Loading...
 
Skip to main content

LDAP / Active directory


How to use AD groups and users

Okay, this took me quite a bit of fiddling with to get right. First, screenshots that you should be able to use readily if you're comfortable with LDAP, AD and the Tiki admin menus.

https://j10-wiki-v01/tiki-admin.php?page=login

ldap-a.jpg
ldap-b.jpg
ldap-c.jpg
ldap-d.jpg
ldap-e.jpg

Now, here's what we have done:

  1. Navigate to Admin > Admin Home > Login > General Preferences
  2. Set Authentication Method to Tiki and LDAP
  3. Uncheck Users Can Register
  4. Check Synchronize Tiki groups with a directory
  5. Uncheck Forgot Password
  6. Uncheck Users can change their password
  7. Change Preferences
  8. Navigate to Admin > Admin Home > Login > LDAP
  9. Set If user does not exist in Tiki to Create the user
  10. Uncheck Create user if not in LDAP
  11. Check Use Tiki authentication for Admin login
  12. Set Host to the URL of your domain controller such as ldap://dc.mydomain.com, omit the port number.
  13. Set Port to the appropriate listener for your DC, 389 by default for non-secure.
  14. Check Use SSL if appropriate
  15. Check Use TLS if you're not using SSL, strongly suggested for security, but not required.
  16. Set LDAP bind Type to Active Directory (username@domain)
  17. Set Search Scope to Subtree
  18. Set LDAP Version to 3
  19. Set Base DN to something appropriate for your domain, to follow the example above dc=mydomain,dc=com
  20. Set User DN to the top level you want to find users from. If you want to be able to authenticate all users in your directory leave it blank. If you want users from a specific OU only enter the information in DN form excluding the Base DN string. For example, to query the Authorized Users\IT OU: ou=IT,ou=Authorized Users (For demonstration, the full DN to this would actually be ou=IT,ou=Authorized Users,dc=mydomain,dc=com, but we have the Base DN string entered already elsewhere)
  21. Set User attribute to sAMAccountName
  22. Set User OC to person
  23. Set Realname attribute to displayName
  24. Set E-mail attribute to userPrincipalName
  25. Enter credentials for an existing service account. This is for searches only, so does not have to have admin access for any reason I can fathom, please create a secure service account. Use internet-style login, so username@mydomain.com (Note: I did not bother to test whether this is required both here and in the next tab, try one or the other if you want, but I have it set in both.)
  26. Change Preferences
  27. Navigate to Admin > Admin Home > Login > LDAP external groups
  28. Uncheck Use an external LDAP server for groups
  29. Set Host to the URL for your AD server such as ldap://dc.mydomain.com
  30. Set Port to the appropriate listener port such as 389 by default.
  31. Check Use SSL or Use TLS as appropriate.
  32. Set LDAP Bind Type to Active Directory (username@domain)
  33. Set Search Scope to Subtree
  34. Set LDAP version to 3
  35. Set Base DN to match your domain, for mydomain.com it would be dc=mydomain,dc=com
  36. Set User DN to the top level you wish to pull user information from, see above for example.
  37. Set User attribute to sAMAccountName
  38. Set Corresponding user attribute in 1st directory to sAMAccountName
  39. Set User OC to person
  40. Set Group DN to the specific OU you wish to pull groups from, ifyou wish to use the whole directory, leave blank. Note that as far as I can tell if you specify something here it will only pull from that specific OU, not members of that OU. For example a setting of ou=IT,ou=Authorized Users will pull groups from the Authorized Users\IT organizational unit, but will not pull from the Authorized Users\IT\Admins (ou=Admins,ou=IT,ou=Authorized Users) OU. There may be something to modify this behavior, but I haven't found it. Again, a blank setting will acquire all group information.
  41. Set Group name attribute to sAMAccountName
  42. Set group description attribute to description
  43. Set Group OC to group
  44. Set Member attribute to member
  45. Check Member is DN
  46. Set Group attribute to memberOf
  47. Set Group attribute in group entry to cn
  48. Set Admin user and password to a pre-configured service account. This account does not need admin rights to perform searches, use the internet-style logon such as user@mydomain.com
  49. Change preferences
  50. Try to login with a domain account.


From here I'm hoping you can piece together the rest of what to do. This was a pretty trying process for me and I only returned here because I remembered seeing many questions about how to make this happen and not seeing any answers. Hopefully this will increase utilization of Tiki and thus increase the amount of support these forums get from other users.

Good luck!

Update: There are a couple of pretty hefty flaws, in my environment at least, with this method.

While Tiki does in fact import new groups every time a user logs on, it does not remove those groups. While I certainly understand there are some technical limitations I personally would greatly prefer if it were to actually synchronize at every logon.

I had thought that the 'Use external LDAP server for groups' option would do this, I haven't been able to get that to work as of yet.

jwbrandon wrote:

Update: There are a couple of pretty hefty flaws, in my environment at least, with this method.

While Tiki does in fact import new groups every time a user logs on, it does not remove those groups. While I certainly understand there are some technical limitations I personally would greatly prefer if it were to actually synchronize at every logon.

I had thought that the 'Use external LDAP server for groups' option would do this, I haven't been able to get that to work as of yet.


Thank you very much for the effort, apparently it is quite complicated... I tried to follow your instructions, but the options you mention are not always the same as mine. You say, e.g., "4. Check Synchronize Tiki groups with a directory", but I don't have this option.

Is it due to different versions, or am I missing something?

Best,
Jesper, Denmark

holck wrote:

Thank you very much for the effort, apparently it is quite complicated... I tried to follow your instructions, but the options you mention are not always the same as mine. You say, e.g., "4. Check Synchronize Tiki groups with a directory", but I don't have this option.

Is it due to different versions, or am I missing something?

Best,
Jesper, Denmark


It is possible, I know that the interface changed from 6 to 7, but I believe everything is the same from 7 to 8. In my example I was using 8.1 or 8.2, I honestly can't remember which, but these admin panels look the same in both of those versions.

The particular checkbox you're looking for is under the Login > General Preferences option, and you have to have the check box at the top of the screen that says Advanced checked in order to see all of the options.


Thank you for putting this tutorial together, it's very useful and much appreciated. I was wondering what version of Active Directory schema you used to sync users and groups on this installation?

I'm not able to get the groups to sync with the Active Directory Win2003 Schema and was wondering if upgrading to an Active Directory Win2008 schema will make the difference. No issues syncing the users but Tiki groups will just not sync the LDAP directory. I cannot bring in any details from the groups on AD. Cheers.

United States
kyork wrote:
I'm not able to get the groups to sync with the Active Directory Win2003 Schema and was wondering if upgrading to an Active Directory Win2008 schema will make the difference.


I have no reason to think that recent changes to AD would have any affect on this feature.


USA
Fantastic! Worked very well for me. Thanks for the hard work.

United States

Thanks for your efforts in mapping all of that out for us. I was able to successfully authenticate by way of our companies AD based on your instructions.

One extra thing I had to do was to edit the php.ini file on the Windows server hosting TikiWiki. I simply ran a search for the file. I found it here: C:\Program Files (x86)\PHP\v5.3 . I suspect it may be different for other users depending on the version. All I had to do was add the line "extension=php_ldap.dll" to the "ExtensionList" down towards the bottom of the file.

After I added the extension, AD authentication began working right away.


Brazil

Today I did this setting and it worked fine!!!!

Thanks!


I followed it but after doing everything when I logon and the credentials are correct, the screen just goes blank. If I enter wrong credentials it tells me so but for both admin as well as ldap accounts, it gives me nothing. Any solution?

Clear the tiki-system caches.