs to match when looking up the username. If you aren't sure what to do here, you may use one of the alternatives below or consult the references at http://tools.ietf.org/search/rfc4515 (quite technical IETF RFC) or http://goo.gl/FOdGp7 (CentOS documentation page on LDAP search filters). The variable `$1` must always be supplied as a value, as it signifies the username. The default allows either a CN or an email to log in; however, the user environments for the CN and email logins would differ, essentially acting as separate users within Codiad. Examples:
  - `$filter = '(&(objectClass=*)(|(cn=$1)(email=$1)))';` <-- Allows CN or email to denote the username. As it uses a logical or (`|`), it allows more than one field to act directly as the username, in effect allowing each LDAP user (with both a CN and an email attribute) to create and log in to two Codiad users if they so desire.
  - `$filter = '(&(objectClass=*)(cn=$1))';` <-- Strictly use CN as the username.
  - `$filter = '(&(objectClass=*)(email=$1))';` <-- Strictly use email as the username.
  - `$filter = '(&(objectClass=*)(uniqueIdentifier=$1))';` <-- Strictly use uniqueIdentifier as the username. This is useful for custom self-identifiable usernames and is the filter we use on our setup; however, it may require additional configuration on LDAP.
- `$createuser` either allows or denies the automatic creation of a Codiad user upon successful LDAP authentication. If set to `true`, a user will be created if the user successfully authenticates through LDAP but is not present within Codiad's `data/users.php` file. If set to `false`, the user will be denied access if they are not present within Codiad's `data/users.php` file, regardless of whether or not the user has successfully authenticated to LDAP. Default is `true`.
- `$version` -- the LDAP protocol version used by the LDAP server. It should not be changed unless you are sure you are using a different version of the protocol, and should not be confused with any specific LDAP server version. The developer discourages modifying this value.