From OpenDCIM Wiki
Jump to: navigation, search
(LDAP Configuration)
Line 11: Line 11:
  
 
=== LDAP Configuration ===
 
=== LDAP Configuration ===
 +
 +
There are several attributes related to LDAP that you can configure.  Most are simply entering in site specific Distinguished Names that relate to the various access rights within openDCIM.
 +
 +
'''Server''': Any valid LDAP uri should work
 +
 +
'''Base DN''': If you're not sure what this means, you should find someone within your organization that is familiar with your LDAP setup.  This refers to the domain within the LDAP server that you are formulating your queries.
 +
 +
'''Bind DN''': The distinguished name that we will use for binding to the LDAP server.  Note the use of ''%userid%'' in the default value - that section will be replaced by the UserID that is entered by users.
 +
 +
'''LDAP Session Expiration''': The maximum amount of time that a user may remain logged in.  This is not an idle time expiration - it is a maxmimum time from login until expiration.  If you leave this at 0, the session will remain active until the browser is closed or the user explicitly logs out.
 +
 +
 +
-- Group Membership --
 +
 +
There are entries relating to each of the access rights within the openDCIM application.  Once a user logs in, the system will query the LDAP server to get a list of group memberships, and any groups that match a given DN will grant the corresponding access right.
 +
 +
Rights are only checked at the initial login, so any changes made on the LDAP server would not take effect until the user logs out.  Also any changes made to the database for a user record will be overwritten upon the next login (other than Phone, Email, and APIKey).

Revision as of 12:44, 1 April 2016

LDAP Integration

Changing Existing Installations from Apache to LDAP Authentication

If you are already running openDCIM that is an older version than 4.2, it is suggested that you simply make no changes to the authentication configuration until after you upgrade to version 4.2. From that point the LDAP configuration screens can easily be configured by a user with SiteAdmin privileges and in case you get them wrong, you can flip back and forth between LDAP and Apache authentication via your config file.

New Installations

Step 1 - Watch the YouTube video that I made showing how to do a new installation with LDAP. Step 3 - Profit!

LDAP Configuration

There are several attributes related to LDAP that you can configure. Most are simply entering in site specific Distinguished Names that relate to the various access rights within openDCIM.

Server: Any valid LDAP uri should work

Base DN: If you're not sure what this means, you should find someone within your organization that is familiar with your LDAP setup. This refers to the domain within the LDAP server that you are formulating your queries.

Bind DN: The distinguished name that we will use for binding to the LDAP server. Note the use of %userid% in the default value - that section will be replaced by the UserID that is entered by users.

LDAP Session Expiration: The maximum amount of time that a user may remain logged in. This is not an idle time expiration - it is a maxmimum time from login until expiration. If you leave this at 0, the session will remain active until the browser is closed or the user explicitly logs out.


-- Group Membership --

There are entries relating to each of the access rights within the openDCIM application. Once a user logs in, the system will query the LDAP server to get a list of group memberships, and any groups that match a given DN will grant the corresponding access right.

Rights are only checked at the initial login, so any changes made on the LDAP server would not take effect until the user logs out. Also any changes made to the database for a user record will be overwritten upon the next login (other than Phone, Email, and APIKey).