Differences

This shows you the differences between two versions of the page.

documentation:white-pages:latest:config_ldap [2019/07/16 16:49] (current)
Line 1: Line 1:
 +====== LDAP connection ======
  
 +<​note>​Configuration file: ''​white-pages/​conf/​config.inc.local.php''</​note>​
 +
 +===== Server address =====
 +
 +Use an LDAP URI to configure the location of your LDAP server in ''​$ldap_url'':​
 +<file php>
 +$ldap_url = "​ldap://​localhost:​389";​
 +</​file>​
 +
 +You can set several URI, so that next server will be tried if the previous is down:
 +<file php>
 +$ldap_url = "​ldap://​server1 ldap://​server2";​
 +</​file>​
 +
 +To use SSL, set ''​ldaps''​ in the URI:
 +<file php>
 +$ldap_url = "​ldaps://​localhost";​
 +</​file>​
 +
 +To use StartTLS, set ''​true''​ in ''​$ldap_starttls'':​
 +<file php>
 +$ldap_starttls = true;
 +</​file>​
 +
 +<note important>​
 +LDAP certificate management in PHP relies on LDAP system libraries. Under Linux, you can configure ''/​etc/​ldap.conf''​ (or ''/​etc/​ldap/​ldap.conf''​ on Debian/​Ubuntu,​ or ''​C:​\OpenLDAP\sysconf\ldap.conf''​ for Windows) to either:
 +  * Provide the certificate from the certificate authority that issued your LDAP server'​s certificate:​
 +<​file>​
 +TLS_CACERT /​etc/​ssl/​ca.crt
 +</​file>​
 +  * Or, disable server certificate checking:
 +<​file>​
 +TLS_REQCERT allow
 +</​file>​
 +</​note>​
 +
 +===== Credentials =====
 +
 +Configure DN and password in ''​$ldap_bindn''​ and ''​$ldap_bindpw'':​
 +<file php>
 +$ldap_binddn = "​cn=manager,​dc=example,​dc=com";​
 +$ldap_bindpw = "​secret";​
 +</​file>​
 +
 +<note tip>You can leave these parameters empty to bind anonymously.</​note>​
 +
 +===== LDAP Base =====
 +
 +You can set base of searchs in ''​$ldap_base''​ :
 +<file php>
 +$ldap_base = "​dc=example,​dc=com";​
 +</​file>​
 +
 +===== User search parameters =====
 +
 +You can set base of the search in ''​$ldap_user_base'':​
 +<file php>
 +$ldap_user_base = "​ou=users,"​.$ldap_base;​
 +</​file>​
 +
 +The filter can be set in ''​$ldap_user_filter'':​
 +<file php>
 +$ldap_user_filter = "​(objectClass=inetOrgPerson)";​
 +</​file>​
 +
 +When an entry is displayed, to help the software to determine if this is a user, you can configure a regular expression:
 +<file php>
 +$ldap_user_regex = "/,​ou=users,/​i";​
 +</​file>​
 +
 +<note tip>If you don't set this value, the software will use the search base: if the entry DN is inside the user search base, then it is a user. But this method can be useless depending of your LDAP directory organization.</​note>​
 +===== Group search parameters =====
 +
 +You can set the base of the search in ''​$ldap_group_base'':​
 +<file php>
 +$ldap_group_base = "​ou=groups,"​.$ldap_base;​
 +</​file>​
 +
 +The filter can be set in ''​$ldap_group_filter'':​
 +<file php>
 +$ldap_group_filter = "​(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))";​
 +</​file>​
 +===== Size limit =====
 +
 +It is advised to set a search limit on client side if no limit is set by the server:
 +<file php>
 +$ldap_size_limit = 100;
 +</​file>​
 +
 +<​note>​This limit will also restrict the number of entries shown in the [[.:​config_gallery|gallery menu]]</​note>​
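Review bot: In the "important" note under "Server address", the bullet "Or, disable server certificate checking" with "TLS_REQCERT allow" is presented as an equal alternative to "TLS_CACERT", but with "allow" the client continues even when the server presents a bad certificate, so the ldaps or StartTLS session that carries $ldap_binddn and $ldap_bindpw is encrypted without the server being authenticated. I would recommend TLS_CACERT as the normal setup, describe the TLS_REQCERT option as suitable for testing only, and mention that ldap.conf is read by other LDAP clients on the same host, so the relaxed setting is not limited to this application. It would also help to state near the first example that a plain "ldap://" URI without $ldap_starttls sends the bind password unencrypted. In "Credentials", the prose names $ldap_bindn while the example sets $ldap_binddn; the prose should match the variable in the code. Minor wording: "several URI" should read "several URIs" and "searchs" should read "searches".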