Composr Tutorial: Integrating Composr into a corporate network via LDAP
Written by Chris Graham
If you plan to integrate your website into a corporate network, perhaps as your intranet, you may wish to use the same credentials for users of the website as you do for your other services, such as desktop login. With this approach, there are a number of advantages:- There is no issue with preventing non-authorised users joining, or having to manually validate accounts of those who do join.
- Users do not need to join.
- A user only has a single password to maintain.
- It is clear who the users of the website are, as there is no potential for them to use unknown handles.
- Usergroup membership is the same as on your corporate network, and permissions can be assigned using it.
The standard protocol for sharing of network credentials is called LDAP. Two variations of LDAP are supported:
- Active Directory, which is a standard part of the Windows architecture.
- OpenLDAP, which is the de facto standard for Linux systems.
LDAP support (maintenance status) is complex. If you're not sure what settings to use then you'll probably need someone with programming experience to step through it all, as LDAP can be very complex and involve non-standard/diverse schema.
Configuring
To use LDAP, you must be using Composr's inbuilt forum system, Conversr. LDAP is enabled after Composr installation, in Admin Zone > Setup > Configuration > User/usergroup options > LDAP. You may access the Admin Zone using the 'admin' username that was defined when Composr was installed and the username will remain functional even if there are problems with LDAP – this is so that you may fix settings without having to manually adjust the configuration settings in the Composr database.
LDAP is known as a directory service, and in theory, all the LDAP servers of the world together form a combined directory. Because of this, each LDAP server is given a position in the directory, specified in the LDAP DN (directory navigation) syntax; this is known as the base-DN, and the system administrator of the network should be able to identify this. The base-DN is usually based on the DNS domain name of the network the LDAP server serves, for example: dc=intranet,dc=example,dc=com might be used for the domain intranet.example.com. It is important to use the DNS of the domain and not the DNS of the server on the domain.
LDAP is known as a directory service, and in theory, all the LDAP servers of the world together form a combined directory. Because of this, each LDAP server is given a position in the directory, specified in the LDAP DN (directory navigation) syntax; this is known as the base-DN, and the system administrator of the network should be able to identify this. The base-DN is usually based on the DNS domain name of the network the LDAP server serves, for example: dc=intranet,dc=example,dc=com might be used for the domain intranet.example.com. It is important to use the DNS of the domain and not the DNS of the server on the domain.
The configuration requires that you either perform an 'anonymous bind', or provide credentials for a user in the system that has full read access to what Composr needs in every account. Whether an 'anonymous bind' will work depends on your network: it noes not work on Active Directory by default, but does on OpenLDAP. The anonymous bind account would need full read access as a specified user would.
The LDAP standard is more concerned with protocol and structure than the actual schema used to hold information. Therefore there are significant differences between implementations, and thus we must consider each a separate case.
The LDAP standard is more concerned with protocol and structure than the actual schema used to hold information. Therefore there are significant differences between implementations, and thus we must consider each a separate case.
Active Directory
Active Directory is a fundamental part of post-NT Windows networking. It resides on the domain controller(s) of the network, and is an LDAP based system that includes a lot of information, especially users and usergroups.As Active Directory is so standard across Windows, Composr has good support for its schema.
The usergroup, 'Administrators' is mapped to the Composr Administrators usergroup.
The usergroup, 'Users' is mapped to the lowest ranking Composr member usergroup.
OpenLDAP
Composr supports the NIS (aka POSIX) schema. This is the schema that is installed on the server in order for Linux clients to be able to login using the LDAP database for full credentials. It is possible that there are variations of the schema installed on different networks, therefore it may be necessary to ask a professional developer to make sure Composr can handle your specific configuration.The usergroups, 'root' and 'admin', are mapped to the Composr Administrators usergroup. The usergroup, 'users' is mapped to the lowest ranking Composr member usergroup.
Changed Composr behaviour
When you use Composr with LDAP, there are some necessary changes to how Composr behaves:
- Automatic mapping between the standard Composr usergroups and LDAP usergroups will be performed, even when the names do not quite correlate. For example, an administrator in LDAP, will be an administrator in Composr, automatically.
- Unless you allow it, joining on Composr will be disabled, in favour of only allowing new LDAP accounts to be seen. Composr assumes all LDAP account management is done elsewhere, and only employs read-only access to the LDAP data.
- It is necessary to use the LDAP synchronisation module to choose which LDAP usergroups will be featured in Composr. This is done for reasons of cleanliness: often an LDAP database will consist of many cryptic usergroups that would look out-of-place on the portal. Do this from Admin Zone > Security > LDAP.
- When an LDAP user logs in for the first time, Composr will ask for some supplementary information them (such as their e-mail address) in order to complete the Composr profile. This is because usually LDAP does not hold this data, but Composr requires it.
- Passwords and usernames of LDAP users cannot be changed.
- LDAP users may not change their usergroup membership from within Composr.
- The 'lost password' feature will not work for LDAP users.
Concepts
- LDAP
- Lightweight Directory Access Protocol; a scheme that allows many systems to share authentication and user profile information
- OpenLDAP
- An Open Source LDAP system
- Active Directory
- The Windows Server LDAP system
- NIS
- Network information system; the traditional network based authentication scheme used on Linux, to which OpenLDAP/Linux work to for Linux authentication
- POSIX
- A standardisation effort for Unix/Linux that has an implication for users and usergroups
- Domain Controller
- A Windows Server that manages authentication for a Windows Domain (a contained Windows network)
- Directory service
- A service available on a network for looking up entries in a directory. LDAP is an example of a protocol to provide a directory service: a directory that is most often of users
See also
Feedback
Please rate this tutorial:
Have a suggestion? Report an issue on the tracker.