[pmwiki-users] LDAP and Group Authentication

Gary Spivey gspivey at georgefox.edu
Wed Jan 23 22:09:56 CST 2008

Sorry for the late response, ...

To first answer your question about extern_auth - it doesn't use LDAP -
it assumes that something has done the authentication externally (in my
case, via LDAP outside of PmWiki) - and then set some session variables
- things like:

 1) $_SESSION['authenticated'] (true or false)

 2) $_SESSION['authentication_level'] (based on the highest gid for the
                            that they are associated with)

 3) $_SESSION['groups'] (an array that contains the group names to
                         which the individual belongs. This can be
                         checked with in_array)

 I also set a $_SESSION['username']  that I utilize in (:if username
johndoe:) syntax.

When these are set, ExternAuth goes through and looks for each of these
conditions to see if they match the specific requirements of the

So, that was the ExternAuth plan. 

Thanks for the suggestion on getting Groups working with AuthUser - I
will soon give that a try.


-----Original Message-----
From: pmwiki-users-bounces at pmichaud.com
[mailto:pmwiki-users-bounces at pmichaud.com] On Behalf Of ThomasP
Sent: Thursday, January 17, 2008 9:05 PM
To: pmwiki-users at pmichaud.com
Subject: Re: [pmwiki-users] LDAP and Group Authentication

On Wed, January 16, 2008 1:33 pm, Thomas Gemperli wrote:
> ...
> I missed this thread, so I am not sure if this is interesting for you.
> I use a self written piece of php (attachment) to get group members
> out of my LDAP directory (Apple OpenDirectory). It will most likely
> not work with AD, because AD stores group information inside user
> containers.
> Use something like this in config.php:
> $AuthUser['@editors'] =  get_ldap_values("cn=groups", "(cn=GROUP)",
> array("memberUid"));
> $AuthUser['@admins'] =  get_ldap_values("cn=groups",
> "(cn=OTHERGROUP)", array("memberUid"));
> $DefaultPasswords['edit'] = '@editors';
> $DefaultPasswords['attr'] = '@editors';
> $DefaultPasswords['upload'] = '@editors';
> $DefaultPasswords['admin'] = array('@admins','id:ANOTHERUSER');
> Thomas


looking diagonal over this and the previous ldif output hints me that
is already exactly what would also work in Gary's case (since there also
the users (also via memberUid attributes) are in group "containers").

I somehow would guess that one has to provide


as root node for the search, and then filter by "cn=MYGROUP". The hurdle
that I have with this is currently "only":

Where actually is the get_ldap_values function defined? (Could see it
neither in pmwiki nor on php.net.) What does one provide as arguments?

Gary, if you just want to give it a try, use

$AuthUser['@MYGROUP'] = 
get_ldap_values("ou=Group,dc=engr,dc=georgefox,dc=edu", "(cn=MYGROUP)",

and this line repeated with MYGROUP replaced with your groups found in
LDAP tree.

Then authuser permission granting as usual.


pmwiki-users mailing list
pmwiki-users at pmichaud.com

More information about the pmwiki-users mailing list