Citadel has the ability to authenticate users against an external LDAP server. Two schemas are supported: the standard RFC 2307 POSIX compliant schema, and the completely non-standard Microsoft Active Directory schema. This knowledge base article covers the latter, which should work with any Active Directory server from Windows 2000 onward. We will be demonstrating it using Windows Server 2003.
This is not intended to be an exhaustive tutorial on Active Directory; it is included to point out what information you will need to connect Citadel to your directory. As always, a new directory domain is created by running the DCPROMO tool on your Windows server.
After the directory is installed, go to the “Active Directory Users and Computers” administration screen.
In the above screenshots you have created a domain called example.com. This means that your Base DN will be dc=example,dc=com.
Although not strictly necessary, it is a good idea to create an account that Citadel will use for the purpose of performing directory queries. Again, from the “Active Directory Users and Computers” screen, perform the operation to create a new user:
You have created a user called “queries”. This means that your Bind DN will be cn=queries,cn=Users,dc=example,dc=com.
But don't take our word for it – ask the DSQUERY tool, which will tell you the exact DN for your query user:
You will probably want to put this user in the “Domain Guests” group, since it will only be used to perform LDAP queries.
Now it is time to install Citadel and configure it to authenticate against your directory. If you are using Easy Install, please ensure that the OpenLDAP development libraries are installed (for example, “yum install openldap-devel” on RedHat/CentOS/Fedora) before you run the Easy Install script.
When you run the Citadel setup program, you must answer these prompts accurately:
*** Citadel setup program ***

<System Administrator>
Enter the name of the system administrator (which is probably you).
When an account is created with this name, it will automatically be given administrator-level access.
This is currently set to:
Enter new value or press return to leave unchanged: Administrator
Configuring the System Administrator (aide) for Citadel with the setup program has some caveats! The name of the user depends on what your directory server contains:
- If the Full Name of the user is set to Edward Xavier Ample, use that Full Name as the System Administrator name.
- If First Name is Edward and Last Name is Ample, use both, as in “Edward Ample”.
- If and only if you did not set the above fields for any reason, then and only then use User Logon Name, such as example for the System Administrator name!
Again, if you only use the “User Logon Name” or “Login” while you have a complete name entered in other fields, your account will be able to log in, but you will not be an aide and you will not see the Administration menu.
<Administrator Password>
Enter a password for the system administrator.
When setup completes it will attempt to create the administrator user and set the password specified here.
This is currently set to:
Enter new value or press return to leave unchanged: pass!word
This isn't strictly required, but it does make sense for your AD administrator and your Citadel administrator to be one and the same.
<Citadel User ID>
Citadel needs to run under its own user ID. This would typically be called "citadel", but if you are running Citadel as a public BBS, you might also call it "bbs" or "guest".
The server will run under this user ID. Please specify that user ID here. You may specify either a user name or a numeric UID.
This is currently set to: citadel
Enter new value or press return to leave unchanged:
Don't try to do anything fancy here. Citadel still runs as its own user ID on the host system.
<Server IP address>
Specify the IP address on which your server will run. If you leave this blank, or if you specify 0.0.0.0, Citadel will listen on all addresses.
You can usually skip this unless you are running multiple instances of Citadel on the same computer.
This is currently set to:
Enter new value or press return to leave unchanged:

<Server port number>
Specify the TCP port number on which your server will run. Normally, this will be port 504, which is the official port assigned by the IANA for Citadel servers.
You will only need to specify a different port number if you run multiple instances of Citadel on the same computer and there is something else already using port 504.
This is currently set to: 504
Enter new value or press return to leave unchanged:
Again, nothing special here.
<Authentication mode>
Specify which authentication mode you wish to use.
0. Self contained authentication
1. Host system integrated authentication
2. External LDAP - RFC 2307 compliant directory
3. External LDAP - nonstandard MS Active Directory
For help: http://www.citadel.org/doku.php/faq:installation:authmodes
ANSWER "0" UNLESS YOU COMPLETELY UNDERSTAND THIS OPTION.
This is currently set to: 0
Enter new value or press return to leave unchanged: 3
Select option 3 for Active Directory. Do not attempt to use the standard RFC 2307 LDAP mode unless you know for sure that your schema is POSIX compliant. You're on your own if you want to try this.
<LDAP host>
Please enter the host name or IP address of your LDAP server.
This is currently set to:
Enter new value or press return to leave unchanged: 10.250.250.142

<LDAP port number>
Please enter the port number of the LDAP service (usually 389).
This is currently set to: 0
Enter new value or press return to leave unchanged: 389
Enter the IP address or host name of your domain controller. The port number will almost always be 389.
<LDAP base DN>
Please enter the Base DN to search for authentication (for example: dc=example,dc=com)
This is currently set to:
Enter new value or press return to leave unchanged: dc=example,dc=com

<LDAP bind DN>
Please enter the DN of an account to use for binding to the LDAP server for performing queries. The account does not require any other privileges.
If your LDAP server allows anonymous queries, you can leave this blank.
This is currently set to:
Enter new value or press return to leave unchanged: cn=queries,cn=Users,dc=example,dc=com

<LDAP bind password>
If you entered a Bind DN in the previous question, you must now enter the password associated with that account. Otherwise, you can leave this blank.
This is currently set to:
Enter new value or press return to leave unchanged: 00!!xxx1
Enter the Base DN and Bind DN that you determined earlier. The Bind Password is the password for the query user you set up.
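The following is an added example, not part of Citadel or this article: it derives the Base DN, Bind DN and System Administrator name from the directory values the article walks through (domain example.com, query user “queries”, the aide naming rules above), and builds the OpenLDAP ldapsearch command you can run from the Citadel host to confirm the query account binds and can read user objects before you answer the setup prompts. The function names, the Users container default and the handling of a user with only one of First/Last Name set are assumptions of this example.

```python
# Added example (not Citadel project code): compute the setup answers from
# AD values and build a verification command for the Citadel host.
from typing import List

_RDN_SPECIAL = ',+"\\<>;'   # RFC 4514 characters that need escaping in a DN


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514 sec. 2.4)."""
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, len(value) - 1)
        out.append("\\" + ch if ch in _RDN_SPECIAL or leading_hash or edge_space else ch)
    return "".join(out)


def base_dn_for_domain(domain: str) -> str:
    """example.com -> dc=example,dc=com (one dc= component per DNS label)."""
    labels = [l for l in domain.strip(".").split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=" + escape_rdn_value(l) for l in labels)


def bind_dn_for_user(full_name: str, domain: str, container: str = "cn=Users") -> str:
    """DN of a user created in the default Users container (assumed container).
    AD names the object by its Full Name (CN), not its logon name; when the two
    differ this is the value DSQUERY reports, so compare against that."""
    return f"cn={escape_rdn_value(full_name)},{container},{base_dn_for_domain(domain)}"


def aide_name(display_name="", given_name="", surname="", logon_name="") -> str:
    """System Administrator name per the article: Full Name, else First+Last,
    else (only if neither is set) the User Logon Name."""
    if display_name:
        return display_name
    parts = [p for p in (given_name, surname) if p]
    if parts:            # one-of-two set is an assumption; the article covers both set
        return " ".join(parts)
    if not logon_name:
        raise ValueError("no name attributes set on the account")
    return logon_name


def ldapsearch_check(host: str, port: int, base_dn: str, bind_dn: str, logon: str) -> List[str]:
    """argv proving the bind DN/password work and can read user objects.
    -W prompts for the password so it stays out of shell history; plain 389
    as in the article sends a simple bind in the clear (-ZZ would need StartTLS)."""
    return ["ldapsearch", "-x", "-H", f"ldap://{host}:{port}", "-D", bind_dn, "-W",
            "-b", base_dn, f"(sAMAccountName={logon})", "distinguishedName"]
```

A result of `result: 0 Success` with the expected distinguishedName confirms the three LDAP answers; `Invalid credentials (49)` means the Bind DN or password is wrong.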
The rest of the setup program proceeds as usual.