LDAP, ActiveDirectory, and DokuWiki

I’ve had a terrible time trying to get PHP’s LDAP functions to use an ActiveDirectory domain controller for authentication - even using the examples in posted comments.

I tried writing a bunch of different pages but couldn’t get any of them to work. I think part of my problem is that I’m not savvy enough with LDAP terminology to know what I should enter for a DS, a DN, RDN, or the CN at different points. It doesn’t feel very well documented, and of course Microsoft’s AD uses a smattering of different terms as well.

Enter adLDAP - a GPL PHP class that provides LDAP authentication with Active Directory. It just worked.

The Problem

I was trying a bunch of PHP wiki implementations at work. Work is a MS shop and whatever we used had to be easy on “average” end users. Creating yet another username and password pair for them wasn’t going to cut it.

I tried using MediaWiki’s LDAP implementation but couldn’t get it to work. Same with PHP Wiki.

I liked DokuWiki the best though - and it too promised its own LDAP authentication. Unfortunately, it still didn’t work.

The Solution

Finally I found adLDAP. I configured three parameters in the adLDAP.php file and ran its tests - worked wonderfully.

I then set about getting DokuWiki to work with it. Here’s what it takes -

  • download and install adLDAP
  • configure adLDAP so that its own test cases pass on your AD domain
  • replace the DokuWiki file /inc/auth/ldap.php with this one that I changed to work with adLDAP Update: that only works on versions prior to 2006-03-09. Use this updated version instead.
  • edit your /conf/local.php to use 'ldap' as its authtype: $conf['authtype'] = 'ldap'; $conf['passcrypt'] = 'ssha';
  • try logging in as one of your domain users

Custom Tweaks

I also use DokuWiki’s ACL security feature. Unfortunately, all of the group names in my domain were something like ‘#ORD-GROUP NAME’. This causes a couple of problems:

  • LDAP queries returning group names can’t contain a ‘#’ sign… unless escaped.
  • DokuWiki’s ACL doesn’t deal with # signs anyway
  • DokuWiki’s ACL can’t deal with spaces

So in my ‘ldap.php’ file I added a bit of post-processing to all of the group names:

  • backslashes (\) are removed entirely
  • pound signs (#) are removed as well
  • spaces are replaced with an underscore (_)

Thus, in my ACL I can still use names pretty close to what they are in AD, which is much easier for the site administrators: MY_GROUP_NAME.
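The three rewrite rules above, as an added example (not the post’s own ldap.php or ntlm.class.php). It goes one step beyond the post: because characters are dropped, two distinct AD groups can collapse to the same ACL name, so the example also reports those collisions so an administrator can review them before granting rights. The function names and the sample group names are constructed for this illustration.

```php
<?php
// Apply the post's three rules so an AD group name can be used in DokuWiki's ACL.
function sanitizeGroupName(string $name): string
{
    $name = str_replace('\\', '', $name); // backslashes removed entirely
    $name = str_replace('#', '', $name);  // pound signs removed as well
    $name = str_replace(' ', '_', $name); // spaces replaced with an underscore
    return $name;
}

// Map every AD group to its ACL name and collect ACL names reached from more
// than one AD group. Returns ['map' => [ad => acl], 'collisions' => [acl => [ad, ...]]].
function mapGroupsToAcl(array $adGroups): array
{
    $map = [];
    $byAcl = [];
    foreach ($adGroups as $adName) {
        $acl = sanitizeGroupName($adName);
        $map[$adName] = $acl;
        $byAcl[$acl][] = $adName;
    }
    $collisions = [];
    foreach ($byAcl as $acl => $sources) {
        if (count($sources) > 1) {
            $collisions[$acl] = $sources;
        }
    }
    return ['map' => $map, 'collisions' => $collisions];
}

// Constructed sample names in the '#ORD-GROUP NAME' style the post describes.
$sample = ['#ORD-WIKI EDITORS', '#ORD-WIKI ADMINS', 'ORD-WIKI_EDITORS', 'Domain Users'];
$result = mapGroupsToAcl($sample);

foreach ($result['map'] as $ad => $acl) {
    echo "$ad => @$acl\n"; // DokuWiki ACL entries refer to groups as @name
}
foreach ($result['collisions'] as $acl => $sources) {
    // Members of any of these AD groups would share whatever @acl is granted.
    echo "collision: @$acl <= " . implode(', ', $sources) . "\n";
}
```

With the sample input, '#ORD-WIKI EDITORS' and 'ORD-WIKI_EDITORS' both become @ORD-WIKI_EDITORS and are reported as a collision.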

Update for DokuWiki 2006-03-09

Download the updated adLDAP auth class for DokuWiki.

The auth files were converted over to classes. I’ve updated my modified LDAP.php file to be ntlm.class.php instead. Instructions for use (also in the comments of the file):

  • Copy the ntlm.class.php file into your /dokuwiki/inc/auth/ directory
  • Put adLDAP.php in your PHP include path
  • Configure adLDAP.php for your environment
  • Set DokuWiki’s local.php auth settings to read: $conf['useacl'] = 1; $conf['openregister'] = 0; $conf['autopasswd'] = 0; $conf['authtype'] = 'ntlm'; $conf['passcrypt'] = 'ssha';

Final Notes

I hope this helps other people out there… I spent a lot of time trying to figure out why PHP’s LDAP functions didn’t seem to quite work with AD.

Special thanks to Andreas Gohr, author of DokuWiki, for developing one of the best wikis for a corporate environment I have seen and tested. (And I tested quite a few before settling on his.)

The clean look of the default site, usable wiki grammar, features for Windows users (like linking to Windows shares) that are usually ignored in open-source environments, non-database dependence, and powerful ACL are just what we needed.

Also thanks to Scott Barnett, maintainer (author?) of adLDAP. The coding is clean, the class function names make sense, and best of all: it actually works.

To Do

Saw on the DokuWiki LDAP page that another user got this working with integrated authentication. I might try and add options to allow that to work.

16 Comments on “LDAP, ActiveDirectory, and DokuWiki”


Andreas, April 19th, 2006 at 11:31 pm

Ah… i managed to retrieve the group names via the example-file.
But i still have trouble with the access list.
The basic group for users in our AD is Domänen-Benutzer.
But the ä seems to break the authentication.
Would you mind posting the lines where you used the str_replace(). I assume that would solve my problem too.

jamesvl, April 20th, 2006 at 12:24 pm

In the ntlm.class.php file, look for the function called _sanitizeGroupName($name). It’s around line 146. You can indeed add your own additional replacements there.

I’ve noticed the most current version of DokuWiki will also replace some symbols by their hex equivalents (for example, pound signs ('#') with '%23').

You may not need to make a change to ntlm.class.php if you change your ACL file to use ASCII hex codes. For example, 'ä' can be written in the ACL as '%E4'.

See http://www.good-stuff.co.uk/useful/ascii.php for more ASCII codes.

Jason J. Thomas, April 21st, 2006 at 7:58 am

Maybe I am being a bit thick here, but did you place the adLDAP files into the /inc directory within your dokuwiki installation? I just want to make sure I am putting these in the right place.

Jason J. Thomas, April 21st, 2006 at 8:04 am

Oooops. RTFDs. ;-)

Jason J. Thomas, April 21st, 2006 at 8:47 am

After following all the directions and taking a look at the adLDAP section of this, I am getting the following error:
Warning: require_once(adLDAP.inc.php) [function.require-once]: failed to open stream: No such file or directory in C:\wiki\dokuwiki\inc\auth\ntlm.class.php on line 43
Fatal error: require_once() [function.require]: Failed opening required ‘adLDAP.inc.php’ (include_path=’.;C:\php5\pear’) in C:\wiki\dokuwiki\inc\auth\ntlm.class.php on line 43

Now, I am trying to get this to tie into the IIS/NTLM authentication, so that might be part of my problem. Thoughts?

jamesvl, April 21st, 2006 at 1:02 pm

Jason: looks like you didn’t install adLDAP in a place that DokuWiki could find it.

Since adLDAP is a SourceForge project I’m not trying to bundle & sync their distribution with my code - you’ll have to install it on your own (link provided in the post).

The good part is it’s test/example PHP script that, if you can get working, guarantees you can also get DokuWiki working with it.

Tim, May 22nd, 2006 at 8:11 am

I’m having trouble getting groups to work with the 2006-03-09 version of doku. I tried adding groups through the web interface and manually and neither have worked for me. Users are authenticated but when they login they simply get a permission denied page because I have @ALL set to no access. I’ve followed the steps above for the new install but I’m wondering if I need to add additional lines to get groups to work.

Tim

Dave, June 13th, 2006 at 6:30 pm

Excellent Solution. Only thing I had to change was rename adLDAP.php to adLDAP.inc.php and everything worked like a charm. Thanks for the excellent solution.

Chris, April 3rd, 2007 at 4:14 am

Has anyone found any problems with file uploads or the indexer running?

Jon, May 7th, 2007 at 1:09 pm

Hi,

I’ve just tried setting up adLDAP on a Linux/Apache server, and connecting to a Win2003 ldap AD.

When I try loading examples.php or the Docuwiki index page, I just get a blank page.

can someone give me a hint what might cause this… is it my path to the include files, my LDAP connection details, or something else?

I’ve checked everything and it all looks correct to me.

Any ideas where to start looking?

Thanks
