LDAP Pear::Auth Settings With LDAP version 3 And TikiWiki 1.9.7


You may have to explicitly set the version in TikiWiki 1.9.7 to get it to work with LDAP v3. If you are having problems, try the following:

Open lib/userslib.php and search for the following code (around line 624):

$options["memberisdn"] = ($tikilib->get_preference("auth_ldap_memberisdn", "y") == "y");


Add the following line right after it:

$options["version"] = $tikilib->get_preference("auth_ldap_version", "3");

LDAP Pear::Auth Settings With Microsoft Active Directory Services (ADS) And TikiWiki 1.9.7

The LDAP settings for a Microsoft Active Directory server are essentially the same. However, they will not work out of the box without a change to userslib.php (valid for version 1.9.7).

Open /lib/userslib.php and search for the following code (around line 624):

$options["memberisdn"] = ($tikilib->get_preference("auth_ldap_memberisdn", "y") == "y");


Add the following two lines right after it:

$options["binddn"] = $tikilib->get_preference("auth_ldap_adminuser", "");
$options["bindpw"] = $tikilib->get_preference("auth_ldap_adminpass", "");


These lines supply the bind DN and password (the "LDAP Admin User Name" and its password from the PEAR::Auth settings) for the ADS connection, since by default Active Directory does not allow anonymous requests.

After that the following LDAP configuration settings do work with ADS:

  1. In the 'User registration and login' section, set 'Authentication method' to 'Tiki and PEAR::Auth'


In the 'PEAR::Auth' section set the following settings:

  1. set 'AUTH Type' to 'LDAP'
  2. set 'LDAP Host:' to the Active Directory server's name or IP address
  3. set 'LDAP Port:' to '389'
  4. leave 'BaseDSN' empty
  5. activate 'Create user if not in Tiki?'
  6. deactivate 'Create user if not in Auth?' (we do not want the user to be created in the LDAP dir)
  7. leave 'LDAP URL' empty
  8. set 'LDAP Scope:' to 'sub'
  9. set 'LDAP Base DN:' to the LDAP form of the domain name as it appears in 'Active Directory Users and Computers'. For example, if the domain is called my-domain.local, set this to 'dc=my-domain,dc=local'. You may also add an 'ou=yourorganizationalunit' component, depending on your configuration.
  10. leave 'LDAP User DN' empty
  11. set 'LDAP User Attribute:' to 'sAMAccountName'
  12. set 'LDAP User OC:' to '*'
  13. leave 'LDAP Group DN' empty
  14. set 'LDAP Group Attribute:' to 'cn'
  15. set 'LDAP Group OC:' to 'groupOfUniqueNames'
  16. set 'LDAP Member Attribute:' to 'uniqueMember'
  17. set 'LDAP Member Is DN:' to 'n'
  18. set 'LDAP Admin User Name' to 'cn=LDAPReader, cn=users, dc=my-domain, dc=local' - replace 'LDAPReader' with the name of a user account that is allowed to read the LDAP directory on ADS. Adjust the cn= and dc= components accordingly.
  19. set the LDAP admin password field (the preference read as auth_ldap_adminpass in the code above) to the password of your LDAPReader user.
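The following PHP script is an added example, not TikiWiki's or PEAR's own code. It assembles the option array that the patched userslib.php (the version line from the first section and the binddn/bindpw lines from this one) hands to the PEAR::Auth LDAP container, fed with the ADS settings from the list above. The preference keys auth_ldap_version, auth_ldap_adminuser and auth_ldap_adminpass come from this page; the remaining auth_ldap_* keys, the $prefs array standing in for $tikilib->get_preference(), and the shape of the user search filter are assumptions made for the example.

```php
<?php
// Added example (not TikiWiki's or PEAR's code). $prefs stands in for
// $tikilib->get_preference(); the auth_ldap_* keys other than
// auth_ldap_version, auth_ldap_adminuser and auth_ldap_adminpass are assumed
// names modelled on the form fields listed on this page.

function tiki_ldap_options(array $prefs): array
{
    // Mirrors $tikilib->get_preference($key, $default).
    $get = function (string $key, $default) use ($prefs) {
        return array_key_exists($key, $prefs) ? $prefs[$key] : $default;
    };

    // Option names are those of PEAR's Auth_Container_LDAP.
    return [
        'host'       => $get('auth_ldap_host', 'localhost'),
        'port'       => (int) $get('auth_ldap_port', 389),
        'version'    => (int) $get('auth_ldap_version', 3),   // line added for LDAP v3
        'basedn'     => $get('auth_ldap_basedn', ''),
        'scope'      => $get('auth_ldap_scope', 'sub'),
        'userdn'     => $get('auth_ldap_userdn', ''),
        'userattr'   => $get('auth_ldap_userattr', 'uid'),
        'useroc'     => $get('auth_ldap_useroc', 'posixAccount'),
        'groupdn'    => $get('auth_ldap_groupdn', ''),
        'groupattr'  => $get('auth_ldap_groupattr', 'cn'),
        'groupoc'    => $get('auth_ldap_groupoc', 'groupOfUniqueNames'),
        'memberattr' => $get('auth_ldap_memberattr', 'uniqueMember'),
        'memberisdn' => ($get('auth_ldap_memberisdn', 'y') == 'y'),
        'binddn'     => $get('auth_ldap_adminuser', ''),      // lines added for ADS
        'bindpw'     => $get('auth_ldap_adminpass', ''),
    ];
}

// Checks the points this page says an ADS setup depends on: protocol version 3,
// a non-anonymous bind, and sAMAccountName as the login attribute.
// Returns a list of readable problems; an empty list means the options are usable.
function ads_sanity_check(array $o): array
{
    $problems = [];
    if ($o['version'] !== 3) {
        $problems[] = "ADS needs LDAP protocol version 3, got {$o['version']}";
    }
    if ($o['binddn'] === '' || $o['bindpw'] === '') {
        $problems[] = 'ADS rejects anonymous requests: set LDAP Admin User Name and its password';
    }
    if ($o['userattr'] !== 'sAMAccountName') {
        $problems[] = "user attribute is '{$o['userattr']}', ADS logins use sAMAccountName";
    }
    return $problems;
}

// RFC 4515 escaping for a value placed inside a search filter, so that a login
// name containing '(', ')' or '*' cannot change the filter's meaning.
// (Added hardening for the example; PHP >= 5.6 ships ldap_escape() for this.)
function ldap_filter_escape(string $value): string
{
    return strtr($value, [
        '\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00',
    ]);
}

// A user search filter of the form "(userattr=login)(objectClass=useroc)".
// With useroc set to '*', as the list above recommends, the objectClass part
// becomes a presence filter that matches every entry.
function user_search_filter(array $o, string $login): string
{
    return sprintf('(&(%s=%s)(objectClass=%s))',
        $o['userattr'], ldap_filter_escape($login), $o['useroc']);
}

// Constructed sample: the ADS settings from the list on this page.
$prefs = [
    'auth_ldap_host'       => 'dc01.my-domain.local',
    'auth_ldap_port'       => '389',
    'auth_ldap_version'    => '3',
    'auth_ldap_scope'      => 'sub',
    'auth_ldap_basedn'     => 'dc=my-domain,dc=local',
    'auth_ldap_userattr'   => 'sAMAccountName',
    'auth_ldap_useroc'     => '*',
    'auth_ldap_groupattr'  => 'cn',
    'auth_ldap_groupoc'    => 'groupOfUniqueNames',
    'auth_ldap_memberattr' => 'uniqueMember',
    'auth_ldap_memberisdn' => 'n',
    'auth_ldap_adminuser'  => 'cn=LDAPReader,cn=users,dc=my-domain,dc=local',
    'auth_ldap_adminpass'  => 'LDAPREADER-PASSWORD-PLACEHOLDER',
];

$options = tiki_ldap_options($prefs);
print_r($options);
print_r(ads_sanity_check($options));
echo user_search_filter($options, 'j.doe (sales)'), "\n";
```

Run it with `php` on the command line: the sanity check returns an empty array for the complete ADS settings, and removing auth_ldap_adminuser or changing auth_ldap_version to '2' reports the corresponding problem, which is what you would see as a failed login in Tiki. The reader account's password is kept in the Tiki preferences, so the account should be able to read the directory and nothing more.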


Now you should be able to log in. If you get a blank page after login, make sure your PHP version is >= 4.3.2, as this is required by the LDAP PEAR module. Once it works with these basic settings you can carefully refine them further, for example if you only want a particular group inside the LDAP directory to have access to the TikiWiki.