Connect Azure AD DS with Joomla LDAP

Azure Active Directory (Azure AD) is Microsoft’s cloud-based Identity and Access Management (IAM) service, which helps your employees sign into your Joomla site and access its resources. miniOrange Joomla LDAP provides a solution where existing identities in Azure Active Directory Services can be leveraged for Single Sign-On (SSO) onto your Joomla site. To interact with your Azure Active Directory Domain Services (Azure AD DS) managed domain, the Lightweight Directory Access Protocol (LDAP) is mostly used. By default, the LDAP traffic isn't encoded, which is a security concern for many environments. With Azure Active Directory Domain Services, you can configure the managed domain to use secure Lightweight Directory Access Protocol (LDAPS). When you use secure LDAP, the traffic is encrypted. Secure LDAP is also known as LDAP over Secure Sockets Layer (SSL).

Follow the Step-by-Step guide given below to configure Secure LDAP Connection between Azure Active Directory and miniOrange Joomla LDAP for Intranet

1. Create and configure an Azure Active Directory Domain Services instance

(Skip this if you have already configured a AADDS instance for a subscription)

1. Prerequisites

• An active Azure subscription.
• You need global administrator privileges in your Azure AD tenant to enable Azure Active Directory Domain Services either synchronized with an on-premises directory or a cloud-only directory.
• You need Contributor privileges in your Azure subscription to create the required Azure Active Directory Domain Services resources.

1.1 Create an instance and configure basic settings

• In the upper left-hand corner of the Azure portal, click on + Create a resource.
• Enter Domain Services into the search bar, then choose Azure AD Domain Services from the search suggestions.



• On the Azure AD Domain Services page, click on Create. The Enable Azure AD Domain Services wizard is launched.



• Complete the fields in the Basics window of the Azure portal to create an Azure AD DS instance:
  • Enter a DNS domain name for your managed domain, taking into consideration the previous points.
  • Select the Azure Subscription in which you would like to create the managed domain.
  • Select the Resource group to which the managed domain should belong. Choose to Create new or select an existing resource group.
  • Choose the Azure Location in which the managed domain should be created.
  • Click OK to move on to the Network section.

1.2 Create and configure the virtual network

• Complete the fields in the Network window as follows:
  • On the Network window, choose Select virtual network.
  • For this tutorial, choose to Create new virtual network to deploy Azure AD DS into.
  • Enter a name for the virtual network, such as myVnet, then provide an address range, such as 10.1.0.0/16.
  • Create a dedicated subnet with a clear name, such as DomainServices. Provide an address range, such as 10.1.0.0/24.
• With the virtual network and subnet created, the subnet should be automatically selected, such as DomainServices. You can instead choose an alternate existing subnet that's part of the selected virtual network.
• Click on OK to confirm the virtual network configuration.

1.3 Configure an administrative group

• The wizard automatically creates the AAD DC Administrators group in your Azure AD directory. If you have an existing group with this name in your Azure AD directory, the wizard selects this group. You can optionally choose to add additional users to this AAD DC Administrators group during the deployment process.
  
  NOTE: We have included members in the administrator group further ahead in this document.

1.4 Configure Synchronization

• Azure Active Directory Domain Services lets you synchronize all users and groups available in Azure AD, or a scoped synchronization of only specific groups.
• Select the scope and then click OK.
  
  NOTE: Scope cannot be changed later. If the need arises, then creation of new domain will be required.

1.5 Deploy your managed domain

• On the Summary page of the wizard, review the configuration settings for the managed domain. You can go back to any step of the wizard to make changes
• To create the managed domain, click on OK.
• The process of provisioning your managed domain can take up to an hour. A notification is displayed in the portal that shows the progress of your Azure AD DS deployment. Select the notification to see detailed progress for the deployment.
• When the managed domain is fully provisioned, the Overview tab shows the domain status as Running.



NOTE: During the provisioning process, Azure AD DS creates two Enterprise Applications named Domain Controller Services and AzureActiveDirectoryDomainControllerServices in your directory. These Enterprise Applications are needed to service your managed domain. It's imperative that these applications are not deleted at any time.

2. Create and delegate certificates for secure LDAP

2.1 Create a Self-Signed Certificate

• To use Secure LDAP, a digital certificate is used to encrypt the communication. This digital certificate is applied to your Azure AD DS managed domain.
• Open a PowerShell window as Administrator and run the following commands.
  
  NOTE: Replace the $dnsName variable with the DNS name used by your own managed domain, such as exampledomain.com. This domain shoud be same as your ADDS managed domain.
Make the following entry in your hosts file <Define your own DNS name used by your Azure AD DS managed domain
$dnsName="exampledomain.com"
# Get the current date to set a one-year expiration
$lifetime=Get-Date
# Create a self-signed certificate for use with Azure AD DS New-SelfSignedCertificate -Subject *.$dnsName `

-NotAfter $lifetime.AddDays(365) -KeyUsage DigitalSignature, KeyEncipherment `
-Type SSLServerAuthentication -DnsName *.$dnsName, $dnsName
2.2 Export a certificate for Azure AD DS
Before you can use the digital certificate created in the previous step with your Azure AD DS managed domain, export the certificate to a .PFX certificate file that includes the private key.


• To open the Run dialog, press the Windows and R keys.
• Open the Microsoft Management Console (MMC) by entering MMC in the Run dialog, then select OK.
• On the User Account Control prompt, click Yes to launch MMC as administrator.
• From the File menu, click Add/Remove Snap-in…
• In the Certificates snap-in wizard, choose Computer account, then select >Next
• On the Select Computer page, choose Local computer: (the computer this console is running on), then select Finish.
• In the Add or Remove Snap-ins dialog, click OK to add the certificates snap-in to MMC.
• In the MMC window, expand Console Root. Select Certificates (Local Computer), then expand the Personal node, followed by the Certificates node.



• The self-signed certificate created in the previous step is shown, such as exampledomain.com. Right-click this certificate, then choose All Tasks > Export.



• In the Certificate Export Wizard, select Next.
• The Private key for the certificate must be exported. If the private key is not included in the exported certificate, the action to enable secure LDAP for your managed domain fails.
  On the Export Private Key page, choose Yes, export the private key, then select Next.



• Azure AD DS managed domains only support the .PFX certificate file format that includes the private key. Don't export the certificate as .CER certificate file format without the private key.
• On the Export File Format page, select Personal Information Exchange - PKCS #12 (.PFX) as the file format for the exported certificate. Check the box for Include all certificates in the certification path if possible and click next.



• On the Security page, choose the option for Password to protect the .PFX certificate file. Enter and confirm a password, then select Next. This password is used in the next section to enable secure LDAP for your Azure AD DS managed domain.



• On the File to Export page, specify the file name and location where you'd like to export the certificate, such as C:\Users\accountname\azure-ad-ds.pfx.
• On the review page, click on Finish to export the certificate to a .PFX certificate file. A confirmation dialog is displayed when the certificate has been successfully exported
• Leave the MMC open for use in the following section.
2.3 Export a certificate for Client Computers
Client computers must trust the issuer of the secure LDAP certificate to be able to connect successfully to the managed domain using LDAPS. The client computers need a certificate to successfully encrypt data that is decrypted by Azure AD DS. Follow the following steps to export and then install the self-signed certificate into the trusted certificate store on the client computer:

• Go back to the MMC for Certificates (Local Computer) > Personal > Certificates store. The self-signed certificate created in a previous step is shown, such as exampledomain.com. Right-click this certificate, then choose All Tasks > Export…
• In the Certificate Export Wizard, select Next.
• As you don't need the private key for clients, on the Export Private Key page choose No, do not export the private key, then select Next.



• On the Export File Format page, select Base-64 encoded X.509 (.CER) as the file format for the exported certificate:



• On the File to Export page, specify the file name and location where you'd like to export the certificate, such as C:\Users\accountname\client.cer.



• On the review page, select Finish to export the certificate to a .CER certificate file. A confirmation dialog is displayed when the certificate has been successfully exported.

3. Enable Secure LDAP for Azure AD DS

• In the Azure portal, search for domain services in the Search resources box. Select Azure AD Domain Services from the search result.



• Choose your managed domain, such as exampledomain.com.



• On the left-hand side of the Azure AD DS window, choose Secure LDAP.



• By default, secure LDAP access to your managed domain is disabled. Toggle Secure LDAP to Enable.
• Toggle Allow secure LDAP access over the internet to Enable.
• Select the folder icon next to .PFX file with a secure LDAP certificate. Browse to the path of the .PFX file, then select the certificate created in a previous step that includes the private key.
• Enter the Password to decrypt .PFX file set in a previous step when the certificate was exported to a .PFX file.
• Click on Save to enable secure LDAP.
  
  NOTE: A notification is displayed that secure LDAP is being configured for the managed domain. You can't modify other settings for the managed domain until this operation is complete. It takes a few minutes to enable secure LDAP for your managed domain.



• A notification is displayed that secure LDAP is being configured for the managed domain. You can't modify other settings for the managed domain until this operation is complete. It takes a few minutes to enable secure LDAP for your managed domain.



4. Adding Security Rules

• On the left-hand side of the Azure AD DS window, choose Properties.
• Then select the relevant Network Group Associated with this domain under Network security group associated with subnet.



• The list of existing inbound and outbound security rules are displayed. On the left-hand side of the network security group windows, choose Security > Inbound security rules.
• Select Add, then create a rule to allow TCP port 636.
• Option A: Add an Inbound Security Rule to allow all incoming TCP requests.

Settings	Value
Source	Any
Source port ranges	*
Destination	Any
Destination port ranges	636
Protocol	TCP
Action	Allow
Priority	401
Name	AllowLDAPS

• Option B: Add an Inbound Security Rule to allow incoming TCP requests from a specified set of IP Addresses.(Recommended)

Settings	Value
Source	IP Addresses
Source IP addresses / CIDR ranges	Valid IP address or range for your environment.
Source port ranges	*
Destination	Any
Destination port ranges	636
Protocol	TCP
Action	Allow
Priority	401
Name	AllowLDAPS





• When ready, click on Add to save and apply the rule.

5. Configure DNS for External Access

• With secure LDAP access enabled over the internet, update the DNS zone so that client computers can find this managed domain. The Secure LDAP external IP address is listed on the Properties tab for your Azure AD DS managed domain:



• Make the following entry in your hosts file <Secure LDAP external IP address>ldaps.<domainname>
Replace <Secure LDAP external IP address> with the IP we get from azure portal and replace
&l;tdomainname> with the domain name for which the certificate was created.(Value used in $dnsName)
Eg: 99.129.99.939 ldaps.exampledomain.com

6. Enabling a user to bind successfully

• On the left-hand side of the Azure AD DS window, choose Properties.
• Then select the relevant Admin Group Associated with this domain.



• Then select Members under the Manage tab from the left hand side panel.



• Click on Add Members and select the member that you would use to do the bind operation. Then log in to azure portal using the same user that is now admin.(If not already logged in)
• Select the user setting from top right corner and click on view account.



• Then select Set up self service password reset and go along with its setup.



• After Successful setup select Azure Portal from the list of apps.



• Then again go to the user profile and select change password.



• Once the password is changed successfully then this user is eligible for binding operation.

7. Configure Joomla LDAP using Azure Active Directory

• Download the zip file for the miniOrange LDAP plugin for Joomla from the link here.
• Login into your Joomla site’s Administrator console.
• From left toggle menu, click on System, then under Install section click on Extensions.

• Here click on Browse for file button to locate and install the plugin file downloaded earlier.

• Once Installation of plugin is successful. Now click on Start Using miniOrange LDAP plugin.

• You will be redirected to the Configure LDAP tab. To connect your Joomla site to Microsoft Azure Active Directory, you will have to configure the following settings:

Field	Value
Directory Server	Microsoft Active Directory
LDAP Server URL	LDAP Server URL - This is the domain name that we had added in the host file configuration of the Domain Name Systems. You can get the LDAP Server URL from here.
Service Account Domain	You can get the Service Account Domain Name from here.
Service Account Password	Password for the Accout used for binding here.
Search Base	Provide distinguished name of the Search Base object Eg:cn=User,dc=domain,dc=com. You can Select the search base as provided in the dropdown
Search Filter	Search filters enable you to define search criteria and provide a more efficient and effective searches. Eg: userprincipalname


• Under the User LDAP Mapping configurations select your Search Base (the LDAP tree in which your users will be searched) and your Username Attribute (the value with which your user will be searched in the AD). Click on Save User Mapping button to save your settings.

• Under the Test Authentication section, you can enter your user’s username and password to test your connection and authentication with the LDAP Server.

• In the Attribute Mapping tab, enter the Username of the user present in your AD and click on Check Attributes Receiving button to get a list of the attributes received from the AD.

• From the Sign-in Settings tab, select the ,Enable LDAP login checkbox to enable login using LDAP. Click on the Save button to save this option. You can enable it only after configuring the plugin configuration.

• Congratulations, you have successfully configured the miniOrange LDAP plugin with your Active Directory.

24*7 Active Support

If you face any issues or if you have any questions, please feel free to reach out to us at joomlasupport@xecurify.com. In case you want some additional features to be included in the Plugin, please get in touch with us, and we can get that custom-made for you. Also, If you want, we can also schedule an online meeting to help you configure the Joomla LDAP Plugin.