Differences

This shows you the differences between two versions of the page.

--- technical:ldap-integration-rba [2025/06/08 04:53] – system
+++ technical:ldap-integration-rba [2025/06/08 06:35] (current) – [Adjusting the rights of a role] system
@@ Line 8: / Line 8: @@
 ====== LDAP and Role Based Access (RBA)  ======
-  * RADIUSdesk allows the admin of a cloud to be on one of three possible roles.
+  * RADIUSdesk allows the admin of a cloud to be in one of three possible roles.
     * Admin
     * Operator
     * View
-  * The rights of the admin is in turn then dictated by the role they are in.
+  * The rights of the admin is dictated by the role they are in.
-  * In this document, we will cover the optional configuration that allows you to map LDAP groups to the respective roles that are available.
+  * This document will cover the optional configuration that allows you to map LDAP groups to the respective available roles.
 -----------------
-====== Required Packages ======
+====== Group Attribute ======
-  * We use the Authentication **Plugin** available with CakePHP v4 and CakePHP v5 as the foundation for the LDAP integration.
+  * The RADIUSdesk implementation allows you to specify the LDAP attribute which contains the groups a user belongs to.
-  * In the past we used the Auth **Component** which is now being replaced by the Authentication and Authorization **Plugins** in more recent versions of CakePHP.
+  * If you have an OpenLDAP deployment, you might have to add the //memberof// overlay.
-  * The rdcore git code from 15 February onward will have the Authentication plugin included and active.
+  * This link describes the process in more detail: https://tylersguides.com/guides/openldap-memberof-overlay/
-  * To add LDAP capability you also need to install the LDAP php library on the system hosting RADIUSdesk.
+  * If you have an Active Directory deployment, make sure the user that does the initial bind can read the **memberOf** attribute.
-<code bash>
+  * This link covers the items you need to double check: http://www.michaelm.info/blog/?p=1435
-sudo apt-get install php-ldap
-</code>
 -----------------
-====== LDAP Authentication Process ======
+====== LDAP group to RBA mapping ======
-===== Bind (Initial Connection) =====
+===== Common Settings =====
-  - **Client connects:** The LDAP client (e.g., a user authentication script) connects to the LDAP server.
+<panel type="primary">
-  - **Bind request:** The client sends a bind request to the server, which includes the username (or DN) and password.
+{{:technical:ldap:ldap_rba_common.png|}}
-  - **Server authenticates:** The server checks the username and password against its stored credentials.
+</panel>
-  - **Bind response:** If the credentials are valid, the server responds with a bind response, indicating a successful connection.
+  * The LDAP group to RBA mapping is optional functionality available as a complement to the standard LDAP integration.
+  * To ensure that the LDAP user has a pleasant experience the first time they log in, we pre-define the default Cloud and Realm they will be assigned to.
+  * As stated earlier, we also give the option to specify the attribute that will contain the groups the user belongs to.
+  * The recommended value is //memberof//, all in lowercase.
-===== Search =====
+-----------------
-  - **Search request:** The client sends a search request to the server, specifying the search base, scope, filter, and attributes to retrieve.
+===== Admin =====
-  - **Server searches:** The server searches its directory based on the client's request.
+<panel type="primary">
-  - **Search response:** The server responds with a search response, containing the matching entries and their attributes.
+{{:technical:ldap:ldap_rba_admin.png|}}
+</panel>
+   * The Admin role will typically include the most components to include.
-===== Bind on Search Result with Password =====
+-----------------
-  - **Client selects entry:** The client selects an entry from the search results.
+===== Operator =====
-  - **Client extracts DN:** The client extracts the DN (distinguished name) from the selected entry.
-  - **Bind request with DN and password:** The client sends a new bind request to the server, using the extracted DN and the user-provided password.
-  - **Server authenticates:** The server checks the DN and password against its stored credentials.
-  - **Bind response:** If the credentials are valid, the server responds with a bind response, indicating a successful authentication.
-----------
-----------
-====== Configure LDAP ======
-  * LDAP Integration is configured under the settings tab.
-  * One item that needs a bit more explanation is Filter.
-  * The filter contains a special character (**%s**) which will be substituted with the username that the user provide to log in.
-  * For active directory it will typically be **(&(objectClass=user)(samaccountname=%s))**.
-  * This filter will be applied when searching to find the DN of the user who needs to be authenticated.
 <panel type="primary">
-{{:technical:ldap:ldap_settings.png|}}
+{{:technical:ldap:ldap_rba_operator.png|}}
 </panel>
+  * The Operator role will typically have less components selected compared to the Admin role, but more components then the View role.
----------
+-----------------
+===== View =====
-====== Test LDAP Settings ======
-  * There is also a **Test LDAP Settings** Button that helps you to test the LDAP settings to ensure they work as intended.
-  * The tests that will be done will be matching the **LDAP Authentication Process** described earlier on this page.
 <panel type="primary">
-{{:technical:ldap:ldap_settings_test.png|}}
+{{:technical:ldap:ldap_rba_view.png|}}
 </panel>
+  * The View role will typically have the least components selected of the available three roles.
+---------
+====== Adjusting the rights of a role ======
+  * Should you need to adjust the rights for one of the roles, there is a dedicated section in the Wiki which covers that topic.