Loading...
 
Skip to main content

Tiki LDAP FAQ

Questions

Answers

Question: What needs to be configured on LDAP Base DN?
Answer:  normaly dc=yourDomain, dc=com
Question: How do I configure LDAP User Authentication with Windows Active Directory?
Answer: 

PHP Tiki LDAP User Authentication

Environment:
IIS 5.0, PHP 4.3.3, Tiki 1.7.1.1, Windows 2000 SP 3 (German).
Active Directory is on another server, also Windows 2000 SP3 (German).

Note that only the configuration changes from the default are described here.
- activate extension php_ldap.dll in php.ini
- copy all dll's from the PHP directory (e.g., c:\php\dlls) to a directory where Windows can find them (e.g., c:\winnt\system32) or add this directory to PATH or just copy the files ssleay32.dll and libeay32.dll (for PHP >= 4.3.0, or libsasl.dll for PHP < 4.3.0) where Windows can find them. See PHPs install.txt.
- Login to Tiki as Admin and go to the Login configuration page accessed by selecting 'Admin (click!)'
- in the 'User registration and login' section, set 'Authentication method' to 'Tiki and PEAR::Auth'
- in the 'PEAR::Auth' section, activate 'Create user if not in Tiki?'
- in the 'PEAR::Auth' section, set 'LDAP Host:' to the Active Directory server's name or IP address
- in the 'PEAR::Auth' section, set 'LDAP Base DN:' to the LDAP version of the domain name as it appears in 'Active Directory Users and Computers'. E.g., if the domain is called my-domain.local, set this to 'dc=my-domain,dc=local'
- in the 'PEAR::Auth' section, set 'LDAP User Attribute:' to 'sAMAccountName'
- in the 'PEAR::Auth' section, set 'LDAP User OC:' to 'User'

By default, Active Directory does not allow anonymous ldap_search! Therefore, you have to make a small change in lib\pear\AUTH\Container\LDAP.php in order to ldap_bind with a user account that has the right to do so:
in the function _connect(), change the line (189)
if @ldap_bind($this->conn_id == false) {
to
if @ldap_bind($this->conn_id,"someuser","somepassword" == false) {
where "someuser" is an existing Active Directory user with the password "somepassword". Specify the username as someuser at my-company.local, if the domain is called my-company.local. Obviously, you best create a new user account for this.

Question: I've changed the login settings (LDAP or SSL only), and now can't log in.
Answer:  I've found this listed twice in the "suggested questions" box, and have just done it to myself, as well. I think that three makes it officially a FAQ. 😊 Does anyone know how I can reset the login perms and point to any docs on what needs to be done BEFORE turning on this authentication function? Thanks! Patrick Salsbury