
Single sign-on with Citadel and Microsoft Active Directory

Citadel has the ability to authenticate users against an external LDAP server. The standard RFC 2307 POSIX schema is supported. Active Directory does not follow this schema, but since it is arguably the most widely deployed directory server, Citadel supports its schema as well.

Installing Active Directory

This is not intended to be an exhaustive tutorial on Active Directory; it is included to point out what information you will need in order to connect Citadel to your directory. This example uses Windows 2008, where installation begins by running the DCPROMO tool on your Windows server. For Windows 2012 or 2016, use the Server Manager tool to add the Directory Server role.

After the directory is installed, go to the "Active Directory Users and Computers" administration screen.

In the screenshots above, you have created a domain called example.com. This means that your Base DN will be:

dc=example,dc=com

Creating the query user

Active Directory does not do well with anonymous queries, so it is a good idea to create an account that Citadel will use for the purpose of performing directory queries. Again, from the "Active Directory Users and Computers" screen, perform the operation to create a new user:

You have created a user called "queries". This means that your Bind DN will be:

cn=queries,cn=Users,dc=example,dc=com

But don't take our word for it -- ask the DSQUERY tool, which will tell you the exact DN for your query user:

You will probably want to put this user in the "Domain Guests" group, since it will only be used to perform LDAP queries.

Configuring Citadel

Now it is time to install Citadel and configure it to authenticate against your directory. If you are using Easy Install, please ensure that the OpenLDAP development libraries are installed (for example, yum install openldap-devel on RedHat/CentOS/Fedora) before you run the Easy Install script.

When you run the Citadel setup program, you must answer these prompts accurately:

  	       *** Citadel setup program ***
  
  <System Administrator>
  
  Enter the name of the system administrator (which is probably
  you).  When an account is created with this name, it will
  automatically be given administrator-level access.
  
  This is currently set to:
  
  Enter new value or press return to leave unchanged:
  Administrator

Important Note

Configuring the System Administrator (aide) for Citadel in the setup program has some caveats. The name of the user depends on what your directory server contains:

Again, if you only use the "User Logon Name" or "Login" while you have a complete name entered in other fields, your account will be able to log in, but you will not be an administrator and you will not see the Administration menu.

  <Administrator Password>
  
  Enter a password for the system administrator. When setup
  completes it will attempt to create the administrator user
  and set the password specified here.
  
  This is currently set to:
  
  Enter new value or press return to leave unchanged:
  pass!word

This isn't strictly required but it does make sense for your AD administrator and your Citadel administrator to be one and the same.

  <Citadel User ID>
  
  Citadel needs to run under its own user ID.  This would
  typically be called "citadel", but if you are running Citadel
  as a public BBS, you might also call it "bbs" or "guest".
  The server will run under this user ID.  Please specify that
  user ID here.  You may specify either a user name or a numeric
  UID.
  
  This is currently set to:
  citadel
  Enter new value or press return to leave unchanged:

Don't try to do anything fancy here. Citadel still runs as its own user ID on the host system.

  <Server IP address>
  
  Specify the IP address on which your server will run.  If you
  leave this blank, or if you specify 0.0.0.0, Citadel will listen
  on all addresses.  You can usually skip this unless you are
  running multiple instances of Citadel on the same computer.
  
  This is currently set to:
  
  Enter new value or press return to leave unchanged:
  <Server port number>
  
  Specify the TCP port number on which your server will run.
  Normally, this will be port 504, which is the official port
  assigned by the IANA for Citadel servers.  You will only need
  to specify a different port number if you run multiple instances
  of Citadel on the same computer and there is something else
  already using port 504.
  
  This is currently set to:
  504
  Enter new value or press return to leave unchanged:

Again, nothing special here.

  <Authentication mode>
  
  Specify which authentication mode you wish to use.
  
   0. Self contained authentication
   1. Host system integrated authentication
   2. External LDAP - RFC 2307 compliant directory
   3. External LDAP - nonstandard MS Active Directory
  
  For help: http://www.citadel.org/doku.php/faq:installation:authmodes
  
  ANSWER "0" UNLESS YOU COMPLETELY UNDERSTAND THIS OPTION.
  
  This is currently set to:
  0
  Enter new value or press return to leave unchanged:
  3

Select option 3 for Active Directory. Do not attempt to use the standard RFC 2307 LDAP mode unless you have installed that schema on your directory server.

  <LDAP host>
  
  Please enter the host name or IP address of your LDAP server.
  
  This is currently set to:
  
  Enter new value or press return to leave unchanged:
  10.250.250.142
  <LDAP port number>
  
  Please enter the port number of the LDAP service (usually 389).
  
  This is currently set to:
  0
  Enter new value or press return to leave unchanged:
  389

Enter the IP address or host name of your domain controller. The port number will almost always be 389.

  <LDAP base DN>
  
  Please enter the Base DN to search for authentication
  (for example: dc=example,dc=com)
  
  This is currently set to:
  
  Enter new value or press return to leave unchanged:
  dc=example,dc=com
  
  <LDAP bind DN>
  
  Please enter the DN of an account to use for binding to the LDAP server
  for performing queries.  The account does not require any other
  privileges.  If your LDAP server allows anonymous queries, you can.
  leave this blank.
  
  This is currently set to:
  
  Enter new value or press return to leave unchanged:
  cn=queries,cn=Users,dc=example,dc=com
  
  <LDAP bind password>
  
  If you entered a Bind DN in the previous question, you must now enter
  the password associated with that account.  Otherwise, you can leave this
  blank.
  
  This is currently set to:
  
  Enter new value or press return to leave unchanged:
  00!!xxx1

Enter the Base DN and Bind DN that you determined earlier. The Bind Password is the password for the query user you set up.

The rest of the setup program proceeds as usual.
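Before running the setup program it is worth checking the four directory values it asks for (Base DN, Bind DN, bind password, host and port) from a Linux host, since a wrong Bind DN only shows up later as a failed login. The following script is an added example and is not part of Citadel or its setup program. It derives the Base DN from the domain name exactly as in the "Installing Active Directory" section, builds the Bind DN for the query user from the "Creating the query user" section with RFC 4514 escaping (the reason the page tells you to confirm the DN with DSQUERY: a CN containing a comma or a plus sign must be escaped), and, only when `CITADEL_LDAP_LIVE=1` is set, binds to the domain controller and reads the query user's own entry back with the third-party `ldap3` package (`pip install ldap3`). The host, port, domain, user name and the `CITADEL_LDAP_LIVE` / `CITADEL_LDAP_PASSWORD` variable names are constructed for this example.

```python
"""Pre-flight check for the LDAP values Citadel's setup program asks for.

Added example, not part of the Citadel project. The optional live check
uses the third-party `ldap3` package; the sample values mirror this page.
"""
import os
import sys

# Characters that RFC 4514 requires to be escaped inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;=')


def base_dn_from_domain(domain: str) -> str:
    """Turn a DNS domain into the Base DN Active Directory derives from it.

    example.com -> dc=example,dc=com
    """
    labels = [lab for lab in domain.strip().strip(".").lower().split(".") if lab]
    if not labels:
        raise ValueError("domain must contain at least one label")
    return ",".join(f"dc={lab}" for lab in labels)


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in an RDN (RFC 4514 section 2.4).

    A user whose CN is 'Smith, John' has the DN cn=Smith\\, John,...  which is
    why DSQUERY, not guesswork, is the authority for the Bind DN.
    """
    if not value:
        raise ValueError("RDN value must not be empty")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:           # leading '#' is special
            out.append("\\#")
        elif ch == " " and i in (0, last):   # leading/trailing space is special
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def bind_dn_for_user(cn: str, base_dn: str, container: str = "cn=Users") -> str:
    """Build the Bind DN for a user object in AD's default Users container."""
    return f"cn={escape_rdn_value(cn)},{container},{base_dn}"


def live_bind_check(host: str, port: int, bind_dn: str, password: str, base_dn: str):
    """Bind as the query user and read its own entry; returns (ok, message).

    Needs network access to the domain controller and the ldap3 package, so
    the caller only invokes it when CITADEL_LDAP_LIVE=1 (constructed variable).
    """
    import ldap3  # imported here so the pure helpers above work without it

    server = ldap3.Server(host, port=port, get_info=ldap3.NONE)
    conn = ldap3.Connection(server, user=bind_dn, password=password, auto_bind=False)
    if not conn.bind():
        return False, f"bind as {bind_dn} failed: {conn.result.get('description')}"
    # Base-scope read of the Base DN proves it exists and is visible to this account.
    if not conn.search(base_dn, "(objectClass=*)", search_scope=ldap3.BASE, attributes=["dc"]):
        conn.unbind()
        return False, f"bind ok, but Base DN {base_dn} is not readable"
    # Base-scope read of the bind DN itself proves the DN is exactly right and
    # shows the logon-name and full-name attributes AD stores for the account.
    attrs = ["sAMAccountName", "userPrincipalName", "displayName"]
    if not conn.search(bind_dn, "(objectClass=*)", search_scope=ldap3.BASE, attributes=attrs):
        conn.unbind()
        return False, f"bind ok, but {bind_dn} could not be read back"
    entry = conn.entries[0]
    conn.unbind()
    return True, f"bind and search succeeded; query user entry: {entry}"


if __name__ == "__main__":
    # Constructed values matching the walkthrough on this page.
    base = base_dn_from_domain("example.com")
    bind = bind_dn_for_user("queries", base)
    print("Base DN:", base)
    print("Bind DN:", bind)
    if os.environ.get("CITADEL_LDAP_LIVE") == "1":
        ok, msg = live_bind_check("10.250.250.142", 389, bind,
                                  os.environ.get("CITADEL_LDAP_PASSWORD", ""), base)
        print(msg)
        sys.exit(0 if ok else 1)
```

Run it once without `CITADEL_LDAP_LIVE` to see the DNs it would use, compare the Bind DN with what DSQUERY reported, then run it with `CITADEL_LDAP_LIVE=1` and the query user's password in `CITADEL_LDAP_PASSWORD`; a clean "bind and search succeeded" means the values can be typed into the setup prompts as shown above. The bind uses plain LDAP on port 389 because that is what the setup prompt above configures; the password therefore travels unencrypted to the domain controller unless the network between the two hosts is otherwise protected.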
