
eDirectory LDAP Authentication Including Groups
c22mort
05-01-2008, 01:38 PM
I spent some time this morning getting LDAP authentication and groups running with eDirectory, and thought I'd share what I found, in case it's useful.

Notes on eDirectory (probably applies to Active Directory as well)
At the moment, judging from how deki-wiki does the bind and lookup, you can't pull in different users/groups from the whole tree and assign them to different deki-wiki groups; you may need to create an Authentication Service for each Organisational Unit that contains your wiki users and groups.

eDirectory Attribute Names
o: Organisation
ou: Organisational Unit
cn: Common Name (used by Dynamic User Substitution)

groupMembership: applies to a user object; there is a groupMembership attribute for every group that a user belongs to, holding the DN (Distinguished Name) of the group.
member: applies to a group; there is a member attribute for each user that is a member of the group, holding the DN of the user.
The distinction between these two is important when setting up groups later.

Creating LDAP Service
1: Create a new Local Service in the Control Panel.
2: Provide a name for the Service, i.e. eDirectory Sales Authentication.
3: Provide SID: http://services.mindtouch.com/deki/stable/2007/05/ldap-authentication
4: Add the following config entries:
a: hostname, the hostname of your LDAP server, e.g. ldap.acme.com
b: searchbase, the root of your LDAP search. eDirectory will be searched from this location down, so keep it as far down the tree as possible to speed up searches, e.g. ou=sales,ou=uk,o=acme
c: bindingdn, the DN of the authentication account; you can use the credentials of the user logging in by using $1. Note, this MUST be a descendant of your searchbase or you will get authentication errors, e.g. cn=$1,ou=sales,ou=uk,o=acme
d: userquery, for eDirectory use cn=$1
e: groupmembersattribute, the eDirectory attribute that defines a user's group memberships, NOT the attribute that defines a group's members: groupMembership
f: groupqueryal, this will return a list of groups within the searchbase: (objectclass=group)

You can test that all this works by browsing the following URLs:
http://<yoursite>/@api/deki/services/default/<service id number>/groups, which will return a list of found groups, or
http://<yoursite>/@api/deki/services/default/<service id number>/users/<username>, which will display attributes for the given user.

You can then create and populate LDAP groups within eDirectory, e.g. wikiSalesGroup, wikiMarketingGroup etc. (make sure they are within your searchbase).

Add new deki-wiki groups with the same names as your LDAP groups, making sure to choose the right service. You will be asked for login credentials; this is simply an eDirectory user within your searchbase, and the group will be created if a matching group is found within your LDAP Authentication Service.

Once this is done simply set security/new-account-role to None, and your deki-wiki groups (matching your eDirectory groups) can be used to set Access Restrictions.

Once this has been tested again (by using the above URLs) you can try logging into your wiki. Pay attention to any error messages, as they are fairly good at finding any faults within your LDAP Authentication Service (to be honest, usually typos :) )

Logged-in users have NO rights on the wiki, but will become members of the relevant deki-wiki groups as they are tied to your eDirectory groups, and the user will get access based on what you set for the group.
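The bind-then-lookup flow the post describes, modelled in Python as an added example (this is not deki-wiki or Mindtouch code): $1 substitution into bindingdn and userquery, a config-time check that bindingdn sits under the searchbase, a groups listing from groupquery, and resolution of a user's groups through the user-side groupMembership attribute rather than the group-side member attribute. The directory is an in-memory mock constructed for the example, the config values are the post's own examples, and the escaping helpers are an assumption about how a careful service should treat the substituted username (RFC 4514 for DN components, RFC 4515 for filters) so that it cannot change the query's shape.

```python
"""Mock of the deki-wiki LDAP service flow described in the post (added example,
not project code). The directory and passwords below are constructed."""
import re

# Service config exactly as the post's examples give it.
CONFIG = {
    "hostname": "ldap.acme.com",
    "searchbase": "ou=sales,ou=uk,o=acme",
    "bindingdn": "cn=$1,ou=sales,ou=uk,o=acme",
    "userquery": "cn=$1",
    "groupmembersattribute": "groupMembership",
    "groupquery": "(objectclass=group)",
}

# Constructed mock of a small eDirectory subtree: DN -> attributes.
DIRECTORY = {
    "cn=alice,ou=sales,ou=uk,o=acme": {
        "objectclass": ["inetOrgPerson"], "cn": ["alice"],
        "userPassword": ["s3cret"],
        "groupMembership": ["cn=wikiSalesGroup,ou=sales,ou=uk,o=acme"],
    },
    "cn=wikiSalesGroup,ou=sales,ou=uk,o=acme": {
        "objectclass": ["group"], "cn": ["wikiSalesGroup"],
        "member": ["cn=alice,ou=sales,ou=uk,o=acme"],
    },
    "cn=wikiMarketingGroup,ou=sales,ou=uk,o=acme": {
        "objectclass": ["group"], "cn": ["wikiMarketingGroup"], "member": [],
    },
}

def escape_filter_value(value):
    """RFC 4515 escaping (assumed here) so $1 cannot alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def escape_dn_value(value):
    """RFC 4514 escaping (assumed here) for a value placed in a DN component."""
    return "".join("\\" + c if c in '\\,+"<>;=' else c for c in value)

def dn_components(dn):
    """Split a DN on unescaped commas, normalised for comparison."""
    return [c.strip().lower() for c in re.split(r"(?<!\\),", dn)]

def is_descendant(dn, base):
    """True when dn lies strictly below base (the post's bindingdn rule)."""
    d, b = dn_components(dn), dn_components(base)
    return len(d) > len(b) and d[-len(b):] == b

def validate_config(cfg):
    """Config-time checks; returns a list of problems (empty when fine)."""
    problems = []
    if not is_descendant(cfg["bindingdn"], cfg["searchbase"]):
        problems.append("bindingdn is not a descendant of searchbase")
    if "$1" not in cfg["userquery"]:
        problems.append("userquery does not contain $1")
    return problems

def bind(cfg, username, password):
    """Bind with the user's own credentials via $1; DN on success, else None."""
    dn = cfg["bindingdn"].replace("$1", escape_dn_value(username))
    entry = DIRECTORY.get(dn)
    if entry is None or password not in entry.get("userPassword", []):
        return None
    return dn

def build_filter(cfg, username):
    """userquery with $1 replaced by the escaped username, wrapped in parens."""
    q = cfg["userquery"].replace("$1", escape_filter_value(username))
    return q if q.startswith("(") else "(" + q + ")"

def _matches(entry, flt):
    """Minimal (attr=value) matcher honouring '*' wildcards and \\XX escapes."""
    attr, value = flt[1:-1].split("=", 1)
    unescape = lambda p: re.sub(r"\\([0-9a-fA-F]{2})",
                                lambda m: chr(int(m.group(1), 16)), p)
    pattern = ".*".join(re.escape(unescape(p)) for p in value.split("*"))
    values = {k.lower(): v for k, v in entry.items()}.get(attr.lower(), [])
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)

def search(cfg, flt):
    """Entries below searchbase that match flt (subtree scope)."""
    return {dn: e for dn, e in DIRECTORY.items()
            if is_descendant(dn, cfg["searchbase"]) and _matches(e, flt)}

def lookup_user(cfg, username):
    """The /users/<username> lookup: exactly one hit or None."""
    hits = search(cfg, build_filter(cfg, username))
    return next(iter(hits.values())) if len(hits) == 1 else None

def list_groups(cfg):
    """The /groups listing: names of groupquery hits within searchbase."""
    return sorted(e["cn"][0] for e in search(cfg, cfg["groupquery"]).values())

def groups_for_user(cfg, username):
    """Read the user-side attribute (groupMembership), keep only groups the
    service can see; these are the names deki-wiki maps to its own groups."""
    user = lookup_user(cfg, username)
    if user is None:
        return []
    visible = set(list_groups(cfg))
    names = []
    for gdn in user.get(cfg["groupmembersattribute"], []):
        g = DIRECTORY.get(gdn)
        if g and g["cn"][0] in visible:
            names.append(g["cn"][0])
    return names
```

Running validate_config on a copy of CONFIG whose bindingdn points at ou=hr instead of ou=sales reproduces the "must be a descendant of your searchbase" error the post warns about before any bind is attempted, and lookup_user with a username of "*" returns None because the escaped filter (cn=\2a) matches only a literal asterisk rather than every entry.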

MaxM
05-07-2008, 11:46 PM
Excellent overview for eDirectory users! I'll link to it from the howto.