LDAP support

Warning: this article is really intended for advanced users who already fully understand LDAP systems and who wish to have their SPIP site rely on an existing LDAP directory.

LDAP (Lightweight Directory Access Protocol) is a protocol used to query a directory that holds user account information (name, login, authentication details...). Since SPIP 1.5, it has been possible to check whether an editor exists in the LDAP directory before granting that user access to the private zone.

During installation, SPIP checks whether PHP has been compiled with LDAP support. If so, the fifth installation step ("create access") offers a button for adding an LDAP directory to the SPIP configuration. The configuration steps which follow are relatively simple, as SPIP attempts to determine as many of the configuration parameters as it can by itself. In particular, it lets you choose the default status to be assigned to authors recognised by the directory: they can be assigned as editors (recommended), administrators or just simple visitors.

Note: by default, the PHP extension for LDAP is usually not activated, so SPIP will not display the corresponding form during installation. Remember to activate the LDAP extension in your PHP installation if you do wish to use LDAP from SPIP.

If SPIP has already been installed and you want to add an LDAP directory, you must restart the installation by erasing the config/connect.php file.

Once the configuration has been correctly executed, all the LDAP directory users will be identified by entering their login (or name) as it is in the LDAP directory, followed by their password. Note that this does not prevent you in any way from creating authors directly in the SPIP interface; those authors will not be copied into the directory but will be managed directly from within SPIP. By the same token, the personal data of authors identified using the LDAP database (biography, PGP key...) will not be copied across into the SPIP directory. This means that SPIP only needs read-only access to the LDAP directory.

Important: always create your first administrator in the "normal" (non-LDAP) fashion when you install SPIP. This is necessary if you wish to avoid being locked out of your SPIP back end in the event that the LDAP server goes off-line.

To find out more:

The connection credentials for the LDAP server are written into the connect.php file. Corollary: you will need to delete this file and re-run the SPIP installation if you want to activate LDAP for an existing SPIP site.

In the spip_auteurs table, a "source" field has been added which indicates where the author's information was sourced from. By default this will be "spip", but it can also be equal to "ldap". This makes it possible to know which fields must not be changed: in particular, modification of the login name must not be authorised, otherwise the SPIP-LDAP synchronisation will be compromised.

During authentication, the two methods are tested one after the other: first SPIP, then LDAP. In fact, an LDAP author cannot be authenticated using the SPIP method (the standard method with an md5 challenge), since the password is left empty in the spip_auteurs table. A SPIP author, created within SPIP, will be authenticated directly against the spip_auteurs table. On the other hand, if the login name entered does not originate from SPIP, then the password is transmitted in the clear.

When an LDAP author connects for the first time, that author's record is added into the spip_auteurs table. The fields that are recorded at that time are: name, login and email, which come from the LDAP directory (the 'cn', 'uid' and 'mail' attributes respectively), and the status is assigned the default value defined during the SPIP installation (editor, admin or visitor). Important: you can modify that status later on, if you wish, so that you may select your administrators by hand, for example; their status will not be overwritten by the default value on subsequent logins.
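The following is an added illustration, not SPIP's own code, of the behaviour described in the three paragraphs above: the SPIP-then-LDAP authentication order, the first-login provisioning of an LDAP author from the 'cn', 'uid' and 'mail' attributes, the preservation of a hand-edited status on later logins, and the refusal to change the login of an "ldap"-sourced row. The spip_auteurs table is modelled as an in-memory dictionary, the status names are the page's plain words rather than SPIP's internal codes, `ldap_bind` is a constructed stand-in for a simple bind against a directory, and the md5 hash is only a stand-in for SPIP's stored password (the real scheme is not reproduced).

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Auteur:
    """One row of the spip_auteurs table (modelled, not SPIP's schema)."""
    nom: str
    login: str
    email: str
    statut: str           # "editor", "admin" or "visitor" (page wording)
    source: str = "spip"  # "spip" or "ldap"
    pass_hash: str = ""   # stays empty for LDAP-sourced rows


# Constructed stand-in directory: uid -> attributes and bind password.
FAKE_LDAP = {
    "alice": {"cn": "Alice Martin", "mail": "alice@example.org", "password": "s3cret"},
}
BIND_ATTEMPTS = []  # records which logins were sent to the directory


def ldap_bind(uid, password):
    """Stand-in for an LDAP simple bind: the password itself leaves SPIP here,
    which is why the SPIP-to-directory link should be TLS-protected."""
    BIND_ATTEMPTS.append(uid)
    entry = FAKE_LDAP.get(uid)
    if entry is None or entry["password"] != password:
        return None
    return {"cn": entry["cn"], "uid": uid, "mail": entry["mail"]}


def spip_hash(password):
    """Stand-in for the hash SPIP keeps for its own authors (md5 only to
    mirror the page's 'md5 challenge' wording)."""
    return hashlib.md5(password.encode()).hexdigest()


class SpipAuth:
    def __init__(self, default_ldap_status="editor"):
        self.auteurs = {}  # login -> Auteur
        self.default_ldap_status = default_ldap_status

    def create_spip_author(self, nom, login, email, password, statut="admin"):
        """The 'normal', non-LDAP way: the row carries its own password hash."""
        self.auteurs[login] = Auteur(nom, login, email, statut, "spip", spip_hash(password))

    def authenticate(self, login, password):
        a = self.auteurs.get(login)
        # Stage 1: the SPIP method. It can only succeed for rows that hold a
        # hash, so LDAP-sourced rows (empty pass_hash) always skip it.
        if a is not None and a.pass_hash and a.pass_hash == spip_hash(password):
            return a
        # Stage 2: LDAP bind with the submitted password.
        entry = ldap_bind(login, password)
        if entry is None:
            return None
        if a is None:
            # First login: provision the row from cn/uid/mail with the
            # installation's default status. Nothing is written back to LDAP.
            a = Auteur(entry["cn"], entry["uid"], entry["mail"],
                       self.default_ldap_status, "ldap")
            self.auteurs[login] = a
        # Later logins: the existing row (and any hand-edited status) is kept.
        return a

    def can_change_login(self, login):
        """The login of an 'ldap' row is the sync key and must stay read-only."""
        return self.auteurs[login].source != "ldap"

    def change_login(self, login, new_login):
        if not self.can_change_login(login):
            raise PermissionError("login of an LDAP-sourced author must not change")
        a = self.auteurs.pop(login)
        a.login = new_login
        self.auteurs[new_login] = a
        return a


if __name__ == "__main__":
    auth = SpipAuth()
    auth.create_spip_author("Bob", "bob", "bob@example.org", "pw-bob")
    print(auth.authenticate("bob", "pw-bob"))      # spip row, no bind attempted
    print(auth.authenticate("alice", "s3cret"))    # provisioned from LDAP
    auth.auteurs["alice"].statut = "admin"
    print(auth.authenticate("alice", "s3cret"))    # statut stays "admin"
    print(auth.authenticate("alice", "wrong"))     # None
```

Note that a SPIP-created author who mistypes a password also falls through to the LDAP stage, exactly as the "first SPIP, then LDAP" order implies, so the directory sees that password; keeping the SPIP-to-LDAP connection on TLS is what protects both kinds of author from the clear-text transmission the page mentions.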

Once an author has logged in, that author is authenticated by the standard mechanism, i.e. with a simple session cookie. In addition, the data taken into consideration for display in loops and tags are those from the spip_auteurs table, not those stored in the LDAP directory.

For SPIP-created authors, nothing changes at all. You can create and modify them just as you would normally.

Author: Mark. Updated: 26/10/12
