
Auth by Active Directory

New feature introduced with NConf 1.3

When using Auth by Active Directory LDAP, make sure your PASSWD_ENC constant is set to “clear”, regardless of the password encryption you are actually using in AD LDAP.

Active Directory will handle this by itself.

Default config

### Active Directory
define('AD_LDAP_SERVER',        "ldap://ad-ldaphost.mydomain.com");
define('AD_LDAP_PORT',          "389");
define('AD_BASE_DN',            "CN=<username>,OU=All,OU=Users,DC=my,DC=domain,DC=com");
define('AD_USER_REPLACEMENT',   "<username>");
define('AD_GROUP_ATTRIBUTE',    "memberof");
define('AD_USERNAME_ATTRIBUTE', "displayname");
define('AD_GROUP_DN',           "OU=Group,DC=my,DC=domain,DC=com");
define('AD_ADMIN_GROUP',        "CN=nagiosadmin");
define('AD_USER_GROUP',         "CN=sysadmin");
 
# if AD_GROUP_DN differs for admins and users:
# you can define FIX GROUPS: (needs empty GROUP_DN)
//define('AD_GROUP_DN',         "");
//define('ADMIN_GROUP',         "CN=nagiosadmin,OU=Group,DC=my,DC=domain,DC=com");
//define('USER_GROUP',          "CN=sysadmin,OU=Group,DC=my,DC=domain,DC=com");

Description of config values

You should know your AD LDAP tree design (DIT) and configure the config values accordingly.

AD_LDAP_SERVER

The AD LDAP connection string, with or without "[ldap[s]://]".
LDAP v3 is required.

Usage: "[ldap[s]://]hostname"
Default value: "ldap://ad-ldaphost.mydomain.com"

AD_LDAP_PORT

The LDAP port to connect to. This constant is ignored when using URL notation in the AD_LDAP_SERVER constant.

Default value: "389"

AD_BASE_DN

The “base dn” under which the user entries are located in the Active Directory.
“<username>” is a placeholder and can be configured with the AD_USER_REPLACEMENT constant. (Basically you do not have to change this; NConf will put your login username in there.)

Default value: "CN=<username>,OU=All,OU=Users,DC=my,DC=domain,DC=com"

AD_USER_REPLACEMENT

This constant defines the placeholder which is to be replaced by the username of the actual user that is logging in.

Default value: "<username>"

AD_GROUP_ATTRIBUTE

This constant defines the attribute which holds the groups of your account. Change this if you want to use another attribute to locate the groups.

Default value: "memberof"

AD_USERNAME_ATTRIBUTE

This constant defines the attribute which holds the user's full name. Change this if you want to use another attribute.

Default value: "displayname"

AD_GROUP_DN

The base “dn” of your groups. You can define this if your user and admin groups are located under the same dn.

Default value: "OU=Group,DC=my,DC=domain,DC=com"

ADMIN_GROUP

The name of the “admin group”. Users who want to be “NConf admin” have to be in this group. This group should only be assigned to NConf superusers. If a user is in the admin group, they do not need to be in the USER_GROUP as well.

Define your group name like this if your admin/user groups are located in the same DN:

Default value: "CN=nagiosadmin"

If the BASE of the user group differs from the admin group, you can enter the whole DN like this:

Default value: "CN=nagiosadmin,OU=group,DC=my,DC=domain,DC=com"

USER_GROUP

The name of the ordinary “user group”. Any user who wants to access NConf, and is not an admin, has to be in this group. Users who are neither in the USER_GROUP nor in the ADMIN_GROUP will not be able to access NConf. Define your group name like this if your admin/user groups are located in the same DN:

Default value: "CN=sysadmin"

If the BASE of the user group differs from the admin group, you can enter the whole DN like this:

Default value: "CN=sysadmin,OU=different_group,DC=my,DC=domain,DC=com"
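The following is an added example, not NConf's own code, that shows how the constants above fit together: the login name is substituted for AD_USER_REPLACEMENT in AD_BASE_DN to obtain the bind DN, and the values of AD_GROUP_ATTRIBUTE (memberof) are compared against the admin and user group, either joined with AD_GROUP_DN or, when AD_GROUP_DN is empty, taken as full DNs (the "FIX GROUPS" mode from the config comments). It uses a constructed memberof list instead of a live directory, assumes the PHP ldap extension is loaded (for ldap_escape), and the function names and the exact DN comparison are assumptions, not NConf's internal implementation.

```php
<?php
// Added example (not NConf's own code): resolve the bind DN and the NConf role
// from the documented AD LDAP constants, using a constructed "memberof" list.
// Function names are hypothetical; NConf's real lookup may differ in detail.

// Same constants as the page's default config
define('AD_BASE_DN',          "CN=<username>,OU=All,OU=Users,DC=my,DC=domain,DC=com");
define('AD_USER_REPLACEMENT', "<username>");
define('AD_GROUP_ATTRIBUTE',  "memberof");
define('AD_GROUP_DN',         "OU=Group,DC=my,DC=domain,DC=com");
define('AD_ADMIN_GROUP',      "CN=nagiosadmin");
define('AD_USER_GROUP',       "CN=sysadmin");

// Build the DN to bind with: substitute the login name into AD_BASE_DN.
// The value is DN-escaped (RFC 4514) so characters such as "," or "=" in a
// login name cannot change the DN structure; ldap_escape() exists since PHP 5.6
// and requires the ldap extension (assumption: it is loaded).
function buildBindDn(string $login): string
{
    $safe = ldap_escape($login, '', LDAP_ESCAPE_DN);
    return str_replace(AD_USER_REPLACEMENT, $safe, AD_BASE_DN);
}

// Join a group name with the group base DN. With an empty base the group
// constant is taken as a full DN ("FIX GROUPS" mode from the config comments).
function fullGroupDn(string $group, string $groupBase): string
{
    return $groupBase === '' ? $group : $group . ',' . $groupBase;
}

// Normalise a DN for comparison: DNs are case-insensitive in AD and may carry
// whitespace after the separating commas.
function normalizeDn(string $dn): string
{
    return strtolower((string) preg_replace('/\s*,\s*/', ',', trim($dn)));
}

// Decide the NConf role from the values of the group attribute (memberof).
// Returns 'admin', 'user' or 'denied'. Admins need not be in the user group;
// an empty group constant never matches (as in the debugging recipe below).
function resolveRole(array $memberOf, string $groupBase, string $adminGroup, string $userGroup): string
{
    $groups = array_map('normalizeDn', $memberOf);
    if ($adminGroup !== '' && in_array(normalizeDn(fullGroupDn($adminGroup, $groupBase)), $groups, true)) {
        return 'admin';
    }
    if ($userGroup !== '' && in_array(normalizeDn(fullGroupDn($userGroup, $groupBase)), $groups, true)) {
        return 'user';
    }
    return 'denied';
}

// Constructed sample: what the memberof attribute of an AD entry might hold.
$sampleMemberOf = [
    "CN=sysadmin,OU=Group,DC=my,DC=domain,DC=com",
    "CN=Domain Users,CN=Users,DC=my,DC=domain,DC=com",
];

// Bind DN for a login of "jdoe"
echo buildBindDn('jdoe'), "\n";

// Role with the default config (group name joined with AD_GROUP_DN)
echo resolveRole($sampleMemberOf, AD_GROUP_DN, AD_ADMIN_GROUP, AD_USER_GROUP), "\n";

// Role in FIX GROUPS mode: empty group base, full DNs in the group constants
echo resolveRole(
    $sampleMemberOf,
    '',
    "CN=nagiosadmin,OU=Group,DC=my,DC=domain,DC=com",
    "CN=sysadmin,OU=different_group,DC=my,DC=domain,DC=com"
), "\n";
```

In the first call the sample user is in the sysadmin group under OU=Group, so the role is "user"; in the FIX GROUPS call the user group points at OU=different_group, which the sample entry is not a member of, so access is denied. This is the situation the page warns about: a user who is in neither group configured here cannot log in, which is why the group DNs must match your DIT exactly.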


showing AD information of your user

If you want to display all available information of your user, you can do the following:
(You should already know your AD structure and perhaps have created two groups for NConf admins and users.)
This can help you to find the correct DN of your groups.

  1. activate NConf debugging
  2. configure all other AD config variables, but define AD_ADMIN_GROUP and AD_USER_GROUP as empty
    define('AD_ADMIN_GROUP',         "");
    define('AD_USER_GROUP',          "");
  3. log in with an AD user and have a look at the debug section at the bottom

nconf/help/documentation/detail/authentication/ad_ldap.txt · Last modified: 09.12.2011 01:48 (external edit)