Active directory integration
aztam #1
Member since May 2008 · 1 post
Group memberships: Members
Subject: Active directory integration
I am trying to set up LDAP authentication using DokuWiki and Windows 2003 Active Directory.

My local.php contains the following:
<?php

// Superuser
$conf['useacl'] = 1;
$conf['superuser']   = '@ict';    //The admin can be user or @group

// Lang
$conf['lang']        = 'en';              //your language

// For LDAP !
$conf['openregister'] = 0;
$conf['authtype'] = 'ldap';

$conf['auth']['ldap']['server']      = 'ldap://serveraddress.co.uk:389';
$conf['auth']['ldap']['binddn']           = '%{user}@%{server}';
$conf['auth']['ldap']['mapping']['name']  = 'displayname';
$conf['auth']['ldap']['mapping']['grps']  = array('memberof' => '/CN=(.+?),/i');
$conf['auth']['ldap']['referrals']        = 0;
$conf['auth']['ldap']['usertree']    = 'cn=%{user}, OU=test,DC=co, DC=uk';
$conf['auth']['ldap']['grouptree']   = 'OU=test, dc=co, dc=uk';

$conf['auth']['ldap']['version']    = 3;

# Optional debugging
$conf['auth']['ldap']['debug']      = true;
?>


I have a test OU in active directory which contains one user (testuser).

When attempting to log in using the testuser account I get the following error messages:

LDAP: bind with cn=testuser, OU=test,DC=co, DC=uk failed [ldap.class.php:90]
LDAP user dn bind: Invalid credentials
Sorry, username or password was wrong.

I am a bit stumped as to what the problem could be. Any help would be very much appreciated.
og #2
Member since May 2006 · 44 posts · Location: 86899 Landsberg
Group memberships: Members
Hello,

I'm currently trying to do the same thing.
As far as I understand your setup, you're using the login credentials of DokuWiki to bind against the LDAP of ADS.
That means what you enter to log into DokuWiki (user/password) must match your test user in AD (mention the password!).

Another thing I was wondering about in your setup is the way you chose usertree. I think this should be the OU in which the users are located, not the full DN of the user itself. So for you it should be sufficient to use:
  $conf['auth']['ldap']['usertree']    = 'OU=test,DC=co, DC=uk';

I'm currently using another approach: giving a real bind account, one which has the rights to list objects from the ADS LDAP database. This bind user (I call it "adbind") has a known password, so I specify it with:
  $conf['auth']['ldap']['bindpw'] = 'password';
This way it is assured that DokuWiki can tell if the given user exists. Your approach can't distinguish between "non-existent user" and "bad password". Well, I really don't know now whether DokuWiki's LDAP auth will communicate this...

The trickiest thing is the resolution of groups. I want to assign the right to log in by a group membership. Only members of a specific group should be able to log in. The bad thing is that a group must be given by its full DN; it can't be looked up in the current version of LDAP-auth. This works, but raises the risk that an OU reorganisation may make DokuWiki unusable. I think the position of a group in the directory should not have any influence. Therefore I set all lookup bases to the base OU of our domain.
This might not work for everyone, especially in large environments, because it could raise lookup times and usage dramatically.

The other part is that you can't use DokuWiki's user management any more. OK, the mail address could be taken from LDAP, as well as the user's real name and groups. But it would be nice to have a list of users allowed to log in, or what groups they belong to. You need this to set up ACLs in DokuWiki. This list of groups would be a great help. Maybe there is a way to improve the ACL plugin to show all available users and groups, just to ease administration?!
Oli...
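The following is an added worked example, not code from either poster or from DokuWiki itself, covering two points raised in this thread: how the %{user}/%{server} placeholders in the first post's usertree and binddn settings turn into the bind DN that appears in the "bind with cn=testuser, ..." error line, and how the memberof regex '/CN=(.+?),/i' extracts group names (including the case where a group CN contains an escaped comma, which the non-greedy match truncates). It also includes a small parser for the "data NNN" sub-code that Active Directory attaches to an LDAP result 49 (invalidCredentials) diagnostic message, which is the check a practitioner uses to tell "user not found" (525) from "wrong password" (52e), the distinction og's reply says a plain user bind cannot make. Assumptions: placeholder substitution is modelled as a plain string replace rather than the plugin's real code, the server name is the bare hostname, and all DNs, memberOf values and the diagnostic string are constructed samples.

```python
import re

# Templates copied from the first post's local.php.
USERTREE_TEMPLATE = 'cn=%{user}, OU=test,DC=co, DC=uk'
BINDDN_TEMPLATE = '%{user}@%{server}'
GROUP_REGEX = r'/CN=(.+?),/i'


def substitute(template, user, server):
    """Fill DokuWiki-style %{user} / %{server} placeholders.

    Assumption: a plain string replace; the plugin's own code is not
    reproduced here.
    """
    return template.replace('%{user}', user).replace('%{server}', server)


def php_regex_to_python(php_pattern):
    """Turn a PHP-style '/body/flags' pattern into a compiled Python regex."""
    m = re.fullmatch(r'/(.*)/([a-z]*)', php_pattern, re.S)
    if not m:
        raise ValueError('expected /pattern/flags form')
    body, flags = m.groups()
    return re.compile(body, re.I if 'i' in flags else 0)


def extract_groups(memberof_values, php_pattern=GROUP_REGEX):
    """Apply the configured grps mapping regex to each memberOf DN.

    Returns the first capture group of every matching value, in order.
    A CN containing an escaped comma is cut at that comma, because the
    non-greedy match stops at the first ',' it sees.
    """
    pat = php_regex_to_python(php_pattern)
    groups = []
    for dn in memberof_values:
        m = pat.search(dn)
        if m:
            groups.append(m.group(1))
    return groups


# Well-known AD sub-codes carried in the 'data NNN' field of the
# diagnostic message that accompanies LDAP result 49.
AD_BIND_SUBCODES = {
    '525': 'user not found',
    '52e': 'invalid credentials (wrong password)',
    '530': 'not permitted to log on at this time',
    '531': 'not permitted to log on at this workstation',
    '532': 'password expired',
    '533': 'account disabled',
    '701': 'account expired',
    '773': 'user must reset password',
    '775': 'account locked out',
}


def classify_ad_bind_error(diag_message):
    """Return the meaning of the 'data NNN' sub-code, or None if absent."""
    m = re.search(r'\bdata\s+([0-9a-fA-F]+)\b', diag_message)
    if not m:
        return None
    return AD_BIND_SUBCODES.get(m.group(1).lower())


if __name__ == '__main__':
    user, server = 'testuser', 'serveraddress.co.uk'  # constructed values
    print('bind DN from binddn  :', substitute(BINDDN_TEMPLATE, user, server))
    print('bind DN from usertree:', substitute(USERTREE_TEMPLATE, user, server))

    # Constructed memberOf values; the last CN contains an escaped comma.
    memberof = [
        'CN=ict,OU=test,DC=co,DC=uk',
        'CN=Domain Users,CN=Users,DC=co,DC=uk',
        'CN=Wiki Editors\\, Sales,OU=test,DC=co,DC=uk',
    ]
    print('groups:', extract_groups(memberof))

    # Constructed diagnostic string in the format AD attaches to result 49.
    diag = ('80090308: LdapErr: DSID-0C0903A9, comment: '
            'AcceptSecurityContext error, data 52e, v1db1')
    print('bind failure reason:', classify_ad_bind_error(diag))
```

Running the script shows that the usertree template with user "testuser" substituted is exactly the DN quoted in the first post's error line, so the failing bind was attempted with that DN. The group extraction prints 'ict' and 'Domain Users' but only 'Wiki Editors\' for the third value, which is why group names with embedded commas need either a regex that honours the backslash escape or a different group attribute. With debug enabled, the sub-code parser applied to the server's diagnostic message gives the precise reason for a result-49 failure instead of the generic "Invalid credentials".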
This board is powered by the Unclassified NewsBoard software, 1.6.4, © 2003-7 by Yves Goergen