Elgg 1.1 LDAP Setup Working

Andrew Chlup — Thu, 27 Nov 2008 14:16:06 +0000

I’ve finally had a chance to play with the new version of Elgg. The first order of business was to getting LDAP working for authentication and account creation. While the interface was quite a bit different, the setup was very similar to the previous version. As an added bonus the configuration is done through the web interface without needing to edit configuration files.

Things you need:

Running Elgg Installation
Running LDAP Server with user information
LDAP Browser tool (I prefer JXplorer) highly recommended

Section 1: Verify Elgg and LDAP are working

You should begin by verifying that both your Elgg and LDAP are working correctly. You can check your Elgg installation by navigating to your Elgg site and logging in as the admin user. If you can log in and navigate around then your Elgg install is most likely good.

Elgg Install

Now we need to make sure that you can access your LDAP remotely. I’ve found that JXplorer is a great JAVA based LDAP tool. Download JXplorer and try making a connection with your LDAP info.

JXplorer Connection Menu

If the connection is successful then you see you LDAP data in the results menu. You will need to drill down through your LDAP until you get to users. Choose a user and click the “Table Edit” tab. The “Table Edit” view allows you to see all of the user atributes.

Table View in JXplorer with user attributes

If you have successfully verified you Elgg installation and connected to your LDAP server remotely, you are ready to setup Elgg LDAP authentication.

Section 2: Install and Configure the LDAP plugin from the Elgg admin UI

First, log into your Elgg installation as an admin user. Navigate to the admin page from the dashboard link “administration”. Once there, click on the “Tool Administration” link. This will bring all of the Elgg plugins you have on your installation. If you have the plugin for LDAP you will see a plugin named “ldap_auth”.

If you are missing “ldap_auth” you will need to go to elgg.org and download it. Take the “ldap_auth” folder and put it in /mod/. The “mod” folder holds all of the Elgg plugins.

You can either refresh you page or log back into your Elgg install and you should now see “ldap_auth”.

Now you need to configure your LDAP settings for authentication. You open the configuration by clicking the “more info” link underneath “ldap_auth”.

LDAP_Auth settings

Begin by putting in your host settings that you verified with JXplorer.

**Make sure that your Elgg server can resolve your LDAP servers DNS!**

Next we’ll configure the LDAP settings.

LDAP Settings

Step1: Bind Info

If you can do anonymous binds to your LDAP server than leave bind DN and bind password blank. Otherwise fill in the entire LDAP string for your bind DN (i.e. uid=,cn=users,dc=ldap,dc=edsysad,dc=org) and password.

Step2: Base DN

This is the value you used to connect to your LDAP with jXplorer.

Step3: Username filter attribute

The plugin gives the three most username attributes for Linux and OS X “uid” and Windows AD “sAMAccountName”. If you use a non-standard attribute for username then it may be different.

Step4: Search attributes:

This step is the most important because it maps LDAP attributes to the variables needed for account creation and authentication. In most cases, the example given “firstname:givenname, lastname:sn, mail:mail” works but verify the attributes using jXplorer.

Step5: Create Users

When enabled this allows Elgg to create a new user account when a user authenticates to your Elgg installation. It means that any user in your LDAP directory can create an account. When disabled, LDAP users with a local account will get an error while users with a local account can login using their LDAP password.

Section 3: Test LDAP authentication

Try logging in as a LDAP user. If all is well their account should automatically be created. If not then verify your LDAP connection settings and verify your attribute mappings.

Adding SSL Support to OpenDirectory Replica

Andrew Chlup — Sat, 01 Nov 2008 00:24:11 +0000

While configuring our web filter, we realized that Apple’s default master/slave setup only allows LDAPS through the master server. This has some major limitations in regards to the usefulness of replicas. It turns out that one simple terminal command solves the problem.

sudo slapconfig -setldapconfig -ssl on -sslcert /etc/certificate/.crt -sslkey /etc/certificate/.key -ssldomain

If there’s a way to do this through the GUI I couldn’t find it. Hope this helps somebody else out there.

Elgg LDAP Problem Solved…

Andrew Chlup — Wed, 05 Mar 2008 03:17:22 +0000

As I was experimenting with Elgg and LDAP, I realized that none of the users create via LDAP authentication would so up in browse until somebody added them as a friend. Of course adding somebody who doesn’t show up in the list is a bit difficult so it was sort of a deal breaker.

It turns out that the friends able is used someway in the browse feature and users that register themselves are automatically made friends with a “0″ user that doesn’t really exist. So basically, you have to add a little code to the /auth/LDAP/lib.php and then your LDAP created users will work wonderfully.

Basically, I slightly modified a post that I found on the Elgg forums.

1. Find line 153:

$user_id = insert_record(‘users’,$user);

2. Add the following below:

// adds “virtual” friend, so that user has at least one connection, and shows up in the browse feature.
$newid = user_info_username(‘ident’, $username);
$owner = 0;
$f = new StdClass;
$f->owner = $owner;
$f->friend = $newid;
$f->status = ‘perm’;

insert_record(‘friends’,$f);

The additionally code simple grabs the new users “ident” from the User table and inserts a friend record with the shadowy “0″ user.

Now, if I can just figure out how to setup the tag cloud to work correctly.

edsysad.org » ldap