Extension:LDAP Authentication/Configuration Example Notes
Notes
SSL
Notice that SSL is enabled in all examples. Your LDAP server may or may not require SSL. If you do not require SSL (if you set AD to not require signed communications), you can set that option to "false". Be aware that doing so will cause your domain users' passwords to be sent across the network in clear text, which makes your system susceptible to man-in-the-middle attacks, replay attacks, and other nasty attacks.
For SSL to work, you must install an SSL certificate on your LDAP server, your wiki's server must trust the LDAP server's CA, and the DNS name you use for your LDAP server must match the CN field of the certificate issued to your LDAP server.
Remember, if your web server does not use SSL (the URL does not start with https://), your password will be transmitted in clear text from the client browser to the web server. This is independent of the SSL settings, described below, for the connection from the web server to the LDAP server.
General Configuration
Be sure to enable LDAP support within PHP. Make sure that you have installed the necessary packages for your distro.
- RedHat EL based distro (CentOS 4.3):
  - yum install php-ldap
  - Make sure that /etc/php.d/ldap.ini contains:
    - extension=ldap.so
- Ubuntu 6.06.1 (Dapper Drake) and others:
  - sudo apt-get install php-ldap
  - or possibly:
  - sudo apt-get install php5-ldap
- Other distros:
  - Modify php.ini, and uncomment the line:
    - ;extension=php_ldap.so
  - change to:
    - extension=php_ldap.so
- Windows:
  - Modify php.ini, and uncomment the line:
    - ;extension=php_ldap.dll
  - change to:
    - extension=php_ldap.dll
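
To check the SSL prerequisites and the PHP LDAP support described above from the wiki's server, a script like the following can be used. It is an added example, not part of the extension; the file name `check_ldaps.php` and the host `ldap.example.com` are placeholders, and it assumes PHP 7.1 or later built against the OpenLDAP client library, where client-side failures are reported as negative error codes.

```php
<?php
// Added example, not part of the LDAP Authentication extension.
// Usage (host name is a placeholder): php check_ldaps.php ldap.example.com

function check_ldaps(string $host, int $port = 636): array
{
    // General Configuration: the PHP LDAP extension must be loaded.
    if (!extension_loaded('ldap')) {
        return ['ok' => false, 'reason' => 'PHP LDAP extension is not loaded'];
    }

    // Require a certificate that chains to a trusted CA and matches $host.
    // This is a library-wide option, so it is set on a null handle before connecting.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // ldap_connect() only parses the URI; no packets are sent yet.
    $conn = ldap_connect("ldaps://{$host}:{$port}");
    if ($conn === false) {
        return ['ok' => false, 'reason' => 'invalid LDAP URI'];
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // An anonymous bind forces the TCP connection and the SSL handshake.
    $bound = @ldap_bind($conn);
    $errno = ldap_errno($conn);
    $error = ldap_error($conn);
    $detail = '';
    ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail);
    @ldap_unbind($conn);

    // Assumption: OpenLDAP client library, where negative codes are client-side
    // failures; -1 covers an unreachable host, untrusted CA, or name mismatch.
    if ($errno < 0) {
        return ['ok' => false, 'reason' => trim("$error: $detail", ': ')];
    }
    // Any other result, including a refused anonymous bind, came back over
    // an established SSL session, so the certificate checks passed.
    $note = $bound ? 'anonymous bind accepted' : "server answered: $error";
    return ['ok' => true, 'reason' => "SSL handshake succeeded ($note)"];
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $result = check_ldaps($argv[1]);
    echo ($result['ok'] ? 'PASS' : 'FAIL') . ': ' . $result['reason'] . PHP_EOL;
    exit($result['ok'] ? 0 : 1);
}
```

Run it with the same host name the wiki is configured to use, since the certificate is matched against that name. A FAIL here while SSL is required points at the certificate, the CA trust on the wiki's server, or the host name, not at the wiki configuration.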
