LDAP Auth Backend: OpenLDAP Examples
Since the 2013-05-10 “Weatherwax” release, see the OpenLDAP plugin page. For the 2012-10-13 “Adora Belle” release and older, see the information below.
Below are example configurations for use with the LDAP backend and the OpenLDAP server.
With anonymous bind
$conf['auth']['ldap']['server']      = 'ldap.server.tld';
$conf['auth']['ldap']['usertree']    = 'uid=%{user}, ou=People, dc=server, dc=tld';
$conf['auth']['ldap']['grouptree']   = 'ou=Groups, dc=server, dc=tld';
$conf['auth']['ldap']['groupfilter'] = '(&(objectClass=posixGroup)(|(memberUid=%{uid})(gidNumber=%{gid})))';
With anonymous bind and filters
$conf['auth']['ldap']['server']      = 'ldap.server.tld';
$conf['auth']['ldap']['usertree']    = 'ou=People, dc=server, dc=tld';
$conf['auth']['ldap']['userfilter']  = '(&(objectClass=posixAccount)(uid=%{user}))';
$conf['auth']['ldap']['grouptree']   = 'ou=Groups, dc=server, dc=tld';
$conf['auth']['ldap']['groupfilter'] = '(&(objectClass=posixGroup)(|(memberUid=%{uid})(gidNumber=%{gid})))';
With superuser bind
$conf['auth']['ldap']['server']   = 'ldap.server.tld';
$conf['auth']['ldap']['binddn']   = 'uid=ldapuser,ou=People,dc=server,dc=tld';
$conf['auth']['ldap']['bindpw']   = 'password';
$conf['auth']['ldap']['usertree'] = 'uid=%{user},ou=People,dc=server,dc=tld';
With Kolab2 schema
For use with Kolab.
$conf['auth']['ldap']['server']      = 'mykolabserver';   # replace with the hostname of your Kolab server
$conf['auth']['ldap']['usertree']    = 'dc=mydomain, dc=com';   # replace with your domain
$conf['auth']['ldap']['grouptree']   = 'dc=mydomain, dc=com';   # replace with your domain
$conf['auth']['ldap']['userfilter']  = '(&(uid=%{user}))';
$conf['auth']['ldap']['groupfilter'] = '(&(objectClass=kolabGroupOfNames)(member=%{dn}))';
Fedora Directory Server With Group
$conf['auth']['ldap']['server']      = 'ldap://1.2.3.4:389';
$conf['auth']['ldap']['usertree']    = 'ou=People,dc=example,dc=com';
$conf['auth']['ldap']['grouptree']   = 'ou=Groups,dc=example,dc=com';
$conf['auth']['ldap']['userfilter']  = '(&(uid=%{user})(objectClass=posixAccount))';
$conf['auth']['ldap']['groupfilter'] = '(&(uniquemember=%{dn}))';
$conf['auth']['ldap']['version']     = 3;
Note that you need to use %{dn} for the uniquemember.
Note: you may need to change line 4 (the userfilter) depending on the object class of your user entries:
if the users in the LDAP directory are “posixAccount”s:
$conf['auth']['ldap']['userfilter'] = '(&(uid=%{user})(objectClass=posixAccount))';
if the users in the LDAP directory are only “inetOrgPerson”s:
$conf['auth']['ldap']['userfilter'] = '(&(uid=%{user})(objectClass=inetOrgPerson))';
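The %{user}, %{uid}, %{gid} and %{dn} placeholders in the filters above are replaced with the login name and attributes of the matched entry before the search is sent, so the substituted value must not be able to alter the filter's structure. The following Python is an added example, not code from DokuWiki or its LDAP backend: it expands such a template with RFC 4515 escaping of every substituted value and then checks that the resulting filter is structurally well formed (balanced parentheses, every operand of an AND/OR list itself parenthesized). The function names are my own.

```python
import re

# Escape a value for use inside an LDAP search filter (RFC 4515, section 3):
# backslash, asterisk, parentheses and NUL become \XX hex escapes.
def escape_filter_value(value: str) -> str:
    return "".join(
        f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value
    )

# Expand the %{...} placeholders used in userfilter/groupfilter templates.
# Every substituted value is escaped so it can only ever be matched as data.
def expand_filter(template: str, values: dict) -> str:
    def sub(m):
        key = m.group(1)
        if key not in values:
            raise KeyError(f"no value for placeholder %{{{key}}}")
        return escape_filter_value(values[key])
    return re.sub(r"%\{(\w+)\}", sub, template)

# Minimal structural check of an LDAP filter: balanced parentheses and every
# operand of an AND (&) / OR (|) list itself parenthesized. This flags a
# filter such as '(&(uid=x)objectClass=posixAccount)' where a term lost its
# parentheses, which the server would reject or misinterpret.
def filter_is_well_formed(f: str) -> bool:
    pos = 0
    def item():
        nonlocal pos
        if pos >= len(f) or f[pos] != "(":
            return False
        pos += 1
        if pos < len(f) and f[pos] in "&|":
            pos += 1
            while pos < len(f) and f[pos] == "(":
                if not item():
                    return False
        elif pos < len(f) and f[pos] == "!":
            pos += 1
            if not item():
                return False
        else:  # simple item attr=value; escaped values contain no raw '(' or ')'
            end = f.find(")", pos)
            if end == -1 or "=" not in f[pos:end] or "(" in f[pos:end]:
                return False
            pos = end
        if pos >= len(f) or f[pos] != ")":
            return False
        pos += 1
        return True
    return item() and pos == len(f)
```

Running filter_is_well_formed over each filter in your configuration before deployment catches the kind of missing-parenthesis typo shown in the SLES example below.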
OpenLDAP on SuSE Linux Enterprise Server
This worked for me with a default SLES 10 configuration:
$conf['auth']['ldap']['server']      = 'ldap://server.tld:389';
$conf['auth']['ldap']['port']        = 389;
$conf['auth']['ldap']['usertree']    = 'ou=People,dc=server,dc=tld';
$conf['auth']['ldap']['grouptree']   = 'ou=Group,dc=server,dc=tld';
// every term of an AND filter must be enclosed in its own parentheses
$conf['auth']['ldap']['userfilter']  = '(&(uid=%{user})(objectClass=posixAccount))';
$conf['auth']['ldap']['groupfilter'] = '(&(Member=%{dn})(objectClass=posixGroup))';
$conf['auth']['ldap']['version']     = 3;
The groupfilter attribute is what is important, and I recommend creating an “admin” group in the directory, setting superuser to “@admin” and adding the users you want to administer the wiki to that group using the YaST user manager.
Enterprise IPA on Red Hat Enterprise Linux
Zimbra 7 with Posix and Samba extension
$conf['useacl']       = 1;
$conf['openregister'] = 0;
$conf['authtype']     = 'ldap';
$conf['auth']['ldap']['server']      = 'ldap://hostname.domain.tld:389';
$conf['auth']['ldap']['binddn']      = 'uid=zmposix,cn=appaccts,cn=zimbra'; // can use the config account here too
$conf['auth']['ldap']['bindpw']      = 'password';
$conf['auth']['ldap']['usertree']    = 'uid=%{user},ou=people,dc=domain,dc=tld';
$conf['auth']['ldap']['grouptree']   = 'ou=groups,dc=domain,dc=tld';
$conf['auth']['ldap']['groupfilter'] = '(|(memberUid=%{user})(gidNumber=%{gid}))';
$conf['auth']['ldap']['version']     = 3;
$conf['auth']['ldap']['starttls']    = 1;
Two ldap servers for redundancy
slapd proxy
As far as I know, DokuWiki does not support multiple servers in the LDAP configuration. My workaround is to create a local slapd proxy. slapd.conf:
# Proxy slapd must contain all schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/kerberos.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel stats stats2 ACL filter

# The maximum number of entries that is returned for a search operation
sizelimit 5000

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1

# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read

# by default we proxy all request
access to * by * read

# from slapd-ldap(5)
backend ldap
database ldap
suffix "dc=mydomain,dc=lan"
rootdn "dc=mydomain,dc=lan"
uri "ldaps://server1.mydomain.lan/ ldaps://server2.mydomain.lan/"
tls ldaps
# timeouts in seconds
network-timeout 2
timeout 2
conn-ttl 2
rebind-as-user yes
# in case of debug problems
# session-tracking-request yes
It is recommended to restrict the proxy slapd to the loopback interface and the local socket via the daemon's argument options:
-h ldap://127.0.0.1:389/ ldapi:///
If everything is right, you can change the server URL in the DokuWiki config:
$conf['auth']['ldap']['server'] = 'ldap://127.0.0.1:389';
and downtime of one of the LDAP servers is no longer critical.