LimeSurvey v2.05+ using Active Directory / LDAP Authentication on CentOS+Apache

Hello everyone,

After banging my head against the wall for a while trying to get LimeSurvey v2.05 Build 140302 authenticating against an Active Directory, I finally made it. Since no clear documentation on this matter exists for the latest version, I have decided to post this here in the hope that others might find it useful.

So firstly let's understand what kind of user profiles we have, namely:
  1. Super Administrator
  2. Survey Administrator
  3. Survey Participants

This first post will deal only with point 1 & 2. I haven't yet tackled point 3 but when I do I will post a follow-up.

So firstly one needs to understand that LimeSurvey does not authenticate directly against an Active Directory. It can only pick up on an already authenticated user and provide access to user level 1 or 2. The following will now detail each step required to set things up on a CentOS 6.5 running Apache HTTPd v2.2.15 and authenticating against a Windows Server 2008 R2 Active Directory.

Configure Apache for Active Directory Authentication
The first thing one needs to guarantee is setting up Apache to authenticate against an Active Directory. Make sure all plugins for HTTP and LDAP authentication are disabled and that you have no LDAP enabled settings in your config.php or config-defaults.php.
1. Install Apache LDAP module with
yum install mod_authz_LDAP
2. If installed correctly you will find a new file named /etc/httpd/conf.d/authz_ldap.conf
3. In this file, after the IfModule tag add the following:
   <Location /limesurvey/admin>
      AuthBasicProvider ldap
      AuthType Basic
      AuthzLDAPAuthoritative off
      AuthName "AD Login"
      AuthLDAPURL "ldap://[ip]:389/cn=Users,DC=[domain],DC=local?sAMAccountName?sub?(&(objectClass=user)(memberOf=CN=LIMESURVEY_ADMINS,OU=GROUPS,DC=[domain],DC=local)(!(userAccountControl=514)))"
      AuthLDAPBindDN "cn=[username],cn=Users,dc=[domain],dc=local"
      AuthLDAPBindPassword "[password]"
      require valid-user
   </Location>
   <Location /limesurvey/index.php/admin>
      AuthBasicProvider ldap
      AuthType Basic
      AuthzLDAPAuthoritative off
      AuthName "AD Login"
      AuthLDAPURL "ldap://[ip]:389/cn=Users,DC=[domain],DC=local?sAMAccountName?sub?(&(objectClass=user)(memberOf=CN=LIMESURVEY_ADMINS,OU=GROUPS,DC=[domain],DC=local)(!(userAccountControl=514)))"
      AuthLDAPBindDN "cn=[username],cn=Users,dc=[domain],dc=local"
      AuthLDAPBindPassword "[password]"
      require valid-user
   </Location>
Note1: Change all values within [] to your own values
Note2: The code above assumes you are running limesurvey under http://your_ip/limesurvey , if you are running at root level then "/limesurvey" should be removed from the location tag
Note3: The configs above are limiting access to users belonging to the group "LIMESURVEY_ADMINS". To enable all users in AD use "AuthLDAPURL "ldap://[ip]:389/cn=Users,DC=[domain],DC=local?sAMAccountName?sub?(objectClass=*)""
4. Restart Apache with service httpd restart
5. Access Limesurvey admin at http://your_ip/limesurvey/admin
6. If everything is working correctly you should get a login box where you can place your Active Directory username and password. If it works you will be presented with LimeSurvey's login page; if it doesn't, check your /var/log/httpd/error_log for more information on why it didn't work.

Change /limesurvey/application/config/config-defaults.php
Yes, I am changing the values in config-defaults.php; this is because when I copied them over to config.php it seemed to never work. In the end I just left config.php only with DB connection values and everything else I do in the default file. Here are all the settings I changed/added/created:
// Changed this temporarily because if you are locked out this could be one of the reasons for future problems when everything is actually correct. (Don't know how to disable this)
$config['maxLoginAttempt']    =   50000;
$config['timeOutTime']        =   10 * 1;
// Ldap settings
$config['enableLdap'] = true;
$config['auth_webserver'] = true;
$config['auth_webserver_user_map'] = array(); // This is important for future "Super Admin privileges"
$config['auth_webserver_autocreate_user'] = true;
// Looks up the display name and e-mail address of the user that the web server has already authenticated.
function hook_get_auth_webserver_profile($user_name)
{
        $ldap_connection2 = NULL;
        $LDAP_HOSTNAME = '[ad_hostname]';
        $ldap_username = '[ad_user]@[domain].local';
        $ldap_password = '[password]';
        $ldap_base_dn = 'DC=[domain],DC=local';
        $ldap_connection2 = ldap_connect($LDAP_HOSTNAME);
        ldap_set_option($ldap_connection2, LDAP_OPT_PROTOCOL_VERSION, 3) or die('Unable to set LDAP protocol version');
        ldap_set_option($ldap_connection2, LDAP_OPT_REFERRALS, 0); // We need this for doing an LDAP search.
        // Bind with the lookup account configured above.
        ldap_bind($ldap_connection2, $ldap_username, $ldap_password);
        $attributes = array("displayname", "mail", "samaccountname");
        // $user_name is placed into the search filter exactly as received.
        $search_filter = "(&(objectCategory=person)(sAMAccountname=$user_name))";
        $result = ldap_search($ldap_connection2, $ldap_base_dn, $search_filter, $attributes);
        $entries = ldap_get_entries($ldap_connection2, $result);
        // Only the first matching entry is used.
        $full_name = $entries[0]['displayname'][0];
        $mail = $entries[0]['mail'][0];
        return Array(
                        'full_name' => "$full_name",
                        'email' => "$mail",
                        'lang' => 'en',
                        'htmleditormode' => 'inline');
}

Configure and Activate LimeSurvey Plugins
OK, now the final step is to configure and activate the LimeSurvey plugins. We need to activate two, namely "Core: Basic LDAP authentication" and "Core: Webserver authentication". First let's take care of the LDAP plugin.
1. Click on configure icon for LDAP Plugin and enter the following details:
- LDAP Server: ldap://[ad_ip_or_hostname]
- Port number: 389
- LDAP version: 2
- Username prefix: -empty-
- Username suffix: @[domain].local
- Check for default: Yes

2. Save and click on activate for the LDAP Plugin

3. Click on configure for Webserver authentication, leave as is with "REMOTE_USER" BUT CLICK ON SAVE! If you don't it won't work.

4. Activate Webserver plugin

Now you should have everything set-up to work. Just access your limesurvey admin address at http://ip_address/limesurvey/admin enter your AD user/pass and you should be automatically logged in with Survey Administrator privileges.

If you want to get automatic Super Admin privileges you have to go back to config-default.php and use the "$config = array();" such as "$config = array('username_you_want_as_admin' => 'admin');"

Well I hope this helps people out there.

Good luck.
3 years 1 week ago #106310 by icebrian
Reserved for participant LDAP conf
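
Added example, not part of the original posts: the AuthLDAPURL in step 3 excludes disabled accounts with an exact match on userAccountControl=514, but that attribute is a bit field. This Python script parses a URL of the same shape and reports which disabled accounts the search filter still matches, compared with Active Directory's bitwise-AND matching rule; the host, domain and account values are constructed placeholders.

```python
import re

ACCOUNTDISABLE = 0x2                      # userAccountControl bit for a disabled account
BIT_AND_RULE = "1.2.840.113556.1.4.803"   # AD bitwise-AND matching rule OID
UAC_CLAUSE = re.compile(r"\(!\(userAccountControl(?::([\d.]+):)?=(\d+)\)\)", re.I)

def parse_auth_ldap_url(url):
    """Split scheme://host:port/base?attribute?scope?filter (RFC 2255 layout)."""
    scheme, _, rest = url.partition("://")
    hostport, _, tail = rest.partition("/")
    base, attr, scope, flt = (tail.split("?", 3) + [""] * 3)[:4]
    return {"scheme": scheme.lower(), "host": hostport, "base": base,
            "attribute": attr, "scope": scope, "filter": flt}

def passes_uac_clause(flt, uac):
    """True if an account with this userAccountControl value survives the
    negated userAccountControl clause of the filter (other clauses ignored)."""
    m = UAC_CLAUSE.search(flt)
    if not m:
        return True                        # no clause at all: nothing is excluded
    rule, value = m.group(1), int(m.group(2))
    if rule == BIT_AND_RULE:
        excluded = (uac & value) == value  # every bit of value is set
    else:
        excluded = uac == value            # plain equality on the whole integer
    return not excluded

def audit(url, accounts):
    """Return a list of findings for one AuthLDAPURL against sample accounts."""
    cfg, findings = parse_auth_ldap_url(url), []
    if cfg["scheme"] == "ldap":
        findings.append("ldap:// scheme: the URL itself does not request TLS")
    leaked = sorted(name for name, uac in accounts.items()
                    if uac & ACCOUNTDISABLE and passes_uac_clause(cfg["filter"], uac))
    if leaked:
        findings.append("filter still matches disabled accounts: " + ", ".join(leaked))
    return findings

# Constructed sample data (assumptions, not values from the post).
BASE = "ldap://dc01.example.local:389/cn=Users,DC=example,DC=local?sAMAccountName?sub?"
PAGE_FILTER = "(&(objectClass=user)(!(userAccountControl=514)))"
BIT_FILTER = "(&(objectClass=user)(!(userAccountControl:%s:=2)))" % BIT_AND_RULE
# 512 enabled; 514 disabled; 66050 disabled + password never expires;
# 546 disabled + password not required.
ACCOUNTS = {"alice": 512, "bob": 514, "carol": 66050, "dave": 546}

if __name__ == "__main__":
    for label, flt in (("page filter", PAGE_FILTER), ("bitwise filter", BIT_FILTER)):
        print(label, audit(BASE + flt, ACCOUNTS))
```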

