LDAP / Active directory


TUTORIAL: Auth via LDAP/Active Directory with users in different OUs

Hello! (I'm from Germany, so please excuse my bad English)

I have been searching for a solution to my problem in many threads/forums and found only a lot of people with the same problem but without a solution. Now I solved my problem and want to give you the information I searched for so long.

Scenario: (My case, nothing else was tested but could work)
Webserver: Ubuntu Linux 9.04, Apache 2.2.11, PHP 5.2.6, MySQL 5.0.75
TikiWiki: Version 3.1
LDAP-Server: Microsoft Active Directory, MS Windows Server 2003 R2

Settings in Admin Home - Login - PEAR::Auth:
PEAR::Auth
Create user if not in Tiki: Checked
Create user if not in Auth: Unchecked
Use Tiki authentication for Admin login: Checked

LDAP
URL: Blank
Host: IP address of my AD server
Port: 389
Search scope: Subtree
LDAP version: 3
Realname attribute: name
Country attribute: countryCode
Base DN: DC=MyDomain,DC=de (For MyDomain.de)

LDAP User
User DN: Blank
User attribute: sAMAccountName
User OC: * (I think "person" should also work, but this is what I tried)

LDAP Group (I did not use or change this afaik)
Group DN: Blank
Group attribute: cn
Group OC: groupOfUniqueNames

LDAP Member
Member attribute: uniqueMember
Member is DN: Checked

LDAP Admin
Admin user: CN=usercn,CN=users,DC=MyDomain,DC=de
Admin password: Id0NtTelLYoumYPa$$woRd;-)

You can look up the CN of your admin user via adsiedit.msc on your domain controller.

Now the interesting part:
Open tikiroot/lib/pear/Auth/Container/LDAP.php
Change line ~435 (in function _setDefaults())

$this->options['referrals'] = true;

to

$this->options['referrals'] = false;


This option is there to enable searching directly from the root of the directory.

With these settings you should be able to authenticate with every username/password from your domain.

I hope, this can help someone.

Greetings
Tobias
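As an added illustration (this is not TikiWiki or PEAR::Auth code, and it is not from the post above), the following PHP does by hand what the settings and the referrals change above make the PEAR container do: bind as the admin account, search the whole subtree under the base DN for the sAMAccountName, then bind as the DN that was found. The host, base DN, admin DN and passwords are placeholders supplied by the caller, and ldap_escape() needs PHP 5.6 or later, so the code is newer than the PHP 5.2.6 of the scenario.

```php
<?php
// Added example, not TikiWiki or PEAR::Auth code. All connection values
// (host, base DN, admin DN, passwords, username) are assumed and passed in.

function ad_authenticate(string $host, string $baseDn, string $adminDn,
                         string $adminPw, string $username, string $password): bool
{
    $ds = ldap_connect("ldap://$host:389");          // "Port: 389"
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); // "LDAP version: 3"

    // The LDAP.php change from the post: do not chase the referrals that
    // Active Directory returns for a subtree search at the domain root.
    // Chasing them without credentials makes the whole search fail.
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // "LDAP Admin": bind with the service account so the search may read the tree.
    if (!@ldap_bind($ds, $adminDn, $adminPw)) {
        ldap_unbind($ds);
        return false;
    }

    // "User attribute: sAMAccountName", "User OC: *", "Search scope: Subtree".
    // The username is escaped so that '*', '(', ')' or '\' typed into the
    // login form cannot change the meaning of the filter.
    $filter = sprintf('(&(objectClass=*)(sAMAccountName=%s))',
                      ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $sr = ldap_search($ds, $baseDn, $filter, ['dn']);
    $entries = ($sr === false) ? false : ldap_get_entries($ds, $sr);
    if ($entries === false || $entries['count'] !== 1) {
        ldap_unbind($ds);
        return false;   // account unknown, or more than one match
    }
    $userDn = $entries[0]['dn'];

    // Prove the password by binding as the user. The empty-password case is
    // rejected explicitly: with an empty password AD performs an unauthenticated
    // bind that reports success, which would let anyone in as that user.
    $ok = ($password !== '') && @ldap_bind($ds, $userDn, $password);
    ldap_unbind($ds);
    return (bool) $ok;
}

// Usage with assumed values (substitute your own):
// var_dump(ad_authenticate('192.0.2.10', 'DC=MyDomain,DC=de',
//     'CN=usercn,CN=users,DC=MyDomain,DC=de', 'admin-password',
//     'jdoe', 'user-password'));
```

The referrals line is the heart of the fix: a subtree search from the domain root on port 389 makes Active Directory hand back referrals for partitions such as DomainDnsZones and ForestDnsZones, and a client that follows them reconnects without credentials and gets an error for the search as a whole. Two things carry over to the PEAR container as well: the username must be filter-escaped before it lands in the search filter, and an empty password must never reach the user bind.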

Thankyouthankyouthankyouthankyou!

After pulling my hair out and getting myself knee-deep in LDAP documentation (you'll find an excellent overview/help/tutorial here), your tutorial solved it all for me. I was unable to get TikiWiki to traverse our domain when authenticating users, and that small change to User DN and LDAP.php made all the bad things go away.

My hat off to you!

Best regards,
Björn


I would like to add this for anyone who is using XAMPP and still receives a blank page when logging in after following this tutorial.

I found this in the forums by TCC_WEB4 Punkte on Wed 15 Sep. 2010 01:47 UTC

''Nuely,
don't know if you still need the help, but I had the same issue with the same XAMPP setup.
I had to enable php_ldap.dll in the Apache php.ini file.
That got me past the error.''

Open /XAMPP/php/php.ini and uncomment the following line ~965 (i.e. remove semi-colon)

;extension=php_ldap.dll

restart apache and you should be good to go


Does anyone know what this might look like in Tiki 4 or 5? I suspect I am having the same problem (I get a successful bind, but username and password fail), but I am not using PEAR::Auth, rather the built-in Tiki auth for LDAP. The new ldap.conf file does not have a line that looks like the ones originally listed above.

Here is the working config I have for Tiki 5.3

NOTE: anything I left out is either blank or unchecked

  • Create user if not in Tiki - Checked
  • Use Tiki authentication for Admin login - Checked
  • Host: - IP address of my AD Server
  • Port: - 389
  • Use TLS - Checked
  • LDAP Bind Type: - Active Directory (username@domain)
  • Search scope: - Subtree
  • LDAP version: - 3
  • Base DN: - dc=mydomain,dc=com (Change this to suit your environment)
  • User DN: - OU=MyLocationsOU (OU to query from; in my case, it is my Office Location)
  • User attribute: - sAMAccountName
  • User OC: - user
  • Realname attribute: - name
  • E-mail attribute: - mail
  • Group attribute: - cn
  • Group OC: - groupOfUniqueNames
  • Member attribute: - uniqueMember
  • Member is DN - Checked
  • Admin user: - CN=DomainAdminName,OU=OU3,OU=OU2,OU=OU1,DC=mydomain,DC=com
  • Admin password: - myP4$sW0rD


To get the proper information for Admin User you can use the tool LDP.EXE from the support tools in Windows 2003


jhodge,

Thanks for your settings. Those are very similar to my settings, but unfortunately, no dice. I'm actually beginning to think that it's not a problem with searching across different OUs. I'm going to start a new thread so as not to get this one off track.


Did you check in /lib/pear/Auth/Container/LDAP.php

Then scroll down to line 435 and change $this->options['referrals'] = true; to false

Yep. I did make that change, although it doesn't look like that script is used anymore, having been superseded by LDAP2.php in the lib/pear/Net/ directory. I certainly could be wrong about this.