[title sub="Written by Chris Graham"]Composr Tutorial: Integrating Composr into a corporate network via LDAP[/title]

{!cns:DOC_LDAP}

[box="Potentially out-dated"]This tutorial is potentially out-dated and has not yet been tested for v11[/box]

[i]{$IS_MAINTAINED,ldap,LDAP support} is complex. If you're not sure what settings to use then you'll probably need someone with programming experience to step through it all, as LDAP can be very complex and involve non-standard/diverse schema.[/i]

[contents]decimal,lower-alpha[/contents]

[title="2"]Configuring[/title]

[surround]
[media width="150" description="Configuring LDAP support" float="right"]data_custom/images/docs/tut_ldap/ldap_configuration.png[/media]
To use LDAP, you must be using Composr's inbuilt forum system, Conversr. LDAP is enabled after Composr installation, in Admin Zone > Setup > Configuration > User/usergroup options > LDAP. You may access the Admin Zone using the 'admin' username that was defined when Composr was installed and the username will remain functional even if there are problems with LDAP -- this is so that you may fix settings without having to manually adjust the configuration settings in the Composr database.

LDAP is known as a [concept]directory service[/concept], and in theory, all the LDAP servers of the world together form a combined directory. Because of this, each LDAP server is given a position in the directory, specified in the LDAP DN (directory navigation) syntax; this is known as the base-DN, and the system administrator of the network should be able to identify this. The base-DN is usually based on the DNS domain name of the network the LDAP server serves, for example: [tt]dc=intranet,dc=example,dc=com[/tt] might be used for the domain [tt]intranet.example.com[/tt]. It is important to use the DNS of the domain and [b]not[/b] the DNS of the server on the domain.
[/surround]

[surround]
[media width="150" description="When LDAP is working, login is a snap" float="left"]data_custom/images/docs/tut_ldap/ldap_login.png[/media]
[media width="150" description="After logging in for the first time, Composr will ask for some details to be finalised" float="right"]data_custom/images/docs/tut_ldap/ldap_finishprofile.png[/media]
The configuration requires that you either perform an 'anonymous bind', or provide credentials for a user in the system that has full read access to what Composr needs in every account. Whether an 'anonymous bind' will work depends on your network: it noes not work on Active Directory by default, but does on OpenLDAP. The anonymous bind account would need full read access as a specified user would.

The LDAP standard is more concerned with protocol and structure than the actual schema used to hold information. Therefore there are significant differences between implementations, and thus we must consider each a separate case.
[/surround]

[title="3"]Active Directory[/title]

[media width="150" description="Adding a user to Active Directory" float="right"]data_custom/images/docs/tut_ldap/ldap_adduser.png[/media]
Active Directory is a fundamental part of post-NT Windows networking. It resides on the [concept]domain controller[/concept](s) of the network, and is an LDAP based system that includes a lot of information, especially users and usergroups.

As Active Directory is so standard across Windows, Composr has good support for its schema.

The usergroup, 'Administrators' is mapped to the Composr Administrators usergroup.
The usergroup, 'Users' is mapped to the lowest ranking Composr member usergroup.

[title="3"]OpenLDAP[/title]

Composr supports the [concept]NIS[/concept] (aka [concept]POSIX[/concept]) schema. This is the schema that is installed on the server in order for Linux clients to be able to login using the LDAP database for full credentials. It is possible that there are variations of the schema installed on different networks, therefore it may be necessary to ask a professional developer to make sure Composr can handle your specific configuration.

The usergroups, 'root' and 'admin', are mapped to the Composr Administrators usergroup. The usergroup, 'users' is mapped to the lowest ranking Composr member usergroup.

[title="2"]Changed Composr behaviour[/title]

[surround]
[media width="150" description="Synchronising with LDAP (Composr doesn't duplicate LDAP information, but some parameters need to be set and clean-ups undertaken, which this tool assists)" float="right"]data_custom/images/docs/tut_ldap/ldap_sync.png[/media]
When you use Composr with LDAP, there are some necessary changes to how Composr behaves:
 - Automatic mapping between the standard Composr usergroups and LDAP usergroups will be performed, even when the names do not quite correlate. For example, an administrator in LDAP, will be an administrator in Composr, automatically.
 - Unless you allow it, joining on Composr will be disabled, in favour of only allowing new LDAP accounts to be seen. Composr assumes all LDAP account management is done elsewhere, and only employs read-only access to the LDAP data.
 - It is necessary to use the LDAP synchronisation module to choose which LDAP usergroups will be featured in Composr. This is done for reasons of cleanliness: often an LDAP database will consist of many cryptic usergroups that would look out-of-place on the portal. Do this from Admin Zone > Security > LDAP.
 - When an LDAP user logs in for the first time, Composr will ask for some supplementary information them (such as their e-mail address) in order to complete the Composr profile. This is because usually LDAP does not hold this data, but Composr requires it.
 - Passwords and usernames of LDAP users cannot be changed.
 - LDAP users may not change their usergroup membership from within Composr.
 - The 'lost password' feature will not work for LDAP users.
[/surround]

[concepts
 1_key="LDAP"              1_value="Lightweight Directory Access Protocol; a scheme that allows many systems to share authentication and user profile information"
 2_key="OpenLDAP"          2_value="An Open Source LDAP system"
 3_key="Active Directory"  3_value="The Windows Server LDAP system"
 4_key="NIS"               4_value="Network information system; the traditional network based authentication scheme used on Linux, to which OpenLDAP/Linux work to for Linux authentication"
 5_key="POSIX"             5_value="A standardisation effort for Unix/Linux that has an implication for users and usergroups"
 6_key="Domain Controller" 6_value="A Windows Server that manages authentication for a Windows Domain (a contained Windows network)"
 7_key="Directory service" 7_value="A service available on a network for looking up entries in a directory. LDAP is an example of a protocol to provide a directory service: a directory that is most often of users"
]Concepts[/concepts]

[title="2"]See also[/title]

 - [page="_SEARCH:tut_httpauth"]Integrating Composr into a network via HTTP authentication[/page]
 - [page="_SEARCH:tut_members"]Composr member system[/page]

{$SET,tutorial_tags,Third Party Integration,Security,Members,ldap,expert}{$SET,tutorial_add_date,Aug 2008}{$SET,tutorial_summary,How to integrate Composr into a corporate network via LDAP (OpenLDAP, or Microsoft Active Directory).}[block]main_tutorial_rating[/block]
