plainblack.com

LDAP

WebGUI allows you to connect to an LDAP source for both authorization and authentication. These LDAP sources can also be used in your own custom programs for things like workflow routing if your LDAP server contains information on employee hierarchy.

The main LDAP screen under the Admin Console looks like this:

 

 

Here you can see all of your existing LDAP sources. One particularly interesting thing is the connection status column. This tells you whether the source has been configured properly, that is, whether WebGUI can connect to it.

To add a new source click on the “Add an ldap connection.” link.

 

 

You will then be presented with a screen containing all the properties you can assign to an LDAP connection.

 

 

Background Information

Though many people think of LDAP as a storage mechanism, it is actually a network protocol. So when you hear someone talking about connecting to an “LDAP Server”, that means that the protocol you're using to connect to the server is LDAP, but the storage mechanism on the server is called a “Directory”.

Some server documentation refers to directory protocols as the X.500 specification. LDAP is actually a subset of X.500. You don't need to concern yourself with X.500 because almost no one actually uses it. LDAP was created because X.500 was too heavy and slow. Just remember that if you see X.500 it's most likely talking about LDAP.

 

Configuring an LDAP Source

Configuring an LDAP Source in WebGUI is fairly simple. First, in the admin bar, choose “LDAP Connections” under “Admin Console”.

 

Then click on the “Add an LDAP connection.” link on the right side of the screen.

 

Then enter a name for your server and its URL.

 

If your LDAP server allows anonymous read access (most don't) then you can click save now. Otherwise you also need to specify some account information that WebGUI can use to connect to the server for administrative functions.

In the Connect DN field put in the fully distinguished name or DN for an account that has full read access to the directory. Most admins choose to make an account specifically for this purpose. In the Identifier field, type in the password associated with the user from the Connect DN.

 

Now hit save so that WebGUI can check to see if it has a valid connection to your LDAP source. You should see something similar to the following if it can connect to your LDAP source.

 

Authentication

Now that you have an LDAP connection you probably want to do something with it. The most common use for LDAP is authentication. By using LDAP for authentication, your users can use the same usernames and passwords everywhere throughout your organization.

To set up authentication edit your LDAP connection and fill in the following fields:

 

User RDN or Relative Distinguished Name is just the first part of the user's distinguished name. This is almost always “cn”.

LDAP Identity (default) is the element in your directory that WebGUI will use to look up a user to find out their distinguished name. This element must be unique and it varies from system to system. Commonly the field will be “shortname”, “username”, or “uid”. This is typically what the user will use for a username when authenticating against your LDAP source.

LDAP Identity Name and LDAP Password Name are just human readable labels, so you can put whatever you want in those fields. Sometimes admins will just use “Username” and “Password”, but often their users already know these fields by other names, so they use something like “Email Username” or “Windows Username” or “Internet Username”.
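The lookup that the LDAP Identity field drives, sketched in Python as an added example (this is not WebGUI's own code): the typed username is escaped per RFC 4515 before it goes into the search filter, the result must be exactly one entry because the identity element must be unique, and an empty password is refused before any bind. The function names, the `uid` attribute choice and the sample entries are assumptions made for illustration, and the in-memory list stands in for a real search result.

```python
import re

# RFC 4515 section 3: these characters must be escaped as \XX in a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value):
    """Escape a user-supplied string for use as an LDAP filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_identity_filter(identity_attr, username):
    """Build the lookup filter, e.g. (uid=jdoe), from the LDAP Identity attribute."""
    if not _ATTR_NAME.match(identity_attr):
        raise ValueError("invalid attribute name: %r" % identity_attr)
    if not username:
        raise ValueError("empty username")
    return "(%s=%s)" % (identity_attr, escape_filter_value(username))


def resolve_user_dn(entries, identity_attr, username):
    """Return the DN of the single entry whose identity attribute equals username.

    `entries` stands in for the search result. Zero or several matches are
    both refused, because the identity attribute must be unique.
    """
    wanted = username.lower()
    matches = [e["dn"] for e in entries
               if wanted in (v.lower() for v in e.get(identity_attr, []))]
    if len(matches) != 1:
        raise LookupError("expected exactly 1 entry, found %d" % len(matches))
    return matches[0]


def check_bind_input(user_dn, password):
    """Refuse a bind with an empty password (RFC 4513 'unauthenticated bind')."""
    if not user_dn or not password:
        raise ValueError("DN and non-empty password are required")
    return True


# Constructed sample directory entries (not from any real server).
SAMPLE_ENTRIES = [
    {"dn": "cn=Jane Doe,ou=people,dc=example,dc=com", "uid": ["jdoe"]},
    {"dn": "cn=John Roe,ou=people,dc=example,dc=com", "uid": ["jroe"]},
    {"dn": "cn=John Roe 2,ou=ext,dc=example,dc=com", "uid": ["jroe"]},
]
```

The duplicate `jroe` entries show why a non-unique identity attribute has to be treated as a failed login rather than resolved by picking the first match.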

Now that you've configured the LDAP source for user authentication, we need to tell WebGUI to use it. To do this go to Admin Console > Settings and then to the Authentication tab.

Set the Authentication Method to “LDAP” and choose the LDAP connection we just set up.

 

Next, go to the User tab and choose your settings for Anonymous Registration and Automatic LDAP Registration:

 

 

 

 

Anonymous Registration, when LDAP is the authentication method, means that users can register themselves with WebGUI as long as they exist in the LDAP directory. If they don't, they won't be allowed to register. As an admin, this means you don't have to pre-create WebGUI accounts for all your users; they can do it for you.

Automatic LDAP Registration automatically creates a WebGUI account for the user when they log in using valid LDAP credentials. This allows LDAP users to skip the registration process entirely, making it easier for them to gain access to the site resources. As an admin, this gives you one more way to have the users create their own accounts so you don't have to manage it.

If you don't enable either of the above options, then you'll need to register each of your users manually with WebGUI. To do that, go to Admin Console > Users and click “Add a new user.”

 

For Authentication Method choose “LDAP”. Then choose the LDAP connection you created before for LDAP Connection. The LDAP URL should be fine as is. Then under Connect DN you need to specify the fully distinguished name (DN) of this user.

Once you've done this, you can authenticate this user using his or her LDAP credentials.

Going forward, when a user updates his/her password in LDAP, those changes will automatically be reflected in WebGUI. In addition, if you disable the user in LDAP, the user will no longer be able to log in to WebGUI.

 

Group Inclusion

Now that you have your users authenticating using LDAP, you can also associate WebGUI groups to LDAP groups so that LDAP users that are in LDAP groups will automatically be included into the associated WebGUI Groups. To learn how to do this, see the chapter on WebGUI Groups, and specifically the section on Special Inclusion Via LDAP.

Keywords: authentication groups ldap users

© 2018 Plain Black Corporation | All Rights Reserved