Single sign-on with Citadel and Microsoft Active Directory

Citadel has the ability to authenticate users against an external LDAP server. Two schemas are supported: the standard RFC 2307 POSIX compliant schema, and the completely non-standard Microsoft Active Directory schema. This knowledge base article covers the latter, which should work with any Active Directory server from Windows 2000 onward. We will be demonstrating it using Windows Server 2003.

Installing Active Directory

This is not intended to be an exhaustive tutorial on Active Directory, but it is included in order to point out what information you will need in order to connect Citadel to your directory. As always, a new directory domain is created by running the DCPROMO tool on your Windows server.

After the directory is installed, go to the “Active Directory Users and Computers” administration screen.

In the screenshots above, you have created a domain called example.com. This means that your Base DN will be:

dc=example,dc=com

Creating the query user

Although not strictly necessary, it is a good idea to create an account that Citadel will use for the purpose of performing directory queries. Again, from the “Active Directory Users and Computers” screen, perform the operation to create a new user:

You have created a user called “queries”. This means that your Bind DN will be:

cn=queries,cn=Users,dc=example,dc=com

But don't take our word for it – ask the DSQUERY tool, which will tell you the exact DN for your query user:

You will probably want to put this user in the “Domain Guests” group, since it will only be used to perform LDAP queries.

Configuring Citadel

Now it is time to install Citadel and configure it to authenticate against your directory. If you are using Easy Install, please ensure that the OpenLDAP development libraries are installed (for example, “yum install openldap-devel” on RedHat/CentOS/Fedora) before you run the Easy Install script.

When you run the Citadel setup program, you must answer these prompts accurately:

	       *** Citadel setup program ***

<System Administrator>

Enter the name of the system administrator (which is probably
you).  When an account is created with this name, it will
automatically be given administrator-level access.

This is currently set to:

Enter new value or press return to leave unchanged:
Administrator

Important Note

Configuring the System Administrator (aide) for Citadel with the setup program has some caveats. The name of the user depends on what your directory server contains:

Again, if you only use the “User Logon Name” or “Login” while you have a complete name entered in other fields, your account will be able to log in, but you will not be an aide and you will not see the Administration menu.

<Administrator Password>

Enter a password for the system administrator. When setup
completes it will attempt to create the administrator user
and set the password specified here.

This is currently set to:

Enter new value or press return to leave unchanged:
pass!word

This isn't strictly required but it does make sense for your AD administrator and your Citadel administrator to be one and the same.

<Citadel User ID>

Citadel needs to run under its own user ID.  This would
typically be called "citadel", but if you are running Citadel
as a public BBS, you might also call it "bbs" or "guest".
The server will run under this user ID.  Please specify that
user ID here.  You may specify either a user name or a numeric
UID.

This is currently set to:
citadel
Enter new value or press return to leave unchanged:

Don't try to do anything fancy here. Citadel still runs as its own user ID on the host system.

<Server IP address>

Specify the IP address on which your server will run.  If you
leave this blank, or if you specify 0.0.0.0, Citadel will listen
on all addresses.  You can usually skip this unless you are
running multiple instances of Citadel on the same computer.

This is currently set to:

Enter new value or press return to leave unchanged:

<Server port number>

Specify the TCP port number on which your server will run.
Normally, this will be port 504, which is the official port
assigned by the IANA for Citadel servers.  You will only need
to specify a different port number if you run multiple instances
of Citadel on the same computer and there is something else
already using port 504.

This is currently set to:
504
Enter new value or press return to leave unchanged:

Again, nothing special here.

<Authentication mode>

Specify which authentication mode you wish to use.

 0. Self contained authentication
 1. Host system integrated authentication
 2. External LDAP - RFC 2307 compliant directory
 3. External LDAP - nonstandard MS Active Directory

For help: http://www.citadel.org/doku.php/faq:installation:authmodes

ANSWER "0" UNLESS YOU COMPLETELY UNDERSTAND THIS OPTION.

This is currently set to:
0
Enter new value or press return to leave unchanged:
3

Select option 3 for Active Directory. Do not attempt to use the standard RFC 2307 LDAP mode unless you know for sure that your schema is POSIX compliant. You're on your own if you want to try this.

<LDAP host>

Please enter the host name or IP address of your LDAP server.

This is currently set to:

Enter new value or press return to leave unchanged:
10.250.250.142

<LDAP port number>

Please enter the port number of the LDAP service (usually 389).

This is currently set to:
0
Enter new value or press return to leave unchanged:
389

Enter the IP address or host name of your domain controller. The port number will almost always be 389.

<LDAP base DN>

Please enter the Base DN to search for authentication
(for example: dc=example,dc=com)

This is currently set to:

Enter new value or press return to leave unchanged:
dc=example,dc=com

<LDAP bind DN>

Please enter the DN of an account to use for binding to the LDAP server
for performing queries.  The account does not require any other
privileges.  If your LDAP server allows anonymous queries, you can.
leave this blank.

This is currently set to:

Enter new value or press return to leave unchanged:
cn=queries,cn=Users,dc=example,dc=com

<LDAP bind password>

If you entered a Bind DN in the previous question, you must now enter
the password associated with that account.  Otherwise, you can leave this
blank.

This is currently set to:

Enter new value or press return to leave unchanged:
00!!xxx1

Enter the Base DN and Bind DN that you determined earlier. The Bind Password is the password for the query user you set up.
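The following script is an added example and is not part of this article or of the Citadel project. It builds the Base DN and Bind DN the way the earlier sections do (one dc= component per DNS label, the query user in the default cn=Users container) and then performs the same LDAP v3 simple bind that the Citadel server performs with the Bind DN and Bind Password, so you can confirm the three values before typing them into the setup program. The BER encoding is hand-rolled so it needs only the Python standard library. Assumptions: the host and port are the 10.250.250.142 and 389 from the transcript above, the query user lives in cn=Users (the DSQUERY output is authoritative if it does not), and the two sample responses are constructed here, not captured from a real domain controller.

```python
"""Added example (not Citadel code): derive the DNs for the Citadel LDAP
setup and test them with one LDAP v3 simple bind (RFC 4511) over TCP."""
import socket


def base_dn_from_domain(domain):
    """'example.com' -> 'dc=example,dc=com' (one dc= RDN per DNS label)."""
    return ",".join("dc=" + label for label in domain.strip(".").split("."))


def escape_rdn_value(value):
    """RFC 4514 escaping for an attribute value placed in a DN (e.g. a CN)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last))
        out.append("\\" + ch if special else ch)
    return "".join(out)


def bind_dn_for_user(cn, base_dn, container="cn=Users"):
    """Assumption: the user was created in the default Users container."""
    return "cn=%s,%s,%s" % (escape_rdn_value(cn), container, base_dn)


# ---- minimal BER helpers for the LDAP messages we need ----
def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value):
    """Non-negative INTEGER, minimal two's-complement encoding."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def bind_request(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] {
         version 3, name LDAPDN, authentication simple [0] OCTET STRING } }"""
    body = ber_int(3) + tlv(0x04, bind_dn.encode("utf-8")) + tlv(0x80, password.encode("utf-8"))
    return tlv(0x30, ber_int(message_id) + tlv(0x60, body))


def unbind_request(message_id):
    """UnbindRequest [APPLICATION 2] NULL: polite close after the test bind."""
    return tlv(0x30, ber_int(message_id) + tlv(0x42, b""))


def read_tlv(buf, pos):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def message_complete(data):
    """True once the buffer holds one whole LDAPMessage (outer SEQUENCE)."""
    if len(data) < 2:
        return False
    first = data[1]
    if first & 0x80:
        n = first & 0x7F
        if len(data) < 2 + n:
            return False
        return len(data) >= 2 + n + int.from_bytes(data[2:2 + n], "big")
    return len(data) >= 2 + first


def parse_bind_response(data):
    """Return (resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1].
    resultCode 0 = success, 49 = invalidCredentials."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(msg, 0)              # messageID, not needed here
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("expected BindResponse, got tag 0x%02x" % tag)
    _, code, pos = read_tlv(op, 0)            # ENUMERATED resultCode
    _, _, pos = read_tlv(op, pos)             # matchedDN
    _, diag, _ = read_tlv(op, pos)            # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def check_simple_bind(host, port, bind_dn, password, timeout=5.0):
    """Connect, send one simple bind, return (resultCode, diagnosticMessage)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request(1, bind_dn, password))
        data = b""
        while not message_complete(data):
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
        s.sendall(unbind_request(2))
    return parse_bind_response(data)


# Constructed sample responses (not captured from a real server):
SAMPLE_SUCCESS = tlv(0x30, ber_int(1) + tlv(0x61, tlv(0x0A, b"\x00") + tlv(0x04, b"") + tlv(0x04, b"")))
SAMPLE_BAD_PASSWORD = tlv(0x30, ber_int(1) + tlv(0x61, tlv(0x0A, b"\x31") + tlv(0x04, b"")
                                                  + tlv(0x04, b"constructed: invalid credentials")))

if __name__ == "__main__":
    base = base_dn_from_domain("example.com")
    bind_dn = bind_dn_for_user("queries", base)
    print("Base DN:", base)
    print("Bind DN:", bind_dn)
    # Values from the setup transcript; replace the password with the real one.
    print(check_simple_bind("10.250.250.142", 389, bind_dn, "00!!xxx1"))
```

A resultCode of 0 means the Bind DN and password are accepted and can be entered at the LDAP bind DN and LDAP bind password prompts; 49 (invalidCredentials) means one of them is wrong, and an exception from parse_bind_response means the host or port is not an LDAP service. Note that a simple bind on port 389 without TLS carries the bind password in the clear, which is one reason to keep the query account in a low-privilege group as the article suggests.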

The rest of the setup program proceeds as usual.

Copyright © 1987-2014 Uncensored Communications Group. All rights reserved.