A few days ago we installed Piwigo, an open-source, web-based photo gallery application, and I can safely say it is a cool one.
But one might wonder why a company, let alone one in the IT industry, needs photo gallery management software. The answer is simple: there are a lot of photos from all the New Year parties and team buildings that we need to manage 🙂
The first issue I encountered was that Piwigo does not have built-in LDAP authentication, which is usually one of the basic requirements in a corporate environment. A quick search revealed the “Ldap login” extension, which unfortunately didn’t work at all.
Apache authentication came to mind, and after a quick check it turned out that Piwigo supports users authenticated by Apache (HTTP authentication). You just need to enable it in the /piwigo_root_dir_include/config_default.inc.php file. Find the line apache_authentication and set it to true, like this:
$conf['apache_authentication'] = true;
Now we need to set up HTTP authentication in Apache. Easy enough: just create a .htaccess file in the root directory of Piwigo with the following:
# Distinguished name of the bind user and its password
AuthLDAPBindDN "CN=Your_CN,OU=Your_OU,DC=example,DC=com"
AuthLDAPBindPassword "secure_p@ssw0rd"
# LDAP URL and path to search for the user
# To add multiple LDAP servers for redundancy, just separate them with a space
AuthLDAPURL "ldap://dc1.example.com dc2.example.com/OU=Your_OU,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)"
# Specify the authentication type and auth provider
AuthType Basic
AuthName "Arbitrary instruction text"
AuthBasicProvider ldap
# Allow any valid user
require valid-user
Or allow a specific user…
require ldap-user "user.name"
… or even a group.
require ldap-group "CN=Your_CN,OU=Your OU,DC=example,DC=com"
On Ubuntu 14.04 with the LAMP packages installed, I just needed to enable one additional Apache module: authnz_ldap. You can do that with one command, a2enmod authnz_ldap, and don’t forget to restart Apache after that.
After the first login, the user will appear in the Piwigo administration panel, where you can set their permission level.
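To check the AuthLDAPURL from the .htaccess above before relying on Apache's logs, the following added example (not part of the original post, Piwigo or Apache) splits the URL into the parts mod_authnz_ldap uses, builds the combined search filter, and prints one ldapsearch command per server. It assumes the documented URL layout and defaults of mod_authnz_ldap; the function names are hypothetical.

```python
import shlex

# RFC 4515 escapes for characters that are special inside an LDAP filter value
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def parse_auth_ldap_url(url):
    """Split scheme://host [host ...]/basedn?attribute?scope?filter into its parts."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("AuthLDAPURL must start with ldap:// or ldaps://")
    hostpart, _, tail = rest.partition("/")
    basedn, attr, scope, flt = (tail.split("?", 3) + [""] * 3)[:4]
    if flt.startswith("(") and flt.endswith(")"):
        flt = flt[1:-1]  # outer parentheses are re-added when the filter is built
    return {
        "scheme": scheme,
        "hosts": hostpart.split(),      # space-separated failover servers
        "basedn": basedn,
        "attribute": attr or "uid",     # documented defaults for omitted fields
        "scope": scope or "sub",
        "filter": flt or "objectClass=*",
        # ldap:// is cleartext unless STARTTLS is configured separately
        "cleartext": scheme == "ldap",
    }

def search_filter(cfg, username):
    """Filter used to find the user: (&(filter)(attribute=username)), value escaped."""
    safe = "".join(_ESC.get(ch, ch) for ch in username)
    return f"(&({cfg['filter']})({cfg['attribute']}={safe}))"

def ldapsearch_commands(cfg, bind_dn, username):
    """One ldapsearch line per server; -W prompts so the password stays out of history."""
    flt = search_filter(cfg, username)
    return [
        shlex.join(["ldapsearch", "-LLL", "-x", "-H", f"{cfg['scheme']}://{host}",
                    "-D", bind_dn, "-W", "-b", cfg["basedn"], "-s", cfg["scope"],
                    flt, cfg["attribute"]])
        for host in cfg["hosts"]
    ]

if __name__ == "__main__":
    # Placeholder values copied from the .htaccess above; "user.name" is its sample user
    cfg = parse_auth_ldap_url(
        "ldap://dc1.example.com dc2.example.com/OU=Your_OU,DC=example,DC=com"
        "?sAMAccountName?sub?(objectClass=*)")
    for cmd in ldapsearch_commands(cfg, "CN=Your_CN,OU=Your_OU,DC=example,DC=com", "user.name"):
        print(cmd)
    if cfg["cleartext"]:
        print("note: ldap:// is unencrypted unless STARTTLS is enabled")
```

If a printed command returns the user's entry when run with the bind account, the bind DN, base DN and attribute in the Apache configuration are consistent with the directory.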
Cheers!
First off thanks for the help! But I don’t seem to get it working. I’ve changed the piwigo config file and added the htaccess with my LDAP settings. Then I activated the ldap apache module and restarted apache, but I can’t login with LDAP users. Is there any way to verify my LDAP URL and to get some logging? Because I checked the apache logs, but there is no mention of ldap in there.
Ok, got it to work now. Not using a .htaccess file but applying it directly to my piwigo apache2 config file.
Seemed I had selected the wrong CN for bind account, default Windows AD base CN is ‘Users’. Found it by using:
ldapsearch -LLL -H ldap://dc1.example.com -x -D 'example\test_user' -w 'password' -E pr=1000/noprompt -b 'cn=Users,dc=example,dc=com' '(&(objectClass=*))' sAMAccountName
I’m trying to set this up with Micr$oft AD and having trouble. Would anyone mind contacting me and letting me know how you got this working? I’m still having trouble getting it to pass credentials.
Thanks for your very useful post!
Just a small improvement: In the latest Piwigo versions it’s better if you copy the /piwigo_root_dir_include/config_default.inc.php to /piwigo_root_dir_include/local/config/config.inc.php and change the local file.
Sadly this way it’s not possible to have an ‘open public’ site and a ‘closed private’ site at the same time. I don’t expect it to be soon, but a working LDAP plugin to Piwigo seems still quite valuable.