LDAP Authentication
From FiFormsWiki
The development (CVS) version of FiForms contains a new experimental feature that allows FiForms applications to authenticate against an LDAP server, such as Active Directory. This could be particularly useful, for example, in a business or organization in which user accounts are already set up in Active Directory, since users could log in to their FiForms applications using their Windows login password.
Configuring LDAP or LDAPS Authentication
Add the following settings into your localconfig.php:
$FIFORMS_CONFIG['AUTH_MODULE'] = $FIFORMS_CONFIG['INCLUDE_PATH']."FiForms_CookieAuthLDAP.inc.php";
$FIFORMS_CONFIG['LDAP_DOMAIN'] = 'example.com';
$FIFORMS_CONFIG['LDAP_SERVER'] = 'ldaps://adserver.example.com';
Using Secure LDAP (LDAPS)
We strongly recommend that you use LDAPS (LDAP over SSL) to securely authenticate against your LDAP server, especially if your LDAP server is located on a separate machine and there is any possibility that the connection between your servers could be compromised. Your LDAP or Active Directory server must be configured to support LDAP over SSL (for Active Directory, see http://support.microsoft.com/kb/321051). On your web server, you will need a copy of your CA's root certificate (the one that identifies the certificate authority that issued the SSL certificate for your LDAP server). Copy this file to a location that is readable by your web server process, for example, /etc/ssl/certs/my_ad_cacert.pem. Then add the following lines to the file /etc/ldap/ldap.conf (C:\OpenLDAP\sysconf\ldap.conf on Windows):
TLS_CACERT /etc/ssl/certs/my_ad_cacert.pem
TLS_REQCERT demand
Many forums online recommend the following setting:
TLS_REQCERT never
However, this loses almost all the benefit of using SSL, as your connection is susceptible to being redirected to a bogus LDAP server without any warning.
Finally, restart your web server to reload the LDAP settings, and try logging in.
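Before restarting, the two ldap.conf settings described above can be checked with a small script. This is an added example, not part of FiForms; the function name audit_ldap_conf is hypothetical, and it assumes that a missing TLS_REQCERT line or any value other than demand or hard should be reported.

```shell
#!/bin/sh
# Added example (not FiForms code): audit an OpenLDAP client config file.
# audit_ldap_conf FILE prints one finding per line and returns 0 only when
# TLS_REQCERT is demand/hard and TLS_CACERT names a file readable by the
# user running the script. Returns 1 on a finding, 2 if FILE is unreadable.
audit_ldap_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "FAIL cannot read $conf"; return 2; }
    reqcert=""
    cacert=""
    rc=0
    # Keywords in ldap.conf are case-insensitive; '#' starts a comment line.
    # The '|| [ -n "$key" ]' part handles a last line with no newline.
    while read -r key value || [ -n "$key" ]; do
        case $key in ''|'#'*) continue ;; esac
        key=$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]')
        case $key in
            TLS_REQCERT)
                reqcert=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')
                case $reqcert in
                    demand|hard) ;;
                    *) echo "FAIL TLS_REQCERT $reqcert does not enforce certificate validation"
                       rc=1 ;;
                esac ;;
            TLS_CACERT) cacert=$value ;;
        esac
    done < "$conf"
    if [ -z "$reqcert" ]; then
        echo "FAIL TLS_REQCERT is not set explicitly"; rc=1
    fi
    if [ -z "$cacert" ]; then
        echo "FAIL TLS_CACERT is not set"; rc=1
    elif [ ! -r "$cacert" ]; then
        echo "FAIL TLS_CACERT $cacert is not readable by this user"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK TLS_REQCERT $reqcert, TLS_CACERT $cacert"
    fi
    return "$rc"
}

# Stand-alone use: sh audit_ldap_conf.sh /etc/ldap/ldap.conf
if [ "$#" -gt 0 ]; then
    audit_ldap_conf "$1"
fi
```

Run it as the account your web server process uses, since the readability check applies to whoever executes the script.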
