LDAP Auth Plugin: OpenLDAP Examples

Below are example configurations for use with the authLDAP plugin and the OpenLDAP server.

Use the Config Manager, or create conf/local.protected.php (if it does not exist yet) and add the settings there so that the configuration is stored protected.

With anonymous bind

/* OpenLDAP config - details: */
$conf['plugin']['authldap']['server']      = 'ldap.server.tld';
$conf['plugin']['authldap']['usertree']    = 'uid=%{user}, ou=People, dc=server, dc=tld';
$conf['plugin']['authldap']['grouptree']   = 'ou=Groups, dc=server, dc=tld';
$conf['plugin']['authldap']['groupfilter'] = '(&(objectClass=posixGroup)(|(memberUid=%{uid})(gidNumber=%{gid})))';

With anonymous bind and filters

/* OpenLDAP config - details: */
$conf['plugin']['authldap']['server']      = 'ldap.server.tld';
$conf['plugin']['authldap']['usertree']    = 'ou=People, dc=server, dc=tld';
$conf['plugin']['authldap']['userfilter']  = '(&(objectClass=posixAccount)(uid=%{user}))';
$conf['plugin']['authldap']['grouptree']   = 'ou=Groups, dc=server, dc=tld';
$conf['plugin']['authldap']['groupfilter'] = '(&(objectClass=posixGroup)(|(memberUid=%{uid})(gidNumber=%{gid})))';
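How the %{user}, %{uid}, %{gid} and %{dn} placeholders in these filters get expanded, plus a structural check on the resulting filter, as an added Python example (not the plugin's own code; it assumes RFC 4515 escaping of substituted values and uses a constructed sample user):

```python
import re
# Placeholder values as the plugin fills them after the user lookup
# (constructed sample data, not from a real directory).
SAMPLE_USER = {"user": "jdoe", "uid": "jdoe", "gid": "1001",
               "dn": "uid=jdoe,ou=People,dc=server,dc=tld"}

def ldap_escape_filter(value: str) -> str:
    """RFC 4515 value escaping: ( ) * \\ and NUL become \\XX, so a substituted
    value can never open or close filter components."""
    return "".join(f"\\{ord(c):02x}" if c in "()*\\\0" else c for c in value)

def render_filter(template: str, values: dict = SAMPLE_USER) -> str:
    """Expand %{name} placeholders with escaped values."""
    def sub(m):
        if m.group(1) not in values:
            raise KeyError(f"unknown placeholder %{{{m.group(1)}}}")
        return ldap_escape_filter(values[m.group(1)])
    return re.sub(r"%\{(\w+)\}", sub, template)

def is_valid_filter(f: str) -> bool:
    """Structural RFC 4515 check: (attr=value), (!F), (&F...) or (|F...), fully parenthesised."""
    pos = 0
    def parse() -> bool:
        nonlocal pos
        if pos >= len(f) or f[pos] != "(":
            return False
        pos += 1
        if pos < len(f) and f[pos] in "&|!":
            op, n = f[pos], 0
            pos += 1
            while pos < len(f) and f[pos] == "(":
                if not parse():
                    return False
                n += 1
            if n == 0 or (op == "!" and n != 1):
                return False
        else:
            end = f.find(")", pos)  # simple item: attr OP value
            if end < 0 or not re.fullmatch(r"[A-Za-z][\w.;:-]*(~=|>=|<=|=)[^()]*", f[pos:end]):
                return False
            pos = end
        if pos >= len(f) or f[pos] != ")":
            return False
        pos += 1
        return True
    return parse() and pos == len(f)

def check_filters(templates, values=SAMPLE_USER) -> dict:
    """Map each template to its rendered filter, or None when it is malformed."""
    return {t: render_filter(t, values) if is_valid_filter(t) else None for t in templates}
```

Run check_filters() over the userfilter and groupfilter values from a configuration block before deploying it; an unbalanced filter is reported as None instead of failing only at login time.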

With superuser bind

/* OpenLDAP config - details: */
$conf['plugin']['authldap']['server']   = 'ldap.server.tld';
$conf['plugin']['authldap']['binddn']   = 'uid=ldapuser,ou=People,dc=server,dc=tld';
$conf['plugin']['authldap']['bindpw']   = 'password';
$conf['plugin']['authldap']['usertree'] = 'uid=%{user},ou=People,dc=server,dc=tld';

With OpenLDAP I had to add the following to get the user's group list back:

$conf['plugin']['authldap']['grouptree']   = 'ou=groups, dc=tld';
$conf['plugin']['authldap']['groupfilter'] = '(&(objectClass=posixGroup)(Member=%{dn}))';

With Kolab2 schema

For use with Kolab.

/* OpenLDAP config - details: */
$conf['plugin']['authldap']['server']      = 'mykolabserver';       # replace with the hostname of your Kolab server
$conf['plugin']['authldap']['usertree']    = 'dc=mydomain, dc=com'; # replace with your domain
$conf['plugin']['authldap']['grouptree']   = 'dc=mydomain, dc=com'; # replace with your domain
$conf['plugin']['authldap']['userfilter']  = '(&(uid=%{user}))';
$conf['plugin']['authldap']['groupfilter'] = '(&(objectClass=kolabGroupOfNames)(member=%{dn}))';

Fedora Directory Server With Group

/* OpenLDAP config - details: */
$conf['plugin']['authldap']['server']      = 'ldap://';
$conf['plugin']['authldap']['usertree']    = 'ou=People,dc=example,dc=com';
$conf['plugin']['authldap']['grouptree']   = 'ou=Groups,dc=example,dc=com';
$conf['plugin']['authldap']['userfilter']  = '(&(uid=%{user})(objectClass=posixAccount))';
$conf['plugin']['authldap']['groupfilter'] = '(&(uniquemember=%{dn}))';
$conf['plugin']['authldap']['version']     = 3;

Note that you need to use %{dn} for the uniquemember.

Note: you may need to change line 4 of the block above (the userfilter), depending on the object class of your user entries.
If the users in the LDAP directory are posixAccount entries:

$conf['plugin']['authldap']['userfilter']  = '(&(uid=%{user})(objectClass=posixAccount))';

If the users in the LDAP directory are only inetOrgPerson entries:

$conf['plugin']['authldap']['userfilter']  = '(&(uid=%{user})(objectClass=inetOrgPerson))';

OpenLDAP on SuSE Linux Enterprise Server

This worked for me with a default SLES 10 configuration:

/* OpenLDAP config - details: */
$conf['plugin']['authldap']['server']      = 'ldap://server.tld:389';
$conf['plugin']['authldap']['port']        = 389;
$conf['plugin']['authldap']['usertree']    = 'ou=People,dc=server,dc=tld';
$conf['plugin']['authldap']['grouptree']   = 'ou=Group,dc=server,dc=tld';
$conf['plugin']['authldap']['userfilter']  = '(&(uid=%{user})(objectClass=posixAccount))';
$conf['plugin']['authldap']['groupfilter'] = '(&(Member=%{dn})(objectClass=posixGroup))';
$conf['plugin']['authldap']['version']     = 3;

The groupfilter attribute is what is important. I recommend creating an “admin” group in the directory, setting the superuser config setting to @admin, and adding the users you want to administer the wiki to that group using the YaST user manager.

$conf['superuser'] = '@admin';

Enterprise IPA on Red Hat Enterprise Linux

/* OpenLDAP config - details: */
$conf['authtype'] = 'authldap';
$conf['superuser'] = '@wiki';
$conf['plugin']['authldap']['server'] = 'ldap://';
$conf['plugin']['authldap']['usertree'] = 'cn=users,cn=accounts,dc=example,dc=com';
$conf['plugin']['authldap']['grouptree'] = 'cn=groups,cn=accounts,dc=example,dc=com';
$conf['plugin']['authldap']['userfilter'] = '(&(uid=%{user})(objectClass=posixAccount))';
$conf['plugin']['authldap']['groupfilter'] = '(&(member=%{dn})(objectClass=posixGroup))';
$conf['plugin']['authldap']['version'] = '3';

Zimbra 7 with Posix and Samba extension

/* OpenLDAP config - details: */
$conf['useacl']      = 1;
$conf['openregister']= 0;
$conf['authtype']    = 'authldap';
$conf['plugin']['authldap']['server']   = 'ldap://hostname.domain.tld:389';
$conf['plugin']['authldap']['binddn']   = 'uid=zmposix,cn=appaccts,cn=zimbra'; // can use the config account here too
$conf['plugin']['authldap']['bindpw']   = 'password';
$conf['plugin']['authldap']['usertree'] = 'uid=%{user},ou=people,dc=domain,dc=tld';
$conf['plugin']['authldap']['grouptree'] = 'ou=groups,dc=domain,dc=tld';
$conf['plugin']['authldap']['groupfilter']  = '(|(memberUid=%{user})(gidNumber=%{gid}))';
$conf['plugin']['authldap']['version']    = 3;
$conf['plugin']['authldap']['starttls']   = 1;

Zentyal 3.0

You can retrieve the usertree and grouptree from the “Users and Groups / LDAP Settings” page of the Zentyal administration as the “Users DN” and the “Groups DN”; you must use the “Read-only root DN” and its password for binddn/bindpw:

$conf['plugin']['authldap']['server'] = '';
$conf['plugin']['authldap']['port'] = 390;
$conf['plugin']['authldap']['usertree'] = 'ou=Users,dc=domain,dc=name,dc=com';
$conf['plugin']['authldap']['grouptree'] = 'ou=Groups,dc=domain,dc=name,dc=com';
$conf['plugin']['authldap']['version'] = 3;
$conf['plugin']['authldap']['debug'] = 0;
$conf['plugin']['authldap']['binddn'] = 'cn=zentyalro,dc=domain,dc=name,dc=com';
$conf['plugin']['authldap']['bindpw'] = 'EzfCKRAJJW3eQgfAmhM5bCaghQ';
$conf['plugin']['authldap']['userfilter']  = '(&(uid=%{user})(objectclass=inetOrgPerson))';
$conf['plugin']['authldap']['groupfilter'] = '(&(Member=%{dn})(objectClass=posixGroup))';

Two ldap servers for redundancy

slapd proxy

As far as I know, DokuWiki does not support multiple servers in the LDAP configuration. My workaround is to create a local slapd proxy:

# Proxy slapd must contain all schema and objectClass definitions 
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/kerberos.schema
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/
# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values
loglevel        stats stats2 ACL filter
# The maximum number of entries that is returned for a search operation
sizelimit 5000
# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1
# Ensure read access to the base for things like
# supportedSASLMechanisms.  Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read
# by default we proxy all requests
access to * by * read
# from slapd-ldap(5)
backend         ldap
database        ldap
suffix          "dc=mydomain,dc=lan"
rootdn          "dc=mydomain,dc=lan"
uri             "ldaps://server1.mydomain.lan/ ldaps://server2.mydomain.lan/"
tls ldaps
# timeouts in seconds
network-timeout 2
timeout 2
conn-ttl 2
rebind-as-user yes
# in case of debug problems
# session-tracking-request yes

It is recommended to restrict slapd to the loopback interface and the local socket via the daemon's argument options:

-h ldap:// ldapi:///

If everything is right, you can change the URL in the DokuWiki config

$conf['plugin']['authldap']['server']      = 'ldap://';

and now downtime of one of the LDAP servers is no longer critical.

plugin/authldap/openldap.txt · Last modified: 2016-03-03 12:06 by