Installation and Maintenance
Restrict authentication by group membership
Once LDAP authentication has been tested successfully, you can consider restricting logins to members of a specific LDAP group.
Assuming you configured LDAP as in the examples mentioned before, create a group called IliasUsers in your users container.
Grant membership of that group to all users who are allowed to log in.
Now log in to your ILIAS installation as administrator and open the LDAP configuration page again.
To keep a working login in case of errors in this procedure, make sure you have an active login with an admin role in the ILIAS database; otherwise you may end up in a situation where no login is possible without directly manipulating the ILIAS database!
In the example, use:
Search Base: ou=mygroups
Membership attribute: member (or member:1.2.840.113556.1.4.1941:, see note below)
GroupName: IliasUsers
Group Attribute Name: samaccountname
and the settings from the image above.
If you use an LDAP service other than Active Directory ®, create a group, add some users and export it to an LDIF file. You will find the attribute names in this file by searching for the group name and a member name.
When using an LDAP source, none of the object names you use may contain language-specific characters. If such characters are used, the LDIF exchange changes the character encoding and ILIAS may not recognize the names.
In Active Directory ® environments, group nesting is often used to aggregate group memberships. With standard LDAP attributes, users must be explicitly named as group members for this configuration to work. The membership attribute "member:1.2.840.113556.1.4.1941:" expands the memberships of nested groups. This way you can create several groups in Active Directory ® which contain users as members, create another group that contains all these groups as members, and use that group in ILIAS to control access to the system.
Example:
Staff users are members of a "staff" group
Students are members of a "students" group
The groups "staff" and "students" are members of an "iliasusers" group
Members of "iliasusers" are allowed to log in to ILIAS via LDAP
In addition, members of "iliasusers" can be automatically assigned to the "users" role, while staff members are assigned to a (global or local) ILIAS role with more privileges
This way ILIAS user and role handling can be done almost completely in the external Active Directory ® database
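The following is an added example, not ILIAS code or part of the original page. It parses a small constructed LDIF export of the nested layout described above (the DNs, names and OU=mygroups layout are invented), shows why a plain "member" comparison rejects a user who is only a member through a nested group while the 1.2.840.113556.1.4.1941 matching rule accepts them, and builds the membership filter with RFC 4515 escaping so a login name or DN cannot alter the filter. The filter shape "(&(groupattr=name)(memberattr=dn))" is an assumption about how the login check is expressed, not taken from ILIAS source. The same parser also demonstrates how to locate the attribute names in an LDIF export, as suggested for non-Active-Directory services.

```python
# Added example, not ILIAS code. Resolves direct and nested group membership
# from a small constructed LDIF export and builds the kind of LDAP filter a
# group-restricted login check needs, with filter-value escaping.
from collections import defaultdict

# Constructed LDIF export of the nested layout described above: "staff" and
# "students" are members of "iliasusers". All DNs and names are invented.
SAMPLE_LDIF = """\
dn: CN=iliasusers,OU=mygroups,DC=example,DC=org
objectClass: group
sAMAccountName: iliasusers
member: CN=staff,OU=mygroups,DC=example,DC=org
member: CN=students,OU=mygroups,DC=example,DC=org

dn: CN=staff,OU=mygroups,DC=example,DC=org
objectClass: group
sAMAccountName: staff
member: CN=alice,OU=users,DC=example,DC=org

dn: CN=students,OU=mygroups,DC=example,DC=org
objectClass: group
sAMAccountName: students
member: CN=bob,OU=users,DC=example,DC=org

dn: CN=alice,OU=users,DC=example,DC=org
objectClass: user
sAMAccountName: alice

dn: CN=bob,OU=users,DC=example,DC=org
objectClass: user
sAMAccountName: bob
"""

ILIASUSERS = "CN=iliasusers,OU=mygroups,DC=example,DC=org"
ALICE = "CN=alice,OU=users,DC=example,DC=org"


def parse_ldif(text):
    """Parse a minimal LDIF dump into {dn: {attr_lowercase: [values]}}.
    Handles the plain 'attr: value' lines of a simple export; base64 ('::')
    values and folded lines, which a real export may contain, are not handled."""
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None          # a blank line ends the entry
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = value
            entries[current] = defaultdict(list)
        elif current is not None:
            entries[current][attr].append(value)
    return entries


def direct_members(entries, group_dn):
    """What a plain 'member' comparison sees: only DNs listed on the group itself."""
    return set(entries.get(group_dn, {}).get("member", []))


def transitive_members(entries, group_dn):
    """What the AD matching rule 1.2.840.113556.1.4.1941 evaluates: every DN
    reachable by following 'member' through nested groups. The visited set
    stops group cycles (A member of B, B member of A) from looping forever."""
    seen, stack = set(), [group_dn]
    while stack:
        dn = stack.pop()
        for member in entries.get(dn, {}).get("member", []):
            if member not in seen:
                seen.add(member)
                stack.append(member)
    return seen


def is_member(entries, group_dn, user_dn, nested=False):
    """True if user_dn would satisfy the group restriction."""
    members = transitive_members if nested else direct_members
    return user_dn in members(entries, group_dn)


def escape_filter_value(value):
    """RFC 4515 escaping, so a login name or DN cannot change the filter's meaning."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def membership_filter(group_attr, group_name, member_attr, user_dn):
    """Build the group-membership filter. The shape '(&(groupattr=name)(memberattr=dn))'
    is an assumption about how the login check is expressed; an extensible-match
    attribute such as 'member:1.2.840.113556.1.4.1941:' slots in unchanged."""
    return "(&(%s=%s)(%s=%s))" % (group_attr, escape_filter_value(group_name),
                                  member_attr, escape_filter_value(user_dn))


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for nested in (False, True):
        attr = "member:1.2.840.113556.1.4.1941:" if nested else "member"
        print(attr, "->", is_member(directory, ILIASUSERS, ALICE, nested))
        print(membership_filter("samaccountname", "iliasusers", attr, ALICE))
```

Running the script shows alice rejected with the plain "member" attribute and accepted with the chain-matching attribute, which is exactly the difference the nested-group note above describes; the printed filters are what you would hand to ldapsearch against the real directory to confirm the behaviour before enabling the restriction.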
For multi-domain forests, the user accounts from other domains must be members of a group in the same domain as the domain controller you use for configuration.