LDAP User Access
Revision as of 14:12, 19 November 2009
This is an authentication mechanism that authenticates users against an OpenLDAP server.
This user access mechanism is implemented by the I2CE_UserAccess_LDAP class.
Configuration
To use LDAP user authentication, you need to enable the module and set an initialization string.
Enabling the Module
To enable the module, make sure your configuration contains the following requirement:
<source lang='xml'>
<requirement name='UserAccess_LDAP'>
  <atLeast version='4.0'/>
  <lessThan version='4.1'/>
</requirement>
</source>
Initialization String
The initialization string is passed to I2CE::initialize() in index.php as the fourth argument, $user_access_init. This string must be prefixed with 'LDAP://'. What follows the prefix takes one of the following forms:
- null: This is the default value and means that the default DN (distinguished name) is used for querying and authenticating users.
- a JSON encoded string: a JSON object of optional configuration values for the user access. It may contain the following keys:
  - dn: The DN under which users are queried. Defaults to 'dc=localhost'.
  - application: The application name under which user roles are looked up. If not set, the site module's name is used.
  - People: The qualifier under which people are queried. Defaults to 'ou=People'.
  - Roles: The qualifier under which user roles are queried. Defaults to 'ou=Application'.
For example:
LDAP://{"dn":"dc=moh,dc=example,dc=gov"}
would be a minimal initialization string for authenticating against a directory rooted at that DN. Note the double quotes: the options must be strict JSON, and a JSON parser rejects single-quoted keys and values.
LDAP Directory Structure
Example Entries
A user could be represented as:
dn: uid=litlfred, ou=People, dc=moh,dc=example,dc=gov
sn: Leitner
givenName: Carl
cn: Carl Leitner
userPassword: {SSHA}DkMTwBl+a/3DQTxCYEApdUtNXGgdUac3
email: cleitner@intrahealth.org
locale: en_US
User roles are unique on the pair (username, software component), and there may be software-component-specific information to share:
dn: uid=litlfred, app=ihris-manage, ou=Application, dc=moh,dc=example,dc=gov
role: hr_staff
id: 25

dn: uid=litlfred, app=ihris-qualify, ou=Application, dc=moh,dc=example,dc=gov
role: admin
id: 25

dn: uid=litlfred, app=dhis2, ou=Application, dc=moh,dc=example,dc=gov
role: guest
id: 42
phone: 919-555-1212
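The following is an added example, not code from I2CE or iHRIS, that ties the initialization string above to the directory layout: it parses the 'LDAP://' string (applying the documented defaults for dn, People and Roles), rejects non-JSON options, and builds the user entry DN and the per-application role entry DN that the example entries use. The site_module fallback for 'application' is an assumed parameter standing in for the site module's name; the RDN escaping is added so that a login name containing ',' or similar cannot alter the DN that is searched.

```python
# Added example (not I2CE project code): parse an I2CE-style LDAP user access
# initialization string and derive the DNs that the documented directory
# layout implies.  Defaults follow the page: dn 'dc=localhost',
# People 'ou=People', Roles 'ou=Application'.  The site_module fallback for
# 'application' is an assumed parameter; I2CE takes it from the site module.
import json

PREFIX = "LDAP://"
DEFAULTS = {"dn": "dc=localhost", "People": "ou=People", "Roles": "ou=Application"}
KNOWN_KEYS = set(DEFAULTS) | {"application"}


def parse_init_string(init, site_module="ihris-manage"):
    """Return the effective configuration for an initialization string.

    Accepts 'LDAP://' alone or 'LDAP://null' (all defaults), or 'LDAP://'
    followed by a JSON object with any of the keys dn, application, People, Roles.
    """
    if not init.startswith(PREFIX):
        raise ValueError("initialization string must start with %r" % PREFIX)
    body = init[len(PREFIX):].strip()
    config = dict(DEFAULTS, application=site_module)
    if body in ("", "null"):
        return config
    try:
        options = json.loads(body)
    except json.JSONDecodeError as exc:
        # Single-quoted keys are the usual mistake; strict JSON needs double quotes.
        raise ValueError("options must be strict JSON: %s" % exc) from None
    if not isinstance(options, dict):
        raise ValueError("options must be a JSON object")
    unknown = set(options) - KNOWN_KEYS
    if unknown:
        raise ValueError("unknown option keys: %s" % ", ".join(sorted(unknown)))
    config.update(options)
    return config


def escape_rdn_value(value):
    """Escape an attribute value per RFC 4514 so that user-supplied text
    (a login name) cannot add or alter RDN components of the DN we build."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def user_dn(config, username):
    """DN of the user entry: uid=<user>,<People>,<dn>."""
    return "uid=%s,%s,%s" % (escape_rdn_value(username), config["People"], config["dn"])


def role_dn(config, username, application=None):
    """DN of the per-application role entry: uid=<user>,app=<application>,<Roles>,<dn>."""
    app = application if application is not None else config["application"]
    return "uid=%s,app=%s,%s,%s" % (
        escape_rdn_value(username), escape_rdn_value(app), config["Roles"], config["dn"])


if __name__ == "__main__":
    cfg = parse_init_string('LDAP://{"dn":"dc=moh,dc=example,dc=gov"}')
    print(user_dn(cfg, "litlfred"))
    print(role_dn(cfg, "litlfred", "ihris-qualify"))
    # A hostile login name is escaped rather than becoming a new RDN.
    print(user_dn(cfg, "litlfred,ou=Admins"))
```

The DNs produced match the example entries (whitespace after the commas in the entries is optional in a DN). Treating unknown option keys as an error is a design choice for the example, so that a typo such as 'people' does not silently fall back to the default qualifier.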
Passwords
We will use SSHA (salted SHA-1), stored in the {SSHA} form shown in the example entry above: the base64 encoding of the SHA-1 digest of the password concatenated with the salt, followed by the salt itself. SHA-1 is a fast hash, so for new deployments consider one of OpenLDAP's slower password modules (pw-pbkdf2 or pw-argon2) instead. For a PHP implementation see this
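As an added example (not I2CE or OpenLDAP code), the following creates and verifies userPassword values in the {SSHA} layout described above. It assumes the common layout base64(sha1(password || salt) || salt) with a 4-byte salt, which is what the page's sample value decodes to (20 digest bytes plus 4 salt bytes); the verifier treats any other scheme prefix, invalid base64, or a value too short to hold a salt as a failed match, and compares digests in constant time.

```python
# Added example (not I2CE or OpenLDAP project code): create and verify
# userPassword values in the '{SSHA}' form used in the entries above.
# Assumed layout: base64( sha1(password || salt) || salt ), salt 4 bytes
# when generated here (the page's sample value decodes to 20 + 4 bytes).
import base64
import hashlib
import hmac
import os

DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes
SCHEME = "{SSHA}"


def ssha_hash(password, salt=None):
    """Return a '{SSHA}' string for password, with a fresh random 4-byte salt unless given."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(stored):
    """Split a stored '{SSHA}' value into (digest, salt); None if malformed."""
    if not stored.startswith(SCHEME):
        return None
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= DIGEST_LEN:  # need the digest plus at least one salt byte
        return None
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(password, stored):
    """True only if password matches stored; digests compared in constant time."""
    parsed = parse_ssha(stored)
    if parsed is None:
        return False
    digest, salt = parsed
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    sample = "{SSHA}DkMTwBl+a/3DQTxCYEApdUtNXGgdUac3"  # value from the entry above
    digest, salt = parse_ssha(sample)
    print("digest %d bytes, salt %d bytes" % (len(digest), len(salt)))
    h = ssha_hash("correct horse")
    print(h, ssha_verify("correct horse", h), ssha_verify("wrong", h))
```

Because the salt is stored in the clear after the digest, verification never needs a secret beyond the password; the salt only stops one precomputed table from covering every user.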
openLDAP Server Configuration
This describes how to set up OpenLDAP for use with OpenMRS, DHIS and iHRIS on an Ubuntu machine. First, see this tutorial.