jacekkow/qa-cas-ldap-auth


Question2Answer - CAS + LDAP authentication

This script integrates the Question2Answer system with CAS authentication using the uphpCAS library. User data and permission levels are retrieved from an LDAP server.

Installation

  1. Download qa-cas-ldap-auth-master.zip

  2. Extract it.

  3. Configure the module (qa-external/config.php). The options are described in the Configuration section below.

  4. Copy the qa-external directory to the location where you installed Question2Answer.

  5. Uncomment the line:

    define('QA_EXTERNAL_USERS', true);
    

    in qa-config.php.

  6. Follow the Question2Answer installation guide.

General information

The CAS server returns a user ID. This ID is used as the userid in the Question2Answer system.

Additional information, such as the e-mail address and username, is retrieved from the LDAP directory.

Configuration

This module is configured through the qa-external/config.php file.

Available options:

General options

$qa_default_user_level

Default permission level for an authenticated user. Used when no other permission level was configured for the user in the LDAP directory (see $ldap_level_groups).

Must be set to one of the following constants:

  • QA_USER_LEVEL_BASIC
  • QA_USER_LEVEL_APPROVED
  • QA_USER_LEVEL_EXPERT
  • QA_USER_LEVEL_EDITOR
  • QA_USER_LEVEL_MODERATOR
  • QA_USER_LEVEL_ADMIN
  • QA_USER_LEVEL_SUPER

$qa_session_prefix

Prefix used to distinguish this Question2Answer instance from other ones under the same domain. This value is used to prefix the names of entries in the $_SESSION array.

If only one instance of the Question2Answer system is installed under one session scope (see PHP Session Configuration for more information on session cookies), or all instances use the same set of users and privileges, no modification is necessary.

CAS

$cas_server

URL of the CAS server, without a trailing slash, e.g. https://cas.corp/cas

/login or /logout, with the appropriate parameters, will be appended to this value.

LDAP - general

$ldap_server

LDAP server URI, e.g. ldap://ldap.corp or ldaps://ldap.corp

This value is passed as-is to ldap_connect().

$ldap_starttls

Whether to use STARTTLS encryption for the LDAP connection.

Set to FALSE if you use LDAPS.

Must be set to TRUE or FALSE.

$ldap_bind_dn

User (DN) to bind as when opening the LDAP connection. Set to NULL to bind anonymously.

$ldap_bind_pass

Password for the user specified in $ldap_bind_dn.
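The following is an added example (not code from qa-cas-ldap-auth) showing how the $ldap_server, $ldap_starttls, $ldap_bind_dn and $ldap_bind_pass options fit together when opening the connection. The function name ldap_open_secure() is hypothetical, and the refusal to fall back to a cleartext session is this example's own check, not behaviour the module documents.

```php
<?php
// Added example, not part of the module. Opens the LDAP connection described
// by the README options and fails closed instead of talking cleartext LDAP.
function ldap_open_secure(string $server, bool $starttls, ?string $bindDn, ?string $bindPass)
{
    // ldap_connect() only validates the URI here; the socket opens on bind/start_tls.
    $conn = ldap_connect($server);
    if ($conn === false) {
        throw new RuntimeException("Invalid LDAP URI: $server");
    }
    // LDAPv3 is required for STARTTLS. Disabling referral chasing keeps the
    // client from following referrals to servers that were never configured.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    $isLdaps = stripos($server, 'ldaps://') === 0;
    if ($starttls && $isLdaps) {
        // The README says: set $ldap_starttls = FALSE when using LDAPS.
        throw new LogicException('Do not combine ldaps:// with $ldap_starttls = TRUE');
    }
    if (!$starttls && !$isLdaps) {
        // Neither LDAPS nor STARTTLS: bind password and user data would be sent in cleartext.
        throw new LogicException('Refusing plaintext LDAP; use ldaps:// or set $ldap_starttls = TRUE');
    }
    if ($starttls && !@ldap_start_tls($conn)) {
        throw new RuntimeException('STARTTLS failed: ' . ldap_error($conn));
    }
    // A NULL DN and password perform an anonymous bind, as described for $ldap_bind_dn.
    if (!@ldap_bind($conn, $bindDn, $bindPass)) {
        throw new RuntimeException('LDAP bind failed: ' . ldap_error($conn));
    }
    return $conn;
}
```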

LDAP - users

$ldap_user_base_dn

Base DN for the user search operation, e.g. ou=users,dc=corp

$ldap_user_base_depth

How deep to search under $ldap_user_base_dn.

Possible values are:

  • one - search only the entries directly under the base DN (one level),
  • subtree - search the whole subtree (all levels).

$ldap_user_filter

Filter to apply when searching for users, e.g. (accountStatus=active). Even a single key-value pair must be enclosed in parentheses.

This value will be AND-ed with the module's own user search filter.

$ldap_userid_attr

Name of the attribute in the user's LDAP entry that contains the userid as returned by the CAS server, e.g. uid.

This ID is used internally by Question2Answer in various DB tables and is not displayed.

$ldap_public_username_attr

Name of the attribute in the user entry containing the username, which is used publicly (e.g. in profile URLs) instead of the userid. Values must be unique and map one-to-one to userids.

If unsure, set to the same value as $ldap_userid_attr, e.g. uid

$ldap_public_display_attr

Name of the attribute in the user entry containing the name that is displayed instead of the username; for example cn, which typically holds the full name.

Links to the user profiles will look like this:

<a href="/profile/{username}">{display}</a>

If unsure, set to the same value as $ldap_userid_attr, e.g. uid

$ldap_email_attr

Name of the attribute in the user entry containing the e-mail address. When the LDAP server returns multiple values, the first one is used.

LDAP - groups

$ldap_group_base_dn

Base DN for the group search operation, e.g. ou=qaSite,ou=groups,dc=corp

$ldap_group_base_depth

How deep to search under $ldap_group_base_dn.

Possible values are:

  • one - search only the entries directly under the base DN (one level),
  • subtree - search the whole subtree (all levels).

$ldap_group_filter

Filter to apply when searching for groups, e.g. (objectClass=groupOfUniqueNames). Even a single key-value pair must be enclosed in parentheses.

This value will be AND-ed with the module's own group search filter.

$ldap_member_group_attr

Name of the attribute in the group entry containing a reference to the user.

$ldap_member_user_attr

Name of the attribute in the user entry whose value is referenced by the attribute configured in $ldap_member_group_attr.

If a group entry contains:

member: jsmith

and the user entry contains:

uid: jsmith

then $ldap_member_group_attr should be set to member and $ldap_member_user_attr to uid.

The special value dn may be used to reference the full DN of the user entry (e.g. uid=jsmith,ou=users,dc=corp).

$ldap_level_groups

Mapping of group DNs to permission levels, e.g.:

'cn=SuperUsers,ou=qaSite,ou=groups,dc=corp' => QA_USER_LEVEL_SUPER,
'cn=Admins,ou=qaSite,ou=groups,dc=corp' => QA_USER_LEVEL_ADMIN,
'cn=Moderators,ou=qaSite,ou=groups,dc=corp' => QA_USER_LEVEL_MODERATOR,
'cn=Editors,ou=qaSite,ou=groups,dc=corp' => QA_USER_LEVEL_EDITOR,
'cn=Experts,ou=qaSite,ou=groups,dc=corp' => QA_USER_LEVEL_EXPERT,

When a user is a member of multiple mapped groups, the highest permission level is applied.
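As an added example (not the module's own code), the PHP below shows how the user filter is AND-ed with the userid lookup, how $ldap_member_group_attr / $ldap_member_user_attr resolve group membership, and how the highest mapped level wins. The helper names build_user_filter(), ldap_search_depth() and resolve_user_level() and the $cfg array keys are hypothetical; it assumes the QA_USER_LEVEL_* constants are integers that increase with privilege, and that $userEntry is one element of an ldap_get_entries() result.

```php
<?php
// Added example, not part of qa-cas-ldap-auth. $cfg keys mirror the README
// options: group_base_dn, group_base_depth, group_filter, member_group_attr,
// member_user_attr, level_groups (DN => QA_USER_LEVEL_* constant).

// AND the configured $ldap_user_filter with the userid lookup. The userid comes
// from CAS, but it is still external input to the filter, so it is escaped.
function build_user_filter(string $userFilter, string $useridAttr, string $userid): string
{
    $escaped = ldap_escape($userid, '', LDAP_ESCAPE_FILTER);
    return "(&{$userFilter}({$useridAttr}={$escaped}))";
}

// 'one' searches only the level below the base DN (ldap_list); 'subtree' uses ldap_search.
function ldap_search_depth($conn, string $base, string $depth, string $filter, array $attrs): array
{
    $res = ($depth === 'one')
        ? @ldap_list($conn, $base, $filter, $attrs)
        : @ldap_search($conn, $base, $filter, $attrs);
    if ($res === false) {
        throw new RuntimeException('LDAP search failed: ' . ldap_error($conn));
    }
    return ldap_get_entries($conn, $res);
}

// Find the groups that reference the user and return the highest mapped level,
// falling back to $defaultLevel ($qa_default_user_level) when none matches.
function resolve_user_level($conn, array $cfg, array $userEntry, int $defaultLevel): int
{
    // Group entries reference either the user's DN or one of its attributes.
    $memberValue = ($cfg['member_user_attr'] === 'dn')
        ? $userEntry['dn']
        : $userEntry[strtolower($cfg['member_user_attr'])][0];
    $filter = '(&' . $cfg['group_filter'] . '(' . $cfg['member_group_attr'] . '='
        . ldap_escape($memberValue, '', LDAP_ESCAPE_FILTER) . '))';
    $groups = ldap_search_depth($conn, $cfg['group_base_dn'], $cfg['group_base_depth'], $filter, ['dn']);

    $level = $defaultLevel;
    for ($i = 0; $i < $groups['count']; $i++) {
        // DNs are matched as exact strings: the keys in $ldap_level_groups must be
        // spelled (and cased) exactly as the server returns them.
        $dn = $groups[$i]['dn'];
        if (isset($cfg['level_groups'][$dn]) && $cfg['level_groups'][$dn] > $level) {
            $level = $cfg['level_groups'][$dn];
        }
    }
    return $level;
}
```

With the README's options, build_user_filter('(objectClass=posixAccount)', 'uid', 'jsmith') yields (&(objectClass=posixAccount)(uid=jsmith)).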

LDAP configuration examples

Example 1

User entries look like this:

dn: uid=jsmith,ou=users,dc=corp
objectClass: inetOrgPerson
objectClass: posixAccount
cn: John Smith
mail: john.smith@mail.corp
uid: jsmith
uidNumber: 1001
(...)

Group entries look like this:

dn: cn=Admins,ou=qaSite,ou=groups,dc=corp
objectClass: groupOfUniqueNames
objectClass: top
cn: Admins
uniqueMember: uid=jsmith,ou=users,dc=corp

Configuration 1:

	public static $ldap_user_base_dn = 'ou=users,dc=corp';
	public static $ldap_user_base_depth = 'one'; // one or subtree
	public static $ldap_user_filter = '(objectClass=posixAccount)';
	public static $ldap_userid_attr = 'uidNumber';
	public static $ldap_public_username_attr = 'uid';
	public static $ldap_public_display_attr = 'cn';
	public static $ldap_email_attr = 'mail';

	public static $ldap_group_base_dn = 'ou=qaSite,ou=groups,dc=corp';
	public static $ldap_group_base_depth = 'one'; // one or subtree
	public static $ldap_group_filter = '(objectClass=groupOfUniqueNames)';
	public static $ldap_member_group_attr = 'uniqueMember';
	public static $ldap_member_user_attr = 'dn';
	public static $ldap_level_groups = array(
		// dn -> level
		'cn=Admins,ou=qaSite,ou=groups,dc=corp' => QA_USER_LEVEL_ADMIN,
	);

  • uidNumber (e.g. 1001) is returned by the CAS server,
  • uid (e.g. jsmith) will be used as the username (in URLs),
  • cn (e.g. John Smith) will be displayed instead of the username.

Configuration 2:

	public static $ldap_user_base_dn = 'ou=users,dc=corp';
	public static $ldap_user_base_depth = 'one'; // one or subtree
	public static $ldap_user_filter = '(objectClass=posixAccount)';
	public static $ldap_userid_attr = 'uid';
	public static $ldap_public_username_attr = 'uid';
	public static $ldap_public_display_attr = 'uid';
	public static $ldap_email_attr = 'mail';

	public static $ldap_group_base_dn = 'ou=qaSite,ou=groups,dc=corp';
	public static $ldap_group_base_depth = 'one'; // one or subtree
	public static $ldap_group_filter = '(objectClass=groupOfUniqueNames)';
	public static $ldap_member_group_attr = 'uniqueMember';
	public static $ldap_member_user_attr = 'dn';
	public static $ldap_level_groups = array(
		// dn -> level
		'cn=Admins,ou=qaSite,ou=groups,dc=corp' => QA_USER_LEVEL_ADMIN,
	);

  • uid (e.g. jsmith) is returned by the CAS server,
  • uid (e.g. jsmith) will be used as the username (in URLs),
  • uid (e.g. jsmith) will be displayed instead of the username.
