[pmwiki-users] ldap

Thomas Gemperli gemperli at arch.ethz.ch
Mon Sep 10 04:37:08 CDT 2007


Hi

On 10.09.2007, at 10:53, Maria McKinley wrote:

> On 9/10/07, Thomas Gemperli <gemperli at arch.ethz.ch> wrote:
>> Hi
>>
>> On 10.09.2007, at 09:46, Maria McKinley wrote:
>>
>>> I am trying to get authentication using ldap working, and having a
>>> very hard time. Here are the lines I added to local/config.php:
>>>
>>> ## Want entire site to be password-protected for editing.
>>> $DefaultPasswords['edit'] = crypt('edit_password');
>>> ## Want to use AuthUser so we can use ldap for passwords
>>> include_once("$FarmD/scripts/authuser.php");
>>> # use ldap.shadlen.org for authentication
>>> $AuthUser['ldap'] = 'ldap://ldap.shadlen.org/ou=people,dc=shadlen?
>>> dc=org?';
>>
>> I'm using ldap, with the following config:
>>
>> $AuthUser['ldap'] = "ldap://host.domain.tld/cn=users,dc=domain,dc=tld?uid";
>> #  Enable authuser extensions - MUST be BELOW every $AuthUser entry in this file
>> include_once("$FarmD/scripts/authuser.php");
>>
>> Make sure to include authuser.php below any $AuthUser lines.
>>
>> Thomas
>>
>
> Thanks a bunch. That does seem like something worth putting in the
> docs under AuthUser, ldap. Maybe I'll do that once I have this all
> figured out, since it is a wiki and all. :-)  However, it doesn't seem
> to completely solve my problem. Now I get no error message, it just
> doesn't log me in,

No message, like "invalid username" or something similar?

> so I don't know if the ldap enquiry was successful
> and there is some other problem, or if I am still having ldap
> problems.

Well, if PmWiki does not complain about your username/password, login
was successful.
Now you probably need to define which users are allowed to
edit/upload/etc. pages.

I use something like this in my config.php:

$AuthUser['@editors'] = get_ldap_values("cn=groups", "(cn=GROUP)", array("memberUid"));
$AuthUser['@admins'] = get_ldap_values("cn=groups", "(cn=OTHERGROUP)", array("memberUid"));

$DefaultPasswords['edit'] = '@editors';
$DefaultPasswords['attr'] = '@editors';
$DefaultPasswords['upload'] = '@editors';
$DefaultPasswords['admin'] = array('@admins','id:ANOTHERUSER');

Please note, I use a self-written piece of PHP to get group members
out of my LDAP directory (Apple OpenDirectory). It will most likely
not work with AD. Anyway, you can "hardcode" legitimated users in
config.php, for example:

$AuthUser['@editors'] =  'id:USER1, id:USER2';
$DefaultPasswords['edit'] = '@editors';

JFYI, I have attached my "get the group members cookbook". Probably  
you would like to "port" it to AD. ;)

Thomas



-------------- next part --------------
A non-text attachment was scrubbed...
Name: archbook.php
Type: text/php
Size: 2891 bytes
Desc: not available
Url : /pipermail/pmwiki-users/attachments/20070910/73bca627/attachment-0001.bin 
-------------- next part --------------
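
The group lookup described in the message above could look like the following. This is an added example, not the scrubbed archbook.php attachment and not PmWiki's own code. The function name, host, base DNs and group name are hypothetical, and it assumes PHP's ldap extension, a directory that permits anonymous reads of group entries, and that AuthUser accepts an array of usernames as a group definition.

```php
<?php
// Added example for local/config.php; not the archbook.php attachment.
// Hypothetical: function name, host, base DNs, group name. Needs PHP's ldap
// extension and a directory that allows anonymous reads of group entries.
function example_ldap_group_members($uri, $groupsDn, $groupCn, $attr = 'memberUid') {
    $conn = ldap_connect($uri);
    if (!$conn) return array();
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // Anonymous bind; on any failure return an empty group (fail closed),
    // so a directory outage never widens who may edit.
    if (!@ldap_bind($conn)) return array();

    // Escape the group name so it cannot change the search filter.
    $filter = '(cn=' . ldap_escape($groupCn, '', LDAP_ESCAPE_FILTER) . ')';
    $result = @ldap_search($conn, $groupsDn, $filter, array($attr));
    if (!$result) { ldap_unbind($conn); return array(); }
    $entries = ldap_get_entries($conn, $result);
    ldap_unbind($conn);
    if (!$entries) return array();

    $members = array();
    $key = strtolower($attr); // ldap_get_entries() lowercases attribute names
    for ($i = 0; $i < $entries['count']; $i++) {
        if (!isset($entries[$i][$key])) continue;
        for ($j = 0; $j < $entries[$i][$key]['count']; $j++) {
            $uid = $entries[$i][$key][$j];
            // Accept only plain account names; skip anything unexpected.
            if (preg_match('/^[A-Za-z0-9._-]+$/', $uid)) $members[] = $uid;
        }
    }
    return array_values(array_unique($members));
}

$ldapUri = 'ldap://host.domain.tld';            // placeholder host
$AuthUser['ldap'] = "$ldapUri/cn=users,dc=domain,dc=tld?uid";
$AuthUser['@editors'] = example_ldap_group_members(
    $ldapUri, 'cn=groups,dc=domain,dc=tld', 'GROUP');
$DefaultPasswords['edit'] = '@editors';

// Must stay BELOW every $AuthUser entry, as noted in the thread.
include_once("$FarmD/scripts/authuser.php");
```
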