Active Directory and Azure OpenID

Introduction

myDBR facilitates user authentication through Microsoft Active Directory, including user creation, authentication, group creation, and user group management. This functionality mirrors that of myDBR's Single Sign-On (SSO) authentication.

myDBR supports Active Directory authentication both against a local AD installation and via Azure OpenID (OEM version).

Local Active Directory

Settings

To enable Active Directory authentication, the following settings must be configured in the Environment settings:

  • Domain Controller: the Active Directory server(s) that handle authentication requests. To distribute queries across multiple controllers, separate their addresses with commas. Accepted formats are 'hostname', 'hostname:port' and 'ldaps://hostname:port' (for SSL).
  • Account Suffix: the complete account suffix for your domain.
  • Base DN: the location in Active Directory where searches start. If left blank, myDBR attempts to detect it automatically from the domain controller.
  • Username: a user with read privileges to Active Directory.
  • Password: the password for the Username.

Active Directory Users to myDBR Users

By default, myDBR will use the AD user's sAMAccountName attribute as the username in myDBR. One can change that definition in user/defaults.php by overriding the $mydbr_defaults['active_directory']['mydbr_username'] value. The default value is {sAMAccountName}. myDBR will replace attribute names wrapped in {} with the corresponding values in the user's record in AD. To use the user's email as the username, one can use the mail attribute {mail} (or {userPrincipalName}).

Defining Multiple Separate Active Directories for Use

If you have a setup where users from multiple, separate Active Directories (with different user bases) need to access myDBR, you can define additional Active Directory entry points. When more than one is defined, the login screen will display a dropdown allowing the user to select the appropriate Active Directory. You can set the name of the default Active Directory in mydbr/ with the following definition:

      $mydbr_defaults['active_directory']['visible_name'] = 'Primary one';
      

To add additional Active Directories, use the $mydbr_defaults['active_directory']['extra_domains'] array in mydbr/. Each array element represents one Active Directory. To ensure usernames remain unique within myDBR, assign different mydbr_username values for each AD. The format also allows custom prefixes or text in the field. For example, the value 'US1:{sAMAccountName}' might result in a username like 'US1:user'. All array fields are required.

      $mydbr_defaults['active_directory']['extra_domains'] = array(
        array(
          'domain_controller' => 'hostname',
          'username' => 'username',
          'password' => 'password',
          'account_suffix' => 'ad_us.yourcompany.com',
          'base_dn' => 'OU=your_organization,DC=ad_us,DC=yourcompany,DC=com',
          'visible_name' => 'US users',
          'mydbr_username' => '{userPrincipalName}'
        )
      );
      
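As an added illustration of the mydbr_username templates described above (this is not myDBR's own code, and the attribute lookup details are an assumption), the following shows how '{sAMAccountName}', '{mail}' and a prefixed 'US1:{sAMAccountName}' expand against a user's AD record, and why two separate ADs need different templates to keep usernames unique:

```php
<?php
// Added example (not myDBR's own code): expands a mydbr_username template such as
// '{sAMAccountName}' or 'US1:{sAMAccountName}' against a user's AD record.
// PHP's ldap_get_entries() returns attribute keys lower-cased, so the lookup is
// done case-insensitively (an assumption about how myDBR resolves attributes).

function expandUsernameTemplate(string $template, array $adRecord): string
{
    $record = array_change_key_case($adRecord, CASE_LOWER);
    return preg_replace_callback('/\{([A-Za-z0-9-]+)\}/', function ($m) use ($record) {
        $key = strtolower($m[1]);
        if (!isset($record[$key])) {
            // Fail closed: a missing attribute must not yield a partial name such as
            // 'US1:' that several users could share.
            throw new RuntimeException("AD record has no attribute '{$m[1]}'");
        }
        $value = $record[$key];
        // ldap_get_entries() shapes each attribute as ['count' => n, 0 => ..., ...];
        // a multi-valued attribute contributes its first value.
        return is_array($value) ? (string) $value[0] : (string) $value;
    }, $template);
}

// Constructed sample records shaped like ldap_get_entries() output (not real accounts).
$usRecord = [
    'samaccountname'    => ['count' => 1, 0 => 'jdoe'],
    'userprincipalname' => ['count' => 1, 0 => 'jdoe@ad_us.yourcompany.com'],
    'mail'              => ['count' => 1, 0 => 'john.doe@yourcompany.com'],
];
$euRecord = [
    'samaccountname'    => ['count' => 1, 0 => 'jdoe'],   // same login name, different AD
    'userprincipalname' => ['count' => 1, 0 => 'jdoe@ad_eu.yourcompany.com'],
];

// Default domain: the bare sAMAccountName, or the mail attribute instead.
printf("%-30s -> %s\n", '{sAMAccountName}', expandUsernameTemplate('{sAMAccountName}', $usRecord));
printf("%-30s -> %s\n", '{mail}', expandUsernameTemplate('{mail}', $usRecord));
// Extra domains: a prefix or a domain-qualified attribute keeps the two 'jdoe'
// accounts distinct inside myDBR; using '{sAMAccountName}' for both would collide.
printf("%-30s -> %s\n", 'US1:{sAMAccountName}', expandUsernameTemplate('US1:{sAMAccountName}', $usRecord));
printf("%-30s -> %s\n", 'EU {userPrincipalName}', expandUsernameTemplate('{userPrincipalName}', $euRecord));
```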

Mapping Users to Organizations

One can map Active Directory users to myDBR Organizations by defining the $mydbr_defaults['active_directory']['organization_ext_id'] value. The value can be the constant account_suffix or any of the fields in the user's AD record.

      $mydbr_defaults['active_directory']['organization_ext_id'] = 'account_suffix';
      

Logging in to myDBR via local Active Directory

Users can log in to myDBR using either their sAMAccountName or email address.

Troubleshooting Active Directory over SSL

To use Active Directory over SSL, you need to define the Domain Controller using the format ldaps://hostname:port (the default port is 636). If you encounter issues connecting to Active Directory over SSL, ensure that your web server has access to the LDAP configuration file ldap.conf (see the PHP documentation for ldap_connect). Make sure the configuration file includes the Active Directory Root CA certificate specified with the TLS_CACERT directive.

To test if the issue is caused by PHP not recognizing the AD's certificate, you can temporarily bypass the certificate check by adding the following line to your code:

      putenv('LDAPTLS_REQCERT=never');
      

This disables certificate validation entirely: the connection is still encrypted, but the server is no longer authenticated, so the line is only a diagnostic. If the connection succeeds with it and fails without it, the problem is certificate trust; add the Root CA to ldap.conf via TLS_CACERT and remove the putenv line again.
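The following added diagnostic (not myDBR's own code; host, port and bind account are placeholders) checks from the web server's PHP that an LDAPS bind succeeds with full certificate verification, and reports the LDAP error and diagnostic message when it does not, which is the check worth running before and after fixing ldap.conf:

```php
<?php
// Added diagnostic (not myDBR's own code). Verifies that PHP can bind to the domain
// controller over LDAPS with certificate verification left on, as myDBR needs.
// Placeholders: replace the URI and bind account with your own values.
// The web server's ldap.conf must trust the AD root CA, e.g. (placeholder path):
//   TLS_CACERT /etc/ssl/certs/ad-root-ca.pem

$uri    = 'ldaps://dc1.ad.yourcompany.com:636';     // placeholder domain controller
$bindDn = 'svc_mydbr@ad.yourcompany.com';            // placeholder read-only account
$bindPw = getenv('MYDBR_LDAP_PW') ?: '';             // supplied via environment, not hard-coded

function checkLdaps(string $uri, string $bindDn, string $bindPw): array
{
    $ldap = ldap_connect($uri);                 // parses the URI only; no network I/O yet
    if ($ldap === false) {
        return ['ok' => false, 'error' => 'invalid LDAP URI', 'diagnostic' => ''];
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);   // AD returns referrals that would otherwise be chased
    // The TLS handshake happens inside ldap_bind; a rejected certificate surfaces here.
    $ok   = @ldap_bind($ldap, $bindDn, $bindPw);
    $diag = '';
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    $result = ['ok' => $ok, 'error' => $ok ? '' : ldap_error($ldap), 'diagnostic' => (string) $diag];
    ldap_unbind($ldap);
    return $result;
}

$r = checkLdaps($uri, $bindDn, $bindPw);
if ($r['ok']) {
    echo "LDAPS bind OK: the server certificate chain is trusted by this PHP/OpenLDAP\n";
    exit(0);
}
// "Can't contact LDAP server" with an empty diagnostic message is the usual symptom
// of an untrusted server certificate; "Invalid credentials" with a diagnostic
// message means TLS worked and only the bind account is wrong.
echo "LDAPS bind failed: {$r['error']} {$r['diagnostic']}\n";
exit(1);
```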

Azure OpenID

Settings

The following settings must be configured in the Environment settings for Azure OpenID:

  • Tenant ID: the identifier for your Azure Active Directory instance.
  • Client ID: the unique identifier for the myDBR application registered in Azure AD.
  • Client Secret: the secret associated with the Client ID that proves the application's identity during authentication.

myDBR will generate the Redirect URI, which must be set in the App Registrations section of the Azure Portal.

Active Directory Users to myDBR Users

myDBR will use the subject claim (sub) from the OpenID identifier as the user's username.

Mapping Users to Organizations

A group named like Finance[OrgID:ext_id_xx] will be created as Finance in myDBR, and the user is added to the organization whose external_id matches the bracketed value (ext_id_xx).

Active Directory Configuration

To configure myDBR's Active Directory authentication on the Active Directory server, the following groups need to be defined:

  • myDBR Groups: a group defining which AD groups are considered myDBR groups. The default name for this group is 'myDBR Groups'. All other myDBR groups must be members of this group. If you wish to change the default group name, place the definition $mydbr_defaults['active_directory_mydbr_groups'] = 'new_mydbr_groupname'; into user/defaults.php.
  • myDBR Admins: if the user belongs to this group, they are granted admin rights in myDBR. The default name for this group is 'myDBR Admins', and the group must be a member of 'myDBR Groups'. If you wish to change the default group name, place the definition $mydbr_defaults['active_directory_mydbr_admin_group'] = 'new_admin_groupname'; into user/defaults.php.
  • Other groups within 'myDBR Groups' define the user groups used for report access. Any group added to 'myDBR Groups' appears as a user group within myDBR, so access rights for individual reports can be customized per group. Users can belong to these groups either directly or indirectly through other Active Directory (AD) groups nested within them.

myDBR determines whether a user in Active Directory is a myDBR user by checking if the user is a member of any group listed under the Active Directory group 'myDBR Groups' or if the user is a direct member of the 'myDBR Groups' group.

User's Groups

All user group management is handled within Active Directory. When a user logs in, their groups are validated against the group list provided by Active Directory.

  1. If a user's group does not exist in myDBR, it will be created.
  2. The user will be added to the myDBR groups defined in Active Directory.
  3. The user will be removed from any other groups not defined in Active Directory.
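The group rules above (membership under 'myDBR Groups', nested AD groups, the admin group) together with the Finance[OrgID:ext_id_xx] naming convention from the Azure OpenID section, worked through as an added example on a constructed group snapshot; this is illustrative code, not myDBR's implementation, and treating the admin group as a right rather than a report group is an assumption:

```php
<?php
// Added example (not myDBR's own code): resolves a user's myDBR groups, admin
// right and organization from a constructed AD group snapshot, covering nested
// membership under 'myDBR Groups' and the Name[OrgID:ext_id] naming convention.
// All group and user names below are made up.
$directory = [   // group => direct members (nested groups or user accounts)
    'myDBR Groups'              => ['myDBR Admins', 'Finance[OrgID:ext_id_fin]', 'Sales', 'erin'],
    'myDBR Admins'              => ['alice'],
    'Finance[OrgID:ext_id_fin]' => ['EMEA Accountants'],
    'EMEA Accountants'          => ['bob'],    // bob reaches Finance only through nesting
    'Sales'                     => ['carol'],
    'Marketing'                 => ['dave'],   // not under 'myDBR Groups', so not a myDBR group
];

function parseGroupName(string $name): array
{
    if (preg_match('/^(.*?)\s*\[OrgID:([^\]]+)\]$/', $name, $m)) {
        return ['group' => $m[1], 'organization_ext_id' => $m[2]];
    }
    return ['group' => $name, 'organization_ext_id' => null];
}

// User accounts reachable from $group through any depth of nested groups (cycle-safe).
function membersOf(array $dir, string $group, array &$seen = []): array
{
    $users = [];
    foreach ($dir[$group] ?? [] as $m) {
        if (!isset($dir[$m])) { $users[] = $m; continue; }   // leaf: a user account
        if (empty($seen[$m])) { $seen[$m] = true; $users = array_merge($users, membersOf($dir, $m, $seen)); }
    }
    return array_values(array_unique($users));
}

// Returns null when the user is not a myDBR user (no membership under the root group).
function resolveUser(array $dir, string $user, string $root = 'myDBR Groups', string $adminGroup = 'myDBR Admins'): ?array
{
    $out = ['groups' => [], 'admin' => false, 'organization_ext_id' => null];
    $isUser = in_array($user, $dir[$root] ?? [], true);   // direct member of the root group
    foreach ($dir[$root] ?? [] as $child) {
        if (!isset($dir[$child]) || !in_array($user, membersOf($dir, $child), true)) continue;
        $isUser = true;
        if ($child === $adminGroup) { $out['admin'] = true; continue; }  // assumption: a right, not a report group
        $p = parseGroupName($child);
        $out['groups'][] = $p['group'];
        $out['organization_ext_id'] ??= $p['organization_ext_id'];
    }
    return $isUser ? $out : null;   // the 'groups' list is what login steps 1-3 sync against
}

foreach (['alice', 'bob', 'carol', 'dave', 'erin'] as $u) {
    echo $u, ': ', json_encode(resolveUser($directory, $u)), "\n";
}
```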

Local MyDBR Login when AD Login is Enabled

If Active Directory is set as the login method, administrators can still log in with the myDBR login by adding &local=1 to the login URL. For example, if you have installed myDBR at localhost/mydbr, you would log in locally using http://localhost/mydbr/index.php?a=login&local=1

To prevent users from logging in with the myDBR login when AD is used, remove any local myDBR accounts that are not needed and protect the admin password.