For ADS, the following options are noteworthy:
Table 12. Options for Active Directory
| Name | Additional Notes |
|---|---|
| host | As with all servers, this option is required. |
| useStartTls | For the sake of security, this should be TRUE if the server has the necessary certificate installed. |
| useSsl | Possibly used as an alternative to useStartTls (see above). |
| baseDn | As with all servers, this option is required. By default AD places all user accounts under the Users container (e.g., CN=Users,DC=foo,DC=net), but the default is not common in larger organizations. Ask your AD administrator what the best DN for accounts for your application would be. |
| accountCanonicalForm | You almost certainly want this to be 3 for backslash style names (e.g., FOO\alice), which are most familiar to Windows users. You should not use the unqualified form 2 (e.g., alice), as this may grant access to your application to users with the same username in other trusted domains (e.g., BAR\alice and FOO\alice will be treated as the same user). (See also note below.) |
| accountDomainName | This is required with AD unless accountCanonicalForm 2 is used, which, again, is discouraged. |
| accountDomainNameShort | The NetBIOS name of the domain that users are in and for which the AD server is an authority. This is required if the backslash style accountCanonicalForm is used. |
Note
Technically there should be no danger of accidental cross-domain authentication
with the current Zend_Auth_Adapter_Ldap implementation,
since server domains are explicitly checked, but this may not be true of a
future implementation that discovers the domain at runtime, or if an alternative
adapter is used (e.g., Kerberos). In general, account name ambiguity is known to
be the source of security issues, so always try to use qualified account names.
For OpenLDAP or a generic LDAP server using a typical posixAccount style schema, the following options are noteworthy:
Table 13. Options for OpenLDAP
| Name | Additional Notes |
|---|---|
| host | As with all servers, this option is required. |
| useStartTls | For the sake of security, this should be TRUE if the server has the necessary certificate installed. |
| useSsl | Possibly used as an alternative to useStartTls (see above). |
| username | Required and must be a DN, as OpenLDAP requires that usernames be in DN form when performing a bind. Try to use an unprivileged account. |
| password | The password corresponding to the username above, but this may be omitted if the LDAP server permits an anonymous binding to query user accounts. |
| bindRequiresDn | Required and must be TRUE, as OpenLDAP requires that usernames be in DN form when performing a bind. |
| baseDn | As with all servers, this option is required and indicates the DN under which all accounts being authenticated are located. |
| accountCanonicalForm | Optional, but the default value is 4 (principal style names like alice@foo.net), which may not be ideal if your users are used to backslash style names (e.g., FOO\alice). For backslash style names use value 3. |
| accountDomainName | Required unless you're using accountCanonicalForm 2, which is not recommended. |
| accountDomainNameShort | If AD is not also being used, this value is not required. Otherwise, if accountCanonicalForm 3 is used, this option is required and should be a short name that corresponds adequately to the accountDomainName (e.g., if your accountDomainName is foo.net, a good accountDomainNameShort value might be FOO). |
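The two option sets above, written out as one Zend_Auth_Adapter_Ldap configuration. This is an added example, not code from the Zend Framework manual; host names, DNs, the domain and the bind account are placeholders. The `assertQualifiedNames` guard is also added here: it refuses any server entry that uses the discouraged unqualified form 2 or omits the domain options the tables mark as required, so the ambiguity described in the note cannot be introduced by a later config change.

```php
<?php
// Added example (not from the Zend Framework manual). All hosts, DNs and
// credentials below are placeholders for your own environment.
require_once 'Zend/Auth.php';
require_once 'Zend/Auth/Adapter/Ldap.php';

$options = array(
    'ad' => array(                                   // Active Directory (Table 12)
        'host'                   => 'dc1.foo.net',   // placeholder
        'useStartTls'            => true,
        'baseDn'                 => 'CN=Users,DC=foo,DC=net',
        'accountCanonicalForm'   => 3,               // FOO\alice, never 2
        'accountDomainName'      => 'foo.net',
        'accountDomainNameShort' => 'FOO',
    ),
    'openldap' => array(                             // posixAccount schema (Table 13)
        'host'                   => 'ldap.foo.net',  // placeholder
        'useStartTls'            => true,
        'username'               => 'cn=reader,dc=foo,dc=net', // unprivileged bind DN
        'password'               => 'PLACEHOLDER-PASSWORD',
        'bindRequiresDn'         => true,
        'baseDn'                 => 'ou=people,dc=foo,dc=net',
        'accountCanonicalForm'   => 3,               // match AD so FOO\alice is one identity
        'accountDomainName'      => 'foo.net',
        'accountDomainNameShort' => 'FOO',
    ),
);

// Reject configurations that would let BAR\alice and FOO\alice collapse to "alice".
function assertQualifiedNames(array $servers)
{
    foreach ($servers as $name => $opts) {
        $form = isset($opts['accountCanonicalForm']) ? (int) $opts['accountCanonicalForm'] : 4;
        if ($form === 2) {
            throw new InvalidArgumentException("$name: accountCanonicalForm 2 (unqualified) is not allowed");
        }
        if (empty($opts['accountDomainName'])) {
            throw new InvalidArgumentException("$name: accountDomainName is required");
        }
        if ($form === 3 && empty($opts['accountDomainNameShort'])) {
            throw new InvalidArgumentException("$name: accountDomainNameShort is required for backslash names");
        }
    }
}

assertQualifiedNames($options);
$adapter = new Zend_Auth_Adapter_Ldap($options, $_POST['username'], $_POST['password']);
$result  = Zend_Auth::getInstance()->authenticate($adapter);
if (!$result->isValid()) {
    error_log(implode("\n", $result->getMessages())); // details stay in the log, not the response
}
```

On success, `$result->getIdentity()` holds the canonicalized name (e.g., FOO\alice), which is the value to store in the session rather than the raw form the user typed.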