Authentication plugins
From LimeSurvey Manual
This is an overview of the authentication plugins currently shipped with LimeSurvey. If you want to extend or develop your own authentication plugin, please see Authentication_plugin development
Internal database
This plugin is the default and can not be disabled. It uses the built-in LimeSurvey database. It is a fall-back mechanism so that you can always log in to the installation when needed.
LDAP
By activating this plugin, you can perform basic authentication against an LDAP server. If you are using LimeSurvey Community Edition make sure your PHP configuration has LDAP support enabled (these steps are not needed for LimeSurvey Cloud):
- Verify that phpinfo.php shows that LDAP is enabled. The location of LimeSurvey's built-in phpinfo.php is: Upper Right Menu -- Configuration -- Settings -- Global Settings. Then, below the table, you will have a link for "Show PHPInfo".
- Enable LDAP in php.ini.
Enabling and configuring settings for plugin AuthLDAP
- Go to LimeSurvey plugin manager.
- Activate & configure the LDAP plugin.
Simple Example settings
- Ldap server e.g. ldap://ldap.mydomain.com: ldap://ldap.mydomain.com
- Port number (default when omitted is 389):
- LDAP version (LDAPv2 = 2), e.g. 3: 3
- Username prefix cn= or uid=: cn=
- Username suffix e.g. @mydomain.com or remaining part of ldap query: ,OU=people,DC=mydomain,DC=com
- Create a LimeSurvey administrator with the same name as a AD(active directory) user account.
- Log in using the AD credentials(username and password).
Example settings AD2008
Settings working with Active Directory 2008 with AuthLDAP plugin .
Authentication with LDAP and userPrincipalName attribute
Note: Authentication with userPrincipalName attribute (ie: firstname.lastname@example.intra). Create a LimeSurvey user with the same name as an AD(active directory) user account :
Username: firstname.lastname@example.intra
Email: firstname.lastname@example.intra
Full name: Firstname LASTNAME
Then configure the plugin : Plugin Manager > LDAP > Configure.
Ldap server e.g. ldap://ldap.example.intra: ldap://ldap.example.intra
Port number (default when omitted is 389): 389
LDAP version (LDAPv2 = 2), e.g. 3: LDAPv3
Username prefix cn= or uid=: cn=: empty
Username suffix e.g. @example.intra or remaining part of ldap query: empty
Log in using the AD credentials (username: firstname.lastname@example.intra and password).
Authentication with LDAP and sAMaccountName attribute
Note: Authentication with sAMaccountName attribute (ie: firstname.lastname). Create a LimeSurvey user with the same name as a AD(active directory) user account :
Username: firstname.lastname
Email: firstname.lastname@example.intra
Full name: Firstname LASTNAME
Then configure the plugin : Plugin Manager > LDAP > Configure.
Ldap server e.g. ldap://ldap.example.com: ldap://ldap.example.intra
Port number (default when omitted is 389): 389
LDAP version (LDAPv2 = 2), e.g. 3: LDAPv3
Username prefix cn= or uid=: cn=: empty
Username suffix e.g. @example.com or remaining part of ldap query: @example.intra
Log in using the AD credentials (username: firstname.lastname and password).
Authentication with LDAPS and sAMaccountName attribute
Note: Authentication with sAMaccountName attribute (ie: firstname.lastname). Create a LimeSurvey user with the same name as a AD(active directory) user account :
Username: firstname.lastname
Email: firstname.lastname@example.intra
Full name: Firstname LASTNAME
Then configure the plugin : Plugin Manager > LDAP > Configure.
Ldap server e.g. ldap://ldap.example.com: ldaps://ldap.example.intra
Port number (default when omitted is 389): 636
LDAP version (LDAPv2 = 2), e.g. 3: LDAPv3
Username prefix cn= or uid=: cn=: empty
Username suffix e.g. @example.intra or remaining part of ldap query: @example.intra
Log in using the AD credentials (username: firstname.lastname and password).
Example settings OpenLDAP
Settings working with OpenLDAP with AuthLDAP plugin .
Authentication with LDAP and uid attribute
Note: Authentication with uid attribute. Create a LimeSurvey user with the same name as the LDAP user account.
Then configure the plugin : Plugin Manager > LDAP > Configure.
Another Note: With ApacheDS running on the same machine localhost you probably have to strip the ldap:// in your server name. I got the misleading error message "Can't contact LDAP server" which came from PHP 7.4 and not from LimeSurvey. It could connect to the LDAP server but couldn't bind the user, although the credentials were correct. After stripping the ldap:// everything went fine.
- Ldap server e.g. ldap://ldap.mydomain.com: ldap://ldap.mydomain.com
- Port number (default when omitted is 389): (389 or leave blank)
- LDAP version (LDAPv2 = 2), e.g. 3: LDAPv3
- Select true if referrals must be followed (use false for ActiveDirectory): (leave blank)
- Check to enable Start-TLS encryption When using LDAPv3: False
- Select how to perform authentication: Search and bind
- Attribute to compare to the given login can be uid, cn, mail, ...: uid
- Base DN for the user search operation: ou=people,dc=mydomain,dc=com
- Optional extra LDAP filter to be ANDed to the basic (searchuserattribute=username) filter. Don't forget the outmost enclosing parentheses: (leave blank)
- Optional DN of the LDAP account used to search for the end-user's DN. An anonymous bind is performed if empty.: cn=admin,dc=mydomain,dc=com
- Password of the LDAP account used to search for the end-user's DN if previoulsy set.: password (appears!)
- Check to make default authentication method: (as you wish)
Log in using the LDAP credentials (username: user and password).
Authentication with OpenLDAP, uid attribute, and group restriction
Some applications require a separate LDAP query (beyond the user search and bind to check password) to determine if the user has sufficient authorization. For example, let's assume that LDAP has a Groups
OU that includes an entry identified by cn=limeusers
, and our policy is that for a user to be authorized to use LimeSurvey that entry must include an attribute of the form memberUid=username
where username is the username (uid) entered by the user attempting to log in. To configure LDAP for that, set up basic uid authentication as above and then set the following additional (optional) parameters:
- Optional base DN for group restriction:
ou=Groups,dc=mydomain,dc=com
- Optional filter for group restriction:
(&(cn=limeusers)(memberUid=$username))
Note:
$username
is a magic value (in the context of the filter parameter) that is replaced by the username entered by the user when logging in.- Although intended for testing group membership as above, this optional "group restriction" capability can be used to add any authorization check that can be expressed as a separate filtered search like this.
- Before specifying a group restriction this way, verify that basic LDAP authentication is working correctly.
- If either of the group restriction parameters is empty, then the group restriction step will not be applied.
Webserver authentication
This plugin leaves authentication to the web server and reads the result from a configurable server setting. This method has been around for a while, and was configured from config.php. If you used this authentication, you should enable the plugin in the plugins menu and move your configuration from config.php to the plugin's settings. Feel free to contact the team via the bug tracker or Discord if it no longer functions the way it did before.