Active Directory

Introduction

myDBR allows you to use Microsoft Active Directory for user authentication. This includes user creation, authentication, group creation, and user group handling. The functionality is the same as in myDBR's SSO authentication.

Active Directory settings

In order to use Active Directory authentication, the following settings need to be defined in Environment settings:

  • Domain Controller: Active Directory server(s) handling the security authentication requests. If you want to balance the queries over multiple controllers, separate them with commas.
  • Account Suffix: The full account suffix for your domain.
  • Base DN: Where to start the searches in Active Directory. If left empty, myDBR will attempt to detect this information automatically from your domain controller.
  • Username: A username which has read privileges to Active Directory.
  • Password: The password for the Username.

Active Directory configuration

To configure myDBR's Active Directory authentication in the Active Directory server, the following groups need to be defined:

  • myDBR Groups: A group defining the AD groups which will be considered as myDBR groups. The default name for this group is 'myDBR Groups'. All other myDBR groups must be members of this group. If you wish to change the default group name, place the definition $mydbr_defaults['active_directory_mydbr_groups'] = 'NEWMYDBRGROUPNAME'; into mydbr/user/defaults.php.
  • myDBR Admins: If the user belongs to this group, (s)he is granted admin rights to myDBR. The default name for this group is 'myDBR Admins' and the group must be a member of 'myDBR Groups'. If you wish to change the default group name, place the definition $mydbr_defaults['active_directory_mydbr_admin_group'] = 'NEWADMINGROUPNAME'; into mydbr/user/defaults.php.
  • Other groups inside 'myDBR Groups': These define the user groups to which reports can be assigned. Any group added to 'myDBR Groups' will be shown as a user group inside myDBR. This allows you to define different access rights to different reports. Users can be a member of these groups directly or via other AD groups belonging to these groups.

All of the predefined group names can be customized in mydbr/user/defaults.php.

myDBR determines whether a user in Active Directory is a myDBR user by checking if the user belongs to any of the groups listed in the Active Directory group 'myDBR Groups' or is a direct member of 'myDBR Groups'.

User's groups

All user group handling is done inside Active Directory. When a user logs in, her/his groups are checked against the group list provided by Active Directory.

  1. If a user's group does not exist in myDBR it will be added
  2. User will be added to myDBR groups defined in Active Directory
  3. User will be removed from any other group
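
The membership rules and the three login-time steps above, modeled over a constructed group graph so you can audit who ends up with myDBR admin rights through nested AD groups. This is an added example, not myDBR's own code; the function names and sample data are hypothetical, and it assumes nested membership is resolved transitively.

```python
# Added illustration, not myDBR's code. All names and data are constructed.
# MEMBER_OF maps an AD object (user or group) to the groups it is directly in.
MEMBER_OF = {
    "alice": {"Finance"}, "bob": {"EMEA Sales"}, "carol": {"IT Ops"},
    "dave": {"myDBR Groups"}, "erin": {"HR"},
    "EMEA Sales": {"Sales"}, "IT Ops": {"myDBR Admins"},
    "Finance": {"myDBR Groups"}, "Sales": {"myDBR Groups"},
    "myDBR Admins": {"myDBR Groups"},
}

def transitive_groups(member_of, name):
    """Every group `name` is in, directly or via nesting (safe on cycles)."""
    seen, stack = set(), [name]
    while stack:
        for group in member_of.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen

def resolve(member_of, user, root="myDBR Groups", admins="myDBR Admins"):
    """Apply the page's rules: myDBR groups are the direct members of `root`."""
    all_groups = set().union(*member_of.values())
    mydbr_groups = {g for g in all_groups if root in member_of.get(g, ())}
    granted = transitive_groups(member_of, user) & mydbr_groups
    is_user = bool(granted) or root in member_of.get(user, ())
    # Admin only counts when the admin group itself sits inside `root`.
    return {"is_user": is_user, "is_admin": admins in granted, "groups": granted}

def login_sync(known_groups, current_membership, granted):
    """The three login steps: (groups created, memberships added, removed)."""
    return (granted - known_groups,
            granted - current_membership,
            current_membership - granted)

def effective_admins(member_of):
    """Audit helper: users (not groups) who resolve to myDBR admin."""
    all_groups = set().union(*member_of.values())
    return sorted(u for u in member_of
                  if u not in all_groups and resolve(member_of, u)["is_admin"])

if __name__ == "__main__":
    print("effective admins:", effective_admins(MEMBER_OF))
    for user in ("alice", "bob", "carol", "dave", "erin"):
        print(user, resolve(MEMBER_OF, user))
```

In the sample data carol is never placed in 'myDBR Admins' directly; she becomes an admin through 'IT Ops', which is the kind of indirect grant worth reviewing when AD groups are nested.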

Local myDBR login when AD login is enabled

If Active Directory is set as the login method, administrators can still log in with the myDBR login by adding &local=1 to the login URL. For example, if you have installed myDBR at localhost/mydbr, you would log in locally using http://localhost/mydbr/index.php?a=login&local=1

To prevent users from logging in with the myDBR login when AD is used, remove unnecessary myDBR logins and secure the admin password.