Good morning!
I just installed ProjectPier, and I'm quite happy with it so far.
I do have a question or two, regarding LDAP authentication. Whilst looking at the source code for the patch, we see this:
===================================================================
--- /trunk/language/en_us/administration.php (revision 2)
+++ /trunk/language/en_us/administration.php (revision 11)
@@ -47,5 +47,12 @@
'config option name theme' => 'Theme',
'config option desc theme' => 'Using themes you can change the default look and feel of ProjectPier',
-
+ 'config option name ldap_domain' => 'LDAP domain',
+ 'config option desc ldap_domain' => 'Your active directory domain',
+ 'config option name ldap_host' => 'LDAP host',
+ 'config option desc ldap_host' => 'Your active directory host name/IP',
+ 'secure ldap connection no' => 'No',
+ 'secure ldap connection tls' => 'Yes, use TLS',
+ 'config option name ldap_secure_connection' => 'Use secure LDAP connection',
+
// ProjectPier
'config option name upgrade_check_enabled' => 'Enable upgrade check',
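Review bot: 'config option name ldap_secure_connection' is added without a matching 'config option desc ldap_secure_connection' string, although ldap_domain and ldap_host each get both a name and a desc. Suggest adding a desc entry that says what choosing 'No' rather than 'Yes, use TLS' means for the connection. The two existing descriptions could also say what format is expected: 'Your active directory domain' does not tell an administrator whether to enter a DNS-style domain or a DN, and 'host name/IP' can be read as a literal "name/IP" pair.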
Index: /trunk/application/models/users/User.class.php
===================================================================
Fair enough.
However, when we do LDAP authentication with our webapps, we have a special user with its own Distinguished Name, that we use. This user has permission to check records against what's in AD, if you follow me.
It works like this: a user accesses the login page, and enters his username and password. Next, the application hits our domain controller with the distinguished name and password of that "special user" mentioned above, authenticates, and then checks the domain controller for the username of the person logging in, and verifies that the password entered is indeed correct.
That's how it normally goes.
Now, the code snippet above, for the LDAP patch is (obviously) engineered differently.
The name 'ldap_domain' and desc 'ldap_domain' confuse me. In times past, we used our domain "my-site.blah.mil" and that's fine, provided we specify a distinguished name, like so: "DC=my-site,DC=blah,DC=mil", and of course, the DN of that special user we use in creating the initial connection.
Can you guys please clarify precisely what's needed, for the 'ldap_domain' and desc 'ldap_domain' values and the "Your active directory host name/IP" (that wouldn't be example_name/000.000.000.000, as in name/ipaddress literally, would it?)
I apologize if these are dumb questions.
Thanks for your time!
You are correct: our patch does not use a single user to access the LDAP server. The credentials of the user who is logging in are used to connect to the LDAP server. If they can bind to the LDAP server, they are authenticated. Probably not the most robust or configurable way, but that's how we did it.
I'm not sure you are understanding what the values in "language/en_us/administration.php" are doing. They are not the configuration values themselves. They are just strings that are displayed in the administration area of the website. After installing the patch, you should be able to go to the "General" configuration area of ProjectPier. You will see 2 values for LDAP: LDAP Domain and LDAP Host.
LDAP Domain is a value that is appended to the user name, along with @. You could use your fully qualified domain. Ex: "user" becomes "user@ldap domain"
LDAP Host is the IP address or hostname of the LDAP server/Active Directory server to bind against.
Cheers
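The direct-bind flow described in the reply above, written out in PHP as an added example (not the patch's or ProjectPier's own code). The function names, the user-name allow-list and the `example.test` domain are assumptions made for illustration; the point it adds is that an empty password must be rejected before the bind and that TLS is started before any credential is sent.

```php
<?php
// Added example; all names here are hypothetical, not ProjectPier's.

/** Build "user@ldap domain"; return null for input that must never reach the server. */
function build_bind_name(string $username, string $password, string $ldapDomain): ?string
{
    // A simple bind with a name and an empty password is an unauthenticated
    // bind, which a directory server may report as success.
    if ($username === '' || $password === '') {
        return null;
    }
    // The application appends the domain, so the user part must not carry
    // its own realm or separators (assumed allow-list, adjust to your naming).
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return null;
    }
    return $username . '@' . $ldapDomain;
}

/** True only if the user's own credentials bind over a TLS-protected connection. */
function ldap_direct_bind(string $username, string $password, string $ldapDomain, string $ldapHost): bool
{
    $bindName = build_bind_name($username, $password, $ldapDomain);
    if ($bindName === null) {
        return false;
    }
    $conn = ldap_connect('ldap://' . $ldapHost);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    // The "Yes, use TLS" choice: upgrade the connection before binding.
    if (!@ldap_start_tls($conn)) {
        ldap_unbind($conn);
        return false;
    }
    $ok = @ldap_bind($conn, $bindName, $password);
    ldap_unbind($conn);
    return $ok;
}

// Constructed inputs; these calls run offline, without a directory server.
var_dump(build_bind_name('jdoe', 's3cret', 'example.test'));  // well-formed login
var_dump(build_bind_name('jdoe', '', 'example.test'));        // empty password
var_dump(build_bind_name('jdoe@other', 'x', 'example.test')); // user name carrying its own realm
```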