<?php
/*
 * LimeSurvey
 * Copyright (C) 2007-2011 The LimeSurvey Project Team / Carsten Schmitz
 * All rights reserved.
 * License: GNU/GPL License v2 or later, see LICENSE.php
 * LimeSurvey is free software. This version may have been modified pursuant
 * to the GNU General Public License, and as distributed it includes or
 * is derivative of works licensed under the GNU General Public License or
 * other free or open source software licenses.
 * See COPYRIGHT.php for copyright notices and details.
 *
 */

/*********** LDAP Parameters and Functions ***********************
 *
 * Sample LDAP configuration used for token imports. The file ends with a
 * file-scope `return` of the two arrays built here, so it is meant to be
 * loaded with include/require rather than executed directly.
 *
 * - First define your LDAP servers and remember the serverId
 * - Then define your ldap_query and 'attach' it to the serverId
 *
 * SECURITY NOTE: this file contains a clear-text directory bind password.
 * Keep it unreadable by anyone but the PHP process user (and never
 * web-accessible), keep it out of version control, and fill in a
 * dedicated read-only service account that can see nothing beyond the
 * user and group entries the queries below need.
 ******************************************************************/

/*********************************************/
/* LDAP servers                              */
/*********************************************/

$serverId = 0;
// Define the server DNS name or IP Address
// If encryption is enabled, make sure the name given here
// corresponds to the certificate's identity (subject / subjectAltName).
// A mismatch either fails the TLS handshake or, if the client library has
// been told not to verify, leaves the session open to a man-in-the-middle.
$ldap_server[$serverId]['server'] = "ldap.mycompany.org";

// Define the TCP port on which the LDAP server is listening
// This should be 389 for standard LDAP servers (plain or start-tls)
// or 636 for standard LDAPS connections
$ldap_server[$serverId]['port'] = "636";

// Define the LDAP protocol to use
// 'ldapv2' and 'ldapv3' are supported
// NOTE(review): LDAPv2 is historic (retired by RFC 3494) and may be
// refused by current directory servers; prefer 'ldapv3' unless a legacy
// server forces v2. 'start-tls' (below) needs 'ldapv3' in any case.
$ldap_server[$serverId]['protoversion'] = "ldapv2";

// Define the encryption method to use
// 'ldaps'     is supported for 'ldapv2' servers: TLS from the first byte on
//             a dedicated port (usually 636)
// 'start-tls' is supported for 'ldapv3' servers: upgrades a plain
//             connection (usually port 389) to TLS; it is an LDAPv3
//             extension (RFC 2830) and is not available on v2
// 'none'      is supported for no encryption at all: the bind password and
//             every imported record then cross the network in clear text,
//             so only use it on a trusted local link
// Don't forget to set up your CA's certificate in the OpenLDAP ldap.conf
// file (TLS_CACERT) and to leave TLS_REQCERT at its default 'demand':
// with 'never' or 'allow' the session is encrypted but the server's
// identity is not verified.
$ldap_server[$serverId]['encrypt'] = "ldaps";

// Define the referral option
// 'false' is recommended for ActiveDirectory servers, which typically
// return referrals to other domain controllers that cannot be followed
// with the credentials given here
$ldap_server[$serverId]['referrals'] = false;

// Define the encoding used by the LDAP directory
// You may omit this parameter (leave it commented out)
// as the default value, 'utf-8', should work for most installations.
// However, Active Directory in Western Europe may use 'cp850'.
// $ldap_server[$serverId]['encoding'] = 'utf-8';

// Define the authentication used to bind to the directory
// We currently support simple authentication
// If an anonymous bind must be performed, comment out the following two lines
// Note that Active Directory (AD) usually requires authentication before
// you are authorized to read its content. Remember as well that users' DNs
// in AD are in the form of CN=username,CN=Users,DC=WindowsDomainName,DC=mycompany,DC=org
//
// A simple bind sends this password as-is, so it is only safe together
// with 'ldaps' or 'start-tls' above. Use a dedicated, read-only service
// account with the minimum directory access the queries below need --
// never an administrator account -- and replace the placeholder value;
// do not leave a real password in a world-readable file.
$ldap_server[$serverId]['binddn'] = "uid=mybinduser,dc=mycompany,dc=org";
$ldap_server[$serverId]['bindpw'] = "AsecretPassword";

/********* Copy for more definitions *****
 $serverId++;
 $ldap_server[$serverId]['server'] = "ldap.mycompany.org";
 $ldap_server[$serverId]['port'] = "389";
 $ldap_server[$serverId]['protoversion'] = "ldapv3";
 $ldap_server[$serverId]['encrypt'] = "start-tls";
 $ldap_server[$serverId]['referrals'] = false;
 $ldap_server[$serverId]['binddn'] = "uid=mybinduser,dc=mycompany,dc=org";
 $ldap_server[$serverId]['bindpw'] = "AsecretPassword";
 *****************************************/

/**********************************************************************/
/* Predefined Queries for Token Imports                               */
/*                                                                    */
/* This sample query definition is just a placeholder: do not         */
/* expect it to do something intelligent on your directory.           */
/* Instead have a look at the online documentation:                   */
/* - Section Installation, paragraph LDAP_Settings                    */
/* And for Active Directory tips:                                     */
/* - Section Installation FAQ, paragraph                              */
/*   How_do_I_configure_LDAP_settings_to_work_with_Active_Directory_  */
/*                                                                    */
/* The base DNs and filters below are handed to the directory as      */
/* written. Keep them static configuration; do not build them from    */
/* untrusted input without LDAP filter escaping.                      */
/**********************************************************************/

$query_id = 0;

// First define the serverId on which you want to run the query
$ldap_queries[$query_id]['ldapServerId'] = 0;

// Give a name that will appear on the user interface
$ldap_queries[$query_id]['name'] = 'Staff with an enabled account';

// Define the LDAP base used for user searches
$ldap_queries[$query_id]['userbase'] = 'ou=staff,dc=mycompany,dc=org';

// Define the user filter to apply
// Must begin with '(' and end with ')'
// Note that for AD, checking the 'active' status of a user is done with the following filter:
// "(&(objectCategory=Person)(objectClass=user)(!(userAccountControl=514)))"
// Caveat: '=514' only excludes accounts whose userAccountControl is exactly
// NORMAL_ACCOUNT|ACCOUNTDISABLE. A disabled account with any extra flag set
// (e.g. DONT_EXPIRE_PASSWD, giving 66050) still matches and gets imported.
// The bitwise matching-rule form excludes every disabled account:
// "(&(objectCategory=Person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
$ldap_queries[$query_id]['userfilter'] = '(&(objectClass=inetOrgPerson)(my-fake-accountstatus-attribute=enabled))';

// Define how deep under the userbase you want to search
// 'sub' means: search the entire subtree
// 'one' means: only search 1 level under the userbase
// 'base' means: only search the userbase DN entry
$ldap_queries[$query_id]['userscope'] = 'sub';

// Define the user's attribute that provides the first name
// do not use capital letters in the attribute name
// for instance use 'givenname' and not 'givenName'
$ldap_queries[$query_id]['firstname_attr'] = 'givenname';

// Give the user's attribute that provides the last name
// do not use capital letters in the attribute name
$ldap_queries[$query_id]['lastname_attr'] = 'sn';

// Give the user's attribute that provides the email address
// do not use capital letters in the attribute name
// If multivalued, only the first entry is read
$ldap_queries[$query_id]['email_attr'] = 'mail';


// Optionally give the user's attributes that provide the
// token, language, attr1 and attr2 pieces of information
// do not use capital letters in the attribute name
// if unused, leave empty or comment out the lines
//
// The token is what grants access to the survey. If you take it from a
// directory attribute, that attribute must be as unguessable as a secret:
// values that are predictable or visible to colleagues (uid, mail,
// employee number) let anyone who knows them answer on that person's
// behalf. Leaving it empty so that random tokens are generated is the
// safer choice.
$ldap_queries[$query_id]['token_attr'] = ''; // Leave empty for auto token generation by the application
$ldap_queries[$query_id]['language'] = '';
$ldap_queries[$query_id]['attr1'] = '';
$ldap_queries[$query_id]['attr2'] = '';

/********** Other query examples ********************/

// This query is an example of a group search in which group members are DNs
// The query runs in two steps:
// 1- Look for user candidates matching the group filter part
// 2- Then, apply a user filter to the user candidates found in step 1
$query_id++;
$ldap_queries[$query_id]['ldapServerId'] = 0;
$ldap_queries[$query_id]['name'] = 'Administrator group';
// Define a group filter (base, filter, scope)
// Note that in AD, user groups are defined in the following base:
// CN=Users,DC=WindowsDomainName,DC=mycompany,DC=org
$ldap_queries[$query_id]['groupbase'] = 'ou=groups,dc=mycompany,dc=org';
$ldap_queries[$query_id]['groupfilter'] = '(&(objectClass=groupOfNames)(cn=AdministratorGroup))';
$ldap_queries[$query_id]['groupscope'] = 'sub';
// Define which group attribute is used to get users' IDs
$ldap_queries[$query_id]['groupmemberattr'] = 'member';
// Define whether groupmemberattr contains users' DNs or NOT
$ldap_queries[$query_id]['groupmemberisdn'] = true;

// Optionally you can complete the group query with an additional
// user filter that will be applied to the users found by the group search
// Comment out the userbase, userfilter, and userscope lines
// if you don't use this extra filter.
$ldap_queries[$query_id]['userbase'] = 'ou=users,dc=mycompany,dc=org';
$ldap_queries[$query_id]['userfilter'] = '(my-fake-accountstatus-attribute=enabled)';
$ldap_queries[$query_id]['userscope'] = 'sub';

$ldap_queries[$query_id]['firstname_attr'] = 'givenname';
$ldap_queries[$query_id]['lastname_attr'] = 'sn';
$ldap_queries[$query_id]['email_attr'] = 'mail';
$ldap_queries[$query_id]['token_attr'] = ''; // Leave empty for auto token generation by the application (see the note on the first query)
$ldap_queries[$query_id]['language'] = '';
$ldap_queries[$query_id]['attr1'] = '';
$ldap_queries[$query_id]['attr2'] = '';


// This query is an example of a group search in which group members are UIDs
// an additional user filter is applied to the already found users
$query_id++;
$ldap_queries[$query_id]['ldapServerId'] = 0;
$ldap_queries[$query_id]['name'] = 'Admins via POSIXGroups';
$ldap_queries[$query_id]['groupbase'] = 'ou=group,dc=mycompany,dc=org';
$ldap_queries[$query_id]['groupfilter'] = '(&(cn=admins)(objectclass=posixgroup))';
$ldap_queries[$query_id]['groupscope'] = 'sub';
// Define which attribute within the group entry contains users' IDs
$ldap_queries[$query_id]['groupmemberattr'] = 'memberuid';
// Declare that groupmemberattr contains users' IDs and not DNs
$ldap_queries[$query_id]['groupmemberisdn'] = false;
// Give the name of the attribute in the user entry that matches the
// 'groupmemberattr' value
$ldap_queries[$query_id]['useridattr'] = 'uid';
// Give the base DN used to search the users based on the users' IDs
$ldap_queries[$query_id]['userbase'] = 'ou=people,dc=mycompany,dc=org';
// Optionally give an additional filter to filter users
// '(objectclass=*)' matches every entry, i.e. no extra filtering
$ldap_queries[$query_id]['userfilter'] = '(objectclass=*)';
$ldap_queries[$query_id]['userscope'] = 'sub';

$ldap_queries[$query_id]['firstname_attr'] = 'givenname';
$ldap_queries[$query_id]['lastname_attr'] = 'sn';
$ldap_queries[$query_id]['email_attr'] = 'mail';
$ldap_queries[$query_id]['token_attr'] = ''; // Leave empty for auto token generation by the application (see the note on the first query)
$ldap_queries[$query_id]['language'] = '';
$ldap_queries[$query_id]['attr1'] = '';
$ldap_queries[$query_id]['attr2'] = '';

/********
 $query_id++;
 //Copy previous definition lines
 ********/


//DO NOT CHANGE BELOW HERE --------------------

// Hand both tables back to whoever included this file.
return array('ldap_server' => $ldap_server, 'ldap_queries' => $ldap_queries);