Connect to an LDAP/AD using Joomla 2.5

Sometimes, things that should be straightforward just aren't!

After some fiddling around I managed to connect to an AD from Joomla, so I would like to share with you the configuration.

Apart from being a requirement in many projects, here are the benefits of using an LDAP/AD for Joomla authentication:

  • Centralised user database which can be used by many different systems
  • Users have only one username/password for all systems that use LDAP/AD
  • Users can still be administered inside Joomla, since they are imported into Joomla's database the first time they log in to Joomla via LDAP
  • Keeps users happy! (no more extra signups)
  • Best practice for IT integration

In order to achieve this you just have to follow these steps:

1. Go to Joomla's administration plug-in manager and enable the "Authentication - LDAP" plugin:


2. Configure the plugin with your AD/LDAP data. This is the tricky part; it can cost you many hours and a lot of frustration if you are not sure about the parameters.


The parameters shown above are for Microsoft's Active Directory. They should be fine for the majority of systems and should let users connect with their email credentials, for example user@staff.domain.com.

For such a user the directory entry looks like this:
CN: the full name of the user
sAMAccountName: user
email: user@staff.domain.com

Notes:
  • Host: the AD/LDAP hostname of your enterprise.
  • Port: 389 for the majority of systems.
  • Base DN: usually something like DC=staff,DC=domain,DC=com; if you are not sure, ask your LDAP/AD administrator.
  • Map: User ID is case sensitive. This parameter alone could make you feel stupid if you are not aware of the case sensitivity!
  • Map: User ID is the LDAP attribute used for the username mapping into Joomla's database. If this is different in your system, use the corresponding attribute; in most cases, though, the correct attribute is sAMAccountName.
  • Search String: this is the LDAP filter used to find the user and fetch the required attributes. It is very important: if Joomla cannot find the user in LDAP it does not authorize them, even though the user binds fine with his/her credentials.

Now the final step is to check that the option "Auto-create Users" is set to "Yes" in the "User - Joomla!" plugin in Joomla's plug-in manager.



Using this configuration, users can log in to Joomla with their email account and its password.
Additionally, Joomla automatically reads the user's real name, email and username and stores them in its own database.
Joomla 2.5 administrators can then apply extra controls, for example changing the user's group and access levels.
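The bind-then-search-then-map sequence the steps above describe, as an added offline example (this is not Joomla's plugin code and it opens no network connection): a small Python script that expands the Search String template with the username (escaping it per RFC 4515 so that parentheses or wildcards in the input cannot change the filter's structure), runs the search against a constructed in-memory directory below the Base DN, rejects a user who binds fine but is not matched by the Search String, and maps cn/mail/sAMAccountName into the fields Joomla stores using an exact-case lookup, which is where a wrongly-cased Map: User ID fails. The directory entries, the passwords, the `(mail=[search])` search string and the `[username]` user DN template are assumptions made for this example; the values in the post's screenshot are not reproduced here.

```python
import re

# Directory entries and bind passwords constructed for this example (not a real AD).
# Keys are DNs; values are attribute maps in the shape a search result has.
DIRECTORY = {
    "CN=John Doe,OU=Users,DC=staff,DC=domain,DC=com": {
        "cn": ["John Doe"], "sAMAccountName": ["jdoe"], "mail": ["jdoe@staff.domain.com"]},
    # Binds fine but lives outside the Base DN, so the Search String never finds it.
    "CN=Service Account,OU=Users,DC=other,DC=example": {
        "cn": ["Service Account"], "sAMAccountName": ["svc"], "mail": ["svc@other.example"]},
}
PASSWORDS = {"jdoe@staff.domain.com": "correct horse", "svc@other.example": "s3cret"}

# Plugin parameters, named as on the configuration screen.  The Search String and
# User's DN template are assumptions (the post's screenshot is not reproduced);
# AD accepts the UPN, i.e. the e-mail form, as the bind name.
PARAMS = {
    "base_dn": "DC=staff,DC=domain,DC=com",
    "search_string": "(mail=[search])",
    "user_dn": "[username]",
    "map_fullname": "cn", "map_email": "mail", "map_user_id": "sAMAccountName",
}

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into the Search String, so a
    username containing ( ) * or a backslash cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def _parse(s):
    """Parse one component of the RFC 4515 subset used here: (attr=value), (&...), (|...)."""
    if not s.startswith("("):
        raise ValueError("filter component must start with '(': %r" % s)
    if s[1:2] in ("&", "|"):
        op, s, children = s[1], s[2:], []
        while s.startswith("("):
            child, s = _parse(s)
            children.append(child)
        if not s.startswith(")"):
            raise ValueError("unterminated %r filter" % op)
        return (op, children), s[1:]
    end = s.find(")")
    if end < 0:
        raise ValueError("unterminated filter item: %r" % s)
    attr, _, value = s[1:end].partition("=")
    value = re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("=", attr, value), s[end + 1:]

def parse_filter(text):
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("trailing data after filter: %r" % rest)
    return node

def matches(node, attrs):
    """Evaluate a parsed filter; names and values compare case-insensitively, as AD does."""
    if node[0] in ("&", "|"):
        combine = all if node[0] == "&" else any
        return combine(matches(child, attrs) for child in node[1])
    _, attr, value = node
    for name, values in attrs.items():
        if name.lower() == attr.lower():
            return any(v.lower() == value.lower() for v in values)
    return False

def search(directory, base_dn, node):
    """Subtree search below base_dn, standing in for the real server."""
    return [(dn, attrs) for dn, attrs in directory.items()
            if dn.lower().endswith(base_dn.lower()) and matches(node, attrs)]

def map_attributes(attrs, params):
    """Copy the mapped attributes into the fields Joomla stores.  The lookup is by
    exact name, mirroring the post's warning that the map is case-sensitive."""
    record = {}
    for field, attr in (("name", params["map_fullname"]), ("email", params["map_email"]),
                        ("username", params["map_user_id"])):
        if attr not in attrs:
            return None, attr
        record[field] = attrs[attr][0]
    return record, None

def authenticate(directory, passwords, params, username, password):
    """'Bind directly as user': bind, then search, then map.  A user who binds but
    is not matched by the Search String is rejected, as the post's note says."""
    bind_name = params["user_dn"].replace("[username]", username)
    if passwords.get(bind_name) != password:
        return {"status": "bind failed"}
    filt = parse_filter(params["search_string"].replace("[search]", escape_filter_value(username)))
    hits = search(directory, params["base_dn"], filt)
    if len(hits) != 1:
        return {"status": "not found", "matches": len(hits)}
    record, missing = map_attributes(hits[0][1], params)
    if missing:
        return {"status": "map failed", "missing": missing}
    return {"status": "ok", "dn": hits[0][0], "user": record}

if __name__ == "__main__":
    for user, pw in (("jdoe@staff.domain.com", "correct horse"), ("jdoe@staff.domain.com", "x"),
                     ("svc@other.example", "s3cret")):
        print(user, "->", authenticate(DIRECTORY, PASSWORDS, PARAMS, user, pw))
    print(authenticate(DIRECTORY, PASSWORDS, dict(PARAMS, map_user_id="samaccountname"),
                       "jdoe@staff.domain.com", "correct horse"))  # wrong case in Map: User ID
```

Running it shows the three outcomes the notes above distinguish: a successful login with the mapped name, email and username; a plain bind failure; and the "binds but not found" case, where the account authenticates but sits outside the Base DN, which Joomla treats as a failed login. The last call reproduces the case-sensitivity trap: with `samaccountname` instead of `sAMAccountName` the search still succeeds, but the mapping step cannot find the attribute.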

Troubleshooting

Check the following articles for extra info and troubleshooting:

31 comments:

  1. Hello,

    I have configured Joomla to authenticate users. I can log in, but a Joomla profile is not created; for instance I can't set the permissions for this user (I would like to make one of my LDAP accounts a superuser).

    Any ideas?

    Thanks in advance!

    Replies
    1. Check the plugin "User - Joomla!" in Joomla's plug-in manager.
      Is the option "Auto-create Users" enabled (YES)?

  2. Hi!
    My Joomla 2.5 site was working fine with LDAP authentication. But this week the server that hosts the application changed to a Linux server, on the same local LAN. After that, LDAP login doesn't work: when I try, a white page loads. There is no error message either, so how can I understand what is wrong?
    Thank you for the help!!

    Replies
    1. Hi elida,
      Have you tried this?
      http://ourlife01.blogspot.gr/2012/05/debugging-ldap-php-scripts.html

    2. Sorry, wrong link!
      I actually meant this:
      http://ourlife01.blogspot.gr/2012/04/how-to-connect-to-ssl-openldap.html

  3. Thanks for the instructions, they were very easy to follow. I am wondering what I can do about the need to pull in users from multiple OUs. We have a single AD domain, 5 store OUs and a Users OU under each. There is no single central store for me to get users from. Any suggestions?

    I am using Joomla! 2.5.7 on the latest version of OpenSuse.

    Replies
    1. Although I haven't tried it, I think you can use the usual LDAP filter notation in Joomla's "search string" field, e.g. (|(exp1)(exp2)(exp3)) means exp1 OR exp2 OR exp3, so for your organisation it would be something like:
      (|(ou=orgunit1)(ou=orgunit2)(ou=orgunit3))

  4. This comment has been removed by the author.

    Replies
    1. Thanks man, it is working great. You can also get in
      Joomla CMS

  5. This comment has been removed by the author.

  6. I have OpenLDAP in a Linux environment.

    But I can't make this to work properly...

    Have run the php script and it returns the correct info.
    My params are:

    Host: my ip host
    port: 389
    ldapv3: yes
    tls: no
    referrals: no

    bind as user
    base dn: ou=people,dc=mydomain,dc=com
    search string: uid=[search]
    user dn: uid=[username],ou=people,dc=mydomain,dc=com
    connect username: empty
    connect password: empty (I have tried with the manager too)
    Map full name: cn
    map email: mail
    map user id: uid

    What am I doing wrong?

    Replies
    1. OpenLDAP can be different...
      Have you tried this?
      http://ourlife01.blogspot.gr/2012/05/debugging-ldap-php-scripts.html
      Is your LDAP with SSL? Then you should check this:
      http://ourlife01.blogspot.gr/2012/04/how-to-connect-to-ssl-openldap.html

    2. Thanks for replying...

      Have done the following:
      http://ourlife01.blogspot.gr/2012/04/how-to-connect-to-ssl-openldap.html

      and the result is ok!!

      That's why I wonder what can be wrong in joomla config....

    3. Strange... I suppose you are doing the tests from the same host, right?
      If all attributes AND mappings are OK, then your only option is to enable debugging in Joomla and check Joomla's logs (you can also modify Joomla's LDAP plugin to log more info for debugging).

  7. Folks, we have a project where we need consulting help from someone who has done Active Directory authentication between an internal .NET intranet and an external PHP website. Would you kindly email me at andy at rabinovicionline.com if you're interested, and we'll discuss the details?

  8. Can someone help me? I'm new to Joomla, I work with version 2.5 and I want to connect an intranet to LDAP. If someone can explain to me step by step how to do it and what to enter in each of the fields... I have researched and have not been able to connect them.

    Many thanks

    Replies
    1. Sam, send me an email (see my profile)

  9. I am having trouble getting LDAP Auth to work. I've tried the following PHP code just to make sure that it's working, and the code works and seems to bind.

    <?php
    $ldapurl  = "192.168.1.18";
    $ldaprdn  = 'uid=bmcwhirt,cn=users,cn=accounts,dc=myhhca,dc=com';
    $ldapuser = 'bmcwhirt';      // the uid from $ldaprdn, used in the message below
    $ldappass = 'PLACEHOLDER';   // placeholder: the real password is not shown in the post

    // connect to ldap server
    $ldapconn = ldap_connect($ldapurl) or die("Couldn't connect");
    // FreeIPA/OpenLDAP expect protocol version 3 (matches "LDAP V3: Yes" below)
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);

    // binding to ldap server (the password itself is kept out of the output)
    echo "Trying to bind as $ldapuser ($ldaprdn)\n";
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

    if (!$ldapbind) {
        echo "Unable to bind to server $ldapurl\n";
        echo "OpenLdap error message: " . ldap_error($ldapconn) . "\n";
        exit;
    }
    echo "Bind OK\n";
    ldap_unbind($ldapconn);

    This works with no errors and seems to bind.

    Here are my settings in Joomla

    Host: 192.168.1.18
    Port: 389
    LDAP V3: Yes
    Negotiate TLS: No
    Follow Referrals: No
    Authorisation Method: Bind Directly as User
    Base DN: o=myhhca.com
    Search String: uid=[search]
    User's DN: uid=[username],cn=users,cn=accounts,dc=myhhca,dc=com


    I am using Joomla 2.5 and the auth server is FreeIPA with OpenLDAP
    I would appreciate any advice or corrections.

    Replies
    1. Try to troubleshoot at joomla level...
      If you still can't do it drop me an email (look at my profile)

    2. I found the problem. Though Community Builder claims 1.9 is LDAP capable with the Joomla Auth LDAP module, that is only partly true. You cannot use the CB Login Form. Everything else CB-wise seems to work just fine after you have authenticated. Here were my final settings for the LDAP module.

      Host: 192.168.1.18
      Port: 389
      LDAP V3: Yes
      Negotiate TLS: No
      Follow Referrals: No
      Authorisation Method: Bind Directly as User
      Base DN: cn=users,cn=accounts,dc=myhhca,dc=com
      Search String: uid=[search]
      User's DN: uid=[username],cn=users,cn=accounts,dc=myhhca,dc=com

      Map: Full Name: cn
      Map: email: mail
      Map: User ID: hid

      This setup using the default joomla login form works well for authenticating off Fedora 18 running FreeIPA 3.1.2

      This site, Michael, and everyone who has commented with their thoughts has been very helpful, and I hope my contribution will save someone some time in the future. Next time I will be authenticating off a Mac mini server. When that happens I'll post what setup works for that as well.

      Thanks

    3. That should read:

      Map: User ID: uid

  10. Hi, thanks for posting this! Unfortunately, I get error 500 when I try it with my site.

    I used the settings as shown in your post, except I want the users to log in with their uid, not their email address. So I tried setting the search string to uid=[search] as well as sAMAccountName=[search] but error 500 either way.

    my Joomla site is 2.5.8 on Ubuntu 12 server, and my AD server is 2008r2.

    Replies
    1. Hi Luke,

      did you find any solution to this issue? I get the same:
      "POST /administrator/index.php HTTP/1.1" 500 388 "
      "POST /administrator/index.php HTTP/1.1" 500 533 "

      Axel

    2. Have you tried:
      Map: User ID uid ?

    3. Of course... other apps like subversion or redmine successfully authenticated against my Samba 4 AD or 2k8R2 AD. Only Joomla not...

    4. Do you have command line access on your server?
      Have you tried this? http://ourlife01.blogspot.gr/2012/05/debugging-ldap-php-scripts.html

    5. I have command line access, but I don't know what I have to do with the script...

    6. Better use this one:
      http://ourlife01.blogspot.com/2013/10/sample-active-directory-command-line.html
      And check if everything is OK...

    7. Yay, very nice. I've found the problem. Need to install php5-ldap, then "$ldapconn = ldap_connect($ldapserver, $ldapport);" found the LDAP-Directory and my login works :)

      Thank you man!!

  11. Hello, I have a Samba 4 AD DC server, and it works with the configuration shown in the image "ldap_joomla_params.png".
    The problem we have is that the users' email addresses do not belong to the same domain, and if I don't change them in the AD DC it doesn't work.
    Is there any possibility for users to log in with their username only (not their email)? I tried different ways with different fields and did not get good results.

    Many thanks
