By default, Kimai uses its internal user management, where users and passwords are stored in the Kimai database. Other authenticators are available to connect Kimai to existing user repositories.
The authenticator that will be used is configured in includes/auth.php within the key $authenticator.
$authenticator = 'kimai';
The value kimai is the last part of the class name, without the namespace prefix and with the first character in lowercase. For example, “ldap” comes from Kimai_Auth_Ldap: remove Kimai_Auth_ and lowercase the first character of “Ldap”.
If the authenticator in use supports configuration parameters, you can set them in the file includes/auth.php (supported since Kimai > 1.0.1).
To do so, create the file includes/auth.php with the following content:
<?php
return array(
'key_1' => 'value',
'key_2' => 'value',
);
Set the parameters according to the authenticator documentation below (‘key_1’ and ‘key_2’ can be safely removed, they are just examples for the structure of the file).
If you use Kimai 1.0.1 or lower, you have to set these configuration parameters directly in the PHP files, for example in the LDAP class here.
The built-in authenticator, using the Kimai database.
In includes/autoconf.php, set:
$authenticator = "kimai";
It has no configuration parameters and works out of the box.
A Basic-Auth authenticator
In includes/autoconf.php, set:
$authenticator = "http";
AuthType Basic
AuthName "kimai"
AuthUserFile /absolute/path/to/.htpasswd
Require valid-user
http://admin:changeme@kimai.localhost/index.php
Default settings and full example for includes/auth.php:
<?php
return array(
'HTAUTH_ALLOW_AUTOLOGIN' => true,
'HTAUTH_FORCE_USERNAME_LOWERCASE' => false,
'HTAUTH_USER_AUTOCREATE' => false,
'HTAUTH_PHP_AUTH_USER' => false,
'HTAUTH_REMOTE_USER' => true,
'HTAUTH_REDIRECT_REMOTE_USER' => false,
);
Basic LDAP authenticator.
In includes/autoconf.php, set:
$authenticator = "ldap";
Default settings and full example for includes/auth.php:
<?php
return array(
'LDAP_SERVER' => 'ldap://localhost',
'LDAP_FORCE_USERNAME_LOWERCASE' => true,
'LDAP_USERNAME_PREFIX' => 'cn=',
'LDAP_USERNAME_POSTFIX' => ',dc=example,dc=com',
'LDAP_LOCAL_ACCOUNTS' => array('admin'),
'LDAP_USER_AUTOCREATE' => true,
);
An advanced LDAP authenticator that allows further configuration options.
In includes/autoconf.php, set:
$authenticator = "ldapadvanced";
ldap://ldap.example.com or ldaps://ldap.example.com:1234
o=example,c=org
%1$s will be replaced with what the user entered as login name. You can use that string multiple times to enable login by UID and email. The filter would then be (|(uid=%1$s)(mail=%1$s))
%1$s will be replaced by the value of the attribute defined by usernameAttribute of the user entry. The string %2$s will be replaced by the DN of the user's entry.
allowedGroupIds groupidAttribute. Members of the LDAP groups referenced here will be allowed access to Kimai!
Default settings and full example for includes/auth.php:
<?php
return array(
'host' => 'ldap://localhost',
'bindDN' => '',
'bindPW' => '',
'searchBase' => 'dc=example,c=org',
'userFilter' => 'uid=%s',
'groupFilter' => 'memberUid=%1$s',
'usernameAttribute' => 'uid',
'commonNameAttribute' => 'cn',
'groupidAttribute' => 'cn',
'mailAttribute' => 'mail',
'allowedGroupIds' => array('kimai-access'),
'forceLowercase' => true,
'nonLdapAcounts' => array('admin'),
'autocreateUsers' => true,
'defaultGlobalRoleName' => 'User',
'defaultGroupMemberships' => array('Users' => 'User'),
);
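How the %1$s and %2$s placeholders in userFilter and groupFilter expand, as an added example that is not Kimai's own code. The helper names, the member=%2$s clause and the sample values are constructed for illustration, and the example assumes the substituted values are escaped per RFC 4515 before they are placed in the filter.

```php
<?php
// Added example, not part of Kimai: expands userFilter / groupFilter templates.
// Escape a value for use inside an LDAP search filter (RFC 4515).
function escapeFilterValue(string $value): string
{
    // strtr() with an array never rescans its own output, so "\" is safe here.
    return strtr($value, array(
        '\\' => '\5c',
        '*'  => '\2a',
        '('  => '\28',
        ')'  => '\29',
        "\0" => '\00',
    ));
}

// %1$s = what the user entered as login name.
function buildUserFilter(string $template, string $login): string
{
    return sprintf($template, escapeFilterValue($login));
}

// %1$s = value of usernameAttribute on the user entry, %2$s = DN of that entry.
function buildGroupFilter(string $template, string $username, string $userDn): string
{
    return sprintf($template, escapeFilterValue($username), escapeFilterValue($userDn));
}

$userFilter  = '(|(uid=%1$s)(mail=%1$s))';         // filter quoted in the text above
$groupFilter = '(|(memberUid=%1$s)(member=%2$s))'; // constructed, uses both placeholders

// Constructed sample logins, including filter metacharacters.
foreach (array('jdoe', 'jdoe@example.com', 'j*', 'doe (ext)') as $login) {
    printf("%-18s => %s\n", $login, buildUserFilter($userFilter, $login));
}
echo buildGroupFilter($groupFilter, 'jdoe', 'uid=jdoe,ou=people,o=example,c=org'), "\n";
```

With escaping, a login of j* is searched as the literal uid=j\2a rather than acting as a wildcard match.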
Kimai supports authentication with Microsoft's Active Directory through LDAP.
In includes/autoconf.php, set:
$authenticator = "activeDirectory";
Default settings and full example for includes/auth.php:
<?php
return array(
'enhancedIdentityPrivacy' => 'false',
);
As this class is a subclass of the LDAP-Advanced authenticator (see above), you can set all configuration parameters from there as well, for example the host:
<?php
return array(
'host' => 'ldap://localhost',
'enhancedIdentityPrivacy' => 'false',
);