It's better when it's simple

User Tools

Site Tools


OpenLDAP + Kerberos Auth Plugin

Compatible with DokuWiki

  • 2023-04-04 "Jack Jackrum" unknown
  • 2022-07-31 "Igor" unknown
  • 2020-07-29 "Hogfather" yes
  • 2018-04-22 "Greebo" unknown

plugin Provides user authentication against a OpenLDAP + Kerberos server using GSSAPI

Last updated on


This plugin provides an integrated OpenLDAP + Kerberos authentication using GSSAPI with user listing and groups support.

This plugin is capable to bind an OpenLDAP server using GSSAPI and it's capable to check the username and password using PHP's Kerberos library without relying on the webserver as other DokuWiki plugins such as authad.

This plugin is intended to serve as an OpenLDAP interface to access the user list and groups in a read only mode. It doesn't support the editing of the groups, user data or password.


:!: External requirements: This plugin assumes:

  • A working OpenLDAP and Kerberos servers.
  • A local Kerberos client installation with a valid /etc/krb5.conf file.
  • A valid Kerberos ticket associated with the webserver UID. It could be managed vía kinit or kstart.
  • PHP with LDAP support enabled (on Debian distributions it's provided by the php-ldap package).
  • GSSAPI library installed on the system (on Debian distributions it's provided by the libsasl2-modules-gssapi-mit package).
  • PECL krb5 package installed and enabled.

Install the plugin using the Plugin Manager and the download URL above, which points to latest version of the plugin. Refer to Plugins on how to install plugins manually.

OpenLDAP schema

This plugin assumes a typical POSIX account/group schema where the user is stored as a register in an organizational unit (OU) having a default group ID (GID) number, and the groups are stored in another OU where if a group isn't the default for a user the user ID (UID) must be listed in the group data.

As an example the user data could be something like:

dn: uid=user,ou=people,dc=example,dc=com
uid: user
uidNumber: 1000
gidNumber: 2000
cn: Username
objectClass: posixAccount
objectClass: inetOrgPerson

While the group data could be something like:

dn: cn=users,ou=groups,dc=example,dc=com
cn: users
gidNumber: 2000
objectClass: posixGroup

dn: cn=admin,ou=groups,dc=example,dc=com
cn: admin
gidNumber: 2001
memberUid: user
memberUid: otheruser
objectClass: posixGroup

In this example the user has name Username, email and belongs to users and admin groups.


The basic configuration needs the LDAP server and base DN to be configured:

// general DokuWiki options
$conf['useacl']         = 1;
$conf['authtype']       = 'authopenldapkerberos';
// configure your OpenLDAP + Kerberos data here
$conf['plugin']['authopenldapkerberos']['server']     = 'ldap://';
$conf['plugin']['authopenldapkerberos']['base_dn']    = 'dc=example,dc=com';

In case that the OU or attribs differ from the example it's possible to redefine any of the keys, here's the complete config parameters:

// Server:
$conf['plugin']['authopenldapkerberos']['server']    = 'ldap://';
$conf['plugin']['authopenldapkerberos']['port']      = 389;
// Basic structure:
$conf['plugin']['authopenldapkerberos']['base_dn']   = 'dc=example,dc=com';
$conf['plugin']['authopenldapkerberos']['user_ou']   = 'people';
$conf['plugin']['authopenldapkerberos']['group_ou']  = 'groups';
// User attribs:
$conf['plugin']['authopenldapkerberos']['userkey']   = 'uid';
$conf['plugin']['authopenldapkerberos']['username']  = 'cn';
$conf['plugin']['authopenldapkerberos']['usermail']  = 'mail';
$conf['plugin']['authopenldapkerberos']['usergid']   = 'gidnumber';
// Group attribs:
$conf['plugin']['authopenldapkerberos']['groupkey']  = 'cn';
$conf['plugin']['authopenldapkerberos']['groupgid']  = 'gidnumber';
$conf['plugin']['authopenldapkerberos']['groupuids'] = 'memberuid';


plugin/authopenldapkerberos.txt · Last modified: 2022-01-07 10:25 by Klap-in

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki