Active Directory

Introduction

myDBR allows you to use Microsoft Active Directory for user authentication. This includes user creation, authentication, group creation, and user group handling. The functionality is the same as in myDBR's SSO-authentication.

Active Directory settings

In order to use Active Directory authentication, the following settings need to be defined in Environment settings:

  • Domain Controller Active Directory server(s) handling the security authentication requests. If you want to balance the queries over multiple controllers separate them with commas. Formats your can use are "hostname", "hostname:port", "ldaps://hostname:port" (for SSL)
  • Account Suffix The full account suffix for your domain
  • Base DN Where to start the searches in Active Directory. If left empty myDBR will attempt to detect this information automatically from your domain controller
  • Username Username which has read privileges to Active Directory
  • Password Password for the Username

Active Directory users to myDBR users

By default, myDBR will use the AD user's sAMAccountName-attribute as username in myDBR. One can change that definition in mydbr/user/defaults.php by overriding the $mydbr_defaults['active_directory']['mydbr_username'] value. The default value is {sAMAccountName}. myDBR will replace attributen name wrapped in {} with the value in user record in AD. To use the user's email as username, one can use the mail-attribute {mail} (or one can use {userPrincipalName}).

Active Directory configuration

To configure myDBR's Active Directory-authentication in the Active Directory server, the following groups need to be defined:

  • myDBR Groups A group defining the AD groups which will be considered as myDBR groups. The default name for this group is 'myDBR Groups'. All other myDBR groups must be members of this group. If you wish the change the default group name, place definition $mydbr_defaults['active_directory_mydbr_groups'] = 'NEWMYDBRGROUPNAME'; into mydbr/user/defaults.php.
  • myDBR Admins If the user belongs to this group (s)he is granted admin rights to myDBR. The default name for this group is 'myDBR Admins' and the group must be a member of 'myDBR Groups'. If you wish the change the default group name, place definition $mydbr_defaults['active_directory_mydbr_admin_group'] = 'NEWADMINGROUPNAME'; into mydbr/user/defaults.php.
  • Other groups inside 'myDBR Groups' to define user groups to which you can define reports to Any group added to 'myDBR Groups' will be shown as a user group inside myDBR. This will allow one to define different access rights to different reports. Users can be a member of these groups directly or via other AD groups belonging to these groups.

All of the predefined group names can be customized in mydbr/user/defaults.php.

myDBR determines if the user in Active Directory is a myDBR user by checking if the user belongs to any of the groups listed in Active Directory group 'myDBR Groups' or is direct member of 'myDBR Groups'.

User's groups

All user group handling is done inside Active Directory. When a user logs in her/his groups are checked against the Active Directory provided group list.

  1. If a user's group does not exist in myDBR it will be added
  2. User will be added to myDBR groups defined in Active Directory
  3. User will be removed from any other group

Defining multiple separate Active Directories to be used

If one has a setup where users defined in multiple separate (different users) Active Directories needs to be using myDBR, one can define additional Active Directory entry points. If more than one is defined, user's login screen will show a popup of available Active Directories. One can name the default Active Directory in mydbr/user/defaults.php with definition:

$mydbr_defaults['active_directory']['visible_name'] = 'Primary one';

To add additional Active Directories, one can use the `$mydbr_defaults['active_directory']['extra_domains']` array in mydbr/user/defaults.php. Each array element represents a Active Directory. To make sure user names will be unique inside myDBR, make sure to use different mydbr_username-values for each AD. The format allows also additional text in the field. For example value 'US1:{sAMAccountName}' might produce a username 'US1:user'. All array fields are mandatory.

$mydbr_defaults['active_directory']['extra_domains'] = array(
  array(
    'domain_controller' => 'hostname',
    'username' => 'username',
    'password' => 'password',
    'accont_suffix' => 'ad_us.yourcompany.com',
    'base_dn' => 'OU=your_organization,DC=ad_us,DC=yourcompany,DC=com',
    'visible_name' => 'US users',
    'mydbr_username' => '{userPrincipalName}'
  )
);

Mapping users to Organizations

One can map the Active Directory users to myDBR Organization, by defining the $mydbr_defaults['active_directory']['organization_ext_id'] value. The value can be constant account_suffix or any of the fields in user's AD record.

$mydbr_defaults['active_directory']['organization_ext_id'] = 'account_suffix';

When the value is set to account_suffix and corresponding entries

Logging to myDBR via Active Directory

User can use either the sAMAccountName or the email-address when Logging to myDBR.

Troubleshooting Active Directory over SSL

To use Active Directory over SSL, one needs to define the Domain Controller with "ldaps://hostname:port" (default port being 636). If you have problems connecting to Active Directory over SSL check that your web server has access to ldap-configuration file ldap.conf (see ldap_connect from PHP documentation) and that the configuration file has the Active Directory Root CA certificate defined with TLS_CACERT. You can also test if the fact that PHP not recognizing the AD's certificate is the problem, by adding putenv('LDAPTLS_REQCERT=never'); to the `user/defaults.php`. This will disable the certificate check.

If the Active Directory is set as a login method, administrators can still log in with myDBR login by adding &local=1 to login URL. For example, if you have installed myDBR at localhost/mydbr you would log in locally using http://localhost/mydbr/index.php?a=login&local=1

To prevent users from logging in with the myDBR login when AD is used, remove unnecessary myDBR logins and secure the admin password.

Local myDBR login when AD login is enabled

If the Active Directory is set as a login method, administrators can still log in with myDBR login by adding &local=1 to login URL. For example, if you have installed myDBR at localhost/mydbr you would log in locally using http://localhost/mydbr/index.php?a=login&local=1

To prevent users from logging in with the myDBR login when AD is used, remove unnecessary myDBR logins and secure the admin password.