----- ====== Introduction ====== * RADIUSdesk has become a popular choice for enterprise deployments due to its flexibility and a user-friendly and versatile interface. * We now also offer our enterprise customers the option of LDAP integration for managing administrators within the RADIUSdesk system. * In this document, we will cover the configuration and testing of LDAP integration in RADIUSdesk. ----------------- ====== Required Packages ====== * We use the Authentication **Plugin** available with CakePHP v4 and CakePHP v5 as the foundation for the LDAP integration. * In the past we used the Auth **Component** which is now being replaced by the Authentication and Authorization **Plugins** in more recent versions of CakePHP. * The rdcore git code from 15 February onward will have the Authentication plugin included and active. * To add LDAP capability you also need to install the LDAP php library on the system hosting RADIUSdesk. sudo apt-get install php-ldap ----------------- ====== LDAP Authentication Process ====== ===== Bind (Initial Connection) ===== - **Client connects:** The LDAP client (e.g., a user authentication script) connects to the LDAP server. - **Bind request:** The client sends a bind request to the server, which includes the username (or DN) and password. - **Server authenticates:** The server checks the username and password against its stored credentials. - **Bind response:** If the credentials are valid, the server responds with a bind response, indicating a successful connection. ===== Search ===== - **Search request:** The client sends a search request to the server, specifying the search base, scope, filter, and attributes to retrieve. - **Server searches:** The server searches its directory based on the client's request. - **Search response:** The server responds with a search response, containing the matching entries and their attributes. ===== Bind on Search Result with Password ===== - **Client selects entry:** The client selects an entry from the search results. - **Client extracts DN:** The client extracts the DN (distinguished name) from the selected entry. - **Bind request with DN and password:** The client sends a new bind request to the server, using the extracted DN and the user-provided password. - **Server authenticates:** The server checks the DN and password against its stored credentials. - **Bind response:** If the credentials are valid, the server responds with a bind response, indicating a successful authentication. ---------- ---------- ====== Configure LDAP ====== * LDAP Integration is configured under the settings tab. * One item that needs a bit more explanation is Filter. * The filter contains a special character (**%s**) which will be substituted with the username that the user provide to log in. * For active directory it will typically be **(&(objectClass=user)(samaccountname=%s))**. * This filter will be applied when searching to find the DN of the user who needs to be authenticated. {{:technical:ldap:ldap_settings.png|}} --------- ====== Test LDAP Settings ====== * There is also a **Test LDAP Settings** Button that helps you to test the LDAP settings to ensure they work as intended. * The tests that will be done will be matching the **LDAP Authentication Process** described earlier on this page. {{:technical:ldap:ldap_settings_test.png|}}