-rw-r--r-- README.markdown | 1
-rw-r--r-- docs/ldap-authentication.markdown | 73
2 files changed, 74 insertions, 0 deletions
diff --git a/README.markdown b/README.markdown index 2d88cda4..3858c1e6 100644 --- a/README.markdown +++ b/README.markdown @@ -72,6 +72,7 @@ Documentation - [Upgrade Kanboard to a new version](docs/update.markdown) - [Sqlite database management](docs/sqlite-database.markdown) - [How to use Mysql instead of Sqlite](docs/mysql-configuration.markdown) +- [LDAP authentication](docs/ldap-authentication.markdown) - [How to use Kanboard with Vagrant](docs/vagrant.markdown) - [Webhooks](docs/webhooks.markdown) diff --git a/docs/ldap-authentication.markdown b/docs/ldap-authentication.markdown new file mode 100644 index 00000000..65abbbb3 --- /dev/null +++ b/docs/ldap-authentication.markdown 
@@ -0,0 +1,73 @@ +LDAP authentication +=================== + +Requirements +------------ + +- LDAP extension for PHP +- LDAP server (By example: OpenLDAP or Microsoft Active Directory) + +Workflow +-------- + +When the LDAP authentication is activated, the login process work like that: + +1. Try to authenticate the user by using the database +2. If the user is not found inside the database, a LDAP authentication is performed +3. If the LDAP authentication is successful, a local user is created automatically with no password and marked as LDAP user. + +Differences between a local user and a LDAP user are the following: + +- LDAP users have no local passwords +- LDAP users can't modify their password with the user interface +- By default, all LDAP users have no admin privileges +- To become administrator, a LDAP user must be promoted by another administrator + +Configuration +------------- + +The first step is to create a custom config file named `config.php`. +This file must be stored in the root directory. + +To do that, you can create an empty PHP file or copy/rename the sample file `config.default.php`. + +### Example for Microsoft Active Directory + +Let's say we have a domain `MYDOMAIN` (mydomain.local) and the primary controller is `myserver.mydomain.local`. + +```php +<?php + +// Enable LDAP authentication (false by default) +define('LDAP_AUTH', true); + +// LDAP server hostname +define('LDAP_SERVER', 'myserver.mydomain.local'); + +// User LDAP DN +define('LDAP_USER_DN', 'MYDOMAIN\\%s'); + +// Another way to do the same thing +define('LDAP_USER_DN', '%s@mydomain.local'); + +``` + +### Example for OpenLDAP + +Here, our LDAP server is `myserver.example.com` and all users are stored in the hierarchy `ou=People,dc=example,dc=com`. 
+ +```php +<?php + +// Enable LDAP authentication (false by default) +define('LDAP_AUTH', true); + +// LDAP server hostname +define('LDAP_SERVER', 'myserver.example.com'); + +// User LDAP DN +define('LDAP_USER_DN', 'uid=%s,ou=People,dc=example,dc=com'); + +``` + +The `%s` is replaced by the username for the parameter `LDAP_USER_DN`, so you can define a custom Distinguished Name. |
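Review bot: in the Active Directory example of the docs/ldap-authentication.markdown hunk, `LDAP_USER_DN` is defined twice in the same config block; PHP keeps the first value when `define()` is called again for an existing constant and emits a notice, so a reader who copies the block verbatim silently gets `MYDOMAIN\\%s` and never the `%s@mydomain.local` form. Present the alternative as a commented-out line, e.g. `// define('LDAP_USER_DN', '%s@mydomain.local');`, or as a second block. Two documentation gaps in the same hunk: the closing sentence says `%s` is replaced by the username, but not whether that username is escaped before being placed in the DN, which anyone defining a custom Distinguished Name needs to know; and both examples set only a hostname in `LDAP_SERVER`, so the document should state how the connection is protected (LDAPS or StartTLS), since the bind carries the user's password.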