I searched for a while online trying to find the proper settings to get LDAP authentication to work with the built-in plugin but couldn't find anything that worked and was up to date. I wanted to post what settings worked for me. I used a PHP debugger to figure out what was being sent and what I needed to change. Here is what I found worked for me.
Host: The IP address or fully qualified domain name, e.g. 10.0.0.250 or mydc01.corp.example.com
(DO NOT INCLUDE ldap:// or ldaps:// in the value. It is added by the plugin)
Port: 636
(This assumes you have already set up your domain controller with the proper certificate to use SSL secure connections. If not, you can try port 389, but that sends data including passwords in plain text over the network, so for security's sake it is better to get the secure 636 working.)
LDAP V3: Yes
Connection Security: SSL/TLS
(This would be set to none if using port 389)
Ignore Certificate: Yes
Follow Referrals: No
Authorisation Method: Bind and Search
(You can use Bind Directly As User if you don't have a separate account to do queries setup)
Base DN: DC=corp,DC=example,DC=com
(This will obviously need to be changed to match your domain settings. You can use Active Directory Users and Computers with Advanced Features checked under the View menu to find this info. Right-click on your domain name, click Properties and then click the Attribute Editor tab. Scroll down to Distinguished Name and that is the value you need.)
Search String: mail=[search]
(We use email addresses to log in so we use the mail attribute. You can use just the account name by using "sAMAccountName=[search]")
(The following connect username and password are only needed if you use Bind and Search as the method.)
Connect Username: ldapqueryuser@corp.example.com
Connect Password: some secret password you set
Map: Full Name: displayName
Map: Email: mail
Map: User ID: mail
(This value becomes the Login Name (Username) in the Joomla Account Details. Since we use email we set it to "mail". If you wanted just the account name you would set this to "sAMAccountName". If you wanted to have a user ID as the login, you would use the uid or uidNumber attribute, depending on which one contains that info in your LDAP.)
I hope this helps someone to save time setting this up.
Statistics: Posted by dcccritadmin — Thu Mar 21, 2024 3:52 pm
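The following is an added example, not part of the post above and not Joomla's own plugin code. It models the settings the post lists (host without a scheme, port, SSL/TLS, Ignore Certificate, Bind and Search, Base DN, Search String with the [search] placeholder) as a small config object, builds the ldaps:// URI the plugin would form from them, flags the combinations a practitioner should look at before going live (plaintext 389, port/security mismatch, and in particular Ignore Certificate: Yes, which leaves the LDAPS bind open to an attacker who can terminate TLS in the middle), and shows the RFC 4515 escaping a login value needs before it is substituted into a filter such as mail=[search]. Whether the plugin wraps the search string in parentheses or escapes the substituted value itself is not established by the post; the class, function names and the wrapping in parentheses here are this example's own assumptions.

```python
"""Sanity-check a Joomla-style LDAP plugin configuration and build the
bind-and-search filter. Added example; not Joomla plugin code."""

from dataclasses import dataclass
import re


@dataclass
class LdapPluginConfig:
    # Field names are this example's assumption, mirroring the plugin's form labels.
    host: str                 # hostname or IP only; the plugin adds the scheme itself
    port: int                 # 636 for LDAPS, 389 for plaintext LDAP
    use_ssl: bool             # "Connection Security: SSL/TLS"
    ignore_cert: bool         # "Ignore Certificate"
    auth_method: str          # "bind_search" or "bind_direct"
    base_dn: str              # e.g. "DC=corp,DC=example,DC=com"
    search_string: str        # e.g. "mail=[search]"
    connect_username: str = ""
    connect_password: str = ""


def ldap_uri(cfg: LdapPluginConfig) -> str:
    """Form the URI the plugin would connect to. The post warns not to put
    ldap:// or ldaps:// in the Host field, so reject a host that carries one."""
    if re.match(r"^[a-z]+://", cfg.host, re.IGNORECASE):
        raise ValueError("host must not include ldap:// or ldaps://; the plugin adds it")
    scheme = "ldaps" if cfg.use_ssl else "ldap"
    return f"{scheme}://{cfg.host}:{cfg.port}"


def check_config(cfg: LdapPluginConfig) -> list:
    """Return the warnings a reviewer would raise about this configuration."""
    warnings = []
    if not cfg.use_ssl:
        warnings.append("plaintext LDAP: bind passwords cross the network unencrypted")
    if cfg.use_ssl and cfg.port == 389:
        warnings.append("SSL/TLS selected with port 389; LDAPS normally listens on 636")
    if not cfg.use_ssl and cfg.port == 636:
        warnings.append("port 636 without SSL/TLS will not talk to an LDAPS listener")
    if cfg.ignore_cert:
        warnings.append("certificate validation disabled: a man-in-the-middle can "
                        "terminate TLS and capture the bind credentials")
    if cfg.auth_method == "bind_search" and not (cfg.connect_username and cfg.connect_password):
        warnings.append("bind-and-search needs a connect username and password")
    if "[search]" not in cfg.search_string:
        warnings.append("search string has no [search] placeholder")
    return warnings


# RFC 4515 escapes for characters that would otherwise change a filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before it is substituted into an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(cfg: LdapPluginConfig, login: str) -> str:
    """Substitute the login for [search] with escaping applied, then wrap the
    result in parentheses (the wrapping is this example's assumption)."""
    return "(" + cfg.search_string.replace("[search]", escape_filter_value(login)) + ")"


if __name__ == "__main__":
    # Constructed sample mirroring the post's settings, including Ignore Certificate: Yes.
    cfg = LdapPluginConfig(
        host="mydc01.corp.example.com", port=636, use_ssl=True, ignore_cert=True,
        auth_method="bind_search", base_dn="DC=corp,DC=example,DC=com",
        search_string="mail=[search]",
        connect_username="ldapqueryuser@corp.example.com", connect_password="s3cret",
    )
    print(ldap_uri(cfg))
    for w in check_config(cfg):
        print("WARNING:", w)
    print(build_search_filter(cfg, "alice@corp.example.com"))
    # A login crafted to alter the filter is neutralised by the escaping:
    print(build_search_filter(cfg, "*)(objectClass=*"))
```

With the post's settings the only warning is the disabled certificate check; once the domain controller's certificate chain is trusted by the web server, Ignore Certificate can be set to No and the warning disappears. The last line shows why the substituted value must be escaped: without it, a login of `*)(objectClass=*` would turn `mail=[search]` into a filter that matches every object.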