
LDAP Authentication Plugin

Compatible with DokuWiki: (bundled)

This plugin allows authentication against an LDAP directory using the ACL feature.

Last updated on: 2015-07-13
Provides: Auth
Repository: Source

Tagged with: !bundled

Description

This module allows authentication against an LDAP directory using the ACL feature. It is included with the DokuWiki release.

Users log into the wiki with the username and password defined in an LDAP server. Adding new users is not supported through the LDAP backend; accounts are managed in the directory itself.

Usage

Before this plugin can be used, you need to ensure the LDAP PHP module is installed, then configure a few settings:

  1. Activate the authLDAP plugin in the Extension Manager.
  2. Define the LDAP server in the Configuration Manager.
  3. Define trees, filters and connection settings too.
  4. Switch on this Auth plugin via the configuration option authtype by selecting authldap.

The configuration supplied on this page shows a basic setup; it needs to be modified to match your own directory layout. Different setups are provided below.

Save the configuration settings to the conf/local.protected.php file to protect the settings against changes via the Config Manager. This matters in particular for bindpw: keeping the bind credential in the protected file keeps it out of the web-editable configuration.

Adding and changing users is not supported through this plugin, so the User Manager, self-registration of users and password reset are disabled by this plugin.

Configuration

The backend is enabled with the authtype configuration option, part of the “Authentication settings” section, by selecting authldap.

The “Plugin Settings” section holds the settings of the authLDAP plugin. Here you define your LDAP server and connection settings.

More general authentication-related settings are available there too.

Real World Examples

Below is a list of example configurations used by various users for various LDAP servers. These are examples! Be sure to adjust them to your specific server settings.

Plugin Configuration Settings

This is an example configuration to set via the Config Manager or in your conf/local.protected.php to authenticate against your LDAP directory.

conf/local.protected.php
<?php
/**
 * Protected settings
 * LDAP configuration example
 */
$conf['useacl']         = 1;           //enable ACL
$conf['authtype']       = 'authldap';  //enable this Auth plugin
 
 
#$conf['plugin']['authldap']['server']      = 'localhost';
#$conf['plugin']['authldap']['port']        = 389;
$conf['plugin']['authldap']['server']      = 'ldap://server.tld:389'; #instead of the above two settings
$conf['plugin']['authldap']['usertree']    = 'ou=People, dc=server, dc=tld';
$conf['plugin']['authldap']['grouptree']   = 'ou=Group, dc=server, dc=tld';
$conf['plugin']['authldap']['userfilter']  = '(&(uid=%{user})(objectClass=posixAccount))';
$conf['plugin']['authldap']['groupfilter'] = '(&(objectClass=posixGroup)(memberUID=%{user}))';
$conf['plugin']['authldap']['attributes']  = array('cn', 'displayname', 'mail', 'givenname', 'objectclass', 'sn', 'uid', 'memberof');
 
# This is optional but may be required for your server:
#$conf['plugin']['authldap']['version']    = 3;

# This enables the use of the STARTTLS command
#$conf['plugin']['authldap']['starttls']   = 1;

# This is optional and is required to be off when using Active Directory:
#$conf['plugin']['authldap']['referrals']  = 0;

# Optional bind user and password if anonymous bind is not allowed
#$conf['plugin']['authldap']['binddn']     = 'cn=admin, dc=my, dc=home';
#$conf['plugin']['authldap']['bindpw']     = 'secret';

 
# Limit search scope for user and group searches (sub|one|base)
#$conf['plugin']['authldap']['userscope']  = 'sub';
#$conf['plugin']['authldap']['groupscope'] = 'sub';

# Optional debugging
#$conf['plugin']['authldap']['debug']      = 1;

#### not available via Config Manager ####
# Mapping can be used to specify where the internal data is coming from. 
#$conf['plugin']['authldap']['mapping']['name']  = 'displayname'; # Name of attribute the directory stores its pretty print user name.
#$conf['plugin']['authldap']['mapping']['grps']  = array('memberof' => '/CN=(.+?),/i'); # Where groups are defined in directory

You can use the version parameter to tell PHP to use version 3 of the LDAP protocol when connecting to your server; the default is version 2. Many servers reject a version 2 connection with a “Protocol error” (see the Notes below), so setting 3 is usually needed.

The userfilter is the LDAP filter used to search the usertree for the entry matching the login name. The groupfilter is the filter used to search the grouptree for the groups the user is in.

The following variables are available for the userfilter and the groupfilter:

  variable    meaning
  %{user}     the username the user tried to log in with
  %{server}   the server string provided in $conf['plugin']['authldap']['server']

The groupfilter can also access all the attributes provided in the user object (the attributes fetched during the user search, keyed by lowercase attribute name):

  variable    meaning
  %{dn}       the user's DN, e.g. uid=user,ou=People,dc=server,dc=dk
  %{uid}      the uid of the user, e.g. user
  %{…}        any other attribute of the user object, by its lowercase name

The search scope (depth) can be limited to sub, one and base using the optional userscope and groupscope parameters. They default to sub. Setting them to more limited searches can improve performance.

The mapping is used for directories that use non-“standard” names for attributes. A mapping names the attribute an internal field is taken from and, optionally, a regexp applied to each value to clean it up before it replaces the target field. For all fields but 'grps' only the first attribute value is used if more than one is provided.

  variable   mapping                                meaning
  grps       array('memberof' => '/CN=(.+?),/i')    replace the content of grps with the values of the memberof attribute, applying the regexp /CN=(.+?),/i to every element (the first capture group is kept)
  name       'displayname'                          replace the content of name with the first element of the displayname attribute
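Added illustration, not the plugin's own code, of how the two mappings in the table above are applied to a user object returned by an LDAP search. The function name, the attribute values and the group DNs are constructed for this example; attribute names are matched in lowercase, as the Notes below state they always are.

```php
<?php
// Apply an authldap-style mapping (field => attribute name, or
// field => array(attribute => regexp)) to a fetched user object.
function applyMapping(array $mapping, array $userObject): array
{
    // Attribute names are compared lowercase regardless of directory casing.
    $obj = array_change_key_case($userObject, CASE_LOWER);
    $out = [];
    foreach ($mapping as $field => $spec) {
        if (is_array($spec)) {
            // array('attribute' => '/regexp/'): run the regexp over every value
            // of the attribute and keep the first capture group of each match.
            $attr   = strtolower((string) key($spec));
            $regexp = current($spec);
            $out[$field] = [];
            foreach ($obj[$attr] ?? [] as $value) {
                if (preg_match($regexp, $value, $m)) {
                    $out[$field][] = $m[1];
                }
            }
        } else {
            // Plain attribute name: only the first value is used, as for every
            // field other than grps.
            $out[$field] = $obj[strtolower($spec)][0] ?? null;
        }
    }
    return $out;
}

// Constructed user object in the shape an LDAP search returns it
// (multi-valued attributes as arrays). The second memberOf value carries an
// escaped comma inside its CN on purpose.
$userObject = [
    'displayName' => ['Alice Example'],
    'memberOf'    => [
        'CN=wiki-admins,OU=Groups,DC=server,DC=tld',
        'CN=Sales\, EMEA,OU=Groups,DC=server,DC=tld',
        'CN=staff,OU=Groups,DC=server,DC=tld',
    ],
];
$mapping = [
    'name' => 'displayname',
    'grps' => ['memberof' => '/CN=(.+?),/i'],
];
print_r(applyMapping($mapping, $userObject));
```

The first and third memberOf values reduce to plain group names. The second shows a caveat of the regexp from the table: the non-greedy `(.+?)` stops at the first comma, escaped or not, so a CN such as `Sales\, EMEA` is cut off at the backslash. If your directory has group names with escaped commas, use a regexp that treats `\,` as part of the name rather than as the terminator.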

attributes is an array that defines which attributes need to be fetched during the LDAP user search; only these are available to the groupfilter and the mapping.

Authentication is done in these steps:

  1. Determine the user's DN. If the usertree contains %{user}, substitute the login name into it and use the result as the DN directly, with no search.
     Otherwise search the usertree with the userfilter for the given login (anonymously, or as the binddn user if one is configured). There has to be exactly one result; zero or several results means the login fails.
  2. Bind with the found DN and the given password. If this succeeds, access is granted.
  3. To get the groups the user is in, search the grouptree with the groupfilter.
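Added illustration, not the authldap plugin's own code, of the three steps above and of the variable substitution described in the filter tables: how %{user} and the user-object attributes are placed into usertree, userfilter and groupfilter, and why each value must be escaped before it reaches the directory. The function names, the in-memory directory and the $search/$bind stand-ins for ldap_search() and ldap_bind() are this example's own.

```php
<?php
// RFC 4515 escaping for a value placed inside a search filter.
function filterEscape(string $v): string
{
    return strtr($v, ['\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00']);
}

// RFC 4514 escaping for a value placed inside a distinguished name.
function dnEscape(string $v): string
{
    $v = strtr($v, ['\\' => '\\\\', ',' => '\,', '+' => '\+', '"' => '\"',
                    '<' => '\<', '>' => '\>', ';' => '\;', '=' => '\=', "\0" => '\00']);
    if ($v !== '' && ($v[0] === '#' || $v[0] === ' ')) $v = '\\' . $v;
    if (substr($v, -1) === ' ') $v = substr($v, 0, -1) . '\ ';
    return $v;
}

// Replace every %{name} in $template with the escaped value from $vars.
// Keys are matched lowercase; unknown placeholders are left untouched.
function substitute(string $template, array $vars, callable $escape): string
{
    return preg_replace_callback('/%\{([^}]+)\}/', function ($m) use ($vars, $escape) {
        $key = strtolower($m[1]);
        return array_key_exists($key, $vars) ? $escape((string) $vars[$key]) : $m[0];
    }, $template);
}

// Step 1: find the DN to bind with. A usertree containing %{user} yields the
// DN directly; otherwise the usertree is searched with the userfilter and
// exactly one result is required.
function resolveUserDn(array $conf, string $login, callable $search): ?string
{
    if (strpos($conf['usertree'], '%{user}') !== false) {
        return substitute($conf['usertree'], ['user' => $login], 'dnEscape');
    }
    $vars   = ['user' => $login, 'server' => $conf['server']];
    $filter = substitute($conf['userfilter'], $vars, 'filterEscape');
    $hits   = $search($conf['usertree'], $filter);
    return count($hits) === 1 ? $hits[0]['dn'] : null;
}

// Step 2: bind as that DN with the supplied password. An empty password is
// refused up front: LDAP treats a bind with an empty password as an
// unauthenticated bind (RFC 4513, section 5.1.2), which would succeed for any
// existing DN.
function checkPass(array $conf, string $login, string $pass, callable $search, callable $bind): bool
{
    if ($pass === '') return false;
    $dn = resolveUserDn($conf, $login, $search);
    return $dn !== null && $bind($dn, $pass);
}

// Step 3: the groupfilter may use %{user}, %{server} and every attribute of
// the user object (%{dn}, %{uid}, ...), all filter-escaped.
function groupFilter(array $conf, string $login, array $userObject): string
{
    $vars = ['user' => $login, 'server' => $conf['server']]
          + array_change_key_case($userObject, CASE_LOWER);
    return substitute($conf['groupfilter'], $vars, 'filterEscape');
}

$conf = [
    'server'      => 'ldap://server.tld:389',
    'usertree'    => 'ou=People, dc=server, dc=tld',
    'userfilter'  => '(&(uid=%{user})(objectClass=posixAccount))',
    'groupfilter' => '(&(objectClass=posixGroup)(memberUID=%{user}))',
];
// Constructed directory with two entries (clear-text passwords for the demo only).
$directory = [
    ['dn' => 'uid=alice,ou=People,dc=server,dc=tld', 'uid' => 'alice', 'userpassword' => 'correct horse'],
    ['dn' => 'uid=bob,ou=People,dc=server,dc=tld',   'uid' => 'bob',   'userpassword' => 'hunter2'],
];
// Stand-in for ldap_search(): understands only the (uid=...) assertion and compares
// the raw value; a real server decodes the \xx escapes first, with the same outcome
// here, since no uid equals the injected string.
$search = function (string $base, string $filter) use ($directory): array {
    if (!preg_match('/\(uid=([^)]*)\)/', $filter, $m)) return [];
    return array_values(array_filter($directory, fn ($e) => $e['uid'] === $m[1]));
};
// Stand-in for ldap_bind().
$bind = function (string $dn, string $pass) use ($directory): bool {
    foreach ($directory as $e) {
        if ($e['dn'] === $dn) return hash_equals($e['userpassword'], $pass);
    }
    return false;
};

var_dump(checkPass($conf, 'alice', 'correct horse', $search, $bind)); // valid login
var_dump(checkPass($conf, 'alice', '', $search, $bind));              // empty password refused
var_dump(checkPass($conf, 'alice)(uid=*', 'x', $search, $bind));      // filter syntax in the login is escaped
echo substitute($conf['userfilter'], ['user' => 'alice)(uid=*'], 'filterEscape'), "\n";
echo groupFilter($conf, 'alice', ['dn' => $directory[0]['dn'], 'uid' => 'alice']), "\n";
// Direct DN form: usertree containing %{user}, with a comma in the login escaped for the DN.
echo resolveUserDn(['usertree' => 'uid=%{user},ou=People,dc=server,dc=tld'] + $conf, 'a,b', $search), "\n";
```

Two points the example makes explicit. The login name lands inside filter syntax (step 1) or DN syntax (usertree with %{user}), and each context has its own escaping rules: a login such as `alice)(uid=*` becomes `alice\29\28uid=\2a` in the filter instead of rewriting it, and a comma in a login is escaped before it is spliced into a DN. And the empty-password check in step 2 is not optional: without it a bind as any existing DN with an empty password is accepted by the server as an unauthenticated bind and the login would succeed.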

Notes

  • While configuring the LDAP access you may want to enable the debug option, which prints the error messages your LDAP server delivers. Disable it again after setup.
  • The freeware LDAP Browser (written in Java) is useful to find the proper settings for $conf['plugin']['authldap'] and to determine the structure of your LDAP server.
  • Mappings and field names are always lowercase, regardless of the case used in the LDAP server!
  • Make sure you have the PHP LDAP extension installed.
  • To check whether the LDAP connection is working, the plugin tries to bind as an anonymous user. If anonymous binds are disabled on the LDAP server, the plugin cannot connect to the server unless a bind user is configured with binddn and bindpw.
  • If you get the “Protocol error” message, you probably have not enabled the following config statement: $conf['plugin']['authldap']['version'] = 3;
plugin/authldap.txt · Last modified: 2023-08-24 17:03 by 65.128.43.215

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International