Instead of using Tiki's internal user system, you can configure Tiki to authenticate users against an LDAP directory. The username still has to be created in Tiki at some point, but it will authenticate the password against an LDAP directory.
Logged in as an administrator, go to the admin screen, and click on Login.
There you will see two sections: "User registration and login" and "PEAR::Auth".
Under the "User registration and login" section, change Authentication Method to Tiki and PEAR::Auth.
- Create user if not in Tiki?
- If username exists in the LDAP directory, it will create the Tiki user and allow them to login.
- Create user if not in Auth?
- Will create a Tiki user even if they do not exist in LDAP directory, and will add the user to the LDAP directory using LDAP Admin User/Pwd. Only use this when using the Users can register option.
- Just use Tiki auth for admin?
- Just use Tiki authentication, for administrator instead of a LDAP authentication.
- LDAP Host
- FQDN of LDAP server. (localhost if it is on the same machine that Tiki is on.)
- LDAP Port
- Port that LDAP server is listening on. Default is 389.
- LDAP Scope
- Options are base, one, or sub (default). Tells Tiki to search the base DN only, one-level down, or the entire subtree on the LDAP directory.
- LDAP Base DN
- Base DN (Distinguished Name) of LDAP directory you want to use on the LDAP server. Usually something like dc=example,dc=org.
- LDAP User DN
- What OU are your users under? This may be something like ou=People. This is just the group/OU, not the full DN.
- LDAP User Attribute
- What LDAP attribute are you looking to match as the username. I use shadowAccount for LDAP User OC, so the username will match up with the "uid" attribute. This could be userid or something else depending on what object class you use for the users in the LDAP directory.
- LDAP User OC
- Fill in which Object Class your users are setup with in your LDAP directory. As mentioned above, I am using shadowAccount, but this could be posixAccount, account, or others.
- LDAP Group DN (this does not seem to get used at this point)
- DN (Distinguished Name) of group you want to have access to Tiki. Usually something like cn=TikiAccess,ou=Group,dc=example,dc=org. *Just a guess, someone please correct/confirm me
- LDAP Group Attribute (this does not seem to get used at this point)
- Similar to LDAP User Attribute. What LDAP attribute are you looking to match as the group name. I use groupOfUniqueNames for LDAP Group OC, so the group will match up with the "cn"' attribute. This could be something else depending on what Object Class you use for the group in the LDAP directory.
- LDAP Group OC (this does not seem to get used at this point)
- Fill in which Object Class your group is setup with in your LDAP directory. As mentioned above, I am using groupOfUniqueNames, but this could be something else.
- LDAP Member Attribute
- Inside that group, what attribute will be the username. If you are using groupOfUniqueNames for LDAP Group OC, this should be uniqueMember.
- LDAP Member is DN
- Options are simply y and n. Is the value of the LDAP Member Attribute the DN of the user? N means it contains only the username, instead of the full DN.
- LDAP Admin User
- DN of the LDAP directory admin.
- LDAP Admin Pwd
- Password that goes with this admin account.
"An Introduction to LDAP" by Luke A. Kanies — Luke A. Kanies introduces LDAP and explains why it is an important tool for network administrators.
"Getting Started with LDAP" by Luke A. Kanies — Luke A. Kanies shows you how to set up a basic LDAP directory to store Unix user accounts, along with a script to pull those accounts to a Unix system.