Authenticating Against An Ldap Directory

  1. Home
  2. Authenticating Against An Ldap Directory

Authenticating Against An Ldap Directory

The piler gui can authenticate users against various LDAP directories.

Prerequisite: have an LDAP directory with all your users, distribution lists, etc.

Generic steps: enable LDAP authentication, and create a helper account

The piler gui requires a (preferably read-only) LDAP account that can run ldap queries.

$config['ENABLE_LDAP_AUTH'] = 1;
$config['LDAP_HOST'] = 'your.ldap.host';
$config['LDAP_HELPER_DN'] = '..........';
$config['LDAP_HELPER_PASSWORD'] = 'xxxxxxx';

// set this if you want to limit the scope of the ldap query
$config['LDAP_BASE_DN'] = '';

For ldaps connections you should add the following to /etc/ldap/ldap.conf:

TLS_REQCERT never

Settings for Zimbra

$config['ENABLE_LDAP_AUTH'] = 1;
$config['LDAP_HOST'] = 'zimbra.yourdomain.com';
$config['LDAP_MAIL_ATTR'] = 'mail';
$config['LDAP_ACCOUNT_OBJECTCLASS'] = 'zimbraAccount';
$config['LDAP_DISTRIBUTIONLIST_OBJECTCLASS'] = 'zimbraDistributionList';
$config['LDAP_DISTRIBUTIONLIST_ATTR'] = 'zimbraMailForwardingAddress';
$config['LDAP_HELPER_DN'] = 'uid=zimbra,cn=admins,cn=zimbra';
$config['LDAP_HELPER_PASSWORD'] = 'xxxxxxx';

That’s all, the gui will forward authentication requests to the ldap server. If You need auditor or additional admin users, then create them manually in the gui.

Settings for Lotus Domino

$config['LDAP_MAIL_ATTR'] = 'mail';
$config['LDAP_ACCOUNT_OBJECTCLASS'] = 'dominoPerson';
$config['LDAP_DISTRIBUTIONLIST_OBJECTCLASS'] = 'dominoGroup');
$config['LDAP_DISTRIBUTIONLIST_ATTR'] = 'mail';
$config['LDAP_HELPER_DN'] = '.........';
$config['LDAP_HELPER_PASSWORD'] = 'xxxxxxx';

Settings for iredmail

$config['LDAP_MAIL_ATTR'] = 'mail';
$config['LDAP_ACCOUNT_OBJECTCLASS'] = 'mailUser';
$config['LDAP_BASE_DN'] = 'o=domains,dc=yourdomain,dc=com';
$config['LDAP_DISTRIBUTIONLIST_OBJECTCLASS'] = 'mailList';
$config['LDAP_DISTRIBUTIONLIST_ATTR'] = 'memberOfGroup';
$config['LDAP_HELPER_DN'] = 'cn=vmailadmin,dc=yourdomain,dc=com';
$config['LDAP_HELPER_PASSWORD'] = 'xxxxxxx';

Note that the gui grants regular user permissions for everyone authenticated successfully against ldap. If certain users need auditor rights, then create a group in ldap, and put the auditors to this group. Then set this value to LDAP_AUDITOR_MEMBER_DN in config-site.php:

// the value is case sensitive!
$config['LDAP_AUDITOR_MEMBER_DN'] = 'CN=PilerAuditors,CN=Users,DC=your,DC=domain,DC=com';

The same can be done with admin users, too:

// the value is case sensitive!
$config['LDAP_ADMIN_MEMBER_DN'] = 'CN=PilerAdmins,CN=Users,DC=your,DC=domain,DC=com';