LDAP User Access: Difference between revisions
| Line 67: | Line 67: | ||
We will need (in our default scenario) to add the entries for the People and | We will need (in our default scenario) to add the entries for the People and Application organizational unit: | ||
dn: ou=People,dc=moh,dc=example,dc=org | dn: ou=People,dc=moh,dc=example,dc=org | ||
| Line 73: | Line 73: | ||
ou: People | ou: People | ||
dn: ou= | dn: ou=Applications,dc=moh,dc=example,dc=org | ||
objectClass: organizationalUnit | objectClass: organizationalUnit | ||
ou: | ou: Applications | ||
Revision as of 14:17, 19 November 2009
The is an authentication mechanism which authenticates users against an openLDAP server
This user access mechansim is implemented by the I2CE_UserAccess_LDAP class.
Configuration
To use the default user authentication, you need to enable the module and set an initialization string.
Enabling the Module
To enable, just make sure you have: <source lang='xml'>
<requirement name='UserAccess_LDAP'> <atLeast version='4.0'/> <lessThan version='4.1'/> </requirement>
</source>
Initialization String
The initialization string is sent to I2CE::initialize() in the index.php as the fourth argument, $user_access_init. This string must be prefixed with the 'LDAP://. What follows take any of the following formats:
- null: The is the default value and means that we use the default DN (distinguished name) for querying and authenticating users
- a JSON encoded string: The data to is a JSON enocode string of optional configuration value for the user access. The JSON encoded data has the following keys:
- dn: The DN used to query users against. Defaults to 'dc=localhost'
- app: The application name used to check for user roles in. If not set, it will use the site module's name
- people: The qualifier to query people against. Defaults to 'ou=People'.
- roles: The qualifier to query user roles against. Defaults to 'ou=Application'.
For example:
LDAP://{'dn':'dc=moh,dc=example,dc=gov'}
would be a minimal initialization string needed to authenticate against.
LDAP Directory Structure
Example Entries
A user could be represented as:
dn: uid=litlfred, ou=People, dc=moh,dc=example,dc=gov
sn: Leitner
givenName: Carl
cn: Carl Leitner
userPassword: {SSHA}DkMTwBl+a/3DQTxCYEApdUtNXGgdUac3
email: cleitner@intrahealth.org
locale: en_US
User roles be unique on the pair (username, software-component) and there may be software component specific information to share,
dn: uid=litlfred, app=ihris-manage, ou=Application, dc=moh,dc=example,dc=gov role: hr_staff id: 25 dn: uid=litlfred, app=ihris-qualify, ou=Application, dc=moh,dc=example,dc=gov role: admin id: 25 dn: uid=litlfred, app=dhis2, ou=Application, dc=moh,dc=example,dc=gov role: guest id: 42 phone: 919-555-1212
Passwords
We will use SSHA, salted SHA. For a php implementation see this
openLDAP Server Configuration
This describes how to set up openLDAP for use with openMRS, DHIS and iHRIS on an ubuntu machine. First, see this tutorial.
We will need (in our default scenario) to add the entries for the People and Application organizational unit:
dn: ou=People,dc=moh,dc=example,dc=org objectClass: organizationalUnit ou: People dn: ou=Applications,dc=moh,dc=example,dc=org objectClass: organizationalUnit ou: Applications
