The RackForms editor can log in and authenticate users against Active Directory via LDAP. This can be set up when we first install RackForms, or applied to an existing installation. To use this feature we must be running RackForms 6 or higher.
Please note that AD and standard RackForms logins cannot be mixed, with two exceptions:
1. The master account we create during the install process can always access RackForms without needing AD login credentials.
2. Any admin account we create using the User Management system.
All other accounts created after the install process will use AD authentication automatically at the RackForms login screen. That is to say, at the RackForms login prompt, any non-admin user must supply valid AD credentials.
In general, to use this feature, we must:
1. Have the PHP LDAP extension installed on our server.
2. Select the Use AD Login checkbox on the installer screen.
3. Properly configure our app/config.php file with valid AD/LDAP info.
Please see below for details on each step.
1. LDAP Extension
Before we can use Active Directory login, we must have the PHP LDAP extension installed on our server. This extension is generally used on Windows hosts, and for users of Microsoft's Web Platform Installer, is installed by default.
2. Select Use AD Login During Installation
This step is not required, as the same result can be achieved in step 3; however, if we know ahead of time that our installation will always use Active Directory login, checking this box enables Active Directory login from the very first login.
Please note that checking this box does not create the master admin login as an AD user. The master account (the one we create during the install process) is never authenticated via AD, and thus can log in at any point without needing valid AD credentials. However, any non-admin user who logs into the system after the installation process will use AD.
Finally, it's key to note the User Management system, when using AD logins, is not used for any non-admin users. Any non-admin users we create in this manner will always use AD login.
3. Configure app/config.php
In this step we must give the RackForms config.php file, located at rackforms/app/config.php, the configuration data it needs to contact the AD server and process login requests. This consists of three pieces of data:
1. The LDAP host. This will usually be the domain name of your organization and a port number. See this link for more details on the host value.
2. The domain prefix of your connection, which is used to form a domain name + user name. In the example below, CORP + the user name we type in the login screen would be used.
3. The base distinguished name for the username+password lookup. In Active Directory, user information is stored in a tree-like structure. If we do not point to the right location, an authentication lookup will not know where in the tree to look and will therefore fail. The distinguished name property tells the LDAP call where to look for user account info. In the example below, we use a simple form of the domain name separated into DC components.
The default values our config.php file could contain after this step are shown below. Note the 1 next to 'AUTH_AD', which means the RackForms instance will use Active Directory logins. Sample values are shown in the comment next to each setting.
define('AUTH_AD', '1'); // 1 To Use AD Authentication.
define('AUTH_LDAP_HOST', ''); // Host Name: e.g. LDAP://corp.sample.com:389
define('AUTH_LDAP_PREFIX', ''); // Prefix: e.g. CORP\\
define('AUTH_LDAP_DN', ''); // Distinguished Name: e.g. DC=corp,DC=sample,DC=com
To make changes, we'll edit the value in-between the empty single quote marks for that setting.
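As an added illustration (not RackForms' own code), the PHP function below shows how these three settings drive an AD login: the prefix is joined to the typed user name for the bind, and the base DN scopes the account lookup. The sample define values and the ad_authenticate name are assumptions for the example.

```php
<?php
// Added example, not RackForms code. Sample values are constructed;
// replace them with the settings from your own app/config.php.
define('AUTH_AD', '1');
define('AUTH_LDAP_HOST', 'LDAP://corp.sample.com:389');
define('AUTH_LDAP_PREFIX', 'CORP\\');
define('AUTH_LDAP_DN', 'DC=corp,DC=sample,DC=com');

// Returns the account's sAMAccountName on success, or null on failure.
function ad_authenticate(string $username, string $password): ?string
{
    if (AUTH_AD !== '1' || trim($username) === '') {
        return null;
    }
    // Never bind with an empty password: many directory servers treat
    // that as an anonymous bind, which "succeeds" without checking anything.
    if (trim($password) === '') {
        return null;
    }
    $conn = @ldap_connect(AUTH_LDAP_HOST);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    // A plain ldap:// bind sends the password in clear text; use ldaps://
    // or upgrade the connection with StartTLS and fail closed if that fails.
    if (stripos(AUTH_LDAP_HOST, 'ldaps://') !== 0 && !@ldap_start_tls($conn)) {
        ldap_unbind($conn);
        return null;
    }
    // Bind as DOMAIN\user, e.g. CORP\jsmith; AD verifies the password here.
    if (!@ldap_bind($conn, AUTH_LDAP_PREFIX . $username, $password)) {
        ldap_unbind($conn);
        return null;
    }
    // Look the account up beneath the base DN. The filter value is escaped
    // so a crafted user name cannot change the meaning of the search filter.
    $filter = '(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $result = @ldap_search($conn, AUTH_LDAP_DN, $filter, ['samaccountname']);
    $entries = $result ? ldap_get_entries($conn, $result) : ['count' => 0];
    ldap_unbind($conn);
    if ($entries['count'] !== 1) {
        return null;
    }
    return $entries[0]['samaccountname'][0];
}
```

If the lookup returns zero entries even though the bind succeeded, the base DN in AUTH_LDAP_DN is usually pointing at the wrong part of the tree.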
If we have an existing installation of RackForms, we can simply update the app/config.php file to enforce LDAP logins for all non-admin users. To do so, follow the items outlined in step 3. Once saved, these settings ensure that every non-admin user who attempts a login must have valid AD credentials as defined in the config file.
For the RackForms administrator, one additional step may be required. If a non-admin user who now logs in via LDAP had existing jobs, the admin will need to update those items via Job Ownership to match the new AD user. This is because when a user logs in with LDAP, a new user record is created in the fb_admin database table, and this user id will differ from the previous value. As job ownership is tied to this id value, the update is required.