DokuWiki

It's better when it's simple

User Tools

Site Tools

Trace:
plugin:authad

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
plugin:authad [2017-08-17 05:20] td1plugin:authad [2025-04-01 11:36] (current) – [Web Server] gssapi setup andi
Line 6: Line 6:
 email      : andi@splitbrain.org email      : andi@splitbrain.org
 type       : Auth type       : Auth
-lastupdate : 2014-04-03+lastupdate : 2023-04-04
 compatible : (bundled) compatible : (bundled)
 depends    :  depends    : 
 conflicts  conflicts 
 similar    :  similar    : 
-tags       : !bundled, authentication+tags       : !bundled, authentication, ad
  
 downloadurl:  downloadurl: 
-bugtracker : # eg. https://github.com/splitbrain/dokuwiki/issues +bugtracker : # eg. https://github.com/dokuwiki/dokuwiki/issues 
-sourcerepo : https://github.com/splitbrain/dokuwiki/tree/master/lib/plugins/authad+sourcerepo : https://github.com/dokuwiki/dokuwiki/tree/master/lib/plugins/authad
 donationurl:  donationurl: 
 ---- ----
Line 30: Line 30:
 Before this plugin can be used, you need to setup some settings: Before this plugin can be used, you need to setup some settings:
   - Prepare your AD server, see also [[#server configuration]] below.   - Prepare your AD server, see also [[#server configuration]] below.
-  - Activate the authad plugin in the [[plugin|Plugin Manager]].+  - Activate the authad plugin in the [[plugin:extension|Extension Manager]].
   - Define connection details in the [[config|Configuration Manager]]   - Define connection details in the [[config|Configuration Manager]]
   - Switch on this Auth plugin via the configuration option [[config:authtype]] by selecting ''authad''.   - Switch on this Auth plugin via the configuration option [[config:authtype]] by selecting ''authad''.
Line 43: Line 43:
  
 ===Apache=== ===Apache===
-If you're using Apache on Ubuntu or Debian, just install the ''php5-ldap'' package. If you're using Apache on another distro, follow [[http://adldap.sourceforge.net/wiki/doku.php?id=apache|this guide]]. Installing ''php5-ldap'' also works on SLES. If you're using Arch Linux, install the php-ldap package with pacman.+If you're using Apache on Ubuntu or Debian, just install the ''php-ldap'' package. If you're using Apache on another distro, follow [[http://adldap.sourceforge.net/wiki/doku.php?id=apache|this guide]]FIXME((broken link : Try searching  https://github.com/Rich2k/adLDAP/wiki)). Installing ''php5-ldap'' also works on SLES. If you're using Arch Linux, install the php-ldap package with pacman.
  
  
Line 63: Line 63:
  
 ===Other=== ===Other===
-If you're using a web server other than Apache or IIS7, you have to figure it out yourself. :( Please update this article if you succeed.+If you're using a web server other than Apache, Nginx, or IIS7, you have to figure it out yourself. :( Please update this article if you succeed.
 ===== Configuration===== ===== Configuration=====
  
Line 120: Line 120:
  
 ==Other options== ==Other options==
-Any other options given in ''$conf['plugin']['authad']'' are directly passed to the adldap library. Please refer to the [[http://adldap.sourceforge.net/wiki/doku.php?id=api|adLDAP documentation]] for a detailed description of what other options might be available.+Any other options given in ''$conf['plugin']['authad']'' are directly passed to the adldap library. Please refer to the [[http://adldap.sourceforge.net/wiki/doku.php?id=api|adLDAP documentation]]FIXME((broken link : Try searching  https://github.com/Rich2k/adLDAP/wiki)) for a detailed description of what other options might be available.
  
 In combination with Single-Sign-On, you can also add Windows domain specific setups. E.g. to authenticate against different Active Directory Servers depending on the NTLM or Kerberos Domain of a given user. The (lowercased) Domain just has to be used as a subkey to the ''$conf['plugin']['authad']'' setting. E.g. to identify all users coming from the ''Foobar'' Windows Domain using a non-default AD Server and user just put the following additional lines into your config: In combination with Single-Sign-On, you can also add Windows domain specific setups. E.g. to authenticate against different Active Directory Servers depending on the NTLM or Kerberos Domain of a given user. The (lowercased) Domain just has to be used as a subkey to the ''$conf['plugin']['authad']'' setting. E.g. to identify all users coming from the ''Foobar'' Windows Domain using a non-default AD Server and user just put the following additional lines into your config:
Line 147: Line 147:
 </code> </code>
  
 +==A few caveats==
 +  * account suffix is always added to admin username, even when it already contains @ character
 +  * different suffix for admin and normal accounts is not supported
 +  * empty account suffix, that is entering usernames with suffix, is not supported
  
 ===== User Profile and Password Changes ===== ===== User Profile and Password Changes =====
  
-Users can change their user details (name, email and passwords) using the profile button. This may require to set up a privileged user through the ''admin_username'' and ''admin_password'' options. Password changing is only supported via SSL or TLS. See [[http://adldap.sourceforge.net/wiki/doku.php?id=ldap_over_ssl|LDAP over SSL]] in the adLDAP documentation.+Users can change their user details (name, email and passwords) using the profile button. This may require to set up a privileged user through the ''admin_username'' and ''admin_password'' options. Password changing is only supported via SSL or TLS. See [[http://adldap.sourceforge.net/wiki/doku.php?id=ldap_over_ssl|LDAP over SSL]]FIXME((broken link : Try searching  https://github.com/Rich2k/adLDAP/wiki)) in the adLDAP documentation.
  
 Please note that DokuWiki's auto generated passwords do not match with the Active Directory default [[http://technet.microsoft.com/en-us/library/cc875814.aspx|password policy]]. Either adjust your AD password policy or disable the "Forget Password" option using the [[config:disableactions]] config option. Please note that DokuWiki's auto generated passwords do not match with the Active Directory default [[http://technet.microsoft.com/en-us/library/cc875814.aspx|password policy]]. Either adjust your AD password policy or disable the "Forget Password" option using the [[config:disableactions]] config option.
Line 331: Line 335:
 klist klist
 kdestroy kdestroy
-(If you get any errors here, make sure your DNS setup is working and you wrote all marked as "YOURDOMAIN.COM" hosts in uppercase in your krb5.conf. Try resolve every hostname manually.</code> +</code> If you get any errors here, make sure your DNS setup is working and you wrote all marked as "YOURDOMAIN.COM" hosts in uppercase in your krb5.conf. Try resolve every hostname manually. 
-  - Create a keytab file for your DokuWiki server. Make sure you have created a non-admin user in Active Directory with no password expiration. Run this as a Domain Admin on a Windows server with Support Tools installed:<code>ktpass -princ HTTP/dokuwiki.yourdomain.com@YOURDOMAIN.COM -mapuser name_of_ad_user_you_have_created -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass the_ad_users_password -out dokuwiki.HTTP.keytab</code> Use the following if you're running Windows 7/Server 2008 R2 clients because [[http://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx|des is disabled by default]] on these operating systems: <code>ktpass -princ HTTP/dokuwiki.yourdomain.com@YOURDOMAIN.COM -mapuser name_of_ad_user_you_have_created@yourdomain.com -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass the_ad_users_password -out dokuwiki.HTTP.keytab </code> RC4-HMAC is supported on Windows 2000 and higher.+  - Create a keytab file for your DokuWiki server. Make sure you have created a non-admin user in Active Directory with no password expiration. Run this as a Domain Admin on a Windows server with Support Tools installed: <code>ktpass -princ HTTP/dokuwiki.yourdomain.com@YOURDOMAIN.COM -mapuser name_of_ad_user_you_have_created@yourdomain.com -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass the_ad_users_password -out dokuwiki.HTTP.keytab </code>
   - If no errors occurred, copy the keytab file to /etc/httpd/conf/.   - If no errors occurred, copy the keytab file to /etc/httpd/conf/.
 +  - Check if authentication via the keytab file works <code>
 +kinit -k -t /etc/httpd/confo/dokuwiki.HTTP.keytab HTTP/dokuwiki.yourdomain.com
 +kdestroy
 +</code> If this doesn't work, there is no need to continue. Fix this first.
   - Create /etc/httpd/conf.d/dokuwiki.conf:<code apache>   - Create /etc/httpd/conf.d/dokuwiki.conf:<code apache>
 <Directory "/var/www/html/dokuwiki"> <Directory "/var/www/html/dokuwiki">
Line 358: Line 366:
   * Review this instruction from start to end. See reference links where possible.   * Review this instruction from start to end. See reference links where possible.
  
 +=== Kerberos via GSSAPI on Apache (Linux) ===
 +
 +
 +''mod_auth_kerberos'' has been replaced with ''mod_auth_gssapi'' in newer versions of Apache. The basic setup is the same as above, so follow that guide first. Only the syntax for configuring the module differs. Here's an example to replace the above config:
 +
 +<code apache>
 +<Directory "/var/www/html/dokuwiki">
 +        # Kerberos Auth
 +        AuthType GSSAPI
 +        AuthName "Kerberos Authentication"
 +        GssapiCredStore keytab:/etc/httpd/conf/dokuwiki.HTTP.keytab
 +        GssapiAllowedMech krb5
 +        GssapiBasicAuth On
 +        GssapiBasicAuthMech krb5
 +        GssapiLocalName On
 +        # If you need to restrict to specific realms
 +        # GssapiAcceptorName HTTP/dokuwiki.yourdomain.com
 +        Require valid-user
 +</Directory>
 +</code>
  
 ==== Browser ==== ==== Browser ====
Line 386: Line 414:
 Some plug-ins may not gracefully work once you've switched over to the ad auth backend. Specifically, pulling the user's display name will not work if you don't provide valid authentication information. One such plugin is WikiStatistics, where a simple workaround to only display the username can be employed. Some plug-ins may not gracefully work once you've switched over to the ad auth backend. Specifically, pulling the user's display name will not work if you don't provide valid authentication information. One such plugin is WikiStatistics, where a simple workaround to only display the username can be employed.
  
-Due to [[http://adldap.sourceforge.net/wiki/doku.php?id=api_pagingsupport|missing support for paged queries in PHP's LDAP extension]], plugins that try to get all users from the auth backend will fail if you use authAD plugin and have more than 1000 objects in Active Directory. One example is the [[:plugin:issuetracker#faq|IssueTracker]] plugin.+Due to [[http://adldap.sourceforge.net/wiki/doku.php?id=api_pagingsupport|missing support for paged queries in PHP's LDAP extension]]FIXME((broken link : Try searching  https://github.com/Rich2k/adLDAP/wiki)), plugins that try to get all users from the auth backend will fail if you use authAD plugin and have more than 1000 objects in Active Directory. One example is the [[:plugin:issuetracker#faq|IssueTracker]] plugin.
plugin/authad.1502940040.txt.gz · Last modified: by td1
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki

Global DokuWiki Links