⟡ hearthere ⟢
  • Quick start
  • Install MIT
  • Install PRO
  • Updating
  • Optimization
  • Update v4-v5
  • Backups
  • Console utility bin/totum
  • Basics for users
  • Interface and Layout
  • Tables and their parameters
  • Prefilter
  • Fields and their parameters
  • Syntax
  • Code, actions, formatting
  • Relational relationships
  • Calculation order and calculation units
  • Auto-complete calculations and timing
  • Duplicate rows and cycles
  • Comparisons
  • Functions
  • Debugging
  • Print and CSV
  • API
  • Roles and users
  • Notifications
  • Scheduled Actions
  • System tables
  • Trees
  • Anonymous tables
  • External Forms
  • Exporting and importing tables
  • [PRO] MeiliSearch
  • [PRO] Databases
  • [PRO] Custom CSS
  • [PRO] Custom docs
  • [PRO] LDAP AD
  • Role Assignment Parameters in Totum
  • Authorization Sequence
  • Stunnel as a Proxy from Client to LDAP Server
  • [PRO] File versions
  • [PRO] List-unsubscribe
  • [PRO] Dynamic fields
  • [PRO] Only Office
  • [PRO] Auth Tokens
  • [PRO] 2FA
  • [PRO] Superlang
  • [PRO] Daemons
  • [PRO] Profiler
  • Connecting functions
  • [SRV] Installation and Connection
  • [SRV] Export, PDF, Upload, and Preview
  • [SRV] XLSX/DOCX Generators

    • PRO LDAP AD

    The server must have the PHP module for LDAP installed. It is added to the auto-installation, but if you see an error indicating its absence, install it on the server with the command:

    apt install php8.3-ldap

    To connect Totum to your LDAP server, fill in the ttm__ldap_settings table:

    • h_host β€” LDAP server host

    • h_port β€” LDAP server port. Usually 389.

      If your internal network configuration has multiple domains on different hosts, these parameters are passed in an array in h_domains_settings (see further) to a specific domain. If the parameter is passed in h_domains_settings, it will be used from there. If not, it will be taken from the general settings:

      • h_host -β€Ί host
      • h_port -β€Ί port
      • h_version -β€Ί version
      • h_ssl -β€Ί ssl
      • h_cert_file -β€Ί cert_file
      • h_bind_format -β€Ί bind_format [at|dn]
      • h_login_param -β€Ί login_param
      • h_fio_param -β€Ί fio_param
      • h_email_type -β€Ί email_type [bind|param]
      • h_email_param -β€Ί email_param
      • h_get_groups -β€Ί get_groups
      • h_group_param -β€Ί group_param

    • h_version β€” if the field is not filled, {"LDAP_OPT_PROTOCOL_VERSION":"3"} is used, but you can set custom PHP connection settings in key-value format.

    • h_ssl β€” check the box if you need to verify the LDAP server's SSL certificate.

    • h_cert_file β€” upload two .key and .crt certificate files if the LDAP server uses a certificate issued by a non-public certification authority.

    • h_ldap_on β€” enable after configuring all parameters.

      Important! Do not enable until you have verified the connection's functionality.

    • h_domains_settings β€” domain settings (one or more)

      • You can fill in the default example with the right button.

      • The domain is specified in the top key (fully with dots):

      • DC=totum,DC=local β€” should be specified as totum.local

      • user β€” the login of the user who has access to search in this domain.

      • pass β€” the password of the access user.

        If the server supports anonymous requests, user and pass may be absent. They should be absent, not just empty!

      • basedn β€” the base DN where the filtering will be performed. If you don't know what this is, set the DN of the specified domain.

        For AD, you cannot simply set the DN equal to the domain. Either a more specific OU where the search will be performed must be specified, or the parameter "LDAP_OPT_REFERRALS": "0", must be passed in the h_versions field. More details here.

      • filter β€” the search filter based on which users will be selected from the LDAP server:

      • // example for AD server
(&(objectCategory=Person)(memberOf=CN=totum,OU=AccessGroup,DC=totum,DC=local)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))

      • // example for unix
(uid=*)

      • Documentation on search filters in AD: https://social.technet.microsoft.com/...

      • filter_single β€” the search filter by which a single user will be searched by their login:

      • // for AD
(&(objectCategory=Person)({USER_LOGIN_PARAM}={USER_LOGIN}))

      • // for unix
({USER_LOGIN_PARAM}={USER_LOGIN})

      • Two value replacements are used:

        • {USER_LOGIN_PARAM} β€” will be taken from h_login_param.

        • {USER_LOGIN} β€” will be the user's login.

    • h_bind_format β€” the format of user binding on the LDAP server:

      • @ type β€” for AD servers

      • dn type β€” for Linux servers (in this case, in h_domains_settings β€” domain β€” user] the dn of the access user must be specified)

      For DN-type authorization, the modes of creating users β€œLoad on first bind” in h_user_processing_type are not available. Only preloading!

    • h_domain_selector β€” the type of domain switcher on the authorization page (see further for the authorization sequence):

      • Hidden

      • Totum/LDAP

      • Totum/Domain list

    • h_login_param β€” which parameter is the login on your password server.

      • The standard value for AD is sAMAccountName, which can be filled in with the right button.

      • For Linux systems, it is likely to be dn.

    • h_fio_param β€” what to record in FIO in the Totum users table. It can be changed directly in Totum. It will be updated from Ldap only if this parameter changes in Ldap.

    • email type for recording in the Totum users table:

      • From bind: login@domain.zone β€” the email will be formed from the login and domain.

      • From param β€” the email will be taken from the parameter on the LDAP server specified in h_email_param.

      • In both cases, the email can be changed directly in Totum. It will be updated from Ldap only if it changes in Ldap.

    • h_show_result β€” checks the connection with the entered values. You can get data from the Ldap server considering the group search parameters with the right button.

    • h_user_processing_type β€” determines when users will be created in Totum:

      • Load on first bind β€” users will not be pre-created in Totum, only at the moment of successful binding.

      • Load on first bind with role matching β€” the user will be authorized and created in Totum only with a successful bind and role matching.

      • All found users β€” users will be loaded and created in Totum when h_import_users is pressed, regardless of role matching. If there is no role match, such users will have empty roles.

      • Only with matching roles β€” users will be loaded and created in Totum when h_import_users is pressed only if they have matching roles.

    • h_get_groups β€” group retrieval settings. Additional requests will be made for each user with the substitution of {USER_DN}, and the result will be placed in the specified key (for AD, it can be filled in with the right button):

      • Empty β€” do not load groups.

      • get direct group membership:

      groups: (&(objectCategory=group)(member={USER_DN}))
      • get indirect group membership (for cases where groups are nested within groups):
      all_groups: (&(objectCategory=group)(member:1.2.840.113556.1.4.1941:={USER_DN}))

    • h_group_param β€” the parameter that will be requested when performing h_get_groups and by which group matching will occur. For AD, CN is usually used.

    • h_import_users β€” imports users (adds and updates) from Ldap to Totum according to the settings.

      Features of creating a user in Totum

      The Totum login for ldap-users is empty.

      The value ldap is set in the ttm__auth_type field.

      The login in ldap in the format loginParam@domain.zone is recorded in a separate field ttm__extparams (data type) + DN and loaded parameters are also recorded there + roles assigned according to the matching rules.

    • h_update_one_user β€” adds and updates a single user.

    • h_generate_cron β€” creates a cron job in the Crons table, which presses the h_import_users button according to the schedule.

    Role Assignment Parameters in Totum

    In comparison_parameters, parameters are collected, and in roles_in_totum β€” the corresponding roles in Totum.

    Rules:

    • Results for each row will be summed up. If the user's parameters match several rows, they will receive the sum of the roles.

    • In comparison_parameters:

      • The key specifies the parameter by which the comparison is made.

      • If the parameter is a string, the comparison will be made by the full value.

      • If the parameter is a list, the comparison will be made by individual elements, separated by commas in the Ldap response.

      • For group parameters, the comparison is always made by individual elements, even if specified as a string value for the entire parameter.

      • All conditions are processed based on the AND principle (all specified parameters must be present).

      • Keys are case-insensitive.

      • Values are case-sensitive!

    Examples:

    User dn + role Creator:

    dn=cn=polunin,ou=Totum,dc=totum,dc=online

    {
  "dn": "cn=polunin,ou=Totum,dc=totum,dc=online"
}

    Belongs to the domain totum.online and direct membership in the group Totum:

    {
"dn": [
    "dc=totum",
    "dc=online"
  ],
  "groups": "Totum"
}

    Direct membership in the group totum and managers:

    {
  "groups": [
    "Totum",
    "Boss" ]
}

    Direct membership in the group managers and indirect in totum:

    {
  "groups_all": "totum",
  "groups": "managers"
}

    Authorization Sequence

    1. If Ldap is enabled and if there is an @ in the entered value, then check by email.

    2. If this email belongs to an Ldap user, then the authorization is sent to bind to the ldap-server.

    3. If the email is not found, then search in ttm__extparams by login + domain.

    4. If the selector is in the display state, and the domain after the at sign matches one of the domains, the selector will switch and remember for the next authorization in the browser.

    5. If only the login is specified, then we look at the selected domain in the selector and search again in login or in ttm__extparams.

    6. If the selector is in the Hidden status and only the login is specified, then first search in logins, and if not found and we have one domain in the list, then substitute this domain and search in ttm__extparams.

      1. Login (those Totum users) in this case have priority.

      2. If there are multiple domains in the list, then we say that it was not found and do not go further.

    7. If we did not find the user in Totum, then we will search for them in Ldap under the access user.

      1. If not found in Ldap either, then "User not found".

      2. If found, we create them and try to bind them.

        1. If there are no matching roles and the setting is "Only with matching roles" β€” "User does not have access to Totum".

        2. If the bind fails β€” "Authorization unsuccessful".

    Stunnel as a Proxy from Client to LDAP Server

    This instruction is taken from Google documentation.

    Using Stunnel as a proxy server.

    If the client does not provide a way to authenticate to LDAP using a client certificate (or for some other non-standard reasons, a secure connection to your LDAP server does not work), use the Stunnel service as a proxy server.

    To do this, you need to configure Stunnel to provide the client certificate to the LDAP server, and in the client β€” connect to Stunnel. It is advisable to run Stunnel on the same server as your application and perform local listening (so that the LDAP directory is not accessible outside this server).

    Install Stunnel:

    apt-get install stunnel4

    Create the configuration file /etc/stunnel/google-ldap.conf with the following content (in the example below, ldap-client.crt is the certificate file, and ldap-client.key is the key file, this is an example of connecting to Google AD):

    [ldap]
client = yes
accept = 127.0.0.1:1636
connect = ldap.google.com:636
cert = ldap-client.crt
key = ldap-client.key

    To enable Stunnel, open the file /etc/default/stunnel4 and set the parameter ENABLED=1.

    Restart Stunnel:

    service stunnel restart

    Configure the application to point to ldap://127.0.0.1:1636.

    If you also changed the accept line in the configuration file, you can replace 1636 with any other unused port number. Since the data exchange between the client and the Stunnel service occurs locally, the LDAP credentials are stored as plain text (the StartTLS/SSL/TLS parameter is disabled).