LDAP Login

Gentics CMS is able to authenticate users using LDAP.

1 Information gathering

  • Does the LDAP server allow anonymous binding? If not, you will need an LDAP bind user.
  • Find out the basedn to use (example: dc=gentics,dc=com)
  • Which LDAP fields to use (you can find them with the Linux tool ldapsearch). The $LDAP_LOGIN_FIELDS settings specify the LDAP field mappings.
  • How the LDAP groups or a user field should be mapped to Gentics CMS groups, see: Automatic group assignment.

2 Automatic group assignment

You can assign LDAP users to CMS groups automatically. The CMS group must exist first. You can either map all LDAP users statically to a single group, use an LDAP field of the LDAP user for dynamic mapping (see: $LDAP_LOGIN_FIELDS[“group”]), or use “Advanced groups” (see: Advanced Groups).

3 Configuration

Make sure that the PHP module “php-ldap” is installed.

Define the following settings in the configuration:

node.conf

// Enable ldap
$FEATURE["ldap"] = true;
$FEATURE["ldap_login"] = true;

// Configure LDAP server connection
$LDAP_LOGIN["server"] = "localhost"; // mandatory

// Login for the LDAP bind-user, leave empty if your LDAP server allows anonymous login
$LDAP_LOGIN["login"] = "";
$LDAP_LOGIN["pw"] = "";

$LDAP_LOGIN["basedn"] = "dc=gentics,dc=com"; // mandatory
$LDAP_LOGIN["filter"] = "objectclass=Person"; // This defines the LDAP object filter
// If binddn is set to 1, Gentics CMS will first search for the user
// and then bind with the found DN and the password provided
// by the user
$LDAP_LOGIN["binddn"] = 1;

// Don't follow referrals returned by the LDAP server (false).
// This is recommended for Microsoft Active Directory.
$LDAP_LOGIN["referrals"] = false;

// Map ldap attributes to user attributes using these settings
$LDAP_LOGIN_FIELDS["login"] = "uid";
$LDAP_LOGIN_FIELDS["pw"] = "pw";
$LDAP_LOGIN_FIELDS["firstname"] = "givenName";
$LDAP_LOGIN_FIELDS["lastname"] = "sn";
$LDAP_LOGIN_FIELDS["email"] = "mail";
// "group" may contain a Gentics CMS group id, the name of a user's LDAP field
// that contains the CMS group id, or a string that exactly matches
// a single group's description in the Gentics CMS. This allows the automatic
// assignment of Gentics CMS groups. The Gentics CMS group must exist.
$LDAP_LOGIN_FIELDS["group"] = 1;
$LDAP_LOGIN_FIELDS["isdefaultgroup"] = true;

4 Advanced Groups

This feature allows many LDAP groups to be mapped to many CMS groups, so that LDAP users are assigned permissions depending on which LDAP group(s) they belong to. The CMS groups have to be created first.

node.conf

$LDAP_LOGIN_FIELDS["advancedgroups"] = true;

// Use only one of the two "groupfilter" settings below; the later
// assignment would override the earlier one.

// This is the recommended config for Microsoft Active Directory LDAP,
// where objectclass=groupOfUniqueNames and the "uniqueMember" attribute are not supported.
$LDAP_LOGIN_FIELDS["groupfilter"] = "(&(objectclass=group)(cn=CMS*))";
$LDAP_LOGIN_FIELDS["dontuse_uniquememberattribute"] = true;

// For other LDAP servers with groupOfUniqueNames support, use this:
$LDAP_LOGIN_FIELDS["groupfilter"] = "(&(objectclass=groupofUniqueNames)(cn=CMS*))";

The “(cn=CMS*)” part filters on the prefix of the desired groups (in this case “CMS”), while the objectclass part restricts the search to one attribute value to speed it up. First, all matching groups are loaded. Then the user who tries to log on is searched for in the resulting set of groups and added to the corresponding CMS groups. LDAP group names are mapped to CMS group descriptions, e.g. a user in the group “(cn=CMS-Superadmin)” is mapped to the CMS group whose description is “CMS-Superadmin”.
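The advanced-groups mapping described above, as an added illustration that is not Gentics code: it runs over constructed sample group entries (no live LDAP server), emulates the groupfilter, honours the dontuse_uniquememberattribute switch, and maps each matching group's cn to the CMS group with that exact description. Function names, the sample entries and the CMS group table are all assumptions made for this example.

```python
import fnmatch
from typing import Dict, List

# Constructed LDAP group entries, shaped like the result of a search with
# groupfilter "(&(objectclass=groupofUniqueNames)(cn=CMS*))".
SAMPLE_GROUPS = [
    {"cn": "CMS-Superadmin", "objectClass": "groupOfUniqueNames",
     "uniqueMember": ["uid=alice,ou=people,dc=gentics,dc=com"]},
    {"cn": "CMS-Editors", "objectClass": "groupOfUniqueNames",
     "uniqueMember": ["uid=alice,ou=people,dc=gentics,dc=com",
                      "uid=bob,ou=people,dc=gentics,dc=com"]},
    {"cn": "CMS-Legacy", "objectClass": "groupOfUniqueNames",   # no CMS group with
     "uniqueMember": ["uid=bob,ou=people,dc=gentics,dc=com"]},  # this description
    {"cn": "Finance", "objectClass": "groupOfUniqueNames",      # not cn=CMS*
     "uniqueMember": ["uid=bob,ou=people,dc=gentics,dc=com"]},
]

# Constructed CMS groups (id -> description); they must exist before mapping.
CMS_GROUPS: Dict[int, str] = {1: "Node Super Admin", 2: "CMS-Superadmin",
                              3: "CMS-Editors"}


def member_attribute(dontuse_uniquememberattribute: bool) -> str:
    """Active Directory has no uniqueMember; with the flag set, read 'member'."""
    return "member" if dontuse_uniquememberattribute else "uniqueMember"


def group_matches(entry: dict, objectclass: str, cn_pattern: str) -> bool:
    """Emulate (&(objectclass=X)(cn=CMS*)); LDAP matching is case-insensitive."""
    return (str(entry.get("objectClass", "")).lower() == objectclass.lower()
            and fnmatch.fnmatchcase(entry.get("cn", "").lower(), cn_pattern.lower()))


def cms_groups_for_user(user_dn: str, groups: List[dict], cms_groups: Dict[int, str],
                        objectclass: str = "groupOfUniqueNames", cn_pattern: str = "CMS*",
                        dontuse_uniquememberattribute: bool = False) -> List[int]:
    """1) keep groups matching the filter, 2) keep those listing the user's DN,
    3) map each group's cn to the CMS group whose description equals it."""
    attr = member_attribute(dontuse_uniquememberattribute)
    by_description = {desc: gid for gid, desc in cms_groups.items()}
    matched = set()
    for entry in groups:
        if not group_matches(entry, objectclass, cn_pattern):
            continue
        members = [m.lower() for m in entry.get(attr, [])]  # simplified DN compare
        if user_dn.lower() in members and entry["cn"] in by_description:
            matched.add(by_description[entry["cn"]])
    return sorted(matched)  # e.g. alice -> [2, 3]
```

A group whose cn has no CMS group description (CMS-Legacy above) is silently skipped, which is why the CMS groups must be created first.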