Differences

This shows you the differences between two versions of the page.

--- auth:ldap_openldap [2013-09-17 23:58] – Klap-in
+++ auth:ldap_openldap [2016-03-06 22:06] – removed 197.19.51.8
@@ Line 1: / Line 1: @@
-====== LDAP Auth Backend: OpenLDAP Examples ======
-| Since the release 2013-05-10 “Weatherwax”\\ see [[plugin:AuthLDAP:OpenLDAP]] plugin page\\ \\ For releases 2012-10-13 “Adora Belle” and older\\ see info below|
-Below are example configurations for use with the [[auth:LDAP]] backend and the [[http://www.openldap.org/|OpenLDAP]] server.
-===== With anonymous bind =====
-<code php>
-$conf['auth']['ldap']['server']      = 'ldap.server.tld';
-$conf['auth']['ldap']['usertree']    = 'uid=%{user}, ou=People, dc=server, dc=tld';
-$conf['auth']['ldap']['grouptree']   = 'ou=Groups, dc=server, dc=tld';
-$conf['auth']['ldap']['groupfilter'] = '(&(objectClass=posixGroup)(|(memberUid=%{uid})(gidNumber=%{gid})))';
-</code>
-===== With anonymous bind and filters =====
-<code php>
-$conf['auth']['ldap']['server']      = 'ldap.server.tld';
-$conf['auth']['ldap']['usertree']    = 'ou=People, dc=server, dc=tld';
-$conf['auth']['ldap']['userfilter']  = '(&(objectClass=posixAccount)(uid=%{user}))';
-$conf['auth']['ldap']['grouptree']   = 'ou=Groups, dc=server, dc=tld';
-$conf['auth']['ldap']['groupfilter'] = '(&(objectClass=posixGroup)(|(memberUid=%{uid})(gidNumber=%{gid})))';
-</code>
-===== With superuser bind =====
-<file php>
-$conf['auth']['ldap']['server']   = 'ldap.server.tld';
-$conf['auth']['ldap']['binddn']   = 'uid=ldapuser,ou=People,dc=server,dc=tld';
-$conf['auth']['ldap']['bindpw']   = 'password';
-$conf['auth']['ldap']['usertree'] = 'uid=%{user},ou=People,dc=server,dc=tld';
-</file>
-===== With Kolab2 schema =====
-For use with [[http://www.kolab.org/|Kolab]].
-<code php>
-$conf['auth']['ldap']['server']      = 'mykolabserver'; #replace with hostname of your kolab server
-$conf['auth']['ldap']['usertree']    = 'dc=mydomain, dc=com'; #replace with your domain
-$conf['auth']['ldap']['grouptree']   = 'dc=mydomain, dc=com'; #replace with your domain
-$conf['auth']['ldap']['userfilter']  = '(&(uid=%{user}))';
-$conf['auth']['ldap']['groupfilter'] = '(&(objectClass=kolabGroupOfNames)(member=%{dn}))';
-</code>
-===== Fedora Directory Server With Group =====
-<code php>
-$conf['auth']['ldap']['server']      = 'ldap://1.2.3.4:389';
-$conf['auth']['ldap']['usertree']    = 'ou=People,dc=example,dc=com';
-$conf['auth']['ldap']['grouptree']   = 'ou=Groups,dc=example,dc=com';
-$conf['auth']['ldap']['userfilter']  = '(&(uid=%{user})(objectClass=posixAccount))';
-$conf['auth']['ldap']['groupfilter'] = '(&(uniquemember=%{dn}))';
-$conf['auth']['ldap']['version']     = 3;
-</code>
-Note that you need to use %{dn} for the uniquemember.
-Note: you may need to change line 4:\\
-if users in LDAP directory are "PosixAccount"'s:
-<code>
-$conf['auth']['ldap']['userfilter']  = '(&(uid=%{user})(objectClass=posixAccount))';
-</code>
-if users in LDAP directory are only "InetOrgPerson"'s:
-<code php>
-$conf['auth']['ldap']['userfilter']  = '(&(uid=%{user})(objectClass=inetOrgPerson))';
-</code>
-===== OpenLDAP on SuSE Linux Enterprise Server =====
-This worked for me with a default SLES 10 configuration:
-<code php>
-$conf['auth']['ldap']['server']      = 'ldap://server.tld:389';
-$conf['auth']['ldap']['port']        = 389;
-$conf['auth']['ldap']['usertree']    = 'ou=People,dc=server,dc=tld';
-$conf['auth']['ldap']['grouptree']   = 'ou=Group,dc=server,dc=tld';
-$conf['auth']['ldap']['userfilter']  = '(&(uid=%{user})objectClass=posixAccount)';
-$conf['auth']['ldap']['groupfilter'] = '(&(Member=%{dn})objectClass=posixGroup)';
-$conf['auth']['ldap']['version']     = 3;
-</code>
-The ''groupfilter'' attribute is what is important, and I recommend to create an "admin" group on the directory, setting ''superuser'' to ''"@admin"'' and adding the users you want to administer the wiki to that group using the YAST user manager.
-===== Enterprise IPA on Red Hat Enterprise Linux =====
-[[auth:ldap_ipa|LDAP Auth Backend: Redhat IPA Example (Freeipa)]]
-===== Zimbra 7 with Posix and Samba extension =====
-<code php>
-$conf['useacl']      = 1;
-$conf['openregister']= 0;
-$conf['authtype']    = 'ldap';
-$conf['auth']['ldap']['server']   = 'ldap://hostname.domain.tld:389';
-$conf['auth']['ldap']['binddn']   = 'uid=zmposix,cn=appaccts,cn=zimbra';//can use the config account here too
-$conf['auth']['ldap']['bindpw']   = 'password';
-$conf['auth']['ldap']['usertree'] = 'uid=%{user},ou=people,dc=domain,dc=tld';
-$conf['auth']['ldap']['grouptree'] = 'ou=groups,dc=domain,dc=tld';
-$conf['auth']['ldap']['groupfilter']  = '(|(memberUid=%{user})(gidNumber=%{gid}))';
-$conf['auth']['ldap']['version']    = 3;
-$conf['auth']['ldap']['starttls']   = 1;
-</code>
-====== Two ldap servers for redundancy  ======
-===== slapd proxy =====
-As far i know dokuwiki do not suppport multiple servers in ldap configuration. My workoround is to create a local slapd proxy. slapd.conf:
-<file>
-# Proxy slapd must contain all schema and objectClass definitions
-include         /etc/ldap/schema/core.schema
-include         /etc/ldap/schema/cosine.schema
-include         /etc/ldap/schema/nis.schema
-include         /etc/ldap/schema/inetorgperson.schema
-include         /etc/ldap/schema/kerberos.schema
-# Where the pid file is put. The init.d script
-# will not stop the server if you change this.
-pidfile         /var/run/slapd/slapd.pid
-# List of arguments that were passed to the server
-argsfile        /var/run/slapd/slapd.args
-# Read slapd.conf(5) for possible values
-loglevel        stats stats2 ACL filter
-# The maximum number of entries that is returned for a search operation
-sizelimit 5000
-# The tool-threads parameter sets the actual amount of cpu's that is used
-# for indexing.
-tool-threads 1
-# Ensure read access to the base for things like
-# supportedSASLMechanisms.  Without this you may
-# have problems with SASL not knowing what
-# mechanisms are available and the like.
-# Note that this is covered by the 'access to *'
-# ACL below too but if you change that as people
-# are wont to do you'll still need this if you
-# want SASL (and possible other things) to work
-# happily.
-access to dn.base="" by * read
-# by default we proxy all request
-access to * by * read
-# from slapd-ldap(5)
-backend         ldap
-database        ldap
-suffix          "dc=mydomain,dc=lan"
-rootdn          "dc=mydomain,dc=lan"
-uri             "ldaps://server1.mydomain.lan/ ldaps://server2.mydomain.lan/"
-tls ldaps
-# timeouts in seconds
-network-timeout 2
-timeout 2
-conn-ttl 2
-rebind-as-user yes
-# in case of debug problems
-# session-tracking-request yes
-</file>
-It's recomended to restrict slapd to loopback interface and socket by demon argument options:
-<code>
--h ldap://127.0.0.1:389/ ldapi:///
-</code>
-If everything is right, u can change url in dokuwiki config
-<code>
-  $conf['auth']['ldap']['server']      = 'ldap://127.0.0.1:389';
-</code>
-and now downtime one of ldap servers is not critical.