Nethserver-dokuwiki ldap auth problem when connected to a remote ldap bind

Hi there, hi @stephdl

I’d like to report some problems I have had when installing nethserver-dokuwiki on a nethserver connected to remote opendldap server.

Here is the bind setup :

After installation, the file /etc/dokuwiki/local.protected.php was not correctly configured :

$conf['authtype'] = 'authldap';
$conf['plugin'][$conf['authtype']]['server'] = "ldaps://domain.tld:636:636";

note the double 636.

$conf['plugin']['authldap']['starttls']   = 1;

Not blocking but leads to an error message. I had to disable this.

Question :

Is there a way to enable the users to log in with their email address (which they are used to) ? I tried with '(&(|(objectclass=inetOrgPerson))(|(uid=%{user})(|(mail=%{user}))))' and it works but the group association doesn’t work anymore and I don’t see a way to make it work with an email as login.

I think at LDAP server URL you only have to set the server url without the port.

I cannot reproduce

<?php
/*
# ================= DO NOT MODIFY THIS FILE =================
# 
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at NethServer official site: https://www.nethserver.org
#
# 
*/

$conf['authtype'] = 'authldap';
$conf['plugin'][$conf['authtype']]['server'] = "ldap://127.0.0.1:389";
$conf['plugin'][$conf['authtype']]['version'] = '3';
$conf['plugin'][$conf['authtype']]['usertree'] = "ou=People,dc=directory,dc=nh";
$conf['plugin'][$conf['authtype']]['grouptree'] = "ou=Groups,dc=directory,dc=nh";
$conf['plugin'][$conf['authtype']]['userfilter'] = '(&(uid=%{user})(objectClass=inetOrgPerson))';
$conf['plugin']['authldap']['groupfilter']  = '(|(memberUid=%{user})(gidNumber=%{gid}))';
$conf['plugin'][$conf['authtype']]['groupkey'] = 'cn';
$conf['plugin']['authldap']['binddn']     = "cn=ldapservice,dc=directory,dc=nh";
$conf['plugin']['authldap']['bindpw']     = "Z59OUcMHGUaidA_x";
$conf['plugin']['authldap']['starttls']   = 1;
$conf['plugin']['authldap']['modPass'] = 0;


$conf['useacl'] = 1;



?>

ok got it you used a remote ldap provider, no tested in that scenario, it should work OTB, will try when I got time

Indeed, that’s strange. I don’t how I end up with such a configuration… But it works

I removed the “:636” at the end of the LDAP server URI field in the server manager, now it’s ok for Dokuwiki.

I also set “No” for STARTTLS in the UI but that parameter looks not being taken into account by the template, I had to set it to “0” manually in the configuration file.

So the most annoying problem is the inability to login using an email address…

Sorry, I did not find time to dive inside your issue, will try to check and to reproduce the remote ldap account, but can you login with a local account provider (dokuwiki hosted on the same server) with the email ’ address?

Just tested.

• With AD : works OTB
• With DC : authentications is done with uid, not with email.

So the problem is not related to a non-localhost ldap server install but because of DC.

/etc/dokuwiki/local.protected.php :

• AD :

$conf['authtype'] = 'authad';
$conf['plugin']['authad']['account_suffix']     = '@gaillet.be';
$conf['plugin']['authad']['base_dn']            = 'dc=ad,dc=gaillet,dc=be';
$conf['plugin']['authad']['domain_controllers'] = 'ldaps://ad.gaillet.be'; //multiple can be given


$conf['useacl'] = 1;

• DC :

$conf['authtype'] = 'authldap';
$conf['plugin'][$conf['authtype']]['server'] = "ldap://127.0.0.1:389";
$conf['plugin'][$conf['authtype']]['version'] = '3';
$conf['plugin'][$conf['authtype']]['usertree'] = "ou=People,dc=directory,dc=nh";
$conf['plugin'][$conf['authtype']]['grouptree'] = "ou=Groups,dc=directory,dc=nh";
$conf['plugin'][$conf['authtype']]['userfilter'] = '(&(uid=%{user})(objectClass=inetOrgPerson))';
$conf['plugin']['authldap']['groupfilter']  = '(|(memberUid=%{user})(gidNumber=%{gid}))';
$conf['plugin'][$conf['authtype']]['groupkey'] = 'cn';
$conf['plugin']['authldap']['binddn']     = "cn=ldapservice,dc=directory,dc=nh";
$conf['plugin']['authldap']['bindpw']     = "********************";
$conf['plugin']['authldap']['starttls']   = 1;
$conf['plugin']['authldap']['modPass'] = 0;


$conf['useacl'] = 1;

Very different.

yes with samba4 you use the self bind, so the user authenticates himself

I retrieve the data, directly from NethServer::SSSD, so it is probably a matter to bind the good data, but I do not know if I could offer user and email address

However why you went to openLdap

It’s so lightweight and easy to install compared to the bloated MS-stylish AD !

for now modify, of course the next template-expand and update will remove your change

- $conf['plugin'][$conf['authtype']]['userfilter'] = '(&(uid=%{user})(objectClass=inetOrgPerson))';
+ $conf['plugin'][$conf['authtype']]['userfilter'] = '(&(mail=%{user})(objectClass=inetOrgPerson))';

I think I tried that (see post #7), it works but we loose the group association (which is useful for ACL)

thank for the hint
you have a debug that is useful to play

$conf['plugin']['authldap']['debug'] = 1;

I think I got it, please could you test this fix in /etc/dokuwiki/local.protected.php

...
$conf['plugin'][$conf['authtype']]['userfilter'] = '(|(uid=%{user})(mail=%{user}))';
$conf['plugin']['authldap']['groupfilter']  = '(memberUid=%{uid})';
...
$conf['plugin']['authldap']['debug'] = 1;

add also the full email of the admin inside /etc/dokuwiki/local.php

$conf['superuser'] = 'admin,admin@nethservertest.org';

$conf['plugin']['authldap']['starttls']   = 1;

this is a bug now I retrieve the startTls from NethServer::SSSD (0 or 1)

@pagaille would you mind to test the ldap fix, just cp and paste in the php file.

Yep. Working

Well done cpt code cruncher And thanks !!