Joomla! 1.5 can be integrated with Kerberos authentication and LDAP authorization using some third-party plugins (in 1.6 this feature is included in the core). The bulk is already integrated into Joomla!, however. Sam Moffatt's Joomla Authentication Tools (JAuthTools) must be installed, and the wiki came in very handy.
The following plugins must be installed and enabled:
- Authentication - LDAP. Configure the LDAP server settings and username, email and name 'dn's.
- Authentication - Advanced LDAP. Permits authentication using LDAP and synchronisation of account details.
- SSO - HTTP. Enables HTTP authentication. Ensure that SSL is used so that passwords are not sent in clear text.
- System - JAuthTools Synchronization Plugin. This is for automatically demoting Joomla users whose LDAP group has changed.
- System - Single Sign On. This enables automatic Joomla user creation from LDAP users.
- User Source - LDAP. This is for mapping LDAP groups to Joomla! groups.
Here are the settings which work with Fedora's FreeIPA server.
Authentication - LDAP plugin
Host: ipaserver.example.com
LDAPv3: Yes
Negotiate TLS: No
Follow referrals: No
Authorisation Method: Bind Directly as User
Base DN: dc=example,dc=com
Search String: uid=[search]
User's DN: uid=[username]@example.com
Connect Username: <<blank>>
Connect Password: <<blank>>
Map Full name: cn
Map Email: mail
Map User ID: uid
Authentication - Advanced LDAP
Enable User Source Sync: Yes
Require Joomla! User: No
# Ensure that the two plugins above are higher priority (above, in plugin list) than the 'Authentication - Joomla' plugin.
SSO: HTTP
User Key: REMOTE_USER
Username replacement: @EXAMPLE.COM
System SSO:
Auto Create Users: Yes
Enable backend SSO: Yes
Override logged in user: No
User Source - LDAP
Map User Blocked: loginDisabled # I haven't tested for blocked users.
Map User Groups: memberOf
Map Group Members: member
Group Map:
cn=joomlasuperadmins,cn=groups,cn=accounts,dc=example,dc=com;25;Super Administrator;20
cn=joomlapublishers,cn=groups,cn=accounts,dc=example,dc=com;21;Publisher;100
cn=joomlamanagers,cn=groups,cn=accounts,dc=example,dc=com;23;Manager;10
Use reverse group membership: No
Authenticate Group Search: No
Use recursive group membership: No
Use iconv: No
Original Encoding (e.g. ISO8859-1): ISO8859-1
Target Encoding (e.g. your database): UTF-8
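
With the SSO - HTTP settings above, REMOTE_USER arrives as a Kerberos principal such as alice@EXAMPLE.COM and has the realm removed before it is used in a search string of the form uid=[search]. The following is an added example, not code from JAuthTools or from the original page: a strict version of that normalisation which accepts only principals in the expected realm and escapes the value for an LDAP filter. The uid pattern, the function names and the sample principals are assumptions constructed for illustration.

```python
import re

EXPECTED_REALM = "EXAMPLE.COM"        # realm from the 'Username replacement' setting
SEARCH_TEMPLATE = "uid=[search]"      # 'Search String' setting from the page
UID_RE = re.compile(r"[a-z][a-z0-9._-]{0,31}")  # assumed local uid policy

# RFC 4515: characters that must be escaped inside an LDAP filter value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value):
    """Escape a value so it cannot change the structure of an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def principal_to_uid(remote_user, realm=EXPECTED_REALM):
    """Return the uid for a principal in the expected realm, else None."""
    if not remote_user:
        return None
    # Split on the LAST '@' so the realm is always the final component.
    name, sep, got_realm = remote_user.rpartition("@")
    if not sep or got_realm != realm:   # no realm, or a foreign realm
        return None
    if "/" in name:                     # service or host principal, not a person
        return None
    if not UID_RE.fullmatch(name):      # anything outside the uid policy
        return None
    return name


def search_string(remote_user):
    """Fill the page's search template, or return None if the principal is rejected."""
    uid = principal_to_uid(remote_user)
    if uid is None:
        return None
    # Escaping is defence in depth; UID_RE already excludes filter metacharacters.
    return SEARCH_TEMPLATE.replace("[search]", ldap_filter_escape(uid))


if __name__ == "__main__":
    # Constructed sample values of REMOTE_USER
    for sample in ("alice@EXAMPLE.COM", "alice@OTHER.ORG",
                   "HTTP/web.example.com@EXAMPLE.COM", "alice"):
        print(repr(sample), "->", search_string(sample))
```

Rejecting a principal here, rather than passing it on unchanged, matters most when Auto Create Users is set to Yes, because any username that survives normalisation can become a Joomla account.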