[pmwiki-users] LDAP and Group Authentication
gspivey at georgefox.edu
Wed Jan 23 22:09:56 CST 2008
Sorry for the late response, ...
To first answer your question about extern_auth - it doesn't use LDAP -
it assumes that something has done the authentication externally (in my
case, via LDAP outside of PmWiki) - and then set some session variables
- things like:
1) $_SESSION['authenticated'] (true or false)
2) $_SESSION['authentication_level'] (based on the highest gid for the that they are associated with)
3) $_SESSION['groups'] (an array that contains the group names to which the individual belongs. This can be checked with in_array)
I also set a $_SESSION['username'] that I utilize in (:if username
When these are set, ExternAuth goes through and looks for each of these
conditions to see if they match the specific requirements of the
So, that was the ExternAuth plan.
Thanks for the suggestion on getting Groups working with AuthUser - I
will soon give that a try.
From: pmwiki-users-bounces at pmichaud.com
[mailto:pmwiki-users-bounces at pmichaud.com] On Behalf Of ThomasP
Sent: Thursday, January 17, 2008 9:05 PM
To: pmwiki-users at pmichaud.com
Subject: Re: [pmwiki-users] LDAP and Group Authentication
On Wed, January 16, 2008 1:33 pm, Thomas Gemperli wrote:
> I missed this thread, so I am not sure if this is interesting for you.
> I use a self written piece of php (attachment) to get group members
> out of my LDAP directory (Apple OpenDirectory). It will most likely
> not work with AD, because AD stores group information inside user
> Use something like this in config.php:
> $AuthUser['@editors'] = get_ldap_values("cn=groups", "(cn=GROUP)",
> $AuthUser['@admins'] = get_ldap_values("cn=groups",
> "(cn=OTHERGROUP)", array("memberUid"));
> $DefaultPasswords['edit'] = '@editors';
> $DefaultPasswords['attr'] = '@editors';
> $DefaultPasswords['upload'] = '@editors';
> $DefaultPasswords['admin'] = array('@admins','id:ANOTHERUSER');
Looking diagonally over this and the previous ldif output hints to me that
is already exactly what would also work in Gary's case (since there also
the users (also via memberUid attributes) are in group "containers").
I somehow would guess that one has to provide
as root node for the search, and then filter by "cn=MYGROUP". The hurdle
that I have with this is currently "only":
Where actually is the get_ldap_values function defined? (Could see it
neither in pmwiki nor on php.net.) What does one provide as arguments?
Gary, if you just want to give it a try, use
and this line repeated with MYGROUP replaced with your groups found in
Then authuser permission granting as usual.
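The get_ldap_values attachment discussed above is not on this page. The following is an added example, not Thomas Gemperli's code: a hypothetical helper with the same three-argument call shape that returns the memberUid values of a group so they can be assigned to an $AuthUser['@group'] entry. The server URI, the base DN, the anonymous bind and the ldap_group_filter helper are assumptions.

```php
<?php
// Hypothetical stand-in for the get_ldap_values() helper named in the thread.
// $LdapUri and $LdapBaseDn are placeholders (assumptions), not values from the page.
$LdapUri    = 'ldaps://ldap.example.org';  // ldaps:// keeps the lookup off the wire in clear text
$LdapBaseDn = 'dc=example,dc=org';

// Returns a flat array of attribute values found under "$rdn,$LdapBaseDn".
// Any failure returns an empty array, so a directory outage grants no group
// membership instead of leaving stale or partial data in $AuthUser.
function get_ldap_values($rdn, $filter, $attrs) {
  global $LdapUri, $LdapBaseDn;
  $values = array();
  $conn = ldap_connect($LdapUri);
  if (!$conn) return $values;
  ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
  ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
  // Assumption: the directory allows an anonymous bind for reading groups.
  $result = false;
  if (@ldap_bind($conn))
    $result = @ldap_search($conn, "$rdn,$LdapBaseDn", $filter, $attrs);
  $entries = ($result === false) ? array('count' => 0)
                                 : ldap_get_entries($conn, $result);
  ldap_unbind($conn);
  for ($i = 0; $i < $entries['count']; $i++) {
    foreach ($attrs as $attr) {
      // ldap_get_entries() lower-cases attribute names: memberUid -> memberuid
      $key = strtolower($attr);
      if (!isset($entries[$i][$key])) continue;
      for ($j = 0; $j < $entries[$i][$key]['count']; $j++)
        $values[] = $entries[$i][$key][$j];
    }
  }
  return array_values(array_unique($values));
}

// Builds "(cn=NAME)" with filter metacharacters escaped, so a group name that
// is not a hard-coded literal cannot widen the search (ldap_escape: PHP >= 5.6).
function ldap_group_filter($group) {
  return '(cn=' . ldap_escape($group, '', LDAP_ESCAPE_FILTER) . ')';
}

// Usage in config.php, mirroring the call shape quoted in the thread:
//   $AuthUser['@editors'] = get_ldap_values("cn=groups",
//       ldap_group_filter("GROUP"), array("memberUid"));
```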