Active Directory

Introduction

myDBR facilitates user authentication through Microsoft Active Directory, encompassing user creation, authentication, group creation, and user group management. This functionality mirrors that of myDBR's Single Sign-On (SSO) authentication.

Active Directory settings

To enable Active Directory authentication, the following settings must be configured in the Environment settings:

  • Domain Controller Specify the Active Directory server(s) responsible for handling security authentication requests. To distribute queries across multiple controllers, separate their addresses with commas. Accepted formats include: 'hostname', 'hostname:port', and 'ldaps://hostname:port' (for SSL).
  • Account Suffix The complete account suffix for your domain.
  • Base DN Specify the location to start searches in Active Directory. If left blank, myDBR will attempt to automatically detect this information from your domain controller.
  • Username Username with read privileges to Active Directory.
  • Password Password for the Username

Active Directory users to myDBR users

By default, myDBR will use the AD user's sAMAccountName attribute as the username in myDBR. One can change that definition in user/defaults.php by overriding the $mydbr_defaults['active_directory']['mydbr_username'] value. The default value is {sAMAccountName}. myDBR will replace attribute names wrapped in {} with the corresponding values in the user's record in AD. To use the user's email as the username, one can use the mail attribute {mail} (or {userPrincipalName}).

Active Directory configuration

To configure myDBR's Active Directory-authentication in the Active Directory server, the following groups need to be defined:

  • myDBR Groups A group defining the AD groups which will be considered as myDBR groups. The default name for this group is 'myDBR Groups'. All other myDBR groups must be members of this group. If you wish the change the default group name, place definition $mydbr_defaults['active_directory_mydbr_groups'] = 'NEWMYDBRGROUPNAME'; into user/defaults.php.
  • myDBR Admins If the user belongs to this group (s)he is granted admin rights to myDBR. The default name for this group is 'myDBR Admins' and the group must be a member of 'myDBR Groups'. If you wish the change the default group name, place definition $mydbr_defaults['active_directory_mydbr_admin_group'] = 'NEWADMINGROUPNAME'; into user/defaults.php.
  • Other groups within 'myDBR Groups' are used to define user groups for report designation. Any group added to 'myDBR Groups' will appear as a user group within myDBR, enabling the customization of access rights for various reports. Users can belong to these groups either directly or indirectly through other Active Directory (AD) groups associated with these groups.

All of the predefined group names can be customized in mydbr/.

myDBR determines if the user in Active Directory is a myDBR user by checking if the user belongs to any of the groups listed in Active Directory group 'myDBR Groups' or is a direct member of 'myDBR Groups'.

User's groups

All user group handling is done inside Active Directory. When a user logs in her/his groups are checked against the Active Directory provided group list.

  1. If a user's group does not exist in myDBR it will be added
  2. User will be added to myDBR groups defined in Active Directory
  3. User will be removed from any other group

Defining multiple separate Active Directories to be used

If one has a setup where users defined in multiple separate (different users) Active Directories need to be using myDBR, one can define additional Active Directory entry points. If more than one is defined, the user's login screen will show a popup of available Active Directories. One can name the default Active Directory in mydbr/ with the definition:

$mydbr_defaults['active_directory']['visible_name'] = 'Primary one';

To add additional Active Directories, one can use the `$mydbr_defaults['active_directory']['extra_domains']` array in mydbr/. Each array element represents a Active Directory. To make sure user names will be unique inside myDBR, make sure to use different mydbr_username-values for each AD. The format allows also additional text in the field. For example value 'US1:{sAMAccountName}' might produce a username 'US1:user'. All array fields are mandatory.

$mydbr_defaults['active_directory']['extra_domains'] = array(
  array(
    'domain_controller' => 'hostname',
    'username' => 'username',
    'password' => 'password',
    'accont_suffix' => 'ad_us.yourcompany.com',
    'base_dn' => 'OU=your_organization,DC=ad_us,DC=yourcompany,DC=com',
    'visible_name' => 'US users',
    'mydbr_username' => '{userPrincipalName}'
  )
);

Mapping users to Organizations

One can map the Active Directory users to myDBR Organization, by defining the $mydbr_defaults['active_directory']['organization_ext_id'] value. The value can be constant account_suffix or any of the fields in user's AD record.

$mydbr_defaults['active_directory']['organization_ext_id'] = 'account_suffix';

When the value is set to account_suffix and corresponding entries

Logging to myDBR via Active Directory

Users can use either the sAMAccountName or the email-address when Logging in to myDBR.

Troubleshooting Active Directory over SSL

To use Active Directory over SSL, one needs to define the Domain Controller with "ldaps://hostname:port" (default port being 636). If you have problems connecting to Active Directory over SSL check that your web server has access to ldap-configuration file ldap.conf (see ldap_connect from PHP documentation) and that the configuration file has the Active Directory Root CA certificate defined with TLS_CACERT. You can also test if the fact that PHP not recognizing the AD's certificate is the problem, by adding putenv('LDAPTLS_REQCERT=never'); to the ``. This will disable the certificate check.

If the Active Directory is set as a login method, administrators can still log in with myDBR login by adding &local=1 to the login URL. For example, if you have installed myDBR at localhost/mydbr you would log in locally using http://localhost/mydbr/index.php?a=login&local=1

To prevent users from logging in with the myDBR login when AD is used, remove unnecessary myDBR logins and secure the admin password.

Local myDBR login when AD login is enabled

If the Active Directory is set as a login method, administrators can still log in with myDBR login by adding &local=1 to login URL. For example, if you have installed myDBR at localhost/mydbr you would log in locally using http://localhost/mydbr/index.php?a=login&local=1

To prevent users from logging in with the myDBR login when AD is used, remove unnecessary myDBR logins and secure the admin password.