Although the AD guide and the LDAP guide both have some great information, each of them left me in a semi-broken state. After playing with it for way longer than I should have, I've managed to cobble together configs that work for both. I'll post them here for anyone else who is having the same problems I did. My environment is IIS 7 on Server 2008 R2.
Authtype=AD
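<?php
// DokuWiki local config for the Active Directory ('ad') auth backend with SSO.

// general DokuWiki options
$conf['useacl'] = 1;
// User accounts are controlled by AD and, since we're using SSO, there is nothing
// to log out of, so registration, password reset and logout are hidden.
$conf['disableactions'] = 'register,resendpwd,logout';
$conf['authtype'] = 'ad';

// configure your Active Directory data here
$conf['auth']['ad']['account_suffix'] = '@domain.tld';
$conf['auth']['ad']['base_dn'] = 'DC=domain,DC=tld';
$conf['auth']['ad']['domain_controllers'] = 'server.domain.tld';

// Enable SSO. The backend trusts the identity the web server hands over, so
// Windows Authentication must actually be enforced by IIS for the wiki path.
$conf['auth']['ad']['sso'] = 1;

// Service account with permission to perform AD lookups. Use a dedicated,
// read-only account: its password sits here in clear text, so keep this file
// readable only by the web server process and out of any backups/VCS you share.
$conf['auth']['ad']['ad_username'] = 'user';
$conf['auth']['ad']['ad_password'] = 'secret';

$conf['auth']['ad']['real_primarygroup'] = 1;

// In my case, enabling SSL and TLS prevented SSO but still allowed AD auth: with
// them enabled I was prompted to log in and only my first name was shown, all in
// lower case; with them disabled, SSO worked and pulled my full name from AD.
// I disabled this, but that's probably because my domain isn't set up correctly.
// Caveat: with both off, the lookup account's bind password and every user
// attribute fetched travel to the domain controller unencrypted.
/*
$conf['auth']['ad']['use_ssl'] = 1;
$conf['auth']['ad']['use_tls'] = 1;
*/

$conf['auth']['ad']['recursive_groups'] = 1; // If the number of groups in AD is large, switching to 0 improves performance, but indirect membership will not work
$conf['auth']['ad']['additional'] = 'department,office'; // additional attributes to fetch

// find groups for the current user (dn). I'm not sure what this does, but it
// doesn't seem to break anything.
$conf['auth']['ad']['groupfilter'] = '(&(cn=*)(Member=%{dn})(objectClass=group))';

// Admin. Each setting is a single comma-separated string of users/@groups.
// The domain groups are just to show syntax because @wikiusers contains
// @domain_users, etc. and recursive group lookup *does* work in this config.
// Note this is different in LDAP auth.
$conf['manager'] = '@domain_users,@wikiusers';
$conf['superuser'] = '@domain_admins,@wikiadmins';

// Debug. These switches surface lookup diagnostics to whoever is using the wiki;
// turn them off once the setup works. userinfo_debug doesn't seem to do anything,
// but it doesn't seem to break anything either.
$conf['auth']['ad']['debug'] = 1;
$conf['auth']['ad']['userinfo_debug'] = 1;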
Authtype=LDAP
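<?php
// DokuWiki local config for the generic 'ldap' auth backend pointed at Active Directory.

$conf['useacl'] = 1;
$conf['openregister'] = 0;
$conf['authtype'] = 'ldap';

// Plain ldap:// on 389: the bind password below and all user attributes cross the
// network unencrypted. Once the basic setup works, prefer ldaps:// (636) or the
// plugin's starttls option.
$conf['auth']['ldap']['server'] = 'ldap://server.domain.tld:389';

# These settings "work"
$conf['auth']['ldap']['groupfilter'] = '(&(objectClass=Group)(|(gidNumber=%{gid})(memberUid=%{user})))';
$conf['auth']['ldap']['userfilter'] = '(userPrincipalName=%{user}@domain.tld)';
$conf['auth']['ldap']['usertree'] = 'OU=users, DC=domain, DC=tld';
$conf['auth']['ldap']['grouptree'] = 'OU=Groups, DC=domain, DC=tld';

# This is optional and is required to be off when using Active Directory:
$conf['auth']['ldap']['referrals'] = 0;

# Optional bind user and password if anonymous bind is not allowed.
# The bind DN must use the same domain components as usertree/grouptree
# (DC=domain,DC=tld); a typo here makes every bind fail. Use a dedicated,
# read-only lookup account: the password is stored in clear text, so keep this
# file readable only by the web server process.
$conf['auth']['ldap']['binddn'] = 'CN=user,OU=users,DC=domain,DC=tld';
$conf['auth']['ldap']['bindpw'] = 'secret';

# Mapping can be used to specify where the internal data is coming from.
$conf['auth']['ldap']['mapping']['name'] = 'userPrincipalName';
$conf['auth']['ldap']['mapping']['grps'] = array('memberof' => '/CN=(.+?),/i');

# Optional debugging -- exposes lookup diagnostics to wiki users; disable once it works.
$conf['auth']['ldap']['debug'] = 1;

// Admin. Each setting is a single comma-separated string of users/@groups.
// In my case I did not need to use underscores or even %5F with LDAP
// authentication. It recognizes spaces in group names just fine.
$conf['manager'] = '@domain users, @wikiusers';
$conf['superuser'] = '@domain admins, @wikiadmins';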