I apologize for my bad English; I am using Google Translator to help me.
This was my problem: I needed to use the iTop system, but on the condition that users must use LDAP to access iTop, with multiple ADs at different clients.
The iTop system runs on Apache 2 under Windows; this should not change anything. The Apache service uses vhosts. For this example, assume the following:
http://support.client1.com and http://support.client2.com
Both vhosts redirect to the same folder on the server; for example, imagine the following:
C:\http\itop\support
The vhost file will look as follows:
<VirtualHost *:80>
    ServerAdmin support@client1.com
    DocumentRoot "C:/http/itop/support"
    ServerName support.client1.com
    ErrorLog "logs/support.client1.com-error.log"
    CustomLog "logs/support.client1.com-access.log" common
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin support@client2.com
    DocumentRoot "C:/http/itop/support"
    ServerName support.client2.com
    ErrorLog "logs/support.client2.com-error.log"
    CustomLog "logs/support.client2.com-access.log" common
</VirtualHost>
In each client's firewall I opened port 1983 (you can use whatever port you want). In the rule I made all packets sent to port 1983 automatically forward to my AD on port 389.
In the "webservices" folder I have these files with the following contents:
AD-client1.bat
    php.exe -q AD-client1.php --auth_user=iTopAdminUser --auth_pwd=iTopAdminPassword --simulation=0
AD-client1.php // Download the original full script file "AD_import_accounts.php" from the iTop documentation (wiki.openitop.org); only $aConfig is changed
    $aConfig = array(
        'host' => 'ldap.client1.com',
        'port' => '1983',
        'dn' => 'DC=client1,DC=local',
        'username' => 'client1local\administrator',
        'password' => 'AdministratorPwd',
        'ldap_query' => '(&(objectCategory=user))',
        'login' => 'samaccountname',
        'profiles_mapping' => array(
            'Administrators' => 'Administrator',
        ),
        'default_profile' => 'Portal user',
        'default_language' => 'EN US',
        'default_organization' => 1,
    );
AD-client2.bat
    php.exe -q AD-client2.php --auth_user=iTopAdminUser --auth_pwd=iTopAdminPassword --simulation=0
AD-client2.php // Download the original full script file "AD_import_accounts.php" from the iTop documentation (wiki.openitop.org); only $aConfig is changed
    $aConfig = array(
        'host' => 'ldap.client2.com',
        'port' => '1983',
        'dn' => 'DC=client2,DC=local',
        'username' => 'client2local\administrator', // bind account of the client2 domain
        'password' => 'AdministratorPwd',
        'ldap_query' => '(&(objectCategory=user))',
        'login' => 'samaccountname',
        'profiles_mapping' => array(
            'Administrators' => 'Administrator',
        ),
        'default_profile' => 'Portal user',
        'default_language' => 'EN US',
        'default_organization' => 2,
    );
And now, the only file that I modified to make iTop work as multi-client: config-itop.php (only the modified code is shown; the rest of the code is as it was developed).
The new variables have the own_ prefix.
<?php
// own_*: the vhost that served the request selects the client-specific settings
$own_get_host = $_SERVER["SERVER_NAME"];
$own_app_root_url = 'http://'.$own_get_host.'/';
/**
 *
 * Configuration file, generated by the iTop configuration wizard
 *
 * The file is used in MetaModel::LoadConfig() which does all the necessary initialization job
 *
 */
$MySettings = array(
    // access_message: Message displayed to the users when there is any access restriction
    // default: 'iTop is temporarily frozen, please wait... (the admin team)'
    'access_message' => 'iTop is temporarily frozen, please wait... (the admin team)',
    // access_mode: Combination of flags (ACCESS_USER_WRITE | ACCESS_ADMIN_WRITE, or ACCESS_FULL)
    // default: 3
    'access_mode' => 3,
    'allowed_login_types' => 'form|basic|external',
    // apc_cache.enabled: If set, the APC cache is allowed (the PHP extension must also be active)
    // default: true
    'apc_cache.enabled' => true,
    // apc_cache.query_ttl: Time to live set in APC for the prepared queries (seconds - 0 means no timeout)
    // default: 3600
    'apc_cache.query_ttl' => 3600,
    // app_root_url: Root URL used for navigating within the application, or from an email to the application (you can put $SERVER_NAME$ as a placeholder for the server's name)
    // default: ''
    'app_root_url' => $own_app_root_url, // modified: built from the requesting vhost
    // buttons_position: Position of the forms buttons: bottom | top | both
    // default: 'both'
    'buttons_position' => 'both',
    // ... more php code ...
/**
 *
 * Modules specific settings
 *
 */
// pick the LDAP server, read-only bind account and base DN for the requesting vhost
switch ($own_get_host) {
    case 'support.client1.com':
        $own_host = 'ldap.client1.com';
        $own_port = 1983;
        $own_default_user = 'client1local\itop';
        $own_default_pwd = 'PwdForLDAPRead';
        $own_base_dn = 'dc=client1,dc=local';
        break;
    case 'support.client2.com':
        $own_host = 'ldap.client2.com';
        $own_port = 1983;
        $own_default_user = 'client2local\itop';
        $own_default_pwd = 'PwdForLDAPRead';
        $own_base_dn = 'dc=client2,dc=local';
        break;
    default:
        $own_host = '';
        $own_port = 389;
        $own_default_user = '';
        $own_default_pwd = '';
        $own_base_dn = 'dc=domain,dc=local';
        break;
}
$MyModuleSettings = array(
    'itop-attachments' => array (
        'allowed_classes' => array (
            0 => 'Ticket',
        ),
        'position' => 'relations',
    ),
    'authent-ldap' => array (
        'host' => $own_host,
        'port' => $own_port,
        'default_user' => $own_default_user, /* works also with DOMAIN\username */
        'default_pwd' => $own_default_pwd,
        'base_dn' => $own_base_dn,
        'user_query' => '(samaccountname=%1$s)',
        'options' => array (
            17 => 3, /* LDAP_OPT_PROTOCOL_VERSION = 3 */
            8 => 0,  /* LDAP_OPT_REFERRALS = 0 (do not chase AD referrals) */
        ),
        'debug' => true, /* set to true for errors in itop/log/error.log */
    ),
);
// ... more php code ...
I hope it will be useful.
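Added example, not from the original post or from iTop: a table-driven replacement for the switch above that accepts SERVER_NAME only when it is one of the configured vhosts (with Apache's default UseCanonicalName Off that value is derived from the client's Host header), so neither the LDAP settings nor app_root_url can be steered by an unexpected Host value. The own_* names and the environment variable names for the bind passwords are assumptions; the vhost and LDAP values are the post's.

```php
<?php
// Added example, not from the original post or from iTop: allow-list version
// of the switch above (values from the post; own_* names and the *_PWD_* env
// variable names for the bind passwords are assumed).
$own_clients = array(
    'support.client1.com' => array('host' => 'ldap.client1.com', 'port' => 1983,
        'user' => 'client1local\itop', 'pwd_env' => 'ITOP_LDAP_PWD_CLIENT1',
        'base_dn' => 'dc=client1,dc=local'),
    'support.client2.com' => array('host' => 'ldap.client2.com', 'port' => 1983,
        'user' => 'client2local\itop', 'pwd_env' => 'ITOP_LDAP_PWD_CLIENT2',
        'base_dn' => 'dc=client2,dc=local'),
);

// With Apache's default UseCanonicalName Off, SERVER_NAME is derived from the
// client's Host header, so normalise it and accept only a configured vhost.
function own_known_host(array $clients, $server_name)
{
    $host = strtolower(trim((string)$server_name));
    return isset($clients[$host]) ? $host : null;
}

// 'authent-ldap' settings for the request's vhost. An unknown host gets the
// same empty settings as the post's default case, and the mismatch is logged.
function own_ldap_settings(array $clients, $server_name)
{
    $host = own_known_host($clients, $server_name);
    if ($host === null) {
        $safe = substr(preg_replace('/[^\w.\-]/', '_', (string)$server_name), 0, 64);
        error_log("authent-ldap: no LDAP mapping for vhost '" . $safe . "'");
        return array('host' => '', 'port' => 389, 'default_user' => '',
                     'default_pwd' => '', 'base_dn' => '');
    }
    $c = $clients[$host];
    $pwd = getenv($c['pwd_env']);   // bind password kept out of config-itop.php
    return array(
        'host' => $c['host'], 'port' => $c['port'],
        'default_user' => $c['user'],
        'default_pwd' => ($pwd === false) ? '' : $pwd,
        'base_dn' => $c['base_dn'],
        'user_query' => '(samaccountname=%1$s)',
        'options' => array(17 => 3, 8 => 0), // LDAP_OPT_PROTOCOL_VERSION=3, LDAP_OPT_REFERRALS=0
        'debug' => false,
    );
}

$own_host_ok = own_known_host($own_clients, $_SERVER['SERVER_NAME']);
// app_root_url (used in emails) only ever becomes one of the configured vhosts
$own_app_root_url = ($own_host_ok === null) ? '' : 'http://' . $own_host_ok . '/';
$own_ldap = own_ldap_settings($own_clients, $_SERVER['SERVER_NAME']);
// then in the arrays: 'app_root_url' => $own_app_root_url, 'authent-ldap' => $own_ldap
```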
Also review how to support several (per-login) LDAP servers.
Long ago I made this request. I saw that the amendment would be a candidate for new versions. Have you implemented my request?
iTop 2.4, and we are still waiting.
Hi, maybe it helps someone:
https://github.com/knowitop/knowitop-multi-ldap-auth
Hello,
There are no plans to develop this at Combodo, but anyone can sponsor this development; if you are interested, write to sales@combodo.com.
Also note that iTop 2.7.0 will offer a completely new authentication mechanism that will allow greater customization and could help with such needs.
See Authentication process [iTop Documentation]