Howto
Setup and Configure Ldapweb
Configuration and Customisation
Table and Data Records Explanation
This guide explains the modules required to install LDAPweb and how to customise it. LDAPweb is a LAMP (Linux, Apache, MySQL, PHP) web application for accessing LDAP-compliant directories. It should also work on a Windows platform, but I have not tested this.
In version 2.x of LDAPweb, MySQL has been introduced to hold the configuration data and a list of well-known directory attributes, each flagged as displayable or not. The version 1.x method of finding out whether an attribute is displayable has been scrapped.
Password handling, where required, has been improved: the password is passed to successive screens using the session handling features of PHP.
A default installation contains several pre-set configurations: a full-feature configuration, a search-only configuration and a reset-password-only configuration. The default is the full-feature configuration.
As of version 2.x there is no support for old LDAP version 2 servers.
The following packages are required:
ldapweb-2-x.tgz (or ldapweb-2-x.zip)
Base Apache
Base PHP (versions 4 or 5)
MySQL (version 5 and upwards)
PHP ldap module
Optional but recommended packages:
PHP mcrypt (if installed, the password will be encrypted/decrypted)
PHP mhash (only required for the change/reset password feature)
Unzip ldapweb-2-x.tgz/zip into a temporary location (tar -xzf ldapweb-2-x.tgz). There are a couple of minor adjustments that need to be made, which are explained in the Configuration and Customisation section.
Move the contents of the scripts directory to a location that is accessible by your Apache web server.
You will need to populate MySQL with a database, and it is recommended that you define a read-only user to access it and that the database be called ldapweb. The database can be populated by importing ldapweb.sql into the ldapweb database. ldapweb.sql is in the ldapweb-2-x.tgz/zip package in the mysql directory.
I recommend the quick-start method, which is fine if you intend to use the default full-feature interface. Ask your DB administrator for help, or, if you have basic MySQL know-how and MySQL access, create an "ldapweb" database and import the SQL dump "ldapweb.sql" using the following commands (use a bare -p so the password is prompted for rather than left in your shell history and the process list):
mysql -h host -u privilegedDBuser -p
create database ldapweb;
exit;
mysql -h host -u privilegedDBuser -p ldapweb < ldapweb.sql
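The text recommends a read-only account for the application but the quick start only shows the privileged user. The following is an added example, not part of the LDAPweb package, that does the bootstrap with least privilege: the import runs as the privileged user and a SELECT-only account is created for the web scripts. The user name and password are placeholders matching the defaults in configuration.php and are assumed, so change both; 'localhost' assumes Apache/PHP and MySQL run on the same machine. SOURCE is a mysql client command, so run this inside the mysql client (mysql -h host -u privilegedDBuser -p):

```sql
-- Added example (not from ldapweb.sql). Run in the mysql client as the privileged user.
CREATE DATABASE ldapweb;
USE ldapweb;

-- Import the schema and the shipped Admin/Search/Password rows.
-- SOURCE is a mysql client command; adjust the path to where the package was unpacked.
SOURCE mysql/ldapweb.sql;

-- Least privilege: LDAPweb only reads its configuration, so grant SELECT and nothing else.
-- Account name, password and host are placeholders (assumed); change them.
CREATE USER 'ldapwebDBuser'@'localhost' IDENTIFIED BY 'ldapwebDBpassword';
GRANT SELECT ON ldapweb.* TO 'ldapwebDBuser'@'localhost';
FLUSH PRIVILEGES;

-- Checks: the account should hold SELECT on ldapweb.* only,
-- and the three shipped configuration keys should be present.
SHOW GRANTS FOR 'ldapwebDBuser'@'localhost';
SELECT name, host, port, sesstype FROM baseinformation;
```

Put the read-only account, not the privileged one, into configuration.php. The baseinformation table holds the administrator DN and password for each key, so anyone who can read the database can read those; restricting the account to one connecting host and to SELECT limits what a compromised web server can do with it.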
If you do not want the full-feature interface, or wish to customise, read on (recommended). It is also worth having a tool to manage MySQL; I use the excellent and freely available phpMyAdmin.
There are 5 tables: baseinformation, features, searchfields, attributes and directorytypes. The baseinformation, features and searchfields tables all have a name column and are associated with one another by the value of this column. NOTE: currently the tables are not related using MySQL foreign keys; this is on the agenda for future releases.
The name column is the key to how you want to use LDAPweb. Three configurations have been set up for you, with keys "Admin", "Search" and "Password". You can change the default key of "Admin" by editing the variable $key in configuration.php. The $key value means the PHP scripts will look for records whose name column matches it, for example Admin.
The attributes table is very simple: a column of possible attributes, each with a value stating whether LDAP attributes of that type are displayable. A value of txt (text) indicates the attribute is displayable and a value of bin (binary) indicates it is not. If an LDAP attribute is not found in the table, it is treated as a displayable text attribute.
The baseinformation table holds the connection and search defaults for each key. Its columns are:
name – the key as previously explained
host – the host name of an LDAP server
port – the port number that the LDAP server is listening on
sesstype – the type of session (ldap, ldaps or ldap/tls)
showhostportsess – if non-zero, host, port, sesstype and dirtype will be user definable
basedn – Base Distinguished Name (search start point)
showbasedn – if non-zero, basedn will be user definable
dirtype – the type of LDAP directory: openldap, active directory etc. (see the directorytypes table)
admindn – Administrator Distinguished Name
password – Administrator Password
showcredentials – if non-zero, admindn and password will be user definable
scope – the scope of a search (base, one or tree)
andor – whether the search criteria are combined into an "and" or an "or" filter
showcriteria – if non-zero, scope and andor will be user definable
showfilter – if non-zero, an LDAP search filter will be user definable
optionsizelimit – size limit option
optiontimelimit – time limit option
optionderefalias – alias dereference option
showoptions – if non-zero, optionsizelimit, optiontimelimit and optionderefalias will be user definable
showotheratt – if non-zero, the user has the option of defining their own attribute/value pair
controlscount – the number of control fields to display
showcontrols – if non-zero, controls will be user definable
encoding – directory character encoding, usually UTF-8
maxuploadsize – maximum file size allowed for an LDIF import
If showoptions, showcriteria, showcredentials and showhostportsess are set to zero, their associated fields are not displayed and the stored values are used. If they are non-zero, the stored values are offered as defaults that the user may change. NOTE: LDAPweb remembers the user's choices in cookies, and those take precedence over the defaults. Since this table also holds the administrator DN and password for each key, keep database access limited to the read-only account recommended above, and leave showcredentials at zero for any profile whose users should not be able to bind with a DN and password of their own choosing.
You can control which features are made available using the features table:
name – the key as previously explained
friendlyname – a self-explanatory description of what the action does, shown on the homepage
action – a text string the PHP scripts use to identify the feature
Here are the default Admin values:
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','search','Search');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','resetPWD','Reset User Password');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','changePWD','Change My Password');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','add','Add an Entry');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','generic_add','Add an Entry - Generic');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','add_string_attribute','Add a String Attribute value');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','add_binary_attribute','Add a Binary Attribute value');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','delete','Delete an Entry');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','generic_delete','Delete an Entry - Generic');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','delete_attribute','Delete Attribute values');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','expand','Expand the Directory');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','update','Modify an existing entry');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','move','Modify or Move a DN');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','NameContext','Get Naming Context');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','RootDSE','Get Root DSE');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','import_ldif','LDIF Import');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','export_ldif','LDIF Export');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','generate_ldif','LDIF Generate');
[Screenshot: typical features on an "Admin" homepage]
For nearly every feature of LDAPweb a search is performed. With the searchfields table you can control how many search fields are available to build a search filter:
name – the key as previously explained
attribute – this must be an attribute that is defined within your particular LDAP server(s)
friendlyname – a description of what the attribute actually is
Here are the default Admin values:
INSERT INTO searchfields (name, attribute, friendlyname) VALUES ('Admin','sn','Surname');
INSERT INTO searchfields (name, attribute, friendlyname) VALUES ('Admin','givenname','Christian Name');
INSERT INTO searchfields (name, attribute, friendlyname) VALUES ('Admin','cn','Common Name');
INSERT INTO searchfields (name, attribute, friendlyname) VALUES ('Admin','uid','User ID');
INSERT INTO searchfields (name, attribute, friendlyname) VALUES ('Admin','mail','Email address');
INSERT INTO searchfields (name, attribute, friendlyname) VALUES ('Admin','l','Location');
[Screenshot: partial "Admin" search screen based on the searchfields settings]
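The baseinformation, features and searchfields tables can be combined into a profile of your own under a new key. The following is an added example, not one of the configurations shipped in ldapweb.sql: a hypothetical "Helpdesk" key that exposes only search and password reset, connects over ldaps, and has every show* switch at zero so the host, credentials, scope and options cannot be altered from the browser. The column names are the ones listed above; the host, base DN, admin DN and password are placeholders, and the value formats for sesstype, dirtype, scope, andor and optionderefalias are assumed to match the shipped rows, so compare them with the Admin row in ldapweb.sql before relying on them.

```sql
-- Added example: a restricted "Helpdesk" profile (hypothetical key, not shipped with LDAPweb).
-- Run as the privileged user against the ldapweb database after importing ldapweb.sql.
USE ldapweb;

-- 1. Connection and search defaults. Every show* column is 0, so none of these
--    can be overridden from the browser; the directory is reached over ldaps only.
--    Placeholder values: host, basedn, admindn, password. Value formats for sesstype,
--    dirtype, scope, andor and optionderefalias are assumed; copy them from the Admin row.
INSERT INTO baseinformation
  (name, host, port, sesstype, showhostportsess,
   basedn, showbasedn, dirtype,
   admindn, password, showcredentials,
   scope, andor, showcriteria, showfilter,
   optionsizelimit, optiontimelimit, optionderefalias, showoptions,
   showotheratt, controlscount, showcontrols, encoding, maxuploadsize)
VALUES
  ('Helpdesk', 'ldap.example.com', 636, 'ldaps', 0,
   'ou=People,dc=example,dc=com', 0, 'openldap',
   'cn=helpdesk,ou=ServiceAccounts,dc=example,dc=com', 'change-me', 0,
   'one', 'and', 0, 0,
   100, 30, 'never', 0,
   0, 0, 0, 'UTF-8', 0);

-- 2. Only two features. The action column is what the scripts dispatch on, so leaving out
--    add/delete/update/move/LDIF rows is how those capabilities are withheld for this key.
INSERT INTO features (name, action, friendlyname) VALUES ('Helpdesk', 'search',   'Search');
INSERT INTO features (name, action, friendlyname) VALUES ('Helpdesk', 'resetPWD', 'Reset User Password');

-- 3. A short search form; each attribute must exist in the directory schema.
INSERT INTO searchfields (name, attribute, friendlyname) VALUES ('Helpdesk', 'uid',  'User ID');
INSERT INTO searchfields (name, attribute, friendlyname) VALUES ('Helpdesk', 'sn',   'Surname');
INSERT INTO searchfields (name, attribute, friendlyname) VALUES ('Helpdesk', 'mail', 'Email address');

-- Check: one baseinformation row under the new key, with its feature and search lists
-- side by side so an unintended action (e.g. delete) is easy to spot.
SELECT b.name, b.host, b.port, b.sesstype, b.showcredentials,
       (SELECT GROUP_CONCAT(f.action)    FROM features     f WHERE f.name = b.name) AS actions,
       (SELECT GROUP_CONCAT(s.attribute) FROM searchfields s WHERE s.name = b.name) AS search_attributes
FROM baseinformation b
WHERE b.name = 'Helpdesk';
```

To use it, set $key = 'Helpdesk' in configuration.php. Because configuration.php holds a single $key, each profile you want to expose at the same time needs its own copy of the scripts with its own configuration.php, and the service account named in admindn should hold only the directory rights those features need (read, plus password modification for resetPWD).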
The directorytypes table is just a simple list of the different types of directories, such as OpenLDAP, Sun ONE and Active Directory. The idea is that small adjustments can be made in the scripts based on which type of directory is selected; for example, password change handling differs between Active Directory and OpenLDAP. Generally there is no difference between directories, but the option is there to do something special based on the directory type.
The attributes table is a very simple list of known LDAP attribute types and whether each should be treated as a text value (displayable) or a binary value (non-displayable). Attribute types not found in the table are handled as text values. Current valid values are "txt" for displayable, "bin" for binary and "pict" for picture (currently always assumed to be JPEG).
The only script that needs adjusting is "configuration.php". Here you define the database (most likely ldapweb), the DB connection parameters, a random string used as the password encryption key and the key as previously explained. Here is an example "configuration.php" file:
<?php
// Configuration parameters are held in a MySQL DB
// DB connection parameters (ldapweb only requires read access, so use a SELECT-only account)
$mysql_db = 'ldapweb';
$mysql_host = 'localhost';
$mysql_user = 'ldapwebDBuser';
$mysql_password = 'ldapwebDBpassword';
// Key to determine what records to read from the ldapweb DB
$key = 'Admin';
//$key = 'Search';
//$key = 'Password';
// mcrypt key. Only of use if the mcrypt package is installed; the password will be encrypted/decrypted with it.
// Please change the default string to a long random value of your own.
$mcrypt_key = "any text you wish to put here";
?>
It is recommended to install everything as is and to experiment with the "Admin" setup to get a feel for how things work. Using this documentation and a MySQL tool like phpMyAdmin you can edit the database entries to meet your needs. In the "baseinformation" table at least the "host" and "basedn" will need to be changed; you can also edit these directly in ldapweb.sql before importing it, if you wish.