auth:ldap_ad

Revision comparison: auth:ldap_ad [2018-02-23 16:59] by chrishanz, against auth:ldap_ad [2018-02-23 19:04] (current) by Aleksandr, old revision restored (2016-09-26 09:07).
====== LDAP Auth Backend: Active Directory Examples ======

| Since the release 2013-05-10 “Weatherwax”\\ see the AuthLDAP [[plugin:AuthLDAP:AD]] plugin page\\ \\ For releases 2012-10-13 “Adora Belle” and older\\ see the info below |

Below are example configurations for use with the [[auth:LDAP]] backend and an [[wp>Active Directory]] server.

Please note that there is a dedicated [[auth:ad|Active Directory authentication backend]] which should be much easier to set up and can also handle Single-Sign-On via NTLM.

Note: Beware of uppercase letters in domain names. Login will still work, but Active Directory group lookup won't; use a tool like [[http://technet.microsoft.com/en-us/sysinternals/bb963907.aspx|AD Explorer]] to debug what the directory actually returns.

===== Active Directory with groups =====

  * Replace "mydomain" and "dom" with the DNS name of your AD domain (the ''dc='' components).

<code php>
$conf['authtype']                          = 'ldap';
$conf['auth']['ldap']['server']            = 'mydomain.dom';
$conf['auth']['ldap']['binddn']            = '%{user}@%{server}';  # bind as the user who is logging in (UPN form)
$conf['auth']['ldap']['usertree']          = 'dc=mydomain,dc=dom';
$conf['auth']['ldap']['userfilter']        = '(userPrincipalName=%{user}@%{server})';
$conf['auth']['ldap']['mapping']['name']   = 'displayname';
$conf['auth']['ldap']['mapping']['grps']   = array('memberof' => '/CN=(.+?),/i');  # group name = first CN of each memberOf DN
$conf['auth']['ldap']['grouptree']         = 'dc=mydomain,dc=dom';  # where to search for groups, the domain root here
$conf['auth']['ldap']['groupfilter']       = '(&(cn=*)(Member=%{dn})(objectClass=group))';  # groups the current user (dn) is a direct member of
$conf['auth']['ldap']['referrals']         = 0;  # switch referrals off for use with Active Directory
$conf['auth']['ldap']['version']           = 3;
$conf['auth']['ldap']['debug']             = 0;  # set to 1 to show authentication activity (e.g. the user's group list) on the HTML page; never leave this on in production
</code>

If you receive a binding error like "LDAP: bind with xxx failed [ldap.class.php:90]", try the down-level logon name (''DOMAIN\user'') instead of the UPN:

<code php>
$conf['auth']['ldap']['binddn']            = 'domain\%{user}';
</code>

Replace ''domain'' with your (NetBIOS) domain name.

If you need nested groups, use the ''LDAP_MATCHING_RULE_IN_CHAIN'' matching rule (OID 1.2.840.113556.1.4.1941) in the member test; the domain controller then resolves membership transitively, which is more expensive on large directories:

<code php>
$conf['auth']['ldap']['groupfilter']       = '(&(cn=*)(Member:1.2.840.113556.1.4.1941:=%{dn})(objectClass=group))';
</code>

===== Limit access to USR_* only =====

This variant only assigns the user the AD groups whose name starts with ''USR_''. Note that every authenticated user still gets DokuWiki's default group, so the ACL must grant rights to the ''USR_*'' groups only. The example binds to port 389 without TLS, which sends the user's password in the clear in the simple bind; that is acceptable only because the directory is reached on the same host. For a remote directory use LDAPS or StartTLS.

<code php>
$conf['authtype']                          = 'ldap';
$conf['auth']['ldap']['server']            = '127.0.0.1:389';
$conf['auth']['ldap']['binddn']            = '%{user}@yourfulldomainname';
$conf['auth']['ldap']['usertree']          = ''; // point to the container where your users are, i.e. OU=x,DC=y etc.
$conf['auth']['ldap']['userfilter']        = '(userPrincipalName=%{user}@yourfulldomainname)';
$conf['auth']['ldap']['grouptree']         = ''; // point this to the container where your groups are, i.e. CN=Users,DC=x etc.
$conf['auth']['ldap']['groupfilter']       = '(&(cn=USR_*)(Member=%{dn})(objectCategory=group))'; // selects only the groups starting with USR_ that have the user as a member
// remember: %{dn} is the full DN of the user's account
$conf['auth']['ldap']['mapping']['name']   = 'displayname';
$conf['auth']['ldap']['mapping']['grps']   = array('memberof' => '/CN=(.+?),/i');
$conf['auth']['ldap']['referrals']         = 0;
</code>
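The "Active Directory with groups" and "Limit access to USR_* only" sections differ only in the filter strings, and the page does not show how ''%{user}'' and ''%{dn}'' end up inside them. The following Python example is added here and is not DokuWiki's own code: it assembles the same ''userfilter'' and ''groupfilter'' values (direct, nested and ''USR_''-prefixed) with RFC 4515 escaping of the substituted values, and applies the ''memberof'' regex from the ''grps'' mapping to a constructed ''memberOf'' list. The server name, user DN and group DNs are made up for the demonstration. It also shows a caveat of the regex: a group whose CN contains an escaped comma (''Sales\, EMEA'') is truncated at the backslash.

```python
import re

# Constructed sample data for this example (not from any real directory)
SERVER = "mydomain.dom"
USER_DN = "CN=jdoe,OU=Users,DC=mydomain,DC=dom"
SAMPLE_MEMBEROF = [
    "CN=Wiki Editors,OU=Groups,DC=mydomain,DC=dom",
    "CN=USR_Wiki,OU=Groups,DC=mydomain,DC=dom",
    "CN=Sales\\, EMEA,OU=Groups,DC=mydomain,DC=dom",  # CN containing an escaped comma
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter.

    Without this, a login name such as  *)(objectClass=*  would change the
    meaning of the userfilter instead of being compared literally.
    """
    special = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(special.get(ch, ch) for ch in value)


def user_filter(user: str, server: str = SERVER) -> str:
    """userfilter = '(userPrincipalName=%{user}@%{server})' with %{user} escaped."""
    return "(userPrincipalName=%s@%s)" % (escape_filter_value(user), server)


def group_filter(user_dn: str, nested: bool = False, cn_pattern: str = "*") -> str:
    """groupfilter from the configs above, with %{dn} escaped.

    nested=True uses LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941)
    so the domain controller also returns groups that contain the user only
    via other groups. cn_pattern='USR_*' reproduces the USR_-only variant.
    """
    attr = "Member:1.2.840.113556.1.4.1941:" if nested else "Member"
    return "(&(cn=%s)(%s=%s)(objectClass=group))" % (
        cn_pattern, attr, escape_filter_value(user_dn))


# mapping grps = array('memberof' => '/CN=(.+?),/i'): first CN, up to the first comma
GROUP_RE = re.compile(r"CN=(.+?),", re.IGNORECASE)


def groups_from_memberof(memberof_values):
    """Apply the memberof regex the way the grps mapping does: one name per DN."""
    names = []
    for dn in memberof_values:
        m = GROUP_RE.search(dn)
        if m:
            names.append(m.group(1))
    return names


if __name__ == "__main__":
    print(user_filter("jdoe"))
    print(user_filter("jdoe)(userPrincipalName=*"))   # injection attempt, neutralised by escaping
    print(group_filter(USER_DN))
    print(group_filter(USER_DN, nested=True))
    print(group_filter(USER_DN, cn_pattern="USR_*"))
    print(groups_from_memberof(SAMPLE_MEMBEROF))      # last entry is the truncated 'Sales\'
```

Run it as a script to see the three filter shapes side by side; when a login fails, paste the printed ''group_filter'' output into ''ldapsearch'' against the same base DN as ''grouptree'' to check what the directory returns before blaming the configuration.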
auth/ldap_ad.txt · Last modified: 2018-02-23 19:04 by Aleksandr