Howto Setup and Configure Ldapweb

Contents

Introduction
Differences between Versions
Installation
Configuration and Customisation
Table and Data Records Explanation
"baseinformation" explanation
"features" explanation
"searchfields" explanation
"directorytype" explanation
"Attributes" explanation
Script configuration
Recommendations

Introduction

This guide will explain the modules required to install LDAPweb, and how one can customize it. LDAPweb is a LAMP (Linux, Apache, MySQL, PHP) web application to access LDAP compliant directories. One can assume that LDAPweb will also work on a Windows platform, but I have not tested this.

Differences between Versions

In version 2.x of LDAPweb, MySQL has been introduced and is used to hold the configuration data, and also a list of all well-known directory attributes with a value stating whether the attribute is displayable or not. The version 1.x method of finding out whether an attribute was displayable has been scrapped.

The password handling, if required, has been improved. The password is passed to successive screens using the session handling features of PHP.

A default installation contains several potential configurations. Pre-set configurations include a full feature configuration, a search only configuration and a reset password only. The default is the full feature configuration.

As of version 2.x there is no support for old LDAP version 2 servers.

Installation

The following packages are required.

ldapweb-2-x.tgz (or ldapweb-2-x.zip)
Base Apache
Base PHP (versions 4 or 5)
MySQL (version 5 and upwards)
PHP ldap module

Optional recommended packages:

PHP mcrypt (if installed this will encrypt/decrypt password)
PHP mhash (only required for the change/reset password feature)

Unzip ldapweb-2-x.tgz/zip into a temporary location (tar -xzf ldapweb-2-x.tgz). There are a couple of minor adjustments that need to be made, which are explained in the Configuration and Customisation section.

Move the contents of the scripts directory to a location that is accessible by your Apache web server.

One will need to populate MySQL with a database, and it is recommended that you define a read-only user to access this database. The recommended database name is ldapweb. The DB can be populated by importing ldapweb.sql into the ldapweb database. ldapweb.sql is in the ldapweb-2-x.tgz/zip package in the directory mysql.

Configuration and Customisation

I recommend the quick start method, which will be fine if one intends to use the default full feature interface. Just go ahead and talk nicely to your DB administrator requesting help, or, if you have basic MySQL know-how and MySQL access, you can create an "ldapweb" database and import the SQL dump "ldapweb.sql" using the following commands:

mysql -h host -u privilegedDBuser -p
create database ldapweb;
exit;
mysql -h host -u privilegedDBuser -ppassword ldapweb < ldapweb.sql
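The read-only database user recommended in the Installation section can be created with the statements below. This is an added example, not part of the original guide; the account name matches the sample configuration.php later in this document and the password is a placeholder to be replaced.

```sql
-- Added example: a MySQL account that can only read the ldapweb tables.
-- configuration.php notes that ldapweb only requires read access, so SELECT is sufficient.
-- 'CHANGE-ME-placeholder' is a placeholder password; replace it before use.
CREATE USER 'ldapwebDBuser'@'localhost' IDENTIFIED BY 'CHANGE-ME-placeholder';
GRANT SELECT ON ldapweb.* TO 'ldapwebDBuser'@'localhost';
FLUSH PRIVILEGES;

-- Check the grant took effect: the output should list only SELECT on ldapweb.*
SHOW GRANTS FOR 'ldapwebDBuser'@'localhost';
```

Use this account for $mysql_user/$mysql_password in configuration.php rather than the privileged user used for the import.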

For those not wanting a full feature interface, or wishing to customise, it is recommended to read on. It is also recommended to have a tool to manage MySQL. I use the excellent and freely available phpMyAdmin.

Table and Data Records Explanation

There are 5 tables: baseinformation, features, searchfields, attributes and directorytypes. The baseinformation, features and searchfields tables all have a name column and are associated with one another by the value of this column. NOTE: Currently the tables are not related using MySQL features; this is on the agenda for future releases.

The name column is the key to how you want to use ldapweb. Three configurations have been set up for you. These configurations have a key of "Admin", "Search" and "Password". You can change the default key of "Admin" by editing the variable $key in configuration.php. The $key value means that the PHP scripts will look for records with a matching value in the name column, for example Admin.

The attributes table is very simple. It's just a column of possible attributes with an associated value stating whether LDAP directory attributes of that type are displayable or not. Basically a value of txt (text) indicates the attribute is displayable and a value of bin (binary) indicates it's non-displayable. If an LDAP attribute is not found in this table it is treated as a displayable text attribute.

"baseinformation" explanation

name – the key as previously explained
host – the host name of an LDAP server
port – the port number that the LDAP server is running on
sesstype – the type of session (ldap, ldaps or ldap/tls)
showhostportsess – if non-zero, host, port, session type and dirtype will be user definable
basedn – Base Distinguished Name (search start point)
showbasedn – if non-zero, basedn and password will be user definable
dirtype – the type of LDAP directory (openldap, active directory etc.)
admindn – Administrator Distinguished Name
password – Administrator password
showcredentials – if non-zero, admindn and password will be user definable
scope – the scope of a search (base, one or tree)
andor – specify "and" or "or" search filter
showcriteria – if non-zero, admindn and password will be user definable
showfilter – if non-zero, an LDAP search filter will be user definable
optionsizelimit – size limit option
optiontimelimit – time limit option
optionderefalias – alias dereference option
showoptions – if non-zero, optionsizelimit/timelimit/derefalias will be user definable
showotheratt – if non-zero, the user has the option of defining their own attribute/value pair
controlscount – the number of control fields to display
showcontrols – if non-zero, controls will be user definable
encoding – directory character encoding, usually UTF-8
maxuploadsize – maximum file size allowed for an LDIF import

If showoptions, showcriteria, showcredentials and showhostportsess are set to false then their associated fields will not be displayed and the default values are used.

If showoptions, showcriteria, showcredentials and showhostportsess are set to true, the values that you put into the associated fields are used as defaults. NOTE: Cookies are used by LDAPweb and take precedence.

"features" explanation

You can control how many features you make available using the features table.

name – the key as previously explained
friendlyname – a self-explanatory description of what the action does
action – a text string used by the PHP scripts

Here are the default Admin values:

INSERT INTO features (name, action, friendlyname) VALUES ('Admin','search','Search');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','resetPWD','Reset User Password');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','changePWD','Change My Password');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','add','Add an Entry');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','generic_add','Add an Entry - Generic');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','add_string_attribute','Add a String Attribute value');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','add_binary_attribute','Add a Binary Attribute value');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','delete','Delete an Entry');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','generic_delete','Delete an Entry - Generic');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','delete_attribute','Delete Attribute values');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','expand','Expand the Directory');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','update','Modify an existing entry');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','move','Modify or Move a DN');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','NameContext','Get Naming Context');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','RootDSE','Get Root DSE');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','import_ldif','LDIF Import');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','export_ldif','LDIF Export');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','generate_ldif','LDIF Generate');

Below is a screenshot of typical features for an "Admin" homepage:


"searchfields" explanation

For nearly every feature of LDAPweb a search will be performed. With this table you can maximise or minimise how many attribute fields you want to display.

You can control how many search fields are available to build a search filter using the searchfields table.

name – the key as previously explained
attribute – this must be an attribute that is defined within your particular LDAP server(s)
friendlyname – a description of what the attribute actually is

Here are the default Admin values:

INSERT INTO searchfields (name, attribute, friendlyname) VALUES ('Admin','sn','Surname');
INSERT INTO searchfields (name, attribute, friendlyname) VALUES ('Admin','givenname','Christian Name');
INSERT INTO searchfields (name, attribute, friendlyname) VALUES ('Admin','cn','Common Name');
INSERT INTO searchfields (name, attribute, friendlyname) VALUES ('Admin','uid','User ID');
INSERT INTO searchfields (name, attribute, friendlyname) VALUES ('Admin','mail','Email address');
INSERT INTO searchfields (name, attribute, friendlyname) VALUES ('Admin','l','Location');

Below is a partial "Admin" search screenshot based on the "searchfields" settings:
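The following statements put the baseinformation, features and searchfields explanations above together into a restricted configuration of my own, keyed "Helpdesk", that exposes only search and password reset and lets the user change none of the connection or credential fields. This is an added example, not part of the ldapweb.sql shipped with the package; the column list is taken from the "baseinformation" explanation, while the column types, the numeric form of optionderefalias and all host, DN and password values are assumptions or placeholders.

```sql
-- Added example: a least-privilege "Helpdesk" configuration (constructed, not shipped).
-- Columns follow the baseinformation explanation; types (INT for flags, VARCHAR for text)
-- are assumed. Hosts, DNs and the password are placeholders to be replaced.
INSERT INTO baseinformation
  (name, host, port, sesstype, showhostportsess,
   basedn, showbasedn, dirtype,
   admindn, password, showcredentials,
   scope, andor, showcriteria, showfilter,
   optionsizelimit, optiontimelimit, optionderefalias, showoptions,
   showotheratt, controlscount, showcontrols, encoding, maxuploadsize)
VALUES
  ('Helpdesk', 'ldap.example.com', 636, 'ldaps', 0,   -- LDAPS, connection not user editable
   'ou=people,dc=example,dc=com', 0, 'openldap',       -- fixed search base, not user editable
   'cn=helpdesk,ou=services,dc=example,dc=com', 'CHANGE-ME-placeholder', 0, -- bind DN fixed
   'one', 'and', 0, 0,                                  -- one-level scope, no free-form filter
   100, 10, 0, 0,                                       -- sizelimit 100, timelimit 10s, deref assumed 0=never
   0, 0, 0, 'UTF-8', 0);                                -- no custom attributes, controls or LDIF upload

-- Only two features for this key: everything else (add, delete, update, LDIF...) is absent.
INSERT INTO features (name, action, friendlyname) VALUES ('Helpdesk','search','Search');
INSERT INTO features (name, action, friendlyname) VALUES ('Helpdesk','resetPWD','Reset User Password');

-- Keep the search form small: two attributes are enough to locate a user.
INSERT INTO searchfields (name, attribute, friendlyname) VALUES ('Helpdesk','uid','User ID');
INSERT INTO searchfields (name, attribute, friendlyname) VALUES ('Helpdesk','mail','Email address');

-- Verify the three tables agree on the key before pointing configuration.php at it.
SELECT 'baseinformation' AS tbl, COUNT(*) AS rows_found FROM baseinformation WHERE name = 'Helpdesk'
UNION ALL
SELECT 'features', COUNT(*) FROM features WHERE name = 'Helpdesk'
UNION ALL
SELECT 'searchfields', COUNT(*) FROM searchfields WHERE name = 'Helpdesk';
```

To activate it, set $key = 'Helpdesk'; in configuration.php; the bind DN used for resetPWD should be granted only the directory rights that action needs.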

"directorytype" explanation

This is just a simple list of the different types of directories, like OpenLDAP, Sun One, Active Directory etc. The idea is that one can make small updates to the scripts based on which type of directory is selected. For example, the way a password change is handled is different for Active Directory compared to OpenLDAP. Generally there will not be a difference between directories, but at least the option is there for one to do something special based on the type of directory.

"Attributes" explanation

A very simple list consisting of known LDAP attribute types and whether that attribute type should be treated as a text value (displayable) or a binary value (non-displayable). LDAP attribute types not found in the list are handled as text values. Current valid values are "txt" for displayable, "bin" for binary and "pict" for picture (currently the picture is always assumed to be in JPEG format).

Script configuration

The only script that needs adjusting is "configuration.php". Here you need to define the DB which most likely will remain ldapweb, the DB connection parameters, a random string for password encryption purposes and the key as previously explained. Here is an example "configuration.php" file.

<?php
// Configuration parameters are held in a MySQL DB

// DB connection parameters (ldapweb only requires read access)
$mysql_db = 'ldapweb';
$mysql_host = 'localhost';
$mysql_user = 'ldapwebDBuser';
$mysql_password = 'ldapwebDBpassword';

// Key to determine what records to read from the ldapweb DB
$key = 'Admin';
//$key = 'Search';
//$key = 'Password';

// mcrypt key. Only of use if the mcrypt package is installed; the password will be encrypted/decrypted. Please change the default string.
$mcrypt_key = "any text you wish to put here";
?>

Recommendations

It's recommended to install everything as is and to experiment with the "Admin" setup to get a feel of how things work. Using this documentation and a MySQL tool like phpMyAdmin you can edit the database entries to meet your needs. In the "baseinformation" table at least the "host" and "basedn" will need to be changed. One can edit this directly in ldapweb.sql if one so wishes.