New in 3.1: LDAP Authentication
Edit: LDAP is taking a little longer than we were expecting, but we want to get it done right and proper. Therefore we have decided to release Beta 2 without functioning LDAP support. The interface is there so you can see how it looks, but do not set your authentication method to LDAP as you will be locked out. When we have a functioning addon, we will let you know here on the blog!
As mentioned in a previous post, thanks to the hard work of crazedfred and xaver in the Live Chat service, we are currently implementing support for authentication against LDAP (which includes Microsoft Active Directory). The reason we have delayed Beta 2 is because we really want to have something you can play with in the LDAP department, and within a day or two we will have support for logging in implemented.
So how do I set it up?
LDAP is included as an optional module from The Bug Genie 3.1 beta 2 onwards, and can be installed from the Modules list. This adds an ‘LDAP Authentication’ section to the menu on the left, and also adds LDAP as a mechanism on the new Authentication page. We will come to that later. On the ‘LDAP Authentication’ page, you can specify the server to connect to, the DN strings for the user and group lists (we need the group ones for restriction: see later), as well as which attributes contain the parameters needed by The Bug Genie. We need the full name and email address, as these will be synchronised to The Bug Genie so that fields on the website render correctly and you can receive email notifications.
It is very important that you ensure an administrator account still exists after switching over. All accounts with the same username as one in LDAP will remain accessible and keep their old permissions, so if your network logon is ‘joebloggs’, create an account called ‘joebloggs’ and make it an administrator before continuing. You can also import all LDAP users at this point (this won’t be implemented in beta 2), but it is not necessary, as they will be created on their first login. You may wish to do this if you need to set permissions in advance.
You can restrict access to members of certain groups too: just insert a comma-separated list of group names into the relevant box, though this functionality may not be implemented in beta 2.
Finally, you can prune users on this screen. Don’t do this now, as you may delete your own account (besides, this also isn’t coming in beta 2): this tool deletes all accounts which exist in The Bug Genie but not in LDAP. This allows you to remove an account from TBG which has been deleted in LDAP, but if the account was deleted in the directory the user will not be able to log in anyway, and they will be automatically logged out.
After setting this all up, if you go to the Authentication page you can choose the LDAP backend. Also here are boxes to allow you to insert substitute text for the register, forgot password, change password and account details screens. This is important, as this functionality will be disabled and you will need to provide an alternative means, so you could say ‘Call 1234 for the IT helpdesk’ here.
After saving the settings on this page, you will be switched over to LDAP mode, and logged out. This is because all existing sessions will be invalidated after switching. If all goes well, you can now go to the login screen and use your LDAP credentials to log in.
So what happens next?
A number of things happen with your LDAP directory when you log in. We bind as your user to the directory, and if the bind is successful and you meet the group criteria (if specified), then a session is created. What happens next depends on whether you already have a user in The Bug Genie. If you don’t (which most LDAP users won’t), then one is created, with its username, full name and email address properties filled in from the directory. The Bug Genie needs a password to be set for internal reasons, so we autogenerate one for you; you will never need it.
If the user does exist, then we just update the properties mentioned before. This ensures that your details are always correct.
And now you will be logged in, and you can carry on using The Bug Genie as before. Note that LDAP will be probed to validate your session on every page load (we do the same with TBG auth: we probe the users table each time), so please be prepared for the load. If, between your first login and now, the user has been deleted in LDAP, or has had its groups changed so that it is no longer a member of any of the allowed groups, then the validation will fail and you will be automatically logged out.
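The login flow just described (bind as the user, check group membership, then create or update the local user with details from the directory), written out with PHP’s ext/ldap functions. This is an added example, not The Bug Genie’s own code: the server URI, base DNs, attribute names, the allowed-group list and the `$users` array standing in for TBG’s users table are all assumptions.

```php
<?php
// Added example, not The Bug Genie's own code: the bind-then-sync login flow
// from the post, using PHP's ext/ldap. Server, base DNs, attribute names and
// the $users array (standing in for TBG's users table) are assumptions.
const LDAP_URI       = 'ldaps://ldap.example.invalid';     // assumed
const USER_BASE_DN   = 'ou=people,dc=example,dc=invalid';  // assumed
const GROUP_BASE_DN  = 'ou=groups,dc=example,dc=invalid';  // assumed
const ALLOWED_GROUPS = ['developers', 'testers'];           // the comma-separated list from the admin page

function ldapLogin(string $username, string $password, array &$users): ?array
{
    // Refuse empty passwords: many servers treat them as an anonymous bind
    // that "succeeds" without checking the user, which would let anyone in.
    if ($username === '' || $password === '') {
        return null;
    }
    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3); // LDAPv3; the post mentions version 3
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // 1. Bind as the user; this is the only place the LDAP password is used.
    $userDn = 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',' . USER_BASE_DN;
    if (@ldap_bind($conn, $userDn, $password) === false) {
        ldap_unbind($conn);
        return null;
    }

    // 2. Group restriction: the user's DN must be a member of an allowed group.
    $escDn  = ldap_escape($userDn, '', LDAP_ESCAPE_FILTER);
    $groups = implode('', array_map(
        fn($g) => '(cn=' . ldap_escape($g, '', LDAP_ESCAPE_FILTER) . ')', ALLOWED_GROUPS));
    $res    = ldap_search($conn, GROUP_BASE_DN, "(&(member={$escDn})(|{$groups}))", ['cn']);
    if ($res === false || ldap_count_entries($conn, $res) === 0) {
        ldap_unbind($conn);
        return null;
    }

    // 3. Read full name and e-mail so TBG's own fields render correctly.
    $res   = ldap_read($conn, $userDn, '(objectClass=*)', ['cn', 'mail']);
    $entry = $res !== false ? ldap_get_entries($conn, $res) : ['count' => 0];
    ldap_unbind($conn); // nothing from LDAP is kept beyond this point

    $users[$username] ??= [
        'username'      => $username,
        // TBG needs a password internally; set one the user never learns.
        'password_hash' => password_hash(bin2hex(random_bytes(32)), PASSWORD_DEFAULT),
    ];
    $users[$username]['realname'] = $entry['count'] ? ($entry[0]['cn'][0] ?? '') : '';
    $users[$username]['email']    = $entry['count'] ? ($entry[0]['mail'][0] ?? '') : '';
    return $users[$username];
}
```

The same function, called on each page load with the session’s stored username, is what the post’s per-request revalidation amounts to: a failed bind or an empty group result means the session is dropped.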
And that’s about it. Guest access will still work if you have it enabled (if you don’t have a session active, we don’t bother probing LDAP at all, and go straight to the code which looks for CLI sessions and so on). In addition, CLI mode will not use LDAP, so if you use LDAP to authenticate with both The Bug Genie and your workstation, please log into TBG via the web interface once to generate your user (unless you were imported). After that, CLI mode will always work.
Is it secure?
We know that these directories contain sensitive information, so we don’t store credentials for the LDAP directory. As mentioned, the user’s password for use by TBG will be set randomly, so the only time we actually use the user’s LDAP password is for logging in. For the administrator tools (such as importing and pruning), the credentials will be discarded after use.
As far as security of libraries is concerned, we use the PHP LDAP libraries, so as long as you keep your system up to date you have nothing to worry about here. We use LDAP client library version 3.