We have a DokuWiki installation on the intranet that has been up and running, using LDAP authentication, with Windows 2000 and Active Directory. The initial install and authentication setup worked straight off and has been working fine all the way up until two days ago. ACLs have been used and access granted based on AD groups, also without any problem.
Wednesday night some patches were applied to the Active Directory server(s), although we can't find anything remotely related to LDAP/authentication in the patches. After the patching, DokuWiki authentication only works partially. What seems to be the problem is the listing of groups that is received from the AD server. I can't for the life of me figure out what has changed or how to fix this and hope that someone has had a similar problem or a tip to get us a step further.
The configuration file looks like this:
<?php
/*
* Dokuwiki's Main Configuration File - Local Settings
* Auto-generated by config plugin
* Run for user: twsstbj
* Date: Wed, 10 Jan 2007 10:42:05 +0100
*/
$conf['title'] = 'Home';
$conf['useacl'] = 1;
$conf['authtype'] = 'ldap';
$conf['superuser'] = '@wikiadm';
$conf['spellchecker'] = 1;
$conf['openregister'] = '0';
$conf['pluginmanager'] = '1';
$conf['auth']['ldap']['server'] = '<removed>';
$conf['auth']['ldap']['binddn'] = '%{user}@%{server}';
$conf['auth']['ldap']['usertree'] = 'dc=<removed>,dc=<removed>';
$conf['auth']['ldap']['userfilter'] = '(userPrincipalName=%{user}@%{server})';
$conf['auth']['ldap']['mapping']['name'] = 'displayname';
$conf['auth']['ldap']['mapping']['grps'] = 'array(\'memberof\'=>\'/CN=(.+?),/i\')';
$conf['auth']['ldap']['groupfilter'] = '(&(objectClass=group)(member=%{dn}))';
$conf['auth']['ldap']['referrals'] = '0';
$conf['auth']['ldap']['version'] = '3';
$conf['auth']['ldap']['debug'] = true;
@include(DOKU_CONF.'local.protected.php');
// end auto-generated content
* Settings marked <removed> are changed for anonymity purposes.
* The debug option is turned on for troubleshooting purposes.
At login, the username and password seem to be accepted and the "Login" button changes to "Logout". Apache spits out the following error messages though:
Warning: in_array(): Wrong datatype for second argument in /srv/www/htdocs/inc/auth/ldap.class.php on line 236
Warning: Cannot modify header information - headers already sent by (output started at /srv/www/htdocs/inc/auth/ldap.class.php:236) in /srv/www/htdocs/inc/auth.php on line 129
Warning: Cannot modify header information - headers already sent by (output started at /srv/www/htdocs/inc/auth/ldap.class.php:236) in /srv/www/htdocs/inc/actions.php on line 128
And the LDAP debug trace gives the following message:
LDAP user search: Success [ldap.class.php:173]
So it seems to me that it works partially. Line 236 in ldap.class.php contains the following:
if(!in_array($conf['defaultgroup'],$info['grps'])){
Which makes me suspect that the problem may be the group listing received from the AD server, but I am at a loss as to why.
Anyone have a tip for further troubleshooting?
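
Added example, not part of the original post and not DokuWiki's own code: the in_array() warning means `$info['grps']` was not an array at line 236, and the posted file assigns the `grps` mapping as a quoted string rather than a PHP array, so one thing to check is what each form yields. The function name `groups_from_mapping`, the sample `memberof` values and the assumption that the mapping is consumed as `array('attribute' => '/regex/')` are illustrative; the entry is a simplified stand-in for an LDAP search result.

```php
<?php
// Added diagnostic sketch, not DokuWiki code. All sample values are constructed.

// Returns the group names a 'grps' mapping would yield from an LDAP entry,
// or null when the mapping is not of the form array('attribute' => '/regex/').
function groups_from_mapping($mapping, array $ldapEntry)
{
    if (!is_array($mapping) || count($mapping) !== 1) {
        return null; // e.g. a string that merely looks like array(...)
    }
    $attr   = key($mapping);
    $regexp = current($mapping);
    $groups = array();
    $values = isset($ldapEntry[$attr]) ? (array) $ldapEntry[$attr] : array();
    foreach ($values as $dn) {
        if (preg_match($regexp, $dn, $m)) {
            $groups[] = $m[1]; // first capture: the CN of the group DN
        }
    }
    return $groups;
}

// Constructed entry with lower-case attribute names, as PHP's LDAP functions return them.
$entry = array(
    'memberof' => array(
        'CN=wikiadm,OU=Groups,DC=example,DC=local',
        'CN=Domain Users,CN=Users,DC=example,DC=local',
    ),
);

// The value exactly as written in the auto-generated file: a quoted string.
$asSaved = 'array(\'memberof\'=>\'/CN=(.+?),/i\')';
// The same setting written as a real PHP array.
$asArray = array('memberof' => '/CN=(.+?),/i');

foreach (array('as saved' => $asSaved, 'as array' => $asArray) as $label => $mapping) {
    $grps = groups_from_mapping($mapping, $entry);
    printf("%-9s type=%-6s groups=%s usable-by-in_array=%s\n",
        $label, gettype($mapping),
        $grps === null ? 'NULL' : implode(',', $grps),
        is_array($grps) ? 'yes' : 'no');
}
```

If the string form is what the wiki actually loads, the login can still succeed while no groups are resolved, which matters here because the ACLs and the `@wikiadm` superuser setting depend on group membership.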