# LDAP authentication (AD, OpenLDAP, FreeIPA) - munkireport/munkireport-php GitHub Wiki

For LDAP authentication, MunkiReport uses the excellent adldap2 library.

To configure authentication, add the necessary settings to your `.env` file (or set them as environment variables). Each setting is described below; two complete configurations against public test directories follow at the end of the page.
`AUTH_AD_HOSTS`: one or more LDAP servers (hostnames or IP addresses), separated by commas (`,`).

Example:

```
AUTH_AD_HOSTS=192.168.0.100, 192.168.0.101, myldap.mydomain.org
```

`AUTH_AD_BASE_DN`: the base DN of your directory.

Example:

```
AUTH_AD_BASE_DN=dc=mydomain,dc=local
```
`AUTH_AD_SCHEMA`: the LDAP schema. Defaults to `ActiveDirectory`; other values are `FreeIPA` and `OpenLDAP`.

Example:

```
AUTH_AD_SCHEMA=FreeIPA
```
`AUTH_AD_ACCOUNT_PREFIX`: prefix used in the authentication string. The name the user types at login is placed between the prefix and the suffix to form the string that is bound with, so with the examples below a login as `jane` binds as `uid=jane,ou=users,dc=my,dc=org`. For Active Directory the prefix is usually left empty and the suffix is the UPN domain (for example `@mydomain.local`).

Example:

```
AUTH_AD_ACCOUNT_PREFIX="uid="
```

`AUTH_AD_ACCOUNT_SUFFIX`: suffix used in the authentication string.

Example:

```
AUTH_AD_ACCOUNT_SUFFIX=",ou=users,dc=my,dc=org"
```
`AUTH_AD_USERNAME`: bind username for the directory lookups. Only specify it if ordinary users cannot look up groups etc. themselves; use a dedicated read-only account, since its password sits in plaintext in `.env`.

Example:

```
AUTH_AD_USERNAME=admin_account
```

`AUTH_AD_PASSWORD`: bind password that goes with `AUTH_AD_USERNAME`.

Example:

```
AUTH_AD_PASSWORD=somesecretpassword
```
`AUTH_AD_PORT`: port that LDAP listens on. Defaults to 389 (plain LDAP or STARTTLS); LDAPS conventionally uses 636.

Example:

```
AUTH_AD_PORT=636
```

`AUTH_AD_USE_SSL`: connect over LDAPS (`ldaps://`, TLS from the first byte, normally port 636). Defaults to FALSE.

Example:

```
AUTH_AD_USE_SSL=TRUE
```

`AUTH_AD_USE_TLS`: upgrade a plain connection on the standard port with STARTTLS. Defaults to FALSE.

Example:

```
AUTH_AD_USE_TLS=TRUE
```

With both options left at FALSE the user's password is sent to the directory in cleartext on every login, so enable exactly one of them (LDAPS or STARTTLS, not both) outside a lab, and make sure the MunkiReport host trusts the certificate chain presented by the LDAP server.

`AUTH_AD_VERSION`: LDAP protocol version, either 2 or 3. Defaults to 3. Leave this at 3 unless you are talking to a legacy server; LDAPv2 is obsolete.

Example:

```
AUTH_AD_VERSION=2
```
`AUTH_AD_TIMEOUT`: the number of seconds to wait for a response from your LDAP server. The default is 5 seconds.

Example:

```
AUTH_AD_TIMEOUT=10
```

`AUTH_AD_FOLLOW_REFERRALS`: a boolean that tells Active Directory to follow a referral to another server on your network when the server queried knows that the information you are asking for exists but does not hold a copy of it locally. This option defaults to FALSE. Disable it if you are experiencing search or connectivity issues. For more information, visit: https://technet.microsoft.com/en-us/library/cc978014.aspx

Example:

```
AUTH_AD_FOLLOW_REFERRALS=TRUE
```
`AUTH_AD_ALLOWED_USERS`: list of users that are allowed to log in via LDAP.

Example:

```
AUTH_AD_ALLOWED_USERS=bob, frances, jane
```

`AUTH_AD_ALLOWED_GROUPS`: list of groups whose members are allowed to log in via LDAP.

Example:

```
AUTH_AD_ALLOWED_GROUPS=domain_admins, helpdesk_users
```

`AUTH_AD_RECURSIVE_GROUPSEARCH`: try to resolve nested groups when looking up groups for a user. This may slow down logins. The default is FALSE.

Example:

```
AUTH_AD_RECURSIVE_GROUPSEARCH=TRUE
```
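A small checker for the settings above, written for this page as an added example (it is not MunkiReport or adldap2 code). It reads a `.env` fragment, builds the bind string from prefix, login name and suffix, derives the LDAP URLs from hosts, port and `AUTH_AD_USE_SSL`, and flags the mistakes that commonly break or weaken a setup: SSL and TLS both on, neither on (cleartext bind), LDAPv2, a non-boolean referral flag, LDAPS on port 389, no allow-list. The sample `.env` values, the finding codes and the `safe_login_name` check are this example's own; whether MunkiReport escapes login names before building the DN is not covered by this page, so the example simply refuses names containing RFC 4514 special characters.

```python
"""Sanity-check the AUTH_AD_* settings from a MunkiReport .env file.

Added example, not MunkiReport or adldap2 code. It only interprets the
settings documented on this page and never opens a network connection.
"""

# Characters that change the meaning of a DN (RFC 4514). The login name is
# spliced between AUTH_AD_ACCOUNT_PREFIX and AUTH_AD_ACCOUNT_SUFFIX, so the
# example refuses names containing them rather than trying to escape them.
DN_SPECIAL_CHARS = set(',+"\\<>;=#\x00')

# Constructed .env fragment (hypothetical values) mirroring the examples on
# this page, deliberately including mistakes the linter should catch.
SAMPLE_ENV = """
AUTH_AD_HOSTS=192.168.0.100, 192.168.0.101, myldap.mydomain.org
AUTH_AD_BASE_DN=dc=mydomain,dc=local
AUTH_AD_SCHEMA=OpenLDAP
AUTH_AD_ACCOUNT_PREFIX="uid="
AUTH_AD_ACCOUNT_SUFFIX=",ou=users,dc=mydomain,dc=local"
AUTH_AD_PORT=3389
AUTH_AD_USE_SSL=TRUE
AUTH_AD_USE_TLS=TRUE
AUTH_AD_VERSION=2
AUTH_AD_FOLLOW_REFERRALS=10
"""


def parse_env(text):
    """Parse KEY=VALUE lines; strip one layer of matching quotes from VALUE."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # first '=' only: DNs contain '='
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        settings[key.strip()] = value
    return settings


def as_bool(value):
    """TRUE/FALSE style flag -> bool; None when the value is not a boolean."""
    v = (value or "").strip().lower()
    if v in ("true", "1", "yes", "on"):
        return True
    if v in ("false", "0", "no", "off", ""):
        return False
    return None


def split_list(value):
    """Comma-separated list as used by AUTH_AD_HOSTS / ALLOWED_USERS / ALLOWED_GROUPS."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def safe_login_name(name):
    """True if the login name cannot alter the DN it is spliced into."""
    return bool(name) and name == name.strip() and not (set(name) & DN_SPECIAL_CHARS)


def bind_dn(settings, username):
    """Authentication string: PREFIX + login name + SUFFIX."""
    if not safe_login_name(username):
        raise ValueError("login name contains DN special characters: %r" % username)
    return (settings.get("AUTH_AD_ACCOUNT_PREFIX", "") + username
            + settings.get("AUTH_AD_ACCOUNT_SUFFIX", ""))


def ldap_urls(settings):
    """One URL per host; ldaps:// when AUTH_AD_USE_SSL is set, else ldap://."""
    scheme = "ldaps" if as_bool(settings.get("AUTH_AD_USE_SSL")) else "ldap"
    port = settings.get("AUTH_AD_PORT") or "389"
    return ["%s://%s:%s" % (scheme, host, port) for host in split_list(settings.get("AUTH_AD_HOSTS"))]


def lint(settings):
    """Return (code, message) findings for a settings dict; empty list when clean."""
    findings = []
    use_ssl = as_bool(settings.get("AUTH_AD_USE_SSL"))
    use_tls = as_bool(settings.get("AUTH_AD_USE_TLS"))
    port = settings.get("AUTH_AD_PORT") or "389"
    if not split_list(settings.get("AUTH_AD_HOSTS")):
        findings.append(("no_hosts", "AUTH_AD_HOSTS is empty"))
    if not settings.get("AUTH_AD_BASE_DN"):
        findings.append(("no_base_dn", "AUTH_AD_BASE_DN is empty"))
    if use_ssl and use_tls:
        findings.append(("ssl_and_tls", "enable either LDAPS (USE_SSL) or STARTTLS (USE_TLS), not both"))
    if not use_ssl and not use_tls:
        findings.append(("plaintext", "neither USE_SSL nor USE_TLS: the bind password crosses the network in cleartext"))
    if use_ssl and port == "389":
        findings.append(("ldaps_on_389", "USE_SSL with port 389; LDAPS conventionally listens on 636"))
    if settings.get("AUTH_AD_VERSION", "3") != "3":
        findings.append(("ldap_version", "AUTH_AD_VERSION should be 3; LDAPv2 is obsolete"))
    for key in ("AUTH_AD_USE_SSL", "AUTH_AD_USE_TLS",
                "AUTH_AD_FOLLOW_REFERRALS", "AUTH_AD_RECURSIVE_GROUPSEARCH"):
        if as_bool(settings.get(key)) is None:
            findings.append(("not_boolean", "%s=%r is not TRUE/FALSE" % (key, settings.get(key))))
    if settings.get("AUTH_AD_USERNAME") and not settings.get("AUTH_AD_PASSWORD"):
        findings.append(("bind_user_without_password", "AUTH_AD_USERNAME set but AUTH_AD_PASSWORD is empty"))
    if not settings.get("AUTH_AD_ALLOWED_USERS") and not settings.get("AUTH_AD_ALLOWED_GROUPS"):
        findings.append(("no_allow_list", "neither AUTH_AD_ALLOWED_USERS nor AUTH_AD_ALLOWED_GROUPS is set"))
    return findings


if __name__ == "__main__":
    cfg = parse_env(SAMPLE_ENV)
    print("servers:", ldap_urls(cfg))
    print("bind as:", bind_dn(cfg, "bob"))
    for code, message in lint(cfg):
        print("%-28s %s" % (code, message))
```

Run it against your real `.env` by replacing `SAMPLE_ENV` with the file's contents; an empty finding list and a bind string that matches the DN you can see in the directory is what you want before turning on `DEBUG` and retrying a login.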
The following configuration uses the public test LDAP server from forumsys (plain LDAP on port 389, so only for testing):

```
AUTH_AD_SCHEMA="OpenLDAP"
AUTH_AD_BASE_DN="dc=example,dc=com"
AUTH_AD_ACCOUNT_PREFIX="uid="
AUTH_AD_ACCOUNT_SUFFIX=",dc=example,dc=com"
AUTH_AD_HOSTS="ldap.forumsys.com"
AUTH_AD_ALLOWED_USERS="curie, tesla"
```

You can log in as either `curie` or `tesla` with the password `password`.
AUTH_AD can also authenticate against a FreeIPA server. The following configuration authenticates against the FreeIPA demo server described at https://www.freeipa.org/page/Demo:

```
AUTH_AD_SCHEMA="FreeIPA"
AUTH_AD_BASE_DN="dc=demo1,dc=freeipa,dc=org"
AUTH_AD_ACCOUNT_PREFIX="uid="
AUTH_AD_ACCOUNT_SUFFIX=",cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org"
AUTH_AD_HOSTS="ipa.demo1.freeipa.org"
AUTH_AD_ALLOWED_GROUPS="employees"
```

You can log in as `employee` or as `helpdesk`; all passwords are `Secret123`. The user `employee` should be able to log in. The user `helpdesk` is unauthorised because it is not a member of the group `employees`.
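The allow-list behaviour shown by the two test configurations, as an added example (not MunkiReport code): a login name passes if it is listed in `AUTH_AD_ALLOWED_USERS` or if one of the user's groups is listed in `AUTH_AD_ALLOWED_GROUPS`, which is assumed here to be how the two settings combine. The directory below is constructed for the example, not the real FreeIPA demo; it nests `helpdesk` inside `employees` through an intermediate group so that the effect of `AUTH_AD_RECURSIVE_GROUPSEARCH` (and the cycle guard such a search needs) is visible.

```python
"""Authorisation decision for AUTH_AD_ALLOWED_USERS / AUTH_AD_ALLOWED_GROUPS,
with and without AUTH_AD_RECURSIVE_GROUPSEARCH.

Added example, not MunkiReport code. Assumes the allow-lists are ORed:
listed user OR member of a listed group. DIRECTORY is constructed and is
not the real FreeIPA demo directory.
"""

# Constructed group membership: group name -> direct members, which may be
# users or other groups. 'helpdesk' reaches 'employees' only via 'support';
# 'admins' contains itself so the recursive search must not loop forever.
DIRECTORY = {
    "employees": {"employee", "support"},
    "support": {"helpdesk"},
    "admins": {"admin", "admins"},
}


def split_list(value):
    """Comma-separated list exactly as written in .env, e.g. 'curie, tesla'."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def direct_groups(name):
    """Groups that list `name` (a user or a group) as a direct member."""
    return {group for group, members in DIRECTORY.items() if name in members}


def groups_of(username, recursive=False):
    """Direct groups of a user; with recursive=True also every parent group.

    A visited set guards against cycles (a group that contains itself, or
    two groups that contain each other) so the walk always terminates.
    """
    found = set()
    queue = list(direct_groups(username))
    while queue:
        group = queue.pop()
        if group in found:
            continue
        found.add(group)
        if recursive:
            queue.extend(direct_groups(group))
    return found


def authorised(username, allowed_users="", allowed_groups="", recursive=False):
    """Mirror of the two allow-list settings: user listed, or in a listed group."""
    if username in split_list(allowed_users):
        return True
    if set(split_list(allowed_groups)) & groups_of(username, recursive):
        return True
    return False


if __name__ == "__main__":
    for user in ("employee", "helpdesk"):
        for recursive in (False, True):
            verdict = "allowed" if authorised(user, "", "employees", recursive) else "unauthorised"
            print("%-9s recursive=%-5s -> %s" % (user, recursive, verdict))
```

In the directory as constructed, `helpdesk` is unauthorised with the default (non-recursive) search and allowed once `AUTH_AD_RECURSIVE_GROUPSEARCH=TRUE` is set, which is the difference to keep in mind when a user who is "in" a group through nesting cannot log in.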
If you turn on debug mode (`DEBUG=TRUE` in `.env`), AUTH_AD writes a log to:

```
/storage/logs/auth.log
```

The log records the login attempts and directory lookups, including account names and DNs, so turn debug mode off again once the configuration works.