LDAP Tool

From Redrock Wiki

Revision as of 17:09, 30 November 2021


Connect to an LDAP or Active Directory Server

The Trac application can store local usernames and passwords for your users and students to log in to the Trac system; however, Redrock Software Corporation recommends using an LDAP, Active Directory, or other university authentication protocol to log users into your Trac system. This can easily be configured on your system. The first step is to use the LDAP Tool to test and find the correct configuration to bind a user to your LDAP or Active Directory server.

[Image: Ldap53gt28h.png, the LDAP Tool configuration screen]

LDAP Tool

We have worked with many different LDAP and Active Directory systems and will help you configure your system. The LDAP Tool is used to find the correct LDAP configuration in order to authenticate users in your Trac System against your campus authentication system. When the correct settings are found with the LDAP Tool, Redrock Software will need a screenshot of the correct configuration settings to create a custom authentication script for your Trac System.

There are three types of binds to an LDAP system: Anonymous, Simple, and Double Bind.

An Anonymous Bind is when the LDAP system allows a connection to the LDAP directories without entering a username and password. This is not a secure method of binding to the LDAP directories and cannot be used to authenticate users into your Trac application: a user is only authenticated once their credentials have been verified as valid, and that can only be accomplished by a Simple or Double Bind.

A Simple Bind is when the LDAP system allows a user account to connect directly to the LDAP directories by entering a username and password. This is a secure method of binding to the LDAP directories and can be used to authenticate users into your Trac application. When a user enters their username and password on the default login screen, your Trac application takes that information and immediately passes it to the LDAP Server with the settings found in testing. The Search Criteria in the Simple Bind has no bearing on the authentication and is typically left as "cn=NOTAUSER" so the LDAP Bind does not produce any results. The results do not matter when authenticating through a simple bind – only whether the LDAP Server returns a good status response or an error. If there is an error, the user is not validated and is not logged into your Trac System. If there is a good status, the user is found locally in your Trac application by the username they entered or by a field returned by the LDAP Bind and Search.

A Double Bind is when the LDAP system requires a Bind, Search, and a second Bind to connect to the LDAP directories. This is a secure method of binding to the LDAP directories and can be used to authenticate users into your Trac application. When a user enters their username and password on the default login screen, your Trac application performs a Bind with a specific LDAP account and performs a Search on the username that was entered on the default login page. When the LDAP system returns the directory information for the user, your Trac application finds the Distinguished Name (DN) for the user and then attempts to Bind a second time with the returned DN and the password that was entered on the default login screen. The LDAP Server returns a good status response or an error. If there is an error, then the user is not validated and is not logged into your Trac System. If there is a good status, then the user is found locally in your Trac System by the username that they entered or a field returned by the Search.
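The Double Bind flow described above, as an added example that is not Redrock's code: it runs against a constructed in-memory directory standing in for a real LDAP server, assumes a (uid=...) search filter and hypothetical DNs, escapes the typed username before it goes into the filter, and refuses an empty password, since many servers treat an empty password as an unauthenticated bind that returns success even though nothing was verified (the same check matters for the Simple Bind above).

```python
def escape_filter_value(value: str) -> str:
    """Escape a value placed inside a search filter (RFC 4515), so a username
    such as '*' or 'x)(uid=admin' cannot change what the filter matches."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

class FakeDirectory:
    """Constructed stand-in for an LDAP server: maps DN -> (password, attributes)."""
    def __init__(self, entries: dict):
        self.entries = entries

    def bind(self, dn: str, password: str) -> bool:
        # Real servers commonly treat an empty password as an *unauthenticated*
        # bind and return success (RFC 4513 5.1.2); modelled here so the guard matters.
        if password == "":
            return True
        entry = self.entries.get(dn)
        return entry is not None and entry[0] == password

    def search(self, base_dn: str, filt: str, attrs: tuple) -> list:
        """Return [(dn, {attr: value})] for entries under base_dn matching (uid=X)."""
        return [(dn, {k: a[k] for k in attrs if k in a})
                for dn, (_, a) in self.entries.items()
                if dn.endswith(base_dn)
                and filt == "(uid=%s)" % escape_filter_value(a["uid"])]

def double_bind_auth(d: FakeDirectory, service_dn: str, service_pw: str,
                     base_dn: str, username: str, password: str,
                     attrs: tuple = ("mail",)):
    """Bind as the service account, search for the user, then bind again as the
    user's own DN. Returns the DN plus requested attributes, or None on failure."""
    if password == "":
        return None                      # never let an empty password reach the server
    if not d.bind(service_dn, service_pw):
        return None                      # first bind (service account) failed
    hits = d.search(base_dn, "(uid=%s)" % escape_filter_value(username), attrs)
    if len(hits) != 1:
        return None                      # user unknown, or filter matched several
    user_dn, user_attrs = hits[0]
    if not d.bind(user_dn, password):
        return None                      # second bind: wrong password
    return {"dn": user_dn, **user_attrs}

# Constructed sample directory; every DN, name and password here is hypothetical.
BASE_DN = "dc=example,dc=edu"
SERVICE_DN, SERVICE_PW = "cn=tracsvc,ou=service," + BASE_DN, "svc-secret"
DIRECTORY = FakeDirectory({
    SERVICE_DN: (SERVICE_PW, {"uid": "tracsvc"}),
    "uid=jdoe,ou=people," + BASE_DN: ("Correct-Horse",
                                      {"uid": "jdoe", "mail": "jdoe@example.edu"}),
})
```

With a real server the two bind calls and the search map onto the same three operations the text lists; the returned attributes are what the Return Attributes field below selects.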


LDAP Server Address

The LDAP Server Address field is for the IP address or DNS name of the LDAP Server.

Username & Password
The Username and Password fields are for the user’s credentials to authenticate.

Base DN
The Base DN field holds the distinguished name of the directory subtree used to access the LDAP Server.

Encrypted Bind & LDAP Port
Choose whether the LDAP connection is encrypted and specify the port. The standard ports are 389 (unencrypted) and 636 (LDAP over SSL/TLS).

Search Criteria
The default Search Criteria is (cn=NOTAUSER). A Simple Bind does not need to search for any specific user, so searching for NOTAUSER is sufficient.

Return Attributes
The Return Attributes are only necessary in the Double Bind scenario. They specify which information about the user is returned from the LDAP directories.