Differences

This shows you the differences between two versions of the page.

--- auth:ldap_ad [2016-09-26 09:07] – [Active Directory with groups] 124.39.43.146
+++ auth:ldap_ad [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1
@@ Line 1: / Line 1: @@
-====== LDAP Auth Backend: Active Directory Examples ======
-| Since the release 2013-05-10 “Weatherwax”\\ see AuthLDAP [[plugin:AuthLDAP:AD]] plugin page\\ \\ For releases 2012-10-13 “Adora Belle” and older\\ see info below  |
-Below are example configurations for use with the [[auth:LDAP]] backend and the [[wp>Active Directory]] server.
-Please note that there is a dedicated [[auth:ad|Active Directory authentication backend]] which should be much easier to set up and can also handle Single-Sign-On via NTLM.
-Note:  Beware of uppercase in domain names, login will work but the use of Active Directory group won't, use a tool like [[http://technet.microsoft.com/en-us/sysinternals/bb963907.aspx|AD Explorer]] to debug.
-===== Active Directory with groups =====
-  * replace "mydomain" and "dom" with your domain name AD (dc).
-<code php>
-$conf['authtype']                         = 'ldap';
-$conf['auth']['ldap']['server']           = 'mydomain.dom';
-$conf['auth']['ldap']['binddn']           = '%{user}@%{server}';
-$conf['auth']['ldap']['usertree']         = 'dc=mydomain,dc=dom';
-$conf['auth']['ldap']['userfilter']       = '(userPrincipalName=%{user}@%{server})';
-$conf['auth']['ldap']['mapping']['name']  = 'displayname';
-$conf['auth']['ldap']['mapping']['grps']  = array('memberof' => '/CN=(.+?),/i');
-$conf['auth']['ldap']['grouptree']        = 'dc=mydomain,dc=dom'; # position for find groups, at root here
-$conf['auth']['ldap']['groupfilter']      = '(&(cn=*)(Member=%{dn})(objectClass=group))'; # find groups for current user(dn)
-$conf['auth']['ldap']['referrals']        = 0; # Switch referrals off for use with Active Directory
-$conf['auth']['ldap']['version']          = 3;
-$conf['auth']['ldap']['debug']            = 0; #set 1 for watch authenticate activity (eg. list of user groups) on html page
-</code>
-If you receive a binding error like "LDAP: bind with xxx failed [ldap.class.php:90]", try using
-<code php>
-$conf['auth']['ldap']['binddn']           = 'domain\%{user}';
-</code>
-Replace domain with your domain name.
-If you need nested group.
-<code php>
-$conf['auth']['ldap']['groupfilter']           = '(&(cn=*)(Member:1.2.840.113556.1.4.1941:=%{dn})(objectClass=group))';
-</code>
-===== Limit access to USR_* only =====
-<code php>
-$conf['authtype']                        = 'ldap';
-$conf['auth']['ldap']['server']          = '127.0.0.1:389';
-$conf['auth']['ldap']['binddn']          = '%{user}@yourfulldomainname';
-$conf['auth']['ldap']['usertree']        = ''; // point to container where your users are ie OU=x, DC=y etc
-$conf['auth']['ldap']['userfilter']      = '(userPrincipalName=%{user}@yourfulldomainname)';
-$conf['auth']['ldap']['grouptree']       = ''; // point this to container where your groups are ie CN=Users, DC=x etc
-$conf['auth']['ldap']['groupfilter']     = '(&(cn=USR_*)(Member=%{dn})(ObjectCategory=group))';//selects only the groups with the user as a member
-//remember dn is the full dn to the user's account - filters on groups starting with USR_
-$conf['auth']['ldap']['mapping']['name'] = 'displayname';
-$conf['auth']['ldap']['mapping']['grps'] = 'array(\'memberof\' => \'/CN=(.+?),/i\')';
-$conf['auth']['ldap']['referrals']       = '0';
-</code>