






auth:ldap_ad [2018-02-23 16:59]
auth:ldap_ad [2018-02-23 19:04] (current)
Aleksandr old revision restored (2016-09-26 09:07)
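--- a/auth/ldap_ad.txt
+++ b/auth/ldap_ad.txt
@@ -1,18 +1,40 @@
-Bienvenue sur le Wiki informatique
+====== LDAP Auth Backend: Active Directory Examples ======
-====== Matériel ======
+| Since the release 2013-05-10 “Weatherwax”\\ see AuthLDAP [[plugin:AuthLDAP:AD]] plugin page\\ \\ For releases 2012-10-13 “Adora Belle” and older\\ see info below  |
-[[Matériel:start|Accueil matériel]]
+Below are example configurations for use with the [[auth:LDAP]] backend and the [[wp>Active Directory]] server.
-[[Matériel:PC:start|Accueil PC]]
+Please note that there is a dedicated [[auth:ad|Active Directory authentication backend]] which should be much easier to set up and can also handle Single-Sign-On via NTLM.
-[[Matériel:MAC:start|Accueil MAC]]
+Note:  Beware of uppercase in domain names, login will work but the use of Active Directory group won't, use a tool like [[|AD Explorer]] to debug.
-[[Matériel:Mobiles:start|Accueil mobiles]]
+===== Active Directory with groups =====
-====== Logiciel ======
+  * replace "mydomain" and "dom" with your domain name AD (dc).
-[[Logiciel:Mobiles:start|Accueil logiciel]]
+<code php> 
+$conf['authtype'                        = 'ldap'; 
+$conf['auth']['ldap']['server'          = 'mydomain.dom'; 
+$conf['auth']['ldap']['binddn'          = '%{user}@%{server}'; 
+$conf['auth']['ldap']['usertree'        = 'dc=mydomain,dc=dom'; 
+$conf['auth']['ldap']['userfilter'      = '(userPrincipalName=%{user}@%{server})'; 
+$conf['auth']['ldap']['mapping']['name' = 'displayname'; 
+$conf['auth']['ldap']['mapping']['grps' = array('memberof' => '/CN=(.+?),/i'); 
+$conf['auth']['ldap']['grouptree'       = 'dc=mydomain,dc=dom'; # position for find groups, at root here 
+$conf['auth']['ldap']['groupfilter'     = '(&(cn=*)(Member=%{dn})(objectClass=group))'; # find groups for current user(dn) 
+$conf['auth']['ldap']['referrals'       = 0; # Switch referrals off for use with Active Directory 
+$conf['auth']['ldap']['version'         = 3; 
+$conf['auth']['ldap']['debug'           = 0; #set 1 for watch authenticate activity (eg. list of user groups) on html page 
+If you receive a binding error like "LDAP: bind with xxx failed [ldap.class.php:90]", try using
-====== OS ======
+<code php> 
+$conf['auth']['ldap']['binddn'          'domain\%{user}'; 
-[[Logiciel:OS:start|Accueil OS]]
+Replace domain with your domain name.
-[[Logiciel:OS:Windows:start|Accueil Windows]]
+If you need nested group. 
+<code php> 
+$conf['auth']['ldap']['groupfilter'          = '(&(cn=*)(Member:1.2.840.113556.1.4.1941:=%{dn})(objectClass=group))'; 
-[[Logiciel:OS:Mac OS X:start|Accueil Mac OS X]] 
-[[Logiciel:OS:Linux:start|Accueil Linux]]
+===== Limit access to USR_* only =====
-
+<code php> 
-====== Application ====== 
+$conf['authtype'                       'ldap'; 
-
+$conf['auth']['ldap']['server'         ''; 
-
+$conf['auth']['ldap']['binddn'         '%{user}@yourfulldomainname'; 
-[[Logiciel:Application:start|Accueil application]]
+$conf['auth']['ldap']['usertree'       ''; // point to container where your users are ie OU=x, DC=y etc 
+$conf['auth']['ldap']['userfilter'     '(userPrincipalName=%{user}@yourfulldomainname)'; 
+$conf['auth']['ldap']['grouptree'      ''; // point this to container where your groups are ie CN=Users, DC=x etc 
+$conf['auth']['ldap']['groupfilter'    = '(&(cn=USR_*)(Member=%{dn})(ObjectCategory=group))';//selects only the groups with the user as a member 
+//remember dn is the full dn to the user's account - filters on groups starting with USR_ 
+$conf['auth']['ldap']['mapping']['name'] = 'displayname'; 
+$conf['auth']['ldap']['mapping']['grps'] = 'array(\'memberof\' => \'/CN=(.+?),/i\')'; 
+$conf['auth']['ldap']['referrals'      = '0'; 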
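Review bot: The `grps` mapping in the "Limit access to USR_* only" example is a quoted string, `$conf['auth']['ldap']['mapping']['grps'] = 'array(\'memberof\' => \'/CN=(.+?),/i\')';`, so PHP assigns the literal text rather than an array and the `memberof` regex is presumably never applied; the first example gets this right with `array('memberof' => '/CN=(.+?),/i')` and the third should match it. The same example sets `referrals` to the string `'0'` where the first example uses the integer `0`; keep the integer so the two examples agree. All three examples bind as the logging-in user (`binddn` = `%{user}@…`), so the user's AD password is sent to the directory server on every login; the page should state that `server` needs an `ldaps://` URL or the backend's `starttls` option enabled (where the installed release supports them), since otherwise that bind is cleartext on the wire. The rendered listing has also lost the closing `]` and the `=` on most `$conf[...]` lines, which a reader must restore before copying any of these blocks.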