auth:ldap_ad
This is an old revision of the document!
Table of Contents
LDAP Auth Backend: Active Directory Examples
Below are example configurations for use with the LDAP backend and the Active Directory server.
Please note that there is a dedicated Active Directory authentication backend which should be much easier to set up and can also handle Single-Sign-On via NTLM.
Note: Beware of uppercase in domain names, login will work but the use of Active Directory group won't, use a tool like AD Explorer to debug.
Active Directory with groups
- replace “mydomain” and “dom” with your domain name AD (dc).
$conf['authtype'] = 'ldap'; $conf['auth']['ldap']['server'] = 'mydomain.dom'; $conf['auth']['ldap']['binddn'] = '%{user}@%{server}'; $conf['auth']['ldap']['usertree'] = 'dc=mydomain,dc=dom'; $conf['auth']['ldap']['userfilter'] = '(userPrincipalName=%{user}@%{server})'; $conf['auth']['ldap']['mapping']['name'] = 'displayname'; $conf['auth']['ldap']['mapping']['grps'] = array('memberof' => '/CN=(.+?),/i'); $conf['auth']['ldap']['grouptree'] = 'dc=mydomain,dc=dom'; # position for find groups, at root here $conf['auth']['ldap']['groupfilter'] = '(&(cn=*)(Member=%{dn})(objectClass=group))'; # find groups for current user(dn) $conf['auth']['ldap']['referrals'] = 0; # Switch referrals off for use with Active Directory $conf['auth']['ldap']['version'] = 3; $conf['auth']['ldap']['debug'] = 0; #set 1 for watch authenticate activity (eg. list of user groups) on html page
If you receive a binding error like “LDAP: bind with xxx failed [ldap.class.php:90]”, try using
$conf['auth']['ldap']['binddn'] = 'domain\%{user}';
Replace domain with your domain name.
Different Setup
$conf['authtype'] = 'ldap'; $conf['auth']['ldap']['server'] = 'ldap://servername.domain.tld:389'; $conf['auth']['ldap']['binddn'] = '%{user}@domain.tld'; $conf['auth']['ldap']['usertree'] = 'ou=Users,dc=domain,dc=tld'; $conf['auth']['ldap']['userfilter'] = '(SAMAccountName=%{user})'; $conf['auth']['ldap']['mapping']['name'] = 'displayname'; $conf['auth']['ldap']['mapping']['grps'] = array('memberof' => '/CN=(.+?),/i'); $conf['auth']['ldap']['referrals'] = 0; # Switch referrals off for use with Active Directory $conf['auth']['ldap']['version'] = 3;
Limit access to USR_* only
$conf['authtype'] = 'ldap'; $conf['auth']['ldap']['server'] = '127.0.0.1:389'; $conf['auth']['ldap']['binddn'] = '%{user}@yourfulldomainname'; $conf['auth']['ldap']['usertree'] = ''; // point to container where your users are ie OU=x, DC=y etc $conf['auth']['ldap']['userfilter'] = '(userPrincipalName=%{user}@yourfulldomainname)'; $conf['auth']['ldap']['grouptree'] = ''; // point this to container where your groups are ie CN=Users, DC=x etc $conf['auth']['ldap']['groupfilter'] = '(&(cn=USR_*)(Member=%{dn})(ObjectCategory=group))';//selects only the groups with the user as a member //remember dn is the full dn to the user's account - filters on groups starting with USR_ $conf['auth']['ldap']['mapping']['name'] = 'displayname'; $conf['auth']['ldap']['mapping']['grps'] = 'array(\'memberof\' => \'/CN=(.+?),/i\')'; $conf['auth']['ldap']['referrals'] = '0'; $conf['auth']['ldap']['version'] = '3';
auth/ldap_ad.1232738873.txt.gz · Last modified: 2012-02-02 14:06 (external edit)