History: Tiki Suite LDAP

LDAP's role is central in ClearOS & Tiki Suite. So here is a page to centralize all documentation & issues. Everything related to LDAP and any component of Tiki Suite (Tiki, Prosody, Thunderbird, etc.) should be here or a link to it..

Configuring Tiki to work with ClearOS's LDAP

If Tiki is installed on the ClearOS which has OpenLDAP

Works with 12.2: A user enters his own username/password (which are managed in ClearOS), and the user is logged in to Tiki.

• tiki-admin.php?page=login -> General preferences -> Authentication Method: Tiki and LDAP
• tiki-admin.php?page=login -> LDAP ->check "Create user if not in Tiki"

unconfirmed bug with 12.0 and 12.1: http://dev.tiki.org/item4816

2014-07-30: tikisuite.org with latest 12.x and clearos-updates-testing (thus latest code of ClearOS 6.6) -> Activating "Use SSL (ldaps)" (auth_ldap_ssl) breaks the authentication for users.

Latest 12.x from 2014-08-15: This config works for authentication, and the sync of Real name, country and email, but not groups

If Tiki and ClearOS-LDAP are on different servers

For security reasons, anonymous binds are only allowed from localhost.  To allow anonymous binds from remote connections, change the last configuration block in /etc/openldap/slapd.conf from:

access to *
    by self write
    by peername.ip=127.0.0.1 read
    by * none stop

To:

access to *
    by self write
    by * read
    by * none stop

And restart LDAP: service slapd restart

The Tiki configuration is almost the same as the attached screenshot.  Changes:

- Hostname
- Port (636)
- Use SSL (enabled)
- Base DN (whatever it is on the remote LDAP server)

No such attachment on this page

Old info (still valid?) "If the site is accessible via LDAPS, you need to use the port 636, otherwise the port 389. In this situation you can still access from the same server ldaps via 389 "Publish Policy" to "Local Network". This will set LDAP to listen for incoming requests on your LAN interface. See also:
http://doc.tiki.org/LDAP+authentication#Certificate_Problems"

Todos

Solve binding

So it looks like we need a new ClearOS "bind_type" in lib/auth/ldap.php

Here are some tests as per the script at: http://doc.tiki.org/LDAP+authentication#Debugging
http://tikisuite.org/connect_as_manager.php
http://tikisuite.org/connect_as_tesla.php

Sync user data from ClearOS-LDAP to Tiki upon login

According to http://doc.tiki.org/LDAP+authentication#How_it_works, all this should work if properly configured. Perhaps by solving the binding above, it will all work? 😊

• Users full name
• Users email address
• Users country information
• Users group membership
• Group name and description

Sync OpenLDAP & Tracker data

• It's all documented here: LDAP Tracker Field
  • But binding doesn't seem to work: http://tikisuite.org/tiki-admin_dsn.php

Solve TLS issue

• There is a fix which breaks things for others (ask Marc for details)

Forgot my password

• Tiki has such a feature: https://tikisuite.org/tiki-remind_password.php
• How can this work if password is not managed in Tiki, but in ClearOS-LDAP? (You can just turn off this feature in Tiki, but the admin panel should give you a warning)
  • To make things more tricky, it's actually possible that some users are managed in Tiki, and the rest in ClearOS-LDAP

Prevent naming conflicts

In terms of sync of users/groups between ClearOS & Tiki, analyze & document any limitation to avoid future issues

• See ClearOS conventions for usernames & passwords
• In Tiki, groups can have the same name as a user, but not in ClearOS
• In TIki, restrictions on usernames are configurable. See tiki-admin.php?page=login -> General preferences -> Username
  • Use email as username
  • Minimum & Maximum length
  • Force lowercase
  • Username pattern

Self-registration via Tiki

What happens with LDAP if it's a Tiki-powered site that users self-register?

One option: hook into the ClearOS API. A code example looks something like:
$user = User_Factory::create('test_user');
$user_info['core']['first_name'] = 'Test';
$user_info['core']['last_name'] = 'User';
$user->add($user_info, 'password');

You can add e-mail addresses, and whatever other data you see in the web-based interface. The API is agnostic to the accounts engine (notably, OpenLDAP and Samba 4 Directory).

Make a Tiki Suite profile

With all the optional configuration at tiki-admin.php?page=login (LDAP tab), improve Tiki Suite profile.

FreeSWITCH

This is for later. Here are some notes

• Small proof of concept for FreeSWITCH
• Blue.box feature request
• FusionPBX feature request
• https://wiki.freeswitch.org/wiki/Mod_ldap

SabreDAV

SabreDAV could be interesting for ClearOS, Tiki, and Zarafa

• http://tracker.clearfoundation.com/view.php?id=1260
• LDAP backend for contacts with SabreDAV (which could be included in Tiki)
• https://github.com/bokxing-it/sabre-zarafa/

Documentation

• LDAP authentication
• LDAP Tracker Field How to sync data from OpenLDAP to Tiki Trackers (Tiki's database & form generator)
• A nice guide: http://wiki.gentoo.org/wiki/Centralized_authentication_using_OpenLDAP
• Tiki LDAP FAQ
• http://www.clearcenter.com/support/documentation/user_guide/directory_server
• http://www.clearcenter.com/support/documentation/clearos_guides/accessing_ldap_data
• http://www.clearcenter.com/support/documentation/clearos_deployment_guides/synchronizing_zarafa_mail_contacts_and_calendars_-_mobile_devices
  • By default, the ClearOS UI only exposes username & password. But activating Zarafa adds Email, Phone number, City, Country, etc.
• http://www.clearfoundation.com/docs/howtos/connect_jitsi_to_clearos_directory
• http://www.clearfoundation.com/docs/howtos/connect_thunderbird_to_clearos_directory
• http://www.clearcenter.com/support/documentation/clearos_guides/configuring_prosody_to_work_with_pam_and_the_directory_behind_it
• http://www.clearfoundation.com/docs/howtos/phpldapadmin
• http://plugins.piwik.org/LoginLdap

Forums

• ClearOS LDAP forum
• Tiki LDAP forum

Feature requests & bug reports

• LDAP Sync Not working Correctly Important to check this one
• LDAP External Groups Being Flagged as Internal
• Add Global Address Book app
• Review state of /etc/openldap/ldap.conf
• Add zarafaSendAsPrivilege feature
• Investigate the addition of a Single Sign On (SSO) solution
• Templatable default e-mail address
• phpLDAPadmin reports: "Automatically removed attribute or objectClass from template"
• https://dev.tiki.org/External+Authentication

Developer info

Any development should be done in trunk, and backported to 12.x LTS and/or 13.x if relevant. See Where to commit

• http://sourceforge.net/p/tikiwiki/code/HEAD/tree/branches/12.x/doc/devtools/tiki-sync_ldap.php
  • Should this be on a cron job?
• http://sourceforge.net/p/tikiwiki/code/HEAD/tree/branches/12.x/lib/auth/ldap.php
• http://sourceforge.net/p/tikiwiki/code/HEAD/tree/branches/12.x/lib/userslib.php
• http://sourceforge.net/p/tikiwiki/code/HEAD/tree/branches/12.x/lib/core/Tracker/Field/Ldap.php
• tiki-syslog.php entries can give very useful info when moused over
  • tiki-admin.php?page=login -> LDAP -> Write LDAP debug Information in Tiki Logs Reset to default
• As of Tiki12, vendor_extra/pear/Net/LDAP2.php is used.
  • "This package is not maintained"
  • Zend\Ldap is an alternative
  • Tiki 12.x has version 2.0.9 (2010-02-16), and there are several newer versions available
    • https://packagist.org/packages/zendframework/zend-ldap

Related tools

https://www.openhub.net/p/compare?project_0=phpLDAPadmin&project_1=LDAP+Account+Manager&project_2=LdapSaisie