Hello,
We are looking for a serious groupware application in our organization, and FengOffice looks like a good candidate. Thus, we have installed Community Version 1.7.4 and we have started testing.
We would like to express our appreciation for a well-thought and well-built application.
One problem we face is that our organization user accounts are LDAP-based (
NOT Active Directory). We are using OpenLDAP.
We have activated the ldap login functionality by configuring [ROOT]/config/ldap.config.php and it works. Here is the working config:
<?php
$config_ldap = array (
'binddn' => 'uid=authenticate,ou=System,dc=example,dc=com',
'bindpw' => 'secret',
'port' => '389',
'basedn' => 'ou=people,dc=example,dc=com',
'host' => 'ldap://ldap.example.com:389',
'uid' => 'uid'
);
return true;
?>
However, there are some issues:
1. It seems that ldaps (secure ldap) is not supported. Tried using:
'port' => '636'
'host' => 'ldaps://ldap.example.com:636'
but it didn't work.
Is there a way ldaps can be used?
2. Even LDAP-based accounts must be manually created in FengOffice. One would expect that once LDAP is enabled, anyone with an LDAP account could successfully login and FengOffice should create a local account for fengoffice system needs. There is an effort here:
http://forums.fengoffice.com/index.php?topic=5407.0 to create such functionality but it seems it is not working very well.
I have also tried the patch mentioned here:
http://forums.fengoffice.com/index.php?topic=2297.msg18408#msg18408 but it didn't work for me (I got no errors in cache/log.php, although I also have Debug On). I still have to pre-create users in FengOffice.
When will such functionality be included in FengOffice?
3. Normal accounts (i.e. not existing in LDAP Server) created directly in FengOffice are not accessible when ldap.config.php exists. This might be expected behavior, but it should be clearly documented.
4. LDAP filter support in the LDAP connector; in config_ldap array there should be an optional 'filter' option with configurable values, like: 'schacUserStatus=feng'.
5. LDAP query scope in LDAP connector; in config_ldap array there should be an optional 'scope' option with configurable values, like: sub | one.
I guess the current default value is sub(tree)?
6. When LDAP accounts are enabled (by existence of ldap.config.php), then password change functionality should be disabled in FengOffice (login screen, Account options etc.), to avoid user confusion, because it doesn't work anymore. ...Unless, of course, FengOffice-LDAP functionality that enables changing LDAP-based passwords is included, which should be made clear to the Administrator in the documentation / installation procedure*. Fortunately, FengOffice uses the right password, when it is updated in an LDAP account. It seems that passwords stored in db table
prefix_user_passwords are not really being used for authentication. They are just there. (If a record is deleted manually from the above table, it is automatically recreated when the user logs in again - however, it still is not being used).
Could you please inform us about current status and plans regarding the above, which constitute basic features with LDAP-based accounts?
Unfortunately, there is not much information in the forum about these features, at least in versions 1.7.x where LDAP functionality has been officially added (one can find info about older patches).
* {Password updates on LDAP based accounts should probably be disabled. If allowed, they should be done using the logged-in user's username/password and FengOffice admin should be able to enforce particular password rules! Generally, organizations have their own means of changing user passwords, so this functionality should most probably be disabled in FengOffice when LDAP is enabled.}
Thanks,
Nick
