Differences

This shows you the differences between two versions of the page.

technical:ldap-integration-rba [2025/06/08 04:56] – [LDAP and Role Based Access (RBA)] system
technical:ldap-integration-rba [2025/06/08 06:35] (current) – [Adjusting the rights of a role] system
Line 17: Line 17:
 ----------------- -----------------
  
-====== Required Packages ====== +====== Group Attribute ====== 
-  * We use the Authentication **Plugin** available with CakePHP v4 and CakePHP v5 as the foundation for the LDAP integration+  * The RADIUSdesk implementation allows you to specify the LDAP attribute which contains the groups a user belongs to
-  * In the past we used the Auth **Component** which is now being replaced by the Authentication and Authorization **Plugins** in more recent versions of CakePHP+  * If you have an OpenLDAP deployment, you might have to add the //memberof// overlay. 
-  * The rdcore git code from 15 February onward will have the Authentication plugin included and active+  This link describes the process in more detail: https://tylersguides.com/guides/openldap-memberof-overlay/ 
-  * To add LDAP capability you also need to install the LDAP php library on the system hosting RADIUSdesk. +  * If you have an Active Directory deployment, make sure the user that does the initial bind can read the **memberOf** attribute
-<code bash> +  * This link covers the items you need to double check: http://www.michaelm.info/blog/?p=1435
-sudo apt-get install php-ldap +
-</code>+
  
 ----------------- -----------------
-====== LDAP Authentication Process ======+====== LDAP group to RBA mapping ======
  
-===== Bind (Initial Connection) ===== +===== Common Settings ===== 
-  - **Client connects:** The LDAP client (e.g., user authentication script) connects to the LDAP server+<panel type="primary"> 
-  **Bind request:** The client sends bind request to the serverwhich includes the username (or DN) and password+{{:technical:ldap:ldap_rba_common.png|}} 
-  **Server authenticates:** The server checks the username and password against its stored credentials+</panel> 
-  **Bind response:** If the credentials are validthe server responds with a bind response, indicating a successful connection.+  * The LDAP group to RBA mapping is optional functionality available as complement to the standard LDAP integration
 +  * To ensure that the LDAP user has pleasant experience the first time they log inwe pre-define the default Cloud and Realm they will be assigned to
 +  * As stated earlier, we also give the option to specify the attribute that will contain the groups the user belongs to
 +  * The recommended value is //memberof//all in lowercase.
  
-===== Search ===== +----------------- 
-  - **Search request:** The client sends a search request to the server, specifying the search base, scope, filter, and attributes to retrieve. +===== Admin ===== 
-  - **Server searches:** The server searches its directory based on the client's request+<panel type="primary"> 
-  - **Search response:** The server responds with a search response, containing the matching entries and their attributes.+{{:technical:ldap:ldap_rba_admin.png|}} 
 +</panel> 
 +   * The Admin role will typically include the most components to include.
  
-===== Bind on Search Result with Password ===== +----------------- 
-  **Client selects entry:** The client selects an entry from the search results. +===== Operator =====
-  **Client extracts DN:** The client extracts the DN (distinguished name) from the selected entry. +
-  **Bind request with DN and password:** The client sends a new bind request to the server, using the extracted DN and the user-provided password. +
-  **Server authenticates:** The server checks the DN and password against its stored credentials. +
-  **Bind response:** If the credentials are valid, the server responds with a bind response, indicating a successful authentication. +
- +
----------- +
-----------  +
-====== Configure LDAP ====== +
-  * LDAP Integration is configured under the settings tab. +
-  * One item that needs a bit more explanation is Filter. +
-  * The filter contains a special character (**%s**) which will be substituted with the username that the user provide to log in. +
-  * For active directory it will typically be **(&(objectClass=user)(samaccountname=%s))**. +
-  * This filter will be applied when searching to find the DN of the user who needs to be authenticated. +
- +
 <panel type="primary"> <panel type="primary">
-{{:technical:ldap:ldap_settings.png|}}+{{:technical:ldap:ldap_rba_operator.png|}}
 </panel> </panel>
 +  * The Operator role will typically have less components selected compared to the Admin role, but more components then the View role.
  
---------- +----------------- 
- +===== View =====
-====== Test LDAP Settings ====== +
-  * There is also a **Test LDAP Settings** Button that helps you to test the LDAP settings to ensure they work as intended. +
-  * The tests that will be done will be matching the **LDAP Authentication Process** described earlier on this page.+
 <panel type="primary"> <panel type="primary">
-{{:technical:ldap:ldap_settings_test.png|}}+{{:technical:ldap:ldap_rba_view.png|}}
 </panel> </panel>
 +  * The View role will typically have the least components selected of the available three roles.
 +
 +
 +---------
 +====== Adjusting the rights of a role ======
 +  * Should you need to adjust the rights for one of the roles, there is a dedicated section in the Wiki which covers that topic.
  
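Review bot: the new "Operator" bullet reads "more components then the View role"; it should be "than". Two more points in the added right-hand column: under "Group Attribute", the line "This link describes the process in more detail: https://tylersguides.com/guides/openldap-memberof-overlay/" is indented but carries no `*`, so DokuWiki renders it as a preformatted block instead of as part of the preceding bullet; make it a nested bullet or fold it into the bullet above. The closing "Adjusting the rights of a role" section refers to "a dedicated section in the Wiki" without linking it; add the internal link so the reader can find it. Since the mapping relies on the initial bind account reading **memberOf** (as the Active Directory bullet notes), consider also stating that a read-only account is sufficient for that purpose.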
  • technical/ldap-integration-rba.1749351374.txt.gz
  • Last modified: 2025/06/08 04:56
  • by system