[pmwiki-users] ldap

Maria McKinley parody at u.washington.edu
Mon Sep 10 15:22:19 CDT 2007


Thanks to Graham and Thomas, I now have it figured out. I was missing
the part where I said what to do with the login once it happened. So,
for future reference to get ldap to work you need:

## assign an ldap server, with basedn
$AuthUser['ldap'] = "ldap://ldap.example.org/ou=people,dc=example,dc=org?uid";

## Want to use AuthUser so we can use ldap for passwords
## Needs to go BELOW the ldapserver assignment
include_once("$FarmD/scripts/authuser.php");

##Security Variables set login for edit & history page
## to let anyone edit that has an ldap entry:
$HandleAuth['diff'] = 'edit';
$DefaultPasswords['edit'] = 'id:*';
$Author = $AuthId;

or to check the groups in ldap, and let different groups do different
things, do something like this:

$AuthUser['@editors'] =  get_ldap_values("cn=groups", "(cn=GROUP)",
array("memberUid"));
$AuthUser['@admins'] =  get_ldap_values("cn=groups",
"(cn=OTHERGROUP)", array("memberUid"));

$DefaultPasswords['edit'] = '@editors';
$DefaultPasswords['attr'] = '@editors';
$DefaultPasswords['upload'] = '@editors';
$DefaultPasswords['admin'] = array('@admins','id:ANOTHERUSER');

cheers,
maria

On 9/10/07, Thomas Gemperli <gemperli at arch.ethz.ch> wrote:
> Hi
>
> On 10.09.2007, at 10:53, Maria McKinley wrote:
>
> > On 9/10/07, Thomas Gemperli <gemperli at arch.ethz.ch> wrote:
> >> Hi
> >>
> >> On 10.09.2007, at 09:46, Maria McKinley wrote:
> >>
> >>> I am trying to get authentication using ldap working, and having a
> >>> very hard time. Here are the lines I added to local/config.php:
> >>>
> >>> ## Want entire site to be password-protected for editing.
> >>> $DefaultPasswords['edit'] = crypt('edit_password');
> >>> ## Want to use AuthUser so we can use ldap for passwords
> >>> include_once("$FarmD/scripts/authuser.php");
> >>> # use ldap.shadlen.org for authentication
> >>> $AuthUser['ldap'] = 'ldap://ldap.shadlen.org/ou=people,dc=shadlen?
> >>> dc=org?';
> >>
> >> I'm using ldap, with the following config:
> >>
> >> $AuthUser['ldap'] = "ldap://host.domain.tld/cn=users,dc=domain,dc=tld?uid";
> >> #  Enable authuser extensions - MUST be BELOW every $AuthUser entry in this file
> >> include_once("$FarmD/scripts/authuser.php");
> >>
> >> Make sure to include authuser.php below any $AuthUser lines.
> >>
> >> Thomas
> >>
> >
> > Thanks a bunch. That does seem like something worth putting in the
> > docs under AuthUser, ldap. Maybe I'll do that once I have this all
> > figured out, since it is a wiki and all. :-)  However, it doesn't seem
> > to completely solve my problem. Now I get no error message, it just
> > doesn't log me in,
>
> No message, like "invalid username" or something similar?
>
> > so I don't know if the ldap enquiry was successful
> > and there is some other problem, or if I am still having ldap
> > problems.
>
> Well, if PmWiki does not complain about your username/password, login
> was successful.
> Now you probably need to define which users are allowed to edit/
> upload/etc pages.
>
> I use something like this in my config.php:
>
> $AuthUser['@editors'] =  get_ldap_values("cn=groups", "(cn=GROUP)",
> array("memberUid"));
> $AuthUser['@admins'] =  get_ldap_values("cn=groups",
> "(cn=OTHERGROUP)", array("memberUid"));
>
> $DefaultPasswords['edit'] = '@editors';
> $DefaultPasswords['attr'] = '@editors';
> $DefaultPasswords['upload'] = '@editors';
> $DefaultPasswords['admin'] = array('@admins','id:ANOTHERUSER');
>
> Please note, I use a self written piece of php to get group members
> out of my LDAP directory (Apple OpenDirectory). It will most likely
> not work with AD. Anyway, you can "hardcode" legitimated users in
> config.php, for example:
>
> $AuthUser['@editors'] =  'id:USER1, id:USER2';
> $DefaultPasswords['edit'] = '@editors';
>
> JFYI, I have attached my "get the group members cookbook". Probably
> you would like to "port" it to AD. ;)
>
> Thomas


-- 
Maria Mckinley
Scientific Programmer
Shadlen Lab
Physiology and Biophysics
Box 357290
University of Washington
(206) 616-3923
parody at u.washington.edu
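
The thread calls get_ldap_values() but Thomas's attached script is not reproduced on this page. The following is an added example of what such a helper could look like; it is not his code and not part of PmWiki. The function body, the ldap.example.org host, the base DN, anonymous bind and StartTLS support on the server are all assumptions, and it needs PHP's ldap extension.

```php
<?php
// Hypothetical helper for local/config.php (NOT the script attached in the thread).
// Collects the values of $attrs from every entry matching $filter under
// "$rdn,$baseDn". Every failure path returns array(), so the wiki group ends
// up empty and nobody is granted access by accident (fail closed).
function get_ldap_values($rdn, $filter, $attrs,
                         $uri = 'ldap://ldap.example.org',   // assumed host
                         $baseDn = 'dc=example,dc=org') {    // assumed base DN
  $conn = @ldap_connect($uri);
  if (!$conn) return array();
  ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
  ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
  ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);
  // Encrypt the session before binding; do not fall back to cleartext.
  if (!@ldap_start_tls($conn)) return array();
  // Anonymous bind: assumes the directory lets anonymous clients read groups.
  if (!@ldap_bind($conn)) return array();
  $res = @ldap_search($conn, "$rdn,$baseDn", $filter, $attrs);
  if (!$res) return array();
  $entries = ldap_get_entries($conn, $res);
  ldap_unbind($conn);
  if (!$entries) return array();
  $values = array();
  for ($i = 0; $i < $entries['count']; $i++) {
    foreach ($attrs as $a) {
      $key = strtolower($a);   // ldap_get_entries() lowercases attribute names
      if (!isset($entries[$i][$key])) continue;
      for ($j = 0; $j < $entries[$i][$key]['count']; $j++)
        $values[] = $entries[$i][$key][$j];
    }
  }
  // Assumes memberUid values are the same login names the ?uid lookup uses.
  return array_values(array_unique($values));
}

// Escape the group name whenever it is not a hard-coded literal, so special
// characters cannot change the meaning of the search filter.
$group  = 'GROUP';
$filter = '(cn=' . ldap_escape($group, '', LDAP_ESCAPE_FILTER) . ')';
$AuthUser['@editors'] = get_ldap_values('cn=groups', $filter, array('memberUid'));
```

As the thread points out for every $AuthUser entry, the assignment has to sit above the include_once of authuser.php in config.php.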


