AD integration user sync with groups
- A web server that can run PHP scripts.
- PHP version newer than 5.3.0.
- Support for the following PHP extensions:
  - Required: date, dom, hash, libxml, openssl, pcre, SPL, zlib, json
  - If encryption or digital signatures are used: mcrypt
  - When using LDAP: ldap
  - If session data is to be stored: memcache
  - When using databases:
    - Required: PDO
    - Database driver: (mysql, pgsql, ...)
Depending on which installation you are working with, the actual extensions present on the server may vary.
The latest version can always be downloaded here: https://simplesamlphp.org/download.
Change to the directory the file was downloaded to and unpack it with the commands below.
- cd /var
- tar xzf simplesamlphp-1.x.y.tar.gz
- mv simplesamlphp-1.x.y simplesamlphp
- mv simplesamlphp /var/www//simplesamlphp
Run the following as root on the server:
openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 -keyout saml.key -out saml.pem
Let's Encrypt can also be used here. AD FS is usually not a fan of self-signed certificates, since they trigger an accept prompt.
The certificates must be placed on the server in the following paths and referenced in saml20-sp-remote.php:
/var/www//simplesamlphp/metadata/saml20-sp-remote.php
/var/www//simplesamlphp/cert/saml.crt
/var/www//simplesamlphp/cert/saml.pem
<VirtualHost *>
    ServerName <domain>
    DocumentRoot /var/www//public_html
    Alias /simplesaml /var/www/<domain>/simplesamlphp
    <Directory /var/www/<domain>/simplesamlphp>
        <IfModule !mod_authz_core.c>
            # For Apache 2.2:
            Order allow,deny
            Allow from all
        </IfModule>
        <IfModule mod_authz_core.c>
            # For Apache 2.4:
            Require all granted
        </IfModule>
    </Directory>
</VirtualHost>
- Define an administrator password:
  'auth.adminpassword' => 'NYT PASSWORD HER',
- Generate a random string of digits and letters with the following command:
  tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo
- Insert the generated string into the following line in config.php:
  'secretsalt' => '<INDSÆT STRENG HER>',
- Update the details below so they are correct for your organisation:
  'technicalcontact_name' => 'NAVN HER',
  'technicalcontact_email' => 'EMAIL HER',
  'language.default' => 'da',
  'timezone' => 'Europe/Copenhagen',
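As an added check that is not part of the original guide: a small Python script that scans a config.php for the settings above left at SimpleSAMLphp's shipped defaults ('123' and 'defaultsecretsalt') or at this guide's placeholders, and generates a salt from the same alphabet as the tr/dd command. The config fragment is constructed for the example.

```python
import re
import secrets
import string

# Constructed config.php fragment (not from a real install): it still carries the
# values SimpleSAMLphp ships in config-templates/config.php plus the
# placeholders from the steps above, i.e. everything that must be replaced.
SAMPLE_CONFIG_PHP = """
$config = [
    'auth.adminpassword' => '123',
    'secretsalt' => 'defaultsecretsalt',
    'technicalcontact_name' => 'NAVN HER',
    'technicalcontact_email' => 'EMAIL HER',
];
"""

# Shipped defaults and this guide's placeholders, per setting.
MUST_BE_REPLACED = {
    'auth.adminpassword': {'123', 'NYT PASSWORD HER'},
    'secretsalt': {'defaultsecretsalt', '<INDSÆT STRENG HER>'},
    'technicalcontact_name': {'NAVN HER'},
    'technicalcontact_email': {'EMAIL HER'},
}

def generate_secretsalt(length=32):
    """Random [0-9a-z] string, the same alphabet as the tr/dd command above."""
    alphabet = string.digits + string.ascii_lowercase
    return ''.join(secrets.choice(alphabet) for _ in range(length))

def parse_config(php):
    """Extract single-quoted 'key' => 'value' pairs from config.php text."""
    return dict(re.findall(r"'([\w.]+)'\s*=>\s*'([^']*)'", php))

def check_config(php):
    """Return findings for settings that are unset, shipped default or placeholder."""
    cfg = parse_config(php)
    findings = []
    for key, bad_values in MUST_BE_REPLACED.items():
        value = cfg.get(key)
        if value is None or value in bad_values:
            findings.append(f"{key}: unset, shipped default or placeholder")
    salt = cfg.get('secretsalt', '')
    if salt and salt not in MUST_BE_REPLACED['secretsalt'] and len(salt) < 32:
        findings.append("secretsalt: shorter than the 32 characters generated above")
    return findings
```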
After installing SimpleSAMLphp you can use the following page to test the services and see more information about your installation: https:///simplesaml/
Collecting miscellaneous information: AD mapping
Server installation: Apache2
- /var/www//simplesamlphp ← installation directory for SimpleSAMLphp
- /var/www//public_html ← Drupal installation
The following modules need to be enabled:
- simpleSAMLphp Authentication
- OS2intra simplesamlphp
simpleSAMLphp needs to be running on the server with SSL enabled.
Open /admin/config/people/simplesamlphp_auth
Check the Activate authentication via SimpleSAMLphp option. Check the Force https for login links option. Make sure your server has an SSL certificate.
Then the attribute data from the claims is mapped onto the Drupal user attributes.
Check the Allow authentication with local Drupal accounts option if you want to let people log in with local Drupal accounts (without using simpleSAMLphp). If you want to restrict this privilege to certain user roles, select the needed roles in the field below.
The “Register users” and “Enable authentication for manually created users” checkboxes need to be set if Drupal accounts should be created automatically for users that authenticate using SimpleSAMLphp and manually created users should be able to use SimpleSAMLphp for authentication.
The following modules need to be enabled:
- LDAP Authentication
- LDAP Authorization
- LDAP Authorization Drupal Roles
- LDAP Profile
- LDAP SSO
- LDAP Servers
- OS2Dagsorden AD Integration
Proceed to Administer -> Site Configuration -> LDAP Configuration (/admin/config/people/ldap/)
Start by selecting Add LDAP Server Configuration
Connection Settings - set up the LDAP server attributes, such as server name, server type, LDAP server IP and port.
Binding Method - "Anonymous Bind" should be selected
Within Base DNs for LDAP users, groups, and other entries, set the common high-level DN used to fetch all of the groups and their users. Next, define some basic attributes: the AuthName attribute that holds the username and the Email attribute that holds the mail address.
LDAP pagination – define the maximum number of entries returned at a time by your LDAP server.
Make sure that “Mixed Mode” is selected under Allowable Authentications
In the "Drupal User Account Creation" section select "Associate Drupal account with the LDAP entry..." in the "Existing Drupal User Account Conflict" group, and “Create accounts automatically for ldap authenticated users…” in the "Account Creation for LDAP Authenticated Users" group
For the entire Email section select the following options
The main goal of these settings is to map LDAP users to Drupal roles
Use strategy II and define the DN string attribute that you want to use for role mapping
Map “raw authorization ids" to Drupal roles using the following syntax: raw authorization ids|drupal_role
Define the base DNs for user searches. Each DN starts on a new line. Each base DN will be queried and the results merged
Define the base DNs for inactive users
Define the LDAP query filter and the attributes that will be returned
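To make the strategy II mapping above concrete, here is an added Python model (not code from the Drupal LDAP modules) of how the "raw authorization ids|drupal_role" lines resolve: a user's memberOf group DNs are matched case-insensitively, unmapped groups grant nothing, and only roles the mapping manages are revoked on re-sync. Group names, DNs and roles are constructed for the example.

```python
import re

# Constructed text as entered in the LDAP Authorization mapping field: one
# "raw authorization id|drupal_role" pair per line. With strategy II the raw
# ids are the group DNs found in the user's DN string attribute (e.g. memberOf).
MAPPING_TEXT = """
cn=Dagsorden-Editors,ou=Groups,dc=example,dc=local|editor
cn=Dagsorden-Admins,ou=Groups,dc=example,dc=local|administrator
cn=All-Staff,ou=Groups,dc=example,dc=local|viewer
"""

# Constructed memberOf values as AD would return them (note the upper-case RDNs).
SAMPLE_MEMBEROF = [
    "CN=Dagsorden-Editors,OU=Groups,DC=example,DC=local",
    "CN=VPN-Users,OU=Groups,DC=example,DC=local",
]

def normalize_dn(dn):
    """DNs compare case-insensitively; strip spaces around unescaped commas."""
    rdns = re.split(r'(?<!\\),', dn)
    return ','.join(r.strip() for r in rdns).lower()

def parse_mapping(text):
    """Parse mapping lines into {normalized group DN: drupal role}."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if '|' not in line:
            raise ValueError(f"line {lineno}: expected 'raw authorization id|drupal_role'")
        auth_id, role = line.rsplit('|', 1)
        mapping[normalize_dn(auth_id)] = role.strip()
    return mapping

def resolve_roles(memberof, mapping):
    """Roles granted by the user's groups, and group DNs the mapping ignores."""
    granted, unmapped = set(), []
    for dn in memberof:
        role = mapping.get(normalize_dn(dn))
        if role:
            granted.add(role)
        else:
            unmapped.append(dn)
    return granted, unmapped

def sync_roles(current_roles, granted, mapping):
    """Roles to add and to revoke. Only roles the mapping manages are revoked,
    so roles assigned manually in Drupal outside the mapping are left alone."""
    managed = set(mapping.values())
    return sorted(granted - current_roles), sorted((current_roles & managed) - granted)
```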