Howto Setup and Configure Ldapweb
Configuration and Customisation
This guide will explain the modules required to install LDAPweb, and how one can customize it. LDAPweb is a LAMP (Linux, Apache, MySQL, PHP) web application to access LDAP compliant directories. One can assume that LDAPweb will also work on a Windows platform, but I have not tested this.
In version 2.x of LDAPweb, MySQL has been introduced. It holds the configuration data and a list of all well-known directory attributes, each with a value stating whether the attribute is displayable or not. The version 1.x method of determining whether an attribute was displayable has been scrapped.
The password handling, if required, has been improved: the password is passed to successive screens using the session handling features of PHP.
A default installation contains several potential configurations. Pre-set configurations include a full feature configuration, a search only configuration and a reset password only configuration. The default is the full feature configuration.
As of version 2.x there is no support for old LDAP version 2 servers.
The following packages are required:
- ldapweb-2-x.tgz (or ldapweb-2-x.zip)
- Base Apache
- Base PHP (version 4 or 5)
- MySQL (version 5 and upwards)
- PHP ldap module
Optional recommended packages:
- PHP mcrypt (if installed, the password will be encrypted/decrypted)
- PHP mhash (only required for the change/reset password feature)
Unzip ldapweb-2-x.tgz/zip into a temporary location (tar -xzf ldapweb-2-x.tgz). There are a couple of minor adjustments that need to be made, which are explained in the Configuration and Customisation section.
Move the contents of the scripts directory to a location that is accessible by your Apache web server.
One will need to populate MySQL with a database, and it is recommended that you define a read-only user to have access to this database. The recommended database name is ldapweb. The DB can be populated by importing ldapweb.sql into the ldapweb database; ldapweb.sql is in the mysql directory of the ldapweb-2-x.tgz/zip package.
I recommend the quick start method, which will be fine if one intends to use the default full feature interface. Just go ahead and talk nicely to your DB administrator requesting help, or, if you have basic MySQL know-how and MySQL access, create an "ldapweb" database and import the SQL dump "ldapweb.sql" using the following commands:
mysql -h host -u privilegedDBuser -p
create database ldapweb;
exit;
mysql -h host -u privilegedDBuser -ppassword ldapweb < ldapweb.sql
(Giving -p with no value attached, as in the first command, makes mysql prompt for the password and keeps it out of the shell history and process list.)
For those not wanting a full feature interface, or wishing to customise, read on; this is recommended. It is also recommended to have a tool to manage MySQL. I use the excellent and freely available phpMyAdmin.
There are 5 tables: baseinformation, features, searchfields, attributes and directorytypes. The baseinformation, features and searchfields tables all have a name column and are associated with one another by the value of this column. NOTE: Currently the tables are not related using MySQL features; this is on the agenda for future releases.
The name column is the key to how you want to use ldapweb. Three configurations have been set up for you, with the keys "Admin", "Search" and "Password". You can change the default key of "Admin" by editing the variable $key in configuration.php. The $key value means that the PHP scripts will look for records with a matching value in the name column, Admin for example.
The attributes table is very simple. It is just a column of possible attributes with an associated value stating whether LDAP directory attributes of that type are displayable or not. A value of txt (text) indicates the attribute is displayable and a value of bin (binary) indicates it is non-displayable. If an LDAP attribute is not found in this table, it is treated as a displayable text attribute.
The columns of the baseinformation table are:
- name – the key as previously explained
- host – the host name of an LDAP server
- port – the port number that the LDAP server is running on
- sesstype – the type of session (ldap, ldaps or ldap/tls)
- showhostportsess – if non-zero, host, port, sesstype and dirtype will be user definable
- basedn – Base Distinguished Name (search start point)
- showbasedn – if non-zero, basedn and password will be user definable
- dirtype – the type of LDAP directory (openldap, active directory etc.)
- admindn – Administrator Distinguished Name
- password – Administrator Password
- showcredentials – if non-zero, admindn and password will be user definable
- scope – the scope of a search (base, one or tree)
- andor – specify an "and" or "or" search filter
- showcriteria – if non-zero, admindn and password will be user definable
- showfilter – if non-zero, an LDAP search filter will be user definable
- optionsizelimit – size limit option
- optiontimelimit – time limit option
- optionderefalias – alias dereference option
- showoptions – if non-zero, optionsizelimit/timelimit/derefalias will be user definable
- showotheratt – if non-zero, the user has the option of defining their own attribute/value pair
- controlscount – the number of control fields to display
- showcontrols – if non-zero, controls will be user definable
- encoding – directory character encoding, usually UTF-8
- maxuploadsize – maximum file size allowed for an LDIF import
If showoptions, showcriteria, showcredentials and showhostportsess are set to false, their associated fields will not be displayed and the default values are used.
If showoptions, showcriteria, showcredentials and showhostportsess are set to true, the values you put into the associated fields are used as defaults. NOTE: LDAPweb uses cookies, and cookie values take preference.
You can control how many features you make available using the features table:
- name – the key as previously explained
- friendlyname – a self-explanatory description of what the action does
- action – a text string used by the PHP scripts
Here are the default Admin values:
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','search','Search');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','resetPWD','Reset User Password');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','changePWD','Change My Password');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','add','Add an Entry');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','generic_add','Add an Entry - Generic');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','add_string_attribute','Add a String Attribute value');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','add_binary_attribute','Add a Binary Attribute value');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','delete','Delete an Entry');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','generic_delete','Delete an Entry - Generic');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','delete_attribute','Delete Attribute values');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','expand','Expand the Directory');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','update','Modify an existing entry');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','move','Modify or Move a DN');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','NameContext','Get Naming Context');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','RootDSE','Get Root DSE');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','import_ldif','LDIF Import');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','export_ldif','LDIF Export');
INSERT INTO features (name, action, friendlyname) VALUES ('Admin','generate_ldif','LDIF Generate');
Below is a screenshot of typical features for an "Admin" homepage:
For nearly every feature of LDAPweb a search will be performed. With the searchfields table you can control how many search fields are available to build a search filter, and so maximise or minimise how many attribute fields are displayed:
- name – the key as previously explained
- attribute – this must be an attribute that is defined within your particular LDAP server(s)
- friendlyname – a description of what the attribute actually is
Here are the default Admin values:
INSERT INTO searchfields (name, attribute, friendlyname) VALUES ('Admin','sn','Surname');
INSERT INTO searchfields (name, attribute, friendlyname) VALUES ('Admin','givenname','Christian Name');
INSERT INTO searchfields (name, attribute, friendlyname) VALUES ('Admin','cn','Common Name');
INSERT INTO searchfields (name, attribute, friendlyname) VALUES ('Admin','uid','User ID');
INSERT INTO searchfields (name, attribute, friendlyname) VALUES ('Admin','mail','Email address');
INSERT INTO searchfields (name, attribute, friendlyname) VALUES ('Admin','l','Location');
Below is a partial "Admin" search screenshot based on the searchfields settings:
[Screenshot: partial "Admin" search screen built from the searchfields settings]
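As an added example (not LDAPweb's own code), the following models how the searchfields and baseinformation rows for one $key feed a search: only attributes configured for the key may be searched, the andor column picks the filter combinator, and typed values are escaped per RFC 4515 so a form field cannot alter the filter's structure. The MySQL tables are stood in for by an in-memory sqlite3 database with constructed rows mirroring the default "Admin" searchfields above plus a constructed "Search" key.

```python
# Added example, not part of LDAPweb: a sqlite3 stand-in for the MySQL tables,
# the per-key lookup, and a filter builder that escapes user-typed values.
import sqlite3

SCHEMA = """
CREATE TABLE baseinformation (name TEXT, andor TEXT, scope TEXT, basedn TEXT);
CREATE TABLE searchfields (name TEXT, attribute TEXT, friendlyname TEXT);
"""
SEARCHFIELDS = [  # constructed: the default Admin rows plus a 'Search' key
    ("Admin", "sn", "Surname"), ("Admin", "givenname", "Christian Name"),
    ("Admin", "cn", "Common Name"), ("Admin", "uid", "User ID"),
    ("Admin", "mail", "Email address"), ("Admin", "l", "Location"),
    ("Search", "cn", "Common Name"), ("Search", "sn", "Surname"),
]
BASEINFO = [  # constructed: Admin combines fields with 'and', Search with 'or'
    ("Admin", "and", "tree", "dc=example,dc=org"),
    ("Search", "or", "tree", "dc=example,dc=org"),
]

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO searchfields VALUES (?,?,?)", SEARCHFIELDS)
    db.executemany("INSERT INTO baseinformation VALUES (?,?,?,?)", BASEINFO)
    return db

def escape_filter_value(value):
    """Escape the characters that could change filter structure: \\ ( ) and NUL.
    '*' is left alone so users keep substring searches such as 'Smi*'."""
    return "".join("\\%02x" % ord(c) if c in "\\()\x00" else c for c in value)

def allowed_attributes(db, key):
    """Only attributes configured in searchfields for this key may be searched."""
    rows = db.execute("SELECT attribute FROM searchfields WHERE name=?", (key,))
    return [attribute for (attribute,) in rows]

def build_filter(db, key, form):
    """form maps attribute -> value typed into the search screen; blanks are skipped."""
    (andor,) = db.execute("SELECT andor FROM baseinformation WHERE name=?", (key,)).fetchone()
    allowed = allowed_attributes(db, key)
    terms = []
    for attribute, value in form.items():
        if attribute not in allowed:
            raise ValueError("%r is not a search field for key %r" % (attribute, key))
        if value:
            terms.append("(%s=%s)" % (attribute, escape_filter_value(value)))
    if not terms:
        return "(objectClass=*)"  # nothing typed: presence filter under the base DN
    if len(terms) == 1:
        return terms[0]
    return "(%s%s)" % ("&" if andor == "and" else "|", "".join(terms))
```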
The directorytypes table is just a simple list of the different types of directories, like OpenLDAP, Sun One, Active Directory etc. The idea is that one can make small updates to the scripts based on which type of directory is selected. For example, password change handling is done differently for Active Directory compared to OpenLDAP. Generally there will not be a difference between directories, but at least the option is there for one to do something special based on the type of directory.
The attributes table is a very simple list of known LDAP attribute types and whether each attribute type should be treated as a text value (displayable) or a binary value (non-displayable). LDAP attribute types not found in the table are handled as text values.
The only script that needs adjusting is "configuration.php". Here you define the DB name (which will most likely remain ldapweb), the DB connection parameters, a random string for password encryption purposes and the key as previously explained. Here is an example "configuration.php" file.
<?php
// Configuration parameters are held in a MySQL DB
// DB connection parameters (ldapweb only requires read access, so use a read-only DB user)
$mysql_db = 'ldapweb';
$mysql_host = 'localhost';
$mysql_user = 'ldapwebDBuser';
$mysql_password = 'ldapwebDBpassword';
// Key to determine what records to read from the ldapweb DB
$key = 'Admin';
//$key = 'Search';
//$key = 'Password';
// mcrypt-key. Only of use if mcrypt package is installed. Password will be encrypted/decrypted. Please change the default string.
$mcrypt_key = "any text you wish to put here";
?>
It is recommended to install everything as is and to experiment with the "Admin" setup to get a feel for how things work. Using this documentation and a MySQL tool like phpMyAdmin, you can edit the database entries to meet your needs. In the "baseinformation" table at least the "host" and "basedn" will need to be changed. One can edit this directly in ldapweb.sql if one so wishes.