generis-auth-ldap
An LDAP implementation of the Tao 3.0 user authentication
Requirement
In order to use this system, you need an LDAP server with user entries in it. Tests have been made with OpenLDAP. I recommend using a graphical client alongside it, such as phpLDAPadmin. You can correct the bug of the 1.2.2-5ubuntu1 package with the following process: http://forums.debian.net/viewtopic.php?f=5&t=111508
Installation
This system can be added to a project as a library. You need to add these parameters to your composer.json:
"minimum-stability": "dev",
"repositories": [
    {
        "type": "vcs",
        "url": "https://github.com/oat-sa/generis-auth-ldap"
    }
],
"require": {
    "oat-sa/generis-auth-ldap": "*"
},
Once it's done, run a composer update.
To enable the adapter, edit /config/generis/auth.conf.php and add these lines:
array(
    'driver' => 'oat\authLdap\model\LdapAdapter',
    'config' => array(
        array(
            'host' => '127.0.0.1',
            'accountDomainName' => 'test.com',
            'username' => 'cn=admin,dc=test,dc=com',
            'password' => 'admin',
            'baseDn' => 'OU=organisation,dc=test,dc=com',
            'bindRequiresDn' => 'true',
        )
    )
),
Here the domain is test.com, and all the parameters live under a separate dc in LDAP. These are the connection settings for the LDAP server: 'username' and 'password' are the credentials the adapter connects with, and 'baseDn' is the subtree in which users are looked up. Once they are in place, logins are handled through this library.
Configuration
By default an LDAP user will be considered a test-taker belonging to no group.
The following attributes will be taken from LDAP and mapped to TAO properties by default:
- 'mail' as PROPERTY_USER_MAIL
- 'givenName' as PROPERTY_USER_FIRSTNAME
- 'sn' as PROPERTY_USER_LASTNAME
- 'displayName' as RDFS_LABEL
However there are several ways to enhance or override this default behaviour:
To hardcode one of the user properties, add a mapping of type 'value' to the configuration:
array(
    'driver' => 'oat\authLdap\model\LdapAdapter',
    'config' => SEE_ABOVE,
    'mapping' => array(
        'http://www.tao.lu/Ontologies/TAOGroup.rdf#member' => array(
            'type' => 'value',
            'value' => array('http://localnamespace.com/install#i123456789')
        )
    )
),
This example would set the group membership of all users logging in to the group identified by the id http://localnamespace.com/install#i123456789
Alternatively, if you want to reuse the value of an LDAP attribute, add a mapping of type 'attributeValue':
array(
    'driver' => 'oat\authLdap\model\LdapAdapter',
    'config' => SEE_ABOVE,
    'mapping' => array(
        'http://www.tao.lu/Ontologies/TAOGroup.rdf#member' => array(
            'type' => 'value',
            'value' => array('http://localnamespace.com/install#i123456789')
        ),
        'http://www.w3.org/2000/01/rdf-schema#label' => array(
            'type' => 'attributeValue',
            'attribute' => 'username'
        )
    )
),
This would use the value of the LDAP attribute 'username' as label (RDFS_LABEL) for the user, overriding the default rule to use 'displayName'.
For more advanced cases there is the type 'callback' which allows you to programmatically enhance the mapping of the LDAP attributes to the TAO properties. See oat\authLdap\model\LdapUserFactory for details.
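To make the three mapping types concrete, the following added example walks a constructed LDAP entry through the default rules and the overrides shown above. It is an illustration written for this README, not the code of oat\authLdap\model\LdapUserFactory: the function name resolveUserProperties, the DEFAULT_MAPPING constant, the 'callback' key inside a 'callback' rule, the PROPERTY_* URIs, the roles property URI and the role URIs are all assumptions or placeholders; only RDFS_LABEL, the TAOGroup member URI and the group id come from the page.

```php
<?php
// Added illustration of how 'value', 'attributeValue' and 'callback' mappings resolve.
// Not the library's LdapUserFactory. Names marked "assumed" are not from the README.

// Assumed stand-ins for the TAO property constants named in the README.
const PROPERTY_USER_MAIL      = 'http://www.tao.lu/Ontologies/generis.rdf#userMail';      // assumed
const PROPERTY_USER_FIRSTNAME = 'http://www.tao.lu/Ontologies/generis.rdf#userFirstName'; // assumed
const PROPERTY_USER_LASTNAME  = 'http://www.tao.lu/Ontologies/generis.rdf#userLastName';  // assumed
const RDFS_LABEL              = 'http://www.w3.org/2000/01/rdf-schema#label';

// The README's default LDAP attribute -> TAO property rules, expressed as 'attributeValue' rules.
const DEFAULT_MAPPING = [
    PROPERTY_USER_MAIL      => ['type' => 'attributeValue', 'attribute' => 'mail'],
    PROPERTY_USER_FIRSTNAME => ['type' => 'attributeValue', 'attribute' => 'givenName'],
    PROPERTY_USER_LASTNAME  => ['type' => 'attributeValue', 'attribute' => 'sn'],
    RDFS_LABEL              => ['type' => 'attributeValue', 'attribute' => 'displayName'],
];

/**
 * Resolve TAO properties for one LDAP entry (assumed function, for illustration).
 * $entry:   attribute => list of values, keys lower-cased as ldap_get_entries() returns them.
 * $mapping: property URI => rule; rules override DEFAULT_MAPPING for the same URI.
 */
function resolveUserProperties(array $entry, array $mapping = []): array
{
    $rules = array_merge(DEFAULT_MAPPING, $mapping);
    $props = [];
    foreach ($rules as $propertyUri => $rule) {
        switch ($rule['type']) {
            case 'value':
                // Hardcoded value(s), identical for every user who logs in.
                $props[$propertyUri] = (array) $rule['value'];
                break;
            case 'attributeValue':
                // Copy the LDAP attribute's value(s); properties the entry lacks are left unset.
                $attr = strtolower($rule['attribute']);
                if (isset($entry[$attr])) {
                    $props[$propertyUri] = (array) $entry[$attr];
                }
                break;
            case 'callback':
                // Programmatic mapping: the callable sees the whole entry and returns value(s).
                // The 'callback' key name is assumed here.
                $values = call_user_func($rule['callback'], $entry);
                if ($values !== null) {
                    $props[$propertyUri] = (array) $values;
                }
                break;
            default:
                throw new InvalidArgumentException(
                    "Unknown mapping type '{$rule['type']}' for property $propertyUri"
                );
        }
    }
    return $props;
}

// Constructed sample entry (not real directory data).
$entry = [
    'mail'        => ['jdoe@test.com'],
    'givenname'   => ['Jane'],
    'sn'          => ['Doe'],
    'displayname' => ['Jane Doe'],
    'username'    => ['jdoe'],
    'memberof'    => ['cn=teachers,ou=groups,dc=test,dc=com'],
];

// The README's two overrides plus an assumed 'callback' rule deriving a role from memberOf.
$mapping = [
    'http://www.tao.lu/Ontologies/TAOGroup.rdf#member' => [
        'type'  => 'value',
        'value' => ['http://localnamespace.com/install#i123456789'],
    ],
    RDFS_LABEL => [
        'type'      => 'attributeValue',
        'attribute' => 'username',
    ],
    'http://example.com/placeholder#userRoles' => [   // placeholder property URI
        'type'     => 'callback',
        'callback' => function (array $entry): array {
            // Placeholder role URIs; only the group DN prefix decides which one applies.
            foreach ($entry['memberof'] ?? [] as $dn) {
                if (stripos($dn, 'cn=teachers,') === 0) {
                    return ['http://example.com/placeholder#teacherRole'];
                }
            }
            return ['http://example.com/placeholder#testTakerRole'];
        },
    ],
];

// Expected: mail/givenName/sn copied from the entry, label 'jdoe' (the 'username' override
// replaces the 'displayName' default), the fixed group id, and the teacher placeholder role.
print_r(resolveUserProperties($entry, $mapping));
```

Two things to notice when reading the result: an 'attributeValue' rule for a property URI replaces the default rule for that same URI rather than adding to it, which is why the label becomes 'jdoe' instead of 'Jane Doe'; and a 'value' rule is applied to every authenticated user without looking at the entry, so a single 'value' group mapping is a global default, not a per-user decision.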