From: William L. <le...@k2...> - 2006-06-29 21:21:09
After lots more digging, here is where I am at. The code is calling the _PassUser constructor. Inside the constructor, right around line 880 or so, there is the block of code that only runs when USER_AUTH_POLICY = first-only:

    $class = $this->nextClass();
    return new $class($UserName,$this->_prefs);

What's interesting is that if we follow the code back up and examine the result, it is a _PassUser, but a _LDAPPassUser was expected. So I got to thinking that something must not be right with the line:

    return new $class($UserName,$this->_prefs);

That runs when Auth Policy is first-only, but there is different code that runs when USER_AUTH_POLICY = old, which should behave the same way as long as USER_AUTH_ORDER = "LDAP", right? So one quick change to the config.ini and I can now log in. My guess is that the code that runs for the old Auth Policy explicitly calls _LDAPPassUser's constructor. So

    return new $class($UserName,$this->_prefs);

does not behave the same as

    return new _LDAPPassUser($UserName,$this->_prefs);

Things still weren't quite right. I had to adjust a few more seemingly unrelated settings before things were completely working the way I want them to. After some review of my config.ini, here are the values that needed to be changed to make it work:

    USER_AUTH_ORDER = "LDAP"
    USER_AUTH_POLICY = old
    CATEGORY_GROUP_PAGE = "CategoryGroup"
    ;not sure if CATEGORY_GROUP_PAGE was really needed.
    LDAP_AUTH_HOST = "ldap://127.0.0.1:389"
    LDAP_BASE_DN = "DC=PDI,DC=com"
    LDAP_SET_OPTION = "LDAP_OPT_PROTOCOL_VERSION=3:LDAP_OPT_REFERRALS=0"
    LDAP_AUTH_USER = "CN=ldapclient,CN=Users,DC=PDI,DC=com"
    LDAP_AUTH_PASSWORD = secret
    LDAP_SEARCH_FIELD = sAMAccountName
    LDAP_OU_USERS = "OU=Users"
    LDAP_OU_GROUP = "OU=Users"
    AUTH_SESS_USER = "userid"
    AUTH_SESS_LEVEL = 2

Some observations:

I had tried setting ENABLE_PAGEPERM on, but this doesn't appear to work yet with LDAP. The comments mention something about a gidnumber, but it seems silly for me to have to add some attribute like that when an Active Directory Group has a Members attribute with a list of members in it. If I can find the time to do it, I may try to hack up GroupLdap's Membership functions to do things the Active Directory way; it depends on how much free time I have.

Active Directory appears to be case sensitive on the LDAP stuff. I had to make all the DC, OU, CN, etc. uppercase before the connections to LDAP would work. I'm not 100% sure this is true; can anyone who knows more about AD and LDAP confirm this?

Currently any account in the Active Directory can log in. This isn't what I want, but it will have to do for now. Since the Group code isn't working, it's probably related to that. If anyone has gotten their PHP wiki set up so that only members of a certain group can log in, I would like to hear from them.

-Will

William Leader wrote:
> I have been able to make further progress by changing these two settings:
>
> LDAP_BASE_DN = "DC=PDI,DC=com"
> LDAP_AUTH_USER = "CN=ldapclient,CN=Users,DC=PDI,DC=com"
>
> Now when I try to log in as any user that is in the active directory I get:
> USER_AUTH_ORDER: => LDAP => Forbidden,
>
> But if I use anything that doesn't exist in the active directory I get:
> USER_AUTH_ORDER: => LDAP (nosuchuser) => Forbidden,
>
> So at the very least I do know that it is connecting and properly
> checking if the users exist. However I am still not able to log in with
> a valid user name and password
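The group-restricted login Will asks for at the end, as an added stand-alone example that is not PhpWiki's code nor part of the thread: it checks the AD group's member attribute the "Active Directory way" instead of a gidnumber. The host, base DN, service account and sAMAccountName search field come from the config.ini above; the group DN, user name and passwords are placeholders.

```php
<?php
// Added example (not PhpWiki code). Authenticates an AD user and requires
// membership in one AD group via the group's "member" attribute.
// Connection settings mirror the posted config.ini; $groupDn is a placeholder.

function ad_login_in_group(string $host, string $bindDn, string $bindPw,
                           string $baseDn, string $user, string $userPw,
                           string $groupDn): bool
{
    // An empty password must never reach ldap_bind: LDAP treats it as an
    // anonymous (unauthenticated) bind, which AD reports as success.
    if ($userPw === '') {
        return false;
    }
    $ds = ldap_connect($host);
    if ($ds === false) {
        return false;
    }
    // Same options as LDAP_SET_OPTION in the posted config.ini.
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // 1. Bind as the service account and resolve the user's DN.
    if (!@ldap_bind($ds, $bindDn, $bindPw)) {
        return false;
    }
    $filter = '(&(objectClass=user)(sAMAccountName='
            . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . '))';
    $sr = ldap_search($ds, $baseDn, $filter, ['dn']);
    $entries = ldap_get_entries($ds, $sr);
    if ($entries['count'] !== 1) {          // unknown or ambiguous account
        ldap_unbind($ds);
        return false;
    }
    $userDn = $entries[0]['dn'];

    // 2. Let the server compare the group's member values against the
    //    user's DN (direct membership only; nested groups are not followed).
    if (ldap_compare($ds, $groupDn, 'member', $userDn) !== true) {
        ldap_unbind($ds);
        return false;
    }

    // 3. Only a group member gets a password check: bind as the user.
    $ok = @ldap_bind($ds, $userDn, $userPw);
    ldap_unbind($ds);
    return $ok;
}

// Placeholder call; "CN=WikiUsers,..." is a constructed group DN.
var_dump(ad_login_in_group('ldap://127.0.0.1:389',
    'CN=ldapclient,CN=Users,DC=PDI,DC=com', 'secret', 'DC=PDI,DC=com',
    'jdoe', 'user-password-placeholder', 'CN=WikiUsers,OU=Users,DC=PDI,DC=com'));
```

Because the service-account bind, the group lookup and the user bind are separate steps, a failed login can be logged with the step that rejected it, which is more useful than the bare "Forbidden" in the quoted output.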