Below are example configurations for use with the authLDAP plugin and the OpenLDAP server.
Use the Config Manager, or (create and) add them to conf/local.protected.php
so that the configuration (including any bind password) stays protected from the web.
<?php
/* OpenLDAP config - details: https://www.dokuwiki.org/plugin:authldap:openldap */
$conf['plugin']['authldap']['server']      = 'ldap.server.tld';
$conf['plugin']['authldap']['usertree']    = 'uid=%{user}, ou=People, dc=server, dc=tld';
$conf['plugin']['authldap']['grouptree']   = 'ou=Groups, dc=server, dc=tld';
$conf['plugin']['authldap']['groupfilter'] = '(&(objectClass=posixGroup)(|(memberUid=%{uid})(gidNumber=%{gid})))';
<?php
/* OpenLDAP config - details: https://www.dokuwiki.org/plugin:authldap:openldap */
$conf['plugin']['authldap']['server']      = 'ldap.server.tld';
$conf['plugin']['authldap']['usertree']    = 'ou=People, dc=server, dc=tld';
$conf['plugin']['authldap']['userfilter']  = '(&(objectClass=posixAccount)(uid=%{user}))';
$conf['plugin']['authldap']['grouptree']   = 'ou=Groups, dc=server, dc=tld';
$conf['plugin']['authldap']['groupfilter'] = '(&(objectClass=posixGroup)(|(memberUid=%{uid})(gidNumber=%{gid})))';
<?php
/* OpenLDAP config - details: https://www.dokuwiki.org/plugin:authldap:openldap */
$conf['plugin']['authldap']['server']   = 'ldap.server.tld';
$conf['plugin']['authldap']['binddn']   = 'uid=ldapuser,ou=People,dc=server,dc=tld';
$conf['plugin']['authldap']['bindpw']   = 'password';
$conf['plugin']['authldap']['usertree'] = 'uid=%{user},ou=People,dc=server,dc=tld';
With OpenLDAP I had to add the following to get the user's group list back:
$conf['plugin']['authldap']['grouptree']   = 'ou=groups, dc=tld';
$conf['plugin']['authldap']['groupfilter'] = '(&(objectClass=posixGroup)(Member=%{dn}))';
For use with Kolab.
<?php
/* OpenLDAP config - details: https://www.dokuwiki.org/plugin:authldap:openldap */
$conf['plugin']['authldap']['server']      = 'mykolabserver';      # replace with the hostname of your Kolab server
$conf['plugin']['authldap']['usertree']    = 'dc=mydomain, dc=com'; # replace with your domain
$conf['plugin']['authldap']['grouptree']   = 'dc=mydomain, dc=com'; # replace with your domain
$conf['plugin']['authldap']['userfilter']  = '(&(uid=%{user}))';
$conf['plugin']['authldap']['groupfilter'] = '(&(objectClass=kolabGroupOfNames)(member=%{dn}))';
<?php
/* OpenLDAP config - details: https://www.dokuwiki.org/plugin:authldap:openldap */
$conf['plugin']['authldap']['server']      = 'ldap://1.2.3.4:389';
$conf['plugin']['authldap']['usertree']    = 'ou=People,dc=example,dc=com';
$conf['plugin']['authldap']['grouptree']   = 'ou=Groups,dc=example,dc=com';
$conf['plugin']['authldap']['userfilter']  = '(&(uid=%{user})(objectClass=posixAccount))';
$conf['plugin']['authldap']['groupfilter'] = '(&(uniquemember=%{dn}))';
$conf['plugin']['authldap']['version']     = 3;
Note that you need to use %{dn} for the uniquemember.
Note: you may need to change line 4, the userfilter:
if the users in the LDAP directory are posixAccounts:
$conf['plugin']['authldap']['userfilter'] = '(&(uid=%{user})(objectClass=posixAccount))';
if the users in the LDAP directory are only inetOrgPersons:
$conf['plugin']['authldap']['userfilter'] = '(&(uid=%{user})(objectClass=inetOrgPerson))';
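As an added check that is not part of the plugin or of the configurations on this page, the following Python expands the %{user}, %{uid}, %{gid} and %{dn} placeholders used in the filters above, escapes every substituted value as RFC 4515 requires, and parses the result so that a filter whose operand is missing its own parentheses is rejected before it ever reaches the directory. The sample user values and the login name with filter metacharacters are constructed.

```python
import re

# Constructed sample values standing in for what the plugin substitutes at
# login time: the login name, the posix uid/gid and the user's full DN.
SAMPLE_VALUES = {
    "user": "jdoe",
    "uid": "jdoe",
    "gid": "1001",
    "dn": "uid=jdoe,ou=People,dc=example,dc=com",
}

def ldap_filter_escape(value):
    """Escape a value for use inside a search filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def expand_filter(template, values):
    """Replace %{name} placeholders with escaped values; unknown names raise KeyError."""
    def sub(m):
        return ldap_filter_escape(values[m.group(1)])
    return re.sub(r"%\{(\w+)\}", sub, template)

def parse_filter(flt, pos=0):
    """Parse one '(...)' filter starting at pos and return the index after it.
    Raises ValueError on malformed input, e.g. an operand without its parentheses."""
    if pos >= len(flt) or flt[pos] != "(":
        raise ValueError("expected '(' at %d" % pos)
    pos += 1
    op = flt[pos:pos + 1]
    if op in ("&", "|"):
        pos += 1
        count = 0
        while pos < len(flt) and flt[pos] == "(":
            pos = parse_filter(flt, pos)
            count += 1
        if count == 0:
            raise ValueError("'%s' needs at least one sub-filter" % op)
    elif op == "!":
        pos = parse_filter(flt, pos + 1)
    else:
        # attribute assertion: attr, comparison operator, value without parentheses
        m = re.match(r"[A-Za-z][\w.;-]*(~=|>=|<=|=)[^()]*", flt[pos:])
        if not m:
            raise ValueError("bad attribute assertion at %d" % pos)
        pos += m.end()
    if flt[pos:pos + 1] != ")":
        raise ValueError("expected ')' at %d" % pos)
    return pos + 1

def filter_is_well_formed(flt):
    """True when flt is a single, fully balanced RFC 4515 filter."""
    try:
        return parse_filter(flt) == len(flt)
    except ValueError:
        return False
```

Running the expanded userfilter and groupfilter through filter_is_well_formed before saving them to local.protected.php catches a typo such as a missing pair of parentheses without a round trip to the LDAP server.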
This worked for me with a default SLES 10 configuration:
<?php
/* OpenLDAP config - details: https://www.dokuwiki.org/plugin:authldap:openldap */
$conf['plugin']['authldap']['server']      = 'ldap://server.tld:389';
$conf['plugin']['authldap']['port']        = 389;
$conf['plugin']['authldap']['usertree']    = 'ou=People,dc=server,dc=tld';
$conf['plugin']['authldap']['grouptree']   = 'ou=Group,dc=server,dc=tld';
/* each operand of an & filter needs its own parentheses */
$conf['plugin']['authldap']['userfilter']  = '(&(uid=%{user})(objectClass=posixAccount))';
$conf['plugin']['authldap']['groupfilter'] = '(&(Member=%{dn})(objectClass=posixGroup))';
$conf['plugin']['authldap']['version']     = 3;
The groupfilter attribute is what is important, and I recommend creating an "admin" group in the directory, setting the superuser config setting to @admin, and adding the users you want to administer the wiki to that group using the YaST user manager.
$conf['superuser'] = '@admin';
<?php
/* OpenLDAP config - details: https://www.dokuwiki.org/plugin:authldap:openldap */
$conf['authtype']  = 'authldap';
$conf['superuser'] = '@wiki';
$conf['plugin']['authldap']['server']      = 'ldap://ipa.example.com:389';
$conf['plugin']['authldap']['usertree']    = 'cn=users,cn=accounts,dc=example,dc=com';
$conf['plugin']['authldap']['grouptree']   = 'cn=groups,cn=accounts,dc=example,dc=com';
$conf['plugin']['authldap']['userfilter']  = '(&(uid=%{user})(objectClass=posixAccount))';
$conf['plugin']['authldap']['groupfilter'] = '(&(member=%{dn})(objectClass=posixGroup))';
$conf['plugin']['authldap']['version']     = '3';
<?php
/* OpenLDAP config - details: https://www.dokuwiki.org/plugin:authldap:openldap */
$conf['useacl']       = 1;
$conf['openregister'] = 0;
$conf['authtype']     = 'authldap';
$conf['plugin']['authldap']['server']      = 'ldap://hostname.domain.tld:389';
$conf['plugin']['authldap']['binddn']      = 'uid=zmposix,cn=appaccts,cn=zimbra'; // can use the config account here too
$conf['plugin']['authldap']['bindpw']      = 'password';
$conf['plugin']['authldap']['usertree']    = 'uid=%{user},ou=people,dc=domain,dc=tld';
$conf['plugin']['authldap']['grouptree']   = 'ou=groups,dc=domain,dc=tld';
$conf['plugin']['authldap']['groupfilter'] = '(|(memberUid=%{user})(gidNumber=%{gid}))';
$conf['plugin']['authldap']['version']     = 3;
$conf['plugin']['authldap']['starttls']    = 1;
You can retrieve the usertree and grouptree from the "Users and Groups / LDAP Settings" page of the Zentyal administration as the "Users DN" and the "Groups DN", and you must use the "Read-only root DN" and its password for the binddn/bindpw:
$conf['plugin']['authldap']['server']      = '127.0.0.1';
$conf['plugin']['authldap']['port']        = 390;
$conf['plugin']['authldap']['usertree']    = 'ou=Users,dc=domain,dc=name,dc=com';
$conf['plugin']['authldap']['grouptree']   = 'ou=Groups,dc=domain,dc=name,dc=com';
$conf['plugin']['authldap']['version']     = 3;
$conf['plugin']['authldap']['debug']       = 0;
$conf['plugin']['authldap']['binddn']      = 'cn=zentyalro,dc=domain,dc=name,dc=com';
$conf['plugin']['authldap']['bindpw']      = 'EzfCKRAJJW3eQgfAmhM5bCaghQ';
$conf['plugin']['authldap']['userfilter']  = '(&(uid=%{user})(objectclass=inetOrgPerson))';
$conf['plugin']['authldap']['groupfilter'] = '(&(Member=%{dn})(objectClass=posixGroup))';
As far as I know, DokuWiki does not support multiple servers in the LDAP configuration. My workaround is to create a local slapd proxy:
# Proxy slapd must contain all schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/kerberos.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel stats stats2 ACL filter

# The maximum number of entries that is returned for a search operation
sizelimit 5000

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1

# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read

# by default we proxy all requests
access to * by * read

# from slapd-ldap(5)
backend ldap
database ldap
suffix "dc=mydomain,dc=lan"
rootdn "dc=mydomain,dc=lan"
uri "ldaps://server1.mydomain.lan/ ldaps://server2.mydomain.lan/"
tls ldaps
# timeouts in seconds
network-timeout 2
timeout 2
conn-ttl 2
rebind-as-user yes
# in case of debug problems
# session-tracking-request yes
It's recommended to restrict slapd to the loopback interface and the local socket via the daemon's argument options:
-h ldap://127.0.0.1:389/ ldapi:///
If everything is right, you can change the URL in the DokuWiki config:
$conf['plugin']['authldap']['server'] = 'ldap://127.0.0.1:389';
and now downtime of one of the LDAP servers is not critical.