Manage authentification with LDAP
It is possible to delegate authentication of the administration console of OCS Inventory. So we will see how to delegate the connection to the OCSInventory NG GUI to LDAP.
Note: We assume that you have a working and fully configured LDAP server
Keep in mind that we won't explain how to setup an LDAP Server and we won't explain how to debug LDAP connexion. We think that this part is more related to the LDAP Server itself than OCS.
In the first place, you need to enable the advanced configuration :
Configuration > General configuration
Click on the
ADVANCE_CONFIGURATION to ON
Our only PHP prerequisites for OCS is the php-ldap extension.
In the case you want to setup Ldaps connection, you will need to configure the following file to setup the used certificate : * /etc/ldap/ldap.conf
Configure LDAP options in web gui
Here is a summary of the available web configuration :
|CONEX_LDAP_SERVEUR||LDAP Server URL||ldap://my.awesome.ldap for unsecured connection or ldaps://my.awesome.ldap for Ldaps|
|CONEX_ROOT_DN||User used to login and synchronize||CN=Ocsuser,CN=Users,DC=ocs,DC=loc|
|CONEX_ROOT_PW||Password of the DN User||N/A|
|CONEX_LDAP_PORT||LDAP Server PORT||389 for unsecured and 636 for ldaps (by default)|
|CONEX_DN_BASE_LDAP||Base DN where Users which are able to login are located||CN=Users,DC=ocs,DC=loc|
|CONEX_LOGIN_FIELD||The attribute with which a user sign in||sAMAccountName or uid|
|CONEX_LDAP_PROTOCOL_VERSION||Protocol version number||3|
|CONEX_LDAP_CHECK_DEFAULT_ROLE||Default role of LDAP based user|
|CONEX_LDAP_CHECK_FIELD1_ROLE||Role of the user that match FIELD1_VALUE for FIELD1_NAME|
Configure AUTH Method from var.php file
After configuring the LDAP connection from web console, you will need to edit the
var.php file located in
/usr/share/ocsinventory-reports/ocsreports folder (by default).
In this file you will find a section named :
Authentication Configuration (see screenshot below)
To change the way OCS manage authentication, you will have to edit the AUTH_TYPE value : 1 => Local database only 2 => Local database and LDAP Connection 3 => LDAP Only (Keep in mind that if the LDAP Server is down, AUTH will be also down) 4 => LDAP with SSO Capabilities * 5 => Always_OK not recommended, will log without checking the password
The second parameter is AUTH_LDAP_SKIP_CERT, this option is only used when performing an LDAPS connection, it will skip certificate checking. Of course we don't recommend using it and is only present for debug, tests purposes.
Configure SSO Authentication
To configure SSO Authentication, you will need to : LDAP Configuration setup and working on OCS AUTH_TYPE value in var.php set to 4 * Apache / Kerberos configuration to pass ticket to OCS Webconsole
Note: We won't provide configuration for Kerberos and Apache since its not related to OCS Inventory