Core: Authentication for LDAP and ActiveDirectory

Created on 28 Aug 2015 · 7 Comments · Source: flarum/core

Allow account authentication to be delegated to LDAP/AD service.

I'm guessing the target market for Flarum does not overlap much with organizations which use LDAP, but there are probably a few who would utilize it. I haven't used PHP in a long time but have some familiarity with LDAP.

PHP has a library for using LDAP
http://php.net/manual/en/book.ldap.php

Here's an article giving an example of authenticating (note that it's specific to Active Directory):
https://www.exchangecore.com/blog/how-use-ldap-active-directory-authentication-php/

Typically what an administrator would need to configure for setting up LDAP authentication is:

  1. LDAP Server Hostname/IP _[string]_
  2. LDAP Server Port _[int/short]_, default is 389
  3. Base Distinguished Name _[string]_ or Base DN. This is a string that most people configuring LDAP would know; specific to their setup, it defines how to query LDAP, usually something like `ou=People,dc=myorganization,dc=org`
  4. Search Attributes _[string]_. This is the attribute to use for looking up the account. In a simple case this is just a field, something like `uid`, `sn`, or `sAMAccountName`, but in more configurable settings this would need to be a filter string which allows using a placeholder for the login, e.g. ([email protected]), where `$LOGIN` would be replaced with the account the user is trying to log in as.

There are a slew of other things you can do for integrating with LDAP but this is typically the bare-bones for most LDAP/ActiveDirectory setups.

All 7 comments

Sorry I have no idea what LDAP even is, haha! Probably not something we'll tackle in core... I wonder if you could look into implementing it as an extension? http://flarum.org/docs/extend

I took a look through the extension documentation but it wasn't obvious whether it's something that could be accomplished. If it can be then having it as an extension would make sense. The extension would need to be able to hook into the logic that determines whether a login attempt is valid -- instead of checking against values in the MySQL database, it would pass the credentials to an LDAP service which would determine whether the credentials were valid.

LDAP is a protocol for communicating with a "Directory Service". A directory service is a very common database for managing users/members/employees. One of the large benefits of this is that different applications can authenticate against the same users and not require registering accounts on every application. Once a user is configured in LDAP, that account could be used to sign in to their install of Flarum, GitLab, and even computers on the network. The password would be changed once and it applies for all applications authenticating against LDAP.

We will work on making the authentication adapter swappable, so if it isn't now, something like this will definitely be possible.

Hey, is it now somehow possible to integrate LDAP into your forum software with an extension, or do I need to "hack" the core files? I would be interested because I have a small community website that uses LDAP for SSO for different services.

If Laravel can work with an LDAP driver, so can Flarum. You should be able to integrate ldap as an extension.

> If Laravel can work with an LDAP driver, so can Flarum. You should be able to integrate ldap as an extension.

This is not true? Flarum doesn't use any of Laravel's auth stuff.

What I meant is, if it's possible with Laravel it should also be possible with Flarum. I didn't investigate closely, but something like the following should be possible:

Once a user logs in you automatically check the LDAP server using the username as dn and the password for authentication (middleware or event listener). Then you do a search on the username to retrieve details to insert or update the user.
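The flow sketched in the comment above (bind against the directory with the user's credentials, then search for the account's details) and the four settings listed in the opening post, combined into one added PHP example. This is not Flarum code and not code from any commenter; it uses the `ext-ldap` functions from the manual linked in the issue. The hostname, Base DN, lookup account and filter are placeholders, and the `ldapAuthenticate()` function and `$config` keys are names chosen here. Because the admin's filter may key on `mail` or `uid` rather than a DN, the example first locates the user's DN with a read-only lookup account, then proves the password by binding as that DN:

```php
<?php
// Added example (not Flarum's or the issue author's code): delegate a login
// to LDAP/AD. All hostnames, DNs and account names are placeholders.
declare(strict_types=1);

/** Administrator-supplied settings, mirroring the four items in the issue. */
$config = [
    'scheme'  => 'ldaps',                        // 'ldap' + StartTLS, or 'ldaps'
    'host'    => 'ldap.example.org',             // placeholder
    'port'    => 636,                            // 389 for ldap/StartTLS, 636 for ldaps
    'base_dn' => 'ou=People,dc=example,dc=org',  // placeholder Base DN
    // Filter with the $LOGIN placeholder suggested in the issue.
    'filter'  => '(|(uid=$LOGIN)(mail=$LOGIN))',
    // Read-only account used only to find the user's DN (placeholder).
    'bind_dn' => 'cn=flarum-lookup,ou=Service,dc=example,dc=org',
    'bind_pw' => getenv('LDAP_LOOKUP_PASSWORD') ?: '',
];

/**
 * Returns the user's attributes on success, or null on any failure.
 * The caller is deliberately not told whether the user or the password was wrong.
 */
function ldapAuthenticate(array $cfg, string $login, string $password): ?array
{
    // An empty password makes ldap_bind() perform an *anonymous* bind, which
    // succeeds on most servers. Reject it before touching the directory.
    if ($login === '' || $password === '') {
        return null;
    }

    $conn = ldap_connect(sprintf('%s://%s:%d', $cfg['scheme'], $cfg['host'], $cfg['port']));
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0); // AD referrals otherwise break searches

    // Plain ldap:// must be upgraded so credentials never cross the wire in clear.
    if ($cfg['scheme'] === 'ldap' && !@ldap_start_tls($conn)) {
        ldap_unbind($conn);
        return null;
    }

    try {
        // Step 1: bind as the lookup account so the search is authorised.
        if (!@ldap_bind($conn, $cfg['bind_dn'], $cfg['bind_pw'])) {
            return null;
        }

        // Step 2: substitute the login into the filter. ldap_escape() encodes
        // ( ) * \ and NUL so the user cannot rewrite the filter (LDAP injection).
        $safeLogin = ldap_escape($login, '', LDAP_ESCAPE_FILTER);
        $filter    = str_replace('$LOGIN', $safeLogin, $cfg['filter']);
        // Size limit 2 lets us detect an ambiguous filter without fetching everything.
        $result = @ldap_search($conn, $cfg['base_dn'], $filter, ['mail', 'displayName'], 0, 2);
        if ($result === false) {
            return null;
        }
        $entries = ldap_get_entries($conn, $result);
        // Exactly one match is required; zero or several means no identifiable user.
        if ($entries['count'] !== 1) {
            return null;
        }
        $userDn = $entries[0]['dn'];

        // Step 3: prove the password by binding as the user's own DN.
        if (!@ldap_bind($conn, $userDn, $password)) {
            return null;
        }

        // ldap_get_entries() lower-cases attribute names.
        return [
            'dn'          => $userDn,
            'mail'        => $entries[0]['mail'][0] ?? null,
            'displayname' => $entries[0]['displayname'][0] ?? null,
        ];
    } finally {
        ldap_unbind($conn);
    }
}

// Usage with placeholder credentials; $user would feed the insert/update of the forum account.
$user = ldapAuthenticate($config, 'alice', 'correct horse battery staple');
echo $user === null ? "login rejected\n" : "authenticated as {$user['dn']}\n";
```

If the directory accepts the typed username directly as a bind identity (Active Directory does this for the `user@domain` userPrincipalName form), steps 1 and 2 can be dropped and the code reduces to the direct bind the comment describes, followed by the same search to fetch the profile attributes. In either variant the empty-password check and the `ldap_escape()` call are the two details most often missed when this is wired into a login hook.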
