It's better when it's simple

User Tools

Site Tools


Translations of this page?:

Learn about DokuWiki

Advanced Use

Corporate Use

Our Community

Follow us on Facebook, Twitter and other social networks.


LDAP Auth Backend: OpenLDAP Examples

Since the release 2013-05-10 “Weatherwax”
see OpenLDAP plugin page

For releases 2012-10-13 “Adora Belle” and older
see info below

Below are example configurations for use with the LDAP backend and the OpenLDAP server.

With anonymous bind

$conf['auth']['ldap']['server']      = 'ldap.server.tld';
$conf['auth']['ldap']['usertree']    = 'uid=%{user}, ou=People, dc=server, dc=tld';
$conf['auth']['ldap']['grouptree']   = 'ou=Groups, dc=server, dc=tld';
$conf['auth']['ldap']['groupfilter'] = '(&(objectClass=posixGroup)(|(memberUid=%{uid})(gidNumber=%{gid})))';

With anonymous bind and filters

$conf['auth']['ldap']['server']      = 'ldap.server.tld';
$conf['auth']['ldap']['usertree']    = 'ou=People, dc=server, dc=tld';
$conf['auth']['ldap']['userfilter']  = '(&(objectClass=posixAccount)(uid=%{user}))';
$conf['auth']['ldap']['grouptree']   = 'ou=Groups, dc=server, dc=tld';
$conf['auth']['ldap']['groupfilter'] = '(&(objectClass=posixGroup)(|(memberUid=%{uid})(gidNumber=%{gid})))';

With superuser bind

$conf['auth']['ldap']['server']   = 'ldap.server.tld';
$conf['auth']['ldap']['binddn']   = 'uid=ldapuser,ou=People,dc=server,dc=tld';
$conf['auth']['ldap']['bindpw']   = 'password';
$conf['auth']['ldap']['usertree'] = 'uid=%{user},ou=People,dc=server,dc=tld';

With Kolab2 schema

For use with Kolab.

$conf['auth']['ldap']['server']      = 'mykolabserver'; #replace with hostname of your kolab server
$conf['auth']['ldap']['usertree']    = 'dc=mydomain, dc=com'; #replace with your domain
$conf['auth']['ldap']['grouptree']   = 'dc=mydomain, dc=com'; #replace with your domain
$conf['auth']['ldap']['userfilter']  = '(&(uid=%{user}))';
$conf['auth']['ldap']['groupfilter'] = '(&(objectClass=kolabGroupOfNames)(member=%{dn}))';

Fedora Directory Server With Group

$conf['auth']['ldap']['server']      = 'ldap://';
$conf['auth']['ldap']['usertree']    = 'ou=People,dc=example,dc=com';
$conf['auth']['ldap']['grouptree']   = 'ou=Groups,dc=example,dc=com';
$conf['auth']['ldap']['userfilter']  = '(&(uid=%{user})(objectClass=posixAccount))';
$conf['auth']['ldap']['groupfilter'] = '(&(uniquemember=%{dn}))';
$conf['auth']['ldap']['version']     = 3;

Note that you need to use %{dn} for the uniquemember.

Note: you may need to change line 4:
if users in LDAP directory are “PosixAccount”'s:

$conf['auth']['ldap']['userfilter']  = '(&(uid=%{user})(objectClass=posixAccount))';

if users in LDAP directory are only “InetOrgPerson”'s:

$conf['auth']['ldap']['userfilter']  = '(&(uid=%{user})(objectClass=inetOrgPerson))';

OpenLDAP on SuSE Linux Enterprise Server

This worked for me with a default SLES 10 configuration:

$conf['auth']['ldap']['server']      = 'ldap://server.tld:389';
$conf['auth']['ldap']['port']        = 389;
$conf['auth']['ldap']['usertree']    = 'ou=People,dc=server,dc=tld';
$conf['auth']['ldap']['grouptree']   = 'ou=Group,dc=server,dc=tld';
$conf['auth']['ldap']['userfilter']  = '(&(uid=%{user})objectClass=posixAccount)';
$conf['auth']['ldap']['groupfilter'] = '(&(Member=%{dn})objectClass=posixGroup)';
$conf['auth']['ldap']['version']     = 3;

The groupfilter attribute is what is important, and I recommend to create an “admin” group on the directory, setting superuser to “@admin” and adding the users you want to administer the wiki to that group using the YAST user manager.

Enterprise IPA on Red Hat Enterprise Linux

Zimbra 7 with Posix and Samba extension

$conf['useacl']      = 1;
$conf['openregister']= 0;
$conf['authtype']    = 'ldap';
$conf['auth']['ldap']['server']   = 'ldap://hostname.domain.tld:389';
$conf['auth']['ldap']['binddn']   = 'uid=zmposix,cn=appaccts,cn=zimbra';//can use the config account here too
$conf['auth']['ldap']['bindpw']   = 'password';
$conf['auth']['ldap']['usertree'] = 'uid=%{user},ou=people,dc=domain,dc=tld';
$conf['auth']['ldap']['grouptree'] = 'ou=groups,dc=domain,dc=tld';
$conf['auth']['ldap']['groupfilter']  = '(|(memberUid=%{user})(gidNumber=%{gid}))';
$conf['auth']['ldap']['version']    = 3;
$conf['auth']['ldap']['starttls']   = 1;

Two ldap servers for redundancy

slapd proxy

As far i know dokuwiki do not suppport multiple servers in ldap configuration. My workoround is to create a local slapd proxy. slapd.conf:

# Proxy slapd must contain all schema and objectClass definitions 
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/kerberos.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/

# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel        stats stats2 ACL filter

# The maximum number of entries that is returned for a search operation
sizelimit 5000

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1

# Ensure read access to the base for things like
# supportedSASLMechanisms.  Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.

access to dn.base="" by * read

# by default we proxy all request
access to * by * read

# from slapd-ldap(5)
backend         ldap 
database        ldap 
suffix          "dc=mydomain,dc=lan"
rootdn          "dc=mydomain,dc=lan"
uri             "ldaps://server1.mydomain.lan/ ldaps://server2.mydomain.lan/"
tls ldaps 

# timeouts in seconds
network-timeout 2
timeout 2
conn-ttl 2
rebind-as-user yes

# in case of debug problems
# session-tracking-request yes

It's recomended to restrict slapd to loopback interface and socket by demon argument options:

-h ldap:// ldapi:///

If everything is right, u can change url in dokuwiki config

  $conf['auth']['ldap']['server']      = 'ldap://';

and now downtime one of ldap servers is not critical.

auth/ldap_openldap.txt · Last modified: 2016-03-14 02:12 by ach