
Authentication backend: LDAP

Authentication against an LDAP directory using the acl feature. Works for me™.

FIXME adjust for new auth mechanisms, put example configs on their own pages

Configuration

Below is an example conf/local.php configuration for authenticating against an LDAP directory. New users cannot be added through the LDAP backend.

In versions after 2006, LDAP authentication fails with an error saying that the anonymous user cannot be bound. To fix this, add the following line:

$conf['auth']['ldap']['server']      = 'ldap://server.tld:389';
$conf['useacl']      = 1;
$conf['openregister']= 0;
$conf['authtype']    = 'ldap';
 
$conf['auth']['ldap']['server']      = 'localhost';
$conf['auth']['ldap']['port']        = 389;
$conf['auth']['ldap']['usertree']    = 'ou=People, dc=server, dc=tld';
$conf['auth']['ldap']['grouptree']   = 'ou=Group, dc=server, dc=tld';
$conf['auth']['ldap']['userfilter']  = '(&(uid=%{user})(objectClass=posixAccount))';
$conf['auth']['ldap']['groupfilter'] = '(&(objectClass=posixGroup)(|(gidNumber=%{gid})(memberUID=%{user})))';
 
# This is optional but may be required for your server:
#$conf['auth']['ldap']['version']    = 3;
 
# This enables the use of the STARTTLS command
#$conf['auth']['ldap']['starttls']   = 1;
 
# This is optional and is required to be off when using Active Directory:
#$conf['auth']['ldap']['referrals']  = 0;
 
# Optional bind user and password if anonymous bind is not allowed (devel only)
#$conf['auth']['ldap']['binddn']     = 'cn=admin, dc=my, dc=home';
#$conf['auth']['ldap']['bindpw']     = 'secret';
 
# Mapping can be used to specify where the internal data is coming from.
#$conf['auth']['ldap']['mapping']['name']  = 'displayname'; # attribute in which Active Directory stores the user's display name
#$conf['auth']['ldap']['mapping']['grps']  = array('memberof' => '/CN=(.+?),/i'); # where groups are defined in Active Directory
 
# Optional debugging
#$conf['auth']['ldap']['debug']      = true;

You can use the version parameter to tell PHP to use version 3 of the LDAP protocol when connecting to your server; the default is version 2.

The userfilter defines an LDAP filter which is used to search for a user. The groupfilter is used to fetch the groups a user is in.

The following variables are available for the userfilter and the groupfilter:

variable    meaning
%{user}     The username the user tried to log in with
%{server}   The server string provided in $conf['auth']['ldap']['server']

The groupfilter can also access all the attributes provided in the user object:

variable    meaning
%{dn}       The user's DN, e.g. uid=user,ou=People,dc=server,dc=dk
%{uid}      The uid of the user, e.g. user
%{…}        Any other attribute of the user object, by attribute name

The mapping is used for directories that use non-“standard” names for attributes; a mapping can apply a regexp to clean the value up before it replaces the target variable. For all variables but 'grps', only the first attribute value is used to replace the variable if more than one is provided.

variable  mapping                               meaning
grps      array('memberof' => '/CN=(.+?),/i')   Replace the content of grps with what is provided in the attribute memberof and apply the regexp /CN=(.+?),/i to every element in it.
name      'displayname'                         Replace the content of name with the first element of the 'displayname' attribute.

Authentication is done in these steps:

  1. First see whether an anonymous bind is needed by looking for %{user} in the usertree:
    • If found: use the usertree (with %{user} substituted) as the DN.
    • If not: search the usertree with the given userfilter to find a DN for the given login; there must be exactly one result.
  2. Try to bind with the found DN and the given password; if this succeeds, access is granted.
  3. To get the groups a user is in, the groupfilter is used to search the grouptree.
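The placeholder substitution, the DN-or-search decision from step 1 and the 'mapping' rules from the table above, as an added example that is not DokuWiki's own ldap.class.php code. The function names, the two escaping helpers and the sample directory entry are constructed for this illustration; the one thing the config examples on this page do not show is that the login name is escaped before it is placed in a filter (RFC 4515) or in a DN (RFC 4514), so a name containing LDAP-special characters stays a single literal value instead of changing the meaning of the filter:

```php
<?php
// Added example, not DokuWiki's own ldap.class.php code. It shows how the
// %{...} placeholders are filled in, that the login name is escaped before it
// is placed in a filter or DN, and how the 'mapping' regexps of the config
// above turn a raw 'memberof' attribute into group names. Function names and
// the sample directory entry are constructed for this illustration.

// Escape a value for use inside an LDAP search filter (RFC 4515).
function ldapFilterEscape(string $value): string {
    return strtr($value, [
        '\\' => '\\5c', '*' => '\\2a', '(' => '\\28', ')' => '\\29', "\0" => '\\00',
    ]);
}

// Escape a value for use inside a distinguished name (RFC 4514); needed when
// %{user} is part of the usertree and the DN is built without a search.
function ldapDnEscape(string $value): string {
    $escaped = strtr($value, [
        '\\' => '\\\\', ',' => '\\,', '+' => '\\+', '"' => '\\"',
        '<'  => '\\<',  '>' => '\\>', ';' => '\\;', '=' => '\\=',
    ]);
    if ($escaped !== '' && ($escaped[0] === ' ' || $escaped[0] === '#')) {
        $escaped = '\\' . $escaped;
    }
    if ($escaped !== '' && substr($escaped, -1) === ' ') {
        $escaped = substr($escaped, 0, -1) . '\\ ';
    }
    return $escaped;
}

// Replace every %{name} in $template with the escaped value from $vars.
// A placeholder without a value becomes empty, which is exactly the symptom
// reported under "Improvement proposals" when %{gid} was not filled in.
function substitute(string $template, array $vars, callable $escape): string {
    return preg_replace_callback('/%\{([^}]+)\}/', function (array $m) use ($vars, $escape) {
        return isset($vars[$m[1]]) ? $escape((string) $vars[$m[1]]) : '';
    }, $template);
}

// Step 1 of the authentication flow: a usertree containing %{user} yields the
// DN directly; otherwise the usertree is searched with the userfilter and
// exactly one hit is required. $search stands in for ldap_search() followed
// by ldap_get_entries() and returns the matching entries for a base and filter.
function resolveUserDn(string $usertree, string $userfilter, string $user, callable $search): ?string {
    if (strpos($usertree, '%{user}') !== false) {
        return substitute($usertree, ['user' => $user], 'ldapDnEscape');
    }
    $hits = $search($usertree, substitute($userfilter, ['user' => $user], 'ldapFilterEscape'));
    return count($hits) === 1 ? $hits[0]['dn'] : null;   // none or ambiguous: no DN, no bind
}

// Apply the 'mapping' config to one entry (attribute names lower-cased, as
// ldap_get_entries() returns them). An array mapping runs its regexp over every
// value of the attribute; for 'grps' all matches are kept, for any other key
// only the first, which is the rule stated in the mapping table above.
function applyMapping(array $mapping, array $entry): array {
    $info = [];
    foreach ($mapping as $localkey => $spec) {
        if (!is_array($spec)) {
            $info[$localkey] = $entry[strtolower($spec)][0] ?? null;
            continue;
        }
        foreach ($spec as $attr => $regexp) {
            foreach ($entry[strtolower($attr)] ?? [] as $value) {
                if (!preg_match($regexp, $value, $match)) {
                    continue;
                }
                if ($localkey === 'grps') {
                    $info['grps'][] = $match[1];
                } elseif (!isset($info[$localkey])) {
                    $info[$localkey] = $match[1];
                }
            }
        }
    }
    return $info;
}

// --- demonstration on a constructed directory entry ---
$entry = [
    'dn'          => 'CN=Alice Example,OU=Users,DC=example,DC=com',
    'displayname' => ['Alice Example'],
    'memberof'    => ['CN=Wiki Admins,OU=Groups,DC=example,DC=com',
                      'CN=Staff,OU=Groups,DC=example,DC=com'],
];
// stand-in for the directory search: prints the substituted filter and returns the entry
$search = function (string $base, string $filter) use ($entry): array {
    echo "search base=$base filter=$filter\n";
    return [$entry];
};
$mapping = ['name' => 'displayname', 'grps' => ['memberof' => '/CN=(.+?),/i']];

// a login name containing filter-special characters stays one literal value
$dn = resolveUserDn('OU=Users,DC=example,DC=com', '(samaccountname=%{user})', 'alice (temp)', $search);
echo "dn: ", $dn ?? 'not found', "\n";
print_r(applyMapping($mapping, $entry));
echo "group filter: ", substitute('(&(objectClass=group)(member=%{dn}))', ['dn' => $dn], 'ldapFilterEscape'), "\n";
```

Run it with the PHP CLI (no LDAP extension needed, since the search is emulated). The printed filter shows the parentheses of the login name turned into their \28 and \29 forms, resolveUserDn returns null rather than a DN when the search returns zero or several entries, and applyMapping yields both group names from memberof but only the first displayname value, mirroring the wording of the mapping table. Real code would use ldap_escape() from ext/ldap for the two escaping helpers; they are written out here so the example runs without it.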

While configuring the LDAP access you may want to enable the debug option which will print the Error messages your LDAP server is delivering. You should disable it again after setup.


Improvement proposals

* The group filter in the example didn't work for me, since %{gid} was empty. When I added the following to getUserData in ldap.class.php, it worked like I expected it to.

$info['gid'] = $user_result['gidnumber'][0];

This has been added for the new upcoming release.
Wouter Schoot 2008-02-19 19:09

* Our groups are stored in several attributes in the user LDAP record. I have modified the following code in the getUserData function:

  if (is_array($this->cnf['mapping'])) {
      foreach ($this->cnf['mapping'] as $localkey => $key) {
          if (is_array($key)) {
              // use regexp to clean up user_result
              // a foreach instead of each() so that several attributes
              // can be parsed when building the group list
              foreach ($key as $attr => $regexp) {
                  if (!empty($user_result[$attr])) {
                      foreach ($user_result[$attr] as $grp) {
                          if (preg_match($regexp, $grp, $match)) {
                              if ($localkey == 'grps') {
                                  $info[$localkey][] = $match[1];
                              } else {
                                  $info[$localkey] = $match[1];
                              }
                          }
                      }
                  }
              }
          } else {
              $info[$localkey] = $user_result[$key][0];
          }
      }
  }

My config line just looks like that :

$conf['auth']['ldap']['mapping']['grps'] = array('edupersonaffiliation' => '/(..+)/i', 'supannaffectation' => '/(..+)/i');

Notes

Here: http://www.ldapbrowser.com/download/index.php you can find freeware LDAP Browser tool. It helped me a lot when digging out proper settings for $conf['auth']['ldap'].

Problems

Strangely, when using the LDAP authentication backend auth_getUserData() behaves weirdly. It allows me to log in and properly obtains the user's data (e.g. groups). It also loads other users' data fine (the blog plugin on the homepage shows user names properly). But as soon as I follow some link and go to another wiki page, auth_getUserData() just returns false. Current user data is stored in $INFO['userinfo'] – that's fine. But other users' info is no longer available. :-( So for example if I return to the homepage, the blog lacks the entries' authors' names. :-(

Any ideas how to fix this? (FYI: I'm using Active Directory)

Dmitry Cherniachenko 2005-10-05 16:18

another problem - Losing Authentication data:

Possibly the same as Dmitry Cherniachenko's bug. I can log in but it does not assign me my correct groups. After doing a bit of debugging I have found that the first time it connects to LDAP it gets all my $this->cnf['grouptree'] settings correctly, but when it comes to checking grouptree again it is empty. A workaround for this is to add this line, 'unset($this->bound)', at the top of getUserData in ldap.class.php, but this is obviously a nasty hack — David Baggaley 2006-01-07

Another problem:

I was wondering if it is possible to get the admin users defined as an LDAP group? I can set up the regular users to log in using the examples given, however the admin users defined in wiki/conf/users.auth.php no longer work. Using LDAP for everything would be great; alternatively, is it possible to still use users.auth.php for the admin users only? — Maciej Lasota 2006-05-15 16:25

Solution for 'Another problem' above:
To enable admin using LDAP authentication backend, put the admin name in your wiki/conf/local.php.

$conf['superuser'] = 'admin_name';

The admin_name is a user_uid in LDAP.

Erick Yanuar 2006-06-04 22:12

Email Address using Active Directory
I am able to authenticate to an AD server. However, if I enable page subscription, the email addresses are not set properly. Anybody got this to work? — Shiva 2006-08-10 12:08

I just ran into this myself. If you are using a user bind, i.e. %{user}@domain, subscriptions won't work because the LDAP lookup will fail. The LDAP authenticator doesn't have the user's password! You must use a service type of user with the bindpw set in your configuration.

ajw 2006-12-15 9:04

No support for Backup LDAP servers
Feature request: Currently only one server can be used, in some setups it would be great to configure more than one server. I suggest to have an array of LDAP servers in the config file like

$conf['auth']['ldap'][1]['server']      = 'ldap://myldap'; (...)
$conf['auth']['ldap'][2]['server']      = 'ldap://myldap-backup'; (...)

If connecting and/or binding to the first server fails, the next LDAP server should be tried.

Markus 2007-08-07 17:54

Logout behaves strangely
If I log out, but then visit a page that does something similar to the following:

if( $_SERVER["REMOTE_USER"] ) {
  doStuff();
}

It still works. Indeed, the $_SERVER array seems to still have REMOTE_USER in it (even though it should've been clobbered in auth_logoff()). What gives?

Moreover (and even weirder) the Login button reappears at the bottom as though REMOTE_USER is empty again.

Fix: You know, they say that responding to your own question is a sign of insanity…

In any case, the fix seems to be to set the cache expiry time way down. What's basically happening is that the dynamically-created content is getting cached and redisplayed (instead of being recomputed). This is OK when we're talking static HTML, but sucks rocks if there's PHP in there.

In any case, I set the expiry time in config to one second and it works great now. The better solution in the long term would be:

  1. Make login state (or better yet, the read priv tag or similar) part of the cache hash.
  2. Don't cache pages with PHP tags in them.

I'll poke at the code and see if I can fix.

Fix Redux: Hmm…

Apparently, some of what I want can be accomplished with the:

~~NOCACHE~~

…directive.

BJ Black 2007-10-10 23:09


Debugging problems

A method/hack described in userinfo debugging allows you to see the complete information on the user currently logged in. This is very useful in debugging LDAP and ACL problems as it displays group membership.

Using ldap and other authentication method

I was looking for a method that I can use ldap user and wiki only users to have access to the wiki. The answer is “chainedauth” developed by Grant Gardner and available at http://www.dokuwiki.org/wiki:tips:chainedauth. Corey (aliasonline@mac.com) 2008-1-29

Examples

These are examples on how to configure DokuWiki for the use with various LDAP servers.

%u can be used instead of %{user}, and %i instead of %{uid}; for more substitutions see auth_ldap.php.

OpenLDAP

OpenLDAP without anonymous bind and userfilter

$conf['auth']['ldap']['server']      = 'ldap.server.tld';
$conf['auth']['ldap']['usertree']    = 'uid=%{user}, ou=People, dc=server, dc=tld';
$conf['auth']['ldap']['grouptree']   = 'ou=Groups, dc=server, dc=tld';
$conf['auth']['ldap']['groupfilter'] = '(&(objectClass=posixGroup)(memberUID=%{uid}))';

OpenLDAP with anonymous bind and userfilter

$conf['auth']['ldap']['server']      = 'ldap.server.tld';
$conf['auth']['ldap']['usertree']    = 'ou=People, dc=server, dc=tld';
$conf['auth']['ldap']['userfilter']  = '(&(objectClass=posixAccount)(uid=%{user}))';
$conf['auth']['ldap']['grouptree']   = 'ou=Groups, dc=server, dc=tld';
$conf['auth']['ldap']['groupfilter'] = '(&(objectClass=posixGroup)(memberUID=%{uid}))';

OpenLDAP with superuser bind and userfilter

$conf['auth']['ldap']['server']   = 'ldap.server.tld';
$conf['auth']['ldap']['binddn']   = 'uid=ldapuser,ou=People,dc=server,dc=tld';
$conf['auth']['ldap']['bindpw']   = 'password';
$conf['auth']['ldap']['usertree'] = 'uid=%{user},ou=People,dc=server,dc=tld';

In version 2006-03-09 I had to change the server entry from

$conf['auth']['ldap']['server']   = 'ldap.server.tld';

to

$conf['auth']['ldap']['server']   = 'ldap://ldap.server.tld:389';

because of DokuWiki telling me that an anonymous bind was impossible with the old entry (which worked fine with release 2005-09-22 before). Maybe this is the same issue as mentioned below with Kolab's OpenLDAP (we use OpenLDAP clients and Sun Java Directory Server). Werner Flamme 2006-03-14


In version 2006-03-09 I had to change the acl.auth.php from

namespace:namespace2:*      @my-group      16

to

namespace:namespace2:*      @my%2dgroup      16

Caylan Van Larson 2006-04-25

I haven't found a bugreport concerning this problem. Will this be fixed in future releases?

Active Directory

Active Directory with groups

  1. Replace “mydomain” and “dom” with the domain name of your AD (dc).
  2. Replace “GROUP_DOKUWIKI_ADMIN” with an admin group name (cn) of your AD.
$conf['useacl']      = 1;
$conf['openregister']= 0;
$conf['authtype']    = 'ldap';
$conf['auth']['ldap']['server']           = 'mydomain.dom';
$conf['auth']['ldap']['binddn']           = '%{user}@%{server}';
$conf['auth']['ldap']['usertree']         = 'dc=mydomain,dc=dom';
$conf['auth']['ldap']['userfilter']       = '(userPrincipalName=%{user}@%{server})';
$conf['auth']['ldap']['mapping']['name']  = 'displayname';
$conf['auth']['ldap']['mapping']['grps']  = array('memberof' => '/CN=(.+?),/i');
$conf['auth']['ldap']['grouptree']   = 'dc=mydomain,dc=dom'; # base for finding groups, the root here
$conf['auth']['ldap']['groupfilter'] = '(&(cn=*)(Member=%{dn})(objectClass=group))'; # find groups for the current user (dn)
$conf['auth']['ldap']['referrals']        = 0; # Switch referrals off for use with Active Directory
$conf['auth']['ldap']['version']          = 3;
$conf['superuser'] = '@GROUP_DOKUWIKI_ADMIN'; # AD group name used for DokuWiki administration
$conf['auth']['ldap']['debug']      = false; # set to true to watch authentication activity (e.g. list of user groups) on the HTML page

Works for me with user groups on AD — Alain Pothin 2007-05-16 15:39

Active Directory others

$conf['auth']['ldap']['server']           = 'addomain.tld';
$conf['auth']['ldap']['binddn']           = '%{user}@%{server}';
$conf['auth']['ldap']['usertree']         = 'dc=addomain,dc=tld';
$conf['auth']['ldap']['userfilter']       = '(userPrincipalName=%{user}@%{server})';
$conf['auth']['ldap']['mapping']['name']  = 'displayname';
$conf['auth']['ldap']['mapping']['grps']  = array('memberof' => '/CN=(.+?),/i');
$conf['auth']['ldap']['referrals']        = 0; # Switch referrals off for use with Active Directory
$conf['auth']['ldap']['version']          = 3;

Works for me — Troels Liebe Bentsen 2005-05-30 23:42

The above works for me, for a while then it will stop working?? I'm using ldaps so maybe that's the problem but it's quite confusing that it works for a few days and then will stop contacting the LDAP server. Zeb Bowden 2005-08-29 14:02

Above doesn't work for me, I have to use this config — Simon Spielmann 2005-06-09 08:12

$conf['auth']['ldap']['server']           = 'servername.domain';
$conf['auth']['ldap']['binddn']           = 'administrator@domain';
$conf['auth']['ldap']['bindpw']           = '*********';
$conf['auth']['ldap']['usertree']         = 'cn=Users,dc=domain';
$conf['auth']['ldap']['userfilter']       = '(samaccountname=%{user})';
$conf['auth']['ldap']['mapping']['name']  = 'displayname';
$conf['auth']['ldap']['mapping']['grps']  = array('memberof' => '/CN=(.+?),/i');
$conf['auth']['ldap']['referrals']        = 0; # Switch referrals off for use with Active Directory
$conf['auth']['ldap']['version']          = 3;

I searched for a few hours to understand why it didn't work. There was just a mistake in the configuration on the following line:
$conf['auth']['ldap']['userfilter'] = '(samaccountname=%u)';
Now it works perfectly. I'm browsing an AD Server under WS2003.

- Hervé Leroux

/*
 * authentication settings
 */
$conf['useacl']       = 1;
$conf['superuser']    = 'ausername';
$conf['openregister'] = 0;
$conf['authtype']     = 'ldap';
 
$conf['auth']['ldap']['server']           = 'ldap://servername.domain.tld:389';
$conf['auth']['ldap']['binddn']           = '%{user}@domain.tld';
$conf['auth']['ldap']['usertree']         = 'ou=Users,dc=domain,dc=tld';
$conf['auth']['ldap']['userfilter']       = '(samaccountname=%{user})';
$conf['auth']['ldap']['mapping']['name']  = 'displayname';
$conf['auth']['ldap']['mapping']['grps']  = array('memberof' => '/CN=(.+?),/i');
$conf['auth']['ldap']['referrals']        = 0; # Switch referrals off for use with Active Directory
$conf['auth']['ldap']['version']          = 3;

- a user, 10.07.2006

To use groups from Active Directory try the following:

$conf['useacl'] = 1;
$conf['openregister'] = 0;
$conf['authtype'] = 'ldap';
$conf['auth']['ldap']['server'] = '127.0.0.1:389';
$conf['auth']['ldap']['binddn'] = '%{user}@yourfulldomainname';
$conf['auth']['ldap']['usertree'] = ''; // point to container where your users are ie OU=x, DC=y etc
$conf['auth']['ldap']['userfilter'] = '(userPrincipalName=%{user}@yourfulldomainname)';
$conf['auth']['ldap']['grouptree']   = ''; // point this to container where your groups are ie CN=Users, DC=x etc
// (struck out) $conf['auth']['ldap']['groupfilter'] = '(&(cn=USR_*)(objectClass=group))'; // specific example of groups starting with USR_
// unfortunately groupfilter returns all the groups so no matter which group you pick for ACL it will match
$conf['auth']['ldap']['mapping']['name'] = 'displayname';
$conf['auth']['ldap']['mapping']['grps'] = array('memberof' => '/CN=(.+?),/i');
$conf['auth']['ldap']['referrals'] = '0';
$conf['auth']['ldap']['version'] = '3';
$conf['superuser'] = '@USR_Systems_Staff'; // specific example of group which has admin rights, can also set specifics in acl.auth.php

As a plus this doesn't seem to require admin credentials to bind to ldap tree. This is currently working with 2003 SP1 under IIS 6, but groups at the moment definitely don't seem to work. The group membership logic seems to need fixing to work with AD.

Alright, after giving this a second try I managed to get group permissions working with a little fiddling

$conf['auth']['ldap']['groupfilter'] = '(&(cn=USR_*)(Member=%{dn})(ObjectCategory=group))';//selects only the groups with the user as a member
//remember dn is the full dn to the user's account - filters on groups starting with USR_

Secondly, in the actual ACLs you need to escape ASCII characters such as '_' by encoding them as %5F etc., but the root user definition in local.php is quite happy with the actual user group, i.e. USR_Systems_Staff. Finally, I don't think this handles nested groups, so you may need to specify additional subgroups to get full coverage for your ACLs.

- Matt, 03.08.2006


the *userPrincipalName* attribute is not required, but the *SAMAccountName* attribute is. thus, this is probably a more correct choice for the userfilter:

$conf['auth']['ldap']['userfilter'] = '(SAMAccountName=%{user})';

Michael Conigliaro 2008-01-15

adLDAP

(yet *another* way to try this…)
Neither of the above worked for me - instead I used the (GPL) adLDAP script. I've written up the solution that worked for me.

On Fri, 2007-03-23 Philipp Krüger wrote: Didn't know where else to put this, so here goes… I've altered the scripts in a way that even special chars from groups are resolved correctly from AD (for example: Domänen-Benutzer or Technical_Support)! :D just change the function auth_nameencode in dokuwiki/inc/auth.php to the following:

function auth_nameencode($name,$skip_group=false){
  global $cache_authname;
  $cache =& $cache_authname;
 
  if (!isset($cache[$name][$skip_group])) {
    $cache[$name][$skip_group] = iconv("UTF-8","ISO-8859-1",$name);
  }
 
  return $cache[$name][$skip_group];
}

and the function _sanitizeGroupName in dokuwiki/inc/auth/ntlm.class.php to:

function _sanitizeGroupName($name) {
  $sName=iconv("UTF-8","ISO-8859-1",$name);
 
  return $sName;
}

That should do the trick - hope this helps somebody… I went half-mad trying to encode the groups correctly! :)

Update: The latest versions of DokuWiki use an improved authentication scheme. I've updated my code to take advantage of this, and you can now download the ntlm.class.php for use. (Still requires that you install/configure adLDAP.) Couldn't *quite* get “Windows Integrated Authentication” working the way I wanted to, though. Oh, fixed above link as well. - James Van Lommel - 2006-03-23

Update: For integrated Windows authentication (running the PHP ISAPI module with IIS) I made the following changes to local.php (which I found somewhere else on this site) and James's ntlm.class.php to make login transparent. I had to switch REQUEST to GET because inc/init.php recreates the REQUEST array by merging GET and POST (which makes sense). - Scott Searcy - 2007-11-16

/* added to local.php */
// necessary for automatic ntlm/htaccess authentication
if (isset($_SERVER['AUTH_USER']) and !isset($_SESSION[$conf['title']]['auth']['info'])) {
  // DOMAIN\user -> user; explode() replaces the split() call that later PHP versions removed
  list($d, $username) = explode("\\", strtolower($_SERVER['AUTH_USER']), 2);
  $_GET['u'] = $username;
}
 
/* uncommented in inc/auth/ntlm.class.php */
function auth_checkPass($user, $pass){
  // verify that IIS has authenticated this person via NTLM
  if(isset($_SERVER['AUTH_USER']) and isset($_SERVER['AUTH_TYPE'])) {
    return true;
  }else{
    return false;
  }
}

Had a hard time with the changed LDAP stuff in the recent versions, but the following works fine for me. - Dietmar Krause - 2005-08-10

$conf['auth']['ldap']['server']      = 'server.corp.company.com';
$conf['auth']['ldap']['usertree']    = 'OU=User,dc=corp,dc=company,dc=com';
$conf['auth']['ldap']['binddn']      = 'CN=someuser,OU=Testuser,OU=User,DC=corp,DC=company,DC=com';
$conf['auth']['ldap']['bindpw']      = '*******';
$conf['auth']['ldap']['userfilter']  = '(samaccountname=%{user})';
$conf['auth']['ldap']['grouptree']   = 'OU=Groups,OU=User,dc=corp,dc=company,dc=com';
$conf['auth']['ldap']['groupfilter'] = '(&(objectClass=group)(member=%{dn}))';
$conf['auth']['ldap']['referrals']   = 0;
$conf['auth']['ldap']['version']     = 3;

Lotus Domino (Notes)

$conf['auth']['ldap']['server']      = 'localhost';
$conf['auth']['ldap']['usertree']    = 'O=YourNotesOrganization/C=US';
$conf['auth']['ldap']['grouptree']   = 'O=YourNotesOrganization/C=US';
$conf['auth']['ldap']['userfilter']  = '(&(uid=%{user})(objectClass=dominoPerson))';
$conf['auth']['ldap']['groupfilter'] = '(&(objectClass=dominoGroup)(member=CN=%{user}))';

Domino 7.0 doesn't seem to accept the above format, but the following worked for me. Also, it allows you to login via the CN (Domino 'User Name') or the uid (Domino 'short name').

$conf['auth']['ldap']['server']      = 'localhost';
$conf['auth']['ldap']['usertree']    = 'O=YourNotesOrganization/C=US';
$conf['auth']['ldap']['grouptree']   = '';
$conf['auth']['ldap']['userfilter']  = '(&(|(CN=%{user})(uid=%{user}))(objectClass=dominoPerson))';
$conf['auth']['ldap']['groupfilter'] = '(&(objectClass=dominoGroup)(member=CN=%{cn}*))';

Setting grouptree to Null will stop ldap.class.php from doing the group lookup, these settings work for me on Notes 7:

$conf['auth']['ldap']['server'] = 'ldap://myldap.mydomain.edu';
$conf['auth']['ldap']['port'] = '389';
$conf['auth']['ldap']['usertree']    = 'C=US';
$conf['auth']['ldap']['grouptree']   = 'RootDSE';
$conf['auth']['ldap']['userfilter'] = '(&(uid=%{user})(objectClass=*))';
$conf['auth']['ldap']['groupfilter'] = '(&(objectClass=dominoGroup)(member=CN=%{cn}*))';

Open Directory (Mac OS X Server)

$conf['auth']['ldap']['server']      = 'odmaster.your.domain.com';
$conf['auth']['ldap']['usertree']    = 'cn=users,dc=your,dc=domain,dc=com';
$conf['auth']['ldap']['grouptree']   = 'cn=groups,dc=your,dc=domain,dc=com';
$conf['auth']['ldap']['userfilter']  = '(&(uid=%{user})(objectClass=posixAccount))';
$conf['auth']['ldap']['groupfilter'] = '(&(objectClass=posixGroup)(memberUID=%{uid}))';
$conf['auth']['ldap']['version']     = 3;

Works on a 10.3.9 web server with an external 10.3.9 Open Directory server, as described above. Except the @user group doesn't seem to work. The @logged_in group works as described in acl.

OpenLDAP from Kolab2 schema

I'm using this at the moment, works fine.

$conf['auth']['ldap']['server']      = 'mykolabserver'; #replace with hostname of your kolab server (must be resolvable by dokuwiki web srvr)
$conf['auth']['ldap']['usertree']    = 'dc=mydomain, dc=com'; #replace with your domain
$conf['auth']['ldap']['grouptree']   = 'dc=mydomain, dc=com'; #replace with your domain
$conf['auth']['ldap']['userfilter']  = '(&(uid=%{user}))';
$conf['auth']['ldap']['groupfilter'] = '(&(objectClass=kolabGroupOfNames)(member=%{dn}))';
$conf['auth']['ldap']['mapping'] = array();

I had to specify a port number on the ldap_connect to get this to work. Maybe it's just me.

Added the following to inc/auth/ldap.php to replace $LDAP_CONNECTION = @ldap_connect($cnf['server']);

    if ($cnf['port']) {
        $LDAP_CONNECTION = @ldap_connect($cnf['server'], $cnf['port']);
    } else {
        $LDAP_CONNECTION = @ldap_connect($cnf['server']);
    }

Then added the following to conf/local.php

# Set the appropriate TCP port number
$conf['auth']['ldap']['port']   = 389;  // 389 for starttls

Novell eDirectory (OpenLDAP-ish)

Boy, this one was tricky. You will notice the new parameter groupkey, which is needed if 'cn' does not supply a suitable group name for group objects on your LDAP server but 'commonname' does, as is the case with Novell's eDirectory. Note that it is case-sensitive: lower case! If you then patch your DokuWiki codebase with the patch 1) from:

http://woodchuck.digriz.org.uk/wiki/_media/common/dokuwiki/dokuwiki-edir.diff  // link not working

You should be able to drop the following into your dokuwiki.conf.php file.

/* ldap stuff */
$conf['auth']['ldap']['server']         = 'ldaps://server.example.co.uk/';
$conf['auth']['ldap']['usertree']       = 'ou=example,o=co,c=uk';
$conf['auth']['ldap']['userfilter']     = '(&(objectClass=person)(&(objectClass=ndsLoginProperties)(commonName=%{user})))';
$conf['auth']['ldap']['grouptree']      = 'ou=Groups,ou=example,o=co,c=uk';
$conf['auth']['ldap']['groupfilter']    = '(&(objectClass=groupOfNames)(member=%{dn}))';
$conf['auth']['ldap']['groupkey']       = 'commonname';
 
#$conf['auth']['ldap']['debug']         = true;

As usually only anonymous lookups are allowed when not using an SSL'ed connection, you will also need to add the following line to /etc/openldap/ldap.conf and if you are using mod_php remember to restart Apache.

TLS_REQCERT never

This disables certificate validation, we currently do not have a CA infrastructure in place but as the dokuwiki web server is physically next to our LDAP server it should be 'safe' for now. If you are putting this in a hostile environment you must validate the certificate, I'll leave that to you as I will be looking into it when I need to ;)
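TLS_REQCERT never switches certificate validation off for every OpenLDAP client on that host, so the bind DN and password DokuWiki sends over LDAPS or STARTTLS are no longer protected against an impersonated directory server. The hardened form, added here as an example and not part of the original contribution, pins the CA that issued the server certificate instead; the certificate path is an assumption:

```conf
# /etc/openldap/ldap.conf
# CA certificate that issued the directory server's certificate (path is an assumption)
TLS_CACERT   /etc/openldap/certs/ldap-ca.pem
# refuse the connection when the server certificate cannot be validated (this is also the default)
TLS_REQCERT  demand
```

With this in place the "Can't contact LDAP server" symptom on an ldaps:// URI usually means the certificate chain really does not validate (wrong CA file, or a hostname that does not match the certificate), which is the condition the setting is meant to catch; the debug option from the configuration section shows the exact error the server returns.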

8-o Please, can someone update this page with instructions on connecting to eDirectory via SSL (LDAPS) on Windows 2003 running IIS 6.0? I also need to use a certificate to connect via LDAPS on port 636. The standard $conf['auth']['ldap']['server'] = 'ldaps://server.example.net/'; format does not work. I receive the following: LDAP bind as superuser: Can't contact LDAP server. I have added the eDirectory certificate into the local machine personal certificate store… no success. LDAP on 389 works, but that is not an option for me. I apologize if this is the wrong location for this.


I keep getting this error on my dokuwiki site

User authentication is temporarily unavailable. If this situation persists, please inform your Wiki Admin.

I am not sure what the problem is as there is nothing in the apache logs and it appears that the ldap query doesnt even reach the ldap server as there is nothing in the logs about a failed login attempt. How can I get more info from dokuwiki about the cause of this error?

This error can be due to your PHP infrastructure not having LDAP support. Make sure you have the php-ldap package installed.

dfernandez

Univention Corporate Server (UCS)

$conf['auth']['ldap']['server'] = 'ldap://1.2.3.4';
$conf['auth']['ldap']['port'] = '389';
$conf['auth']['ldap']['usertree'] = 'cn=users, dc=basedn';
$conf['auth']['ldap']['grouptree'] = 'cn=groups, dc=basedn';
$conf['auth']['ldap']['userfilter'] = '(&(uid=%{user})(objectClass=posixAccount))';
$conf['auth']['ldap']['groupfilter'] = '(&(objectClass=posixGroup)(|(gidNumber=%{gid})(uniqueMember=%{dn})))';

Hi, I need help… can anyone tell me how to log in using an alias name? What changes need to be made in ldap.class.php or local.php?

Fedora Directory Server With Group

$conf['auth']['ldap']['server']      = 'ldap://1.2.3.4:389';
$conf['auth']['ldap']['usertree']    = 'ou=People,dc=example,dc=com';
$conf['auth']['ldap']['grouptree']   = 'ou=Groups,dc=example,dc=com';
$conf['auth']['ldap']['userfilter']  = '(&(uid=%{user})(objectClass=posixAccount))';
$conf['auth']['ldap']['groupfilter'] = '(&(uniquemember=%{dn}))';
$conf['auth']['ldap']['version']     = 3;

Note that you need to use %{dn} for the uniquemember. Then for superuser just specify your group:

$conf['superuser'] = '@wiki admins';

The group name that I specified does have a space in it, and it is working with a default Fedora Directory Server install.

OpenLDAP on SuSE Linux Enterprise Server

This worked for me with a default SLES 10 configuration:

$conf['auth']['ldap']['server']      = 'ldap://server.tld:389';
$conf['auth']['ldap']['port']        = 389;
$conf['auth']['ldap']['usertree']    = 'ou=People,dc=server,dc=tld';
$conf['auth']['ldap']['grouptree']   = 'ou=Group,dc=server,dc=tld';
$conf['auth']['ldap']['userfilter']  = '(&(uid=%{user})(objectClass=posixAccount))';
$conf['auth']['ldap']['groupfilter'] = '(&(Member=%{dn})(objectClass=posixGroup))';
$conf['auth']['ldap']['version']     = 3;

The groupfilter attribute is what's important, and I recommend creating an “admin” group in the directory, setting superuser to ”@admin” and adding the users you want to administer the wiki to that group using the YaST user manager.

Oracle Internet Directory

$conf['openregister']= 0;
$conf['authtype']    = 'ldap';
$conf['auth']['ldap']['server']      = 'ldap://servername.com';
$conf['auth']['ldap']['port']        = 389;
$conf['auth']['ldap']['version']     = 3;
$conf['auth']['ldap']['usertree']    = 'cn=Users,dc=domain,dc=com';
$conf['auth']['ldap']['userfilter']  = '(&(uid=%{user}))';


1) this patch is backwards compatible and if 'groupkey' is not present it assumes you want 'cn'