This is how to configure MindTouch Core (Deki Wiki) 10.1.4 to authenticate with Active Directory.
- From the wiki, go to Tools > Control Panel.
- Go to System Settings > Authentication on the left.
- Click the Add Authentication Service tab.
- For Choose an authentication provider, choose LDAP.
- For Description, choose how you want it to show up on the login page.
- For Service Identifier (SID), use sid://mindtouch.com/ent/2009/03/ldap-authentication
- This is the default value for new LDAP configurations. The one that was imported from Deki 8.08.2 was sid://mindtouch.com/2007/05/ldap-authentication, though that seemed to work just fine as well.
- Select Default authentication provider if you want it to be selected by default on the login page. Chances are you do.
- For hostname, put your fully qualified domain controller name, such as myserver.mydomain.com.
- For bindingdn, put $1@mydomain.com, substituting mydomain.com for your own.
- For searchbase, put each segment of your domain in DC=x,DC=y format, such as DC=mydomain,DC=com.
- For userquery, put samAccountName=$1.
- Under Preferences, add key displayname-pattern and give it value {givenname} {SN}.
Update: In March 2020
Microsoft is expected to increase the default security settings around LDAP. This means you should also configure LDAP over SSL (LDAPS).
- Configure LDAPS support on the server you are using to authenticate. Here's one set of instructions for Active Directory, but you can also just google LDAPS plus whichever server you're using.
- In Tools > Control Panel > System Settings > Authentication, edit the authentication service you created before.
- Under Configuration, click Add New Key.
- Enter key ssl with value true.
- If you're using a self-signed certificate:
- Click Add New Key again.
- Enter key ssl-ignore-cert-errors with value true.
- Click Save Changes.
- Log out and back in to test the changes. If it doesn't work, try going back and adding the ssl-ignore-cert-errors setting above and trying again.
Also, a reference for all the available settings for this configuration page is available on the Wayback Machine here:
Hey,
ReplyDeleteIm amazed that I could find this content here, but glad I did. Has your org enforced TLS1.2 yet? We are trying to get that going, but this old software is having trouble talking LDAPS to our domain controller (where tls1.2 is disabled).
I haven't run into this yet, sorry, so I don't have any help right now.
ReplyDelete