By default, Unomaly uses its built-in user database to authenticate users. Unomaly supports configuring multiple authentication providers, such as LDAP and SAML. This topic discusses configuring Unomaly to authenticate against LDAP directories such as Microsoft Active Directory (AD) or OpenLDAP.

If you have questions about configuring external authentication methods, contact Unomaly Support.

Edit the LDAP configuration file

The LDAP authentication configuration file is located on the Unomaly instance at /DATA/unomaly_ldap.php.

The file contains a PHP array with an overview and a description of each option. You can find examples for AD and OpenLDAP at the end of the file. To add a configuration for either AD or OpenLDAP, edit the relevant example, filling in your own values for each option.

If you need to support users from different sources, you can specify an authentication realm for each source. The first one in the list will be the default.

Configuration options

Each option is listed with an example value and a description.

@authrealm (example: @example.com)
    The key of each configuration entry is the authentication realm. The first value is used to display the current authentication realm on the login page.

servers (example: '10.0.0.1 10.0.0.2')
    One or more LDAP servers separated by a space.

server_port (example: '')
    Server port. (Empty for default.)

server_security (example: 'tls')
    'plain' for no encryption
    'tls' for TLS encryption
    'ssl' for SSL encryption (for example, ldaps)

server_version (example: 3)
    Specify the version of LDAP, 2 or 3.

server_referrals (example: 0)
    Specify whether to follow referrals.
    0 Disabled
    1 Enabled

username_mask (example: '<USERNAME>@example.com')
    <USERNAME> will be replaced by the current username. For Active Directory, users are usually found using the user principal name, as in the example. For OpenLDAP, enter the full user DN here instead. See the bind_mode option for further settings.

user_email (example: email address)
    User attribute containing the email address.

user_upn_attr (example: userPrincipalName)
    User attribute containing the user principal name.

require_group (example: true)
    Require the user to be part of a certain group:
    true yes
    false no

default_group (example: 2)
    Default group if require_group is false:
    1 administrator
    2 user

bind_mode (example: 'direct')
    Specify the mode for finding users.
    'direct' direct DN binding
    'anon' anonymous search
    'auth' authenticated search

search_base (example: 'cn=users,dc=example,dc=com')
    Base DN for user searches.

search_filter (example: '(&(objectclass=user)(objectcategory=user)(userPrincipalName=<USERNAME>*))')
    Searching accounts (if bind_mode is 'anon' or 'auth'). Search filter for finding user objects. (<USERNAME> will be replaced by the current username.)

search_user_dn (example: [email protected])
    A user DN for an initial bind to search users (if bind_mode is 'auth').

search_user_pwd (example: 'abcxyz')
    A user password for an initial bind to search users (if bind_mode is 'auth').

group_admin_dn (example: 'cn=Unomaly Admins,cn=Users,dc=authrealm,dc=com')
    Finding groups (only if require_group is true). Full group DN for the admin group.

group_user_dn (example: 'cn=Unomaly Users,cn=users,dc=authrealm,dc=com')
    Finding groups (only if require_group is true). Full group DN for the user group.

group_limited_dn (example: 'cn=Unomaly Limited Users,cn=users,dc=authrealm,dc=com')
    Finding groups (only if require_group is true). Full group DN for the limited user group.

group_member_attr (example: 'member')
    Group member attribute.

group_member_type (example: 'dn')
    Group member type.
    'dn' full distinguished name
    'cn' common name

Example configurations

Active Directory

<?php
// Entry for the '@ad.example.com' realm; it belongs inside the configuration
// array defined in /DATA/unomaly_ldap.php (the surrounding array is not shown).
'@ad.example.com' => array(
    'servers'           => 'dc1.example.com',       // one or more servers, space separated
    'server_port'       => '',                      // empty: protocol default
    'server_security'   => 'tls',
    'server_version'    => 3,
    'server_referrals'  => 0,
    'username_mask'     => '<USERNAME>@ad.example.com',   // AD: bind with the UPN
    'user_email'        => 'mail',
    'user_upn_attr'     => 'userPrincipalName',
    'require_group'     => true,                    // login only for members of the groups below
    'default_group'     => 2,                       // used only when require_group is false
    'bind_mode'         => 'direct',
    'search_base'       => 'cn=users,dc=ad,dc=example,dc=com',
    'search_filter'     => '(&(objectclass=user)(objectcategory=user)(userPrincipalName=<USERNAME>*))',
    'search_user_dn'    => '[email protected]',        // only used when bind_mode is 'auth'
    'search_user_pwd'   => '---',                   // placeholder: set the real password
    'group_admin_dn'    => 'cn=Unomaly Admins,cn=Users,dc=ad,dc=example,dc=com',
    'group_user_dn'     => 'cn=Unomaly Users,cn=users,dc=ad,dc=example,dc=com',
    'group_limited_dn'  => 'cn=Unomaly Limited Users,cn=users,dc=ad,dc=example,dc=com',
    'group_member_attr' => 'member',
    'group_member_type' => 'dn'                     // AD 'member' holds full DNs
),

OpenLDAP

<?php
// Entry for the '@ldap.example.com' realm; it belongs inside the configuration
// array defined in /DATA/unomaly_ldap.php (the surrounding array is not shown).
'@ldap.example.com' => array(
    'servers'           => 'ldap.example.com',
    'server_port'       => '',                      // empty: protocol default
    'server_security'   => 'tls',
    'server_version'    => 3,
    'server_referrals'  => 0,
    'username_mask'     => 'uid=<USERNAME>,ou=users,dc=example,dc=com',   // OpenLDAP: full user DN
    'user_email'        => 'mail',
    'user_upn_attr'     => 'userPrincipalName',
    'require_group'     => true,                    // login only for members of the groups below
    'default_group'     => 2,                       // used only when require_group is false
    'bind_mode'         => 'direct',
    'search_base'       => 'ou=users,dc=example,dc=com',
    'search_filter'     => '(&(objectClass=inetOrgPerson)(uid=<USERNAME>))',
    'search_user_dn'    => 'cn=admin,dc=example,dc=com',   // only used when bind_mode is 'auth'
    'search_user_pwd'   => '---',                   // placeholder: set the real password
    'group_admin_dn'    => 'cn=UnomalyAdmins,ou=Groups,dc=example,dc=com',
    'group_user_dn'     => 'cn=UnomalyUsers,ou=Groups,dc=example,dc=com',
    'group_limited_dn'  => 'cn=UnomalyLimitedUsers,ou=Groups,dc=example,dc=com',
    'group_member_attr' => 'memberuid',
    'group_member_type' => 'cn'                     // memberUid holds names, not DNs
),
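The following Python script is an added example, not Unomaly's code and not part of unomaly_ldap.php. It walks a single login through the options described in the configuration table and the Active Directory entry above: applying username_mask, substituting <USERNAME> into search_filter, locating the user under search_base, and mapping group membership to a Unomaly role according to group_member_attr and group_member_type. It runs against a small in-memory directory constructed for the example (the users alice, alison and bob and their groups are made up). How Unomaly itself substitutes <USERNAME> is not documented on the page; the RFC 4515 filter escaping and RFC 4514 DN escaping, the conservative character check for UPN logins, and the rule that a search matching more than one entry is refused are assumptions made here about what a safe implementation should do.

```python
"""Added example, not Unomaly code: walks one login through an unomaly_ldap.php
entry against a constructed in-memory directory, so it runs offline.  The escaping
of <USERNAME>, the user names and the 'refuse ambiguous search' rule are
assumptions made for this example, not documented Unomaly behaviour."""
import re

# Mirrors the Active Directory example entry (bind credentials omitted: unused here).
AD_CONFIG = {
    "username_mask": "<USERNAME>@ad.example.com",
    "require_group": True,
    "default_group": 2,
    "bind_mode": "direct",
    "search_base": "cn=users,dc=ad,dc=example,dc=com",
    "search_filter": "(&(objectclass=user)(objectcategory=user)(userPrincipalName=<USERNAME>*))",
    "group_admin_dn": "cn=Unomaly Admins,cn=Users,dc=ad,dc=example,dc=com",
    "group_user_dn": "cn=Unomaly Users,cn=users,dc=ad,dc=example,dc=com",
    "group_limited_dn": "cn=Unomaly Limited Users,cn=users,dc=ad,dc=example,dc=com",
    "group_member_attr": "member",
    "group_member_type": "dn",
}

# Constructed directory: lower-cased DN -> attributes (lower-cased names, list values).
ALICE = "cn=alice,cn=users,dc=ad,dc=example,dc=com"
ALISON = "cn=alison,cn=users,dc=ad,dc=example,dc=com"
BOB = "cn=bob,cn=users,dc=ad,dc=example,dc=com"
def _user(upn):
    return {"objectclass": ["user"], "objectcategory": ["user"], "userprincipalname": [upn]}
DIRECTORY = {
    ALICE: _user("alice@ad.example.com"),
    ALISON: _user("alison@ad.example.com"),
    BOB: _user("bob@ad.example.com"),            # member of no Unomaly group
    "cn=unomaly admins,cn=users,dc=ad,dc=example,dc=com": {"member": [ALICE]},
    "cn=unomaly users,cn=users,dc=ad,dc=example,dc=com": {"member": [ALISON]},
}
GROUP_LABELS = {1: "administrator", 2: "user"}  # numbering as listed for default_group

def escape_filter_value(value):
    """RFC 4515: escape the characters that would change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def escape_dn_value(value):
    """RFC 4514: escape characters that would start a new RDN or attribute."""
    return "".join("\\" + c if c in '\\,+"<>;=' else c for c in value)

def bind_identity(config, username):
    """Apply username_mask: a mask containing '=' is a DN (OpenLDAP style), otherwise
    a UPN, for which only a conservative character set is accepted (assumption)."""
    mask = config["username_mask"]
    if "=" in mask:
        return mask.replace("<USERNAME>", escape_dn_value(username))
    if not re.fullmatch(r"[A-Za-z0-9._-]+", username):
        raise ValueError("username contains characters not accepted in a UPN login")
    return mask.replace("<USERNAME>", username)

def _parse(s, i=0):
    """Parser for the filter subset the examples use: (&...) and (attr=value)."""
    if s[i + 1] == "&":
        kids, i = [], i + 2
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return ("and", kids), i + 1                 # step over the closing ')'
    j = s.index(")", i)                             # safe: ')' in values is escaped as \29
    attr, _, value = s[i + 1:j].partition("=")
    return ("eq", attr.lower(), value), j + 1

def _unescape(v):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)

def _matches(node, attrs):
    if node[0] == "and":
        return all(_matches(k, attrs) for k in node[1])
    _, attr, value = node
    have = [v.lower() for v in attrs.get(attr, [])]
    if value.endswith("*"):                         # trailing wildcard: prefix match
        prefix = _unescape(value[:-1]).lower()
        return any(v.startswith(prefix) for v in have)
    return _unescape(value).lower() in have

def search_users(config, username, directory):
    """Substitute the escaped username into search_filter and evaluate it under search_base."""
    flt = config["search_filter"].replace("<USERNAME>", escape_filter_value(username))
    tree, _ = _parse(flt)
    base = config["search_base"].lower()
    return sorted(dn for dn, attrs in directory.items()
                  if dn.endswith(base) and _matches(tree, attrs))

def resolve_user_dn(config, username, directory):
    """Locate the single entry for a login; an ambiguous search is an error."""
    if config["bind_mode"] == "direct" and "=" in config["username_mask"]:
        dn = bind_identity(config, username).lower()   # OpenLDAP: the mask is the DN
        return dn if dn in directory else None
    bind_identity(config, username)                    # AD: validate the UPN the bind uses
    hits = search_users(config, username, directory)   # also the 'anon' / 'auth' path
    if len(hits) > 1:
        raise LookupError("filter matched %d entries; refusing ambiguous login" % len(hits))
    return hits[0] if hits else None

def _is_member(config, group_dn, user_dn, username, directory):
    members = [m.lower() for m in directory.get(group_dn.lower(), {}).get(config["group_member_attr"], [])]
    wanted = user_dn if config["group_member_type"] == "dn" else username
    return wanted.lower() in members

def unomaly_group(config, username, directory):
    """Role a login would receive, or None when it should be denied."""
    user_dn = resolve_user_dn(config, username, directory)
    if user_dn is None:
        return None
    if not config["require_group"]:
        return GROUP_LABELS[config["default_group"]]
    for key, label in (("group_admin_dn", "administrator"),
                       ("group_user_dn", "user"), ("group_limited_dn", "limited")):
        if _is_member(config, config[key], user_dn, username, directory):
            return label
    return None

if __name__ == "__main__":
    for name in ("alice", "alison", "bob"):
        print(name, "->", unomaly_group(AD_CONFIG, name, DIRECTORY))
```

Running the script shows alice mapped to administrator, alison to user, and bob denied because require_group is true and bob is in none of the three groups; setting require_group to false gives bob the default_group role instead. Two points worth checking in a real deployment follow from the example: the trailing wildcard in the AD search_filter (userPrincipalName=<USERNAME>*) means a short login name can match more than one account, so the example refuses any search that returns several entries rather than picking the first; and substituting <USERNAME> into a filter or DN without escaping lets characters such as * ( ) or , change the query's meaning, which is why the example escapes the value before substitution. Swapping in the OpenLDAP entry's DN-style username_mask exercises the direct-bind path, where the mask itself is the user's DN and group_member_type 'cn' compares the login name against memberUid values.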