Prerequisites


To configure LDAP on the server, you need three things:

  1. Configuration for which LDAP server to use and which base DN and domain.
  2. Role configuration that decides which role a logged-in user will have.
  3. Groups in AD that grant DISE Server login.



Setup


First, configure the LDAP server; this is done for each network.

You will need a helper function to create the settings. Run the SQL below on the server.


CREATE OR REPLACE FUNCTION set_setting_on_network(in_network_id integer, in_name text, in_value text, in_datatype integer)
  RETURNS void AS $$
DECLARE
  sg_id integer;  -- setting_group linked to the network
  sc_id integer;  -- setting_collection inside that setting_group
  s_id  integer;  -- existing setting row with this name, if any
BEGIN
  -- Walk network -> setting_group -> setting_collection -> setting and
  -- update the value in place when the setting already exists.
  SELECT setting_group_id INTO sg_id FROM network WHERE id = in_network_id;
  IF sg_id IS NOT NULL THEN
    SELECT id INTO sc_id FROM setting_collection WHERE setting_group_id = sg_id;
    IF sc_id IS NOT NULL THEN
      SELECT id INTO s_id FROM setting WHERE setting_collection_id = sc_id AND name = in_name;
      IF s_id IS NOT NULL THEN
        UPDATE setting SET value = in_value, data_type_id = in_datatype WHERE id = s_id;
      END IF;
    END IF;
  END IF;

  -- Create whichever links in the chain are still missing. Note that the
  -- network id is the function parameter in_network_id throughout.
  IF sg_id IS NULL THEN
    INSERT INTO setting_group (network_id) VALUES (in_network_id) RETURNING id INTO sg_id;
    UPDATE network SET setting_group_id = sg_id WHERE id = in_network_id;
  END IF;

  IF sc_id IS NULL THEN
    INSERT INTO setting_collection (schedule_id, setting_group_id) VALUES (NULL, sg_id) RETURNING id INTO sc_id;
  END IF;

  IF s_id IS NULL THEN
    INSERT INTO setting (setting_collection_id, name, value, data_type_id)
    VALUES (sc_id, in_name, in_value, in_datatype);
  END IF;
END;
$$
  LANGUAGE plpgsql VOLATILE
  COST 100;


The following SQL configures LDAP for the network. The values below are the ones we have been using for testing here: our domain is called TEST and its FQDN is TEST.dise.local. Users are expected to be in that domain, as shown in the LDAPBase parameter.


DO $$
DECLARE
  network_id integer := 1;
  LDAPServer text := 'ldap://10.1.23.140';
  LDAPBase   text := 'DC=TEST,DC=dise,DC=local';
  LDAPDomain text := 'TEST';
BEGIN
  -- the last argument is the data_type_id used for these three text settings
  PERFORM set_setting_on_network(network_id, 'LDAPServer', LDAPServer, 1);
  PERFORM set_setting_on_network(network_id, 'LDAPBase', LDAPBase, 1);
  PERFORM set_setting_on_network(network_id, 'LDAPDomain', LDAPDomain, 1);
END
$$;


Then we need to create the roles that will be used; currently only two roles are supported: user and admin.

Before you run the SQL below, create two user groups on your network, then open the console, take the ID of one of these groups and put it where the SQL says '<user_group_id>'. You also need to enter your network ID; you can find it by checking the 'Network' table in the database. Put it where the SQL says '<network_id>'.

You also need to create two groups in your AD before running the SQL, for example 'DISE Server User' and 'DISE Server Admin'. If you want to name them differently or use existing groups, change the external_role values in the SQL below accordingly.

Now you are ready to run the SQL.

INSERT INTO external_role_translation (id, network_id, external_role, user_role_definition_name, user_group_id) VALUES (1, <network_id>, 'DISE Server User', 'user', <user_group_id>);
INSERT INTO external_role_translation (id, network_id, external_role, user_role_definition_name) VALUES (2, <network_id>, 'DISE Server Admin', 'admin');



When the server is configured with LDAP, this is the user authentication logic:

  1. MultiNetwork admins (all users created on the control panel) can always log in to any network.
  2. If LDAP is configured for the network, login to that network is always done with LDAP credentials. Previously created local users can no longer log in.
  3. The user in the AD has to be a member of at least one of the “DISE” groups in the AD.
  4. This user will be created as an “external” user and can only be authenticated through LDAP.
  5. The user will then behave as a normal user, and permissions etc. can be created as normal. E-mail and name are populated from the AD.
  6. If user_group_id was specified, the user will join this group. To join multiple user groups, add the same AD group again with another user group. Please note that users with the admin role will not apply any permissions imported from the user group.
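The six rules above as an added Python model, not part of DISE Server: it replays the documented decision for a login on a network where LDAP is configured, over constructed external_role_translation rows. The user group IDs 7 and 9 and the choice to treat a user in both AD groups as admin are assumptions, not from the page.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed rows in the shape of external_role_translation from this page:
# network_id, external_role (AD group name), DISE role, optional user_group_id.
# The same AD group appears twice so that its members join two user groups (rule 6).
ROLE_TRANSLATIONS = [
    {"network_id": 1, "external_role": "DISE Server User",  "role": "user",  "user_group_id": 7},
    {"network_id": 1, "external_role": "DISE Server User",  "role": "user",  "user_group_id": 9},
    {"network_id": 1, "external_role": "DISE Server Admin", "role": "admin", "user_group_id": None},
]


@dataclass
class Decision:
    allowed: bool
    reason: str
    role: Optional[str] = None
    user_groups: list = field(default_factory=list)
    apply_group_permissions: bool = False


def resolve_login(network_id, is_multinetwork_admin, is_local_user, ad_groups,
                  translations=ROLE_TRANSLATIONS):
    """Decide whether a login on an LDAP-configured network is accepted and what it gets."""
    # Rule 1: MultiNetwork admins created on the control panel always get in.
    if is_multinetwork_admin:
        return Decision(True, "multinetwork admin", role="admin")
    # Rule 2: with LDAP configured, previously created local users cannot log in.
    if is_local_user:
        return Decision(False, "local users cannot log in on an LDAP network")
    # Rule 3: the AD account must be in at least one translated "DISE" group
    # for this network (exact name match).
    member_of = set(ad_groups)
    matches = [t for t in translations
               if t["network_id"] == network_id and t["external_role"] in member_of]
    if not matches:
        return Decision(False, "not a member of any DISE group")
    # Assumption: a user matching both groups is treated as admin (the page does not say).
    role = "admin" if any(t["role"] == "admin" for t in matches) else "user"
    # Rule 6: every matching row that names a user group adds that group ...
    groups = sorted({t["user_group_id"] for t in matches if t["user_group_id"] is not None})
    # ... but an admin does not apply permissions imported from those groups.
    return Decision(True, "external user via LDAP", role=role, user_groups=groups,
                    apply_group_permissions=(role == "user"))
```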


To remove all LDAP settings (from all networks) you can use the following SQL query:


DELETE FROM setting WHERE name LIKE 'LDAP%';