NP_LDAPAuth.php

Allows you to use an existing LDAP directory for the user authentication credentials. Requires Nucleus 3.40 or higher.

1. Unzip the file and upload the contents to your plugin directory
2. Install the plugin
3. Set the options to match your environment, see below

Set the options to match your LDAP server, then enable it.

• None

• Save Options on uninstall? - Whether your settings (configuration) should be saved if you uninstall the plugin. (yes). Should only be set to no if you are removing the plugin forever, otherwise it will keep your options in the event of an uninstall as part of an upgrade.
• Enable LDAP Auth - Whether LDAPAuth should be enabled (no). Turn it on (yes) when you are ready to permit ldap authentications.
• Host, including port and protocol, to LDAP server - Host address, including protocol and port of your ldap server. (ldap://ldap.example.com:389). The default value will not work for you. An example for a secure ldap server might be ldaps:ldap.example.com:636. When using secure ldap servers, you must use the hostname in the server's SSL certificate, and the web server must trust the CA who issued the LDAP server certificate. * DN of read-capable account to search for user DN - Distinguished name of LDAP user who has read access to entire user structure of the LDAP server (cn=nucleusreader,cn=users,dc=example,dc=com). Again, default won't work for you. This user will be used to search the directory for the user with a certain attribute matching the login name entered by the user. * password used by the search account - password used by the above LDAP account (). * Base DN where searches should begin - Base in LDAP tree where the searches for users should begin (dc=example,dc=com). Should match your structure. For example, if all your users are in an ou=users, then set the base dn to ou=users,dc=example,dc=com to limit the search to that part of the tree. * name of ldap object class for user entries - LDAP objectclass of your user entries (*). The default means yoru users might be of any class. Usually, user objects have multiple classes, i.e. person, inetorguser, top. Pick one that is common to all users, but not to other objects, like groups. Used in ldap search filter. * Advanced. Leave blank if not sure. LDAP query used to find user DN. Use %LOGIN% for user-entered login name. e.g. (&(objectClass=person)(uid=%LOGIN%)) - Name says it all here. This allows a custom filter to be used to match the loginname entered by the user to a user object in the directory. (). Only use this if you understand LDAP search filters! * LDAP Protocol version to use - LDAP Protocol version to use (3). Should probably not need to change this. * name of ldap attribute storing the user login name - LDAP attribute that stores the loginname you want entered by the user (uid). For Active Directory servers, this is probably the samaccountname attribute. * LDAP attribute to use as Nucleus display name - LDAP attribute to use as Nucleus display name (uid). The ldap user gets mapped to a nucleus user, the value of this attribute will be used as the display name in nucleus (it may get normalized to meet restrictions on valid nucleus displaynames). * LDAP attribute to use as Nucleus real name - LDAP attribute to use as Nucleus real name (cn). The ldap user gets mapped to a nucleus user, the value of this attribute will be used as the real name in nucleus. * LDAP attribute to use as Nucleus email address - LDAP attribute to use as Nucleus email address (email). The ldap user gets mapped to a nucleus user, the value of this attribute will be used as the email in nucleus. * Comma separated list of blogids to which user should be added as team member - List the blogs to which authenticated members should be added (0). The default, 0, will not add ldap users to any blog teams. To add them to blogs 2 and 7, enter 2,7. This is pretty limited and might be improved later if there is a need. * Are Nucleus admin users permitted to login using LDAP - Should nucleus admin users be allowed to login using ldap credentials? (no). The default, no, forces nucleus admin users to login using local credentials. There is a small possible security risk in allowing ldap users to have admin access to nculeus, so if you want it, turn it on. =====Tips and Tricks===== You will need to know a bit about LDAP and the structure of your LDAP (AD) tree to get this working. Also, consider any firewalls that might be between your web server and the ldap server. This won't be for the novice. =====Wishlist===== =====Bugs===== =====History===== * Version 0.6, released 05 Oct 2009 * small change to allow for longer displaynames in Nucleus CMS v 3.50 * Version 0.5, released 24 June 2009 * initial release