DokuWiki

auth:ldap

Differences

This shows you the differences between two versions of the page.


auth:ldap [2015-10-26 11:37] – old revision restored (2015-07-26 16:52) ach
auth:ldap [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1
Line 1: Line 1:
-====== LDAP Authentication Backend ====== 
-| Since the release 2013-05-10 “Weatherwax”\\ see [[plugin:AuthLDAP]] plugin page\\ \\ For releases 2012-10-13 “Adora Belle” and older\\ see info below| 
  
-This module allows [[:auth|authentication]] against an LDAP directory using the [[:ACL]] feature. It is included with the DokuWiki releases. Don't forget to install your linux distribution module ''php-net-ldap'' (ex: ''apt-get install php-net-ldap''). In distributions that are not Debian-based this module may have another name, like ''php5-ldap'' in openSUSE (''zypper in php5-ldap''). 
- 
-Users can log into the wiki using their username and password defined in a LDAP server, adding new users is not supported through the LDAP backend. 
- 
-:!: Do not report bugs or problems in the wiki! Use the [[:bugs|bugtracker]], [[:mailinglist]] and [[:forum]] instead. 
- 
-===== Configuration ===== 
- 
-This is an example configuration to  set in your ''conf/local.protected.php'' to authenticate against your LDAP directory. 
- 
-<code php> 
-$conf['useacl'     = 1; 
-$conf['openregister']= 0; 
-$conf['authtype'   = 'ldap'; 
- 
-#$conf['auth']['ldap']['server'     = 'localhost'; 
-#$conf['auth']['ldap']['port'       = 389; 
-$conf['auth']['ldap']['server'     = 'ldap://server.tld:389'; #instead of the above two settings 
-$conf['auth']['ldap']['usertree'   = 'ou=People, dc=server, dc=tld'; 
-$conf['auth']['ldap']['grouptree'  = 'ou=Group, dc=server, dc=tld'; 
-$conf['auth']['ldap']['userfilter' = '(&(uid=%{user})(objectClass=posixAccount))'; 
-$conf['auth']['ldap']['groupfilter'] = '(&(objectClass=posixGroup)(|(gidNumber=%{gid})(memberUID=%{user})))'; 
- 
-# This is optional but may be required for your server: 
-#$conf['auth']['ldap']['version'   = 3; 
- 
-# This enables the use of the STARTTLS command 
-#$conf['auth']['ldap']['starttls'  = 1; 
- 
-# This is optional and is required to be off when using Active Directory: 
-#$conf['auth']['ldap']['referrals' = 0; 
- 
-# Optional bind user and password if anonymous bind is not allowed 
-#$conf['auth']['ldap']['binddn'    = 'cn=admin, dc=my, dc=home'; 
-#$conf['auth']['ldap']['bindpw'    = 'secret'; 
- 
-# Mapping can be used to specify where the internal data is coming from.  
-#$conf['auth']['ldap']['mapping']['name' = 'displayname'; # Name of attribute Active Directory stores it's pretty print user name. 
-#$conf['auth']['ldap']['mapping']['grps' = array('memberof' => '/CN=(.+?),/i'); # Where groups are defined in Active Directory 
- 
-# Limit search scope for user and group searches (sub|one|base) 
-#$conf['auth']['ldap']['userscope' = 'sub'; 
-#$conf['auth']['ldap']['groupscope'] = 'sub'; 
- 
-# Optional debugging 
-#$conf['auth']['ldap']['debug'     = 1; 
-</code> 
- 
-You can use the //version// parameter to tell PHP to use Version 3 of the LDAP protocol to connect to your server - default is version 2. 
- 
-The //userfilter// defines an LDAP filter which is used to search for a user. The //groupfilter// is used to fetch the groups a user is in. 
- 
-The following variables are available for the userfilter and the groupfilter: 
- 
-^ variable     ^ meaning                                                       ^ 
-| %{user}      | The username the user tried to login with                     | 
-| %{server}    | The server string provided in $conf['auth']['ldap']['server'] | 
- 
-The groupfilter can also access all the attributes provided in the user object: 
- 
-^ variable     ^ meaning                                                       ^ 
-| %{dn}     | The users dn eg. uid=user,ou=People,dc=server,dc=dk              | 
-| %{uid}    | The uid of the user eg. user                                     | 
-| %{...}    |                                                                  | 
- 
-The //mapping// is used for directories that uses non "standard" names for attributes, a mapping can be applied a regexp to clean it up before replacing the target variable. For all variables but 'grps' only the first attribute is used to replace the variable if more than one is provided. 
- 
-^ variable  ^ mapping                                 ^ meaning  ^ 
-| grps      | %%array('memberof' => '/CN=(.+?),/i')%% | Replace the content of grps with what is provided in the attribute memberof and apply this regexp /CN=(.+?),/i to every element in it. |  
-| name      | 'displayname'        | Replace the content of name with first element of 'displayname' attribute. |  
- 
-The search scope (depth) can be limited to ''sub'', ''one'' and ''base'' using the optional ''userscope'' and ''groupscope'' parameters. They default to ''sub''. Setting them to more limited searches can improve performance. 
- 
-Authentication is done in these steps: 
-  - First see if we need to do an anonymous bind by looking in the usertree for a %{user}: 
-    * If found: Set usertree as DN. 
-    * If not: Try to find a DN for the given login doing a search in the //usertree// with the given //userfilter// -- there has to be exactly one result 
-  - Try to bind with the found DN and the given password - if this succeeds access is granted 
-  - For getting the groups a user is in, the //groupfilter// is used to search the //grouptree//. 
- 
-==== Notes ==== 
- 
-  * While configuring the LDAP access you may want to enable the //debug// option which will print the error messages your LDAP server is delivering. You should disable it again after setup. 
-  * The freeware [[http://directory.apache.org/studio/|LDAP Browser]] (written in Java) is useful to find the proper settings for ''$conf['auth']['ldap']'' and to determine the structure of your LDAP server. 
-  * Mappings and field names are always lowercase regardless of the case used in the LDAP server! 
-  * Make sure you have the PHP LDAP extension installed. 
-  * If you get the "Protocol error" message, you might have not enabled following config statement: ''$conf['auth']['ldap']['version'] = 3;'' 
- 
-===== Real World Examples ===== 
- 
-Below is a list of example configurations used by various users for various LDAP servers. These are examples! Be sure to adjust them to your specific server settings. 
- 
-  * [[auth:ldap_openldap|OpenLDAP]] 
-  * [[auth:ldap_ad|Active Directory]] 
-  * [[auth:ldap_lotus|Lotus Domino (Notes)]] 
-  * [[auth:ldap_osx|Open Directory (Mac OS X Server)]] 
-  * [[auth:ldap_ucs|Univention Corporate Server (UCS)]] 
-  * [[auth:ldap_oracle|Oracle Internet Directory]] 
-  * [[auth:ldap_eDirectory|Novell eDirectory]] 
-  * [[auth:ldap_tinyldap|tinyldap]] 
-  * [[auth:ldap_apacheds|Apache Directory]] 
-  * [[auth:ldap_ipa|LDAP Auth Backend: Redhat IPA Example (Freeipa)]] 
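Review bot: the `<code php>` block in this revision has unbalanced brackets on most of its `$conf` lines, so it cannot be pasted into `conf/local.protected.php` as written; only `openregister`, `groupfilter` and `groupscope` close their last index. For example `$conf['useacl'     = 1;`, `$conf['authtype'   = 'ldap';` and `$conf['auth']['ldap']['server'     = 'ldap://server.tld:389';` each need the closing `]` before `=` (i.e. `$conf['useacl'] = 1;`, `$conf['authtype'] = 'ldap';`, `$conf['auth']['ldap']['server'] = 'ldap://server.tld:389';`), and the same applies to `usertree`, `userfilter`, `version`, `starttls`, `referrals`, `binddn`, `bindpw`, both `mapping` lines, `userscope` and `debug`. Two documentation points while that block is being touched: the example uses `ldap://server.tld:389` with `starttls` commented out, and the authentication steps below bind with the user's given password, so the text should say that this password travels unencrypted to the directory unless `starttls` is enabled; and `bindpw` is stored in cleartext in the config file, so the text should recommend a dedicated read-only bind account rather than an administrative one such as the `cn=admin` shown. Minor: "stores it's pretty print user name" should read "its".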
auth/ldap.1445855869.txt.gz · Last modified: 2015-10-26 11:37 by ach

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International