After some fiddling around I managed to connect Joomla to an AD, so I would like to share the configuration with you.
Apart from being a requirement in many projects, these are the benefits of using LDAP/AD for Joomla authentication:
- Centralised user database which can be used by many different systems
- Users have only one username/password for all systems that use LDAP/AD
- Users can still be administered inside Joomla, since they are imported into the Joomla database the first time they log in to Joomla via LDAP
- Keeps users happy! (no more extra signups)
- Best practice for IT integration
1. Go to Joomla's administration Plugin Manager and enable the "Authentication - LDAP" plugin:
2. Configure the plugin with your AD/LDAP data. This is the tricky part, which can cost you many hours and a lot of frustration if you are not sure about the parameters.
The parameters shown above are for Microsoft's Active Directory. They should be fine for the majority of systems and allow users to log in with their e-mail credentials, for example user@staff.domain.com.
In this setup the user's CN is the user's full name, and the other relevant attributes are:
sAMAccountName: user
email: user@staff.domain.com
Notes:
- Host: the hostname of your enterprise AD/LDAP server.
- Port: 389 for the majority of systems.
- Base DN: usually something like DC=staff,DC=domain,DC=com; if you are not sure, ask your LDAP/AD administrator.
- Map: User ID is case sensitive. This parameter alone can make you feel stupid if you are not aware of the case sensitivity!
- Map: User ID is the LDAP attribute used to map the username into Joomla's database. If your system uses a different attribute, use that one; in most cases the correct attribute is sAMAccountName.
- Search String: the LDAP filter used to find the user and retrieve the required attributes. This is very important: if Joomla cannot find the user in the LDAP, it does not authorize them, even though the user binds fine with his/her credentials.
With this configuration, users can log in to Joomla using their e-mail account and its password.
Additionally, Joomla automatically retrieves the user's real name, e-mail and username and stores them in its own database.
Joomla 2.5 administrators can then apply extra security, for example changing the user's group and access levels.
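To make the parameters above concrete, here is an added PHP script (my own example, not the code of Joomla's plugin) that performs the same steps the "Authentication - LDAP" plugin goes through with the "Bind Directly as User" method: connect, bind with the user's own credentials, substitute [search] into the Search String, look the user up under the Base DN and map the attributes to a Joomla user. The host name and the mail=[search] filter are assumptions; the empty-password check and ldap_escape() call are hardening the post does not mention.

```php
<?php
function ldapAuthenticate(array $cfg, string $username, string $password): ?array
{
    // Many servers treat a bind with an empty password as anonymous, so an
    // empty password must never count as a successful login.
    if ($password === '') {
        return null;
    }
    $conn = ldap_connect($cfg['host'], $cfg['port']);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3); // LDAP V3: Yes
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);        // Follow Referrals: No
    // "Bind Directly as User": AD accepts user@domain as the bind name.
    if (!@ldap_bind($conn, $username, $password)) {
        return null;
    }
    // Substitute [search] in the Search String; ldap_escape() keeps filter
    // metacharacters typed into the login form from rewriting the query.
    $safe    = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    $filter  = '(' . str_replace('[search]', $safe, $cfg['search']) . ')';
    $attrs   = [$cfg['map_fullname'], $cfg['map_email'], $cfg['map_userid']];
    $result  = ldap_search($conn, $cfg['base_dn'], $filter, $attrs); // whole subtree
    $entries = $result ? ldap_get_entries($conn, $result) : ['count' => 0];
    ldap_unbind($conn);
    // Bound fine but not found under the Base DN: Joomla rejects the login too.
    if ($entries['count'] !== 1) {
        return null;
    }
    $e = $entries[0]; // ldap_get_entries() lower-cases attribute names
    return [
        'name'     => $e[strtolower($cfg['map_fullname'])][0] ?? '',
        'email'    => $e[strtolower($cfg['map_email'])][0] ?? '',
        'username' => $e[strtolower($cfg['map_userid'])][0] ?? '',
    ];
}

$cfg = [
    'host'         => 'ad.staff.domain.com',     // placeholder Host
    'port'         => 389,
    'base_dn'      => 'DC=staff,DC=domain,DC=com',
    'search'       => 'mail=[search]',           // assumed Search String
    'map_fullname' => 'cn',
    'map_email'    => 'mail',
    'map_userid'   => 'sAMAccountName',          // Map: User ID (case sensitive)
];
var_dump(ldapAuthenticate($cfg, 'user@staff.domain.com', 'secret')); // null on failure
```

Because ldap_search() covers the whole subtree below the Base DN, users in different OUs under that DN are found without listing the OUs in the filter.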
Troubleshooting
Check the following articles for extra info and troubleshooting:
Hello,
I have configured Joomla to authenticate users; I can log in, but the Joomla profile is not created - for instance I can't set the permissions for this user (I would like to make one of my LDAP accounts superuser).
Any ideas?
Thanks in advance!
Check in Joomla's plug-in manager the plugin "User - Joomla!".
Is the option "Auto-create Users" enabled (YES)?
Hi!
My Joomla 2.5 site was working fine with the LDAP authentication. But this week the server that hosts the application was changed to a Linux server, on the same local LAN. After that the LDAP login doesn't work: when I try, a white page loads. There is no error message either, so how can I find out what is wrong?
Thank you for the help!!
Hi elida,
Have you tried this?
http://ourlife01.blogspot.gr/2012/05/debugging-ldap-php-scripts.html
Sorry, wrong link!
I actually meant this:
http://ourlife01.blogspot.gr/2012/04/how-to-connect-to-ssl-openldap.html
Thanks for the instructions, they were very easy to follow. I am wondering what I can do about the need to pull in users from multiple OU's? we have a single ad domain, 5 store ou's and a Users Ou under each. There is no single central store for me to get users from. Any suggestions?
I am using Joomla! 2.5.7 on the latest version of OpenSuse.
Although I haven't tried it, I think you can use the usual LDAP filter notation in Joomla's "search string" field, e.g. (|(exp1)(exp2)(exp3)) means exp1 OR exp2 OR exp3, so for your organisation it would be something like:
(|(ou=orgunit1)(ou=orgunit2)(ou=orgunit3))
I have OpenLDAP in a Linux environment.
But I can't make this work properly...
Have run the php script and it returns the correct info.
My params are:
Host: my ip host
port: 389
ldapv3: yes
tls: no
referrals: no
bind as user
base dn: ou=people,dc=mydomain,dc=com
search string: uid=[search]
user dn: uid=[username],ou=people,dc=mydomain,dc=com
connect username: empty
connect password: empty (I have tried with the manager too)
Map full name: cn
map email: mail
map user id: uid
What am I doing wrong????
OpenLDAP can be different...
Have you tried this?
http://ourlife01.blogspot.gr/2012/05/debugging-ldap-php-scripts.html
Is your LDAP with SSL? Then you should check this:
http://ourlife01.blogspot.gr/2012/04/how-to-connect-to-ssl-openldap.html
Thanks for replying...
Have done the following:
http://ourlife01.blogspot.gr/2012/04/how-to-connect-to-ssl-openldap.html
and the result is ok!!
That's why I wonder what can be wrong in the Joomla config....
Strange... I suppose you are doing the tests from the same host, right?
If all attributes AND mapping are OK, then your only option is to try to enable debugging in Joomla and check Joomla's logs... (you can also modify Joomla's LDAP plugin to log more info for debugging)
Folks - we have a project where we need consulting help from someone who's done Active Directory authentication between an internal .Net intranet and an external PHP website. Would you kindly email me at andy at rabinovicionline.com if you're interested, and we'll discuss the details?
Can anyone help me? I am new to Joomla, I work with version 2.5 and I want to connect an intranet to the LDAP. If someone can explain to me step by step how to do it and what to enter in each of the fields... I have researched and have not been able to connect them.
Thank you very much
Sam, send me an e-mail (see my profile)
I am having trouble getting LDAP Auth to work. I've tried the following PHP code just to make sure that it's working, and the following code works and seems to bind.
<?php
$ldapurl  = "192.168.1.18";
$ldaprdn  = 'uid=bmcwhirt,cn=users,cn=accounts,dc=myhhca,dc=com';
$ldappass = 'PASSWORD_PLACEHOLDER'; // the posted script never set this; put the account's password here
// connect to ldap server
$ldapconn = ldap_connect($ldapurl) or die("Couldn't connect");
// binding to ldap server (the posted echo used an undefined $ldapuser and printed the password; show the DN only)
echo "Trying to bind as $ldaprdn\n";
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
if (!$ldapbind) {
    echo "Unable to bind to server $ldapurl\n";
    echo "OpenLdap error message: " . ldap_error($ldapconn) . "\n";
    exit;
}
echo "Bind succeeded\n";
This works with no errors and seems to bind.
Here are my settings in Joomla
Host: 192.168.1.18
Port: 389
LDAP V3: Yes
Negotiate TLS: No
Follow Referrals: No
Authorisation Method: Bind Directly as User
Base DN: o=myhhca.com
Search String: uid=[search]
User's DN: uid=[username],cn=users,cn=accounts,dc=myhhca,dc=com
I am using Joomla 2.5 and the auth server is FreeIPA with OpenLDAP
I would appreciate any advice or corrections.
Try to troubleshoot at the Joomla level...
If you still can't do it, drop me an email (look at my profile)
I found the problem. Though Community Builder claims 1.9 is LDAP capable with the Joomla Auth LDAP module, that is only partly true. You cannot use the CB Login Form. Everything else CB-wise seems to work just fine after you have authenticated. Here were my final settings for the LDAP module.
Host: 192.168.1.18
Port: 389
LDAP V3: Yes
Negotiate TLS: No
Follow Referrals: No
Authorisation Method: Bind Directly as User
Base DN: cn=users,cn=accounts,dc=myhhca,dc=com
Search String: uid=[search]
User's DN: uid=[username],cn=users,cn=accounts,dc=myhhca,dc=com
Map: Full Name: cn
Map: email: mail
Map: User ID: hid
This setup, using the default Joomla login form, works well for authenticating off Fedora 18 running FreeIPA 3.1.2.
This site, Michael, and everyone who has commented with their thoughts has been very helpful, and I hope my contribution will save someone some time in the future. Next time I will be authenticating off a Mac mini server. When that happens I'll post what setup works for that as well.
Thanks
That should read:
Map: User ID: uid
Hi, thanks for posting this! Unfortunately, I get error 500 when I try it with my site.
I used the settings as shown in your post, except I want the users to log in with their uid, not their email address. So I tried setting the search string to uid=[search] as well as sAMAccountName=[search], but error 500 either way.
my Joomla site is 2.5.8 on Ubuntu 12 server, and my AD server is 2008r2.
Hi Luke,
Did you find any solution to this issue? I got the same:
"POST /administrator/index.php HTTP/1.1" 500 388 "
"POST /administrator/index.php HTTP/1.1" 500 533 "
Axel
Have you tried:
Map: User ID uid ?
Of course... other apps like Subversion or Redmine successfully authenticate against my Samba 4 AD or 2k8R2 AD. Only Joomla does not...
Do you have command line access on your server?
Have you tried this? http://ourlife01.blogspot.gr/2012/05/debugging-ldap-php-scripts.html
I have command line access, but I don't know what I have to do with the script...
Better use this one:
http://ourlife01.blogspot.com/2013/10/sample-active-directory-command-line.html
And check if everything is OK...
Yay, very nice. I've found the problem. I needed to install php5-ldap; then "$ldapconn = ldap_connect($ldapserver, $ldapport);" found the LDAP directory and my login works :)
Thank you man!!
Hello, I have a Samba 4 AD DC server and with the configuration shown in the image "ldap_joomla_params.png" it works.
The problem we have is that the users' e-mail addresses do not belong to the same domain, and if I do not change it in the AD DC it does not work.
Is there any possibility for users to log in with their username only (not the e-mail)? I tried different ways with different fields and did not get good results.
Thank you very much