LDAP connection
Server address
Use an LDAP URI to configure the location of your LDAP server in
$ldap_url
:
$ldap_url = "ldap://localhost:389";
You can set several URI, so that next server will be tried if the previous is down:
$ldap_url = "ldap://server1 ldap://server2";
To use SSL, set ldaps
in the URI:
$ldap_url = "ldaps://localhost";
To use StartTLS, set true
in $ldap_starttls
:
$ldap_starttls = true;
Warning
LDAP certificate management in PHP relies on LDAP
system libraries. Under Linux, you can configure /etc/ldap.conf
(or
/etc/ldap/ldap.conf
on Debian/Ubuntu, or
C:\OpenLDAP\sysconf\ldap.conf
for Windows).
Provide the certificate from the certificate authority that issued your LDAP server’s certificate:
TLS_CACERT /etc/ssl/ca.crt
Or, disable server certificate checking:
TLS_REQCERT allow
If you face issues with non matching TLS versions between SSP and your
LDAP server, you should try to modify TLS_CIPHER_SUITE
to match
the requirements of your server. For example:
TLS_CIPHER_SUITE TLSv1+RSA
You can also define the ldap connection timeout:
$ldap_network_timeout = true;
Credentials
Configure DN and password in $ldap_bindn
and $ldap_bindpw
, for example a service account:
$ldap_binddn = "cn=ssp,ou=dsa,dc=example,dc=com";
$ldap_bindpw = "secret";
Tip
You can leave these parameters empty to bind anonymously or using GSSAPI (see below). In this case, the password modification must be done with user’s credentials. But this will not work for password reset.
If you want an SSP account to do this on behalf of the user set the value of $who_change_password
to manager
.
To instead use user’s credentials when writing in LDAP directory, replace manager
with user
in $who_change_password
:
$who_change_password = "user";
Warning
The user account can only be used for standard password
change, when user is giving its old password. For other password changes
(token, questions, …), manager account will always be used, whatever
value is set in $who_change_password
.
For Kerberos authentication (GSSAPI) comment out comment out $ldap_bind*
and uncomment $ldap_krb5ccname
lines
$ldap_krb5ccname = "/tmp/krb5cc_apache";
Make sure the web server is able to read /tmp/krb5cc_apache
:
# ls -l /etc/krb5.keytab /tmp/krb5cc_apache
-rw------- 1 apache apache 1212 May 28 15:13 /tmp/krb5cc_apache
/tmp/krb5cc_apache
- is a Kerberos auth cache file generated by k5start service from an AD administrator’s keytab, like:
# systemctl cat k5start@apache.service
# /etc/systemd/system/k5start@.service
[Unit]
Description=Service User Kerberos Auth (Keytab)
After=dbus.service
After=network.target
After=NetworkManager.service
[Service]
Environment="KEYTAB=/usr/local/etc/aduser.keytab"
Type=forking
ExecStart=/usr/bin/k5start -f ${KEYTAB} -b -a -K 120 -L -l 1d -k /tmp/krb5cc_%i -U -o %i -p /var/run/k5start_%i.pid
ExecStop=/usr/bin/kill $(/usr/bin/cat /var/run/k5start_%i.pid)
[Install]
WantedBy=multi-user.target
Search parameters
You can set the base of the search in $ldap_base
:
$ldap_base = "dc=example,dc=com";
The filter can be set in $ldap_filter
:
$ldap_filter = "(&(objectClass=person)(uid={login}))";
Tip
The string {login}
is replaced by submitted login.
The scope can be set in $ldap_scope
:
$ldap_scope = "sub";
Tip
sub is the default value. Possible values are sub, one, or base
You can retrieve users with a paged search, for example if your directory does not allow you to get all entries at once. You can enable this feature by setting a non-zero value to the page size parameter:
$ldap_page_size = 100;
Tip
when setting a $ldap_page_size
value > 0, self-service-password sends a LDAP_CONTROL_PAGEDRESULTS
control along with the search, and loop for each page
Extensions
You can use LDAP password modify extended operation with
$ldap_use_exop_passwd
:
$ldap_use_exop_passwd = true;
You can also enable LDAP password policy control with $ldap_use_ppolicy_control
:
$ldap_use_ppolicy_control = true;
Special modes
Active Directory
Password in Active Directory is not managed like in other LDAP
directories. Use option $ad_mode
to use unicodePwd
as password
field:
$ad_mode = true;
You must also use SSL on LDAP connection because AD refuses to change a password on a clear connection. See this documentation to manage Active Directory certificates.
Adapt the search filter too:
$ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
You can tune some options:
Force unlock: will unlock a locked account when password is changed
$ad_options['force_unlock'] = true;
Force user to change password at next login:
$ad_options['force_pwd_change'] = true;
Allow user to change password if password is expired (this will force the password to be changed as manager):
$ad_options['change_expired_password'] = true;
You need to have an account on Active Directory with rights to change password of users. To set the minimum rights for this account, do the following:
Create a basic domain account without any additional privileges
Use Delegate control wizard within “User and computers”, then
User Object
Reset Password
Write lockoutTime (if unlock is enabled)
Write shadowlastchange
If you enabled the reset by questions feature (see Reset by questions), you also need to give rights on the question attribute:
Right click the OU where you want delegation of permissions to propagate down from and select “Delegate Control…”
Add the account to delegate to, click Next
Create a custom task to delegate
Select the radio button for “Only the following objects in the folder”, then select “User objects” at the bottom of the list, click Next
Select the “Property-specific” checkbox only, then locate the attribute you are using to store the “Reset by questions” answer in.
Samba 3 or lower
To manage compatibility with Windows world, Samba stores a specific hash
of the password in a second attribute (sambaNTpassword
). It also
store modification date in sambaPwdLastSet
. Use $samba_mode
to
manage these attributes:
$samba_mode = true;
You can also update sambaPwdCanChange
and sambaPwdMustChange
attributes by settings minimal and maximal age, in days:
$samba_options['min_age'] = 5;
$samba_options['max_age'] = 45;
To set an expiration date for a Samba account (attribute
sambaKickofftime
), configure a maximal age, in days:
$samba_options['expire_days'] = 90;
Tip
Samba modifications will only be done on entries of class
sambaSamAccount
Tip
For Samba 4, you must use AD mode, not Samba mode.
Shadow
If using shadowAccount
object class for users, you can update the
shadowLastChange
attribute when changing password:
$shadow_options['update_shadowLastChange'] = true;
You can also update the shadowExpire
attribute to define when the
password will expire. Use -1
to never expire, else configure the
number of days:
$shadow_options['update_shadowExpire'] = true;
$shadow_options['shadow_expire_days'] = 365;
Tip
Shadow modifications will only be done on entries of class
shadowAccount