-
Notifications
You must be signed in to change notification settings - Fork 204
Configuration settings
To use adLDAP you need to first define some important parameters, specifically the Domain Controller you wish to query and the base domain details of your Active Directory structure. You may also need to define a username and password of an account with higher privileges than your standard domain user account.
These can be defined directly in the adLDAP.php script itself or you can pass them in an array as part of the constructor. See more information about connecting and disconnecting.
The configuration options declared in the class itself are protected variables. That means they cannot be set from directly outside the class. You can, however, set them at run time by passing an array to the adLDAP constructor. You can override objects to allow specific configuration options to be changed at runtime.
Below are a list of all configuration options you can define, and most likely the only part of adLDAP.php you'll need to edit.
$accountSuffix = "@mydomain.local";
Default: @mydomain.local The full account suffix for your domain.
$baseDn = "DC=mydomain,DC=local";
Default: DC=mydomain,DC=local
The base dn for your domain. This is generally the same as your account suffix, but broken up and prefixed with DC=. Your base dn can be located in the extended attributes in Active Directory Users and Computers MMC.
For example if your account suffix is @mydomain.local then your base DN is usually DC=mydomain,DC=local
If you can authenticate users ok, but searching doesn't work, it's generally because you have specified an incorrect base_dn.
If you set this to null, adLDAP will attempt to detect this information automatically from your domain controller
$domainControllers = array("dc01.mydomain.local");
Default: array("dc01.mydomain.local") An array of Domain Controllers. If you would like your class to balance the queries over multiple controllers, you can specify multiple controllers in the array (or just specify the domain name, as it will resolve to any Domain Controller in the Active Directory Domain).
Bear in mind when setting this option, requests will still be sent to offline domain controllers specified in this array. This array implements load balancing, not fault tolerance.
##User Authentication
$adminUsername = null;
Default: null
By default, adLDAP will perform your searches with permissions of the user account you have called with authenticate(). You may wish to specify an account with higher privileges to perform privileged operations.
It is strongly recommended to do this, as a standard domain user account will not have many permissions to query over Active Directory.
$adminPassword = null;
Default: null
The corresponding password for adminUsername.
$realPrimaryGroup = true;
Default: true AD does not always return the primary group. http://support.microsoft.com/?kbid=321360 This tweak will resolve the real primary group, but may be resource intensive. Setting to false will fudge "Domain Users" and is much faster. Keep in mind though that if someone's primary group is NOT domain users, this is obviously going to mess up the results.
adLDAP >= 3.1 has a re-written function to reveal the true primary group and should be much less intensive that versions prior to 3.1
$useSSL = false;
Default: false adLDAP can use LDAP over SSL to provide extra functionality such as password changes. Both your domain controller and your web server need to be configured to allow LDAP over SSL for this to happen, it cannot just be set to true. By default domain controllers do not have SSL enabled. Please see the section on LDAP over SSL for more information.
$useTLS = false;
Default: false adLDAP can use LDAP over TLS connections rather than SSL to provide extra functionality such as password changes. Both your domain controller and your web server need to be configured for this to happen, it cannot just be set to true. Please see the section on LDAP over SSL for more information. If you enable TLS, you must disable SSL and vice-versa.
$recursiveGroups = true;
Default: true When querying group membership, do it recursively, eg. User Fred is a member of group “Business Unit” “Business Unit” is a member of group “Department” “Department” is a member of group “Company”
$adldap->user()->inGroup("Fred","Company") will returns true with this option turned on, false if turned off.
Any function in adLDAP that involves checking group memberships of contacts, users, etc will use this property. In many of these functions you can enable this or disable it on a function by function basis as well.