When you click the extension in the extension manager you may activate some basic (reads: not dependent on a server definition) features of the extension. For instance you may restrict authentication to your directory without a fallback against the TYPO3 user database.
The default settings prevent the extension to do anything! You have to activate it for the frontend and backend separately!
To create FE-users and LDAP servers follow the following steps:
Define a SysFolder for storing your FE-users.
When you use the LDAP attribute “department” you can create corresponding usergroups in the SysFolder. A user in the department “Software” for example will then be joined the group “Software”. This way you can apply access rules on pages and content elements depending on the department.
Create a new LDAP server in the above mentioned SysFolder by choosing “new” and selecting “LDAP server”. Fill in the appropriate parameters for your organization.
You may create multiple LDAP servers per SysFolder.
Click on “LDAP Integration” in the “web” section and choose the above mentioned SysFolder. You should see a short summary with the numbers of users both in TYPO3 and in the directory.
Now choose an option from the dropdown menue. You may import new users, update the existing ones (without importing new ones!) or delete users without a corresponding entry in the directory.
Used for authentication purposes, "loginname" -> "domain\\loginname"
Searchfilter for the LDAP query, <search> is replaced by the users's loginname
Active Directory does not fulfill the X.500 standard when doing authenticated binds. To authenticate your FE-users against the directory you must set the server type correctly.
Optional, user must be allowed to search LDAP directory
Active Directory (and NDS as far as I know) extends the LDAP standard by an attribute “memberOf”. For each group the user is a member of, this attribute is added holding the group's DN.
When the box is checked the user's groups are evaluated by using this attribute and the next parameter “build usergroup” is ignored.
Optional, when set the user is assigned the group resulting from the given LDAP attributes.
Suppose you have a user in the division “Seattle” and department “Production”. The example string would put him into the group “seattle_production”.
User name (full name for display)
LDAP attribute holding the user's (full) name
Various address related fields
Only users with email address
When checked only LDAP entries with a filled email address (attribute mail) are imported. To avoid import of guest and dummy accounts.
When activated users don't have to be imported in the backend. If a FE-user is successfully authenticated against the LDAP directory the user record in the database is imported/updated.
Ingmar Schlecht and Olivier Dobberkau provide an extension for synchronizing FE and BE users. When you activate this checkbox this extension is used to sync users automatically (extension Feuser->BElogin must be installed and loaded)
What is my base DN?In a W2k environment it should be the domain name.
Which servers support the “memberOf/groupMembership” attribute?Win2k Active Directory and Novell e-directory definitely support this attribute.
Why can I choose between two Active Directory modes and what is the difference?When authenticating against a Windows domain controller th “old” Windows NT syntax is domain\user, e.g. eumedia\norman. With W2k the new format is user@domain, e.g. firstname.lastname@example.org. In most cases it does not matter which format you choose but some users reported problems when using the wrong format.
Users are imported but their password as I see it in the backend is wrong. Why?The passwords you see in the backend are created randomly. There is no import of passwords but authentication is done everytime against the LDAP server.
Can I assign users to groups?Yes, currently standard implementations of AD, NDS and OpenLDAP are supported. Additionally you may define own attributes to build your usergroups.
Can I import user groups automatically?Yes, you can.
Can I encrypt my connection to the LDAP server?Yes, begin your server definition with “ldaps://”. The default setting for encrypted connections is port 636.You need to compile PHP with SSL support (or load the module under Windows).
How does the SSO integration work?For single sign on the user's password is encrypted and cached, the key is stored in a cookie. Just tick the checkbox in the extension's settings.