History: Tiki Suite LDAP

LDAP's role is central in ClearOS & Tiki Suite. So here is a page to centralize all documentation & issues. Everything related to LDAP and any component of Tiki Suite (Tiki, Prosody, Thunderbird, etc.) should be here or a link to it..

Configuring Tiki to work with ClearOS's LDAP

If Tiki is installed on the ClearOS which has OpenLDAP

Works with 12.2: A user enters his own username/password (which are managed in ClearOS), and the user is logged in to Tiki.

• tiki-admin.php?page=login -> General preferences -> Authentication Method: Tiki and LDAP
• tiki-admin.php?page=login -> LDAP ->check "Create user if not in Tiki"

unconfirmed bug with 12.0 and 12.1: http://dev.tiki.org/item4816

If Tiki and ClearOS-LDAP are on different servers

For security reasons, anonymous binds are only allowed from localhost.  To allow anonymous binds from remote connections, change the last configuration block in /etc/openldap/slapd.conf from:

access to *
    by self write
    by peername.ip=127.0.0.1 read
    by * none stop

To:

access to *
    by self write
    by * read
    by * none stop

And restart LDAP: service slapd restart

The Tiki configuration is almost the same as the attached screenshot.  Changes:

- Hostname
- Port (636)
- Use SSL (enabled)
- Base DN (whatever it is on the remote LDAP server)

No such attachment on this page

Old info (still valid?) "If the site is accessible via LDAPS, you need to use the port 636, otherwise the port 389. In this situation you can still access from the same server ldaps via 389 "Publish Policy" to "Local Network". This will set LDAP to listen for incoming requests on your LAN interface. See also:
http://doc.tiki.org/LDAP+authentication#Certificate_Problems"

Todos

Solve binding

So it looks like we need a new ClearOS "bind_type" in lib/auth/ldap.php

Sync user data from ClearOS-LDAP to Tiki upon login

According to http://doc.tiki.org/LDAP+authentication#How_it_works, all this should work if properly configured. Perhaps by solving the binding above, it will all work? 😊

• Users full name
• Users email address
• Users country information
• Users group membership
• Group name and description

Self-registration via Tiki

What happens with LDAP if it's a Tiki-powered site that users self-register?

One option: hook into the ClearOS API. A code example looks something like:
$user = User_Factory::create('test_user');
$user_info['core']['first_name'] = 'Test';
$user_info['core']['last_name'] = 'User';
$user->add($user_info, 'password');

You can add e-mail addresses, and whatever other data you see in the web-based interface. The API is agnostic to the accounts engine (notably, OpenLDAP and Samba 4 Directory).

Sync OpenLDAP & Tracker data

• It's all documented here: Tracker Field Type
  • But binding doesn't seem to work: http://tikisuite.org/tiki-admin_dsn.php

Prevent naming conflicts

In terms of sync of users/groups between ClearOS & Tiki, analyze & document any limitation to avoid future issues

• See ClearOS conventions for usernames & passwords
• In Tiki, groups can have the same name as a user, but not in ClearOS
• In TIki, restrictions on usernames are configurable. See tiki-admin.php?page=login -> General preferences -> Username
  • Use email as username
  • Minimum & Maximum length
  • Force lowercase
  • Username pattern

Make a Tiki Suite profile

With all the optional configuration at tiki-admin.php?page=login (LDAP tab), improve Tiki Suite profile.

FreeSWITCH

This is for later. Here are some notes

• Small proof of concept for FreeSwitch
• Blue.box feature request
• FusionPBX feature request

Documentation

• LDAP authentication
• LDAP Tracker Field How to sync data from OpenLDAP to Tiki Trackers (Tiki's database & form generator)
• A nice guide: http://wiki.gentoo.org/wiki/Centralized_authentication_using_OpenLDAP
• http://www.clearcenter.com/support/documentation/user_guide/directory_server
• http://www.clearcenter.com/support/documentation/clearos_guides/accessing_ldap_data
• http://www.clearcenter.com/support/documentation/clearos_deployment_guides/synchronizing_zarafa_mail_contacts_and_calendars_-_mobile_devices
  • By default, the ClearOS UI only exposes username & password. But activating Zarafa adds Email, Phone number, City, Country, etc.
• http://www.clearfoundation.com/docs/howtos/connect_jitsi_to_clearos_directory
• http://www.clearfoundation.com/docs/howtos/connect_thunderbird_to_clearos_directory
• http://www.clearcenter.com/support/documentation/clearos_guides/configuring_prosody_to_work_with_pam_and_the_directory_behind_it
• http://www.clearfoundation.com/docs/howtos/phpldapadmin
• If Tiki and ClearOS-LDAP are on different servers
• http://plugins.piwik.org/LoginLdap

Feature requests & bug reports

• LDAP Sync Not working Correctly
• LDAP External Groups Being Flagged as Internal
• Add Global Address Book app
• Review state of /etc/openldap/ldap.conf
• Add zarafaSendAsPrivilege feature
• Investigate the addition of a Single Sign On (SSO) solution
• Templatable default e-mail address
• https://dev.tiki.org/External+Authentication

Developer info

Any development should be done in trunk, and backported to 12.x LTS and/or 13.x if relevant. See Where to commit

• http://sourceforge.net/p/tikiwiki/code/HEAD/tree/branches/12.x/doc/devtools/tiki-sync_ldap.php
  • Should this be on a cron job?
• http://sourceforge.net/p/tikiwiki/code/HEAD/tree/branches/12.x/lib/auth/ldap.php
• http://sourceforge.net/p/tikiwiki/code/HEAD/tree/branches/12.x/lib/userslib.php
• http://sourceforge.net/p/tikiwiki/code/HEAD/tree/branches/12.x/lib/core/Tracker/Field/Ldap.php
• tiki-syslog.php entries can give very useful info when moused over
  • tiki-admin.php?page=login -> LDAP -> Write LDAP debug Information in Tiki Logs Reset to default
• As of Tiki12, vendor_extra/pear/Net/LDAP2.php is used.
  • "This package is not maintained"
  • Zend\Ldap is an alternative
    • https://packagist.org/packages/zendframework/zend-ldap

Related tools

https://www.openhub.net/p/compare?project_0=phpLDAPadmin&project_1=LDAP+Account+Manager&project_2=LdapSaisie