Details Screen
Last Updated: 18 May 2018
User Configuration
- User Type: Select which user type to use for the LDAP users. You can select to create users as either Backend Users, Simple Edit Users or Users. If your users do not need to edit the content of the Site (for example, they are member accounts), you can select to create User accounts. If they do need to edit content, you can create either Backend User accounts (access to the Administration Interface) or Simple Edit User accounts (access to Simple Edit interfaces only). By default, Backend User accounts will be created for LDAP users.
- Use User ID as Shadow ID: Enabling this option will use the LDAP User's user ID attribute value as the shadow asset ID component.
For example, an LDAP User's username would then go from something like this:
123:CN=johnsmith,OU=Staff,O=Squiz,C=au,DC=ademo,DC=squiz,DC=net
To something like this:
123:johnsmith
This also means that your LDAP Users in Matrix won't get affected if you change the user groups or DN structure in your LDAP configuration or IDP.
If you switch this setting on an existing system, and there are references to LDAP users outside of the bridge, the ldap_update_bridge_references.php script will also need to be run in order to update all existing references in the database.
You can create System Administrator accounts for LDAP users by linking their accounts in the System Administrators Folder in the Asset Map. Once their account is in this folder, Squiz Matrix will treat it in the same way as a System Administrator account. To be able to do this, however, you need to create Backend User accounts for the LDAP users.
Connection Details
This section allows you to enter the settings for the LDAP directory that you want to use.
- Connection Status: This field will show whether or not it can connect to the LDAP directory using the information specified in the fields below. By default, it will say Unable to connect. Once you have entered the required information and clicked Commit, if it can connect, this will change to Connected. If it does not change, it may mean that the information you have entered is incorrect.
- System Type: Select which type of LDAP directory you are using. These options include OpenLDAP and Active Directory.
- Options: The options available are as follows:
- Use Protocol Version 3: Select this option if you are using version 3 for the LDAP directory.
- Disallow Referrals: Some Active Directory installations may require this option to be set. If you have trouble connecting to a directory (e.g. the system hangs when expanding the LDAP Bridge asset in the Asset Map) you may need to select this option.
- Aliases: Select whether aliases are Never dereferenced, Dereferenced during search, Dereferenced when locating the base object or Dereferenced always. Please note, this is a fairly advanced feature that requires knowledge of whether and how the LDAP directory uses aliases.
- Host: Enter the host to use to connect to the LDAP directory.
- Port: Enter the port to use to connect to the LDAP directory.
- Base DN: Enter the base DN of the LDAP directory.
- Bind DN: Enter the DN of the user to bind as. This user account must exist underneath the specified Base DN, otherwise the LDAP Bridge may not be able to connect successfully. If you want to use a user that is outside of the Base DN, enter their DN into the Auth DN field below. If this field is left blank, the LDAP Bridge will assume that the LDAP directory should be accessed anonymously and the Password field will be ignored. To do this, however, the LDAP directory must be set up to allow anonymous binding.
- Password: Enter the password to use when connecting to the LDAP directory.
- Auth DN: If you want to bind as a user that exists outside of the Base DN, enter their DN into this field. Otherwise, if they exist under the Base DN, enter their DN into the Bind DN field.
- Auth Filter: Enter an Auth Filter that will be used when Squiz Matrix attempts to authenticate an LDAP user for logging in. If Use Default Filter is enabled, a default filter of "({User ID}=%username%)" will be used. Disable this setting to enter a custom Auth Filter. For example, you can enter a filter specification to restrict the users who are allowed to authenticate to the LDAP system. A filter specification such as (ou=Sydney) could be used to restrict authentication to users within the Sydney office. Boolean combinations can be used to further refine filtering, for example, (&(ou=Sydney)(ou=Developers)) to restrict authentication to developers in the Sydney office. You can also use the Auth Filter to allow users to log in using either their username or their email address with something like (|(uid=%username%)(mail=%username%)).
- Recursive Parent Groups: Specify whether or not the LDAP Bridge should recursively return all parent groups of an LDAP User when they log into the system. These parent groups are used to define the permissions of users within Squiz Matrix. By default, this field is enabled; disabling this option can speed up the LDAP login process by only retrieving a user's immediate parent groups.
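As an added illustration of how an Auth Filter template expands (example code, not part of Squiz Matrix), the snippet below substitutes the {User ID} and %username% placeholders from the filters above into a finished LDAP search filter. The attribute name substituted for {User ID} and the escaping step are assumptions of this example: RFC 4515 requires filter metacharacters in an assertion value to be escaped so a login name is only ever matched literally.

```python
"""Expand an LDAP Bridge style Auth Filter template (added example)."""

# RFC 4515 escapes for characters that would otherwise change filter structure.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it matches only as a literal string."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_auth_filter(template: str, username: str, user_id_attr: str = "uid") -> str:
    """Replace {User ID} with the configured attribute name (assumed here to be
    the LDAP attribute holding the login name) and %username% with the escaped
    login name the user typed."""
    filt = template.replace("{User ID}", user_id_attr)
    return filt.replace("%username%", escape_filter_value(username))


def is_balanced(filt: str) -> bool:
    """Sanity check: every '(' in the finished filter has a matching ')'."""
    depth = 0
    for ch in filt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # Constructed sample templates, based on the filters documented above.
    templates = [
        "({User ID}=%username%)",                       # the default filter
        "(&(ou=Sydney)(ou=Developers)({User ID}=%username%))",
        "(|(uid=%username%)(mail=%username%))",         # username or email
    ]
    for tpl in templates:
        for name in ("johnsmith", "john.smith@example.com", "a*b(c)"):
            result = build_auth_filter(tpl, name, "sAMAccountName")
            print(f"{name!r:28} -> {result}  balanced={is_balanced(result)}")
```

Run directly, the script prints each expanded filter; a login name containing `*`, `(` or `)` appears escaped as `\2a`, `\28` or `\29` rather than altering the filter's structure.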
Cache Options
- Caching Status: Setting this value to On will enable caching for the LDAP Bridge, which means it will only make requests back to the LDAP server once the cache has expired. Enabling this setting can significantly improve performance for users logged in to the system using an LDAP User account.
- Cache Expiry: The length of time an LDAP result cache entry is valid in seconds. When this value is set to zero or not supplied, the cached LDAP result will expire after the Default Expiry period set on the Cache Manager.
The Caching Status on the Cache Manager must also be enabled in order for caching on LDAP Bridges to take effect.