Hi

On 10.09.2007, at 10:53, Maria McKinley wrote:

On 9/10/07, Thomas Gemperli <[EMAIL PROTECTED]> wrote:
Hi

On 10.09.2007, at 09:46, Maria McKinley wrote:

I am trying to get authentication using ldap working, and having a
very hard time. here are the lines I added to local/config.php:

## Want entire site to be password-protected for editing.
$DefaultPasswords['edit'] = crypt('edit_password');
## Want to use AuthUser so we can use ldap for passwords
include_once("$FarmD/scripts/authuser.php");
# use ldap.shadlen.org for authentication
$AuthUser['ldap'] = 'ldap://ldap.shadlen.org/ou=people,dc=shadlen?dc=org?';

I'm using ldap, with the following config:

$AuthUser['ldap'] = "ldap://host.domain.tld/ cn=users,dc=domain,dc=tld?uid";
#  Enable authuser extensions - MUST be BELOW every $AuthUser entry in this file
include_once("$FarmD/scripts/authuser.php");

Make sure to include authuser.php below any $AuthUser lines.

Thomas


Thanks a bunch. That does seem like something worth putting in the
docs under AuthUser, ldap. Maybe I'll do that once I have this all
figured out, since it is a wiki and all. :-)  However, it doesn't seem
to completely solve my problem. Now I get no error message, it just
doesn't log me in,

No message, like "invalid username" or something similar?

so I don't know if the ldap enquiry was successful
and there is some other problem, or if I am still having ldap
problems.

Well, if PmWiki does not complain about your username/password, login was successful. Now you probably need to define which users are allowed to edit/upload/etc. pages.

I use something like this in my config.php:

$AuthUser['@editors'] = get_ldap_values("cn=groups", "(cn=GROUP)", array("memberUid"));
$AuthUser['@admins'] = get_ldap_values("cn=groups", "(cn=OTHERGROUP)", array("memberUid"));

$DefaultPasswords['edit'] = '@editors';
$DefaultPasswords['attr'] = '@editors';
$DefaultPasswords['upload'] = '@editors';
$DefaultPasswords['admin'] = array('@admins','id:ANOTHERUSER');

Please note, I use a self-written piece of PHP to get group members out of my LDAP directory (Apple OpenDirectory). It will most likely not work with AD. Anyway, you can "hardcode" legitimate users in config.php, for example:

$AuthUser['@editors'] =  'id:USER1, id:USER2';
$DefaultPasswords['edit'] = '@editors';

JFYI, I have attached my "get the group members cookbook". Probably you would like to "port" it to AD. ;)

Thomas



<?php if (!defined('PmWiki')) exit();

/*
	filename:		archbook.php
	purpose:		provide some d-arch specific functionality. my very first cookbook, so, sorry.
	copyright:		see pmwiki license
	created by:		thomas gemperli <[EMAIL PROTECTED]>
	last modified:	2007-02-08 / gem
*/


// vars
$ldaphost = "ldap://host.domain.tld";		// ldap server (non-ssl: ldap://ldap.example.com, ssl: ldaps://ldap.example.com)
$ldapport = 389;							// ldap server's port number (non-ssl: 389, ssl: 636)
$ldapdn = "dc=domain,dc=tld";					// ldap server's dn
// vars used in config.php
$ldapuserdn = "cn=users";					// ldap user dn
$ldapgroupdn = "cn=groups";					// ldap group dn
$ldapuserprefix = "uid";					// ldap user name container


// connect to the ldap server anonymously
function connect_ldap($ldaphost, $ldapport)
{
	$ldapconn = ldap_connect($ldaphost, $ldapport) 
		or die("Could not connect to $ldaphost");
	
	if ($ldapconn) {
		// specify ldap protocol version 3
		ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
		
		// bind to ldap server (anonymously)
		ldap_bind($ldapconn)
			or die("Could not bind anonymously to $ldaphost");
	}
	
	return $ldapconn;
}

// connect to the ldap server with authentication (unused)
function connect_ldap_auth($ldaphost, $ldapport, $ldapcredential, $ldappass)
{
	$ldapconn = ldap_connect($ldaphost, $ldapport) 
		or die("Could not connect to $ldaphost");
	
	if ($ldapconn) {
		// specify ldap protocol version 3
		ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
		
		// bind to ldap server (using credentials)
		// a valid $ldapcredential example for an OpenDirectory: "uid=username,cn=users,dc=domain,dc=tld"
		$ldapbind = ldap_bind($ldapconn, $ldapcredential, $ldappass)
			or die("Could not bind with credentials to $ldaphost");
	}
	
	return $ldapconn;
}

// disconnect ldap server
function disconnect_ldap($ldapconn)
{
	if ($ldapconn) {
		ldap_close($ldapconn);
	}
}


// get ldap values
function get_ldap_values($searchdn, $filter, $justthese)
{
	// sorry. but pmwiki is using globals anyway
	global $ldaphost, $ldapport, $ldapdn;
	
	// values collected from the entry; stays empty if nothing is found,
	// so a group with no match grants nobody anything
	$returnvalue = array();
	
	// assemble full searchdn 
	$ldapsearchdn = "$searchdn,$ldapdn";

	// connect ldap
	$ldapconn = connect_ldap($ldaphost, $ldapport);

	// query ldap
	$searchresult = ldap_search($ldapconn, $ldapsearchdn, $filter, $justthese);
	if ($searchresult === false) {
		disconnect_ldap($ldapconn);
		return $returnvalue;
	}
	
	// get first returned ldap entry (false when the search matched nothing)
	$entry = ldap_first_entry($ldapconn, $searchresult);
	if ($entry === false) {
		disconnect_ldap($ldapconn);
		return $returnvalue;
	}
		
	// get all ldap attributes of this entry
	$attributes = ldap_get_attributes($ldapconn, $entry);	
	for ( $i = 0; $i < $attributes['count']; $i++ ) {
	
		// get all ldap values of this attribute; append, so that a second
		// requested attribute does not overwrite the values of the first
		$valuefilter = $attributes[$i];
		$values = ldap_get_values($ldapconn, $entry, $valuefilter);			
		for ( $j=0; $j < $values['count']; $j++ ) {
			$returnvalue[] = utf8_decode($values[$j]);
		}
	}
	
	// disconnect ldap 
	disconnect_ldap($ldapconn);
	
	// return array with attribute values
	return $returnvalue;
}
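A fail-closed variant of the group lookup above, added here as an example and not part of Thomas's cookbook or of PmWiki: it escapes the group name with ldap_escape() (PHP 5.6 or later), insists on StartTLS before the anonymous bind, and returns an empty group on any LDAP error, so a directory outage removes edit rights instead of aborting the page with die(). The host, base DN and group name are placeholders.

```php
<?php
// Added example, not from the thread or PmWiki. Placeholders: ldap.example.com,
// dc=example,dc=com, group "wikieditors". Empty result = fail closed.

function ldap_group_members($host, $basedn, $groupcn, $member_attr = 'memberUid')
{
    $members = array();                              // nobody, until proven otherwise

    $conn = ldap_connect($host);                     // e.g. "ldap://ldap.example.com"
    if ($conn === false) return $members;
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // never talk to the directory in cleartext: StartTLS or give up
    if (!@ldap_start_tls($conn)) { ldap_close($conn); return $members; }
    if (!@ldap_bind($conn))      { ldap_close($conn); return $members; }  // anonymous bind

    // escape the group name so characters like "*" or ")(" in config.php
    // cannot widen the filter to other groups
    $filter = '(cn=' . ldap_escape($groupcn, '', LDAP_ESCAPE_FILTER) . ')';

    // sizelimit 2: lets us detect an ambiguous match instead of silently using the first
    $res = @ldap_search($conn, "cn=groups,$basedn", $filter, array($member_attr), 0, 2);
    if ($res !== false && ldap_count_entries($conn, $res) === 1) {
        $entry = ldap_first_entry($conn, $res);
        $vals  = ldap_get_values($conn, $entry, $member_attr);
        if ($vals !== false) {
            for ($i = 0; $i < $vals['count']; $i++) {
                $members[] = $vals[$i];
            }
        }
    }
    ldap_close($conn);
    return $members;
}

// wiring for local/config.php: an empty @editors group means no one gets
// 'edit' through it; include_once("$FarmD/scripts/authuser.php") must still
// come after these lines, as discussed in the thread
$AuthUser['@editors'] = ldap_group_members('ldap://ldap.example.com',
                                           'dc=example,dc=com', 'wikieditors');
$DefaultPasswords['edit'] = '@editors';
```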


_______________________________________________
pmwiki-users mailing list
[email protected]
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
