kgrube
Just set up a new install of DokuWiki on a Windows Server 2003 SBS machine running IIS 6 and PHP 5.2.
I've been trying, over the past week or so, to get LDAP working to authenticate against our DC which is on a different network.
Here's what I have for conf/local.protected.php
<?php
$conf['useacl'] = 1;
$conf['openregister']= 0;
$conf['authtype'] = 'ldap';
$conf['auth']['ldap']['server'] = 'ldap://dc1.***.local:389';
# These settings "work"
$conf['auth']['ldap']['groupfilter'] = '(&(objectClass=Group)(|(gidNumber=%{gid})(memberUid=%{user})))';
$conf['auth']['ldap']['userfilter'] = '(userPrincipalName=%{user}@*****.local)';
$conf['auth']['ldap']['usertree'] = 'OU=*****, OU=Users, OU=MyBusiness, DC=****, DC=local';
$conf['auth']['ldap']['grouptree'] = 'OU=Security Groups, OU=MyBusiness, DC=****, DC=local';
# This is optional and is required to be off when using Active Directory:
$conf['auth']['ldap']['referrals'] = 0;
# Optional bind user and password if anonymous bind is not allowed (develonly)
$conf['auth']['ldap']['binddn'] = 'CN=username, OU=****, OU=Users, OU=MyBusiness, DC=****, DC=local';
$conf['auth']['ldap']['bindpw'] = 'mypassword';
# Mapping can be used to specify where the internal data is coming from.
$conf['auth']['ldap']['mapping']['name'] = 'userPrincipalName';
$conf['auth']['ldap']['mapping']['grps'] = array('memberof' => '/CN=(.+?),/i');
# Optional debugging
$conf['auth']['ldap']['debug'] = 1;
I've got 2 groups in Active Directory in the same OU as specified by the 'grouptree' element. They are WikiUsers and WikiAdmins, and no users in either group seem to get granted permissions based on these memberships. Users can log in using their network login, but aren't granted access based off AD groups...
My ACL setup is simple: If you're not in one of those 2 groups, you can't see anything.
* @WikiUsers 8
* @WikiAdmins 255
start @ALL 1
* @All 0
I think the problem is with either the grouptree setting, the mapping grps setting, or the groupfilter. I'm no PHP guru by any means, so any help is appreciated!
kgrube
My Test User account is a member of the WikiUsers group, but when I append ?do=check, it just says member of group user.
However, MY user account is a member of WikiAdmins and a bunch of other groups for active directory and ?do=check shows these group memberships. Why would one account's group memberships come through correctly where another user account doesn't?
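Added example (not part of the original posts and not DokuWiki's own code): a stand-alone PHP check of what the posted mapping['grps'] pattern extracts from memberOf values, useful next to ?do=check when a user's groups do not show up. It assumes the pattern is applied once to each memberOf value; the user names, DNs and the groups_from_entry() helper are constructed for illustration.

```php
<?php
// Added example: run the thread's mapping['grps'] pattern over memberOf values.
// Assumption: the LDAP backend applies the pattern once per attribute value.
$pattern = '/CN=(.+?),/i';   // pattern from the posted configuration

// Constructed LDAP entries (hypothetical users and DNs, not from the thread).
$entries = array(
    // Two group DNs; the second uses a lowercase "cn=" prefix.
    'admin.user' => array('memberof' => array(
        'CN=WikiAdmins,OU=Security Groups,OU=MyBusiness,DC=example,DC=local',
        'cn=Domain Admins,CN=Users,DC=example,DC=local',
    )),
    // Group whose CN contains an escaped comma.
    'escaped.cn' => array('memberof' => array(
        'CN=Wiki\\, Editors,OU=Security Groups,OU=MyBusiness,DC=example,DC=local',
    )),
    // Entry returned without any memberOf attribute.
    'test.user' => array(),
);

// Hypothetical helper: collect the first capture group from every memberOf value.
function groups_from_entry(array $entry, $pattern) {
    $groups = array();
    $values = isset($entry['memberof']) ? (array) $entry['memberof'] : array();
    foreach ($values as $dn) {
        // The lazy (.+?) stops at the first comma, even a backslash-escaped one,
        // so a CN containing "\," is cut short.
        if (preg_match($pattern, $dn, $m)) {
            $groups[] = $m[1];
        }
    }
    return $groups;
}

foreach ($entries as $user => $entry) {
    $groups = groups_from_entry($entry, $pattern);
    printf("%-11s %s\n", $user, $groups ? implode(', ', $groups) : '(no groups from memberOf)');
}
```

Active Directory's memberOf attribute does not list a user's primary group, so an entry can come back without the group value this pattern needs.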