External User Authentication
From ProcessMaker
ProcessMaker allows single sign-on to different authentication sources. In this sense administrators can designate which authentication source to use for each individual user account, meaning that one user may be verified by ProcessMaker, another by LDAP, another by Active Directory, etc.
ProcessMaker, from version 1.2-2261 on, is integrated with LDAP and Active Directory. For more information on LDAP, visit: http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol
How to configure the authentication sources
In the Users menu, the option "Authentication Sources" lists all of the possible authentication sources.
To add a new authentication source please click on "New", then define the Authentication Source Type. By default ProcessMaker only includes LDAP (which is valid for Active Directory as well). To add another authentication source type please see below. After that, you should define the parameters for the authentication source.
Some of the fields for LDAP are self-explanatory. We will only clarify the meaning of the most important ones.
- Type: Defines if the source is LDAP or Active Directory
- Enabled TLS: Defines whether the Transport Layer Security (TLS) protocol is enabled for the connection to the directory server.
- Version: Defines the LDAP Protocol Version.
- Base DN: Corresponds to the Distinguished Name from the Base object.
- Anonymous: Defines whether searches use an anonymous bind. If set to "NO", a search user (a bind account with its password) must be supplied.
- Identifier for an imported user: the attribute that identifies the user in the directory. Use:
  - Active Directory: samaccountuser
  - Open LDAP: uid
- Object Classes: Here you can define the object classes in which ProcessMaker will look for users. The default object class is:
  - Active Directory: user
  - Open LDAP: inetOrgPerson
  In this parameter you can also use *, but in that case ProcessMaker will search all object classes, which can take a while.
- Attributes: Defines the attributes used for search operations.
How to Assign an Authentication Source to a user
You must associate an authentication source with a particular ProcessMaker user to validate their login to the system. In the users list, there is a column with a link called "Authentication". When you click on this link, it takes you to a short form with a dropdown menu that includes all of the registered Authentication Sources.
The default option is "ProcessMaker", which is the way that users are currently verified by ProcessMaker itself. When you change to another type of Authentication Source, a "DN" text field will appear, in which you should enter the LDAP "Distinguished Name" for the user. The DN is a chain of information needed to validate a user, such as the user name, domain, etc. This chain should be written as if walking up the Directory Information Tree (DIT), starting from the specific user and going to the general domain name. For instance, if John Doe has a user ID of "johndoe" and is found in the group of "staff" at the domain of "example.com", then his DN chain would be "uid=johndoe,ou=staff,dc=example,dc=com". See this LDAP guide for more information about constructing DN chains.
Users can also be found by entering a search string into the DN text field and clicking "Save". All users which match the search string will be displayed. The search is case insensitive and the wildcard * can be used to match any number of characters. For instance a search for "jo*" would find users "jo", "John Doe" and "jOannE". If the DN text box is left blank, then a list will be displayed of all the users found in an LDAP source.
How to add a Customized Authentication Source
In order to add a customized authentication source type, such as OpenID, it is necessary to include:
- A PHP class with the method that performs the authentication validation, placed in the following directory:
/opt/processmaker/rbac/engine/classes/plugins
- An XML form in which the information needed by the authentication method is defined, placed in the following directory:
/opt/processmaker/workflow/engine/xmlform/authSources
For more details about the PHP class and the XML form, please review the related files for LDAP: class.ldap.php and ldapEdit.xml.
