LDAP
	
	
		| Authentication | Users | Password | 
	
	
		| ✔ | ✔ | ✔ | 
 
Presentation
LL::NG can use an LDAP directory to:
This works with every LDAP v2 or v3 server, including Active Directory.
LL::NG is compatible with LDAP password policy:
-  LDAP server can check password strength, and  LL::NG-  portal will display correct errors (password too short, password in history, etc.) 
-  LDAP sever can block brute-force attacks, and  LL::NG-  will display that account is locked 
-  LDAP server can force password change on first connection, and  LL::NG-  portal will display a password change form before opening  SSO-  session 
 
Configuration
In Manager, go in General Parameters > Authentication modules and choose LDAP for authentication, users and/or password modules.
 
Authentication level
The authentication level given to users authenticated with this module.
As LDAP is a login/password based module, the authentication level can be:
 
Exported variables
Connection
-  Server host- : LDAP server hostname or  URI-  (by default: localhost). Accept some specificities: 
 - 
-  More than one server can be set here separated by spaces or commas. They will be tested in the specified order. 
-  To use TLS, set - ldap+tls://serverand to use LDAPS, set- ldaps://serverinstead of server name.
 
-  If you use TLS, you can set any of the  Net::LDAP-  start_tls() sub like  - ldap+tls://server/verify=none&capath=/etc/ssl- . You can also use cafile and capath parameters. 
 
-  Server port- : TCP port used by LDAP server. Can be overridden by an LDAP  URI-  in server host. 
 
-  Users search base: Base of search in the LDAP directory. 
-  Account- :  DN-  used to connect to LDAP server. By default, anonymous bind is used. 
 
-  Password: password to used to connect to LDAP server. By default, anonymous bind is used. 
-  Timeout: server idle timeout. 
-  Version: LDAP protocol version. 
-  Binary attributes- : regular expression matching binary attributes (see  Net::LDAP-  documentation). 
 
 
Filters
In LDAP filters, $user is replaced by user login, and $mail by user email.
-  Default filter: default LDAP filter for searches, should not be modified. 
-  Authentication filter: Filter to find user from its login (default: - (&(uid=$user)(objectClass=inetOrgPerson)))
 
-  Mail filter: Filter to find user from its mail (default: - (&(mail=$mail)(objectClass=inetOrgPerson)))
 
-  Alias dereference: How to manage LDAP aliases. (default: - find)
 
For Active Directory, the default authentication filter is:
(&(sAMAccountName=$user)(objectClass=person))
And the mail filter is:
(&(mail=$mail)(objectClass=person))
 
Groups
-  Search base- :  DN-  of groups branch. If no value, disable group searching. 
 
-  Object class: objectClass of the groups (default: groupOfNames). 
-  Target attribute: name of the attribute in the groups storing the link to the user (default: member). 
-  User source attribute: name of the attribute in users entries used in the link (default: dn). 
-  Searched attributes: name(s) of the attribute storing the name of the group, spaces separated (default: cn). 
-  Recursive: activate recursive group functionality (default: 0). If enabled, if the user group is a member of another group (group of groups), all parents groups will be stored as user's groups. 
-  Group source attribute: name of the attribute in groups entries used in the link, for recursive group search (default: dn). 
 
Password
-  Password policy control: enable to use LDAP password policy. This requires at least Net::LDAP 0.38. (see ppolicy workflow below) 
-  Password modify extended operation: enable to use the LDAP extended operation - password modifyinstead of standard modify operation.
 
-  Change as user- : enable to perform password modification with credentials of connected user. This requires to request user old password (see  portal customization- ). 
 
-  LDAP password encoding: can allow one to manage old LDAP servers using specific encoding for passwords (default: utf-8). 
-  Use reset attribute- : enable to use the password reset attribute. This attribute is set by LemonLDAP::NG when  password was reset by mail-  and the user choose to generate the password (default: enabled). 
 
-  Reset attribute: name of password reset attribute (default: pwdReset). 
-  Reset value: value to set in reset attribute to activate password reset (default: TRUE). 
-  Allow a user to reset his expired password: if activated, the user will be prompted to change password if his password is expired (default: 0) 
Password expiration warning workflow
 
 
Password expiration workflow
