
ocPortal Tutorial: Integrating ocPortal into a corporate network via LDAP

Written by Chris Graham, ocProducts
The functionality described in this tutorial is only available in the enterprise version of ocPortal - now available for free from our community forums.




Configuring

Screenshot: Configuring LDAP support

To use LDAP, you must be using ocPortal's inbuilt forum system, OCF. LDAP is enabled after ocPortal installation, from the Admin Zone configuration, while logged in with the 'admin' username that was defined when ocPortal was installed. This username remains functional even if there are problems with LDAP, so that you can fix the settings without having to manually adjust the configuration in the ocPortal database.

LDAP is known as a directory service, and in theory all the LDAP servers of the world together form one combined directory. Because of this, each LDAP server is given a position in the directory, specified in LDAP DN (distinguished name) syntax; this is known as the base-DN, and the system administrator of the network should be able to identify it. The base-DN is usually based on the DNS domain name of the network the LDAP server serves; for example, dc=intranet,dc=ocportal,dc=com might be used for the domain intranet.ocportal.com. It is important to use the DNS name of the domain, not the DNS name of the server on that domain.


Screenshot: When LDAP is working, login is a snap

Screenshot: After logging in for the first time, ocPortal will ask for some details to be finalised

The configuration requires that you either perform an 'anonymous bind', or provide credentials for a user in the directory that has full read access to everything ocPortal needs from every account. Whether an 'anonymous bind' will work depends on your network: it does not work on Active Directory by default, but does on OpenLDAP. An anonymous bind would need the same full read access that a specified user would.

The LDAP standard is more concerned with protocol and structure than with the actual schema used to hold information. Therefore there are significant differences between implementations, and each must be considered as a separate case.

Active Directory

Screenshot: Adding a user to Active Directory

Active Directory is a fundamental part of post-NT Windows networking (at the time of writing: Windows 2000, Windows XP and Windows Server 2003). It resides on the domain controller(s) of the network, and is an LDAP-based system that holds a lot of information, especially about users and user-groups.

As Active Directory is so standard across Windows, ocPortal has good support for its schema.

The user-group 'Administrators' is mapped to the ocPortal Administrators user-group.
The user-group 'Users' is mapped to the lowest-ranking ocPortal member user-group.

OpenLDAP

ocPortal supports the NIS (aka POSIX) schema. This is the schema installed on the server so that Linux clients can log in using the LDAP database for their full credentials. There may be variations of the schema installed on different networks, so it may be necessary to approach ocProducts for consultation to make sure ocPortal can handle your specific configuration.

The user-groups 'root' and 'admin' are mapped to the ocPortal Administrators user-group.
The user-group 'users' is mapped to the lowest-ranking ocPortal member user-group.
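As an added illustration (not ocPortal's own code), the Python below derives a base-DN from a DNS domain name as described in the Configuring section and applies the group mappings listed for the Active Directory and OpenLDAP (NIS/POSIX) schemas to constructed sample directory entries. The function names, the 'lowest member group' label and the sample entries are assumptions made for this example.

```python
import re

def base_dn_from_domain(domain: str) -> str:
    """Derive the base-DN (e.g. dc=intranet,dc=ocportal,dc=com) from a DNS
    domain name. Use the network's domain, not the LDAP server's host name."""
    labels = [p for p in domain.strip().rstrip(".").lower().split(".") if p]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)

def rdn_value(dn: str) -> str:
    """Value of the first RDN of a DN. A backslash-escaped comma inside the
    value is kept as part of the value instead of being treated as a separator."""
    first = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    return first.split("=", 1)[1].replace("\\,", ",").strip()

def ad_groups(user_entry: dict) -> set:
    """Group names from an Active Directory user's memberOf attribute.
    memberOf holds direct memberships only; nested and primary-group
    membership would need a separate lookup."""
    return {rdn_value(dn) for dn in user_entry.get("memberOf", [])}

def posix_groups(uid: str, group_entries: list) -> set:
    """Group names from NIS/POSIX group entries whose memberUid lists uid."""
    return {g["cn"] for g in group_entries if uid in g.get("memberUid", [])}

# Directory group names the tutorial says ocPortal maps automatically.
ADMIN_GROUPS = {"active_directory": {"Administrators"}, "openldap": {"root", "admin"}}
MEMBER_GROUPS = {"active_directory": {"Users"}, "openldap": {"users"}}

def ocportal_group(schema: str, ldap_groups) -> str:
    """Map a user's LDAP group names to an ocPortal user-group; an
    administrator match takes precedence over ordinary membership."""
    names = set(ldap_groups)
    if names & ADMIN_GROUPS[schema]:
        return "Administrators"
    if names & MEMBER_GROUPS[schema]:
        return "lowest member group"
    return "unmapped"  # left to the LDAP synchronisation module to decide

# Constructed sample entries, not taken from any real directory.
SAMPLE_AD_USER = {
    "sAMAccountName": "jsmith",
    "memberOf": ["CN=Administrators,CN=Builtin,DC=intranet,DC=ocportal,DC=com",
                 "CN=Web\\, Team,OU=Groups,DC=intranet,DC=ocportal,DC=com"],
}
SAMPLE_POSIX_GROUPS = [
    {"cn": "users", "gidNumber": 100, "memberUid": ["jsmith", "akhan"]},
    {"cn": "admin", "gidNumber": 4, "memberUid": ["akhan"]},
]
```

Any group that maps to neither ocPortal group is reported as "unmapped", which is the case the LDAP synchronisation module described below exists to resolve.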

Changed ocPortal behaviour

Screenshot: Synchronising with LDAP (ocPortal doesn't duplicate LDAP information, but some parameters need to be set and clean-ups done, which this tool assists)

When you use ocPortal with LDAP, there are some necessary changes to how ocPortal behaves:
  • Automatic mapping between the standard ocPortal user-groups and LDAP user-groups will be performed, even when the names do not quite correlate. For example, an administrator in LDAP will automatically be an administrator in ocPortal.
  • Unless you explicitly allow it, joining on ocPortal will be disabled, in favour of only allowing new LDAP accounts to be seen. ocPortal assumes all LDAP account management is done elsewhere, and only uses read-only access to the LDAP data.
  • It is necessary to use the LDAP synchronisation module to choose which LDAP groups will be featured in ocPortal. This is done for reasons of cleanliness: often an LDAP database will consist of many cryptic groups that would look out of place on the portal.
  • When an LDAP user logs in for the first time, ocPortal will ask them for some supplementary information (such as their e-mail address) in order to complete the ocPortal profile. This is because LDAP usually does not hold this data, but ocPortal requires it.
  • Passwords and user-names of LDAP users cannot be changed.
  • LDAP users may not change their user-group membership from within ocPortal.
  • The 'lost password' feature will not work for LDAP users.

Concepts

LDAP
Lightweight Directory Access Protocol; a scheme that allows many systems to share authentication and user profile information
OpenLDAP
An Open Source LDAP system
Active Directory
The Windows Server LDAP system
NIS
Network Information Service; the traditional network-based authentication scheme used on Linux, whose schema OpenLDAP and Linux use for Linux authentication
POSIX
A standardisation effort for Unix/Linux that has implications for users and user-groups
Domain Controller
A Windows Server that manages authentication for a Windows Domain (a contained Windows network)
directory service
A service available on a network for looking up entries in a directory. LDAP is an example of a protocol that provides a directory service; the directory is most often one of users
