Version 1 Guide
Last Modified: 17-November-2013
This guide covers the installation and setting up of the JMapMyLDAP set of extensions. Each section uses Javascript based show/hide toggle buttons; these buttons should work under most browsers.
It is recommended to use an LDAP browser such as ADSIEdit (Acive Directory) or phpLDAPAdmin to complete this guide.
Note: Errors can be viewed by opening the JLog in /logs/error.php or switching on Joomla debug mode.
Jump to:- Installing the extension
- Configuring the authentication plugin
- Configuring the user plugin
- Configuring the system SSO plugin
- Configuring the HTTP SSO plugin
Installing the extension
There is currently one user plugin, two libraries combined into one, and one authentication plugin in the JMapMyLDAP package.
The following instructions demonstrates how to install the package into a correctly configured Joomla installation:
-
Download the latest Core Package (pkg_jmapmyldap) from the downloads page.
Also, SSO Core & Plugins Package (pkg_jssomysite_plugins.zip) can be found there. - Log into the backend of the Joomla site and go to the Extension Manager.
- Click 'Browse...' then select the downloaded package from step 1.
- Click 'Upload & Install'.
If an error is presented during install, then the Joomla installation is not configured correctly (most likely a file permission problem on the web server).
Configuring the authentication plugin
This section demonstrates the usage for the JMapMyLDAP authentication plugin. A individual debug PHP file downloadable from here can help with setting up the authentication - please try this before contacting me. For this example we are assuming that Active Directory is the LDAP directory to be used.
- Open the 'Authentication - JMapMyLDAP' configuration through the Plug-in Manager.
-
Use the following settings:
Key Value LDAP V3 Latest versions of OpenLDAP require version 3 of the LDAP protocol. Older LDAP servers may use version 2.
Set to YesStart TLS Start TLS is currently an undocumented feature of PHP that allows an encrypted channel to be used when communicating with an LDAP server. This is not the same as using ldaps:// on port 636. Refer to the PHP manual page for more information on this feature.
Set to NoFollow Referrals This option sets the value of the LDAP_OPT_REFERRALS flag. This option must be set to NO for Windows Server 2003.
Set to NoHost Specify the host name for the LDAP servers(s) with either a IP, DNS or URL pointing at one or more LDAP server(s). Multiple entries can be used by separating each entry by a space.
When using SSL, the host may have to take the form ldaps://<host>. Though consult with the LDAP servers' documentation for correct configuration.
Examples:- 10.4.55.100 10.4.55.101
- ad.domain.local
- ldaps://ad.domain.local
Port Specify the port for the LDAP server. By default this is 389. Some Windows based servers can only use the Global Catalog port 3268. The default port for SSL connections is 636. Connect User Leave this blank to connect anonymously (the LDAP server must allow anonymous logins for this to work). Alternatively, specify the RDN or DN of the user to use for connecting. This is used when either searching for a user, failover group mapping or the single sign on plug-ins. This user doesn't require administrator rights as the plug-in only requires read access.
Examples:- cn=proxyuser,o=company (can be used for eDir)
- DOMAIN\proxyuser (can be used for AD)
Connect Password Leave blank for anonymous, otherwise enter password for connecting user. Use Search Enabling this option attempts to find the authenticating user within the LDAP directory and if successful, passes on the distinguished name of the authenticating user and password to bind. This option needs to be used if a direct user DN string is not possible (i.e. when users are in multiple organisational units).
This option requires a set of LDAP connect user credentials to use for searching. It should be noted that user and group details are read with the authenticating users credentials and not the connect credentials.Base DN Specify the base DN of the LDAP server or directory that the plug-in should use as a basis.
Examples:- o=company
- dc=domain,dc=local
User DN/Filter Specify the LDAP DN/Filter to be used for binding to the authenticating user. The [username] keyword is dynamically replaced by the attempting user's username.
If using search: this value must be a LDAP filter (sometimes referred to as a LDAP query) searching for a specific attribute that can distinguish a user from the username entered. This filter can also be used to exclude organisational units, groups and/or users from a search. See this reference for more on LDAP filters.
Examples:- (sAMAccountName=[username]) (can be used for AD)
- (cn=[username]) (can be used for eDir)
If search is not used: a LDAP DN must be specified. Multiple DN's can be separated by a semi-colon and each is attempted a bind in order.
Examples:- cn=[username],ou=accounts,dc=domain,dc=local (can be used for AD, however the default CN in AD is a full name)
- cn=[username],ou=users,o=company (can be used for eDir)
Map User ID Specify the LDAP attribute that contains the user's ID for mapping to the Joomla login name field.
Examples:- sAMAccountName (can be used for AD)
- uid (used for most LDAP systems)
Map Full Name Specify the LDAP attribute that contains the user's full name for mapping to the Joomla name field.
Examples:- name (can be used for AD)
- displayName (can be used for AD)
- fullName (used for most LDAP systems)
Map Email Specify the LDAP attribute that contains the user's email for mapping to the Joomla email field. The attribute mail is used as a default for most LDAP systems.
If the LDAP directory doesn't contain email values, then a 'fake' email can be implemented. These can be implemented by using the [username] keyword which is dynamically replaced by the username. For example [username]@ACME.LOCAL. - Set the plugin to the enabled state.
- Save and test the plugin by trying to authenticate as a user from the LDAP directory.
Do not proceed until this plugin is configured correctly and able to authenticate successfully.
^^Back to TopConfiguring the user plugin
This section demonstrates the usage for the group mapping plugin.
- Open the 'User - JMapMyLDAP' configuration through the Plug-in Manager.
-
The following table shows the usage and examples of each parameter in the plugin:
Key Usage/Example Authentication Plugin Specify the name of the authenticating LDAP plugin (shown as 'Plug-in file' within a plugin's configuration). This field is case sensitive.
Set to jmapmyldap to use the JMapMyLDAP authentication plugin.Auto Register If user does not exist in Joomla then they must be registered before they can use Joomla. This parameter sets the flag for auto registration.
Inherited options mean that if the flag has not been set by a past plug-in, then set it to the selected value. i.e. Inherited - Yes means that if the flag has not been set then auto registration is set to yes.
Override options mean that the flag will always be set to the selected value regardless of past plug-ins. Set to Override - Yes to enable back end registration.
NOTE: by default, Joomla ships with a separate enabled auto register option. If this is left switched on then users are still auto registered through that plugin only if an inherited option has been selected. Look at the 'User - Joomla' parameters.
This option could be useful if only a select number of already registered users should be able to login (i.e. for closed beta testing).Sync Name If set to Yes: replaces the name held for the user in Joomla with that in the LDAP directory.
Example: set it to Yes if name changes occur in the LDAP directory and you want to keep them in sync.Sync Email If set to Yes: replaces the email held for the user in Joomla with that in the LDAP directory.
Example: set it to Yes if email changes occur in the LDAP directory and you want to keep them in sync.Use Group Mapping If set to Yes: enables the LDAP group mapping. This activates the group mapping parameters below. Allow Additions If set to Yes: allows the plugin to add Joomla groups to Joomla users when it satisfies the condition for the add from the 'Group Mapping List'.
If set to No: the plugin never adds any Joomla groups to Joomla users.
Example: set this to No if you want to manually add groups to users through Joomla's user manager. Set this to Yes if you want the plugin to automate Joomla group additions.Allow Removals If set to Yes & Default Managed: allows the plugin to remove managed Joomla groups from users if they do not satisfy any conditions for a specified Joomla group from the 'Group Mapping List'. Also, all Joomla groups are defaulted as managed with this setting.
If set to Yes: same as the setting above except that that all Joomla groups are defaulted as unmanaged.
If set to No: the plugin never removes any Joomla groups from a user.
NOTE: If removal is allowed then only Joomla groups that are managed can be removed regardless of the 'Group Mapping List' contents. To read more about managed groups, take a look at the documentation.
Example: set to Yes & Default Managed if each Joomla group maps to an LDAP group and you only want to use the LDAP directory to manage Joomla group assignments.
On the other hand, if you have a lot of Joomla groups that do not map to any LDAP groups, then set this to Yes.
Set to No if you want to manually remove Joomla groups from Joomla users. This could be due to a different department administering Joomla to that of the LDAP directory.Unmanaged Groups Specify Joomla group ID's delimited by a semicolon that should be overridden to an unmanaged state. This doesn't affect groups being added to users, only the removal of them.
It is recommended to override the public, registered and super users groups in case of a error in the group mapping list that may accidentally lead to either users not able to login or super users getting demoted. Though this is optional.
Example: 1;2;8.Public Group Specify Joomla's public group ID to be used when a user has no mappings. Joomla doesn't like users without group associations and therefore one always needs to be mapped. In a default installation, the public group ID is 1. Group Mapping List Specify the list of group mapping entries. Each entry is made up of a LDAP Group DN (pointing at a group), and one or more Joomla group ID's. Use a colon to separate the LDAP DN from the Joomla group ID(s). Adding multiple group ID's for one LDAP DN can be achieved with a comma between each group ID. Each entry should use the form <Group DN>:<Joomla Group IDs> Multiple entries can be achieved with a newline.
Note: Joomla group id's specified in this list are classed as managed unless overridden in the 'Unmanaged Groups' value.
Also, the DN doesn't have to be a full DN. At a minimum you must have atleast the group container RDN for each entry. Do be aware that if only the group container RDN is specified, then any other groups with an identical group container in the directory shall also match the entry.
Example: lets presume the following:
Joomla Groups:
ID Name 2 Registered 5 Publisher 7 Administrator 20 Students 21 Student Council 30 Staff 31 Teachers 32 SLT 33 Support 34 IT Admins LDAP Strucutre:
Type Name DC ACME.LOCAL OU |– School OU |–– Staff CN |––– Staff Group CN |––– SLT Group OU |–– Students CN |––– Student Group CN |– Users CN |–– Domain Admins CN |–– Enterprise Admins
Map all domain admins to the IT admins and administrators groups:
CN=Domain Admins,CN=Users:7,34
Map all staff to the registered and staff groups:
CN=Staff Group,OU=Staff:2,30
Map all students to the registered and students groups:
CN=Student Group,OU=Students:2,20
Map all senior leadership team to the SLT group:
CN=SLT Group,OU=Staff:32
These would come together by separating each entry by a newline:CN=Domain Admins,CN=Users:7,34
That would be the contents of the list box.
CN=Staff Group,OU=Staff:2,30
CN=Student Group,OU=Students:2,20
CN=SLT Group,OU=Staff:32Lookup Type In most cases, setting to either value should return the same groups. Set the best (or only) option for your environment. The option specified here is also used for recursion when enabled.
Set to Forward: returns the users group membership list.
Set to Reverse: returns the group's members list.Lookup Attribute Specify the attribute in LDAP that successfully returns the groups depending on the lookup type.
For active directory set to memberOf for forward lookups OR member for reverse lookups.
For most other systems including NDS/eDirectory set to groupMembership for forward lookups OR member for reverse lookups.Lookup Member Specify the user attribute to use when searching for group membership. Some LDAP schemas do not use a full DN to map group members and instead use the uid attribute. This parameter is only used when using a reverse lookup.
Lets look at this in more depth; when searching for group membership in a reverse lookup, the plug-in sets dn as the default which calls the LDAP filter:member=cn=user,ou=container,o=company
However, some schemas do not use a full DN to query membership and instead require the uid attribute which calls a LDAP filter similar to:member=user
(where member is the value of the Lookup Attribute parameter)
For most schemas, dn is the correct setting.Use Recursion Recursion can be used to find nested groups (i.e. groups of members of groups). However, depending on the amount of groups in the LDAP directory, this could severely affect performance of the LDAP server - use with caution.
If set to Yes: uses the 'Recursive Query' to find nested groups the user is apart of.
If set to No: only uses the top level groups the member is apart of.DN Attribute Specify the attribute in LDAP that returns the Distinguished Name (DN) of a object. This is used to perform recursive forward lookups.
For Active Directory set to distinguishedName.Max Depth Set the maximum recursive depth for nested groups. Set this value to 0 for unlimited depth. - Set the plugin to the enabled state.
- Save and test the plugin by trying to authenticate as a user that should have a group mapping.
Configuring the JSSOMySite SSO plugin
This section demonstrates the usage for the JSSOMySite system plugin. Parts of the SSO extensions are forks from the works of JAuthTools by Samual Moffatt.
- Open the 'System - JSSOMySite' configuration through the Plug-in Manager.
-
Use the following settings:
Key Value Auto Create Users Setting this to Yes enables auto user creation if a user does not exist. IP Rule Specify the default rule for IP addresses to use SSO.
If set to Allow all: allows IP address except those specified in the 'IP Exception List'.
If set to Deny all: denies IP address except those specified in the 'IP Exception List'.IP Exception List Enter IP addresses separated by a newline that should be excluded from the IP Rule. Masks, wildcards, selections and single IP addresses are supported.
Examples:- 192.168.2.10
- 192.168.2.*
- 192.168.2.0-192.168.2.254
- 192.168.2.0/24
URL Bypass Enter a URL variable name to bypass SSO on either the front or back end. The bypass variable value must be set to 1 for successful SSO bypass. This parameter must be empty to disable.
Examples: Set to nosso to use index.php?nosso=1 to bypass SSO either on the front or back ends.Allow Backend SSO Setting this to Yes allows SSO to attempt logon to the backend (Administrator) of the site. - Set the plugin to the enabled state.
- Save.
NOTE: One or more of the SSO type based plugins (e.g. HTTP) must be enabled & configured for SSO to attempt authentication.
Configuring the SSO HTTP plugin
This section demonstrates the usage for the SSO HTTP plugin.
- Open the 'SSO - HTTP' configuration through the Plug-in Manager.
-
Use the following settings:
Key Value User Key This is the key in the $_SERVER array that holds the username. Check the environment section in the PHPInfo for the correct key.
Examples: set to REMOTE_USER or AUTH_USER in most casesUsername Replacement Enter a list of strings separated by a semi-colon to replace any domain related strings from the User Key result to return only the username.
Examples: if the User Key result is DOMAIN\user then set to DOMAIN\. If it was user@DOMAIN.LOCAL then set to @DOMAIN.LOCAL.
NOTE: there has been reports of backslashes getting stripped therefore, also try DOMAIN instead of DOMAIN\.IP Rule Specify the default rule for IP addresses to use HTTP SSO.
If set to Allow all: allows IP address except those specified in the 'IP Exception List'.
If set to Deny all: denies IP address except those specified in the 'IP Exception List'.IP Exception List Enter IP addresses separated by a newline that should be excluded from the IP Rule. Masks, wildcards, selections and single IP addresses are supported.
Examples:- 192.168.2.10
- 192.168.2.*
- 192.168.2.0-192.168.2.254
- 192.168.2.0/24
- Set the plugin to the enabled state.
- Save.
NOTE: Make sure the System SSO plugin is enabled and configured.