The LDAP settings for a Microsoft Active Directory server are essentially the same as for any other LDAP directory. However, they will not work out of the box without a change to userslib.php (valid for version 1.9.7).
Open /lib/userslib.php and search for the following code around line 624:
$options["memberisdn"] = ($tikilib->get_preference("auth_ldap_memberisdn", "y") == "y");
Add the following lines right after this line:
// Bind with the admin (reader) account set in the PEAR::Auth settings;
// ADS does not answer anonymous directory searches.
$options["binddn"] = $tikilib->get_preference("auth_ldap_adminuser", "");
$options["bindpw"] = $tikilib->get_preference("auth_ldap_adminpass", "");
These two lines pass a bind DN and password to PEAR::Auth, so that Tiki authenticates to the directory before searching it; by default ADS does not answer anonymous requests.
After that the following LDAP configuration settings do work with ADS:
- in the 'User registration and login' section, set 'Authentication method' to 'Tiki and PEAR::Auth'
In the 'PEAR::Auth' section set the following settings:
- set 'AUTH Type' to 'LDAP'
- set 'LDAP Host:' to the Active Directory server's name or IP address
- set 'LDAP Port:' to '389'
- leave 'BaseDSN' empty
- activate 'Create user if not in Tiki?'
- deactivate 'Create user if not in Auth?' (we do not want the user to be created in the LDAP dir)
- leave 'LDAP URL' empty
- set 'LDAP Scope:' to 'sub'
- set 'LDAP Base DN:' to the LDAP form of the domain name as it appears in 'Active Directory Users and Computers'. E.g., if the domain is called my-domain.local, set this to 'dc=my-domain,dc=local'. You might add an 'ou=yourorganizationalunit' entry too; that depends on your config.
- leave 'LDAP User DN' empty
- set 'LDAP User Attribute:' to 'sAMAccountName'
- set 'LDAP User OC:' to '*'
- leave 'LDAP Group DN' empty
- set 'LDAP Group Attribute:' to 'cn'
- set 'LDAP Group OC:' to 'groupOfUniqueNames'
- set 'LDAP Member Attribute:' to 'uniqueMember'
- set 'LDAP Member Is DN:' to 'n'
- set 'LDAP Admin User Name' to 'cn=LDAPReader, cn=users, dc=my-domain, dc=local'. Replace 'LDAPReader' with a user that is able to read the LDAP directory on ADS, and adjust the cn= and dc= parts accordingly.
- set the LDAP admin password field (the auth_ldap_adminpass preference read by the lines added above) to the password of your LDAPReader user.
Now you should be able to log in. If you get a blank page after login, make sure your PHP version is >= 4.3.2, as this is required by the LDAP PEAR module. Once it works with these basic settings you can carefully refine them further, for example if you only want a particular group inside the LDAP directory to have access to the TikiWiki.
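To make the exchange behind these settings concrete, here is an added, stand-alone PHP script (not Tiki's or PEAR::Auth's code) that does what the configuration above makes Tiki do: bind with the reader account, search the base DN with scope 'sub' for the user's sAMAccountName, optionally require membership in one group (the refinement mentioned in the last paragraph), and finally bind as the user's own DN to check the password. The host name, DNs, account names and the group name are constructed placeholders, and the script uses ldap_escape from PHP 5.6+, so it needs a newer PHP than the 4.3.2 the page mentions.

```php
<?php
// Added example: the bind-search-bind sequence Tiki performs with the
// Active Directory settings above. All names below are constructed placeholders.

$ldapHost = 'ad.my-domain.local';                              // 'LDAP Host'
$ldapPort = 389;                                               // 'LDAP Port'
$baseDn   = 'dc=my-domain,dc=local';                           // 'LDAP Base DN'
$readerDn = 'cn=LDAPReader,cn=users,dc=my-domain,dc=local';    // 'LDAP Admin User Name'
$readerPw = getenv('LDAP_READER_PW') ?: '';                    // keep the reader password out of the source
$userAttr = 'sAMAccountName';                                  // 'LDAP User Attribute'
// Assumed group used to restrict logins; set to '' to allow every directory user.
$requiredGroupDn = 'cn=TikiUsers,cn=users,dc=my-domain,dc=local';

function ldapAuthenticate(string $login, string $password): bool
{
    global $ldapHost, $ldapPort, $baseDn, $readerDn, $readerPw, $userAttr, $requiredGroupDn;

    // AD treats a bind with an empty password as an unauthenticated bind and
    // accepts it, so an empty password must be refused before any bind is tried.
    if ($password === '') {
        return false;
    }

    $conn = ldap_connect($ldapHost, $ldapPort);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);   // AD requires LDAPv3
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);          // do not chase AD referrals

    // 1. Bind as the reader account. AD accepts an anonymous bind but by default
    //    refuses anonymous searches, which is why Tiki needs binddn/bindpw.
    if (@ldap_bind($conn, $readerDn, $readerPw) === false) {
        ldap_unbind($conn);
        return false;
    }

    // 2. Find the user below the base DN; ldap_search is scope 'sub'.
    //    ldap_escape keeps a login such as "*)(objectClass=*" from widening the filter.
    $filter  = sprintf('(&(objectClass=user)(%s=%s))', $userAttr,
                       ldap_escape($login, '', LDAP_ESCAPE_FILTER));
    $result  = ldap_search($conn, $baseDn, $filter, ['dn', 'memberOf']);
    $entries = ($result !== false) ? ldap_get_entries($conn, $result) : ['count' => 0];
    if ($entries['count'] !== 1) {          // unknown or ambiguous login
        ldap_unbind($conn);
        return false;
    }
    $userDn = $entries[0]['dn'];

    // 3. Optional refinement: only members of one group may log in.
    //    ldap_get_entries lower-cases attribute names, hence 'memberof'.
    if ($requiredGroupDn !== '') {
        $groups   = $entries[0]['memberof'] ?? ['count' => 0];
        $isMember = false;
        for ($i = 0; $i < $groups['count']; $i++) {
            if (strcasecmp($groups[$i], $requiredGroupDn) === 0) {
                $isMember = true;
                break;
            }
        }
        if (!$isMember) {
            ldap_unbind($conn);
            return false;
        }
    }

    // 4. Verify the password by binding as the user's own DN.
    $ok = @ldap_bind($conn, $userDn, $password);
    ldap_unbind($conn);
    return $ok;
}

// Usage: LDAP_READER_PW=... LDAP_TEST_PW=... php ldap_check.php jdoe
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $password = getenv('LDAP_TEST_PW') ?: '';
    echo ldapAuthenticate($argv[1], $password) ? "login accepted\n" : "login rejected\n";
}
```

Two points worth checking in your own deployment follow from this sequence: the LDAPReader account only ever needs read access to the directory, so it should be an ordinary low-privilege account rather than a domain administrator; and on port 389 without StartTLS (ldap_start_tls) or an ldaps:// URL, both the reader password and every user's password cross the network in clear text.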