How do I...Integrate my users with LDAP/MS Active Directory?
Starting with Hayes, DekiWiki can be integrated with an external an LDAP directory server such as OpenLDAP, MS Active Directory, Novell eDirectory. This allows companies to have users already setup with their directories to start using DekiWiki immediately without having to create user accounts. As a user successfully logs in to DekiWiki using their LDAP credentials, the account is created and syncronized with the info from the directory.
HOWTO integrate DekiWiki with LDAP
- Login as a user with ADMIN access such as Sysop
- Go to Control Panel -> Service Management
- Ensure that 'Local' is selected.
- Enter a description for the directory server such as "ACME Sales". Users will use this description to identify the correct authentication provider when logging in.
- For service identifier (SID) enter: " http://services.mindtouch.com/deki/s...authentication " (be sure to right click and copy link on this URI)
- In the Configuration section, add the following entries: (you'll need to click 'add' to enter these settings)
- hostname with the value being your ldap server host or IP such as "sales.acme.com" (note that this may or may not be the same as your domain. This should be a pingable ip or host of the machine hosting your LDAP service)
- searchbase with the value being the DN (distinguished name) of your LDAP/AD server such as "DC=sales,DC=acme,DC=com"
- bindingdn with the DN to use for binding/authenticating with LDAP. $1 will be dynamically substituted with user name at login.
- Active directory example: $1@sales.acme.com
- OpenLdap example: CN=$1,DC=sales,DC=acme,DC=com
- userquery with the search query to use for looking up users. $1 will be dynamically substituted with user name at login.
- ActiveDirectory example: samAccountName=$1
- OpenLdap example: CN=$1
- Optionally: timeout with value being the amount of time in milliseconds for LDAP operations to timeout (default is 5000)
- Optionally (new in 1.8.2): displayname-pattern allows you to customize the username for new accounts created via the LDAP service. For example "{sn}, {givenname}" will create a username in the form lastname, firstname. Refer to your directory documentation for a list of exposed attributes for user records. Note that the displayname-pattern is composed of attributes exposed from the user object in your directory.
- Optionally (new in 1.8.3C): usernameattribute and groupnameattribute can be used to set an LDAP attribute to use for returning the username or group name. By default the behavior is to look at the common attributes for this until a value comes back. The default order is: sAMAccountName -> uid -> name -> cn. If this isn't working or you're getting an error such as: Unexpected username 'Joe Schmoe' came back from external auth provider. Expected: 'jschmoe' then you'll want to set this to the name of an LDAP attribute that has the username so the searching isn't performed.
- Optionally (new in 8.05.2): set ssl to 'true' to enable LDAPS support. This will connect on port 636 and communicate via SSL. This requires a valid SSL certificate to be used on the server. You can set ssl-ignore-cert-errors to 'true' to allow the connection bypassing any certificate warnings and errors. Refer to the SSL troubleshooting section below.
Optionally (new in 8.05): bindingpw with a password of the LDAP user described by bindingdn. This is necessary when your LDAP server doesn't allow anonymous queries, or when integrating with single sign on via NTLM/SSPI, or using this LDAP service for trusted authentication. Set bindingdn to a user's full dn (use a real username instead of $1) and set the bindingpw to their password. - Ensure the service is enabled and click 'Add service'
- Read about how to set permissions for new and existing LDAP users:
You should see that the service was added and reset successfully.
That should be it. Next time you go to the login page you'll see the service listed and you'll be able to authenticate with the directory.
Example settings
Try the following settings (work fine with Active Directory on a SBS 2003) if you are facing error 500 or having trouble with the above mentioned configuration:
searchbase DC=domainname,DC=local hostname servername.domainname.local userquery samAccountName=$1 bindingdn $1@domainname.local
(work in progress -- please add to this table if you have issues with the given settings but find one that works for you
| Microsoft Active Directory | Novell eDirectory | OpenLDAP | Mac OS X Server | |
| bindingdn | $1@sales.acme.com | CN=$1,DC=sales,DC=acme,DC=com | CN=$1,DC=sales,DC=acme,DC=com | uid=$1,cn=users,dc=your,dc=server,dc=name |
| userquery | samAccountName=$1 | CN=$1 | CN=$1 | uid=$1 |
| groupquery (available in 1.8.3) | (&(cn=$1)(objectClass=group)) | (&(cn=$1)(objectClass=group)) or (&(cn=$1)(objectClass=groupOfNames)) | (&(cn=$1)(objectClass=group)) | |
| groupqueryall (available in 1.8.3) | (objectClass=group) | (objectClass=group) | (objectClass=group) | |
| groupmembersattribute (available in 1.8.3) | memberOf | groupMembership | | |
| groupmembershipquery (available in 8.05.2) | (&(uniqueMember=$1)(objectClass=groupOfUniqueNames)) | (&(uniqueMember=$1)(objectClass=groupOfUniqueNames)) |
More info
Take a look here if you have a custom user database (non-LDAP) that you'd like to integrate with.
c22mort wrote a great guide for Novell eDirectory users here: http://forums.opengarden.org/showthread.php?p=14042
FAQs
Q: My directory service requires all connections to be authenticated. Since I never hardcoded any system account, what credentials are used to allow LDAP queries?
A: The login screen uses the credentials provided by the user to attempt authentication and to retrieve user/group info. The control panel user/group management screens ask for the credentials to use that are not stored anywhere.
Q: I've setup LDAP correctly and it looks like my users are able to authenticate but are not allowed to login with the message "This user does not have access to login to Deki Wiki. Please contact your site administrator"
A: Read the two FAQ's on external account rights from step 8 above.
Q: I'm using Novell eDirectory and I cant get groups to work
A: We found some issues in the way groups are being looked up for eDirectory. This will be fixed in 1.8.3. Please refer to http://forums.opengarden.org/showthread.php?t=890 for a fix until then
Q: When adding a group you get an error: Group 'XXX' not found in the external authentication provider.
A: This may happen on Active Directory when your CN doesn't match your sAMAccountName (windows 2000 name). Either change your sAMAccountName to the same as your group name or adjust your groupquery setting. Refer to this forum post.
Troubleshooting
Basic troubleshooting steps
A simple way to troubleshoot LDAP-related issues is to ensure that the LdapAuthentication service is able to communicate to your directory correctly. You may do this by going to the Control Panel -> Service Management and getting the URI for the LDAP Authentication service you added. You can then use a browser to interact with your directory through this service. For example, if your LDAP Authentication service URI is http://wiki.acme.org/@api/deki/services/11 you can attempt to authenticate and get user info by going to http://wiki.acme.org/@api/deki/services/11/users/maxm where maxm is the user you want to lookup. It should ask you for credentials which it will use to create the bind to the directory. To see the groups in the domain you can go to http://wiki.acme.org/@api/deki/services/11/groups.
If you're having problems having LDAP accept your username/password you can ensure that it's receiving your credentials correctly by enabling trace logging. You can do this by editing your mindtouch.host.exe.config and at the bottom use <level value="TRACE" />.
If you suspect a searchbase configuration issue, the Active Directory Explorer allows you to visually see the Active Directory tree structure.
Running VM on the Windows Server computer that you are trying to authenticate with
In at least one instance - the Deki Wiki running on the same server would be denied access to the LDAP database, causing connection errors even when everything is connected and configured properly.
To test: Suspend the VM, move your VM anywhere else, and test (good first test is the @api url).
SSL / LDAPS connections
SSL support has been added in 8.05.2. It requires a valid certificate on the server that is trusted by the ldap client. If you're unable to connect and you suspect it's a cert issue, you can try setting ssl-ignore-cert-errors to 'true' to disregard and certificate related errors. If you get a "SSL Provider not found" error, you should download the new Novell.Directory.Ldap.dll and replace the file in your wiki's bin directory (new version is included in Deki 8.07). Make sure you have trusted certs installed if you're having certificate related issues. More info on this forum thread. (todo: FAQ/howto for installing trusted root certs).
LDAP help
If you're struggling take a look the posts on the ldap forum. Try the troubleshooting steps above and search the forum before posting.
Drop by the opengarden irc channel at irc.freenode.net #opengarden
- Tag page
- What links here
Images 1
I'll try to get it into the next 1.8.3 release. But meanwhile, if you're technical enough you can edit the source and recompile to set your correct port number.
http://addicted-to-it.blogspot.com/2008/01/dekiwiki-active-directory-integration.html
userquery uid=$1
hostname your.server.name
bindingdn uid=$1,cn=users,dc=your,dc=server,dc=name
searchbase cn=users,dc=your,dc=server,dc=name
edited 01:50, 19 Jul 2008