LDAP / Active Directory Authentication

This article describes how to authenticate backend users (BE users) and/or frontend users (FE users) against an LDAP server or against Active Directory (Microsoft Windows Server).

Searching for “ldap” on typo3.org returns a few extensions that are mainly outdated. I first tried the well-known extension eu_ldap (a kind of reference) but then switched to extension ig_ldap_sso_auth, which has a nice backend console to fine-tune the connection and the filtering of data.

I must admit though that the manual of ig_ldap_sso_auth is written in French, and even though understanding French is not a problem for me — as you all know ;-) — I found it a bit sparing with details.

Extension ig_ldap_sso_auth provides a mechanism to authenticate FE users against a CAS server, but I won’t describe this here.

Once you’re done, you may consider providing a single sign-on facility to your users. Simply follow the single sign-on tutorial.

Installing Extension ig_ldap_sso_auth

Install this extension and its dependency (extension iglib) as usual from the Extension Manager.

Do not enable any feature at this point; simply create and update your database schema.

Configuring LDAP Connection

Switch to Web > List, click on the root of your website (the earth icon) and add a record of type “Configuration LDAP / SSO” named e.g., LDAP Configuration.

Then move to the second tab and configure the LDAP connection itself; the form should need no explanation. One point deserves attention though: with a simple bind over plain LDAP, the bind credentials and every password TYPO3 sends for verification cross the network in clear text, so use LDAPS or StartTLS between TYPO3 and the directory unless both sit on the same trusted network.

Authenticating Backend Users

Move to the third tab in the LDAP record editor. This allows you to describe where the users are stored (Base DN) and how the LDAP record should be fetched (Filter). Placeholder {USERNAME} stands for the username coming from the login form. Because that value is substituted into a search filter, it must be escaped according to RFC 4515 before use; that is the extension’s job, but it is worth checking in the test module with a username containing characters such as * and ).

Finally, the Mapping allows you to specify how LDAP record information should be mapped to a TYPO3 backend user record. The default should work in most cases.

If you wish to restrict further who is allowed to authenticate, you may filter allowed backend users based on a group they must be a member of (in LDAP or Active Directory terms). This is simply done with an LDAP filter query:

(&(sAMAccountName={USERNAME})(memberof=cn=groupName,ou=Groups,dc=domain,dc=loc))

More examples of LDAP search queries follow the same pattern: the username match is combined with further conditions using & (and), | (or) and ! (not).
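The following is an added example, not code from ig_ldap_sso_auth or from the original article, showing how a filter template with a {USERNAME} placeholder should be turned into a concrete search filter: the value from the login form is escaped per RFC 4515 before substitution, so a name such as *)(objectClass=* cannot widen the search. The Active Directory templates reuse the group DN from the filter above; the OpenLDAP variants (uid, posixGroup/memberUid) and the nested-group form using Active Directory’s matching rule OID 1.2.840.113556.1.4.1941 are assumptions added for illustration.

```python
"""Turn a filter template with a {USERNAME} placeholder into a concrete LDAP
search filter, escaping the login name per RFC 4515.

Added example for this tutorial; it is not code from ig_ldap_sso_auth.
The Active Directory templates reuse the filter from the text; the group
DN, the OpenLDAP schema and the nested-group variant are assumptions.
"""

# RFC 4515, section 3: these characters must be written as a backslash
# followed by two hex digits when they appear inside an assertion value.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value before it is embedded in a search filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, username: str) -> str:
    """Substitute the escaped username for every {USERNAME} placeholder."""
    return template.replace("{USERNAME}", escape_filter_value(username))


# Active Directory: login name in sAMAccountName, membership in memberOf.
AD_USER = "(&(objectClass=user)(sAMAccountName={USERNAME}))"
AD_USER_IN_GROUP = (
    "(&(sAMAccountName={USERNAME})"
    "(memberof=cn=groupName,ou=Groups,dc=domain,dc=loc))"
)
# Active Directory only: the extensible match with the
# LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941) also
# matches users who are members through nested groups.
AD_USER_IN_GROUP_NESTED = (
    "(&(sAMAccountName={USERNAME})"
    "(memberOf:1.2.840.113556.1.4.1941:=cn=groupName,ou=Groups,dc=domain,dc=loc))"
)
# OpenLDAP with inetOrgPerson/posixGroup (assumed schema): login name in uid;
# membership is stored on the group as memberUid, so it is fetched with a
# second search rather than read from a memberOf attribute.
OPENLDAP_USER = "(&(objectClass=inetOrgPerson)(uid={USERNAME}))"
OPENLDAP_GROUPS_OF_USER = "(&(objectClass=posixGroup)(memberUid={USERNAME}))"


def login_filters(username: str) -> dict:
    """All templates above instantiated for one login name."""
    templates = {
        "ad_user": AD_USER,
        "ad_user_in_group": AD_USER_IN_GROUP,
        "ad_user_in_group_nested": AD_USER_IN_GROUP_NESTED,
        "openldap_user": OPENLDAP_USER,
        "openldap_groups_of_user": OPENLDAP_GROUPS_OF_USER,
    }
    return {name: build_filter(t, username) for name, t in templates.items()}


if __name__ == "__main__":
    # A normal login name and one that tries to widen the search.
    for name in ("jdoe", "*)(objectClass=*"):
        print(name, "->", build_filter(AD_USER_IN_GROUP, name))
```

The template strings are what goes into the Filter field; the instantiated string can also be handed to ldapsearch, together with the bind DN and base DN of your connection, to check the result set outside TYPO3.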

Now it’s time to specify which of the groups the authenticated user belongs to should be imported into TYPO3.

This could be none of them, if you wish to hard-code an already existing TYPO3 backend user group (typically a group where you configured editor access rights). In this case you may specify this group in the configuration dialog of the ig_ldap_sso_auth extension in the Extension Manager. Alternatively, you may wish to import some of them, e.g., based on a name pattern, so that you can grant access to different parts of the TYPO3 website based on group membership.

All of this is configured in the fourth tab. As an example, you may import all groups the user is a member of whose name starts with CMS_, using a group filter such as (cn=CMS_*).

At any time you may use the backend module to test your configuration and find out whether your LDAP filters work as expected.

Configuration for backend users is done. You can now update the extension’s configuration in the Extension Manager to activate Backend LDAP authentication and log in again, this time with an LDAP username. Keep your current backend session open in another browser while you test, so that a wrong filter cannot lock you out of the backend.

Authenticating Frontend Users

The configuration for authenticating frontend users is pretty much the same as for backend users. It is done in the FE_USERS and FE_GROUPS tabs.

The real difference is in the Mapping section, where the real name of the user is not mapped the same way, and where the pid of the storage folder you wish to use for user and usergroup records should be given if you don’t want all those records to be stored on the root page. In the mapping, <attribute> takes the value of that LDAP attribute and {DATE} expands to the current timestamp.

FE_USERS Mapping

pid=sysfolder for fe_users
tstamp={DATE}
name=<cn>
usergroup=<memberOf>
email=<mail>

FE_GROUPS Mapping

pid=sysfolder for fe_groups
tstamp={DATE}
title=<cn>
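To make the mapping notation concrete, here is an added example (not the extension’s code and not from the original article) that applies the FE_USERS and FE_GROUPS mappings above to a constructed LDAP entry and keeps, as in the backend section, only the groups whose cn starts with CMS_. It reads <attribute> as the value of that LDAP attribute and {DATE} as the current timestamp, which is how the two blocks above use them; the storage pids 12 and 13, the sample entry and its attribute names are assumptions.

```python
"""Apply an ig_ldap_sso_auth-style mapping to an LDAP entry.

Added example for this tutorial, not code from the extension. It imitates
the mapping notation used above (<attribute> = value of that LDAP
attribute, {DATE} = current timestamp, anything else = literal) and the
group import rule from the backend section (keep only groups whose cn
starts with CMS_). The sample entry and the pids 12 and 13 are assumptions.
"""
import re
import time
from typing import Optional

# Mappings in the notation of the FE_USERS and FE_GROUPS tabs; the pids are
# assumed sysfolder uids.
FE_USERS_MAPPING = """
pid=12
tstamp={DATE}
name=<cn>
usergroup=<memberOf>
email=<mail>
"""

FE_GROUPS_MAPPING = """
pid=13
tstamp={DATE}
title=<cn>
"""

# Only groups whose cn starts with this prefix are imported (assumption
# mirroring the CMS_ example from the backend section).
GROUP_PREFIX = "CMS_"

# Constructed sample entry, shaped like a client library's result for one
# user: attribute name -> list of values.
SAMPLE_ENTRY = {
    "cn": ["Jane Doe"],
    "sAMAccountName": ["jdoe"],
    "mail": ["jane.doe@example.com"],
    "memberOf": [
        "CN=CMS_Editors,OU=Groups,DC=domain,DC=loc",
        "CN=CMS_Authors,OU=Groups,DC=domain,DC=loc",
        "CN=Domain Users,CN=Users,DC=domain,DC=loc",
    ],
}


def parse_mapping(text: str) -> dict:
    """Turn 'field=source' lines into a dict, ignoring blank lines."""
    pairs = (line.split("=", 1) for line in text.strip().splitlines() if "=" in line)
    return {field.strip(): source.strip() for field, source in pairs}


def first_rdn_value(dn: str) -> str:
    """Value of the first RDN of a DN (the cn of a group). A comma escaped
    with a backslash inside a value (RFC 4514) does not end the RDN."""
    rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    return rdn.split("=", 1)[1]


def selected_groups(entry: dict, prefix: str = GROUP_PREFIX) -> list:
    """memberOf DNs whose cn starts with the import prefix."""
    return [dn for dn in entry.get("memberOf", []) if first_rdn_value(dn).startswith(prefix)]


def resolve(source: str, entry: dict, now: int):
    """Resolve one mapping source against the entry."""
    attr = re.fullmatch(r"<(\w+)>", source)
    if attr:
        values = entry.get(attr.group(1), [])
        # single-valued attributes map to a scalar, multi-valued ones to a list
        return values[0] if len(values) == 1 else values
    if source == "{DATE}":
        return now
    return int(source) if source.isdigit() else source


def map_group(entry: dict, now: int) -> dict:
    """Build the fe_groups record for one group entry."""
    return {f: resolve(s, entry, now) for f, s in parse_mapping(FE_GROUPS_MAPPING).items()}


def map_user(entry: dict, now: Optional[int] = None) -> dict:
    """Build the fe_users record; usergroup is replaced by the fe_groups
    records of the CMS_ groups the user belongs to."""
    now = int(time.time()) if now is None else now
    record = {f: resolve(s, entry, now) for f, s in parse_mapping(FE_USERS_MAPPING).items()}
    record["usergroup"] = [
        map_group({"cn": [first_rdn_value(dn)]}, now) for dn in selected_groups(entry)
    ]
    return record


if __name__ == "__main__":
    import json
    print(json.dumps(map_user(SAMPLE_ENTRY), indent=2))
```

Running it on the sample entry yields one fe_users record on pid 12 and two fe_groups records (CMS_Editors and CMS_Authors) on pid 13; the Domain Users group is dropped by the prefix rule.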

Use the standard felogin extension on your login page and update ig_ldap_sso_auth’s configuration in the Extension Manager to activate Frontend LDAP authentication.

Where to go next?

You may now consider providing a single sign-on facility to your users. This is easily done with my single sign-on tutorial, or you may take advantage of Extbase and Fluid to create a form that lets your users modify their own data right back in LDAP. If so, just keep on reading how to create an LDAP persistence backend for Extbase.

Tool for LDAP / Active Directory

A while ago I found a small tool written by Jarek Gawor. Recently I discovered that all download links were no longer working and, as such, I thought it would be great to let you download it from my website:

It requires Java and works on Windows, Linux/Unix and Mac OS X.
