Macareux LDAP Authentication

Easily integrate LDAP (Lightweight Directory Access Protocol) authentication into Concrete CMS with this package. Connect multiple LDAP servers for user authentication with flexible configuration options, including user and group synchronization.


Features

✔ LDAP Authentication

  • Supports Active Directory, OpenLDAP, and other LDAP v3-compliant systems.
  • Secure authentication using LDAPS and StartTLS.

✔ Group Mapping

  • Link LDAP security groups to Concrete CMS groups, including nested groups.

✔ Multiple LDAP Servers

  • High availability and failover support.

✔ User Management

  • Auto-create Concrete CMS users on LDAP login.
  • Sync user groups based on LDAP group mappings.

✔ Task Scheduler

  • Automate user synchronization and deactivation.

Prerequisites

🔹 Software Requirements

  • Concrete CMS version 9.0.0 or higher
  • PHP 7.4 or higher with LDAP extension enabled

🔹 LDAP Environment Knowledge

  • Server details
  • Directory structure

🔹 Security Considerations

  • LDAPS/StartTLS may require additional setup.
  • Shared hosting may limit LDAP configurations.

Quick Start Guide

1️⃣ Install the “Macareux LDAP Authentication” package.
2️⃣ Configure a directory at /dashboard/system/md_ldap.
3️⃣ Enable authentication at /dashboard/system/registration/authentication.
4️⃣ Adjust settings and activate the authentication type.
5️⃣ Authenticate using your LDAP directory credentials.


Directory Configuration

🔧 Managing Directories

  • Navigate to /dashboard/system/md_ldap.
  • Add, edit, or reorder directories.
  • Active Directory Users: Use the “Load Active Directory Preset” to auto-fill schema details.

🔑 Key Configuration Details

Basic Information

  • Display Name: Friendly name for display.
  • Domain Access Credentials: Used for LDAP queries, securely stored.

LDAP Servers

  • Multiple Server Support: For redundancy and failover.
  • Encryption Options: None, LDAPS, or StartTLS.
  • Server Selection: Ordered or random selection.

LDAP Schema

  • Base DN: Root for all queries.
  • User & Group DNs: Optional sub-OUs for filtering queries.

User & Group Attributes

  • Filters: Define LDAP filters for user and group objects.
  • Attribute Mapping: Map LDAP attributes to Concrete CMS fields.

Authentication & Sync Settings

🔄 Sync Options

  • Queue Batch Size: Adjust for performance vs. timeout risk.
  • User Deletion Handling: Choose between:
    • “Do Nothing”
    • “Deactivate User”
    • “Delete User”
  • Automatic Directory Selection: Try authentication across all configured directories.

🌐 Network Settings

  • Timeout & Caching: Configure response time limits and cache duration.

🔍 Debug Settings

  • Log Level: Set verbosity (default: WARNING).

Group Mapping

📌 Automatically assign Concrete CMS roles based on LDAP group membership. If a user is removed from an LDAP group, they will also be removed from the corresponding Concrete CMS group during the next sync.


Events for Customization

⚡ md_ldap_on_directory_init

Triggered when a directory object is initialized.

// Register listeners once, e.g. in application/bootstrap/app.php
use Concrete\Core\Support\Facade\Events;

Events::addListener('md_ldap_on_directory_init', function ($event) {
  // Ask the directory to fetch employeeID in addition to the mapped attributes
  $event->getDirectoryObject()->additionalUserFields[] = 'employeeID';
});

🔄 md_ldap_on_directory_user_sync

Triggered after an LDAP user syncs.

Events::addListener('md_ldap_on_directory_user_sync', function ($event) {
  // getLdapUser() returns the raw LDAP entry: attribute names are lowercase, values are indexed from 0
  $ldapEmployeeID = $event->getDirectoryUserObject()->getLdapUser()['employeeid'][0] ?? null;
  if ($ldapEmployeeID !== null) {
    $event->getDirectoryUserObject()->getConcreteUser()->setAttribute('employee_id', $ldapEmployeeID);
  }
});

🗑 md_ldap_on_directory_user_delete

Triggered after an LDAP user is deleted.

Events::addListener('md_ldap_on_directory_user_delete', function ($event) {
  // Remove the copied LDAP value from the Concrete CMS user once the directory user is gone
  $event->getDirectoryUserObject()->getConcreteUser()->clearAttribute('employee_id');
});
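The three listeners above, combined into one added example that is not part of the package: the LDAP value is read through a small helper that tolerates a missing attribute and is validated against an assumed format before it is written to the Concrete CMS user. It assumes the `ldap_get_entries()` array layout for `getLdapUser()` (lowercase attribute names, a `count` key, values indexed from 0), which matches the indexing used in the package's own examples, and a user attribute handle `employee_id`.

```php
<?php
// Added example (not the package's own code). Place in application/bootstrap/app.php.
use Concrete\Core\Support\Facade\Events;

// Return one value of an LDAP attribute from a getLdapUser() entry, or null if absent.
// Assumes the ldap_get_entries() layout: lowercase keys, 'count', numeric indexes.
function mdLdapAttribute(array $ldapUser, string $attribute): ?string
{
    $key = strtolower($attribute);
    if (!isset($ldapUser[$key]) || !is_array($ldapUser[$key])) {
        return null;
    }
    if (($ldapUser[$key]['count'] ?? 0) < 1 || !isset($ldapUser[$key][0])) {
        return null;
    }
    return (string) $ldapUser[$key][0];
}

Events::addListener('md_ldap_on_directory_init', function ($event) {
    // Fetch employeeID alongside the attributes mapped in the directory settings.
    $event->getDirectoryObject()->additionalUserFields[] = 'employeeID';
});

Events::addListener('md_ldap_on_directory_user_sync', function ($event) {
    $directoryUser = $event->getDirectoryUserObject();
    $concreteUser  = $directoryUser->getConcreteUser();
    $employeeId    = mdLdapAttribute($directoryUser->getLdapUser(), 'employeeID');

    // Accept only the format the directory is expected to issue (assumed: 4 to 8 digits).
    // Anything else clears the attribute instead of storing an unexpected value.
    if ($employeeId !== null && preg_match('/^\d{4,8}$/', $employeeId) === 1) {
        $concreteUser->setAttribute('employee_id', $employeeId);
    } else {
        $concreteUser->clearAttribute('employee_id');
    }
});

Events::addListener('md_ldap_on_directory_user_delete', function ($event) {
    // Drop the copied value when the directory user is deleted.
    $event->getDirectoryUserObject()->getConcreteUser()->clearAttribute('employee_id');
});
```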

Syncing LDAP Users

🔑 On Login

User and group sync occurs automatically during LDAP authentication.

🔄 Scheduled Sync

  • Configure automated user sync at System & Settings -> Automation -> Tasks.
  • Recommended: Use cron jobs for efficiency:
    • Windows: ./concrete/bin/concrete5.bat c5:task md_ldap_user_sync
    • Linux/macOS: ./concrete/bin/concrete5 c5:task md_ldap_user_sync

Configuring SSO (Windows Authentication)

🖥 IIS Setup

  1. Open IIS Manager.
  2. Navigate to the site and select “Authentication”.
  3. Disable all authentication types except “Windows Authentication”.
  4. Set samaccountname as “Remote Auth Username Attribute” in Dashboard -> System & Settings -> LDAP Directories.

📞 Support

  • Configuration support: Available at an additional cost.
  • Pre-sales inquiries: Open a ticket on the Concrete CMS package page.
  • Technical issues: Submit a support ticket via the Concrete CMS package page.

By following this guide, you can seamlessly integrate LDAP authentication into Concrete CMS for secure and efficient user management.