Hi DokuWiki Team,
I would like to authenticate users against Active Directory and additionally use a user filter.
I found out that authad doesn't support user filters, so I used authldap as described here:
https://www.dokuwiki.org/auth:ldap_ad
My config:
-------------------------------------------------
// LDAP_AUTH against AD
$conf['authtype'] = 'authldap';
$conf['auth']['ldap']['server'] = 'XXXXX';
#$conf['auth']['ldap']['binddn'] = '%{user}@%{server}';
$conf['auth']['ldap']['binddn'] = 'AD\%{user}';
$conf['auth']['ldap']['usertree'] = 'cn=users,dc=ad,XXXXX';
$conf['auth']['ldap']['userfilter'] = '(memberof=CN=fmi0_alle,OU=fmi0,XXXXX)';
$conf['auth']['ldap']['mapping']['name'] = 'displayname';
$conf['auth']['ldap']['mapping']['grps'] = array('memberof' => '/CN=(.+?),/i');
$conf['auth']['ldap']['grouptree'] = 'ou=fmi0,XXXXX'; # base DN under which groups are searched (at root here)
$conf['auth']['ldap']['groupfilter'] = '(&(cn=*)(Member=%{dn})(objectClass=group))'; # find the groups of the current user (dn)
$conf['auth']['ldap']['referrals'] = 0; # switch referrals off for use with Active Directory
$conf['auth']['ldap']['version'] = 3;
$conf['auth']['ldap']['debug'] = 1; # set to 1 to show authentication activity (e.g. the list of user groups) on the HTML page
$conf['superuser'] = '@fmi0_admins';
-------------------------------------------------
With this special setup (binddn but no bindpw) the auth routine in the file lib/plugins/authldap/auth.php does the following (function checkPass):

    } else if($this->getConf('binddn') &&
              $this->getConf('usertree') &&
              $this->getConf('userfilter')
    ) {
        // special bind string: substitute %{user} and %{server} into binddn
        $dn = $this->_makeFilter(
            $this->getConf('binddn'),
            array('user' => $user, 'server' => $this->getConf('server'))
        );
    }

which generates a "$dn".
At the end of checkPass() the following is done:
    if(!empty($dn)) {
        // User/Password bind
        if(!@ldap_bind($this->con, $dn, $pass)) {
            $this->_debug("LDAP: bind with $dn failed", -1, __LINE__, __FILE__);
            $this->_debug('LDAP user dn bind: '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
            return false;
        }
        $this->bound = 1;
        return true;

But the function $this->getUserData($user, true), which checks the user filter, is not executed.
So I had to copy the code from below to right before the line "$this->bound = 1;".
Result:
    if(!empty($dn)) {
        // User/Password bind
        if(!@ldap_bind($this->con, $dn, $pass)) {
            $this->_debug("LDAP: bind with $dn failed", -1, __LINE__, __FILE__);
            $this->_debug('LDAP user dn bind: '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
            return false;
        }
        // copied from the branch below: look the user up through usertree/userfilter
        $info = $this->getUserData($user, true);
        if(empty($info['dn'])) {
            $this->_debug('Empty DN, Skip', 0, __LINE__, __FILE__);
            return false;
        } else {
            $dn = $info['dn'];
        }
        $this->bound = 1;
        return true;
    } else {

Now the filter works fine for me. Anyway, the code was a little hard for me to read, and it is now uglier (lots of copied stuff). Maybe there is some room for improvement.
Regards, Sebastian
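The difference between the two checkPass() paths described above, shown as an added Python model (not code from the post or from DokuWiki): a constructed in-memory directory stands in for AD, the bind and the userfilter lookup are mocked, and the filter matcher handles only a single (attr=value) equality as used in the post's userfilter.

```python
import re

# Constructed sample directory modelled on the post's AD setup (not real data).
DIRECTORY = {
    "CN=alice,CN=users,DC=ad,DC=example": {
        "sAMAccountName": "alice", "password": "alice-pw",
        "memberof": ["CN=fmi0_alle,OU=fmi0,DC=ad,DC=example"]},
    "CN=bob,CN=users,DC=ad,DC=example": {
        "sAMAccountName": "bob", "password": "bob-pw",
        "memberof": ["CN=other,OU=other,DC=ad,DC=example"]},
}
BINDDN = r"AD\%{user}"   # the post's binddn template
USERFILTER = "(memberof=CN=fmi0_alle,OU=fmi0,DC=ad,DC=example)"

def make_bind_string(template, user, server):
    """Models _makeFilter(): substitute %{user} and %{server} into binddn."""
    return template.replace("%{user}", user).replace("%{server}", server)

def ldap_bind(bind_string, password):
    """Mock of ldap_bind for 'DOMAIN\\user': any directory user with the right password binds."""
    user = bind_string.split("\\", 1)[-1]
    return any(e["sAMAccountName"] == user and e["password"] == password
               for e in DIRECTORY.values())

def matches_filter(entry, flt):
    """Minimal matcher for one (attr=value) equality filter; case-insensitive like AD."""
    attr, value = re.fullmatch(r"\((\w+)=(.+)\)", flt).groups()
    values = entry.get(attr, [])
    values = values if isinstance(values, list) else [values]
    return any(v.lower() == value.lower() for v in values)

def get_user_data(user):
    """Mock of getUserData(): find the user in usertree restricted by userfilter; return dn or None."""
    for dn, entry in DIRECTORY.items():
        if entry["sAMAccountName"] == user and matches_filter(entry, USERFILTER):
            return dn
    return None

def check_pass_bind_only(user, password):
    # Original path: a successful bind is accepted; the userfilter is never consulted.
    return ldap_bind(make_bind_string(BINDDN, user, "ad.example"), password)

def check_pass_with_filter(user, password):
    # Path after the post's change: bind, then require a hit through the userfilter.
    if not ldap_bind(make_bind_string(BINDDN, user, "ad.example"), password):
        return False
    return get_user_data(user) is not None
```

With this model, bob (valid AD credentials, not in fmi0_alle) is accepted by the bind-only path and rejected only once the userfilter lookup runs after the bind.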