
Integrating LDAP in Enterprise Server 10

Integrating LDAP (Lightweight Directory Access Protocol) in Enterprise Server allows you to better control user authorizations as well as better maintain user accounts.

With LDAP enabled — which is optional — user authorization is controlled through the LDAP Server rather than through Enterprise Server.

The process is shown in the following overview:

LDAP integration overview

  • When a user logs in, the credentials are validated by LDAP.
  • If the account is validated, Enterprise synchronizes it: the account is created in Enterprise's own database if it does not exist there yet.
  • Enterprise then checks which user groups are defined both in Enterprise and in LDAP.
  • Taking only those groups into account, a user who is assigned to such a group in LDAP is assigned to the corresponding Enterprise user group and removed from the other groups in that set.

Note: Enterprise supports both Windows Active Directory and OpenLDAP.

Enabling LDAP in Enterprise Server

Step 1. In the configserver.php file for Enterprise Server, locate the List of LDAP servers section.

Tip: (For Enterprise Server 10.1 or higher only) Easily manage and configure settings of all configuration files by adding them to a single configuration file.

/*
// -----------------------------------------------------------------------------
// List of LDAP servers. See '/server/dataclasses/LDAPServer.class.php' for more info.
// -----------------------------------------------------------------------------
require_once BASEDIR.'/server/dataclasses/LDAPServer.class.php';

// Options for the LDAP server.
// To manage groups in Enterprise and not LDAP set GROUPMEMBER_ATTRIB to null.
//    For Windows Active Directory usually:
//       'AUTH_USER' => '%username%@myldap.mycompany.local',
//       'AUTH_PASSWORD' => '%password%',
//       'USERNAME_ATTRIB' => 'sAMAccountName',
//       'GROUPMEMBER_ATTRIB' => 'memberof',
//       'ATTRIB_MAP' => array('FullName' => array( 'name' ), 'EmailAddress' => 'mail'),
//       'FULLNAME_SEPARATOR' => ', ',
//       'GROUP_CLASS' => 'group',
//       'EXCLUDE_USERNAMES' => array('woodwing'),
//       'EMAIL_NOTIFICATIONS' => true
//    For OpenLDAP usually:
//       'AUTH_USER' => null,
//       'AUTH_PASSWORD' => null,
//       'USERNAME_ATTRIB' => 'uid',
//       'GROUPMEMBER_ATTRIB' => 'memberof',
//       'ATTRIB_MAP' => array('FullName' => array( 'name' ), 'EmailAddress' => 'mail'),
//       'FULLNAME_SEPARATOR' => ', ',
//       'GROUP_CLASS' => 'posixGroup',
//       'EXCLUDE_USERNAMES' => array('woodwing'),
//       'EMAIL_NOTIFICATIONS' => true
//
$ldap_options = array(
    'AUTH_USER' => '%username%@myldap.mycompany.local',
    'AUTH_PASSWORD' => '%password%',
    'BASE_DN' => 'DC=myldap,DC=mycompany,DC=local',
    'USERNAME_ATTRIB' => 'sAMAccountName',
    'GROUPMEMBER_ATTRIB' => 'memberof',
    'ATTRIB_MAP' => array(
        'FullName' => array( 'name' ),
        'EmailAddress' => 'mail'),
    'FULLNAME_SEPARATOR' => ', ',
    'GROUP_CLASS' => 'group',
    'EXCLUDE_USERNAMES' => array('woodwing'),
    'EMAIL_NOTIFICATIONS' => true
);

define( 'LDAP_SERVERS', serialize( array(
   //  LDAPServer( LDAP server IP, port number, Primary DNS Suffix, Options: see above )
   new LDAPServer( 'myldap_server', null, 'myldap.mycompany.local', $ldap_options )
)));
*/

Step 2. Move the following outside of the comments so that they become active:

  • The first line: require_once BASEDIR.'/server/dataclasses/LDAPServer.class.php';
  • The last sections: $ldap_options and define( 'LDAP_SERVERS', ... )

/*
// ------------------------------------------------------------------------------
// List of LDAP servers. See '/server/dataclasses/LDAPServer.class.php' for more info.
// ------------------------------------------------------------------------------

// Options for the LDAP server.
// To manage groups in Enterprise and not LDAP set GROUPMEMBER_ATTRIB to null.
//    For Windows Active Directory usually:
//       'AUTH_USER' => '%username%@myldap.mycompany.local',
//       'AUTH_PASSWORD' => '%password%',
//       'USERNAME_ATTRIB' => 'sAMAccountName',
//       'GROUPMEMBER_ATTRIB' => 'memberof',
//       'ATTRIB_MAP' => array('FullName' => array( 'name' ), 'EmailAddress' => 'mail'),
//       'FULLNAME_SEPARATOR' => ', ',
//       'GROUP_CLASS' => 'group',
//       'EXCLUDE_USERNAMES' => array('woodwing'),
//       'EMAIL_NOTIFICATIONS' => true
//    For OpenLDAP usually:
//       'AUTH_USER' => null,
//       'AUTH_PASSWORD' => null,
//       'USERNAME_ATTRIB' => 'uid',
//       'GROUPMEMBER_ATTRIB' => 'memberof',
//       'ATTRIB_MAP' => array('FullName' => array( 'name' ), 'EmailAddress' => 'mail'),
//       'FULLNAME_SEPARATOR' => ', ',
//       'GROUP_CLASS' => 'posixGroup',
//       'EXCLUDE_USERNAMES' => array('woodwing'),
//       'EMAIL_NOTIFICATIONS' => true
//
*/
require_once BASEDIR.'/server/dataclasses/LDAPServer.class.php';

$ldap_options = array(
    'AUTH_USER' => '%username%@myldap.mycompany.local',
    'AUTH_PASSWORD' => '%password%',
    'BASE_DN' => 'DC=myldap,DC=mycompany,DC=local',
    'USERNAME_ATTRIB' => 'sAMAccountName',
    'GROUPMEMBER_ATTRIB' => 'memberof',
    'ATTRIB_MAP' => array(
        'FullName' => array( 'name' ),
        'EmailAddress' => 'mail'),
    'FULLNAME_SEPARATOR' => ', ',
    'GROUP_CLASS' => 'group',
    'EXCLUDE_USERNAMES' => array('woodwing'),
    'EMAIL_NOTIFICATIONS' => true
);

define( 'LDAP_SERVERS', serialize( array(
   //  LDAPServer( LDAP server IP, port number, Primary DNS Suffix, Options: see above )
   new LDAPServer( 'myldap_server', null, 'myldap.mycompany.local', $ldap_options )
)));

Step 3. Fill out the $ldap_options array as required. For an explanation of each option, see the comments in the configserver.php file. See also Mapping LDAP users with Enterprise Server user accounts below.

Step 4. Enter your LDAP server configuration in the LDAP_SERVERS object. For details, see the comments in the configserver.php file.

Mapping LDAP users with Enterprise Server user accounts

LDAP attributes are mapped to the properties of a user in Enterprise Server through the 'ATTRIB_MAP' setting of $ldap_options in the configserver.php file.

Tip: (For Enterprise Server 10.1 or higher only) Easily manage and configure settings of all configuration files by adding them to a single configuration file.

The following Enterprise properties can be mapped:

  • FullName. Possible values:
      • 'name' maps to the full name as set in LDAP
      • 'sn' maps to the surname as set in LDAP
      • 'cn' maps to the common name as set in LDAP
      • array('givenName', 'sn') maps to multiple LDAP properties; use an array for this

    Note: When an array is used, the values are joined with the separator defined in FULLNAME_SEPARATOR. Its default value is a comma followed by a space: ', '.

    Examples:

    'FullName' => 'name',
    'FullName' => 'cn',
    'FullName' => array('cn', 'givenName'),

  • EmailAddress
  • Language
  • TrackChangesColor
  • Organization
  • Location
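The overview's group-synchronization rule and this section's ATTRIB_MAP / FULLNAME_SEPARATOR mapping, modelled together as an added Python example; this is not Enterprise Server's own code. The LDAP entry, the group names and the helper functions are constructed for illustration, and leaving groups that exist only in Enterprise untouched is an assumption about the scope of the rule.

```python
# Added example (not WoodWing's code): a small model of the attribute mapping and
# group-synchronization rules this article describes, using the option names
# from configserver.php. Entries and group sets are constructed sample data.
FULLNAME_SEPARATOR = ", "
GROUPMEMBER_ATTRIB = "memberOf"   # set to None to manage groups in Enterprise, not LDAP
ATTRIB_MAP = {"FullName": ["givenName", "sn"], "EmailAddress": "mail"}

# Constructed LDAP search result for one Active Directory user.
SAMPLE_ENTRY = {
    "sAMAccountName": "jdoe",
    "givenName": "Jane",
    "sn": "Doe",
    "mail": "jdoe@mycompany.local",
    "memberOf": ["CN=Editors,OU=Groups,DC=mycompany,DC=local",
                 "CN=Sales,OU=Groups,DC=mycompany,DC=local"],
}
LDAP_GROUPS = {"Editors", "Sales", "Admins"}            # groups that exist in LDAP (constructed)
ENTERPRISE_GROUPS = {"Editors", "Admins", "Designers"}  # groups defined in Enterprise (constructed)

def map_attributes(entry, attrib_map, separator=FULLNAME_SEPARATOR):
    """Build Enterprise user properties from an LDAP entry. When ATTRIB_MAP lists
    several LDAP attributes, their values are joined with FULLNAME_SEPARATOR."""
    props = {}
    for ent_prop, ldap_attrs in attrib_map.items():
        attrs = ldap_attrs if isinstance(ldap_attrs, list) else [ldap_attrs]
        props[ent_prop] = separator.join(entry[a] for a in attrs if entry.get(a))
    return props

def group_name(dn):
    """'CN=Editors,OU=Groups,DC=...' -> 'Editors' (value of the first RDN)."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def sync_memberships(entry, current, ldap_groups, enterprise_groups):
    """Overview rule: only groups defined in BOTH systems are considered. Within
    that set the user ends up in exactly the groups LDAP lists for them. Groups
    that exist only in Enterprise are left untouched (assumption, see lead-in)."""
    if GROUPMEMBER_ATTRIB is None:
        return set(current)
    shared = ldap_groups & enterprise_groups
    in_ldap = {group_name(dn) for dn in entry.get(GROUPMEMBER_ATTRIB, [])}
    return (set(current) - shared) | (in_ldap & shared)

if __name__ == "__main__":
    print(map_attributes(SAMPLE_ENTRY, ATTRIB_MAP))
    # 'Admins' is dropped (shared, but not in LDAP), 'Sales' is ignored (LDAP only),
    # 'Designers' is kept (Enterprise only), 'Editors' is added.
    print(sorted(sync_memberships(SAMPLE_ENTRY, {"Admins", "Designers"},
                                  LDAP_GROUPS, ENTERPRISE_GROUPS)))
```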

Enabling LDAP in PHP

To use LDAP authorization, your PHP installation must be LDAP-enabled. This means that the following PHP extensions must be installed:

  • On Windows:
      • php_ldap.dll
      • ssleay32.dll
      • libeay32.dll
  • On Mac/Linux:
      • php_ldap.so
      • openssl.so

Testing the installation

To verify the installation, run the LDAP test on the Enterprise Health Check page.

Step 1. In Enterprise Server, click Advanced in the Maintenance menu or on the Home page. A page with all advanced Maintenance features appears.

Step 2. Click Health Check. The Health Check page appears.

Step 3. Click Clear All to clear all selected tests.

Step 4. Select the LDAP test.

Step 5. Click Test.

The test result should appear as 'OK'. In case the test fails, follow the instructions on the page.

Synchronizing user accounts and user groups

User groups that have already been set up in LDAP can be synchronized by importing them into Enterprise Server. User accounts are synchronized after successfully logging in, after which an account is created and the user's (LDAP) group memberships are synchronized with Enterprise.

The following data is synchronized:

  • User Data: ID, Full Name, Password, and E-mail.
  • Group Data: Name, Description.
  • Memberships: User groups that are defined both in Enterprise and LDAP are assigned to the user logging in.

Note: When changing the user name in LDAP, Enterprise will automatically update the short user name in its system.

Importing user groups

Step 1. Access the Overview of User Groups page.

A page showing all created user groups appears.

Step 2. Click Import.

Note: This option is only available if OpenLDAP or Active Directory is installed.

Step 3. Select the network domain from which you want to import.

Step 4. (Optional) Apply a query such as “*Admin*” to narrow down the results.

Step 5. Tag the groups you want to import.

Step 6. Click Import.

Step 7. Add the imported groups to the User Authorizations section of the Brand that the users should have access to.

Verifying if users are assigned to user groups

Check the column named 'Assigned to User Groups' on the Overview of Users page.

A value of 'Yes' or 'No' can be shown:

  • 'Yes' means: the user has been assigned to one or more user groups and therefore has access to one or more Brands.
  • 'No' means: the user is created by a content source (such as WoodWing Elvis) but has not yet been assigned to a user group and therefore does not have access to any Brands.

Note: A user may not have been assigned to a user group yet because the user has never logged in, so their settings have not been automatically updated yet.

Notes

  • When LDAP has been configured, users need to enter the short user name when logging in.