Using LDAP to authenticate client and worker logins based on an existing directory of contacts
Introduction
LDAP (Lightweight Directory Access Protocol) is a service designed to share contact information between applications. It is often used to provide centrally managed corporate account information. A single login/password combination can allow access to various applications, and it only needs to be changed in a single place to take effect everywhere.
We provide a plugin for LDAP integration with Cerb5. This article explains how to use it.
Instructions
Prerequisites
This plugin requires the LDAP PHP extension. This is usually available through the package manager for your distribution.
On Debian/Ubuntu:
sudo apt-get install php5-ldap
Installing the plugin
The plugin needs to be installed in the storage/plugins/ directory of your Cerb5 installation.
Change directory to /path/to/cerb5/storage/plugins
Run the command:
git clone git://github.com/cerb5-plugins/wgm.ldap.git
Enabling the plugin
The plugin can be enabled from the web interface.
Open Cerb5 in your web browser.
Click Setup->Plugins.
Enable the [Cerb5] LDAP Integration plugin and click the Save Changes button.
Configuring the plugin
Substitute your own LDAP connection details in this section.
Click the Plugins menu and select LDAP from the list.

Enter your LDAP settings:
Click the Save Changes button.
Your connection information will be verified when you save it.
Enabling LDAP logins for workers
A worker account needs to exist in Cerb5 with an associated email address that matches their contact record in your LDAP directory.
A new LDAP option will appear on the login form:

The worker should enter their email address and the password on file in your LDAP directory.
Enabling LDAP logins in the Support Center
Unlike worker authentication, contacts will be automatically created in your Support Center during their first login if they exist in your LDAP directory. Additionally, their given name and surname will be imported if available.
Configuring your Support Center profile
Navigate to Setup->Community Portals->Configure.
Select the Support Center where you want to enable LDAP logins.
On the Settings tab, scroll to the Login section and select LDAP for the "Authenticate logins using these methods:" option. This can be set exclusively, or in conjunction with other login methods.

Click the Save Changes button.
Logging in
Contacts from your LDAP address book should now be able to log in using their existing email address and password.
Next Steps
Alternate credentials
With a relatively simple modification to the plugin's code you could change the login credentials from email/password to any other combination. For example, your users may be familiar with using a screen name or account number instead of an email address.
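One way a search-then-bind login with a configurable identifier attribute can look in PHP, as an added example (this is not the wgm.ldap plugin's code). The $cfg keys, the list of allowed attributes and the read-only service account are assumptions.

```php
<?php
// Added example; not the wgm.ldap plugin's code. Config keys and attribute names are assumptions.

/** Build the lookup filter for one login attribute, escaping user input per RFC 4515. */
function build_login_filter(string $attribute, string $login): string {
    $allowed = ['mail', 'uid', 'employeeNumber']; // identifiers the admin permits (assumed)
    if (!in_array($attribute, $allowed, true)) {
        throw new InvalidArgumentException('Unsupported login attribute');
    }
    return sprintf('(%s=%s)', $attribute, ldap_escape($login, '', LDAP_ESCAPE_FILTER));
}

/** Return the matching entry's DN if the password is valid, otherwise null. */
function ldap_authenticate(array $cfg, string $attribute, string $login, string $password): ?string {
    // An empty password turns a simple bind into an unauthenticated bind, which
    // many servers report as success, so reject it before contacting the server.
    if ($login === '' || $password === '') {
        return null;
    }
    $conn = ldap_connect($cfg['uri']); // use an ldaps:// URI so passwords are not sent in clear
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    try {
        // Step 1: bind as a read-only service account and locate the user's entry.
        if (!@ldap_bind($conn, $cfg['bind_dn'], $cfg['bind_password'])) {
            return null;
        }
        $filter = build_login_filter($attribute, $login);
        $result = @ldap_search($conn, $cfg['base_dn'], $filter, ['1.1'], 0, 2);
        $entries = $result ? ldap_get_entries($conn, $result) : false;
        // Exactly one entry must match; zero or several is a failed login.
        if ($entries === false || $entries['count'] !== 1) {
            return null;
        }
        $dn = $entries[0]['dn'];
        // Step 2: re-bind as that entry with the supplied password.
        return @ldap_bind($conn, $dn, $password) ? $dn : null;
    } finally {
        ldap_unbind($conn);
    }
}

// Offline check of the filter builder with a constructed login value.
echo build_login_filter('uid', 'j*smith(test)'), PHP_EOL;
```

Switching the identifier from email to a screen name or account number then means changing only the attribute passed in, while the escaping, the empty-password check and the single-match rule stay the same.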
Multi-factor authentication
You could also modify the plugin's code to use multi-factor authentication for improved security. Two-factor security, for instance, consists of "something you know" and "something you have".
For example, at an ATM (automated bank-teller machine), you have an access card and know a secret PIN. You generally cannot use the ATM to access your account without both factors. Other accounts may also require a security token in addition to a login and password.