LDAP Documentation

Keestash integrates LDAP authentication into it’s eco-system, enabling the integration of LDAP based login.

As an enterprise ready using industrial standards, Keestash is aware of the strategic importance of integrating legacy systems and proven and established systems.

LDAP is an enterprise feature and not available publicly yet. LDAP is enabled by the LDAP app and for now, for enterprise subscriptions only.

Install LDAP app

The LDAP app is for enterprise subscriptions only. To enable the LDAP app, the delivered app folder must be placed under <documentRoot>/apps. Keestash recognizes the app automatically.

After placing the app to the apps folder, Keestash needs to run migrations in order to create the necessary database tables. Find more about database migrations here.

Check LDAP app installation

There are multiple ways to check whether the LDAP app is installed. The easiest way is to use the Keestash CLI tool (more about Keestash CLI here). The following command lists all installed apps, where the LDAP app has to be part of:

sudo -u www-data php bin/console.php apps:list

note: the code above assumes that www-data is the current webserver user.
App List command

If ldap is listed in the result, the LDAP app is installed.

Configure LDAP

There are three main CLI commands to configure LDAP, one for connecting, one for disconnecting Keestash to an existing LDAP server and the last one to configure LDAP options:

sudo -u www-data php bin/console.php ldap:server:create

The create command asks for several details:

HostThe host name or IP address of the LDAP server. 
PortThe port on which to connect to the LDAP server. 
DNThe name as DN of a user who has permissions to do searches in the LDAP directory.
Directory Base DNThe base DN of LDAP, from where all users and groups can be reached.
PasswordThe users password

After submitting the information, Keestash first checks whether an existing Keestash configuration exists. If this is the case, it is not possible to connect to a second LDAP server. If you want to connect Keestash to another LDAP server, you need to remove the existing one first.

Although connecting to multiple LDAP servers is technically possible, however, we decided to implement this feature on demand.

The LDAP configuration is configured and Keestash triggers the sync process to import user (technically: an event is triggered that – among others – has an sync users listener).

The sync users process connects against the LDAP server and lists all users. The user has to have at least the following attributes:

uidan unique identifier, used for the username
mailthe user’s email address, used for the email address
telephoneNumberthe user’s phone number, used for the phone number

If the attributes above does not exist, Keestash assumes that the user is not valid and simply skips.

The next step is check the attributes mentioned above. While LDAP provides multiple values per attribute, we simply take the first one.

If the uid and email address already exists, Keestash does not create these users. Instead, the users are written into a temporary table to get handled manually by the administrator.

Since a LDAP server provides less information, Keestash decided to make some default vaules. While this seems to be unusual, they are technically just needed to create the user.

Show LDAP Configuration

Sometimes, admins need to show the current LDAP configuration. By using the command below, the LDAP host can be shown in order to get to know whether a LDAP backend is connected or not:

sudo -u www-data php bin/console.php ldap:server:show

The command shows an error if the instance is not installed at all or there is no LDAP configured. If LDAP is configured, the command displays the LDAP host.

Remove LDAP connection

sudo -u www-data php bin/console.php ldap:server:remove

The remove command needs the hostname as an argument. Keestash deletes the LDAP connection and their respective users if the a configuration for the host is found. Otherwise the command throws an error.

Configure LDAP options

sudo -u www-data php bin/console.php ldap:option

The following options are available:


Final Notes

For security reasons, Keestash does not allow anonymous logins.