Provides user authentication against an OpenLDAP + Kerberos server using GSSAPI
Compatible with DokuWiki
This plugin provides an integrated OpenLDAP + Kerberos authentication using GSSAPI with user listing and groups support.
This plugin is capable of binding to an OpenLDAP server using GSSAPI and of checking the username and password using PHP's Kerberos library, without relying on the webserver as other DokuWiki plugins such as authad do.
This plugin is intended to serve as an OpenLDAP interface to access the user list and groups in read-only mode. It doesn't support editing of groups, user data or passwords.
External requirements: This plugin assumes:
- A configured /etc/krb5.conf file.
- A Kerberos ticket obtained with kinit or kstart.
- PHP LDAP support (php-ldap package).
- The SASL GSSAPI mechanism (libsasl2-modules-gssapi-mit package).
Install the plugin using the Plugin Manager and the download URL above, which points to the latest version of the plugin. Refer to Plugins on how to install plugins manually.
This plugin assumes a typical POSIX account/group schema: each user is stored as an entry in an organizational unit (OU) and carries a default group ID (GID) number, and the groups are stored in another OU; when a group isn't the default group of a user, that user's ID (UID) must be listed in the group entry.
As an example the user data could be something like:
dn: uid=user,ou=people,dc=example,dc=com
uid: user
uidNumber: 1000
gidNumber: 2000
cn: Username
mail: mail@example.com
objectClass: posixAccount
objectClass: inetOrgPerson
While the group data could be something like:
dn: cn=users,ou=groups,dc=example,dc=com
cn: users
gidNumber: 2000
objectClass: posixGroup

dn: cn=admin,ou=groups,dc=example,dc=com
cn: admin
gidNumber: 2001
memberUid: user
memberUid: otheruser
objectClass: posixGroup
In this example the user's name is Username, the email is user@example.com, and the user belongs to the users and admin groups.
The basic configuration needs the LDAP server and base DN to be configured:
<?php
// general DokuWiki options
$conf['useacl'] = 1;
$conf['authtype'] = 'authopenldapkerberos';

// configure your OpenLDAP + Kerberos data here
$conf['plugin']['authopenldapkerberos']['server'] = 'ldap://ldap.example.com';
$conf['plugin']['authopenldapkerberos']['base_dn'] = 'dc=example,dc=com';
In case the OUs or attributes differ from the example, any of the keys can be redefined. Here are the complete configuration parameters:
// Server:
$conf['plugin']['authopenldapkerberos']['server'] = 'ldap://ldap.example.com';
$conf['plugin']['authopenldapkerberos']['port'] = 389;

// Basic structure:
$conf['plugin']['authopenldapkerberos']['base_dn'] = 'dc=example,dc=com';
$conf['plugin']['authopenldapkerberos']['user_ou'] = 'people';
$conf['plugin']['authopenldapkerberos']['group_ou'] = 'groups';

// User attributes:
$conf['plugin']['authopenldapkerberos']['userkey'] = 'uid';
$conf['plugin']['authopenldapkerberos']['username'] = 'cn';
$conf['plugin']['authopenldapkerberos']['usermail'] = 'mail';
$conf['plugin']['authopenldapkerberos']['usergid'] = 'gidnumber';

// Group attributes:
$conf['plugin']['authopenldapkerberos']['groupkey'] = 'cn';
$conf['plugin']['authopenldapkerberos']['groupgid'] = 'gidnumber';
$conf['plugin']['authopenldapkerberos']['groupuids'] = 'memberuid';
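The following is an added example, not code from the plugin, showing how the schema and configuration keys above fit together: it builds the escaped user search that a lookup would send, then resolves a user's groups (default GID plus memberUid listing) against constructed in-memory entries that mirror the LDIF shown earlier. It assumes the php-ldap extension for ldap_escape() and lowercase attribute names as ldap_get_entries() returns them.

```php
<?php
// Constructed config using the plugin's attribute keys (assumed defaults from the text).
$conf = [
    'base_dn' => 'dc=example,dc=com', 'user_ou' => 'people', 'group_ou' => 'groups',
    'userkey' => 'uid', 'usergid' => 'gidnumber',
    'groupkey' => 'cn', 'groupgid' => 'gidnumber', 'groupuids' => 'memberuid',
];
// Constructed sample entries mirroring the LDIF in the text (no live LDAP needed).
$users = [
    ['uid' => ['user'], 'uidnumber' => ['1000'], 'gidnumber' => ['2000'], 'cn' => ['Username']],
];
$groups = [
    ['cn' => ['users'], 'gidnumber' => ['2000']],
    ['cn' => ['admin'], 'gidnumber' => ['2001'], 'memberuid' => ['user', 'otheruser']],
];

// Search base and filter for the user lookup. ldap_escape() ensures a login such as
// "*)(uid=*" is matched literally instead of being parsed as filter syntax.
function userSearch(array $conf, string $login): array {
    $base   = 'ou=' . $conf['user_ou'] . ',' . $conf['base_dn'];
    $filter = '(' . $conf['userkey'] . '=' . ldap_escape($login, '', LDAP_ESCAPE_FILTER) . ')';
    return [$base, $filter];
}

// Group resolution per the schema: the group whose GID equals the user's default
// GID, plus every group whose member attribute lists the login.
function resolveGroups(array $conf, array $users, array $groups, string $login): array {
    $user = null;
    foreach ($users as $u) {
        if ($u[$conf['userkey']][0] === $login) { $user = $u; break; }
    }
    if ($user === null) {
        return [];                                   // unknown login: no groups
    }
    $result = [];
    foreach ($groups as $g) {
        $isDefault = $g[$conf['groupgid']][0] === $user[$conf['usergid']][0];
        $isMember  = in_array($login, $g[$conf['groupuids']] ?? [], true);
        if ($isDefault || $isMember) {
            $result[] = $g[$conf['groupkey']][0];
        }
    }
    return $result;
}

[$base, $filter] = userSearch($conf, 'user');
echo "$base  $filter\n";                                  // ou=people,dc=example,dc=com  (uid=user)
print_r(resolveGroups($conf, $users, $groups, 'user'));   // users, admin
```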