plugin:authad

Differences

plugin:authad [2017-07-28 07:41] 76.178.145.97plugin:authad [2024-01-18 21:06] (current) – [Server Configuration] added Nginx to the other list to correct the sentence. 69.128.51.162
Line 6: Line 6:
 email      : andi@splitbrain.org email      : andi@splitbrain.org
 type       : Auth type       : Auth
-lastupdate : 2014-04-03+lastupdate : 2023-04-04
 compatible : (bundled) compatible : (bundled)
 depends    :  depends    : 
 conflicts  conflicts 
 similar    :  similar    : 
-tags       : !bundled, authentication+tags       : !bundled, authentication, ad
  
 downloadurl:  downloadurl: 
-bugtracker : # eg. https://github.com/splitbrain/dokuwiki/issues +bugtracker : # eg. https://github.com/dokuwiki/dokuwiki/issues 
-sourcerepo : https://github.com/splitbrain/dokuwiki/tree/master/lib/plugins/authad+sourcerepo : https://github.com/dokuwiki/dokuwiki/tree/master/lib/plugins/authad
 donationurl:  donationurl: 
 ---- ----
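Review bot: the bugtracker field in this hunk still carries the placeholder comment `# eg. https://github.com/dokuwiki/dokuwiki/issues` instead of a bare URL, so the plugin info box does not link to the tracker; since the move from splitbrain/dokuwiki to dokuwiki/dokuwiki is being recorded here anyway, set `bugtracker : https://github.com/dokuwiki/dokuwiki/issues`. The lastupdate, tags and sourcerepo changes are consistent with that move.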
Line 30: Line 30:
 Before this plugin can be used, you need to setup some settings: Before this plugin can be used, you need to setup some settings:
   - Prepare your AD server, see also [[#server configuration]] below.   - Prepare your AD server, see also [[#server configuration]] below.
-  - Activate the authad plugin in the [[plugin|Plugin Manager]].+  - Activate the authad plugin in the [[plugin:extension|Extension Manager]].
   - Define connection details in the [[config|Configuration Manager]]   - Define connection details in the [[config|Configuration Manager]]
   - Switch on this Auth plugin via the configuration option [[config:authtype]] by selecting ''authad''.   - Switch on this Auth plugin via the configuration option [[config:authtype]] by selecting ''authad''.
Line 43: Line 43:
  
 ===Apache=== ===Apache===
-If you're using Apache on Ubuntu or Debian, just install the ''php5-ldap'' package. If you're using Apache on another distro, follow [[http://adldap.sourceforge.net/wiki/doku.php?id=apache|this guide]]. Installing ''php5-ldap'' also works on SLES. If you're using Arch Linux, install the php-ldap package with pacman.+If you're using Apache on Ubuntu or Debian, just install the ''php5-ldap'' package. If you're using Apache on another distro, follow [[http://adldap.sourceforge.net/wiki/doku.php?id=apache|this guide]]FIXME((broken link : Try searching  https://github.com/Rich2k/adLDAP/wiki)). Installing ''php5-ldap'' also works on SLES. If you're using Arch Linux, install the php-ldap package with pacman.
  
  
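Review bot: the package name ''php5-ldap'' kept in this line is tied to PHP 5 and no longer exists on current Debian and Ubuntu releases, where the package is ''php-ldap'' (the Arch note in the same sentence already uses that name); the hunk flags the dead adLDAP link but leaves the outdated package name, so suggest "install the php-ldap package (php5-ldap on older releases)". The FIXME and footnote are also glued to the link text with no space, which renders as "this guideFIXME".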
Line 63: Line 63:
  
 ===Other=== ===Other===
-If you're using a web server other than Apache or IIS7, you have to figure it out yourself. :( Please update this article if you succeed.+If you're using a web server other than Apache, Nginx, or IIS7, you have to figure it out yourself. :( Please update this article if you succeed.
 ===== Configuration===== ===== Configuration=====
  
Line 120: Line 120:
  
 ==Other options== ==Other options==
-Any other options given in ''$conf['plugin']['authad']'' are directly passed to the adldap library. Please refer to the [[http://adldap.sourceforge.net/wiki/doku.php?id=api|adLDAP documentation]] for a detailed description of what other options might be available.+Any other options given in ''$conf['plugin']['authad']'' are directly passed to the adldap library. Please refer to the [[http://adldap.sourceforge.net/wiki/doku.php?id=api|adLDAP documentation]]FIXME((broken link : Try searching  https://github.com/Rich2k/adLDAP/wiki)) for a detailed description of what other options might be available.
  
 In combination with Single-Sign-On, you can also add Windows domain specific setups. E.g. to authenticate against different Active Directory Servers depending on the NTLM or Kerberos Domain of a given user. The (lowercased) Domain just has to be used as a subkey to the ''$conf['plugin']['authad']'' setting. E.g. to identify all users coming from the ''Foobar'' Windows Domain using a non-default AD Server and user just put the following additional lines into your config: In combination with Single-Sign-On, you can also add Windows domain specific setups. E.g. to authenticate against different Active Directory Servers depending on the NTLM or Kerberos Domain of a given user. The (lowercased) Domain just has to be used as a subkey to the ''$conf['plugin']['authad']'' setting. E.g. to identify all users coming from the ''Foobar'' Windows Domain using a non-default AD Server and user just put the following additional lines into your config:
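Review bot: beyond the dead-link FIXME, this paragraph should carry a caveat that every key placed under ''$conf['plugin']['authad']'' is forwarded to adLDAP unchanged, so a misspelled option is passed through rather than flagged, and that a per-domain subkey (the ''Foobar'' example) repeats the connection settings including any admin credentials for that server; suggest telling readers to confirm new options took effect via a test login and to keep the per-domain admin account as restricted as the primary one.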
Line 147: Line 147:
 </code> </code>
  
 +==A few caveats==
 +  * account suffix is always added to admin username, even when it already contains @ character
 +  * different suffix for admin and normal accounts is not supported
 +  * empty account suffix, that is entering usernames with suffix, is not supported
  
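Review bot: the third caveat reads ambiguously ("empty account suffix, that is entering usernames with suffix, is not supported"); suggest "leaving account_suffix empty so that users type the full user@domain form themselves is not supported". The first item should also state the practical consequence: configure admin_username without the suffix, otherwise the suffix is appended a second time and the admin bind uses a malformed name.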
 ===== User Profile and Password Changes ===== ===== User Profile and Password Changes =====
  
-Users can change their user details (name, email and passwords) using the profile button. This may require to set up a privileged user through the ''admin_username'' and ''admin_password'' options. Password changing is only supported via SSL or TLS. See [[http://adldap.sourceforge.net/wiki/doku.php?id=ldap_over_ssl|LDAP over SSL]] in the adLDAP documentation.+Users can change their user details (name, email and passwords) using the profile button. This may require to set up a privileged user through the ''admin_username'' and ''admin_password'' options. Password changing is only supported via SSL or TLS. See [[http://adldap.sourceforge.net/wiki/doku.php?id=ldap_over_ssl|LDAP over SSL]]FIXME((broken link : Try searching  https://github.com/Rich2k/adLDAP/wiki)) in the adLDAP documentation.
  
 Please note that DokuWiki's auto generated passwords do not match with the Active Directory default [[http://technet.microsoft.com/en-us/library/cc875814.aspx|password policy]]. Either adjust your AD password policy or disable the "Forget Password" option using the [[config:disableactions]] config option. Please note that DokuWiki's auto generated passwords do not match with the Active Directory default [[http://technet.microsoft.com/en-us/library/cc875814.aspx|password policy]]. Either adjust your AD password policy or disable the "Forget Password" option using the [[config:disableactions]] config option.
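Review bot: the dead-link FIXME aside, the sentence about ''admin_username'' and ''admin_password'' should say what "privileged" means here: the account only needs the right to reset passwords and edit attributes for the users the wiki manages, not domain admin rights, because these credentials live in the wiki's PHP configuration on the web server. Suggest adding that, and giving "Password changing is only supported via SSL or TLS" its own sentence, since it is the hard requirement rather than an aside.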
Line 188: Line 192:
   - Click "Anonymous Authentication" and disable it   - Click "Anonymous Authentication" and disable it
   - Click "Windows Authentication" and enable it (Note: If you do not see Windows Authentication, you need to [[http://www.iis.net/configreference/system.webserver/security/authentication/windowsauthentication|install it]] via "Turn Windows features on or off" in Control Panel )   - Click "Windows Authentication" and enable it (Note: If you do not see Windows Authentication, you need to [[http://www.iis.net/configreference/system.webserver/security/authentication/windowsauthentication|install it]] via "Turn Windows features on or off" in Control Panel )
 +  - Right-click "Windows Authentication", select "Providers..." and ensure "NTLM" is the first listed provider.
  
 {{:plugin:iisconfig.png?200 }} Note: Once Windows Authentication is enabled, all write and read access is done as the authenticated users which requires either very permissive permissions on the filesystem or another setting in IIS. The latter is recommended. Simpley switch ''system.webServer/serverRuntime/authenticatedUserOverride'' to ''UseWorkerProcessUser'' in the IIS Configuration Editor as oulined as Option #4 in this [[https://weblogs.asp.net/owscott/iis-using-windows-authentication-with-minimal-permissions-granted-to-disk|Blog Post]]. {{:plugin:iisconfig.png?200 }} Note: Once Windows Authentication is enabled, all write and read access is done as the authenticated users which requires either very permissive permissions on the filesystem or another setting in IIS. The latter is recommended. Simpley switch ''system.webServer/serverRuntime/authenticatedUserOverride'' to ''UseWorkerProcessUser'' in the IIS Configuration Editor as oulined as Option #4 in this [[https://weblogs.asp.net/owscott/iis-using-windows-authentication-with-minimal-permissions-granted-to-disk|Blog Post]].
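Review bot: the added step tells readers to put "NTLM" first in the provider list without saying why; state the reason (with Negotiate first, clients attempt Kerberos, which needs an SPN registered for the site's hostname; listing NTLM first sidesteps that) and the trade-off (every client then authenticates with NTLM instead of Kerberos, even those that could use Kerberos), so readers who have registered an SPN know they can keep Negotiate first. The context line also retains two typos, "Simpley" and "oulined".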
Line 330: Line 335:
 klist klist
 kdestroy kdestroy
-(If you get any errors here, make sure your DNS setup is working and you wrote all marked as "YOURDOMAIN.COM" hosts in uppercase in your krb5.conf. Try resolve every hostname manually.</code> +</code> If you get any errors here, make sure your DNS setup is working and you wrote all marked as "YOURDOMAIN.COM" hosts in uppercase in your krb5.conf. Try resolve every hostname manually. 
-  - Create a keytab file for your DokuWiki server. Make sure you have created a non-admin user in Active Directory with no password expiration. Run this as a Domain Admin on a Windows server with Support Tools installed:<code>ktpass -princ HTTP/dokuwiki.yourdomain.com@YOURDOMAIN.COM -mapuser name_of_ad_user_you_have_created -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass the_ad_users_password -out dokuwiki.HTTP.keytab</code> Use the following if you're running Windows 7/Server 2008 R2 clients because [[http://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx|des is disabled by default]] on these operating systems: <code>ktpass -princ HTTP/dokuwiki.yourdomain.com@YOURDOMAIN.COM -mapuser name_of_ad_user_you_have_created@yourdomain.com -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass the_ad_users_password -out dokuwiki.HTTP.keytab </code> RC4-HMAC is supported on Windows 2000 and higher.+  - Create a keytab file for your DokuWiki server. Make sure you have created a non-admin user in Active Directory with no password expiration. Run this as a Domain Admin on a Windows server with Support Tools installed: <code>ktpass -princ HTTP/dokuwiki.yourdomain.com@YOURDOMAIN.COM -mapuser name_of_ad_user_you_have_created@yourdomain.com -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass the_ad_users_password -out dokuwiki.HTTP.keytab </code>
   - If no errors occurred, copy the keytab file to /etc/httpd/conf/.   - If no errors occurred, copy the keytab file to /etc/httpd/conf/.
 +  - Check if authentication via the keytab file works <code>
 +kinit -k -t /etc/httpd/confo/dokuwiki.HTTP.keytab HTTP/dokuwiki.yourdomain.com
 +kdestroy
 +</code> If this doesn't work, there is no need to continue. Fix this first.
   - Create /etc/httpd/conf.d/dokuwiki.conf:<code apache>   - Create /etc/httpd/conf.d/dokuwiki.conf:<code apache>
 <Directory "/var/www/html/dokuwiki"> <Directory "/var/www/html/dokuwiki">
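Review bot: the new check step `kinit -k -t /etc/httpd/confo/dokuwiki.HTTP.keytab HTTP/dokuwiki.yourdomain.com` has a typo in the path: the preceding step copies the keytab to /etc/httpd/conf/, so the test always fails as written; change it to /etc/httpd/conf/dokuwiki.HTTP.keytab. Dropping the DES-CBC-MD5/+desonly variant is the right call, but the remaining ktpass line still uses `-crypto RC4-HMAC-NT`; RC4 is also deprecated on current Windows Server, so note that AES256-SHA1 is preferred where the domain supports it, and add that the keytab must be readable by the web server user only, since it is equivalent to that service account's password.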
Line 385: Line 394:
 Some plug-ins may not gracefully work once you've switched over to the ad auth backend. Specifically, pulling the user's display name will not work if you don't provide valid authentication information. One such plugin is WikiStatistics, where a simple workaround to only display the username can be employed. Some plug-ins may not gracefully work once you've switched over to the ad auth backend. Specifically, pulling the user's display name will not work if you don't provide valid authentication information. One such plugin is WikiStatistics, where a simple workaround to only display the username can be employed.
  
-Due to [[http://adldap.sourceforge.net/wiki/doku.php?id=api_pagingsupport|missing support for paged queries in PHP's LDAP extension]], plugins that try to get all users from the auth backend will fail if you use authAD plugin and have more than 1000 objects in Active Directory. One example is the [[:plugin:issuetracker#faq|IssueTracker]] plugin.+Due to [[http://adldap.sourceforge.net/wiki/doku.php?id=api_pagingsupport|missing support for paged queries in PHP's LDAP extension]]FIXME((broken link : Try searching  https://github.com/Rich2k/adLDAP/wiki)), plugins that try to get all users from the auth backend will fail if you use authAD plugin and have more than 1000 objects in Active Directory. One example is the [[:plugin:issuetracker#faq|IssueTracker]] plugin.
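Review bot: the explanation kept in this paragraph, that the 1000-object failure is due to "missing support for paged queries in PHP's LDAP extension", is outdated; PHP has supported paged results since 5.4 (ldap_control_paged_result(), replaced by server controls in 7.3), so if the limitation still exists it lies in the adLDAP code bundled with the plugin, not in PHP. Since the link is dead anyway, suggest re-verifying against the current plugin and rewording to name the actual cause, keeping the 1000 figure, which is Active Directory's default MaxPageSize.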
plugin/authad.1501220519.txt.gz · Last modified: 2017-07-28 07:41 by 76.178.145.97