I’ve finally had a chance to play with the new version of Elgg. The first order of business was getting LDAP working for authentication and account creation. While the interface was quite a bit different, the setup was very similar to the previous version. As an added bonus, the configuration is done through the web interface without needing to edit configuration files.
Things you need:
- Running Elgg Installation
- Running LDAP Server with user information
- LDAP Browser tool (I prefer JXplorer) highly recommended
Section 1: Verify Elgg and LDAP are working
You should begin by verifying that both your Elgg installation and your LDAP server are working correctly. You can check your Elgg installation by navigating to your Elgg site and logging in as the admin user. If you can log in and navigate around then your Elgg install is most likely good.

Elgg Install
Now we need to make sure that you can access your LDAP server remotely. I’ve found that JXplorer is a great Java-based LDAP tool. Download JXplorer and try making a connection with your LDAP info.

JXplorer Connection Menu
If the connection is successful then you will see your LDAP data in the results menu. You will need to drill down through your LDAP tree until you get to users. Choose a user and click the “Table Edit” tab. The “Table Edit” view allows you to see all of the user attributes.

Table View in JXplorer with user attributes
If you have successfully verified your Elgg installation and connected to your LDAP server remotely, you are ready to set up Elgg LDAP authentication.
Section 2: Install and Configure the LDAP plugin from the Elgg admin UI
First, log into your Elgg installation as an admin user. Navigate to the admin page from the dashboard link “administration”. Once there, click on the “Tool Administration” link. This will bring up all of the Elgg plugins you have on your installation. If you have the plugin for LDAP you will see a plugin named “ldap_auth”.

If you are missing “ldap_auth” you will need to go to elgg.org and download it. Take the “ldap_auth” folder and put it in <elgg home>/mod/. The “mod” folder holds all of the Elgg plugins.
You can either refresh your page or log back into your Elgg install and you should now see “ldap_auth”.
Now you need to configure your LDAP settings for authentication. You open the configuration by clicking the “more info” link underneath “ldap_auth”.

LDAP_Auth settings
Begin by putting in your host settings that you verified with JXplorer.
**Make sure that your Elgg server can resolve your LDAP server's DNS name!**
Next we’ll configure the LDAP settings.

LDAP Settings
Step 1: Bind Info
If you can do anonymous binds to your LDAP server then leave bind DN and bind password blank. Otherwise fill in the entire LDAP string for your bind DN (e.g. uid=<diruser>,cn=users,dc=ldap,dc=edsysad,dc=org) and password.
Step 2: Base DN
This is the value you used to connect to your LDAP with JXplorer.
Step 3: Username filter attribute
The plugin gives the three most common username attributes; Linux and OS X use “uid” and Windows AD uses “sAMAccountName”. If you use a non-standard attribute for username then it may be different.
Step 4: Search attributes
This step is the most important because it maps LDAP attributes to the variables needed for account creation and authentication. In most cases, the example given “firstname:givenname, lastname:sn, mail:mail” works, but verify the attributes using JXplorer.
Step 5: Create Users
When enabled, this allows Elgg to create a new user account when a user authenticates to your Elgg installation. It means that any user in your LDAP directory can create an account. When disabled, LDAP users without a local account will get an error while users with a local account can log in using their LDAP password.
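Steps 3 and 4 can be checked offline before saving the settings. The following is an added example, not code from the ldap_auth plugin: it parses the search-attributes string, checks it against one user's attributes, and builds an escaped username filter. The function names, the sample entry and the (attribute=username) filter shape are assumptions made for illustration.

```python
import re

# RFC 4515: characters that must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def build_user_filter(username_attr, username):
    """Build the filter that locates one user, e.g. (uid=jdoe).
    Assumed filter shape; the plugin's own query may differ."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", username_attr):
        raise ValueError("not an LDAP attribute name: %r" % username_attr)
    escaped = "".join(_ESCAPES.get(ch, ch) for ch in username)
    return "(%s=%s)" % (username_attr, escaped)

def parse_search_attributes(setting):
    """Parse 'firstname:givenname, lastname:sn' into {field: ldap_attr}."""
    mapping = {}
    for pair in setting.split(","):
        if not pair.strip():
            continue
        field, sep, ldap_attr = (p.strip() for p in pair.partition(":"))
        if not (sep and field and ldap_attr):
            raise ValueError("malformed mapping pair: %r" % pair.strip())
        mapping[field] = ldap_attr
    return mapping

def map_entry(mapping, entry):
    """Return (profile, missing): mapped values and the LDAP attributes
    the entry lacks. Attribute names are compared case-insensitively."""
    lowered = {name.lower(): values for name, values in entry.items()}
    profile, missing = {}, []
    for field, ldap_attr in mapping.items():
        values = lowered.get(ldap_attr.lower())
        if values:
            profile[field] = values[0]
        else:
            missing.append(ldap_attr)
    return profile, missing

# Constructed sample: one user's attributes as seen in the "Table Edit" view.
SAMPLE_ENTRY = {"uid": ["jdoe"], "givenName": ["Jane"], "sn": ["Doe"], "cn": ["Jane Doe"]}

if __name__ == "__main__":
    mapping = parse_search_attributes("firstname:givenname, lastname:sn, mail:mail")
    profile, missing = map_entry(mapping, SAMPLE_ENTRY)
    print(build_user_filter("uid", "jdoe"))
    print("mapped:", profile)
    print("missing from entry:", missing)
```

An attribute reported as missing means account creation would have no value for that field, so fix the mapping or the directory entry before enabling "Create Users".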
Section 3: Test LDAP authentication
Try logging in as an LDAP user. If all is well, their account should automatically be created. If not, verify your LDAP connection settings and your attribute mappings.