Simple Groupware Administration: LDAP, AD, NTLM
LDAP / Active Directory
Normally Simple Groupware authenticates all users against a database table containing username/password pairs. This table is named "simple_sys_users".
But Simple Groupware can also use LDAP or Active Directory (AD) services for user authentication.
To enable LDAP, open the Simple Groupware page in your web browser and log in as super administrator (username "admin" by default). Navigate to "/Workspace/System" and choose "Change setup settings". Choose "LDAP" as authentication mode and specify the hostname or IP address of your LDAP or AD server: encrypted connections use "ldaps://server/" and go to port 636, unencrypted connections use plain "server" and go to port 389 by default. Prefer "ldaps://" wherever possible, because with a plain connection every user's password crosses the network in clear text during the LDAP bind.
When using Active Directory, you also need to specify the Windows domain. It is appended to the username for authentication (for example, with the domain set to "mydomain.local", the username "administrator" becomes "administrator@mydomain.local"). Leave this field empty for plain LDAP.
In order to handle authentication, an entry point into the LDAP directory tree is required. This entry point is called the base DN, and Simple Groupware tries to detect it automatically from the server's namingContexts attribute (tested successfully with OpenLDAP and Active Directory). If this detection does not work for you, or you want to limit logins to a different subtree, enter that value in the "base DN" field.
With LDAP you can either use an anonymous connection to resolve the DN of a user or provide credentials that allow searching the LDAP tree (user DN and password). Many directories, Active Directory by default among them, refuse anonymous searches, so a dedicated search account is usually needed; it requires nothing beyond read access to the user and group entries, so give it no other rights. The username is looked up by default in the "uid" attribute (this can be changed in setup settings). For Active Directory, this attribute is automatically set to "sAMAccountName".
Every user still needs an account within Simple Groupware. You can create these accounts manually or check the option "Enable automatic user creation" to let Simple Groupware create (or update) all accounts automatically. After making changes to setup settings, click "Save" and you're done. Automatic creation uses these LDAP/AD attributes to create or update accounts in Simple Groupware:
| LDAP / AD | Simple Groupware |
| sAMAccountName / <user-defined> | username |
| sn | lastname |
| givenname | firstname |
| telephonenumber | phone |
| mobile | mobile |
| pager | pager |
| fax / facsimiletelephonenumber | fax |
| ipphone | skype |
| street / streetaddress | street |
| postalcode | zipcode |
| l | city |
| st | state |
| c | country |
| department | department |
| description | jobdesc |
| wwwhomepage | homepage |
| <user-defined> | location |
Automatic user creation does not include group memberships. You can create the groups manually or (beginning with Simple Groupware 0.310) check the option "Use LDAP Groups" together with "Enable automatic user creation" to let Simple Groupware create (or update) all users and groups automatically. After making changes to setup settings, click "Save" and you're done. When a user logs into Simple Groupware, the user account and its groups are created (or updated) in Simple Groupware. The attribute used to identify group memberships is "memberOf" by default, but this can be changed in setup settings.
Note: Nested groups (groups that are members of other groups) are not replicated from LDAP/AD to Simple Groupware; only a user's direct memberships are.
Note: The super administrator is not authenticated over LDAP/AD. It still uses the username and password defined during Setup. The super administrator username/password can also be changed using "Change setup settings".
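The whole sequence described in this section, from base DN detection through the user search and bind to the attribute table and memberOf handling, as an added example that is not Simple Groupware's own code. It runs against a constructed in-memory directory (FakeDirectory), so nothing here reaches a real server; the names SGW_FIELDS, lookup_user, bind_name, group_name_from_dn and the sample entries under mydomain.local are assumptions for illustration. Two checks the example adds beyond what the page states: the login name is RFC 4515-escaped before it is placed in the search filter, and an empty password is rejected before the bind, because a real directory treats an empty-password bind as an anonymous bind that succeeds.

```python
"""Added example, not Simple Groupware's own code: the login sequence the setup
page describes (base DN from namingContexts, search the login name in uid or
sAMAccountName, bind as the user, read the mapped attributes and memberOf), run
against a constructed in-memory directory. All names here are assumptions."""
import re

# Mapping from the table above: Simple Groupware field -> LDAP/AD attributes tried
# in order (first present wins). "username" comes from the login attribute.
SGW_FIELDS = {
    "lastname": ("sn",), "firstname": ("givenname",), "phone": ("telephonenumber",),
    "mobile": ("mobile",), "pager": ("pager",), "fax": ("fax", "facsimiletelephonenumber"),
    "skype": ("ipphone",), "street": ("street", "streetaddress"), "zipcode": ("postalcode",),
    "city": ("l",), "state": ("st",), "country": ("c",), "department": ("department",),
    "jobdesc": ("description",), "homepage": ("wwwhomepage",),
}

def escape_filter_value(value):
    """RFC 4515 escaping so a typed name like '*)(uid=admin' stays a literal."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_user_filter(username, login_attr="uid"):
    """uid for plain LDAP, sAMAccountName for Active Directory."""
    return "(%s=%s)" % (login_attr, escape_filter_value(username))

def bind_name(username, domain=""):
    """AD appends the Windows domain as a UPN; for plain LDAP leave it empty."""
    return "%s@%s" % (username, domain) if domain else username

def group_name_from_dn(dn):
    """Value of the first RDN of a memberOf DN, honouring RFC 4514 backslash
    escapes: 'CN=Sales\\, EMEA,OU=Groups,...' -> 'Sales, EMEA'."""
    out, i = [], 0
    while i < len(dn) and dn[i] != ",":
        if dn[i] == "\\" and i + 1 < len(dn):
            i += 1                              # keep the escaped character
        out.append(dn[i])
        i += 1
    rdn = "".join(out)
    return rdn.split("=", 1)[1] if "=" in rdn else rdn

class FakeDirectory:
    """Constructed stand-in for an LDAP/AD server. Understands one '(attr=value)'
    filter without wildcards; anything else (an injected filter) matches nothing."""
    _SIMPLE = re.compile(r"^\(([A-Za-z][\w-]*)=([^()]*)\)$")
    def __init__(self, naming_contexts, entries, passwords):
        self.naming_contexts = naming_contexts  # rootDSE namingContexts
        self.entries = entries                  # dn -> {attribute: [values]}
        self.passwords = passwords              # bind name (DN or UPN) -> password

    def base_dn(self):
        return self.naming_contexts[0]          # what automatic detection reads

    def search(self, base, ldap_filter):
        m = self._SIMPLE.match(ldap_filter)
        if not m:
            return []
        attr = m.group(1).lower()
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), m.group(2))
        return [dn for dn, e in self.entries.items() if dn.lower().endswith(base.lower())
                and value in [v for k, vs in e.items() if k.lower() == attr for v in vs]]

    def bind(self, name, password):
        # Empty passwords are refused: on a real server an empty password is an
        # anonymous bind that "succeeds", a classic LDAP login bypass.
        return bool(password) and self.passwords.get(name) == password

def lookup_user(directory, username, password, login_attr="uid", domain="",
                search_dn=None, search_pw=None):
    """Return (account dict for simple_sys_users, [group names]) or None.
    The user search is anonymous unless service credentials are supplied."""
    if search_dn and not directory.bind(search_dn, search_pw):
        return None
    hits = directory.search(directory.base_dn(), build_user_filter(username, login_attr))
    if len(hits) != 1:
        return None
    # AD authenticates the UPN, plain LDAP the DN the search returned.
    if not directory.bind(bind_name(username, domain) if domain else hits[0], password):
        return None
    attrs = {k.lower(): v for k, v in directory.entries[hits[0]].items()}
    account = {"username": attrs[login_attr.lower()][0]}
    for field, candidates in SGW_FIELDS.items():
        for a in candidates:
            if attrs.get(a):
                account[field] = attrs[a][0]
                break
    # "Use LDAP Groups": direct memberOf values only; nested groups are not expanded.
    return account, [group_name_from_dn(g) for g in attrs.get("memberof", [])]

# Constructed sample directory (no real hosts or accounts).
AD = FakeDirectory(
    naming_contexts=["DC=mydomain,DC=local"],
    entries={
        "CN=Jane Doe,OU=Staff,DC=mydomain,DC=local": {
            "sAMAccountName": ["jdoe"], "sn": ["Doe"], "givenName": ["Jane"],
            "telephoneNumber": ["+1 555 0100"], "facsimileTelephoneNumber": ["+1 555 0199"],
            "l": ["Boston"], "department": ["Finance"],
            "memberOf": ["CN=Finance,OU=Groups,DC=mydomain,DC=local",
                         "CN=Sales\\, EMEA,OU=Groups,DC=mydomain,DC=local"]},
        "CN=Administrator,CN=Users,DC=mydomain,DC=local": {"sAMAccountName": ["administrator"]},
    },
    passwords={"jdoe@mydomain.local": "correct horse", "administrator@mydomain.local": "s3cret"},
)
```

Against a real directory the FakeDirectory calls correspond to connect, bind and search operations of an LDAP client library (PHP's ldap_* functions in Simple Groupware's case); the filter escaping, the UPN construction and the memberOf handling stay the same. Note that the injected login name "*)(sAMAccountName=administrator" resolves to nobody because it is searched as a literal, and that "fax" is filled from facsimileTelephoneNumber when the "fax" attribute is absent, as the table above prescribes.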
NTLM / HTTP Single sign-on
Normally Simple Groupware authenticates all users against a database table containing username/password pairs. This table is named "simple_sys_users".
But Simple Groupware can also authenticate against a Windows / Samba / NetApp server using NTLM. That means Active Directory can be used, but is not necessary.
To enable NTLM, open the Simple Groupware page in your web browser and log in as super administrator (username "admin" by default). Navigate to "/Workspace/System" and choose "Change setup settings". Choose "NTLM" as authentication mode and specify the IP address of your CIFS server. By default, the connection is made to port 445.
If you want to allow only specific users or groups to access Simple Groupware, add a share on which only these accounts have the right to "list folder contents"; the share then acts as the access list. The share syntax is "smb://<server-ip>/<share-name>". Please also make sure that the PHP/Java Bridge is installed on your system.
If you want the browser to use "Integrated Windows Authentication" (IWA / NTLM), activate the "Single sign-on" checkbox. That way the browser sends the Windows credentials of the logged-in user to the server automatically and performs a "silent" login without the user entering username and password manually. Single sign-on is optional: if it is disabled, the regular login screen asks for the credentials.
IWA / NTLM Single sign-on needs to be enabled in the browser:
IE: Security Settings -> User Authentication -> Logon -> Automatic Logon
Firefox: about:config -> network.automatic-ntlm-auth.trusted-uris (add the Simple Groupware hostname; list only servers you trust, since every listed host receives the user's NTLM credentials automatically)
Every user still needs an account within Simple Groupware. You can create these accounts manually or check the option "Enable automatic user creation" to let Simple Groupware create all accounts automatically.
After making changes to Setup settings, click "Save" and you're done.
Note: If the browser does not support NTLM single sign-on or does not send the credentials automatically, the regular login screen comes up and asks the user for them.
Note: Simple Groupware uses the jCIFS library, which is not yet fully compatible with Windows Server 2003 SP2 / 2008. If single sign-on is activated you therefore need to disable "SMB signing" on that server (and reboot it afterwards). Keep in mind that signing protects SMB sessions against tampering and NTLM relay attacks, so disable it only on the server Simple Groupware authenticates against, never domain-wide:
Local Security Settings / Local Policies / Security Options / Microsoft network server: "Digitally sign communications (always)" -> disabled
Local Security Settings / Local Policies / Security Options / Microsoft network server: "Digitally sign communications (if client agrees)" -> disabled
In case the settings cannot be changed, you may try to modify them directly in the Windows registry (run regedit.exe):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
enablesecuritysignature -> 0
requiresecuritysignature -> 0
Note: The super administrator is not authenticated over NTLM. It still uses the username and password defined during Setup. The super administrator username/password can also be changed using "Change setup settings".