Active Directory

Introduction

myDBR allows you to use Microsoft Active Directory for user authentication. This includes user creation, authentication, group creation, and user group handling. The functionality is the same as in myDBR's SSO-authentication.

Active Directory settings

In order to use Active Directory authentication, the following settings need to be defined in Environment settings:

  • Domain Controller: the Active Directory server(s) handling the authentication requests. To balance the queries over multiple controllers, separate them with commas. Formats you can use are "hostname", "hostname:port" and "ldaps://hostname:port" (for SSL)
  • Account Suffix: the full account suffix for your domain
  • Base DN: where to start the searches in Active Directory. If left empty, myDBR attempts to detect this automatically from your domain controller
  • Username: a username that has read privileges to Active Directory
  • Password: the password for the Username

Active Directory users to myDBR users

By default, myDBR uses the AD user's sAMAccountName attribute as the username in myDBR. You can change this in mydbr/user/defaults.php by overriding the $mydbr_defaults['active_directory']['mydbr_username'] value; the default value is {sAMAccountName}. myDBR replaces an attribute name wrapped in {} with that attribute's value from the user's AD record. To use the user's email address as the username, use the mail attribute, {mail} (or use {userPrincipalName}).

Active Directory configuration

To configure myDBR's Active Directory authentication on the Active Directory side, the following groups need to be defined:

  • myDBR Groups: a group listing the AD groups that are treated as myDBR groups. The default name for this group is 'myDBR Groups'. All other myDBR groups must be members of this group. If you wish to change the default group name, place the definition $mydbr_defaults['active_directory_mydbr_groups'] = 'NEWMYDBRGROUPNAME'; into mydbr/user/defaults.php.
  • myDBR Admins: if the user belongs to this group, (s)he is granted admin rights in myDBR. The default name for this group is 'myDBR Admins' and the group must be a member of 'myDBR Groups'. If you wish to change the default group name, place the definition $mydbr_defaults['active_directory_mydbr_admin_group'] = 'NEWADMINGROUPNAME'; into mydbr/user/defaults.php.
  • Other groups inside 'myDBR Groups': user groups to which you can assign reports. Any group added to 'myDBR Groups' is shown as a user group inside myDBR, which allows you to define different access rights for different reports. Users can be members of these groups directly or via other AD groups that belong to these groups.

All of the predefined group names can be customized in mydbr/user/defaults.php.

myDBR determines whether a user in Active Directory is a myDBR user by checking if the user belongs to any of the groups listed in the Active Directory group 'myDBR Groups' or is a direct member of 'myDBR Groups'.

User's groups

All user group handling is done inside Active Directory. When a user logs in, her/his groups are checked against the group list provided by Active Directory:

  1. If a user's group does not exist in myDBR, it is added
  2. The user is added to the myDBR groups defined in Active Directory
  3. The user is removed from any other group
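As an added example (not myDBR's own code), the following PHP applies the membership rule and the three synchronisation steps above to a constructed AD group tree; the function names and the group tree are this example's assumptions.

```php
<?php
// Added example (not myDBR code): models the group rules on a constructed AD
// group tree. Group name => direct members (user names or other group names).
$adGroups = [
    'myDBR Groups'    => ['myDBR Admins', 'Sales Reports', 'Finance Reports'],
    'myDBR Admins'    => ['alice'],
    'Sales Reports'   => ['EMEA Sales'],      // nested: EMEA Sales members inherit it
    'Finance Reports' => ['carol'],
    'EMEA Sales'      => ['bob'],
    'Unrelated Group' => ['bob', 'dave'],     // not inside 'myDBR Groups', so ignored
];

// All groups the user belongs to, directly or through nested group membership.
function effective_groups(array $adGroups, string $user): array
{
    $found = [];
    $queue = [$user];
    while ($queue) {
        $member = array_shift($queue);
        foreach ($adGroups as $group => $members) {
            if (in_array($member, $members, true) && !isset($found[$group])) {
                $found[$group] = true;
                $queue[] = $group;            // walk up to the parent groups
            }
        }
    }
    return array_keys($found);
}

// myDBR groups to grant, or null when the user is not a myDBR user at all.
function mydbr_groups_for(array $adGroups, string $user, string $root = 'myDBR Groups'): ?array
{
    $effective = effective_groups($adGroups, $user);
    if (!in_array($root, $effective, true)) {
        return null;                          // no path to 'myDBR Groups': not a myDBR user
    }
    return array_values(array_intersect($adGroups[$root], $effective));
}

// Steps 1-3 above as a plan: groups to create, to add the user to, to remove from.
function sync_plan(array $localGroups, array $userLocalGroups, array $adUserGroups): array
{
    return [
        'create'  => array_values(array_diff($adUserGroups, $localGroups)),
        'add_to'  => array_values(array_diff($adUserGroups, $userLocalGroups)),
        'remove'  => array_values(array_diff($userLocalGroups, $adUserGroups)),
    ];
}
// bob reaches 'Sales Reports' via 'EMEA Sales'; his stale local 'Finance Reports' grant is dropped.
print_r(sync_plan(['myDBR Admins', 'Finance Reports'], ['Finance Reports'], mydbr_groups_for($adGroups, 'bob')));
```

Because step 3 removes every group not delivered by AD, a group granted locally in myDBR is overwritten at the next login: AD is the only place where group membership survives.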

Defining multiple separate Active Directories to be used

If you have a setup where users defined in multiple separate Active Directories (with different user populations) need to use myDBR, you can define additional Active Directory entry points. If more than one is defined, the login screen shows a popup of the available Active Directories. You can name the default Active Directory in mydbr/user/defaults.php with the definition:

$mydbr_defaults['active_directory']['visible_name'] = 'Primary one';

To add additional Active Directories, use the `$mydbr_defaults['active_directory']['extra_domains']` array in mydbr/user/defaults.php. Each array element represents one Active Directory. To make sure usernames are unique inside myDBR, use a different mydbr_username value for each AD. The format also allows additional text in the field; for example, the value 'US1:{sAMAccountName}' might produce the username 'US1:user'. All array fields are mandatory.

$mydbr_defaults['active_directory']['extra_domains'] = array(
  array(
    'domain_controller' => 'hostname',
    'username' => 'username',
    'password' => 'password',
    'account_suffix' => 'ad_us.yourcompany.com',
    'base_dn' => 'OU=your_organization,DC=ad_us,DC=yourcompany,DC=com',
    'visible_name' => 'US users',
    'mydbr_username' => '{userPrincipalName}'
  )
);
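As an added example (not myDBR's own code), the following PHP models the {attribute} substitution of mydbr_username on constructed AD records and shows the collision that the per-AD template advice above guards against. Refusing to build a username from a missing or empty attribute is this example's assumption, not documented myDBR behaviour.

```php
<?php
// Added example (not myDBR code): resolves a mydbr_username template such as
// '{sAMAccountName}' or 'US1:{sAMAccountName}' against a user's AD record.
function resolve_mydbr_username(string $template, array $adRecord): string
{
    // Substitute each {attribute} with that attribute's value from the record.
    return preg_replace_callback('/\{([A-Za-z0-9_-]+)\}/', function ($m) use ($adRecord) {
        $attr = $m[1];
        // Assumption of this example, not documented myDBR behaviour: refuse to
        // build a username from a missing or empty attribute rather than
        // silently producing '' or 'US1:' as a login name.
        if (!isset($adRecord[$attr]) || $adRecord[$attr] === '') {
            throw new RuntimeException("AD record has no value for attribute '$attr'");
        }
        return $adRecord[$attr];
    }, $template);
}

// Constructed records: the same sAMAccountName exists in two separate ADs.
$euUser = ['sAMAccountName' => 'jsmith', 'mail' => 'jsmith@ad_eu.example.com',
           'userPrincipalName' => 'jsmith@ad_eu.example.com'];
$usUser = ['sAMAccountName' => 'jsmith', 'mail' => 'jsmith@ad_us.example.com',
           'userPrincipalName' => 'jsmith@ad_us.example.com'];

// With the default template in both ADs, both records resolve to the same
// myDBR username, so myDBR would treat two different people as one user.
var_dump(resolve_mydbr_username('{sAMAccountName}', $euUser)
      === resolve_mydbr_username('{sAMAccountName}', $usUser));

// A per-AD template (a prefix, or userPrincipalName) keeps the accounts distinct.
echo resolve_mydbr_username('{sAMAccountName}', $euUser), "\n";
echo resolve_mydbr_username('US1:{sAMAccountName}', $usUser), "\n";
echo resolve_mydbr_username('{userPrincipalName}', $usUser), "\n";
```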

Mapping users to Organizations

You can map Active Directory users to a myDBR Organization by defining the $mydbr_defaults['active_directory']['organization_ext_id'] value. The value can be the constant account_suffix or any of the fields in the user's AD record.

$mydbr_defaults['active_directory']['organization_ext_id'] = 'account_suffix';

When the value is set to account_suffix and corresponding entries

Logging in to myDBR via Active Directory

Users can use either the sAMAccountName or the email address when logging in to myDBR.

Troubleshooting Active Directory over SSL

To use Active Directory over SSL, define the Domain Controller as "ldaps://hostname:port" (the default port being 636). If you have problems connecting to Active Directory over SSL, check that your web server has access to the LDAP configuration file ldap.conf (see ldap_connect in the PHP documentation) and that the configuration file has the Active Directory Root CA certificate defined with TLS_CACERT. To test whether the problem is that PHP does not recognize the AD's certificate, add putenv('LDAPTLS_REQCERT=never'); to `user/defaults.php`. This disables the certificate check, so the connection no longer verifies which server it is talking to; use it only while diagnosing and remove it once the CA certificate is in place.

Local myDBR login when AD login is enabled

If Active Directory is set as a login method, administrators can still log in with the myDBR login by adding &local=1 to the login URL. For example, if you have installed myDBR at localhost/mydbr, you would log in locally using http://localhost/mydbr/index.php?a=login&local=1

To prevent users from logging in with the myDBR login when AD is used, remove unnecessary local myDBR logins and secure the admin password.