Using Active Directory

From DreamFactory
Jump to: navigation, search
DreamFactoryTutorialsUsing Active Directory

Tutorial

To use Active Directory (AD) authentication over LDAP in a DreamFactory instance, you must have the PHP LDAP extension enabled. In APT the package is php5-ldap, in Yum it’s php-ldap, and in Windows Bitnami instances it’s provided as php_ldap.dll.

You can then provision an AD service from the 'Services' tab in Admin Console. Click on the 'Create' button on the services tab to create a new service. Select 'adLdap Integration' from the 'Service Type' drop down menu. For the name field use a short, meaningful, one word name for your service. This will be used as your AD service identifier. Fill out rest of the information on this form and then go to the 'Config' tab.

Tutorial using ad 1.png

On the config form you will need to provide all the details of your AD server and select a default role for your AD service. This role will be assigned (for all applications in the system) to all users signing in using this AD service.

Tutorial using ad 2.png

Note: Username and Password fields are optional. Provide your Active Directory Username and Password to enable additional features of this service.

API Endpoint

POST https://your-url/api/v2/user/session?service={ad_service_name}
{
    "username" : "user_name",
    "password" : "password"
}

-- OR --

POST https://your-url/api/v2/user/session
{
    "username" : "user_name",
    "password" : "password",
    "service"  : "ad_service_name"
}

Example - Sign-in using Active Directory Authentication

  • AD service name: demo
  • Request URL:
POST https://your-url/api/v2/user/session?service=demo
{
   "username" : "user_name",
   "password" : "password"
}
  • Response:
{
    "session_token": “abc.123abc.efg,
    "session_id": “abc.123abc.efg,
    "id": 1,
    "name": "John",
    "first_name": "John",
    "last_name": "Doe",
    "email": "[email protected]",
    "is_sys_admin": false,
    "last_login_date": "2015-06-30 16:46:59",
    "host": "your-url"
}

One source of confusion among first time users pertains to the lack of a POST endpoint in the Active Directory or LDAP service's API Docs interface. This does not exist because when authenticating, the URL references /api/v2/user/session?... rather than the Active Directory / LDAP resource. In other words, session creation occurs by way of the user REST resource rather than through the mounted directory service itself, with the directory service being identified by the service=... parameter.