Tiki LDAP FAQ


Question: What needs to be configured on LDAP Base DN?
Answer: normally dc=yourDomain, dc=com
Question: How do I configure LDAP User Authentication with Windows Active Directory?
Answer:

PHP Tiki LDAP User Authentication

Environment:
IIS 5.0, PHP 4.3.3, Tiki 1.7.1.1, Windows 2000 SP 3 (German).
Active Directory is on another server, also Windows 2000 SP3 (German).

Note that only the configuration changes from the default are described here.
- activate extension php_ldap.dll in php.ini
- copy all DLLs from the PHP directory (e.g., c:\php\dlls) to a directory where Windows can find them (e.g., c:\winnt\system32), or add this directory to PATH, or just copy the files ssleay32.dll and libeay32.dll (for PHP >= 4.3.0, or libsasl.dll for PHP < 4.3.0) to where Windows can find them. See PHP's install.txt.
- Login to Tiki as Admin and go to the Login configuration page accessed by selecting 'Admin (click!)'
- in the 'User registration and login' section, set 'Authentication method' to 'Tiki and PEAR::Auth'
- in the 'PEAR::Auth' section, activate 'Create user if not in Tiki?'
- in the 'PEAR::Auth' section, set 'LDAP Host:' to the Active Directory server's name or IP address
- in the 'PEAR::Auth' section, set 'LDAP Base DN:' to the LDAP version of the domain name as it appears in 'Active Directory Users and Computers'. E.g., if the domain is called my-domain.local, set this to 'dc=my-domain,dc=local'
- in the 'PEAR::Auth' section, set 'LDAP User Attribute:' to 'sAMAccountName'
- in the 'PEAR::Auth' section, set 'LDAP User OC:' to 'User'

By default, Active Directory does not allow anonymous ldap_search! Therefore, you have to make a small change in lib\pear\AUTH\Container\LDAP.php in order to ldap_bind with a user account that has the right to do so:
in the function _connect(), change the line (189)
if (@ldap_bind($this->conn_id) == false) {
to
if (@ldap_bind($this->conn_id, "someuser", "somepassword") == false) {
where "someuser" is an existing Active Directory user with the password "somepassword". Specify the username as someuser@my-company.local if the domain is called my-company.local. Obviously, it is best to create a new user account for this.
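An added example (not Tiki's or PEAR::Auth's own code) of the authenticated bind and sAMAccountName lookup that the change above enables, written for current PHP. It goes beyond the recipe in two ways: the service-account password is read from an environment variable instead of being hard-coded in the library file, and the login is escaped before it is placed in the search filter. Host, base DN, account name and the login 'jdoe' are assumed values.

```php
<?php
// Added example, not Tiki or PEAR::Auth code. Requires the php_ldap
// extension; ldap_escape() needs PHP >= 5.6. All values below are assumed.

$ldapHost = 'ad.my-domain.local';                 // assumed AD server
$baseDn   = 'dc=my-domain,dc=local';              // as shown in AD Users and Computers
$bindUser = 'svc-tiki-ldap@my-domain.local';      // assumed dedicated read-only account
$bindPass = getenv('TIKI_LDAP_BIND_PASSWORD');    // secret kept out of the code base

function ad_find_user($host, $baseDn, $bindUser, $bindPass, $login)
{
    $conn = ldap_connect($host);
    if (!$conn) {
        return array('ok' => false, 'error' => 'ldap_connect failed');
    }
    // Active Directory requires LDAP protocol version 3; disable referral chasing.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Bind with the service account: AD refuses anonymous searches by default.
    if (!@ldap_bind($conn, $bindUser, $bindPass)) {
        $err = ldap_error($conn);
        ldap_unbind($conn);
        return array('ok' => false, 'error' => 'bind failed: ' . $err);
    }

    // Escape the login so a crafted username cannot alter the filter.
    $filter = sprintf('(&(objectClass=user)(sAMAccountName=%s))',
                      ldap_escape($login, '', LDAP_ESCAPE_FILTER));
    $res = ldap_search($conn, $baseDn, $filter, array('dn', 'sAMAccountName'));
    $entries = $res ? ldap_get_entries($conn, $res) : false;
    ldap_unbind($conn);

    // Exactly one match is expected; anything else is treated as a failure.
    if (!$entries || $entries['count'] !== 1) {
        return array('ok' => false, 'error' => 'user not found or ambiguous');
    }
    return array('ok' => true, 'dn' => $entries[0]['dn']);
}

$result = ad_find_user($ldapHost, $baseDn, $bindUser, $bindPass, 'jdoe');
if ($result['ok']) {
    echo "Found: " . $result['dn'] . "\n";   // the DN Auth would then bind as
} else {
    echo "Lookup failed: " . $result['error'] . "\n";
}
```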

Question: I've changed the login settings (LDAP or SSL only), and now can't log in.
Answer: I've found this listed twice in the "suggested questions" box, and have just done it to myself, as well. I think that three makes it officially a FAQ. :-) Does anyone know how I can reset the login perms and point to any docs on what needs to be done BEFORE turning on this authentication function? Thanks! Patrick Salsbury
