
LDAP authentication (and groups mapping) with Active Directory that works in Tiki Wiki 16.2

To make LDAP authentication against MS Active Directory work in Tiki Wiki 16.2, I had to configure both the LDAP tab and the LDAP external groups tab.

1. In Settings > Control Panels > Log in

2. In General Preferences tab:

  • Authentication method section, select Tiki and LDAP
  • Uncheck Forgot password
  • Uncheck Users can change their password
  • Click Apply


3. In LDAP tab, set it up as follows (you may need to switch Advanced mode on to see more settings):
  • LDAP
    • If user does not exist in Tiki: Create the user
    • Uncheck Create user if not in LDAP 
    • Check Use Tiki authentication for Admin login 
  • LDAP Bind settings
    • Host: ldap://<my-ldap-server-address>
    • Port: 389
    • Write LDAP debug Information in Tiki Logs: <checked>
    • LDAP Bind Type: Active Directory (username@domain)
    • Search scope: Subtree
    • LDAP version: 3
    • Base DN: DC=MYDOMAIN,DC=COM
  • LDAP User
    • User DN: OU=All Users (set this only if you want to pull users from a specific OU; otherwise leave it blank. Give the OU relative to the Base DN, i.e. omit the Base DN part)
    • User attribute: sAMAccountName
    • User OC: person
    • Realname attribute: displayName
    • Country attribute: <leave blank>
    • Email attribute: userPrincipalName
  • LDAP Admin
    • Admin user: admin@mydomain.com (in the form of <username>@<base domain name>)
    • Admin password: <thepassword>

4. In LDAP external groups tab, set it up as follows:

  • LDAP external groups
    • Uncheck Use an external LDAP server for groups

  • LDAP Bind settings
    • Host: ldap://<my-ldap-server-address>
    • Port: 389
    • Check Write LDAP debug Information in Tiki Logs
    • Uncheck Use SSL (ldaps) (because I don't use SSL)
    • Uncheck Use TLS (because I don't use TLS)
    • LDAP Bind Type: Active Directory (username@domain)
    • Search scope: Subtree
    • LDAP version: 3
    • Base DN: DC=MYDOMAIN,DC=COM
  • LDAP User
    • User DN: OU=All Users (set this only if you want to pull users from a specific OU; otherwise leave it blank. Give the OU relative to the Base DN, i.e. omit the Base DN part)
    • User attribute: sAMAccountName
    • Corresponding user attribute in 1st directory: sAMAccountName
    • User OC: person
    • Check Synchronize Tiki groups with a directory (important)
  • LDAP Group
    • Group DN: (Set this to the specific OU you wish to pull groups from; to use the whole directory, leave it blank. Note that, as far as I can tell, a value here only pulls groups located directly in that OU, not from OUs nested beneath it. For example, ou=IT,ou=Authorized Users pulls groups from the Authorized Users\IT organizational unit but not from Authorized Users\IT\Admins (ou=Admins,ou=IT,ou=Authorized Users). There may be a setting that changes this behavior, but I haven't found it. Again, a blank setting acquires all group information.)
    • Group name attribute: sAMAccountName
    • Group description attribute: description
    • Group OC: group
    • Check Synchronize Tiki users with a directory 
  • LDAP Group Member - if group membership can be found in group attributes
    • Member attribute: member
    • Check Member is DN
  • LDAP User Group - if group membership can be found in user attributes
    • Group attribute: memberOf
    • Group attribute in group entry: cn
  • LDAP Admin
    • Admin user: admin@mydomain.com (in the form of <username>@<base domain name>)
    • Admin password: <thepassword>

5. Click Apply and enjoy
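Before clicking Apply, it helps to see what the values from steps 3 and 4 actually resolve to on the wire. The following Python script is an added example, not Tiki's code: it derives the bind identity, search bases and filters that these settings imply, escapes the login name per RFC 4515 so a typed name cannot change the filter, and applies the attribute mapping to a constructed AD entry. The function names and the sample entry are my own assumptions.

```python
import re
# Settings copied from the LDAP / LDAP external groups tabs above.
BASE_DN = "DC=MYDOMAIN,DC=COM"
USER_DN = "OU=All Users"   # relative to BASE_DN; "" = whole directory
GROUP_DN = ""              # "" = whole directory
USER_ATTR, USER_OC = "sAMAccountName", "person"
GROUP_OC, GROUP_RDN_ATTR = "group", "cn"   # "Group attribute in group entry: cn"

def escape_filter(value):
    """RFC 4515 escaping so a typed login name cannot alter the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def upn_domain(base_dn):
    """DC=MYDOMAIN,DC=COM -> mydomain.com, the domain in username@domain."""
    parts = [p.strip() for p in base_dn.split(",")]
    return ".".join(p[3:] for p in parts if p.upper().startswith("DC=")).lower()

def search_base(relative_dn):
    """User DN / Group DN are entered without the Base DN part; append it here."""
    return f"{relative_dn},{BASE_DN}" if relative_dn else BASE_DN

def user_search(username):
    """(bind identity, search base, filter) for the AD (username@domain) bind."""
    return (f"{username}@{upn_domain(BASE_DN)}", search_base(USER_DN),
            f"(&(objectClass={USER_OC})({USER_ATTR}={escape_filter(username)}))")

def group_search():
    return (search_base(GROUP_DN), f"(objectClass={GROUP_OC})")

def rdn_value(dn, attr):
    """Value of the first RDN of dn if it uses attr, else '' (cn of a group DN)."""
    key, _, value = dn.split(",", 1)[0].partition("=")
    return value.strip() if key.strip().lower() == attr.lower() else ""

def map_user(entry):
    """Apply the LDAP User attribute mapping and derive groups from memberOf."""
    groups = [rdn_value(dn, GROUP_RDN_ATTR) for dn in entry.get("memberOf", [])]
    return {"login": entry[USER_ATTR],
            "realname": entry.get("displayName", ""),
            "email": entry.get("userPrincipalName", ""),
            "groups": [g for g in groups if g]}

# Constructed sample entry, shaped like an AD search result (not real data).
SAMPLE_ENTRY = {
    "sAMAccountName": "jdoe", "displayName": "Jane Doe",
    "userPrincipalName": "jdoe@mydomain.com",
    "memberOf": ["CN=IT Admins,OU=Groups,DC=MYDOMAIN,DC=COM",
                 "CN=Wiki Editors,OU=Groups,DC=MYDOMAIN,DC=COM"],
}
```

Comparing `user_search("jdoe")` and `map_user(SAMPLE_ENTRY)` against what the Tiki log shows with "Write LDAP debug Information in Tiki Logs" checked is a quick way to spot a wrong Base DN or attribute name.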
