Using LDAP to authenticate client and worker logins based on an existing directory of contacts
LDAP (Lightweight Directory Access Protocol) is a protocol for querying and updating directory services, and it is commonly used to serve centrally managed corporate account information to many applications. A single login/password combination can then grant access to various applications, and it only needs to be changed in one place for the change to take effect everywhere.
We provide a plugin for LDAP integration with Cerb. This article explains how to use it.
This plugin requires the LDAP PHP extension, which is usually available through your distribution's package manager. On Debian or Ubuntu, for example:
sudo apt-get install php5-ldap
Installing the plugin
The plugin needs to be installed in the storage/plugins/ directory of your Cerb5 installation.
Change directory to storage/plugins/ and run the command:
git clone git://github.com/cerb5-plugins/wgm.ldap.git
Note that the git:// protocol is unauthenticated, so an attacker on the network path could substitute the code you install, and GitHub no longer serves it. Prefer cloning the same repository over https:// (https://github.com/cerb5-plugins/wgm.ldap.git), and review what you fetched before enabling it.
Enabling the plugin
The plugin can be enabled from the web interface.
Open Cerb5 in your web browser and go to the plugin list under Setup.
Enable the [Cerb5] LDAP Integration plugin and click the Save Changes button.
Configuring the plugin
You should substitute your own LDAP connection details during this section.
Click the Plugins menu and select LDAP from the list.
Enter your LDAP settings. Use an encrypted connection to the directory (LDAPS or StartTLS), since passwords are sent to the server during authentication, and if a bind account is required, use a read-only account with only the privileges needed to look up users.
Click the Save Changes button.
Your connection information will be verified when you save it.
Enabling LDAP logins for workers
A worker account needs to exist in Cerb5 with an associated email address that matches the worker's contact record in your LDAP directory; workers are not created automatically.
A new LDAP option will appear on the login form.
The worker should enter their email address and the password on file in your LDAP directory.
Enabling LDAP logins in the Support Center
Unlike workers, contacts do not need to exist in Cerb5 in advance: they are created automatically in your Support Center during their first login if they exist in your LDAP directory. Additionally, their given name and surname will be imported if available.
Configuring your Support Center profile
Navigate to Setup->Community Portals->Configure.
Select the Support Center where you want to enable LDAP logins.
On the Settings tab, scroll to the Login section and select LDAP for the "Authenticate logins using these methods:" option. This can be set exclusively, or in conjunction with other login methods.
Click the Save Changes button.
Contacts from your LDAP directory should now be able to log in using their existing email address and password.
With a relatively simple modification to the plugin's code you could change the login credentials from email/password to any other combination. For example, your users may be familiar with using a screen name or account number instead of an email address.
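The login path described above (look the worker or contact up by email, prove the password against the directory, and pull the given name and surname for the contact record), together with the identifier swap this paragraph suggests, as an added PHP example. This is not the wgm.ldap plugin's own code: the hostname, base DN, service account and attribute names are assumptions, and the two checks it adds (refusing an empty password, escaping the identifier in the search filter) are the ones a practitioner would want in any modification of this kind.

```php
<?php
// Added example, not code from the wgm.ldap plugin: an LDAP login check that
// follows the workflow the article describes (find the user's entry by the
// login identifier, then prove the password by binding as that user).
// Requires the php-ldap extension; ldap_escape() needs PHP 5.6 or later.
// All hostnames, DNs and the service account below are placeholder values.

function ldap_authenticate_user($login, $password, $attribute = 'mail')
{
    // Placeholder connection settings; substitute your own.
    $uri             = 'ldap://ldap.example.com:389';
    $baseDn          = 'ou=people,dc=example,dc=com';
    $serviceDn       = 'cn=cerb-readonly,ou=services,dc=example,dc=com';
    $servicePassword = 'service-account-secret';

    // Only a known attribute name may be interpolated into the filter
    // ('uid' or 'employeeNumber' cover the screen-name / account-number case).
    if (!in_array($attribute, array('mail', 'uid', 'employeeNumber'), true)) {
        return null;
    }

    // Refuse empty passwords before contacting the server. RFC 4513 treats a
    // simple bind with a DN and an empty password as an anonymous bind, which
    // most servers accept, so ldap_bind() would "succeed" for any known login.
    if (!is_string($password) || $password === '') {
        return null;
    }

    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        return null;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Never send passwords in the clear: upgrade the connection or give up.
    // (Connecting to an ldaps:// URI above is the alternative.)
    if (!ldap_start_tls($ldap)) {
        ldap_unbind($ldap);
        return null;
    }

    // Read-only service bind, used only to locate the user's entry.
    if (!ldap_bind($ldap, $serviceDn, $servicePassword)) {
        ldap_unbind($ldap);
        return null;
    }

    // Escape the user-supplied identifier so it cannot alter the filter
    // (e.g. a login of "*" or "x)(uid=admin" must match literally or not at all).
    $filter = sprintf(
        '(&(objectClass=person)(%s=%s))',
        $attribute,
        ldap_escape($login, '', LDAP_ESCAPE_FILTER)
    );
    $result = ldap_search($ldap, $baseDn, $filter, array('mail', 'givenName', 'sn'));

    // Exactly one match is required; zero or several entries means no login.
    if ($result === false || ldap_count_entries($ldap, $result) !== 1) {
        ldap_unbind($ldap);
        return null;
    }

    $entry  = ldap_first_entry($ldap, $result);
    $userDn = ldap_get_dn($ldap, $entry);
    $attrs  = ldap_get_attributes($ldap, $entry);

    // The actual authentication: bind as the user with the submitted password.
    if (!ldap_bind($ldap, $userDn, $password)) {
        ldap_unbind($ldap);
        return null;
    }
    ldap_unbind($ldap);

    // Fields a caller can use to create or update the Cerb contact record.
    return array(
        'dn'         => $userDn,
        'email'      => isset($attrs['mail'][0]) ? $attrs['mail'][0] : null,
        'first_name' => isset($attrs['givenName'][0]) ? $attrs['givenName'][0] : null,
        'last_name'  => isset($attrs['sn'][0]) ? $attrs['sn'][0] : null,
    );
}

// Constructed placeholder for the value submitted on the login form.
$submittedPassword = 'password-from-the-login-form';

// Email/password login as the article describes...
$user = ldap_authenticate_user('alice@example.com', $submittedPassword);
// ...or a screen-name login, looking the user up by uid instead of mail.
$user = ldap_authenticate_user('alice', $submittedPassword, 'uid');
```

A null return means "not authenticated" for every failure cause; callers should log which check failed but show the user a single generic message. Note that ldap_bind() emits an E_WARNING as well as returning false on invalid credentials, so route that through your error handler rather than letting it reach the login page.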
You could also modify the plugin's code to require multi-factor authentication for improved security. Two-factor authentication, for instance, combines "something you know" with "something you have".
For example, at an ATM (automated teller machine) you have an access card and know a secret PIN. You generally cannot use the ATM to access your account without both factors. Other accounts may likewise require a security token in addition to a login and password.