authentication

Published on June 2016

For Joomla Day in Bangkok

Authentication in Joomla! 1.5
An introduction to the authentication plugins

Sam Moffatt
Joomla!Day Bangkok, 2008

About Me

Sam Moffatt
• [ pasamio ] [ [email protected] ]
• Developer
– Migration Tool
– JAuthTools
• Joined Joomla! after Summer of Code (SOC) 2005
• Has mentored for 2006, 2007 and 2008 SOC
• Toowoomba, Queensland, Australia
• Uni student, local government officer and freelance developer

Authentication from 1.0 to 1.5

• Joomla! 1.0 had no authentication plugins making custom authentication hard.
• JAuthTools provided LDAP support for 1.0, but it was limited.
• Joomla! 1.5 now supports multiple authentication methods, including:
– Joomla! (the default)
– LDAP
– OpenID
– GMail

Authentication Methods in 1.5

• Joomla!
– This is the default authentication plugin that uses the built-in tables like in 1.0
• LDAP
– LDAP is available from most corporate directories like Active Directory, eDirectory or OpenDirectory
• OpenID
– OpenID is a decentralized authentication system that communicates between sites.
• GMail
– GMail works with any valid Google Mail account, including Google Apps for your Domain

Selecting an Authentication Method

• Stand-alone website
– Use Joomla!

• Community Website
– Use Joomla!, OpenID and Gmail

• Corporate Website/Intranet
– Use Joomla!, LDAP and OpenID

Configuration

• OpenID and GMail are easy to configure by just enabling the plugins.
• LDAP requires additional configuration.

Intro to LDAP

• LDAP is a popular protocol used by various products:
– Microsoft Active Directory
– Novell eDirectory
– Fedora Directory Services
– Apple OpenDirectory

• OpenLDAP is an open source LDAP-compatible directory; it also powers Apple OpenDirectory.

User Benefits

• In a corporate environment LDAP already exists with users' details, including their passwords
• When planning large scale deployments, LDAP can provide single password control for multiple sites and solutions
• Many other products integrate into LDAP as well, making it a good solution for maintaining a single user source.

Connecting to LDAP Directories

• Joomla! 1.5 comes with an LDAP authentication plugin to allow you to connect into an LDAP directory out of the box
• Joomla! 1.0 has limited support for LDAP via the JAuthTools project
– http://sammoffatt.com.au/jauthtools

• Both systems support automatic user creation from LDAP information

Connecting to LDAP Directories

• User autocreation requires the following pieces of information:
– Username
– Name
– Email Address

• To authenticate, you need to be able to 'bind' against the directory
• Some directories (AD) may require a 'service' user to operate properly.

Connecting to LDAP Directories - 1.5

• The LDAP Plugin is available via the Extensions -> Plugins menu.
• Some options have defaults already, but most will need to be filled in with specific settings

Connecting to LDAP Directories - 1.5

• Host needs to be your LDAP server
• Port should be fine for most users
• LDAP V3 is required for some directories (e.g. OpenLDAP)
• TLS is encryption, not available for all systems
• Do not follow referrals is an option useful especially for AD servers

Connecting to LDAP Directories - 1.5

• Authorization Method:
– Bind directly as user is useful for flat directory structures (e.g. all users in one container)
– Search and bind is useful when you have multiple OUs or containers in the tree (such as Active Directory)

• Base DN: This is the base of your directory. Active Directory users may wish to make this their Users container

Connecting to LDAP Directories - 1.5

• Search String is used for the search method to find users, typically in the form:
– uid=[search]
– sAMAccountName=[search] (Active Directory)

• Users DN is used with the direct bind and the initial bind before a search (for AD):
– uid=[username],OU=Users,O=Joomla
– [username]@joomla.org (Active Directory using site name at the end)
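
Both settings above substitute the login name into a template, so the substitution has to keep characters that are special in a filter or a DN as plain data. The following is an added example, not code from Joomla! or the slides; the function names, the parentheses wrapped around the filter and the allow-list for the [username]@site form are assumptions.

```python
# Added example, not Joomla!'s plugin code; all function names are hypothetical.
import re

# RFC 4515: characters that must be escaped inside a search-filter value.
FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
# Assumed allow-list for the Active Directory "[username]@site" form, which is
# not a DN and therefore cannot be DN-escaped.
PLAIN_USERNAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def escape_filter_value(value):
    """Escape user input for use as a value in an LDAP search filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value):
    """Escape user input for use as an attribute value inside a DN (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        edge_space = ch == " " and i in (0, len(value) - 1)
        if ch in ',+"\\<>;=\x00' or edge_space or (ch == "#" and i == 0):
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_search_filter(search_string, username):
    """Expand [search], e.g. in 'uid=[search]' or 'sAMAccountName=[search]'."""
    # Wrapping in parentheses to form a complete filter is an assumption here.
    return "(" + search_string.replace("[search]", escape_filter_value(username)) + ")"


def build_bind_name(users_dn, username):
    """Expand [username] in the Users DN setting."""
    if "@" in users_dn and "=" not in users_dn:  # '[username]@joomla.org' form
        if not PLAIN_USERNAME.fullmatch(username):
            raise ValueError("username not acceptable for user@site bind")
        return users_dn.replace("[username]", username)
    return users_dn.replace("[username]", escape_dn_value(username))


if __name__ == "__main__":
    name = "j*(smith)"  # constructed input containing filter metacharacters
    print(build_search_filter("sAMAccountName=[search]", name))
    print(build_bind_name("uid=[username],OU=Users,O=Joomla", "smith, j"))
    print(build_bind_name("[username]@joomla.org", "jsmith"))
```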

Connecting to LDAP Directories - 1.5

• Connect username and connect password are used if your directory requires an authorized user before a search can be conducted.
– An example of this is Active Directory.
– This should be a special user account for Joomla! - it only needs to be able to bind and search the LDAP directory.
– This username should match up with the User DN to form the full DN of the user

Connecting to LDAP Directories - 1.5

• Map Values:
– Full Name: The attribute that stores the full name
– Email: The attribute that stores the user's email address
– User ID: The attribute that stores the username or user id of the user (this is used with the username the user is trying to log in with).

Active Directory Specific Notes

• Your Active Directory Base DN is typically your site name, e.g.:
– DC=joomla,DC=org

• All attribute names are capitalized (e.g. CN, OU, DC)
• Default user container is CN=Users:
– CN=Users,DC=joomla,DC=org

• Use a tool like LDAP browser to see what your directory looks like via LDAP if you don't know
– http://www-unix.mcs.anl.gov/~gawor/ldap/

Active Directory Specific Notes

• Active Directory has some different map values from the defaults:
– Name: displayName
– User ID: sAMAccountName

Active Directory Specific Notes

• There is a tool to automatically configure Joomla! 1.5 in JDiagnostics and tools to help test settings
• Unfortunately it is English only!
• Available here:
– http://joomlacode.org/gf/project/pasamioprojects/frs/

Pitfalls

• Active Directory is case sensitive for everything
• By default emails have to be unique; this may cause user autocreation to fail with an authorization failed message.
– For example your installed admin user may have your email address already
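
A pre-flight check for the autocreation pitfalls above, as an added example that is not Joomla!'s code: it applies the Map Values to a directory entry and reports a missing attribute or an email collision as an explicit reason. The function name, the sample entry, the `mail` attribute and the OpenLDAP-style map are assumptions.

```python
# Added example, not Joomla!'s code; names and sample data are constructed.

# Map Values for Active Directory from the slides; 'mail' is an assumed
# e-mail attribute, since the slides do not name one.
AD_MAP = {"username": "sAMAccountName", "name": "displayName", "email": "mail"}
# A constructed OpenLDAP-style map, used to show what a mismatch looks like.
OPENLDAP_MAP = {"username": "uid", "name": "cn", "email": "mail"}


def plan_autocreate(entry, attr_map, existing_emails):
    """Return (user, problems) for one LDAP entry.

    entry maps attribute names to lists of values, attr_map is the Map Values
    setting, existing_emails are addresses already in the site's user table.
    """
    user, problems = {}, []
    for field in ("username", "name", "email"):
        values = [v.strip() for v in entry.get(attr_map[field], []) if v.strip()]
        if values:
            user[field] = values[0]
        else:
            problems.append("no value for %s (attribute %s)" % (field, attr_map[field]))
    # Case-insensitive e-mail comparison is an assumption of this example.
    taken = {e.lower() for e in existing_emails}
    if "email" in user and user["email"].lower() in taken:
        problems.append("email %s is already used by another account" % user["email"])
    return (None if problems else user), problems


if __name__ == "__main__":
    entry = {  # constructed Active Directory entry
        "sAMAccountName": ["jsmith"],
        "displayName": ["Jane Smith"],
        "mail": ["jane@example.org"],
    }
    print(plan_autocreate(entry, AD_MAP, ["admin@example.org"]))
    print(plan_autocreate(entry, OPENLDAP_MAP, []))
    print(plan_autocreate(entry, AD_MAP, ["Jane@example.org"]))
```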

More Information

• For more information check out the JAuthTools website for:
– Sample configuration files
– Instructions on deploying an OpenLDAP directory
– Joomla! 1.0 options (very similar to 1.5!)
– Other 1.5 authentication options (passwordless login)
– Links to useful resources

• http://sammoffatt.com.au/jauthtools

Demonstration

Demonstration and questions

URLs:
– http://www-unix.mcs.anl.gov/~gawor/ldap/
– http://joomlacode.org/gf/project/pasamioprojects/frs
– http://sammoffatt.com.au/jauthtools
