pagaille
(Matthieu Gaillet)
June 14, 2019, 12:26pm
1
Hi there, hi @stephdl
I’d like to report some problems I have had when installing nethserver-dokuwiki on a NethServer connected to a remote OpenLDAP server.
Here is the bind setup:
After installation, the file /etc/dokuwiki/local.protected.php was not correctly configured:
$conf['authtype'] = 'authldap';
$conf['plugin'][$conf['authtype']]['server'] = "ldaps://domain.tld:636:636";
note the double 636.
$conf['plugin']['authldap']['starttls'] = 1;
Not blocking but leads to an error message. I had to disable this.
Question:
Is there a way to enable the users to log in with their email address (which they are used to)? I tried with '(&(|(objectclass=inetOrgPerson))(|(uid=%{user})(|(mail=%{user}))))' and it works, but the group association doesn’t work anymore and I don’t see a way to make it work with an email as login.
m.traeumner
(Michael Träumner)
June 14, 2019, 12:42pm
2
pagaille:
note the double 636
I think at LDAP server URL you only have to set the server URL without the port.
stephdl
(Stéphane de Labrusse)
June 14, 2019, 1:39pm
3
I cannot reproduce
<?php
/*
# ================= DO NOT MODIFY THIS FILE =================
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at NethServer official site: https://www.nethserver.org
#
#
*/
$conf['authtype'] = 'authldap';
$conf['plugin'][$conf['authtype']]['server'] = "ldap://127.0.0.1:389";
$conf['plugin'][$conf['authtype']]['version'] = '3';
$conf['plugin'][$conf['authtype']]['usertree'] = "ou=People,dc=directory,dc=nh";
$conf['plugin'][$conf['authtype']]['grouptree'] = "ou=Groups,dc=directory,dc=nh";
$conf['plugin'][$conf['authtype']]['userfilter'] = '(&(uid=%{user})(objectClass=inetOrgPerson))';
$conf['plugin']['authldap']['groupfilter'] = '(|(memberUid=%{user})(gidNumber=%{gid}))';
$conf['plugin'][$conf['authtype']]['groupkey'] = 'cn';
$conf['plugin']['authldap']['binddn'] = "cn=ldapservice,dc=directory,dc=nh";
$conf['plugin']['authldap']['bindpw'] = "Z59OUcMHGUaidA_x";
$conf['plugin']['authldap']['starttls'] = 1;
$conf['plugin']['authldap']['modPass'] = 0;
$conf['useacl'] = 1;
?>
stephdl
(Stéphane de Labrusse)
June 14, 2019, 1:46pm
4
OK, got it: you used a remote LDAP provider, not tested in that scenario. It should work OTB; I will try when I get time.
1 Like
pagaille
(Matthieu Gaillet)
June 15, 2019, 6:41am
5
Indeed, that’s strange. I don’t know how I ended up with such a configuration… But it works.
pagaille
(Matthieu Gaillet)
June 25, 2019, 1:25pm
6
I removed the “:636” at the end of the LDAP server URI field in the server manager, now it’s ok for Dokuwiki.
I also set “No” for STARTTLS in the UI, but that parameter doesn’t seem to be taken into account by the template; I had to set it to “0” manually in the configuration file.
pagaille
(Matthieu Gaillet)
June 25, 2019, 1:29pm
7
So the most annoying problem is the inability to login using an email address…
stephdl
(Stéphane de Labrusse)
June 25, 2019, 3:19pm
8
Sorry, I did not find time to dive into your issue; I will try to check and reproduce the remote LDAP account, but can you log in with a local account provider (DokuWiki hosted on the same server) with the email address?
pagaille
(Matthieu Gaillet)
June 25, 2019, 6:57pm
9
Just tested.
With AD: works OTB.
With DC: authentication is done with uid, not with email.
So the problem is not related to a non-localhost LDAP server install, but to DC.
pagaille
(Matthieu Gaillet)
June 25, 2019, 7:02pm
10
/etc/dokuwiki/local.protected.php:
$conf['authtype'] = 'authad';
$conf['plugin']['authad']['account_suffix'] = '@gaillet.be';
$conf['plugin']['authad']['base_dn'] = 'dc=ad,dc=gaillet,dc=be';
$conf['plugin']['authad']['domain_controllers'] = 'ldaps://ad.gaillet.be'; //multiple can be given
$conf['useacl'] = 1;
$conf['authtype'] = 'authldap';
$conf['plugin'][$conf['authtype']]['server'] = "ldap://127.0.0.1:389";
$conf['plugin'][$conf['authtype']]['version'] = '3';
$conf['plugin'][$conf['authtype']]['usertree'] = "ou=People,dc=directory,dc=nh";
$conf['plugin'][$conf['authtype']]['grouptree'] = "ou=Groups,dc=directory,dc=nh";
$conf['plugin'][$conf['authtype']]['userfilter'] = '(&(uid=%{user})(objectClass=inetOrgPerson))';
$conf['plugin']['authldap']['groupfilter'] = '(|(memberUid=%{user})(gidNumber=%{gid}))';
$conf['plugin'][$conf['authtype']]['groupkey'] = 'cn';
$conf['plugin']['authldap']['binddn'] = "cn=ldapservice,dc=directory,dc=nh";
$conf['plugin']['authldap']['bindpw'] = "********************";
$conf['plugin']['authldap']['starttls'] = 1;
$conf['plugin']['authldap']['modPass'] = 0;
$conf['useacl'] = 1;
Very different.
stephdl
(Stéphane de Labrusse)
June 26, 2019, 5:54pm
11
pagaille:
Very different.
yes, with samba4 you use the self bind, so the user authenticates himself
stephdl
(Stéphane de Labrusse)
June 26, 2019, 5:59pm
12
I retrieve the data directly from NethServer::SSSD, so it is probably a matter of binding the right data, but I do not know if I could offer user and email address.
However, why did you go to OpenLDAP?
pagaille
(Matthieu Gaillet)
June 26, 2019, 6:21pm
13
It’s so lightweight and easy to install compared to the bloated MS-stylish AD !
stephdl
(Stéphane de Labrusse)
June 26, 2019, 7:50pm
14
For now, modify this; of course the next template-expand and update will remove your change:
- $conf['plugin'][$conf['authtype']]['userfilter'] = '(&(uid=%{user})(objectClass=inetOrgPerson))';
+ $conf['plugin'][$conf['authtype']]['userfilter'] = '(&(mail=%{user})(objectClass=inetOrgPerson))';
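Review bot: this userfilter change alone breaks group membership for email logins, because the generated groupfilter quoted earlier in the thread, '(|(memberUid=%{user})(gidNumber=%{gid}))', still interpolates %{user}; once the login is a mail address, %{user} is the address and no memberUid value matches it. The groupfilter needs to reference the uid of the resolved entry instead, e.g. '(memberUid=%{uid})', in the same edit.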
1 Like
pagaille
(Matthieu Gaillet)
June 26, 2019, 7:53pm
15
I think I tried that (see post #7); it works, but we lose the group association (which is useful for ACL).
stephdl
(Stéphane de Labrusse)
June 26, 2019, 7:54pm
16
thanks for the hint
there is a debug setting that is useful to play with:
$conf['plugin']['authldap']['debug'] = 1;
stephdl
(Stéphane de Labrusse)
June 26, 2019, 8:32pm
17
I think I got it; please could you test this fix in /etc/dokuwiki/local.protected.php:
...
$conf['plugin'][$conf['authtype']]['userfilter'] = '(|(uid=%{user})(mail=%{user}))';
$conf['plugin']['authldap']['groupfilter'] = '(memberUid=%{uid})';
...
$conf['plugin']['authldap']['debug'] = 1;
Also add the full email of the admin inside /etc/dokuwiki/local.php:
$conf['superuser'] = 'admin,admin@nethservertest.org';
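Added example, not code from the thread or from nethserver-dokuwiki: a small Python model of what an authldap-style lookup does with the filters quoted above. It resolves a login through the userfilter and then evaluates the groupfilter against the resolved entry, using the %{user}, %{uid} and %{gid} placeholders as the thread uses them, so the group loss reported in post 15 and the fix proposed in post 17 can be reproduced side by side. The directory entries and logins are constructed; the filter templates are the ones from the generated config and from post 17. The filter parser is a deliberately minimal subset of RFC 4515 written for this example, and the RFC 4515 escaping of the substituted login is the check a real client needs so that a login such as `*` or `a)(uid=*` cannot change the filter's structure.

```python
import re

# Constructed sample directory (not real data): users and posixGroups as an
# OpenLDAP account provider would hold them.
USERS = [
    {"uid": "alice", "mail": "alice@example.org", "gidNumber": "1000",
     "objectClass": ["inetOrgPerson", "posixAccount"]},
    {"uid": "bob", "mail": "bob@example.org", "gidNumber": "1001",
     "objectClass": ["inetOrgPerson", "posixAccount"]},
]
GROUPS = [
    {"cn": "wiki-editors", "gidNumber": "2000", "memberUid": ["alice", "bob"],
     "objectClass": ["posixGroup"]},
    {"cn": "users", "gidNumber": "1000", "memberUid": [], "objectClass": ["posixGroup"]},
    {"cn": "admins", "gidNumber": "1001", "memberUid": ["alice"], "objectClass": ["posixGroup"]},
]
# Filter templates quoted in the thread: the generated ones and the proposed fix.
OLD_USERFILTER = "(&(uid=%{user})(objectClass=inetOrgPerson))"
OLD_GROUPFILTER = "(|(memberUid=%{user})(gidNumber=%{gid}))"
NEW_USERFILTER = "(|(uid=%{user})(mail=%{user}))"
NEW_GROUPFILTER = "(memberUid=%{uid})"

def ldap_escape(value):
    """RFC 4515 escaping of a value placed into a filter: the characters that
    would otherwise act as filter syntax become \\XX hex escapes."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def expand(template, **placeholders):
    """Replace %{name} placeholders with escaped values; a placeholder with no
    value raises KeyError instead of being left in the filter."""
    return re.sub(r"%\{(\w+)\}", lambda m: ldap_escape(placeholders[m.group(1)]), template)

def parse_filter(s, i=0):
    """Minimal recursive-descent parser for the RFC 4515 subset used here:
    (&...), (|...), (!...) and equality items with optional '*' wildcards.
    Returns (node, offset just past the closing parenthesis)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    op = s[i]
    if op in "&|!":
        children, i = [], i + 1
        while s[i] == "(":
            child, i = parse_filter(s, i)
            children.append(child)
        if s[i] != ")" or (op == "!" and len(children) != 1):
            raise ValueError("malformed filter at offset %d" % i)
        return (op, children), i + 1
    eq = s.index("=", i)
    close = s.index(")", eq)  # an escaped ')' is '\29', so this is the item's end
    return ("=", (s[i:eq], s[eq + 1:close])), close + 1

def _value_regex(value):
    """Assertion value to regex: an unescaped '*' is a wildcard, a '\\XX'
    escape is the literal character (so an escaped '*' matches only '*')."""
    parts, buf, i = [], "", 0
    while i < len(value):
        if value[i] == "\\":
            buf, i = buf + chr(int(value[i + 1:i + 3], 16)), i + 3
        elif value[i] == "*":
            parts.append(re.escape(buf) + ".*")
            buf, i = "", i + 1
        else:
            buf, i = buf + value[i], i + 1
    parts.append(re.escape(buf))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def matches(node, entry):
    kind, payload = node
    if kind == "&":
        return all(matches(c, entry) for c in payload)
    if kind == "|":
        return any(matches(c, entry) for c in payload)
    if kind == "!":
        return not matches(payload[0], entry)
    attr, value = payload
    # Attribute names are case-insensitive; attributes may be single or multi-valued.
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    values = [values] if isinstance(values, str) else values
    return any(_value_regex(value).match(v) for v in values)

def search(entries, filter_str):
    node, end = parse_filter(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return [e for e in entries if matches(node, e)]

def groups_for_login(login, userfilter, groupfilter):
    """Resolve a login through userfilter, then collect its groups through
    groupfilter. %{user} is the raw login; %{uid} and %{gid} come from the
    resolved user entry. Returns (uid, sorted group cns), or (None, []) when
    the login does not resolve to exactly one entry."""
    users = search(USERS, expand(userfilter, user=login))
    if len(users) != 1:
        return None, []
    u = users[0]
    gf = expand(groupfilter, user=login, uid=u["uid"], gid=u["gidNumber"])
    return u["uid"], sorted(g["cn"] for g in search(GROUPS, gf))
```

On the constructed data, `groups_for_login("bob@example.org", NEW_USERFILTER, OLD_GROUPFILTER)` resolves the user but only returns the group matched through gidNumber, which is the partial group loss described in post 15; with NEW_GROUPFILTER the memberUid groups come back. One observation from running it: the post 17 groupfilter drops the gidNumber clause, so a group that is only the user's primary group no longer appears; `(|(memberUid=%{uid})(gidNumber=%{gid}))` keeps both kinds of membership. Escaping is what keeps a login of `*` from resolving to every user.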
stephdl
(Stéphane de Labrusse)
June 26, 2019, 9:17pm
18
$conf['plugin']['authldap']['starttls'] = 1;
this is a bug; now I retrieve the startTls from NethServer::SSSD (0 or 1)
stephdl
(Stéphane de Labrusse)
June 28, 2019, 6:04am
19
@pagaille would you mind testing the LDAP fix? Just copy and paste it into the php file.
pagaille
(Matthieu Gaillet)
June 28, 2019, 12:12pm
20