Manage authentification with LDAP

It is possible to delegate authentication of the administration console of OCS Inventory. So we will see how to delegate the connection to the OCSInventory NG GUI to LDAP.

Note: We assume that you have a working and fully configured LDAP server

Prerequisites

Keep in mind that we won't explain how to setup an LDAP Server and we won't explain how to debug LDAP connexion. We think that this part is more related to the LDAP Server itself than OCS.

In the first place, you need to enable the advanced configuration : Navigate to Configuration > General configuration Click on the Server tab Set ADVANCE_CONFIGURATION to ON Click on Update

Our only PHP prerequisites for OCS is the php-ldap extension.

In the case you want to setup Ldaps connection, you will need to configure the following file to setup the used certificate : * /etc/ldap/ldap.conf

Configure LDAP options in web gui

Here is a summary of the available web configuration :

Configuration item Description Example
CONEX_LDAP_SERVEUR LDAP Server URL ldap://my.awesome.ldap for unsecured connection or ldaps://my.awesome.ldap for Ldaps
CONEX_ROOT_DN User used to login and synchronize CN=Ocsuser,CN=Users,DC=ocs,DC=loc
CONEX_ROOT_PW Password of the DN User N/A
CONEX_LDAP_PORT LDAP Server PORT 389 for unsecured and 636 for ldaps (by default)
CONEX_DN_BASE_LDAP Base DN where Users which are able to login are located CN=Users,DC=ocs,DC=loc
CONEX_LOGIN_FIELD The attribute with which a user sign in sAMAccountName or uid
CONEX_LDAP_PROTOCOL_VERSION Protocol version number 3
CONEX_LDAP_CHECK_DEFAULT_ROLE Default role of LDAP based user
CONEX_LDAP_CHECK_FIELD1_ROLE Role of the user that match FIELD1_VALUE for FIELD1_NAME

Configure AUTH Method from var.php file

After configuring the LDAP connection from web console, you will need to edit the var.php file located in /usr/share/ocsinventory-reports/ocsreports folder (by default).

In this file you will find a section named : Authentication Configuration (see screenshot below)

var.php Auth section

To change the way OCS manage authentication, you will have to edit the AUTH_TYPE value : 1 => Local database only 2 => Local database and LDAP Connection 3 => LDAP Only (Keep in mind that if the LDAP Server is down, AUTH will be also down) 4 => LDAP with SSO Capabilities * 5 => Always_OK not recommended, will log without checking the password

The second parameter is AUTH_LDAP_SKIP_CERT, this option is only used when performing an LDAPS connection, it will skip certificate checking. Of course we don't recommend using it and is only present for debug, tests purposes.

Configure SSO Authentication

To configure SSO Authentication, you will need to : LDAP Configuration setup and working on OCS AUTH_TYPE value in var.php set to 4 * Apache / Kerberos configuration to pass ticket to OCS Webconsole

Note: We won't provide configuration for Kerberos and Apache since its not related to OCS Inventory