
LDAP settings

From LimeSurvey Manual

Revision as of 07:21, 28 September 2023 by Maren.fritz (talk | contribs) (Created page with "=== Requêtes simples ===")
  Warning: This feature allows LimeSurvey survey administrators to import tokens via LDAP. If you need LDAP authentication, please refer to the AuthLDAP plugin.


General

You must enable LDAP support in config.php and configure the LDAP settings in config/ldap.php in order to use this feature.


Enabling LDAP in config.php

  • $enableLdap: if you want to use the LDAP functions in LimeSurvey, you must set this parameter to true (it is false by default):
'config'=>array(
 'debug'=>0,
 'debugsql'=>0,
 'enableLdap'=>true,
 )

Defining LDAP servers

First define the LDAP server connection options in "application/config/ldap.php". For each server, the following options are available:

  • $serverId: An integer that identifies this LDAP server. It is used in the query definitions to bind a server to a specific query;
  • $ldap_server[$serverId]['server']: The IP address or DNS name of the LDAP server. If you use SSL-secured connections (LDAPS or LDAP+Start-TLS), this name must match the CN (or SubjectAlternativeName) of the server's certificate;
  • $ldap_server[$serverId]['protoversion']: Can be 'ldapv2' or 'ldapv3' depending on the protocol supported by your server. 'ldapv3' is the preferred protocol. However, if you want to use encrypted connections, note that LDAPS is supported in 'ldapv2' mode whereas Start-TLS is the encryption method for 'ldapv3';
  • $ldap_server[$serverId]['encrypt']: Defines the encryption method used. 'ldaps' is supported for 'ldapv2' servers, 'start-tls' for 'ldapv3' servers. The keyword 'none' is used for cleartext LDAP communication;
    • Remember that for 'ldaps' or 'start-tls' encryption, the web server must be able to verify the LDAP server's certificate. You therefore need to configure your Certificate Authority in your openldap library (usually this is done in the /etc/openldap/ldap.conf file on Linux).
  • $ldap_server[$serverId]['referrals']: A boolean parameter that defines whether referrals should be followed or not (use false for ActiveDirectory);
  • $ldap_server[$serverId]['encoding']: An optional parameter giving the encoding used by the LDAP directory to store strings. You usually do not need to configure this parameter because the default encoding, 'utf-8', is the standard encoding for LDAP directories. However, if you use Active Directory and have problems importing accented strings, try setting this parameter to the encoding used in your region (for instance 'cp850' for Western Europe). You can refer to the 'File character set' drop-down list in the Import Token from CSV file GUI for the full list of supported encodings.

Then you must define which authentication is needed to access the directory. If 'anonymous' access is allowed, do NOT define the two following parameters; otherwise define them accordingly:

  • $ldap_server[$serverId]['binddn']: DN of the LDAP user allowed to read the directory;
  • $ldap_server[$serverId]['bindpw']: Password of the above LDAP user.

If you need to define other LDAP servers, add the following line to increment the serverId and then define the new parameters:

  • $serverId++;
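As an added example (not LimeSurvey's own code), the following Python function checks one server definition of the shape used in application/config/ldap.php against the rules stated above, and flags the one combination worth catching before go-live: bind credentials sent over an unencrypted connection. The DOMAIN\user heuristic for detecting Active Directory is an assumption of this example.

```python
# Added example (not LimeSurvey's own code): sanity-check one server
# definition of the shape used in application/config/ldap.php against
# the rules stated on this page, before the settings go live.
from typing import Dict, List

PROTOS = ("ldapv2", "ldapv3")
ENCRYPTS = ("none", "ldaps", "start-tls")

def check_ldap_server(srv: Dict[str, object]) -> List[str]:
    """Return the problems found in one $ldap_server[$serverId] entry."""
    problems: List[str] = []
    proto = srv.get("protoversion")
    enc = srv.get("encrypt", "none")
    if proto not in PROTOS:
        problems.append("protoversion must be 'ldapv2' or 'ldapv3'")
    if enc not in ENCRYPTS:
        problems.append("encrypt must be 'none', 'ldaps' or 'start-tls'")
    # Page rule: LDAPS goes with 'ldapv2', Start-TLS with 'ldapv3'.
    if enc == "ldaps" and proto != "ldapv2":
        problems.append("'ldaps' is only supported with protoversion 'ldapv2'")
    if enc == "start-tls" and proto != "ldapv3":
        problems.append("'start-tls' requires protoversion 'ldapv3'")
    # Page rule: anonymous access means neither binddn nor bindpw is set.
    has_dn, has_pw = bool(srv.get("binddn")), bool(srv.get("bindpw"))
    if has_dn != has_pw:
        problems.append("set both binddn and bindpw, or neither (anonymous bind)")
    # A simple bind transmits bindpw as-is; with encrypt 'none' it crosses
    # the network in cleartext, readable by anyone on the path.
    if has_pw and enc == "none":
        problems.append("bindpw would travel in cleartext: use 'ldaps' or 'start-tls'")
    # Heuristic (assumption of this example): a DOMAIN\user bind DN indicates
    # Active Directory, for which the page says referrals should be false.
    if srv.get("referrals") and "\\" in str(srv.get("binddn", "")):
        problems.append("DOMAIN\\user bind suggests Active Directory: set referrals to false")
    return problems

# Constructed sample mirroring the Active Directory example further down the page.
AD_SAMPLE: Dict[str, object] = {
    "server": "10.10.10.10", "port": "389", "protoversion": "ldapv2",
    "encrypt": "none", "referrals": False,
    "binddn": "domain\\user", "bindpw": "userpassword",
}
```

Run against the page's own Active Directory sample, the only finding is the cleartext bind password, which is exactly what a reviewer of that configuration should push back on.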

Defining queries in config/ldap.php

Warning: when an LDAP attribute name is required in one of these parameters, use lowercase names only: for instance displayname and NOT displayName.

Please refer to the config/ldap.php file as it contains configuration examples.

Simple queries

Let's begin with simple queries. These queries only filter LDAP entries based on their own attributes and location. They are usually enough for querying Active Directory.

  • $query_id: is the id of the LDAP query;
  • $ldap_queries[$query_id]['ldapServerId']: Binds the query to a specific server;
  • $ldap_queries[$query_id]['name']: String describing the query. It will be displayed in the GUI;
  • $ldap_queries[$query_id]['userbase']: Root DN to use for user searches;
  • $ldap_queries[$query_id]['userfilter']: It is a filter used to select potential users' entries. It must be enclosed in parentheses;
  • $ldap_queries[$query_id]['userscope']: scope of the LDAP search for users ('base', 'one' or 'sub');
  • $ldap_queries[$query_id]['firstname_attr']: Ldap attribute that will be mapped to the Firstname field of the token entry;
  • $ldap_queries[$query_id]['lastname_attr']: Ldap attribute that will be mapped to the Lastname field of the token entry;
  • $ldap_queries[$query_id]['email_attr']: Ldap attribute that will be mapped to the email address field of the token entry.

Optionally, you can retrieve more information from the directory:

  • $ldap_queries[$query_id]['token_attr']: Ldap attribute that will be mapped to the token code;
  • $ldap_queries[$query_id]['language']: Ldap attribute that will be mapped to the user language code;
  • $ldap_queries[$query_id]['attr1']: Ldap attribute that will be mapped to the attribute_1 field;
  • $ldap_queries[$query_id]['attr2']: Ldap attribute that will be mapped to the attribute_2 field.

Combined Group Queries with DN members

Let's now see how to define a more complicated query.

The following queries use a first LDAP search that looks into LDAP groups. An LDAP group is an LDAP entry containing references to users' entries, in the form of either:

  • user ids (as posixGroup entries do): see the next section;
  • or user DNs (as groupofnames and groupofuniquenames entries do): see below.

Here we deal with groups containing user DNs:

  • define $query_id, $ldap_queries[$query_id]['ldapServerId'], $ldap_queries[$query_id]['name'] as explained above.

Then define the group filter parameters:

  • $ldap_queries[$query_id]['groupbase']: The Root DN from which you want to start searching for group entries;
  • $ldap_queries[$query_id]['groupfilter']: The LDAP filter that will select potential group entries;
  • $ldap_queries[$query_id]['groupscope']: The scope of the LDAP search for groups ('base', 'one' or 'sub');
  • $ldap_queries[$query_id]['groupmemberattr']: The Name of the LDAP attribute in the group entry that will contain references to users' entries;
  • $ldap_queries[$query_id]['groupmemberisdn']: TRUE.

At this point, everything is set up to let the first LDAP search find users corresponding to the selected groups. However, you can restrict which of these "user candidates" will be selected by applying another filter on them. This is, of course, optional:

  • $ldap_queries[$query_id]['userbase']: Base DN for the user LDAP search (only user candidates under this base will be selected);
  • $ldap_queries[$query_id]['userscope']: Scope for the user LDAP search (only user candidates matching userbase+scope will be selected);
  • $ldap_queries[$query_id]['userfilter']: A filter applied to each user candidate entry (on its attributes) as a further selection.

Combined Group Queries with UID members

Let's now see how to define a combined Group query when group members are user UIDs and not User DNs.

As with the group queries with DN members, these queries use a first LDAP search that looks for LDAP group entries and gets their members. These member values are then used in a user search filter to find the corresponding user entries. Thus one more parameter must be configured: the attribute in the user's entry that must match the member UID found in the groups.

Let's review the required parameters:

  • define $query_id, $ldap_queries[$query_id]['ldapServerId'], $ldap_queries[$query_id]['name'] as explained above

Then define the group filter parameters:

  • $ldap_queries[$query_id]['groupbase']: The Root DN from which you want to start searching for group entries;
  • $ldap_queries[$query_id]['groupfilter']: The LDAP filter that will select potential group entries;
  • $ldap_queries[$query_id]['groupscope']: The scope of the LDAP search for groups ('base', 'one' or 'sub');
  • $ldap_queries[$query_id]['groupmemberattr']: The name of the LDAP attribute in the group entry that will contain references to users' entries;
  • $ldap_queries[$query_id]['groupmemberisdn']: FALSE;
  • $ldap_queries[$query_id]['useridattr']: name of the user attribute that must match the UID found in the group members.

At this point everything is set up: the first LDAP search finds the user UIDs corresponding to the selected groups, and a user search filter is filled in automatically from them.

However, you can restrict which of these 'user candidates' will be selected by completing the automatic user filter computed from member UIDs. This is, of course, optional:

  • $ldap_queries[$query_id]['userbase']: Base DN for the user LDAP search (only user candidates under this base will be selected);
  • $ldap_queries[$query_id]['userscope']: Scope for the user LDAP search (only user candidates matching userbase+scope will be selected);
  • $ldap_queries[$query_id]['userfilter']: A filter applied to each user candidate entry (on its attributes) as a further selection.
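The two combined group query variants above (DN members and UID members) are written out below as an added Python example; it is not LimeSurvey's own code and does not talk to a directory. The point it adds is that member values read back from a group entry are untrusted input to the next search: they are escaped as RFC 4515 requires before being placed into the automatically built user filter, so a crafted value stored in the directory cannot widen the set of users that get imported as tokens.

```python
# Added example (not LimeSurvey's own code): the two steps this page describes
# for a combined group query, written out. Member values read from the group
# entry are escaped per RFC 4515 before they are put into the user filter, so
# a crafted value in the directory cannot change what the filter selects.
from typing import List, Optional

def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_user_filter(members: List[str], useridattr: str,
                      userfilter: Optional[str] = None) -> str:
    """groupmemberisdn = FALSE case: members are UIDs taken from groupmemberattr;
    useridattr is the user attribute that must match them; userfilter is the
    optional extra filter, which the page requires to be in parentheses."""
    if not members:
        raise ValueError("no group members: nothing to search for")
    terms = "".join("(%s=%s)" % (useridattr, escape_filter_value(m)) for m in members)
    member_filter = "(|%s)" % terms if len(members) > 1 else terms
    if userfilter is None:
        return member_filter
    if not (userfilter.startswith("(") and userfilter.endswith(")")):
        raise ValueError("userfilter must be enclosed in parentheses")
    return "(&%s%s)" % (member_filter, userfilter)

def dn_within_base(dn: str, base: str, scope: str) -> bool:
    """groupmemberisdn = TRUE case: is a member DN inside userbase for the given
    userscope? Simplified string comparison: assumes DNs are written consistently
    and that RDN values contain no escaped commas."""
    d, b = dn.lower().strip(), base.lower().strip()
    if scope == "base":
        return d == b
    if scope not in ("one", "sub"):
        raise ValueError("scope must be 'base', 'one' or 'sub'")
    if not d.endswith("," + b):
        return False
    # 'one' means exactly one RDN sits above the base.
    return scope == "sub" or "," not in d[: -len(b) - 1]

# Constructed sample: memberUid values from a posixGroup, one of them hostile.
MEMBERS = ["jdoe", "asmith", "x*)(objectClass=*"]
```

Without the escaping, the third constructed member value would turn the OR filter into one that matches every entry under userbase.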

What about Active Directory?

Active Directory (AD) is Microsoft's directory service; it can be queried using the LDAP protocol.

Its content can therefore be used for LimeSurvey token queries, but this requires some knowledge of how AD is organized.

  • The LDAP root base is dc=my_windows_domain_name,dc=dns_suffix2,dc=dns_suffix1

==> For instance, if your company owns the DNS domain 'my-company.com' and your Windows domain is 'employees', then your root base is dc=employees,dc=my-company,dc=com

  • Users and user groups are stored below cn=Users,dc=my_windows_domain_name,dc=dns_suffix2,dc=dns_suffix1 (please note this is not ou=users);
  • Active Directory Groups:
    • Groups objects contain DN of members in their 'member' attribute;
    • Group memberships are also stored in the memberOf attribute of each user entry. This attribute contains DNs of groups the user belongs to;
    • some groups are in CN=Builtin,dc=my_windows_domain_name,dc=dns_suffix2,dc=dns_suffix1:
      • For instance: cn=Administrator,CN=Builtin,dc=my_windows_domain_name,dc=dns_suffix2,dc=dns_suffix1;

In some cases it is not that easy to query an Active Directory, so here is a sample configuration for getting some information out of an Active Directory:

//Connection to the active directory Server:
$serverId=0;
$ldap_server[$serverId]['server'] = "10.10.10.10";
$ldap_server[$serverId]['port'] = "389";
$ldap_server[$serverId]['protoversion'] = "ldapv2";
$ldap_server[$serverId]['encrypt'] = "none"; // Most AD LDAP servers will not have encryption set by default
$ldap_server[$serverId]['referrals'] = false;
$ldap_server[$serverId]['binddn'] = "domain\\user";
$ldap_server[$serverId]['bindpw'] = "userpassword";
//$ldap_server[$serverId]['binddn'] = "CN=user,OU=user_group,DC=xxx,DC=yyy"; // this form will not work with Active Directory, that's why you need to use "domain\\user"
//Here is a sample query for getting all active users of an active directory:
$query_id=0;
$ldap_queries[$query_id]['ldapServerId'] = 0;
$ldap_queries[$query_id]['name'] = 'Staff with an enabled account';
$ldap_queries[$query_id]['userbase'] = 'OU=USER_GROUP,DC=xxx,DC=yyy';
$ldap_queries[$query_id]['userfilter'] = '(&(objectClass=user)(!(userAccountControl=514)))';
//(!(userAccountControl=514)): you cannot ask Active Directory for an active user, but you can ask for a user that is not inactive
$ldap_queries[$query_id]['userscope'] = 'sub';
$ldap_queries[$query_id]['firstname_attr'] = 'givenname';
$ldap_queries[$query_id]['lastname_attr'] = 'sn';
$ldap_queries[$query_id]['email_attr'] = 'mail';
$ldap_queries[$query_id]['token_attr'] = ''; // Leave empty for Auto Token generation by phpsv
$ldap_queries[$query_id]['language'] = '';
$ldap_queries[$query_id]['attr1'] = '';
$ldap_queries[$query_id]['attr2'] = '';
//Group filtering is not possible in Active Directory, so you need to add the user's memberOf attribute to the user filter instead. Here is a sample query for getting all active users that are members of the group "samplegroup" in Active Directory:
$query_id++;
$ldap_queries[$query_id]['ldapServerId'] = 0;
$ldap_queries[$query_id]['name'] = 'All members of samplegroup';
$ldap_queries[$query_id]['userbase'] = 'OU=USER_GROUP,DC=xxx,DC=yyy';
$ldap_queries[$query_id]['userfilter'] = '(&(objectClass=user)(memberOf=CN=samplegroup,OU=Group Global,OU=USER_GROUP,DC=xxx,DC=yyy)(!(userAccountControl=514)))';
$ldap_queries[$query_id]['userscope'] = 'sub';
$ldap_queries[$query_id]['firstname_attr'] = 'givenname';
$ldap_queries[$query_id]['lastname_attr'] = 'sn';
$ldap_queries[$query_id]['email_attr'] = 'mail';
$ldap_queries[$query_id]['token_attr'] = ''; // Leave empty for Auto Token generation by phpsv
$ldap_queries[$query_id]['language'] = '';
$ldap_queries[$query_id]['attr1'] = '';
$ldap_queries[$query_id]['attr2'] = '';

Another example User query:

$ldap_queries[$query_id]['userfilter'] = '(&(objectCategory=Person)(objectClass=user)(!(userAccountControl=514)))'; // AD doesn't recognise enabled accounts in the normal way, so instead we check that users are not disabled

  • As suggested in the config file, consider adding (!(email=*)) to your user filters to ignore users with no email address.

Example group query:

$ldap_queries[$query_id]['groupfilter'] = '(&(objectClass=group)(cn=Domain Admins))'; // AD doesn't use the standard attribute name for groups, so use this example instead.

Find more information about the Active Directory LDAP structure on Active Directory Architecture and Active Directory Technical Specification.
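The sample filters above test for "not disabled" with an exact value, (!(userAccountControl=514)). The following added Python example (not LimeSurvey's own code) shows what that comparison does and does not catch, and, going beyond the page, the bitwise Active Directory filter that tests the disable flag directly. The flag values and the LDAP_MATCHING_RULE_BIT_AND OID are Microsoft's documented userAccountControl constants; the sample values are constructed.

```python
# Added example (not LimeSurvey's own code): what "(!(userAccountControl=514))"
# from the sample configuration actually tests, and, going beyond the page, the
# bitwise AD filter that tests the disable flag itself. Flag values are the
# documented userAccountControl bits: 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2).
from typing import List

ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # AD extensible match OID

def is_disabled(uac: int) -> bool:
    """True when the ACCOUNTDISABLE bit is set, whatever other bits are present."""
    return bool(uac & ACCOUNTDISABLE)

def passes_exact_filter(uac: int) -> bool:
    """Emulates (!(userAccountControl=514)): an exact-value comparison."""
    return uac != 514

def enabled_users_filter(base_filter: str = "(objectClass=user)") -> str:
    """Filter excluding every account with the disable bit set, using the
    LDAP_MATCHING_RULE_BIT_AND extensible match that Active Directory supports."""
    return "(&%s(!(userAccountControl:%s:=%d)))" % (
        base_filter, LDAP_MATCHING_RULE_BIT_AND, ACCOUNTDISABLE)

def disabled_but_imported(uac_values: List[int]) -> List[int]:
    """Disabled accounts the exact-value filter would still turn into tokens."""
    return [u for u in uac_values if passes_exact_filter(u) and is_disabled(u)]

# Constructed sample: normal enabled, normal disabled, and both variants with
# the "password never expires" bit added (66048 = 512 + 65536, 66050 = 66048 + 2).
SAMPLE_UAC = [NORMAL_ACCOUNT, NORMAL_ACCOUNT | ACCOUNTDISABLE,
              NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
              NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE]
```

A disabled account whose value is 66050 slips through the exact-value test and would receive a survey token; the bitwise filter excludes it together with every other disabled variant.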