LDAPauthentication Documentation
Not included in official Wikka versionSee also:
Development: LDAPauthenticationDocumentation
Short description
Authenticates a user against a LDAP directory.Parameters and configuration
Three configuration parameters have been added to wikka.config.php:name | type | required? | default | description |
---|---|---|---|---|
user_identification | string | required | wikka | Set to 'ldap' to enable LDAP authentication |
ldap_server | string | required | Name or IP address of the LDAP server | |
ldap_name | string | required | LDAP Relative Distinguished Name (RDN) to use in the bind() operation. Its value depends on your directory's structure |
Long description
With this extension, it is possible to add to the built-in authentication of WikkaWiki an alternative authentication method: the lookup of the user's credentials (login/password) into a LDAP-compliant directory. The main benefit is that it is not necessary for users to remember a specific password in order to log into the wiki.Notes
- If the LDAP authentication fails, there is a fallback to the standard built-in authentication. Therefore, LDAP-authenticated and wiki-authenticated users can coexist
- To accomodate differences in naming schemes between the wiki and the LDAP directory, one can modify the function LDAP_wikiname_to_login() which defines an algorithmical mapping between the two types of identifiers (i.e. it translates a wiki name into a LDAP user name)
- its default version simply turns the WikiName into lowercase
- Users still need to sign-up into the wiki and to define their settings (in other words, the full set of user settings is not obtained from the LDAP directory)
- this is a bit clumsy, but it avoids changing the data model and the native authentication scheme
- To turn off the feature and go back to the native authentication scheme, set "user_identification" => "wikka" in wikka.config.php
- In an Active Directory environment, it seems a good value for ldap_name is: 'mydomain\\%s' where mydomain is the Windows server domain name
- A main difference with the existing ActiveDirectory extension is that the latter authenticates the user's computer, and not the user herself, and requires to configure manually the association between WikiName and LDAP user name
To-do, bugs and limitations
- To-do: test code with OpenLDAP (was only tested against Active Directory on Windows 2003)
- Limitation: communication between the web server and the LDAP host is not encrypted and passwords are sent in clear text. This is a potential security breach.
Author
DomBonjCategoryDocumentation