I just installed DokuWiki on a Windows Server 2012 R2 machine running IIS 8.5. I'm using the AuthAD plugin to enable SSO with Active Directory. The SSO is working but groups are not being pulled.
I get this error when I load a page with "do=check":

```
AD Auth: Bind to Active Directory failed. Check the login credentials and/or server details. AD said: Can't contact LDAP server
```

Followed by no groups being reported...

```
You are part of the groups
```

Here are the relevant options in local.protected.php:
```php
<?php
// general DokuWiki options
$conf['useacl'] = 1;
$conf['authtype'] = 'authad';
$conf['disableactions'] = 'register,resendpwd,profile,profile_delete,logout';

// configure your Active Directory data here
$conf['plugin']['authad']['account_suffix'] = '@ussndx.Radiometer.RMG';
$conf['plugin']['authad']['base_dn'] = 'DC=ussndx,DC=Radiometer,DC=RMG';
$conf['plugin']['authad']['domain_controllers'] = 'ussndx.Radiometer.RMG'; // multiple can be given
$conf['plugin']['authad']['admin_username'] = '<accountWithADAccess>';
$conf['plugin']['authad']['admin_password'] = '<password>';
$conf['plugin']['authad']['sso'] = 1;
$conf['plugin']['authad']['real_primarygroup'] = 1;
$conf['plugin']['authad']['debug'] = 1;
$conf['plugin']['authad']['recursive_groups'] = 1;
```

If I remove the lines in the config for `admin_username` and `admin_password`, then the error goes away altogether but I still can't get any groups.
Using Active Directory Explorer, I can use `<accountWithADAccess>` to query AD and I'm able to view users and the groups they belong to, so that account shouldn't have any problems connecting to and querying AD.
Things I've tried but did not work:
- set account suffix to blank
- change password encryption method from smd5 to md5 (not sure how this is related at all but it was suggested in a post)
- modified infoutils.php line 216 just to get the group printing to work without throwing an error with PHP 7.2:

  ```php
  msg('You are part of the groups '.join($INFO['userinfo']['grps'] ?? [],', '),0);
  ```

How can I get the AuthAD plugin to get the group information with an account that should already be able to query it?