Active Directory

This login module will query a Microsoft Active Directory server. An example configuration is:

<jarvis>
    <app>
        <login module="Jarvis::Login::ActiveDirectory">
            <parameter name="server"        value="company-pdc"/>
            <parameter name="bind_username" value="bind user"/>
            <parameter name="bind_password" value="bindpass"/>
            <parameter name="base_object"   value="OU=OFFICE,DC=COMPANY,DC=LOCAL"/>
            <parameter name="search_filter" value="samaccountname"/>
            <parameter name="use_tls"       value="1"/>
            <parameter name="group_lookup"  value="memberOf"/>
        </login>
        ...

The parameters are (attribute, default, notes):

server
    Default: (none). [Required] IP address or resolvable DNS name locating the primary domain controller. Secondary controllers are not supported.
port
    Default: 389. IP port number.
bind_username
    Default: "". The username to be specified at the bind attempt.
bind_password
    Default: "". The password to be specified at the bind attempt.
base_object
    Default: (none). [Required] The base object to be specified in the search request.
no_password
    Default: 0. If set true, the module will skip the password checking.
allowed_groups
    Default: "". Comma-separated list of groups. If specified, restricts login to users who belong to at least one of the allowed groups. The wildcard * is supported.
use_tls
    Default: 0. Enables LDAP authentication using the TLS protocol for each bind attempt.
search_filter
    Default: samaccountname. Overrides the attribute used in the search filter when looking up user records.
group_lookup
    Default: memberOf. Which mechanism to use to determine which groups a user is a member of. Supports memberOf and query.
group_base
    Default: (none). If query is specified for group_lookup, this determines the root base to use when searching for groups belonging to the user DN.
group_object_class
    Default: groupOfNames. If query is specified for group_lookup, this determines the object class to search for when searching for groups belonging to the user DN.
group_member_class
    Default: member. If query is specified for group_lookup, this determines the attribute of the group_object_class to match when searching for groups belonging to the user DN.
group_member_bind
    Default: dn. If query is specified for group_lookup, this determines the user attribute to match against the group_member_class. Supported options are dn or uid.

The module will bind to the AD server with the bind username and password. It will request a search of the full tree below the base object, with full dereferencing. The filter matches the search_filter attribute (samaccountname by default) against the username offered to Jarvis for this login attempt.

If group_lookup is configured as memberOf, the search also asks for all memberOf attributes of the user.

If group_lookup is configured as query, an additional query is made against group_base for any instances of group_object_class whose group_member_class matches either the user's DN or UID, depending on the configuration of group_member_bind.

If the user exists, Jarvis then assembles the group list from the group lookup. Then Jarvis unbinds, and attempts to rebind with the user-supplied username and password, instead of the plugin-defined values. If the rebind succeeds, then the user is validated.
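The same flow in Python, as an added example rather than Jarvis's own (Perl) code: the supplied username is escaped before it is spliced into the search filter, the group names are taken from the CN of each memberOf DN, allowed_groups is matched with * as the only wildcard, and an empty password is rejected before the rebind. The `ldap` object's `bind`/`search` interface and the `cfg` dictionary are assumptions standing in for the real LDAP client and the parameters above.

```python
import re

# RFC 4515 escaping for values spliced into a search filter (backslash first).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(username, search_attr="samaccountname"):
    # The username is data, never filter syntax: "(samaccountname=jsmith)".
    return f"({search_attr}={escape_filter_value(username)})"

def group_cn(dn):
    # First RDN of a memberOf DN, e.g. "CN=Web Admins,OU=Groups,DC=X" -> "Web Admins"
    # (assumption: the group name is the CN; escaped commas inside the RDN are kept).
    attr, _, val = re.split(r"(?<!\\),", dn, maxsplit=1)[0].partition("=")
    return val.strip() if attr.strip().upper() == "CN" else None

def login_permitted(groups, allowed_groups):
    # allowed_groups is the comma-separated config value; only "*" is a wildcard.
    # An empty list means no restriction; matching is case-insensitive (assumption).
    patterns = [p.strip() for p in allowed_groups.split(",") if p.strip()]
    if not patterns:
        return True
    regexes = [re.compile(re.escape(p).replace(r"\*", ".*") + r"\Z", re.IGNORECASE)
               for p in patterns]
    return any(rx.match(g) for g in groups for rx in regexes)

def authenticate(ldap, cfg, username, password):
    """Service bind -> user search -> group list -> rebind as the user.
    `ldap` is assumed to offer bind(who, password) -> bool and
    search(base, filter, attrs) -> list of {attr: [values]}; cfg holds the parameters."""
    if not password and not cfg.get("no_password"):
        return None  # empty password = LDAP unauthenticated bind (RFC 4513 5.1.2), not a login
    if not ldap.bind(cfg.get("bind_username", ""), cfg.get("bind_password", "")):
        return None
    flt = build_user_filter(username, cfg.get("search_filter", "samaccountname"))
    entries = ldap.search(cfg["base_object"], flt, ["distinguishedName", "memberOf"])
    if len(entries) != 1:
        return None  # unknown user, or an ambiguous match: refuse rather than pick one
    entry = entries[0]
    groups = [cn for cn in map(group_cn, entry.get("memberOf", [])) if cn]
    if not login_permitted(groups, cfg.get("allowed_groups", "")):
        return None
    # Rebind as the located entry's DN (Jarvis rebinds with the username it was given).
    if not cfg.get("no_password") and not ldap.bind(entry["distinguishedName"][0], password):
        return None
    return groups
```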