External User Management using the Enterprise Solution
In the standard version of Movable Type, users, groups, and passwords are managed within the Movable Type application.
The Enterprise Solution allows you to optionally configure your Movable Type installation to support managing user and group authentication information from an external LDAP directory service. The most commonly used LDAP directory services are OpenLDAP for Unix/Linux and Active Directory for Windows.
When you set up Movable Type to work with an LDAP directory, users sign in to Movable Type with the same user name and password they use to access other services on your network. In technical terms, user and group authentication is managed by the LDAP service, instead of Movable Type. To set up Movable Type to work with LDAP, you need to know where your directory is located and how it is configured to uniquely identify users.
LDAP configuration is a highly complex and specific topic. We recommend that you consult with someone who is expert in LDAP integration and familiar with your LDAP directory configuration before you set up Movable Type to use LDAP.
LDAP Authentication Modes
You have two options for configuring Movable Type to authenticate users with LDAP. You can use External User Management or Authentication Only.
External User Management
When you use LDAP for External User Management (the default configuration), you do not manage users and groups directly within Movable Type. Instead, users and groups are created within the LDAP directory.
Any LDAP user can log in and use Movable Type. When an LDAP user logs into Movable Type their profile information within Movable Type is synchronized with their profile information within the LDAP directory. If the user who is logging into Movable Type does not yet have a user record in Movable Type, a user record will be created for them automatically.
Once a user record has been created in Movable Type, administrators can control the access that user has within Movable Type by setting blog permissions for that user and the groups they belong to.
Authentication Only
In the alternate configuration, called Authentication Only, only the users you create in Movable Type have access to the Movable Type application. When a user logs into Movable Type, Movable Type uses the LDAP directory to confirm (authenticate) the match between the user name and password the user entered. This configuration allows you to directly limit Movable Type access to a subset of the LDAP directory users. You must make sure that the user names you create in Movable Type match the usernames stored in the LDAP directory, or the users won’t be able to log in.
In this mode, synchronization of user profile data stored in Movable Type and the LDAP directory still occurs, but Movable Type will not provision user records within Movable Type automatically. In this mode all user records must be created manually.
Once a user record has been created, administrators can manage a user’s access, blog permissions and associate that user with groups in Movable Type.
LDAP Synchronization
Movable Type must synchronize with the LDAP directory in order to load the latest user and group information. It is important to synchronize periodically to make sure Movable Type has current information about users and groups.
Manual Synchronization
To manually synchronize Movable Type with the LDAP directory:
Log into Movable Type.
Select “Users” or “Groups” from the Manage menu.
From either the group or user listing page, select the “Synchronize” link found in the right-hand column under Actions. Doing so will trigger the synchronization process.
Don’t see the Synchronize Users or Synchronize Groups Link? Make sure you have External Group Management and/or External User Management enabled in your system.
Automatic Synchronization
You can set up Movable Type to synchronize with the LDAP directory automatically at regular intervals. On the LDAP configuration page in the installation wizard, set the interval (in minutes) in the External User Synch Frequency text box.
You must also set up Movable Type to run background tasks. You do this by editing the Movable Type configuration file. Use a text editor to open the file mt-config.cgi in your mt installation directory.
Find the following line.
LaunchBackgroundTasks 0
Change the 0 to 1 to turn on background tasks.
You can also change the synchronization interval in the mt-config.cgi file. Look for the following line.
ExternalUserSynchFrequency 60
Change the number of minutes between synchronizations.
Individual User Synchronization
Each time a user logs in to Movable Type, it connects to the LDAP directory and updates that user’s information. Specifically, it checks for the user’s status and group membership. For example, a user who has been removed from the LDAP directory is not allowed to log in.
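The following added example (not Movable Type's own code) models the login behaviour described on this page: LDAP is the authority for credentials, External User Management auto-provisions a user record while Authentication Only does not, and every login re-synchronizes status and group membership so that a user removed from the directory is refused. The in-memory directory, the `MovableTypeLDAP` class and its method names are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the LDAP directory: username -> credential and groups.
# A real deployment would perform an LDAP bind instead of comparing strings.
LDAP_DIR = {
    "alice": {"password": "s3cret", "groups": {"editors"}},
    "bob": {"password": "hunter2", "groups": {"authors", "editors"}},
}

@dataclass
class MTUser:
    """A Movable Type user record (assumed minimal shape)."""
    name: str
    groups: set = field(default_factory=set)
    status: str = "active"

class MovableTypeLDAP:
    """Login flow: LDAP authenticates; the mode decides whether MT provisions records."""
    def __init__(self, external_user_management: bool, ldap=LDAP_DIR):
        self.external_user_management = external_user_management
        self.ldap = dict(ldap)          # private copy so tests can simulate removals
        self.mt_users: dict = {}        # Movable Type's own user records

    def create_user(self, name: str) -> None:
        """Manual provisioning, as required in Authentication Only mode."""
        self.mt_users[name] = MTUser(name)

    def login(self, name: str, password: str) -> bool:
        entry = self.ldap.get(name)
        if entry is None:               # removed from the directory: login denied
            if name in self.mt_users:
                self.mt_users[name].status = "disabled"
            return False
        if entry["password"] != password:
            return False                # LDAP rejects the credentials
        if name not in self.mt_users:
            if not self.external_user_management:
                return False            # Authentication Only: no auto-provisioning
            self.mt_users[name] = MTUser(name)   # External User Management
        # Individual user synchronization on every login
        user = self.mt_users[name]
        user.groups = set(entry["groups"])
        user.status = "active"
        return True
```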