From 1b179104bfd8a822345afaa142415514b90d7f6d Mon Sep 17 00:00:00 2001 From: Stanley Date: Thu, 22 Aug 2019 11:16:31 +0200 Subject: [PATCH] Added documentation for ldap configuration --- ldapDocumentation.md | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 ldapDocumentation.md diff --git a/ldapDocumentation.md b/ldapDocumentation.md new file mode 100644 index 0000000..83b1c7e --- /dev/null +++ b/ldapDocumentation.md 
@@ -0,0 +1,38 @@ +# LDAP Authentification to the Risk Assessment Platform +Some organisation may prefer that the users of the risk assessment platform to authenticate with their internal LDAP server instead of MONARC's SQL database. This can, in some cases, allow the administrator to have a better control over the users. +This document explains the procedures of the LDAP authentification method by describing the configuration needed for both Monarc and the LDAP server. + +Note that the ldap package for the corresponding PHP version must be installed. + +### Installing ldap package for PHP +To install ldap package on a lamp for PHP, follow these steps: + +* *apt-get install php-ldap* to install the package +* *service apache2 restart* to restart the apache server +* Now ldap is installed. + +### Adding an user from LDAP Server in MONARC +In order to log in with a user from LDAP Server, the user must be added to the MONARC Platform with the ldap connection option. A password will not be required for the user as the password in LDAP server will be used. + +### Authentificating using the LDAP server +If the connecting user has the ldap connection option enabled, the platform will establish a connection with the LDAP server and firstly authentificate using the admin credentials specified in the configuration file (local.php). If the connection is established successfully, a query will be executed to search in the directory information tree for the entry with the corresponding email address. In the case where a unique entry is found, a second authentification will then be attempted with the credential entered in the MONARC platform. The procedues that follow are the same as normal authentification using the MONARC's SQL database. + +### MONARC's local configuration for LDAP authentification +The configuration of MONARC platform for LDAP authentification can be done in the local.php file. 
An array with key "ldap" can be added into the php array to specify the configuration needed. The following table shows the configurable fields and their corresponding key. + +| Key | Description | Default Value | +| ------ | ----------- | ----------- | +| uri | The URI of the LDAP server in the form ldap://hostname:port or ldaps://hostname:port for SSL encryption. | ldap:/// (local LDAP server with default port) +| ldapOptProtocolVersion | Version of LDAP protocol used | 3 (LDAPv3) +| ldapOptReferrals | How the client library should handle Referrals returned by the server | 0 (Disabled) +| baseDN | The distinguished name of the base entry for the directory where LDAP query should start at | dc=monarc,dc=com +| adminDN | The distinguished name of the admin entry | An anonymous bind will be attempted if not found +| adminPassword | The password of the admin entry | An anonymous bind will be attempted if not found +| loginAttribute | The key of the field in LDAP directory matched with the login e-mail | mail + + + + + + +
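Review bot: the "Authentificating using the LDAP server" section leaves the failure paths unspecified: it says the second bind happens "In the case where a unique entry is found", but never states what the platform does when the search for the e-mail address returns zero entries or more than one, and the doc should say plainly that login is refused in both cases rather than falling through to the SQL path. On the same hunk: "Authentification"/"authentificate" should be "Authentication"/"authenticate" in the title, the three headings and the body; the configuration section describes "An array with key "ldap"" but shows no example, so a short `local.php` fragment listing the keys from the table (`uri`, `baseDN`, `adminDN`, `adminPassword`, `loginAttribute`) would make it usable; since `adminPassword` sits in `local.php` and the user's own password is sent to the server in the second bind, the `uri` row should recommend the `ldaps://hostname:port` form it already mentions (or StartTLS) and note that `local.php` must not be world-readable; and each table row is missing its closing `|`, which some markdown renderers require, e.g. `| uri | ... | ldap:/// (local LDAP server with default port) |`.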