Friday, February 25, 2011

Dokuwiki LDAP authentication against 389 Directory Server (formerly Fedora Directory Server)

EDIT (25/02/2011): The group filter string was wrong; I didn't notice before, as I didn't have the need to use the groups feature until today. If you want to be able to access the admin options of dokuwiki, you will need to create an admin group on 389 DS, add the users you need to it, and update the group filter to the one in this guide.

In my company we are changing our LDAP server. We're moving away from Sun Directory Server because, since Oracle acquired Sun Microsystems, beginning with Oracle Sun Directory Server 7, it isn't a free (as in beer) product anymore (what a surprise, huh?). So we did some research and chose 389 Directory Server as its replacement. The main reason behind this decision was that both servers have a very similar architecture and design, since both descend from Netscape Directory Server, which made the migration easier and the learning curve lower.

One of the websites we needed to migrate to the new server is a Dokuwiki installation. In general, LDAP configuration for any product is straightforward, but depending on the LDAP server you are using you will probably need some quirks in the configuration to get it working, mainly in the user and group filters.

Put this in your local.php configuration file, edit the $conf['auth']['ldap']['server'] variable to point to your LDAP server, and set $conf['auth']['ldap']['usertree'] and $conf['auth']['ldap']['grouptree'] to your user DN and group DN. Leave the rest as is:
# Enable access control lists and disable self-registration
$conf['useacl'] = 1;
$conf['openregister'] = 0;
$conf['authtype'] = 'ldap';

$conf['auth']['ldap']['server'] = 'ldap://ldapserver.com:389';
$conf['auth']['ldap']['usertree'] = 'ou=People, dc=ldapserver, dc=com';
$conf['auth']['ldap']['grouptree'] = 'ou=Groups, dc=ldapserver, dc=com';
# %{user} is replaced with the login name entered on the wiki
$conf['auth']['ldap']['userfilter'] = '(&(uid=%{user})(objectClass=inetOrgPerson))';
# %{dn} is replaced with the DN of the user entry found by userfilter
$conf['auth']['ldap']['groupfilter'] = '(&(uniquemember=%{dn}))';

# This is optional but may be required for your server:
$conf['auth']['ldap']['version'] = 3;
That's all you need to do for basic non-SSL communication (which I haven't worked on yet), although dokuwiki's LDAP backend documentation explains which parameters you need to configure for that. One important thing to keep in mind: according to the documentation, user creation isn't supported with the LDAP backend, so you will have to create your wiki users by other means, which you probably already do if you're centralizing your authentication with an LDAP server.
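
The two-step lookup these filters drive (login name to user DN, then user DN to groups), as an added Python example that is not part of the original post or of DokuWiki's code. The filter strings are the ones above; the sample entries, helper names and the simplified matcher are assumptions made for illustration.

```python
import re

# Filter templates copied from the local.php settings on this page.
USERFILTER = "(&(uid=%{user})(objectClass=inetOrgPerson))"
GROUPFILTER = "(&(uniquemember=%{dn}))"
PEOPLE = "ou=People,dc=ldapserver,dc=com"
# Constructed sample entries, not taken from a real directory.
DIRECTORY = [
    {"dn": "uid=jdoe," + PEOPLE, "objectClass": ["inetOrgPerson"], "uid": ["jdoe"]},
    {"dn": "uid=asmith," + PEOPLE, "objectClass": ["inetOrgPerson"], "uid": ["asmith"]},
    {"dn": "cn=admin,ou=Groups,dc=ldapserver,dc=com", "cn": ["admin"],
     "objectClass": ["groupOfUniqueNames"],
     "uniqueMember": ["uid=jdoe, ou=People, dc=ldapserver, dc=com"]},  # full DN
]

def escape_filter_value(value):
    """Escape the RFC 4515 special characters so input stays a literal value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def expand(template, **values):
    """Fill %{name} placeholders with escaped values."""
    return re.sub(r"%\{(\w+)\}",
                  lambda m: escape_filter_value(values[m.group(1)]), template)

def _norm(value):
    return re.sub(r"\s*,\s*", ",", value.strip().lower())

def search(filter_str):
    """Toy matcher: AND of equality terms, ignoring case and spaces after commas."""
    terms = [(attr.lower(), _norm(re.sub(r"\\([0-9a-fA-F]{2})",
                                         lambda m: chr(int(m.group(1), 16)), val)))
             for attr, val in re.findall(r"\(([^=()&]+)=([^()]*)\)", filter_str)]
    hits = []
    for entry in DIRECTORY:
        attrs = {k.lower(): [_norm(v) for v in vals]
                 for k, vals in entry.items() if k != "dn"}
        if all(val in attrs.get(attr, []) for attr, val in terms):
            hits.append(entry)
    return hits

def groups_for(login):
    """Two-step lookup: login -> user DN -> groups listing that DN."""
    users = search(expand(USERFILTER, user=login))
    if len(users) != 1:
        return None  # unknown or ambiguous login: no DN to look groups up with
    groups = search(expand(GROUPFILTER, dn=users[0]["dn"]))
    return sorted(g["cn"][0] for g in groups)

if __name__ == "__main__":
    print({u: groups_for(u) for u in ("jdoe", "asmith", "nobody")})
```

A filter keyed on the login name, such as a constructed (&(memberUid=%{user})), finds nothing in this sample because the group entry lists full DNs under uniqueMember.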