TUTORIAL: Auth via LDAP/Active Directory with users in different OUs
Hello! (I'm from Germany, so please excuse my bad English.)
I have been searching for a solution to my problem in many threads/forums and found only a lot of people with the same problem, but without a solution. Now I have solved my problem and want to give you the information I searched for so long.
Scenario (my setup; nothing else was tested, but other versions may work):
Webserver: Ubuntu Linux 9.04, Apache 2.2.11, PHP 5.2.6, MySQL 5.0.75
TikiWiki: Version 3.1
LDAP-Server: Microsoft Active Directory, MS Windows Server 2003 R2
Settings in Admin Home - Login - PEAR::Auth:
PEAR::Auth
Create user if not in Tiki: Checked
Create user if not in Auth: Unchecked
Use Tiki authentication for Admin login: Checked (keep this checked; it is what lets you log in as admin when the domain controller is unreachable or the LDAP settings are wrong)
LDAP
URL: Blank
Host: IP address of my AD server
Port: 389
Search scope: Subtree
LDAP version: 3
Realname attribute: name
Country attribute: countryCode
Base DN: DC=MyDomain,DC=de (For MyDomain.de)
LDAP User
User DN: Blank
User attribute: sAMAccountName
User OC: * (I think "person" should also work, but this is what I tried)
LDAP Group (I did not use or change this, as far as I know)
Group DN: Blank
Group attribute: cn
Group OC: groupOfUniqueNames
LDAP Member
Member attribute: uniqueMember
Member is DN: Checked
LDAP Admin
Admin user: CN=usercn,CN=users,DC=MyDomain,DC=de
Admin password: Id0NtTelLYoumYPa$$woRd;-)
You can look up the full DN (distinguished name) of your admin user via adsiedit.msc on your domain controller. This account is only used to search the directory for the login name, so it needs nothing more than read access: use a dedicated, unprivileged domain account for it, not a domain administrator, because its password is stored in the Tiki configuration.
Now the interesting part:
Open tikiroot/lib/pear/Auth/Container/LDAP.php
Change line ~435 (in function _setDefaults()) from
    $this->options['referrals'] = true;
to
    $this->options['referrals'] = false;
This option controls whether the LDAP client follows referrals. A subtree search from the domain root (Base DN DC=MyDomain,DC=de) makes Active Directory return, next to the matching entries, referrals to its other naming contexts (Configuration, DomainDnsZones, ForestDnsZones). The OpenLDAP library behind PHP's ldap_search() chases those referrals without your credentials, the referred-to server requires an authenticated bind, and the whole search fails (typically with "Operations error") even though the user exists. With referrals set to false the referrals are ignored and the user entry is returned.
Keep in mind that the next Tiki upgrade will overwrite lib/pear/Auth/Container/LDAP.php, so note the change somewhere you will find it again.
With these settings you should be able to authenticate with every username/password from your domain.
Two things to keep in mind before you rely on this in production:
Port 389 is plain LDAP. The admin bind password and every user's login password travel between the web server and the domain controller unencrypted. If the domain controller has a certificate, use LDAPS instead (port 636 and an ldaps:// URL in the URL field, which PEAR::Auth hands to ldap_connect()).
User OC * accepts any object class, so the lookup matches every object in the domain with that sAMAccountName. Restricting User OC to person (or user) limits the lookup to account objects, which is what you actually want.
I hope this can help someone.
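To test the same flow outside Tiki (and to see the referral failure directly), here is a small stand-alone PHP script that does what PEAR::Auth does with the settings above: bind with the admin account, look the user up by sAMAccountName, then bind as the user with the password that was typed in. It is an added example, not code from Tiki or PEAR::Auth. The host name, the account names and the passwords are placeholders taken from the settings above; ldaps:// assumes the domain controller has a certificate (use ldap://host to match the tutorial's port 389 exactly), and the filter-escaping helper and the empty-password check are my additions, not something the tutorial's settings give you.

```php
<?php
// Added example (not Tiki or PEAR::Auth code): reproduce the search-then-bind
// flow PEAR::Auth performs with the settings above, so the AD side can be
// checked from the web server before touching Tiki. PHP 5.2 compatible.
// Host, DNs and passwords are placeholders (assumptions).

$host     = 'ldaps://dc1.mydomain.de';                 // assumption: LDAPS on the DC; 'ldap://dc1.mydomain.de' = port 389 as in the tutorial
$baseDn   = 'DC=MyDomain,DC=de';
$adminDn  = 'CN=usercn,CN=users,DC=MyDomain,DC=de';    // read-only service account
$adminPw  = 'Id0NtTelLYoumYPa$$woRd;-)';
$userAttr = 'sAMAccountName';
$userOc   = 'person';                                   // narrower than the tutorial's "*"

// Escape a value for use inside an LDAP search filter (RFC 4515), so a login
// name such as "*)(objectClass=*" cannot change the meaning of the query.
function ad_filter_escape($value) {
    $map = array('\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00');
    return strtr($value, $map);
}

// Returns true only if the user exists under $baseDn and the password is correct.
function ad_authenticate($username, $password) {
    global $host, $baseDn, $adminDn, $adminPw, $userAttr, $userOc;

    // An empty password makes ldap_bind() perform an *unauthenticated* bind,
    // which Active Directory accepts for any existing account, so refuse it.
    if ($username === '' || $password === '') {
        return false;
    }

    $conn = ldap_connect($host);
    if (!$conn) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // The setting the tutorial patches into LDAP.php: do not chase the
    // referrals AD returns for a subtree search at the domain root.
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Step 1: bind with the service account and look up the user's DN.
    if (!@ldap_bind($conn, $adminDn, $adminPw)) {
        error_log('admin bind failed: ' . ldap_error($conn));
        ldap_unbind($conn);
        return false;
    }

    $filter = sprintf('(&(%s=%s)(objectClass=%s))',
                      $userAttr, ad_filter_escape($username), $userOc);
    $result = @ldap_search($conn, $baseDn, $filter, array('dn', 'name'));
    if (!$result || ldap_count_entries($conn, $result) !== 1) {
        // With referral chasing still enabled, this is where AD setups fail
        // ("Operations error") even though the account exists.
        error_log('user lookup failed: ' . ldap_error($conn));
        ldap_unbind($conn);
        return false;
    }
    $entries = ldap_get_entries($conn, $result);
    $userDn  = $entries[0]['dn'];

    // Step 2: bind as the user with the supplied password; this is the
    // actual password check.
    $ok = @ldap_bind($conn, $userDn, $password);
    ldap_unbind($conn);
    return $ok;
}

// Usage from the shell on the web server:
//   php ad_check.php jdoe 'the-password'
if (PHP_SAPI === 'cli' && $argc === 3) {
    echo ad_authenticate($argv[1], $argv[2]) ? "authenticated\n" : "rejected\n";
}
```

Run it once with LDAP_OPT_REFERRALS set to 1 and once with 0 against the same account: if the first run logs "Operations error" on the lookup and the second authenticates, the referral patch is what your Tiki install needs.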
Greetings
Tobias