[horde] Sample AD authentication on Horde

LRM lrm at ionline.com.br
Tue May 4 17:51:59 PDT 2004


Chip,


These are some patches to make passwd work with Active Directory, allowing
users on a Windows Active Directory domain to change their passwords inside
Horde.


When you say sync Windows 2000 passwords with horde/imp, do you mean allowing
Active Directory users to log in to horde/imp with their domain credentials?

Either way I'm sending a sample of authentication config for Horde using
Active Directory since many people ask such things around.

Don't hesitate to post to the list, because more people can see and help you
with the issues.


-----


Authentication of Horde/IMP against an Active Directory domain is already possible.
It's just a matter of configuring your authentication driver properly.


All settings can be easily configured inside the Horde interface, but for this
example I'm using what's inside the config file /horde/config/conf.php.


For an AD domain called "somedomain.net", here is the example config of
Horde:


$conf['auth']['driver'] = 'ldap';


Domain accounts that you want to be Administrators of Horde. Enter multiple
values as: array('value','value',...);

$conf['auth']['admins'] = array('WhoYouWantToBeHordeAdminWinADAccountHere');


$conf['auth']['checkip'] = false;


The AD server to use for authentication:

$conf['auth']['params']['hostspec'] = 'localhost';


Below you provide the base DN that will be used as the starting point for
searching for users to authenticate.

In my particular case I have users organized in departmental OUs, all below a
root Departments OU, so I'm using 'OU=Departments,DC=somedomain,DC=net' to
narrow the scope of the search for the user that is trying to authenticate.
This is also good for securing Horde if you don't want special system users,
like the ones in the default 'Users' OU, to authenticate. If you open the search
to the entire domain, as in this example, _all_ the users (including Domain
Admins, etc.) in that domain are able to log in to Horde. That doesn't smell
good to me, so I recommend tightening the search, but this also depends on how
your AD is designed.

$conf['auth']['params']['basedn'] = 'DC=somedomain,DC=net';


This is a simple filter to narrow the search a bit more, since we're looking
for users and not printers, etc.:

$conf['auth']['params']['objectclass'] = array('top', 'person',
'organizationalPerson', 'user');


Here you provide the full DN of an account that will be used to query the AD
to look up the username and password of the person trying to authenticate.

This is needed because AD does not like anonymous queries. So you create a
'minimal privilege' account just for this task; in this example the LOGIN
name is 'ldap'. BUT AD wants to know the FULL DN of this account, so we must
pick the CN of that account. The CN in this case is the account's Name, 'LDAP
Query', the same name that is visible in 'AD Users and Computers', so:

$conf['auth']['params']['binddn'] = 'CN=LDAP Query,CN=Users,DC=somedomain,DC=net';


Yes you need to provide the password here, so make sure your query account
has only the privileges that it requires for operation and nothing else.

$conf['auth']['params']['password'] = 'Query at 2004';


Below you provide which attribute of the object will be checked against
the Horde username entered for authentication.

The 'sAMAccountName' is the true login name of the user on the domain. Many
(if not all) people I've seen are using 'CN' here.

Imagine if you rename some user in 'AD Users and Computers' (just the
displayed name, not the login name) and you're using 'CN' here: it's
very probable something will break.

$conf['auth']['params']['uid'] = 'sAMAccountName';


-----


That's basically it. You can even install Horde from scratch and admin it
with the config set properly like this.


Hope this helps,


LRM
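Added here as an illustration, not code from the message above or from Horde itself: a small Python model of the user lookup the 'ldap' driver relies on, run against a constructed in-memory directory so it needs no AD server. It shows how basedn, the objectclass list and the uid attribute combine, why narrowing basedn to the Departments OU keeps accounts in the default Users container from matching, and how a login name should be escaped before it is placed in a filter string. The sample entries and the helper names are assumptions made for the example.

```python
# Constructed sample directory standing in for AD (hypothetical entries).
DIRECTORY = [
    {"dn": "CN=Administrator,CN=Users,DC=somedomain,DC=net",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": "Administrator", "cn": "Administrator"},
    {"dn": "CN=John Doe,OU=Sales,OU=Departments,DC=somedomain,DC=net",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": "jdoe", "cn": "John Doe"},
    {"dn": "CN=Printer01,OU=Sales,OU=Departments,DC=somedomain,DC=net",
     "objectClass": ["top", "printQueue"],
     "sAMAccountName": "printer01", "cn": "Printer01"},
]

# Same list as $conf['auth']['params']['objectclass'] in the message.
REQUIRED_CLASSES = ["top", "person", "organizationalPerson", "user"]

def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into an LDAP filter,
    so a login such as 'jdoe)(objectClass=*' cannot widen the search."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def build_filter(uid_attr, username, classes=REQUIRED_CLASSES):
    """The filter the driver would send: all objectClasses AND the uid match."""
    parts = "".join("(objectClass=%s)" % c for c in classes)
    return "(&%s(%s=%s))" % (parts, uid_attr, escape_filter_value(username))

def in_scope(dn, basedn):
    """Subtree scope: the entry's DN must end with the configured basedn."""
    return dn.lower().endswith("," + basedn.lower())

def find_user(basedn, uid_attr, username, classes=REQUIRED_CLASSES):
    """Return the DN the driver would bind as, or None if no entry matches.
    Mirrors what the server does with build_filter() under the basedn;
    AD attribute matching is case-insensitive, hence lower()."""
    for entry in DIRECTORY:
        if not in_scope(entry["dn"], basedn):
            continue
        if not all(c in entry["objectClass"] for c in classes):
            continue
        if entry.get(uid_attr, "").lower() == username.lower():
            return entry["dn"]
    return None
```

With basedn set to the whole domain, 'Administrator' resolves and can log in; with basedn narrowed to the Departments OU it no longer matches, and the print queue never matches because it lacks the person/user classes.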


----- Original Message ----- 

From: "Chip Bell" <cbell at msbv.com>

Sent: Tuesday, May 04, 2004 6:02 PM

Subject: RE: [horde] UPDATED Patch for Passwd LDAP driver


Hey man,


I didn't want to ask on the list, kinda felt stupid.  Does this allow
people's Win2000 passwords to sync with their horde/imp login?
