auth:ad
Revision compared: auth:ad [2013-05-28 00:13] – Klap-in; current revision: removed (external edit, 127.0.0.1)
====== Active Directory Authentication ======
| Since the release 2013-05-10 “Weatherwax”\\ see [[plugin:

This [[:

While Active Directory authentication can be set up with the default [[LDAP]] backend, it should be easier to do with this dedicated auth backend. It makes use of the excellent [[http://

In addition it allows the use of NTLM and Kerberos based Single-Sign-On.

This backend is included in DokuWiki since version rc2009-12-02 "

You will also need to enable LDAP on the PHP server. LDAP is not enabled by default in PHP. In most cases this is as easy as editing php.ini; however, you might need to check your PHP installation to enable LDAP support if you are using some specialty server installation.

===== Server Configuration =====

Your server configuration must meet the requirements of the [[http://

If you're using Apache on Ubuntu or Debian, just install the ''
Installing ''

For MS IIS7 server ''

If you're using a web server other than Apache or IIS7, you have to figure it out yourself. :( Please update this article if you succeed.

===== Configuration =====

To avoid having them overridden by the config manager, it is recommended to place the configuration in ''

You probably want to set at least these options:

<code php>
<?php
// general DokuWiki options
$conf['
$conf['
$conf['

// configure your Active Directory data here
$conf['
$conf['
$conf['
</code>

Optionally the following parameters can be given:

<code php>
$conf['
$conf['
$conf['
$conf['
$conf['
$conf['
$conf['
$conf['
$conf['
// warn user about expiring password this many days in advance (in version 2012-03-10 and higher):
$conf['
</code>

''

Use this code snippet in local.protected.php to set superuser rights:

<code php>
$conf['
$conf['
</code>

AD group names should be preceded with "

Any other options given in $conf['

In combination with Single-Sign-On,

<code php>
$conf['
$conf['
$conf['
$conf['
$conf['
</code>

If your organisation has multiple DCs under a single parent, you may need to connect to port 3268 (the global catalog port) rather than the default LDAP port 389. Otherwise, users from the remote DC may not show up as members of any groups. The easiest way to do this is to change adLDAP.php in the source code, because the base call to ldap_connect needs the port as a separate argument (line 364 in inc/

===== User Profile and Password Changes =====

Users can change their user details (name, email and password) using the profile button. This may require setting up a privileged user through the ''

Please note that DokuWiki'

===== Group and User Names =====

Group and user names are cleaned up internally, so they might differ from what is configured in your Active Directory server. Spaces are replaced with underscores, and backslashes and hash symbols are removed.

Example: ''

Keep this in mind when specifying users and groups in [[:ACL]] setup or configuration.

===== Enabling SSO =====

Single Sign On (SSO) means that DokuWiki will use your Windows login name to identify you without the need for you to log in. This relies on the server setting the ''

To make this work you need to enable the ''

<code php>
$conf['
$conf['
$conf['
</code>

Additionally, some settings have to be made on your web server and in the browser you use.

==== Web Server ====

=== NTLM on IIS 7.5 ===

  - Open the IIS configuration console (Start -> Internet Information Services (IIS) Manager)
  - Click on the site or virtual directory
  - Double-click on IIS -> Authentication
  - Click "
  - Click "

=== NTLM on IIS 6 ===

First configure IIS to use the Windows logon for authentication (see screenshots):

  - Open the IIS configuration console using "
  - Right click on the "
  - Switch to the "
  - Click the "
  - Disable "
  - Enable "

{{:

Then make sure NTLM is used as the authentication protocol. This has to be done on the command line:

  - Open a command line: "
  - Change to the admin script directory: ''
  - Check the current protocol: ''
  - If it doesn'

Now restart IIS.

=== NTLM on Apache (Windows) ===

Download [[http://
Copy the mod_auth_sspi.so file into your Apache modules directory.
Add into httpd.conf:
<
LoadModule sspi_auth_module modules/

<
AuthName "My Intranet"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On

require valid-user

</
</

Now restart Apache.

=== NTLM on Apache (Linux) ===
  - Install mod_python: ''sudo apt-get install libapache2-mod-python''
  - Get PyAuthenNTLM2,
  - Rename to PyAuthenNTLM2.zip
  - Unzip
  - cd to the new directory
  - Install: ''sudo python setup.py install''
  - Add config to Apache2:
<
<
AuthType NTLM
AuthName !!DOMAIN!!
require valid-user
PythonAuthenHandler pyntlm
PythonOption Domain !!DOMAIN!!
PythonOption PDC !!PRIMARY_DOMAIN_CONTROLLER!!
PythonOption BDC !!BACKUP_DOMAIN_CONTROLLER!!
</
</
[[http://

=== Kerberos on Apache (Linux) ===

This setup enables an Apache server on Linux to verify Kerberos tickets against an Active Directory server.

Good references for Apache/
  * http://
  * http://

The following examples assume your wiki to be running on ''

**Note: Kerberos is case sensitive. Where something is shown in all caps, it must be all caps!**

  - Install Kerberos client((Redhat:
  - Install [[http://
  - Configure Kerberos if necessary, sample ''/
[logging]

kdc = FILE:/


[libdefaults]




[realms]

kdc = dc1.yourdomain.com
admin_server = dc1.yourdomain.com
default_domain = yourdomain.com
}

[domain_realm]




[appdefaults]
pam = {
debug = false




}
</
  - Verify that the time on the DokuWiki server is within 5 minutes of the Active Directory server. Otherwise Kerberos will not authenticate.
  - Verify that the Kerberos environment is working by running:<
kinit username@YOURDOMAIN.COM
klist
kdestroy
(If you get any errors here, make sure your DNS setup is working and you wrote all marked as "
  - Create a keytab file for your DokuWiki server. Make sure you have created a non-admin user in Active Directory with no password expiration. Run this as a Domain Admin on a Windows server with Support Tools installed:<
  - If no errors occurred, copy the keytab file to /
  - Create /
<
# Kerberos Auth
AuthType Kerberos
KrbAuthRealms YOURDOMAIN.COM
KrbServiceName HTTP/
Krb5Keytab /
KrbMethodNegotiate on
KrbMethodK5Passwd on
require valid-user
</
</
  - (Re)start Apache: ''service httpd restart''.

== Troubleshooting ==

  * Restart Apache. Web server config changes won't apply until restarted.
  * Try using the FQDN of the DokuWiki server, i.e. <
  * If you are presented with a login window, do not enter domain/
  * Verify that the time on the DokuWiki server is within 5 minutes of the Active Directory server. Otherwise Kerberos will not authenticate.
  * Check all Kerberos files for case inconsistencies.
  * Review these instructions from start to end. See the reference links where possible.

==== Browser ====

Your browser needs to be set up to forward authentication info to the web server.

=== Setup MS Internet Explorer ===

FIXME add detailed description

  - Add the DokuWiki server to the trusted zone
  - Enable authentication forwarding (Windows Integrated Authentication). Restart your browser to complete the change. IE 8 shown here:
{{http://

=== Setup Firefox ===

  - Open Firefox and type //
  - In the ‘Filter’ field type one of the following (depending on whether you're using NTLM or Kerberos): //
  - Double click the name of the preference you just searched for
  - Enter the URLs of the sites you wish to pass NTLM auth info to in the form of:
<
http://
</
Notice that you can use a comma separated list in this field.

===== Effect on Plug-Ins =====
Some plug-ins may not work gracefully once you've switched over to the ad auth backend. Specifically,

Due to [[http://
auth/ad.1369692806.txt.gz · Last modified: 2013-05-28 00:13 by Klap-in