DokuWiki

LDAP Auth plugin: Active Directory

Below is an example configuration for using the authLDAP Auth plugin to authenticate against an Active Directory server.

Please note that there is a dedicated Active Directory authentication backend which should be much easier to set up and can also handle Single-Sign-On via NTLM.

Note: Beware of uppercase letters in domain names: login will still work, but Active Directory group lookup won't. Use a tool like AD Explorer to debug.

Active Directory with groups

Use the Config Manager, or add the settings to conf/local.protected.php so that the configuration is stored protected.

  • replace mydomain and dom with the components of your AD domain name (the dc= parts).
conf/local.protected.php
<?php
/**
 * AD configuration for LDAP Auth Plugin
 * See https://www.dokuwiki.org/plugin:authldap:ad for details and explanation
 */

$conf['authtype']                               = 'authldap';
$conf['plugin']['authldap']['server']           = 'mydomain.dom';
$conf['plugin']['authldap']['binddn']           = '%{user}@%{server}';
$conf['plugin']['authldap']['usertree']         = 'dc=mydomain,dc=dom';
$conf['plugin']['authldap']['userfilter']       = '(userPrincipalName=%{user}@%{server})';
$conf['plugin']['authldap']['mapping']['name']  = 'displayname';
$conf['plugin']['authldap']['mapping']['grps']  = array('memberof' => '/CN=(.+?),/i'); # group name = first CN of each memberOf DN
$conf['plugin']['authldap']['grouptree']        = 'dc=mydomain,dc=dom'; # base DN for group searches, the domain root here
$conf['plugin']['authldap']['groupfilter']      = '(&(cn=*)(Member=%{dn})(objectClass=group))'; # find the groups of the current user (dn)
$conf['plugin']['authldap']['referrals']        = 0; # switch referrals off for use with Active Directory
$conf['plugin']['authldap']['version']          = 3;
$conf['plugin']['authldap']['debug']            = 0; # set to 1 to show authentication activity (e.g. the list of user groups) on the HTML page

If you receive a binding error like “LDAP: bind with xxx failed [ldap.class.php:90]”, try using

$conf['plugin']['authldap']['binddn']           = 'domain\%{user}';

Replace domain with your domain name.

Limit access to USR_* only

Use the Config Manager, or add the settings to conf/local.protected.php so that the configuration is stored protected.

conf/local.protected.php
<?php
/**
 * AD configuration for LDAP Auth Plugin
 * See https://www.dokuwiki.org/plugin:authldap:ad for details and explanation
 */

$conf['authtype']                              = 'authldap'; // the plugin's auth type is 'authldap', not the legacy 'ldap'
$conf['plugin']['authldap']['server']          = '127.0.0.1:389';
$conf['plugin']['authldap']['binddn']          = '%{user}@yourfulldomainname';
$conf['plugin']['authldap']['usertree']        = ''; // point to the container holding your users, e.g. OU=x,DC=y,...
$conf['plugin']['authldap']['userfilter']      = '(userPrincipalName=%{user}@yourfulldomainname)';
$conf['plugin']['authldap']['grouptree']       = ''; // point to the container holding your groups, e.g. CN=Users,DC=x,...
$conf['plugin']['authldap']['groupfilter']     = '(&(cn=USR_*)(Member=%{dn})(ObjectCategory=group))'; // only groups named USR_* that have the user as a member
// remember: dn is the full DN of the user's account
$conf['plugin']['authldap']['mapping']['name'] = 'displayname';
$conf['plugin']['authldap']['mapping']['grps'] = array('memberof' => '/CN=(.+?),/i'); // must be a real array, not a quoted string
$conf['plugin']['authldap']['referrals']       = 0;
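
The filter placeholders and the memberof group mapping used by the configurations above, as an added example in plain PHP that is not part of the authLDAP plugin. The function names filter_escape, build_filter and map_groups are made up for this illustration; the plugin uses its own helpers for substitution and escaping, and the sample DNs are constructed for a fictional domain mydomain.dom.

```php
<?php
// Added example (not part of the authLDAP plugin): fills the %{...} placeholders
// used by the userfilter/groupfilter settings above and applies the
// mapping['grps'] regex to memberOf values. Function names are hypothetical.

// RFC 4515 escaping for a value interpolated into a search filter, so that a
// username containing '*', '(' or ')' cannot change the meaning of the filter.
function filter_escape(string $value): string {
    return strtr($value, [
        '\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00',
    ]);
}

// Replace %{user}, %{server}, %{dn}, ... in a filter template. Wildcards that
// belong to the template itself (e.g. cn=USR_*) are left untouched.
function build_filter(string $template, array $vars): string {
    return preg_replace_callback('/%\{(\w+)\}/', function ($m) use ($vars) {
        return filter_escape($vars[$m[1]] ?? '');
    }, $template);
}

// Run the mapping regex over every memberOf DN; capture group 1 is the group
// name. Names are lowercased here for case-insensitive comparison (assumption:
// the plugin's own normalisation may differ). Note that '/CN=(.+?),/i' stops at
// the first comma, so a CN with an escaped comma (CN=Admins\, Wiki) is truncated.
function map_groups(array $memberof, string $pattern): array {
    $groups = [];
    foreach ($memberof as $dn) {
        if (preg_match($pattern, $dn, $m)) {
            $groups[] = strtolower($m[1]);
        }
    }
    return array_values(array_unique($groups));
}

// Constructed sample data for the fictional domain mydomain.dom.
$vars = [
    'user'   => 'jdoe',
    'server' => 'mydomain.dom',
    'dn'     => 'CN=John Doe,OU=Staff,DC=mydomain,DC=dom',
];
$memberof = [
    'CN=Wiki Editors,OU=Groups,DC=mydomain,DC=dom',
    'CN=USR_Finance,OU=Groups,DC=mydomain,DC=dom',
    'CN=Domain Users,CN=Users,DC=mydomain,DC=dom',
];

echo build_filter('(userPrincipalName=%{user}@%{server})', $vars), "\n";
echo build_filter('(&(cn=USR_*)(Member=%{dn})(ObjectCategory=group))', $vars), "\n";
print_r(map_groups($memberof, '/CN=(.+?),/i'));
```

Running it prints the two completed filters and the three group names extracted from the memberOf DNs; swap 'jdoe' for a value containing '*' or parentheses to see the escaping take effect.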

Windows Server 2012 R2

An example of a working connection to a Windows Server 2012 R2 domain controller. Use the Config Manager, or add the settings to conf/local.protected.php so that the configuration is stored protected.

conf/local.protected.php
<?php
/**
 * AD configuration for LDAP Auth Plugin
 * See https://www.dokuwiki.org/plugin:authldap:ad for details and explanation
 */
$conf['authtype']                          = 'authldap';
$conf['plugin']['authldap']['server']      = 'ldap://my.dom:389';
$conf['plugin']['authldap']['userfilter']  = '(&(objectClass=user)(sAMAccountName=%{user}))';
$conf['plugin']['authldap']['groupfilter'] = '(&(objectClass=*)(member=%{dn}))';
$conf['plugin']['authldap']['usertree']    = 'ou=Users,dc=my,dc=dom';
$conf['plugin']['authldap']['grouptree']   = 'OU=Groups,DC=my,DC=dom';
$conf['plugin']['authldap']['binddn']      = 'CN=LDAPUser,OU=TechAccounts,DC=my,DC=dom';
$conf['plugin']['authldap']['bindpw']      = 'BASEENCODEDPASSWORDHERE=';
$conf['plugin']['authldap']['modPass']     = 0;
plugin/authldap/ad.txt · Last modified: 2017-09-14 14:50 by 62.128.13.164