====== OpenLDAP + Kerberos Auth Plugin ======
---- plugin ----
description: Provides user authentication against an OpenLDAP + Kerberos server using GSSAPI
author : Sebastián Santisi
email : s@ntisi.com.ar
type : auth
lastupdate : 2021-12-15
compatible : 2020-07-29 "Hogfather"
depends :
conflicts :
similar :
tags : authentication, ldap, openldap, kerberos, gssapi
downloadurl: https://github.com/santisis/dokuwiki-plugin-authopenldapkerberos/zipball/main
bugtracker : https://github.com/santisis/dokuwiki-plugin-authopenldapkerberos/issues
sourcerepo : https://github.com/santisis/dokuwiki-plugin-authopenldapkerberos/
----
===== Description =====
This plugin provides integrated OpenLDAP + Kerberos authentication using GSSAPI, with user listing and group support.
It binds to the OpenLDAP server using GSSAPI and verifies the username and password itself through PHP's Kerberos library, instead of relying on the webserver to perform the authentication as some other DokuWiki plugins do (see [[authad]]).
The plugin is intended as a read-only OpenLDAP interface to the user list and groups. It does not support editing groups, user data or passwords.
===== Installation =====
:!: **External requirements:** This plugin assumes:
* Working OpenLDAP and Kerberos servers.
* A local Kerberos client installation with a valid ''/etc/krb5.conf''.
* A valid Kerberos ticket for the UID the webserver runs as, obtained with ''kinit'' or kept renewed with ''kstart''. The credential cache (and any keytab used to obtain it) should be readable only by that UID: whoever can read it can bind to the directory as the webserver's principal.
* PHP with LDAP support enabled (on Debian it is provided by the ''php-ldap'' package).
* The GSSAPI SASL mechanism installed on the system (on Debian, the ''libsasl2-modules-gssapi-mit'' package).
* The [[https://pecl.php.net/package/krb5|PECL krb5]] extension installed and enabled.
Install the plugin using the [[plugin:plugin|Plugin Manager]] and the download URL above, which points to the latest version of the plugin. Refer to [[:Plugins]] on how to install plugins manually.
===== OpenLDAP schema =====
This plugin assumes a typical POSIX account/group schema: each user is an entry in one organizational unit (OU) carrying a default group ID (''gidNumber''), and groups are entries in another OU. A user belongs to the group whose ''gidNumber'' matches the user's default GID, and to every other group that lists the user's ''uid'' in its ''memberUid'' attribute.
As an example, a user entry could look like:
<code ldif>
dn: uid=user,ou=people,dc=example,dc=com
uid: user
uidNumber: 1000
gidNumber: 2000
cn: Username
mail: mail@example.com
objectClass: posixAccount
objectClass: inetOrgPerson
</code>
while the group entries could look like:
<code ldif>
dn: cn=users,ou=groups,dc=example,dc=com
cn: users
gidNumber: 2000
objectClass: posixGroup

dn: cn=admin,ou=groups,dc=example,dc=com
cn: admin
gidNumber: 2001
memberUid: user
memberUid: otheruser
objectClass: posixGroup
</code>
In this example the user has the display name Username and the email address mail@example.com, and belongs to the groups ''users'' (through the default ''gidNumber'' 2000) and ''admin'' (through ''memberUid'').
===== Configuration =====
At minimum, the LDAP server and the base DN must be configured. If your OUs or attribute names differ from the example above, any of the keys below can be redefined; this is the complete list of configuration parameters, shown with values matching the example schema:
<code php>
// Server:
$conf['plugin']['authopenldapkerberos']['server'] = 'ldap://ldap.example.com';
$conf['plugin']['authopenldapkerberos']['port'] = 389;
// Basic structure:
$conf['plugin']['authopenldapkerberos']['base_dn'] = 'dc=example,dc=com';
$conf['plugin']['authopenldapkerberos']['user_ou'] = 'people';
$conf['plugin']['authopenldapkerberos']['group_ou'] = 'groups';
// User attribs:
$conf['plugin']['authopenldapkerberos']['userkey'] = 'uid';
$conf['plugin']['authopenldapkerberos']['username'] = 'cn';
$conf['plugin']['authopenldapkerberos']['usermail'] = 'mail';
$conf['plugin']['authopenldapkerberos']['usergid'] = 'gidnumber';
// Group attribs:
$conf['plugin']['authopenldapkerberos']['groupkey'] = 'cn';
$conf['plugin']['authopenldapkerberos']['groupgid'] = 'gidnumber';
$conf['plugin']['authopenldapkerberos']['groupuids'] = 'memberuid';
</code>
The ''ldap://'' URL on port 389 shown here is a cleartext transport: only traffic covered by a SASL security layer negotiated during the GSSAPI bind is encrypted on the wire, so check what your slapd enforces (for example ''security ssf='' or ''olcSaslSecProps'' in its configuration) rather than assuming directory traffic is protected.
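As an added worked example (not code from the plugin or its author), the following Python script applies the membership rule from the OpenLDAP schema section to the LDIF shown there, driven by a dictionary that mirrors the configuration keys above. It runs offline against the embedded entries. The ''parse_ldif'', ''escape_filter_value'' and ''resolve_groups'' helpers are illustrative assumptions about how such a lookup is done, not the plugin's implementation; the filter escaping shows the check any code that builds an LDAP search filter from a user-supplied login name needs.

```python
"""Resolve DokuWiki groups from the POSIX schema described above.

Added example, not the plugin's code. LDIF below is the page's example data
(constructed inline so this runs offline); CONF mirrors the plugin's
configuration keys; the lookup logic is an assumption about how such a
plugin maps directory entries to groups.
"""
from collections import defaultdict

LDIF = """\
dn: uid=user,ou=people,dc=example,dc=com
uid: user
uidNumber: 1000
gidNumber: 2000
cn: Username
mail: mail@example.com
objectClass: posixAccount
objectClass: inetOrgPerson

dn: cn=users,ou=groups,dc=example,dc=com
cn: users
gidNumber: 2000
objectClass: posixGroup

dn: cn=admin,ou=groups,dc=example,dc=com
cn: admin
gidNumber: 2001
memberUid: user
memberUid: otheruser
objectClass: posixGroup
"""

# Same keys as $conf['plugin']['authopenldapkerberos'][...] above.
CONF = {
    "base_dn": "dc=example,dc=com", "user_ou": "people", "group_ou": "groups",
    "userkey": "uid", "username": "cn", "usermail": "mail", "usergid": "gidnumber",
    "groupkey": "cn", "groupgid": "gidnumber", "groupuids": "memberuid",
}


def parse_ldif(text):
    """Split blank-line separated LDIF into entries: {attr(lowercase): [values]}.
    Attribute names are lowercased because LDAP treats them case-insensitively
    and the plugin config spells them in lowercase."""
    entries, current = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        current[attr.strip().lower()].append(value.strip())
    if current:
        entries.append(dict(current))
    return entries


def escape_filter_value(value):
    """RFC 4515 escaping. The login name is attacker-controlled input, so
    backslash, '*', '(', ')' and NUL must be hex-escaped before it is placed
    in a search filter; otherwise it could rewrite the filter's meaning."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_filter(conf, login):
    """Search filter for the user lookup under ou=<user_ou>,<base_dn>."""
    return "(%s=%s)" % (conf["userkey"], escape_filter_value(login))


def in_ou(entry, ou, conf):
    """True if the entry's DN sits directly under ou=<ou>,<base_dn>."""
    dn = entry["dn"][0].lower()
    return dn.endswith(",ou=%s,%s" % (ou.lower(), conf["base_dn"].lower()))


def resolve_groups(entries, conf, login):
    """Groups of `login`: the group whose gidNumber equals the user's default
    GID plus every group naming the uid in memberUid. Returns None when the
    login does not match exactly one user entry (unknown or ambiguous)."""
    users = [e for e in entries if in_ou(e, conf["user_ou"], conf)
             and login in e.get(conf["userkey"], [])]
    if len(users) != 1:
        return None
    primary_gid = users[0].get(conf["usergid"], [None])[0]
    groups = set()
    for g in entries:
        if not in_ou(g, conf["group_ou"], conf):
            continue
        if primary_gid in g.get(conf["groupgid"], []) or login in g.get(conf["groupuids"], []):
            groups.update(g[conf["groupkey"]])
    return sorted(groups)


if __name__ == "__main__":
    directory = parse_ldif(LDIF)
    print(user_filter(CONF, "user"))                     # (uid=user)
    print(resolve_groups(directory, CONF, "user"))       # ['admin', 'users']
    print(resolve_groups(directory, CONF, "otheruser"))  # None: in memberUid but has no user entry
    print(user_filter(CONF, "*)(uid=*"))                 # (uid=\2a\29\28uid=\2a), injection neutralised
```

Note that ''otheruser'' resolves to ''None'' even though the ''admin'' group lists it: membership is only meaningful for a login that exists as exactly one entry under the user OU, which is the check an auth backend must make before consulting groups at all.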
===== Discussion =====