Loading...
 

How to configure Tiki Wiki CMS Groupware with OpenLDAP for ClearOS

Background

ClearOS is an operating system for your Server, Network, and Gateway systems. It is designed for homes, small to medium businesses, and distributed environments. ClearOS is commonly known as the Next Generation Small Business Server, while including indispensable Gateway and Networking functionality. It delivers a powerful IT solution with an elegant user interface that is completely web-based. Simply put.. ClearOS is the new way of delivering IT. Source: https://www.clearos.com/

Assumptions

  • This guide assumes your ClearOS server will be the main server for your domain. Thus, your website (powered by Tiki) will be on the same server. E-mails could also be handled (with Roundcube on ClearOS) but are also easily handled by your domain name provider.
  • You are familiar enough with LDAP. We strongly suggest to read the following link: http://www.openldap.org/doc/admin24/guide.html#Introduction to OpenLDAP Directory Services
  • You are familiar enough with Tiki

Limitations

  • Users need to login with their email or Full Name instead of their username.
  • "Get data from OpenLDAP into a Tiki tracker" (section below) is not working.

Configure OpenLDAP


1.-Initialize your OpenLDAP service through the Webconfig-Open LDAP Directory Server Module (https://yourserver.wikisuite.org:81/app/openldap_directory).

C

2.-On the Directory Server Settings page set the server mode and Base Domain (https://yourserver.wikisuite.org:81/app/openldap_directory/settings/edit)

D

3.-On the Directory Server Policies page set the Publish Policy and Accounts access according to your requirements (https://yourserver.wikisuite.org:81/app/openldap_directory/policies/edit)

E

  • ClearOS bundles an OpenLDAP server
  • Tiki has a built-in (and optional) mechanism to use LDAP authentication (instead of Tiki's user system)


This documentation is for Tiki 15x on ClearOS 7.x

Use LDAP authentication

Go to tiki-admin.php and select the filter for basic, advanced and experimental.
Tiki Options
Go to tiki-admin.php?page=login#contentadmin_login-3 and fill the data (taken from the ClearOS)

Basic Authentication

Go to tiki-admin.php?page=login and fill the blanks. Use next information as a guide:

  • If user does not exist in Tiki: Create the user
  • Create user if not in LDAP: not selected
  • Use Tiki authentication for Admin login: selected
  • Use Tiki authentication for users created in Tiki: not selected
  • Host: 127.0.0.1
  • Port: 389
  • Write LDAP debug Information in Tiki Logs: not selected
  • Use SSL (ldaps): not selected (loopback interface does not need this kind of things)
  • Use TLS: not selected
  • LDAP Bind Type: Default: Anonymous Bind
  • Search scope: Subtree
  • LDAP version: 3
  • Base DN: (check your LDAP settings, by default ClearOS uses dc=system,dc=lan)

LDAP User

In the same page, put the following data:

  • User DN (check your LDAP settings, by default ClearOS uses ou=Users,ou=Accounts)
  • User attribute: uid
  • User OC: inetOrgPerson
  • Real Name attribute: cn
  • Country attribute:
  • Email attribute: mail

Admin info

  • Admin user: (check your LDAP settings, by default ClearOS uses cn=manager,ou=Internal,dc=system,dc=lan)
  • Admin password: (check on your LDAP settings)

Use an external LDAP server for groups

In the same page, go to the "LDAP external groups" tab, put the following data:

  • Use an external LDAP server for groups: selected
  • Host: 127.0.0.1
  • Port: 389
  • Write LDAP debug Information in Tiki Logs: not selected
  • Use SSL (ldaps): not selected
  • Use TLS: not selected
  • LDAP Bind Type: Full
  • Search scope: subtree
  • LDAP version: 3
  • Base DN: (check your LDAP settings, by default ClearOS uses dc=system,dc=lan)

LDAP User

  • User DN (check your LDAP settings, by default ClearOS uses ou=Users,ou=Accounts)
  • User attribute: uid
  • Corresponding user attribute in 1st directory: uid
  • User OC: inetOrgPerson
  • Synchronize Tiki groups with a directory: selected

LDAP Group

  • Group DN (check your LDAP settings, by default ClearOS uses ou=Groups,ou=Accounts)
  • Group name attribute: cn
  • Group description attribute: description
  • Group OC: groupOfNames
  • Synchronize Tiki users with a directory: selected

LDAP Group Member - if group membership can be found in group attributes

  • Member attribute: member
  • Member is DN: selected

LDAP User Group - if group membership can be found in user attributes

All blank

Admin info

  • Admin user: (check your LDAP settings, by default ClearOS uses cn=manager,ou=Internal,dc=system,dc=lan)
  • Admin password: (check on your LDAP settings)

Get data from OpenLDAP into a Tiki tracker

Getting LDAP data into a tracker is useful if you want to do things like a corporate directory. To do this, go to
http://yourserver.com/tiki-admin_dsn.php and add a new DSN.

DSN'es come with the following syntax:
ldap://binduser:password@IP/path

Where:

  • binduser is full DN, for example cn=manager,ou=Internal,dc=system,dc=lan
  • password is the DN password
  • IP is the LDAP server IP
  • Path is the base where it will start looking for, if you don't know what to put use the base DN, for example dc=system,dc=lan. You need to be familiar with your LDAP structure in order to put a value that fits your needs.


Screen 20160502 110715

Ensure to grant tiki permissions to use the DSN by the groups of users that need to use it.

Please also see: https://doc.tiki.org/LDAP+Tracker+Field

Configure your Tracker

You need a working Tracker to make this step. Before you may continue, you need to be familiar with LDAP filtering syntax; you may want to read the following links:

How to have an email alias for a group in Tiki

Groups in ClearOS can be distribution lists (so emails are forwarded to all members of the group). Thus, if your Tiki and ClearOS groups are in sync (see above), you have an email alias for a group in Tiki.
2016 05 05 Distribution List For Groups In ClearOS

Make a profile

When everything is working nicely, a profile should be made: https://profiles.tiki.org/Tiki+ClearOS+OpenLDAP

Troubleshooting

Essentially if the ldap directory is in the starting state (spinning circle) . This usually happens after an update or a reboot of the system. 

Wait for everything to start including networking, etc.   Then  type.

service webconfig restart

Apparently it is waiting for something that initial is not but then does not recheck.  Starting the webconfig finds the service (most likely networking based on my research) and then everything comes up properly.

Show php error messages