Active Directory and Azure OpenID
Introduction
myDBR supports user authentication via Microsoft Active Directory (AD), enabling centralized user and group management. This functionality mirrors myDBR's Single Sign-On (SSO) capabilities.
Authentication is supported against both local Active Directory installations and Azure OpenID (available in the OEM version).
Local Active Directory
Settings
To enable Active Directory authentication, configure the following parameters in Environment settings:
- Domain Controller
The address of the Active Directory server(s) handling authentication requests. To distribute load across multiple controllers, separate addresses with commas. Supported formats include hostname, hostname:port, and ldaps://hostname:port (for SSL).
- Account Suffix
The complete account suffix for your domain (e.g., @yourdomain.com).
- Base DN
The starting point for directory searches. If left blank, myDBR attempts to detect it automatically from the domain controller.
- Username
A service account username with read privileges to Active Directory.
- Password
The password for the service account.
Mapping AD Users to myDBR Users
By default, myDBR uses the AD user's sAMAccountName attribute as the username. This behavior can be customized in user/defaults.php by overriding $mydbr_defaults['active_directory']['mydbr_username']. The default value is {sAMAccountName}. myDBR replaces attribute names enclosed in braces {} with the corresponding values from the user's AD record. For example, to use the email address as the username, set the value to {mail} or {userPrincipalName}.
Configuring Multiple Active Directories
For environments requiring authentication across multiple, independent Active Directories, myDBR allows the definition of additional entry points. When multiple directories are configured, the login screen presents a dropdown menu for users to select their domain.
The default Active Directory name can be set in user/defaults.php:
$mydbr_defaults['active_directory']['visible_name'] = 'Primary Domain';
Additional directories are defined in the $mydbr_defaults['active_directory']['extra_domains'] array. Each entry represents a separate Active Directory configuration. To prevent username collisions, assign unique mydbr_username formats for each domain (e.g., 'US1:{sAMAccountName}' to prefix usernames with US1:).
$mydbr_defaults['active_directory']['extra_domains'] = [
    [
        'domain_controller' => 'hostname',
        'username'          => 'username',
        'password'          => 'password',
        'account_suffix'    => 'ad_us.yourcompany.com',
        'base_dn'           => 'OU=your_organization,DC=ad_us,DC=yourcompany,DC=com',
        'visible_name'      => 'US Users',
        'mydbr_username'    => '{userPrincipalName}'
    ]
];
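The "{attribute}" substitution described under Mapping AD Users and the per-domain prefix recommended for extra domains, as an added example that is not myDBR's own code. The AD records, domain list and the resolveMydbrUsername/findUsernameCollisions functions are constructed for illustration; attribute names are matched case-insensitively.

```php
<?php
// Added example, not myDBR's own code: resolves the "{attribute}" username template
// used by the mydbr_username setting, then checks whether two directories would
// yield the same myDBR username. All data below is constructed sample data.

function resolveMydbrUsername(string $template, array $adUser): string
{
    $attrs = array_change_key_case($adUser, CASE_LOWER);
    return preg_replace_callback('/\{([A-Za-z0-9._-]+)\}/', function (array $m) use ($attrs, $template) {
        $value = $attrs[strtolower($m[1])] ?? '';
        if ($value === '') {
            // An empty attribute would produce an empty or shared username: refuse instead.
            throw new RuntimeException("AD attribute '{$m[1]}' is missing for template '$template'");
        }
        return $value;
    }, $template);
}

// Reports usernames that more than one configured domain would map to.
function findUsernameCollisions(array $domains, array $adUsersByDomain): array
{
    $owner = [];        // resolved username => domain that first produced it
    $collisions = [];
    foreach ($domains as $domain) {
        $name = resolveMydbrUsername($domain['mydbr_username'], $adUsersByDomain[$domain['visible_name']]);
        if (isset($owner[$name])) {
            $collisions[] = "'$name' from {$domain['visible_name']} collides with {$owner[$name]}";
        } else {
            $owner[$name] = $domain['visible_name'];
        }
    }
    return $collisions;
}

// Constructed sample: the same sAMAccountName exists in two independent directories.
$adUsers = [
    'Primary Domain' => ['sAMAccountName' => 'jsmith', 'userPrincipalName' => 'jsmith@yourdomain.com'],
    'US Users'       => ['sAMAccountName' => 'jsmith', 'userPrincipalName' => 'jsmith@ad_us.yourcompany.com'],
];
$unprefixed = [
    ['visible_name' => 'Primary Domain', 'mydbr_username' => '{sAMAccountName}'],
    ['visible_name' => 'US Users',       'mydbr_username' => '{sAMAccountName}'],   // same template in both domains
];
$prefixed = $unprefixed;
$prefixed[1]['mydbr_username'] = 'US1:{sAMAccountName}';   // the per-domain prefix recommended above

print_r(findUsernameCollisions($unprefixed, $adUsers));
print_r(findUsernameCollisions($prefixed, $adUsers));
```

Running it with the unprefixed configuration reports one collision, while the prefixed configuration keeps the two accounts apart; using {userPrincipalName} avoids the problem in the same way because the suffix differs per domain.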
Mapping Users to Organizations
Active Directory users can be automatically mapped to myDBR Organizations by defining $mydbr_defaults['active_directory']['organization_ext_id']. This value corresponds to the organization's external_id in myDBR. You can map this to a constant value or a user attribute from AD.
$mydbr_defaults['active_directory']['organization_ext_id'] = 'account_suffix';
Logging in to myDBR via local Active Directory
Users can log in to myDBR using either their sAMAccountName or email address.
Troubleshooting Active Directory over SSL
When connecting to Active Directory via SSL (ldaps://hostname:port, default port 636), ensure your web server can access the OpenLDAP configuration file (ldap.conf). This file must specify the correct Root CA certificate using the TLS_CACERT directive. Refer to the PHP ldap_connect documentation for details.
To troubleshoot potential certificate trust issues, you can temporarily disable certificate validation by adding the following line to user/defaults.php or your initialization script:
putenv('LDAPTLS_REQCERT=never');
Warning: Disabling certificate validation reduces security. Use this only for debugging purposes.
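A connection check with certificate validation enforced, as an added example that is not myDBR's own code: it surfaces a trust problem with the LDAP error and diagnostic message instead of hiding it behind LDAPTLS_REQCERT=never. The domain controller, CA file path, service account and MYDBR_AD_PASSWORD variable are placeholders; the global TLS options set on a null connection assume a PHP build with OpenLDAP and the LDAP_OPT_X_TLS_* constants.

```php
<?php
// Added example, not myDBR's own code: verifies an ldaps:// controller with a
// required, validated certificate chain. Host, CA path and account are placeholders.

function checkLdapsTrust(string $uri, string $caFile, string $bindDn, string $password): array
{
    // Global options must be set before the connection is created; this is the
    // in-process equivalent of TLS_REQCERT demand and TLS_CACERT in ldap.conf.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);

    $ldap = ldap_connect($uri);          // only parses the URI; no network traffic yet
    if ($ldap === false) {
        return ['ok' => false, 'stage' => 'connect', 'error' => 'malformed LDAP URI'];
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);        // AD referrals otherwise stall the bind
    ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 10);

    // The TLS handshake happens on the first operation, so an untrusted chain
    // fails here; the diagnostic message carries the underlying TLS reason.
    if (@ldap_bind($ldap, $bindDn, $password)) {
        return ['ok' => true, 'stage' => 'bind', 'error' => ''];
    }
    $diag = '';
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    $error = ldap_error($ldap) . ($diag !== '' ? " ($diag)" : '');
    return ['ok' => false, 'stage' => 'bind', 'error' => $error];
}

$result = checkLdapsTrust(
    'ldaps://dc1.yourdomain.example:636',    // placeholder domain controller
    '/etc/ssl/certs/your-root-ca.pem',       // placeholder Root CA, the same file named by TLS_CACERT
    'svc_mydbr@yourdomain.example',          // placeholder service account
    getenv('MYDBR_AD_PASSWORD') ?: ''        // placeholder: keep the secret out of the script
);
printf("%s at %s%s\n", $result['ok'] ? 'OK' : 'FAIL', $result['stage'],
    $result['ok'] ? '' : ': ' . $result['error']);
```

If this check fails while the putenv() workaround above makes the login succeed, the Root CA in ldap.conf is wrong or unreadable by the web server user, which is the condition to fix before re-enabling validation.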
Azure OpenID
Settings
To enable Azure OpenID authentication, configure the following in Environment settings:
- Tenant ID
The unique identifier for your Azure Active Directory instance.
- Client ID
The Application (client) ID assigned to myDBR in Azure AD.
- Client Secret
A secure key generated for the application to authenticate itself.
myDBR generates a Redirect URI based on your installation. This URI must be registered in the Authentication section of your application in the Azure Portal.
User Mapping
- Username: myDBR uses the sub (subject) claim from the OpenID token as the username.
- Organizations: To map users to organizations, Azure AD groups can be named with an organization identifier suffix, e.g., Finance[OrgID:ext_id_xx]. myDBR interprets this as the group Finance belonging to the organization with external_id ext_id_xx.
Active Directory Group Configuration
To integrate myDBR permissions with Active Directory, you must define specific groups within your AD environment:
- myDBR Groups
This is the parent group containing all other groups relevant to myDBR. By default, myDBR looks for a group named 'myDBR Groups'. To customize this name, add the following to user/defaults.php:
$mydbr_defaults['active_directory_mydbr_groups'] = 'custom_group_name';
- myDBR Admins
Members of this group are granted full administrative privileges in myDBR. By default, the group name is 'myDBR Admins', and it must be a member of the 'myDBR Groups' parent group. To customize this name, add the following to user/defaults.php:
$mydbr_defaults['active_directory_mydbr_admin_group'] = 'custom_admin_group_name';
- Report Access Groups
Any other group nested within 'myDBR Groups' is treated as a myDBR user group. These groups can be assigned specific access rights to reports and folders within myDBR. Users inherit permissions based on their direct or indirect membership in these groups.
myDBR identifies authorized users by checking for membership (direct or nested) in the 'myDBR Groups' hierarchy.
User Group Synchronization
User group management is centralized within Active Directory. Upon each login, myDBR synchronizes the user's group memberships:
- New AD groups found within 'myDBR Groups' are automatically created in myDBR.
- The user is added to all corresponding myDBR groups.
- The user is removed from any myDBR groups they are no longer a member of in AD.
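The group rules and the login-time synchronization from the two sections above, as an added example that is not myDBR's own code. The group hierarchy, user memberships and the groupsUnder/syncUserGroups functions are constructed for illustration, and the example simplifies in one respect: a user's groups are taken from what AD reports directly, so parents of a nested group are not added.

```php
<?php
// Added example, not myDBR's own code: walks the 'myDBR Groups' hierarchy so that
// nested groups count, decides admin status, and computes which myDBR groups must
// be created and which memberships to add or remove. All data is constructed.

const MYDBR_PARENT_GROUP = 'myDBR Groups';  // $mydbr_defaults['active_directory_mydbr_groups']
const MYDBR_ADMIN_GROUP  = 'myDBR Admins';  // $mydbr_defaults['active_directory_mydbr_admin_group']

// Returns every group reachable below $parent, following nested group members.
function groupsUnder(string $parent, array $groupMembers, array &$seen = []): array
{
    foreach ($groupMembers[$parent] ?? [] as $child) {
        if (!isset($seen[$child])) {            // also guards against membership cycles
            $seen[$child] = true;
            groupsUnder($child, $groupMembers, $seen);
        }
    }
    return array_keys($seen);
}

function syncUserGroups(array $userAdGroups, array $groupMembers, array $knownGroups, array $currentMemberships): array
{
    $hierarchy = groupsUnder(MYDBR_PARENT_GROUP, $groupMembers);
    $inScope   = array_values(array_intersect($userAdGroups, $hierarchy)); // groups outside the hierarchy are ignored
    $target    = array_values(array_diff($inScope, [MYDBR_ADMIN_GROUP]));  // admin group is a role, not a report group
    return [
        'authorized' => $inScope !== [],                       // no membership in the hierarchy: login refused
        'admin'      => in_array(MYDBR_ADMIN_GROUP, $inScope, true),
        'create'     => array_values(array_diff($target, $knownGroups)),
        'add'        => array_values(array_diff($target, $currentMemberships)),
        'remove'     => array_values(array_diff($currentMemberships, $target)),
    ];
}

// Constructed AD data: group name => groups that are its members.
$groupMembers = [
    'myDBR Groups' => ['myDBR Admins', 'Finance', 'Sales'],
    'Finance'      => ['Finance EMEA'],   // nested one level deeper
    'All Staff'    => [],                 // not under myDBR Groups
];

// Constructed sample: since the last login the user moved from Sales to Finance EMEA.
print_r(syncUserGroups(
    ['All Staff', 'Finance EMEA'],        // memberOf reported by AD now
    $groupMembers,
    ['Finance', 'Sales'],                 // groups myDBR already has
    ['Sales']                             // user's myDBR memberships before this login
));
```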
Local Login with Active Directory Enabled
Even when Active Directory authentication is active, administrators can access the system using local myDBR credentials. To bypass AD authentication, append &local=1 to the login URL:
http://yourserver.com/mydbr/index.php?a=login&local=1
Security Note: To secure your installation when AD is enabled, ensure all unnecessary local accounts are removed and that the local administrator password is strong.