LDAP Auth plugin: Active Directory
Below are example configurations for using the authLDAP Auth plugin to authenticate against an Active Directory server.
Please note that there is a dedicated Active Directory authentication plugin which should be much easier to set up and can also handle Single-Sign-On via NTLM.
Note: beware of uppercase letters in domain names. Login will still work, but Active Directory group lookup won't; use a tool like AD Explorer to debug.
Active Directory with groups
Use the Config Manager, or add the settings to conf/local.protected.php to keep the configuration protected.
- Replace mydomain and dom with the components of your AD domain name (the dc= values).
- conf/local.protected.php

```php
<?php
/**
 * AD configuration for LDAP Auth Plugin
 * See https://www.dokuwiki.org/plugin:authldap:ad for details and explanation
 */
$conf['authtype'] = 'authldap';
$conf['plugin']['authldap']['server'] = 'mydomain.dom';
$conf['plugin']['authldap']['binddn'] = '%{user}@%{server}';
$conf['plugin']['authldap']['usertree'] = 'dc=mydomain,dc=dom';
$conf['plugin']['authldap']['userfilter'] = '(userPrincipalName=%{user}@%{server})';
$conf['plugin']['authldap']['mapping']['name'] = 'displayname';
$conf['plugin']['authldap']['mapping']['grps'] = array('memberof' => '/CN=(.+?),/i');
$conf['plugin']['authldap']['grouptree'] = 'dc=mydomain,dc=dom'; # base DN for the group search, the domain root here
$conf['plugin']['authldap']['groupfilter'] = '(&(cn=*)(Member=%{dn})(objectClass=group))'; # find the groups the current user (dn) is a member of
$conf['plugin']['authldap']['referrals'] = 0; # switch referrals off for use with Active Directory
$conf['plugin']['authldap']['version'] = 3;
$conf['plugin']['authldap']['debug'] = 0; # set to 1 to show authentication activity (e.g. the user's group list) on the HTML page
```
If you receive a binding error like “LDAP: bind with xxx failed [ldap.class.php:90]”, try using the down-level logon name form instead:

```php
$conf['plugin']['authldap']['binddn'] = 'domain\%{user}';
```

Replace domain with your (NetBIOS) domain name.
Limit access to USR_* only
Use the Config Manager, or add the settings to conf/local.protected.php to keep the configuration protected. The groupfilter below only matches groups whose name starts with USR_, so users who are not a member of such a group get no groups assigned.
- conf/local.protected.php

```php
<?php
/**
 * AD configuration for LDAP Auth Plugin
 * See https://www.dokuwiki.org/plugin:authldap:ad for details and explanation
 */
$conf['authtype'] = 'authldap';
$conf['plugin']['authldap']['server'] = '127.0.0.1:389';
$conf['plugin']['authldap']['binddn'] = '%{user}@yourfulldomainname';
$conf['plugin']['authldap']['usertree'] = ''; // point to the container where your users are, i.e. OU=x,DC=y etc.
$conf['plugin']['authldap']['userfilter'] = '(userPrincipalName=%{user}@yourfulldomainname)';
$conf['plugin']['authldap']['grouptree'] = ''; // point to the container where your groups are, i.e. CN=Users,DC=x etc.
// selects only the groups the user is a member of; remember %{dn} is the full DN
// of the user's account. Filters on groups whose name starts with USR_.
$conf['plugin']['authldap']['groupfilter'] = '(&(cn=USR_*)(Member=%{dn})(ObjectCategory=group))';
$conf['plugin']['authldap']['mapping']['name'] = 'displayname';
$conf['plugin']['authldap']['mapping']['grps'] = array('memberof' => '/CN=(.+?),/i'); // a real PHP array, not a quoted string
$conf['plugin']['authldap']['referrals'] = 0;
```
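Both the "Active Directory with groups" and the "Limit access to USR_* only" configurations rely on two mechanisms: %{user}, %{server} and %{dn} placeholders substituted into userfilter/groupfilter templates, and the mapping['grps'] regex (/CN=(.+?),/i) that turns each memberOf DN into a group name. The script below is an added example written for this page; it is not the plugin's code and does not talk to a directory. It emulates those two steps on constructed data so you can check what a filter and a group list will look like for a given account before touching the server. The function names (expand_filter, groups_from_memberof, pcre_to_python) are this example's own, and the RFC 4515 escaping of substituted values is an assumption of the example, included to show why a user-supplied value must never be able to add or close filter components while a wildcard written into the template itself (cn=USR_*) stays a wildcard.

```python
import re

# Placeholder syntax used by the authldap config strings: %{user}, %{server}, %{dn}.
_PLACEHOLDER = re.compile(r"%\{(\w+)\}")


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Assumption of this example: values substituted into a filter are escaped
    before insertion, so a value can never add or close filter components.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def expand_filter(template: str, values: dict) -> str:
    """Substitute %{name} placeholders in a userfilter/groupfilter template.

    Only the substituted values are escaped; wildcards written into the
    template itself (such as cn=USR_*) are kept as wildcards.
    """
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError("no value for placeholder %%{%s}" % name)
        return ldap_filter_escape(values[name])

    return _PLACEHOLDER.sub(substitute, template)


def pcre_to_python(pcre: str):
    """Convert a PHP-style '/pattern/flags' regex (as written in the config) to re."""
    delimiter = pcre[0]
    end = pcre.rfind(delimiter)
    body, flags = pcre[1:end], pcre[end + 1:]
    re_flags = 0
    if "i" in flags:
        re_flags |= re.IGNORECASE
    if "m" in flags:
        re_flags |= re.MULTILINE
    if "s" in flags:
        re_flags |= re.DOTALL
    return re.compile(body, re_flags)


def groups_from_memberof(memberof_values, pcre="/CN=(.+?),/i"):
    """Derive group names from memberOf DNs the way mapping['grps'] does:
    the first capture group of the regex, per DN, becomes the group name."""
    regex = pcre_to_python(pcre)
    groups = []
    for dn in memberof_values:
        match = regex.search(dn)
        if match:
            groups.append(match.group(1))
    return groups


if __name__ == "__main__":
    # Constructed sample data, not taken from a real directory.
    login = {"user": "alice", "server": "mydomain.dom",
             "dn": "CN=Alice,OU=Users,DC=mydomain,DC=dom"}
    print(expand_filter("(userPrincipalName=%{user}@%{server})", login))
    print(expand_filter("(&(cn=USR_*)(Member=%{dn})(ObjectCategory=group))", login))
    # A value containing filter metacharacters is neutralised by the escaping.
    print(expand_filter("(userPrincipalName=%{user}@%{server})",
                        {"user": "*)(objectClass=*", "server": "mydomain.dom"}))
    # memberOf values as AD returns them; the last one has an escaped comma in
    # the CN, which the non-greedy regex cuts off at the first comma.
    memberof = [
        "CN=Wiki Editors,OU=Groups,DC=mydomain,DC=dom",
        "cn=USR_Finance,CN=Users,DC=mydomain,DC=dom",
        "CN=Smith\\, John,OU=Groups,DC=mydomain,DC=dom",
    ]
    print(groups_from_memberof(memberof))
```

The third memberOf entry shows a limitation of the page's regex that is worth knowing when you debug missing groups: a CN containing an escaped comma is truncated at that comma, so such a group will never match a name used in your ACLs.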
Windows Server 2012 R2
An example of a working connection to Windows Server 2012 R2.
Use the Config Manager, or add the settings to conf/local.protected.php to keep the configuration protected.
- conf/local.protected.php

```php
<?php
/**
 * AD configuration for LDAP Auth Plugin
 * See https://www.dokuwiki.org/plugin:authldap:ad for details and explanation
 */
$conf['authtype'] = 'authldap';
$conf['plugin']['authldap']['server'] = 'ldap://my.dom:389';
$conf['plugin']['authldap']['userfilter'] = '(&(objectClass=user)(sAMAccountName=%{user}))';
$conf['plugin']['authldap']['groupfilter'] = '(&(objectClass=*)(member=%{dn}))';
$conf['plugin']['authldap']['usertree'] = 'ou=Users,dc=my,dc=dom';
$conf['plugin']['authldap']['grouptree'] = 'OU=Groups,DC=my,DC=dom';
$conf['plugin']['authldap']['binddn'] = 'CN=LDAPUser,OU=TechAccounts,DC=my,DC=dom'; // service account used to bind for the user and group searches
$conf['plugin']['authldap']['bindpw'] = 'BASEENCODEDPASSWORDHERE='; // placeholder for the base64-encoded password of the bind account
$conf['plugin']['authldap']['modPass'] = 0;
```