From: William L. <le...@k2...> - 2006-06-29 10:16:21
I have been able to make some progress on the problem. I started by reverting the config.ini file and configuring it again. This time I was able to get a Call to undefined function: ldap_connect() in LDAP.php line 16. This is good because it never did that before. It seems that I was missing something in my config.ini to start with. So to get past this problem, I had to uncomment extension=php_ldap.dll in my php.ini.

So now it seems that it is really trying to use LDAP, but I am still not completely there. With the debug set to 65 in config.ini, I can now get something like this when logging in:

DEBUG: ALLOW_ANON_EDIT = false, ALLOW_BOGO_LOGIN = false, ALLOW_USER_PASSWORDS = true, ENABLE_PAGEPERM = true, USER_AUTH_ORDER: => LDAP (nosuchuser) => Forbidden, USER_AUTH_POLICY: first-only, PASSWORD_LENGTH_MINIMUM: 0

Correct me if I am wrong, but that tells me that the LDAP code was unable to verify that the supplied user name doesn't exist. I am basing this assumption on the part that reads "USER_AUTH_ORDER: => LDAP (nosuchuser) => Forbidden", meaning LDAP reported that no such user exists, and since LDAP is the only allowed option on my wiki, failing that the only choice remaining was Forbidden user.

Upon double checking the config.ini, I found that the configurator.php script commented out the LDAP settings. I uncommented and changed what I think is correct, based on the hints in the config.ini:

LDAP_AUTH_HOST = "ldap://12.161.32.40:389"
;12.161.32.40 is the address of the Active Directory server as it is seen from the webserver.
;it does run on port 389, because I have been able to configure other programs to connect on that port.
LDAP_BASE_DN = "ou=Users,o=WikiUsers,dc=pdi.com"
;I don't know enough about LDAP to know if this is right.
;the original config had o=developement
;not being sure what that was I guessed that it is supposed to be the group.
;WikiUsers is the group on Active Directory that contains the users that should have access to the wiki.
;pdi.com is the name of the domain.
LDAP_SET_OPTION = "LDAP_OPT_PROTOCOL_VERSION=3:LDAP_OPT_REFERRALS=0"
;I've heard somewhere active directory needs these, so I just uncommented this line.
LDAP_AUTH_USER = "CN=ldapclient,ou=Users,o=WikiUsers,dc=pdi.com"
;I also know that active directory needs a user to log in as to query the directory
;ldapclient is a user in my domain created just for that purpose, the rest of the line
;was similar to Base_DN so this was also modified in the same way as base_DN
LDAP_AUTH_PASSWORD = secret
;the password was changed to match what is in active directory.
LDAP_SEARCH_FIELD = sAMAccountName
;I've also heard somewhere that active directory needs this line to search by the old style username (will instead of wi...@pd...)
LDAP_OU_USERS = ou=Users
LDAP_OU_GROUP = ou=Groups
;I don't know what these last two do, so I just uncommented them.

With all these changes I now get an error when logging into the wiki:

lib\WikiUser\LDAP.php:28: Warning[2]: ldap_bind() [<a href='function.ldap-bind'>function.ldap-bind</a>]: Unable to bind to server: Invalid credentials
lib\WikiUser\LDAP.php:37: Warning[512]: Unable to bind LDAP server ldap://12.161.32.40:389 using CN=ldapclient,ou=Users,o=WikiUsers,dc=pdi.com secret

And this is where I am stuck.

-Will
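
An offline sanity check for the DN values in the post above, added here as an example (not part of the original message and not PhpWiki code): it flags DN components that do not match a default Active Directory layout. The rule set and the second, constructed DN are assumptions; the real location of the ldapclient account has to be read from the directory itself.

```python
import re

# Added example: heuristic lint for DNs meant for Active Directory.
# The rules assume a default AD layout; they are not PhpWiki code.

def split_rdns(dn):
    """Split a DN into (attribute, value) pairs on unescaped commas."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, sep, value = part.strip().partition('=')
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns

def lint_ad_dn(dn):
    """Return (code, message) findings; an empty list means nothing flagged."""
    findings = []
    rdns = split_rdns(dn)
    for attr, value in rdns:
        if attr == 'dc' and '.' in value:
            fixed = ','.join('dc=' + label for label in value.split('.'))
            findings.append(('dotted-dc',
                'dc=%s packs a DNS name into one component; AD uses %s' % (value, fixed)))
        elif attr == 'o':
            findings.append(('o-rdn',
                'o=%s: AD domain DNs are built from cn/ou/dc; group membership '
                'is not part of an object DN' % value))
        elif attr == 'ou' and value.lower() == 'users':
            findings.append(('ou-users',
                'ou=Users: the built-in AD Users folder is a container, cn=Users'))
    if not any(attr == 'dc' for attr, _ in rdns):
        findings.append(('no-dc', 'no dc= component, so no domain suffix'))
    return findings

if __name__ == '__main__':
    # First DN is the LDAP_AUTH_USER value from the post; the second is a
    # constructed comparison that assumes the account sits in cn=Users.
    for dn in ('CN=ldapclient,ou=Users,o=WikiUsers,dc=pdi.com',
               'CN=ldapclient,CN=Users,DC=pdi,DC=com'):
        print(dn)
        for code, message in lint_ad_dn(dn) or [('ok', 'nothing flagged')]:
            print('  [%s] %s' % (code, message))
```

A clean result only means the DN has a plausible shape; the bind can still fail with "Invalid credentials" if the account lives elsewhere in the tree or the password is wrong.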