Configuration: authentication

An article from EpistemaWiki.


LDAP Configuration

Here are the configuration variables for LDAP support.

LDAP users are imported when the script [EAS_Root]/scheduled_tasks/sync_ldap.php runs (the script should be scheduled to run every night).

$GLOBALS['conf']['ENABLE_LDAP_SYNCHRO'] = true; // set to false to disable all synchronization
$GLOBALS['conf']['LMS_LDAP_SERVER'] = "ldap://192.168.1.20"; // URL of the LDAP directory server. Over a plain ldap:// URL the bind credentials below, and the passwords tested at login, cross the network in clear; prefer an ldaps:// URL where the directory offers LDAPS (PHP's ldap_connect() accepts one when its OpenLDAP client is built with SSL support)
$GLOBALS['conf']['LMS_LDAP_ROOT'] = "OU=SBSUsers,OU=Users,OU=MyBusiness,DC=your_company,DC=local"; // DN of the container whose users are imported
$GLOBALS['conf']['LMS_LDAP_CONNECTION_USER_LOGIN'] = "some_readonly_ldap_user@your_company.local"; // account used to bind to the server and read the list of users. Give it read-only access only
$GLOBALS['conf']['LMS_LDAP_CONNECTION_USER_PASSWORD'] = "some_password"; // password for the account above. The configuration file now holds a directory credential in clear: keep it out of the web root (or deny HTTP access to it) and restrict its file permissions to the web server user
$GLOBALS['conf']['LMS_LDAP_ROOT_GROUP_ID'] = 1; // optional: ID of the LMS group into which all found candidates are placed. Default is 1
$GLOBALS['conf']['LMS_LDAP_IMPORT_GROUPS'] = true; // if true, the LDAP sub-group structure is kept on the LMS; the sub-groups are created under LMS_LDAP_ROOT_GROUP_ID
$GLOBALS['conf']['LMS_LDAP_INCLUDE_PATH'][] = array('path' => "OU=OtherUsers,OU=MyOtherBusiness,DC=MyCompany,DC=local", 'group_id' => 123); // additional OUs to import can be defined here (optional)

Each row of LMS_LDAP_INCLUDE_PATH is an array with 2 parameters:

- path : the DN of the LDAP container. Candidates are fetched recursively.

- group_id : the LMS group ID the candidates are imported into. Optional (default is 1)

$GLOBALS['conf']['LMS_LDAP_EXCLUDE_PATH'][] = "CN=Test user,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=MyCompany,DC=local"; // DNs to exclude from the import (optional). The example excludes a single user entry; an OU can be excluded the same way
$GLOBALS['conf']['LMS_LDAP_EXCLUDE_RULES'][] = array('param' => 'givenname', 'value' => 'Template$'); // additional exclusion rules on LDAP attributes (optional)

- param : the LDAP attribute name

- value : a POSIX regular expression tested against the attribute value; entries whose value matches are excluded.

In this example, all users whose givenname (first name) ends with "Template" are excluded.

$GLOBALS['conf']['LMS_LDAP_FIELDS']['candidate_login'] = 'samaccountname'; // LDAP attribute for the candidate login
$GLOBALS['conf']['LMS_LDAP_FIELDS']['name'] = 'sn'; // LDAP attribute for the last name (surname)
$GLOBALS['conf']['LMS_LDAP_FIELDS']['firstname'] = 'givenname'; // LDAP attribute for the first name
$GLOBALS['conf']['LMS_LDAP_FIELDS']['email'] = 'mail'; // LDAP attribute for the email address
$GLOBALS['conf']['LMS_LDAP_FIELDS']['...'] = '...'; // any field that can be saved in a candidate can be mapped: the array key is the field name as expected by Candidate::save(), the value is the LDAP attribute
$GLOBALS['conf']['LMS_LDAP_CONNECTION_ROOT'][] = "uid={uid},ou=people,dc=yourdomain,dc=com";
$GLOBALS['conf']['LMS_LDAP_CONNECTION_ROOT'][] = "uid={uid},ou=other_people,dc=yourdomain,dc=com";

These branches are used to authenticate the user at login (this is where the password is tested, branch after branch). They are optional. {uid} is replaced with the login the user entered, and the application binds to the directory as the resulting DN with the password the user entered.

Two things to check in such a setup: that the login is escaped for use in a DN before it is substituted (the characters , + " \ < > ; = and a leading # or space are special in a DN, so an unescaped login could change which entry is bound), and that an empty password is refused before binding, since a bind with an empty password is an unauthenticated bind that the directory may accept.
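The login flow these branches describe, written out as an added example in PHP; this is not code from EAS or from this page. eas_dn_escape() and eas_ldap_login() are assumed names, the configuration keys are the ones documented on this page, and the example escapes the login before placing it in the DN and refuses an empty password before binding.

```php
<?php
// Added example, not the EAS code: a login check against the
// LMS_LDAP_CONNECTION_ROOT branches. Function names are assumptions;
// the configuration keys are the ones documented above.

// Escape a value for use inside a DN (RFC 4514 special characters), so a
// login such as 'jdoe,ou=admins' cannot change the DN that is bound.
// ldap_escape() exists since PHP 5.6; the fallback covers older releases.
function eas_dn_escape($value)
{
    if (function_exists('ldap_escape')) {
        return ldap_escape($value, '', LDAP_ESCAPE_DN);
    }
    $value = str_replace(
        array('\\',   ',',    '+',    '"',    '<',    '>',    ';',    '=',    "\0"),
        array('\\5c', '\\2c', '\\2b', '\\22', '\\3c', '\\3e', '\\3b', '\\3d', '\\00'),
        $value
    );
    if ($value !== '' && ($value[0] === '#' || $value[0] === ' ')) {
        $value = '\\' . bin2hex($value[0]) . substr($value, 1);   // leading '#' or space
    }
    if ($value !== '' && substr($value, -1) === ' ') {
        $value = substr($value, 0, -1) . '\\20';                 // trailing space
    }
    return $value;
}

// Returns the DN that accepted the password, or false.
function eas_ldap_login($login, $password)
{
    $conf = $GLOBALS['conf'];
    if (empty($conf['LMS_LDAP_CONNECTION_ROOT'])) {
        return false;                      // no branches configured: LDAP login unavailable
    }
    // Refuse an empty password before touching the directory: ldap_bind()
    // with an empty password is an unauthenticated bind, which the server
    // may report as success, and the user would be logged in without a password.
    if ($login === '' || $password === '') {
        return false;
    }

    $ds = ldap_connect($conf['LMS_LDAP_SERVER']);
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    // On a plain ldap:// URL, calling ldap_start_tls($ds) here (if the server
    // supports StartTLS) keeps the password from crossing the wire in clear.

    $uid = eas_dn_escape($login);
    $bound = false;
    foreach ($conf['LMS_LDAP_CONNECTION_ROOT'] as $template) {
        $dn = str_replace('{uid}', $uid, $template);
        // '@' silences the PHP warning a refused bind emits; the result is checked
        if (@ldap_bind($ds, $dn, $password)) {
            $bound = $dn;
            break;                         // first branch that accepts the password wins
        }
    }
    ldap_unbind($ds);
    return $bound;
}

// Usage with the branches documented above
$GLOBALS['conf']['LMS_LDAP_SERVER'] = "ldap://192.168.1.20";
$GLOBALS['conf']['LMS_LDAP_CONNECTION_ROOT'][] = "uid={uid},ou=people,dc=yourdomain,dc=com";
$GLOBALS['conf']['LMS_LDAP_CONNECTION_ROOT'][] = "uid={uid},ou=other_people,dc=yourdomain,dc=com";

$login    = isset($_POST['login']) ? $_POST['login'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
$dn = eas_ldap_login($login, $password);
if ($dn === false) {
    // wrong login or password: give the same message for both, so the
    // response does not reveal which branch or login exists
} else {
    // open the session for $dn
}
```

The branches are tried in configuration order and the first successful bind wins, so a login that exists in two branches is always matched against the first one listed.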

If you want to synchronize LDAP data into custom fields, you need to add a configuration as follows:

$GLOBALS['conf']['LMS_LDAP_FIELDS']['custom']['41C76B32-5EA3-4034-8BFC-CB424FE995A1'] = 'sn';

The alphanumeric code is a GUID that identifies the custom field (each custom field has its own GUID). You can find the correct GUID in one of the following ways:

  • look in the table eqs_candidate_custom_fields, where the values are stored: the GUID is shown in front of the corresponding value (at least one trainee must have a value for the field)
  • look in the field custom_fields of the table eqs_group, where all the custom fields are defined
  • look at the HTML of the trainee edit form, where the name of the custom field's input contains the GUID
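To show how the exclusion settings (LMS_LDAP_EXCLUDE_PATH, LMS_LDAP_EXCLUDE_RULES), the LMS_LDAP_FIELDS map and the custom-field GUID map above act together on one directory entry, here is an added example in PHP. It is not the sync_ldap.php code: the function names are assumptions, the entries are constructed in the shape ldap_get_entries() returns, and the POSIX regex of the exclusion rule is wrapped for preg_match() instead of PHP 4's ereg().

```php
<?php
// Added example, not the sync_ldap.php code: what one entry returned by
// ldap_get_entries() goes through under the settings documented above
// (LMS_LDAP_EXCLUDE_PATH, LMS_LDAP_EXCLUDE_RULES, LMS_LDAP_FIELDS with its
// 'custom' GUID map). Function names are assumptions; entries are constructed.

// True when $dn is $base itself or sits below it (DNs compare case-insensitively).
function eas_dn_is_under($dn, $base)
{
    $dn = strtolower($dn);
    $base = strtolower($base);
    return $dn === $base || substr($dn, -(strlen($base) + 1)) === ',' . $base;
}

function eas_entry_is_excluded($entry, $conf)
{
    $paths = isset($conf['LMS_LDAP_EXCLUDE_PATH']) ? $conf['LMS_LDAP_EXCLUDE_PATH'] : array();
    foreach ($paths as $path) {
        if (eas_dn_is_under($entry['dn'], $path)) {
            return true;
        }
    }
    $rules = isset($conf['LMS_LDAP_EXCLUDE_RULES']) ? $conf['LMS_LDAP_EXCLUDE_RULES'] : array();
    foreach ($rules as $rule) {
        $attr = strtolower($rule['param']);      // ldap_get_entries() lower-cases attribute names
        if (!isset($entry[$attr])) {
            continue;
        }
        // The page documents a POSIX regex (ereg() in PHP 4); here it is wrapped
        // for preg_match(), escaping the delimiter if the pattern contains it.
        $regex = '#' . str_replace('#', '\\#', $rule['value']) . '#';
        foreach ($entry[$attr] as $k => $value) {
            if ($k !== 'count' && preg_match($regex, $value)) {
                return true;
            }
        }
    }
    return false;
}

// Builds the array Candidate::save() would receive from the LMS_LDAP_FIELDS map.
function eas_entry_to_candidate($entry, $conf)
{
    $candidate = array();
    foreach ($conf['LMS_LDAP_FIELDS'] as $field => $attr) {
        $map = ($field === 'custom') ? $attr : array($field => $attr);
        foreach ($map as $key => $ldap_attr) {
            $a = strtolower($ldap_attr);
            if (!isset($entry[$a][0])) {
                continue;                        // attribute absent on this entry
            }
            if ($field === 'custom') {
                $candidate['custom'][$key] = $entry[$a][0];   // $key is the custom field GUID
            } else {
                $candidate[$key] = $entry[$a][0];
            }
        }
    }
    return $candidate;
}

$conf = array(
    'LMS_LDAP_EXCLUDE_PATH'  => array("CN=Test user,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=MyCompany,DC=local"),
    'LMS_LDAP_EXCLUDE_RULES' => array(array('param' => 'givenname', 'value' => 'Template$')),
    'LMS_LDAP_FIELDS' => array(
        'candidate_login' => 'samaccountname',
        'name'            => 'sn',
        'firstname'       => 'givenname',
        'email'           => 'mail',
        'custom'          => array('41C76B32-5EA3-4034-8BFC-CB424FE995A1' => 'sn'),
    ),
);

// Constructed entries in the shape ldap_get_entries() returns (lower-case
// attribute names; every value list carries a 'count' key).
function eas_sample_entry($cn, $login, $sn, $given)
{
    return array(
        'dn'             => "CN=$cn,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=MyCompany,DC=local",
        'samaccountname' => array('count' => 1, 0 => $login),
        'sn'             => array('count' => 1, 0 => $sn),
        'givenname'      => array('count' => 1, 0 => $given),
        'mail'           => array('count' => 1, 0 => "$login@mycompany.local"),
    );
}
$entries = array(
    eas_sample_entry('John Doe', 'jdoe', 'Doe', 'John'),                       // imported
    eas_sample_entry('Test user', 'testuser', 'User', 'Test'),                 // excluded by path
    eas_sample_entry('Sales Template', 'salestpl', 'Sales', 'Sales Template'), // excluded by rule
);

foreach ($entries as $entry) {
    if (eas_entry_is_excluded($entry, $conf)) {
        echo "skip   {$entry['dn']}\n";
        continue;
    }
    $candidate = eas_entry_to_candidate($entry, $conf);
    echo "import {$candidate['candidate_login']} ({$candidate['firstname']} {$candidate['name']})\n";
    // $candidate['custom']['41C76B32-5EA3-4034-8BFC-CB424FE995A1'] holds the sn value,
    // since that is the attribute the GUID is mapped to above
}
```

Path exclusion is checked before the attribute rules, and an entry is dropped as soon as one exclusion applies; an OU given in LMS_LDAP_EXCLUDE_PATH therefore also drops every entry beneath it.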

Test of the LDAP installation

First make sure the LDAP extension is enabled in PHP. On Windows, find the line extension=php_ldap.dll in your php.ini and make sure it does not start with a semicolon (which comments it out); on Linux the extension is either compiled in or loaded by a line extension=ldap.so (in php.ini or in a file it includes). If you don't know where the php.ini file is, type in a command prompt:

 c:\wamp\php4\php.exe -i | findstr php.ini
 <tr><td class="e">Configuration File (php.ini) Path </td><td class="v">c:\wamp\php4\php.ini </td></tr>

or on Linux

 php -i | grep php.ini

The HTML table row shown above is what the CGI build of PHP prints; the CLI build prints plain text, for example Configuration File (php.ini) Path => /etc/php.ini (the path depends on your distribution).

To make sure LDAP is enabled, type:

c:\wamp\php4\php.exe -i | findstr ldap

If the text <h2><a name="module_ldap">ldap</a></h2> is shown (or, with the CLI build, an ldap section containing LDAP Support => enabled), the LDAP module is active. php -m lists the compiled-in and loaded modules, so php -m | findstr ldap (php -m | grep ldap on Linux) is a shorter equivalent check.

Enabling the scheduled task

The scheduled task to set is the following:

c:\wamp\php4\php.exe c:\wamp\www\EAS\scheduled_tasks\sync_ldap.php

To check that it works, run the command by hand in a prompt. Once the import works (log in to the application and look at the list of trainees), add the command to the Windows scheduled tasks or to the cron jobs of your Linux server. In the example above the script sits under the web root (c:\wamp\www\EAS\scheduled_tasks), so also check that the web server does not serve that directory: the import should only be started by the scheduled task, not by an HTTP request.

IP filtering Configuration

IP address filtering limits the connections to the application to only the PCs which have their IP address specifically listed in the configuration of the application.

IP addresses can be entered exactly, by range, or by hostname with wildcards. The last form needs a reverse DNS lookup of the client address, and the answer is controlled by whoever publishes the PTR record for that address, so it is not secure at all.

If $GLOBALS['conf']['AllowIPs'] is empty, no IP filtering is done.

$GLOBALS['conf']['AllowIPs'][] = array('from' => '192.168.1.1', 'to' => '192.168.1.128'); // a range of IP addresses allowed to connect to the application
$GLOBALS['conf']['AllowIPs'][] = array('exact' => '192.168.1.1'); // a single address
$GLOBALS['conf']['AllowIPs'][] = array('hostname' => '*.mycompany.com'); // only computers whose reverse-resolved hostname matches (* is a wildcard). This method is NOT secure
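An added example in PHP of an access check that applies the three AllowIPs forms above; it is not the EAS code, and eas_ip_key() and eas_ip_allowed() are assumed names. It decides on REMOTE_ADDR rather than on client-supplied headers, handles IPv4 only (an IPv6 client is denied because ip2long() returns false), and for the hostname form forward-confirms the reverse lookup, which removes the trivial spoof but still rests on DNS, hence the warning above.

```php
<?php
// Added example, not the EAS code: an access check that applies the three
// AllowIPs forms documented above. Function names are assumptions.

// IPv4 address as an unsigned decimal string, or false if not an IPv4 address.
// sprintf('%u') keeps addresses above 127.255.255.255 positive on 32-bit PHP.
function eas_ip_key($ip)
{
    $n = ip2long($ip);
    return ($n === false) ? false : sprintf('%u', $n);
}

function eas_ip_allowed($ip, $rules)
{
    if (empty($rules)) {
        return true;                       // AllowIPs empty: no filtering
    }
    $n = eas_ip_key($ip);
    if ($n === false) {
        return false;                      // not an IPv4 address: nothing can match
    }
    foreach ($rules as $rule) {
        if (isset($rule['exact'])) {
            if (eas_ip_key($rule['exact']) === $n) {
                return true;
            }
        } elseif (isset($rule['from'], $rule['to'])) {
            $lo = eas_ip_key($rule['from']);
            $hi = eas_ip_key($rule['to']);
            // numeric strings compare as numbers in PHP
            if ($lo !== false && $hi !== false && $lo <= $n && $n <= $hi) {
                return true;
            }
        } elseif (isset($rule['hostname'])) {
            // Reverse lookup: the PTR record is published by whoever holds the
            // address block, so the name can say anything. Forward-confirming it
            // (the name must resolve back to the address) removes the trivial
            // spoof but still trusts DNS, hence the page's "not secure" warning.
            $name = gethostbyaddr($ip);
            if ($name === false || $name === $ip) {
                continue;
            }
            $regex = '/^' . str_replace('\*', '.*', preg_quote($rule['hostname'], '/')) . '$/i';
            $forward = preg_match($regex, $name) ? gethostbynamel($name) : false;
            if ($forward !== false && in_array($ip, $forward, true)) {
                return true;
            }
        }
    }
    return false;
}

$rules = array(
    array('from' => '192.168.1.1', 'to' => '192.168.1.128'),
    array('exact' => '10.0.0.5'),
    array('hostname' => '*.mycompany.com'),
);
// Decide on REMOTE_ADDR, the peer the web server actually accepted the connection
// from. X-Forwarded-For and similar headers are set by the client and must not
// be used here unless a trusted reverse proxy in front rewrites them.
$client = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
if (!eas_ip_allowed($client, $rules)) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}
```

A range whose 'from' is above its 'to' never matches; and since the hostname rule performs two DNS lookups per request, a slow or failing resolver delays every page load, which is one more reason to prefer the exact and range forms.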
