[[ja:auth:ad]]
 
トレース: template tips good_style wikitext abbreviations namespace_templates pagename rewrite antispam ad
This translation is older than the original page and might be outdated. See what has changed.
Translations of this page?:
目次

Active Directory 認証バックエンド

この 認証バックエンド は、 DokuWiki が Active Directory サーバを用いて認証できるようにします。

Active Directory 認証は、汎用の LDAP認証バックエンド を用いても可能ですが、専用の認証バックエンドを使うと、より簡単になります。 素晴らしい adLDAP ライブラリJames Van Lommel の貢献が元となっています。 adLDAP ライブラリは DokuWiki 本体に同梱されており、自分でダウンロードする必要はありません。

さらに、このバックエンドでは NTLM と Kerberos に基づいたシングルサインオンの使用も可能です。

このバックエンドは DokuWiki rc2009-12-02 “Mulled Wine” バージョンから同梱されています。

設定

設定管理画面によって上書きないように、このバックエンドの設定を conf/local.protected.php に置くことをお奨めします。

おそらく、最低限の設定項目は以下の通りです。 

 <?php
  // 一般的な DokuWiki 設定項目
  $conf['useacl']         = 1;
  $conf['disableactions'] = 'register';
  $conf['authtype']       = 'ad';
 
  // 各自の Active Directory 設定項目
  $conf['auth']['ad']['account_suffix']     = '@my.domain.org';
  $conf['auth']['ad']['base_dn']            = 'DC=my,DC=domain,DC=org';
  $conf['auth']['ad']['domain_controllers'] = 'srv1.domain.org, srv2.domain.org'; //複数の設定も可能

必要に応じて、以下の設定項目も可能です。 

  $conf['auth']['ad']['ad_username']        = 'root';
  $conf['auth']['ad']['ad_password']        = 'pass';
  $conf['auth']['ad']['sso']                = 1;
  $conf['auth']['ad']['real_primarygroup']  = 1;
  $conf['auth']['ad']['use_ssl']            = 1;
  $conf['auth']['ad']['debug']              = 1;
  $conf['auth']['ad']['recursive_groups']   = 1; // If number of groups in AD is large switching to 0 will improve performance, but indirect membership will not work

ad_username and ad_password are e.g. required to enable user email subscriptions. This account binds to the AD for querying user details.

Use this code snippet in local.protected.php to set superuser rights: 

$conf['manager']   = '@LDAPGROUPNAME';
$conf['superuser'] = '@LDAPGROUPNAME';

Any other options given in $conf['auth']['ad'] are directly passed to the adldap library. Please refer to the adLDAP documentation for a detailed description of what other options might be available.

In combination with Single-Sign-On, you can also add Windows domain specific setups. E.g. to authenticate against different Active Directory Servers depending on the NTLM or Kerberos Domain of a given user. The (lowercased) Domain just has to be used as a subkey to the $conf['auth']['ad'] setting. E.g. to identify all users coming from the Foobar Windows Domain using a non-default AD Server and user just put the following additional lines into your config: 

$conf['auth']['ad']['foobar']['account_suffix']     = '@foobar.domain.org';
$conf['auth']['ad']['foobar']['base_dn']            = 'DC=foobar,DC=domain,DC=org';
$conf['auth']['ad']['foobar']['domain_controllers'] = 'otherad.domain.org';
$conf['auth']['ad']['foobar']['ad_username']        = 'otherroot';
$conf['auth']['ad']['foobar']['ad_password']        = 'otherpass';

If you have an organisation with multiple DCs under a single parent, you may need to connect to port 3268, rather than the default port 389. Otherwise, users from the remote DC may not show up as members of any groups. The easiest way to do this is to change adLDAP.php in the source code, because the base call to ldap_connect needs port as a separate argument.

グループ名とユーザー名

グループ名とユーザー名は DokuWiki 内部で整形されます。そのため Active Directory サーバに設定されている内容と異なる場合があります。 スペースはアンダースコアに置き換えられます。”\”(バックスラッシュ)と”#“(ハッシュ記号)は削除されます。

例)Domain Users は DokuWiki 内では Domain_Users になります。ACL を手作業で編集する場合、 Domain%5fUsers と正しくエンコーディングする必要があります。 ”%5f” はアンダースコアを表します。

アクセス制御リスト 設定時、ユーザー名やグループ名を指定する際、このことを念頭においてください。

Enabling SSO

Single Sign On (SSO) means that DokuWiki will use your Windows login name to identify you without the need for you to log in. This relies on the server setting the REMOTE_USER environment variable. The ad backend then will use this username to fetch additional data like your group membership.

To make this work you need to enable the sso setting in local.protected.php and most probably also need to setup a management account with enough permissions to fetch the user info: 

$conf['auth']['ad']['sso'] = 1;
$conf['auth']['ad']['ad_username'] = 'MyManager';
$conf['auth']['ad']['ad_password'] = 'ManagerPass';

Additonally some setting have to be made for your server and the used Browser.

Web Server

NTLM on IIS

First configure IIS to use the Windows Logon for authentication (see screenshots):

  1. Open the IIS configuration console using “Start” → “Run” → inetmgr
  2. Right click on the “Default Web Site” entry and choose “Properties”
  3. Switch to the “Directory Security” tab
  4. Click the “Edit” button on “Anonymous access and authentication control”.
  5. Disable “Anonymous access”
  6. Enable “Integrated Windows Authentication”

Choose properties on the default website Switch to the Security Tab and edit the authentication controls Disable anonymous access and select Integrated Authentication

Then make sure NTLM is used as authentication protocol. This has to be done on the commandline:

  1. Open a command line: “Start” → “Run” → cmd
  2. Change to the admin script directory: cd \Inetpub\Adminscripts
  3. Check the current protocol: cscript adsutil.vbs get w3svc/NTAuthenticationProviders
  4. if it doesn't say NTLM, set it: cscript adsutil.vbs set w3svc/NTAuthenticationProviders “NTLM”

Now restart IIS.

NTLM on Apache (Windows)

Download http://sourceforge.net/projects/mod-auth-sspi/ Copy the mod_auth_sspi.so file into your apache modules directory. Add into httpd.conf: 

LoadModule sspi_auth_module modules/mod_auth_sspi.so 

<Directory "c:/wamp/www/">
    AuthName "My Intranet"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On

    require valid-user

</Directory>

Now restart Apache

NTLM on Apache (Linux)

FIXME add info about mod_ntlm and similar here

Kerberos on Apache (Linux)

This setup enables an Apache Server on Linux to verify Kerberos Tickets against an Active Directory server.

Good references for Apache/Kerberos can be found at

The following examples assume your wiki to be running on dokuwiki.yourdomain.com, with your Active Directory server running at dc1.yourdomain.com;

Note: Kerberos is case sensitive, if it is all caps - it should be!

  1. Install Kerberos client1)
  2. Install mod_auth_kerb2)
  3. Configure Kerberos if necessary, sample /etc/krb5.conf:
    [logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = YOURDOMAIN.COM
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 YOURDOMAIN.COM = {
  kdc = dc1.yourdomain.com
  admin_server = dc1.yourdomain.com
  default_domain = yourdomain.com
 }

[domain_realm]
 dokuwiki.yourdomain.com = YOURDOMAIN.COM
 .yourdomain.com = YOURDOMAIN.COM
 yourdomain.com = YOURDOMAIN.COM

[appdefaults]
 pam = {
  debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
  4. Verify that the time on the DokuWiki server is within 5 minutes of the Active Directory server. Otherwise Kerberos will not authenticate.
  5. Verify that the Kerberos environment is working by running:
    kinit username@YOURDOMAIN.COM
klist
kdestroy
  6. Create a keytab file for your DokuWiki server. Make sure you have created a non-admin user in Active Directory with no password expiration. Run this as a Domain Admin on a Windows server with Support Tools installed:
    ktpass -princ HTTP/dokuwiki.yourdomain.com@YOURDOMAIN.COM -mapuser name_of_ad_user_you_have_created -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass the_ad_users_password -out dokuwiki.HTTP.keytab
  7. If no errors occurred, copy the keytab file to /etc/httpd/conf/.
  8. Create /etc/httpd/conf.d/dokuwiki.conf:
    <Directory "/var/www/html/dokuwiki">
        # Kerberos Auth
        AuthType Kerberos
        KrbAuthRealms YOURDOMAIN.COM
        KrbServiceName HTTP
        Krb5Keytab /etc/httpd/conf/dokuwiki.HTTP.keytab
        KrbMethodNegotiate on
        KrbMethodK5Passwd on
        require valid-user
</Directory>
  9. (Re)start Apache: service httpd restart.
Troubleshooting
  • Restart Apache. Web server config changes won't apply until restarted.
  • Try using the FQDN of the DokuWiki server, i.e. http://dokuwiki.yourdomain.com/dokuwiki.
  • If you are presented with a login window, do not enter domain/realm info, just user name and password.
  • Verify that the time on the DokuWiki server is within 5 minutes of the Active Directory server. Otherwise Kerberos will not authenticate.
  • Check all Kerberos files for case inconsistencies.
  • Review this instruction from start to end. See reference links where possible.

Browser

Your browser needs to be setup to forward authentication info to the Webserver.

Setup MS Internet Explorer

FIXME add detailed description

  1. add dokuwiki server to trusted zone
  2. Enable authentication forwarding (Windows Integrated Authentication). Restart your browser to complete the change. IE 8 shown here:

Setup Firefox

  1. Open Firefox and type about:config in the address bar.
  2. In the ‘Filter’ field type one of the following (depending if you're using NTLM or Kerberos) network.automatic-ntlm-auth.trusted-uris or network.negotiate-auth.trusted-uris
  3. Double click the name of the preference that we just searched for
  4. Enter the URLs of the sites you wish to pass NTLM auth info to in the form of:
    http://intranet.company.com,http://email.company.lan

Notice that you can use a comma separated list in this field.

1) Redhat: yum install krb5-workstation, Debian: krb5-user
2) Redhat: yum install mod_auth_kerb, Debian: libapache2-mod-auth-kerb
ja/auth/ad.txt · 最終更新: 2010/10/29 15:36 by 124.210.68.116
 
特に明示されていない限り、本Wikiの内容は次のライセンスに従います: CC Attribution-Share Alike 3.0 Unported
Imprint Recent changes RSS feed Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki
WikiForumIRCBugsGitXRefTranslate