generis-auth-ldap
=================
An LDAP implementation of the Tao 3.0 user authentication
Requirement
===========

In order to use this system, you need to have an LDAP server installed. It should have users in it.

Tests have been made with OpenLDAP.

I recommend using a graphical client with it, such as phpLDAPadmin.

You can correct the bug of the 1.2.2-5ubuntu1 package by following this process:

http://forums.debian.net/viewtopic.php?f=5&t=111508
Installation
============

This system can be added to a project as a library. You need to add these parameters to your composer.json:

```json
{
    "minimum-stability": "dev",
    "repositories": [
        {
            "type": "vcs",
            "url": "https://github.com/oat-sa/generis-auth-ldap"
        }
    ],
    "require": {
        "oat-sa/generis-auth-ldap": "*"
    }
}
```

Once it's done, run `composer update`.
------------------------------

To enable it, you need to go to /config/generis/auth.conf.php and add these lines:

```php
array(
    'driver' => 'oat\authLdap\model\LdapAdapter',
    'config' => array(
        // connection settings for the LDAP server
        array(
            'host' => '127.0.0.1',
            'accountDomainName' => 'test.com',
            'username' => 'cn=admin,dc=test,dc=com',
            'password' => 'admin',
            'baseDn' => 'OU=organisation,dc=test,dc=com',
            'bindRequiresDn' => 'true',
        )
    )
),
```

Here the domain is test.com; all the parameters are in a separate dc in LDAP.

These are the configuration settings of the connection to the LDAP server.

The login will then try to use this library.
Configuration
=============

By default an LDAP user will be considered a test-taker belonging to no group.

The following attributes will be taken from LDAP and mapped to TAO properties by default:

* 'mail' as PROPERTY_USER_MAIL
* 'givenName' as PROPERTY_USER_FIRSTNAME
* 'sn' as PROPERTY_USER_LASTNAME
* 'displayName' as RDFS_LABEL

However, there are several ways to enhance or override this default behaviour:
|
------------------------------

To hardcode one of the user properties, you need to add a mapping of the type 'value' to the configuration:

```php
array(
    'driver' => 'oat\authLdap\model\LdapAdapter',
    'config' => array(/* see above */),
    'mapping' => array(
        'http://www.tao.lu/Ontologies/TAOGroup.rdf#member' => array(
            'type' => 'value',
            'value' => array('http://localnamespace.com/install#i123456789')
        )
    )
),
```

This example would set the group membership of all users logging in to the group identified by the id http://localnamespace.com/install#i123456789.
|
------------------------------

Alternatively, if you want to take over the value of an LDAP attribute, you would add a mapping of type 'attributeValue':

```php
array(
    'driver' => 'oat\authLdap\model\LdapAdapter',
    'config' => array(/* see above */),
    'mapping' => array(
        'http://www.tao.lu/Ontologies/TAOGroup.rdf#member' => array(
            'type' => 'value',
            'value' => array('http://localnamespace.com/install#i123456789')
        ),
        'http://www.w3.org/2000/01/rdf-schema#label' => array(
            'type' => 'attributeValue',
            'attribute' => 'username'
        )
    )
),
```

This would use the value of the LDAP attribute 'username' as the label (RDFS_LABEL) for the user, overriding the default rule to use 'displayName'.
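As an added illustration (not code from generis-auth-ldap), the following stand-alone PHP resolves the 'value' and 'attributeValue' mapping types shown above against a constructed LDAP entry, applying the default attribute rules from the Configuration section and letting a configured mapping override them. The property constants other than RDFS_LABEL are placeholders, not the real TAO URIs, and a missing LDAP attribute leaves the property unset rather than producing an empty value.

```php
<?php
// Added illustration, not code from generis-auth-ldap. Resolves the 'value' and
// 'attributeValue' mapping types from this README against one LDAP entry.
// Placeholder URIs below; only RDFS_LABEL is the real URI quoted in the README.
define('PROPERTY_USER_MAIL', 'urn:placeholder:tao#userMail');
define('PROPERTY_USER_FIRSTNAME', 'urn:placeholder:tao#userFirstName');
define('PROPERTY_USER_LASTNAME', 'urn:placeholder:tao#userLastName');
define('RDFS_LABEL', 'http://www.w3.org/2000/01/rdf-schema#label');

// Default rules listed in the Configuration section of this README.
function defaultMapping() {
    return array(
        PROPERTY_USER_MAIL      => array('type' => 'attributeValue', 'attribute' => 'mail'),
        PROPERTY_USER_FIRSTNAME => array('type' => 'attributeValue', 'attribute' => 'givenName'),
        PROPERTY_USER_LASTNAME  => array('type' => 'attributeValue', 'attribute' => 'sn'),
        RDFS_LABEL              => array('type' => 'attributeValue', 'attribute' => 'displayName'),
    );
}

// Returns property URI => array of values. A configured mapping replaces the
// default rule for the same property; an LDAP attribute that is absent from the
// entry leaves its property unset instead of storing an empty value.
function resolveUserProperties(array $ldapEntry, array $mapping = array()) {
    $rules = array_merge(defaultMapping(), $mapping);
    $properties = array();
    foreach ($rules as $property => $rule) {
        switch ($rule['type']) {
            case 'value':
                $properties[$property] = (array) $rule['value'];
                break;
            case 'attributeValue':
                $attr = $rule['attribute'];
                if (isset($ldapEntry[$attr])) {
                    $properties[$property] = (array) $ldapEntry[$attr];
                }
                break;
            default:
                throw new InvalidArgumentException("Unsupported mapping type '{$rule['type']}' for $property");
        }
    }
    return $properties;
}

// Constructed sample entry (deliberately without 'mail') and the README's mapping.
$entry = array('username' => 'jdoe', 'givenName' => 'Jane', 'sn' => 'Doe', 'displayName' => 'Jane Doe');
$mapping = array(
    'http://www.tao.lu/Ontologies/TAOGroup.rdf#member' => array('type' => 'value', 'value' => array('http://localnamespace.com/install#i123456789')),
    RDFS_LABEL => array('type' => 'attributeValue', 'attribute' => 'username'),
);
print_r(resolveUserProperties($entry, $mapping));
```

Running it shows the label taken from 'username' rather than 'displayName', the group member URI assigned regardless of the entry, and no mail property because the sample entry has none.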
------------------------------

For more advanced cases there is the type 'callback', which allows you to programmatically enhance the mapping of the LDAP attributes to the TAO properties. See oat\authLdap\model\LdapUserFactory for details.