LDAP Authentication =================== Requirements ------------ - PHP LDAP extension enabled - LDAP server: - OpenLDAP - Microsoft Active Directory - Novell eDirectory Workflow -------- When the LDAP authentication is activated, the login process work like that: 1. Try first to authenticate the user by using the database 2. If the user is not found inside the database, a LDAP authentication is performed 3. If the LDAP authentication is successful, by default a local user is created automatically with no password and marked as LDAP user. The full name and the email address are automatically fetched from the LDAP server. Authentication Types -------------------- | Type | Description | |------------|-----------------------------------------------------------------| | Proxy User | A specific user is used to browse LDAP directory | | User | The end-user credentials are used for browsing LDAP directory | | Anonymous | No authentication is performed for LDAP browsing | **The recommended authentication method is "Proxy"**. #### Anonymous mode ```php define('LDAP_BIND_TYPE', 'anonymous'); define('LDAP_USERNAME', null); define('LDAP_PASSWORD', null); ``` This is the default value but some LDAP servers don't allow anonymous browsing for security reasons. #### Proxy mode A specific user is used to browse the LDAP directory: ```php define('LDAP_BIND_TYPE', 'proxy'); define('LDAP_USERNAME', 'my proxy user'); define('LDAP_PASSWORD', 'my proxy password'); ``` #### User mode This method uses the credentials provided by the end-user. By example, Microsoft Active Directory doesn't allow anonymous browsing by default and if you don't want to use a proxy user you can use this method. ```php define('LDAP_BIND_TYPE', 'user'); define('LDAP_USERNAME', '%s@kanboard.local'); define('LDAP_PASSWORD', null); ``` In this case, the constant `LDAP_USERNAME` is used as a pattern to the ldap username, examples: - `%s@kanboard.local` will be replaced by `my_user@kanboard.local` - `KANBOARD\\%s` will be replaced by `KANBOARD\my_user` User LDAP filter ---------------- The configuration parameter `LDAP_USER_FILTER` is used to find users in LDAP directory. Examples: - `(&(objectClass=user)(sAMAccountName=%s))` is replaced by `(&(objectClass=user)(sAMAccountName=my_username))` - `uid=%s` is replaced by `uid=my_username` Other examples of [filters for Active Directory](http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx) By example you can filter access to Kanboard from the user filter: `(&(objectClass=user)(sAMAccountName=%s)(memberOf=CN=Kanboard Users,CN=Users,DC=kanboard,DC=local))` This example allow only people member of the group "Kanboard Users" to connect to Kanboard. Example for Microsoft Active Directory -------------------------------------- Let's say we have a domain `KANBOARD` (kanboard.local) and the primary controller is `myserver.kanboard.local`. First example with proxy mode: ```php