====== LDAP Auth Backend: Active Directory Examples ======
Below are example configurations for use with the [[auth:LDAP]] backend and the [[wp>Active Directory]] server.
Please note that there is a dedicated [[auth:ad|Active Directory authentication backend]] which should be much easier to set up and can also handle Single-Sign-On via NTLM.
Note: Beware of uppercase letters in domain names: login will still work, but Active Directory group lookup will not. Use a tool like [[http://technet.microsoft.com/en-us/sysinternals/bb963907.aspx|AD Explorer]] to debug.
===== Active Directory with groups =====
* Replace "mydomain" and "dom" with the components of your AD domain name (the dc= parts).
<code php>
$conf['authtype'] = 'ldap';
$conf['auth']['ldap']['server'] = 'mydomain.dom';
$conf['auth']['ldap']['binddn'] = '%{user}@%{server}';
$conf['auth']['ldap']['usertree'] = 'dc=mydomain,dc=dom';
$conf['auth']['ldap']['userfilter'] = '(userPrincipalName=%{user}@%{server})';
$conf['auth']['ldap']['mapping']['name'] = 'displayname';
$conf['auth']['ldap']['mapping']['grps'] = array('memberof' => '/CN=(.+?),/i');
$conf['auth']['ldap']['grouptree'] = 'dc=mydomain,dc=dom'; # base DN under which groups are searched (the domain root here)
$conf['auth']['ldap']['groupfilter'] = '(&(cn=*)(Member=%{dn})(objectClass=group))'; # find the groups the current user (dn) is a member of
$conf['auth']['ldap']['referrals'] = 0; # switch referrals off for use with Active Directory
$conf['auth']['ldap']['version'] = 3;
$conf['auth']['ldap']['debug'] = 0; # set to 1 to show authentication activity (e.g. the user's group list) on the HTML page
</code>
If you receive a binding error like "LDAP: bind with xxx failed [ldap.class.php:90]", try using
<code php>
$conf['auth']['ldap']['binddn'] = 'domain\%{user}';
</code>
Replace "domain" with your domain name.
===== Different Setup =====
<code php>
$conf['authtype'] = 'ldap';
$conf['auth']['ldap']['server'] = 'ldap://servername.domain.tld:389';
$conf['auth']['ldap']['binddn'] = '%{user}@domain.tld';
$conf['auth']['ldap']['usertree'] = 'ou=Users,dc=domain,dc=tld';
$conf['auth']['ldap']['userfilter'] = '(SAMAccountName=%{user})';
$conf['auth']['ldap']['mapping']['name'] = 'displayname';
$conf['auth']['ldap']['mapping']['grps'] = array('memberof' => '/CN=(.+?),/i');
$conf['auth']['ldap']['referrals'] = 0; # switch referrals off for use with Active Directory
$conf['auth']['ldap']['version'] = 3;
</code>
===== Limit access to USR_* only =====
<code php>
$conf['authtype'] = 'ldap';
$conf['auth']['ldap']['server'] = '127.0.0.1:389';
$conf['auth']['ldap']['binddn'] = '%{user}@yourfulldomainname';
$conf['auth']['ldap']['usertree'] = ''; // base DN of the container holding your users, e.g. OU=x,DC=y
$conf['auth']['ldap']['userfilter'] = '(userPrincipalName=%{user}@yourfulldomainname)';
$conf['auth']['ldap']['grouptree'] = ''; // base DN of the container holding your groups, e.g. CN=Users,DC=x
// Select only the groups that have the user as a member and whose name starts with USR_.
// %{dn} is the full DN of the user's account.
$conf['auth']['ldap']['groupfilter'] = '(&(cn=USR_*)(Member=%{dn})(ObjectCategory=group))';
$conf['auth']['ldap']['mapping']['name'] = 'displayname';
$conf['auth']['ldap']['mapping']['grps'] = array('memberof' => '/CN=(.+?),/i'); // must be a real array, not a quoted string
$conf['auth']['ldap']['referrals'] = 0;
$conf['auth']['ldap']['version'] = 3;
</code>
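As an added illustration (not DokuWiki's own code; the function names are hypothetical and the memberOf values are constructed), the following PHP applies the ''memberof'' mapping regex used in the sections above and the USR_ prefix restriction from this section, and shows the user DN being escaped before it is substituted for %{dn} in the group filter. The escaping step is part of this example only and is not a statement about how the backend itself substitutes placeholders.

```php
<?php
// Added example, not DokuWiki's own code: function names are hypothetical.
// Same regex as $conf['auth']['ldap']['mapping']['grps'] on this page.
const GRP_REGEX = '/CN=(.+?),/i';
// Map memberOf DNs to group names: one preg_match per DN, first capture
// becomes the group name (DNs that do not match are skipped).
function groupsFromMemberOf(array $memberOf, string $regex = GRP_REGEX): array
{
    $groups = [];
    foreach ($memberOf as $dn) {
        if (preg_match($regex, $dn, $m)) {
            $groups[] = $m[1];
        }
    }
    return $groups;
}

// Keep only groups allowed by a (cn=USR_*) style restriction; AD matches
// cn case-insensitively, so compare the same way.
function onlyUsrGroups(array $groups): array
{
    return array_values(array_filter($groups, function ($g) {
        return stripos($g, 'USR_') === 0;
    }));
}

// Escape a value for use inside an LDAP search filter (RFC 4515) before it
// replaces %{dn}: a DN containing ( ) * or \ would otherwise alter the filter.
function ldapFilterEscape(string $value): string
{
    return strtr($value, [
        '\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00',
    ]);
}

function buildGroupFilter(string $template, string $userDn): string
{
    return str_replace('%{dn}', ldapFilterEscape($userDn), $template);
}

// Constructed sample data; the third CN contains an escaped comma.
$memberOf = [
    'CN=USR_Wiki,OU=Groups,DC=mydomain,DC=dom',
    'CN=Domain Users,CN=Users,DC=mydomain,DC=dom',
    'CN=Sales\, EMEA,OU=Groups,DC=mydomain,DC=dom',
];
print_r(groupsFromMemberOf($memberOf));
print_r(onlyUsrGroups(groupsFromMemberOf($memberOf)));
echo buildGroupFilter('(&(cn=USR_*)(Member=%{dn})(ObjectCategory=group))',
    'CN=Smith\, John,OU=Users,DC=mydomain,DC=dom'), "\n";
```

The escaped-comma sample shows that the non-greedy regex stops at the first comma it meets, so a group whose CN contains an escaped comma is mapped to a truncated name; check this against your own group names before relying on group-based ACLs.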