Hi,
Here's a small patch to support LDAP over IPC, "ldapi://". It's only
defined in an expired Internet Draft [1], but works quite well with
OpenLDAP.
--- LdapAuthentication.php~
+++ LdapAuthentication.php
@@ -159,6 +159,10 @@
$this->printDebug( "Using SSL", SENSITIVE );
$serverpre = "ldaps://";
break;
+ case "ipc":
+ $this->printDebug( "Using IPC", SENSITIVE );
+ $serverpre = "ldapi://";
+ break;
default:
$this->printDebug( "Using TLS or not using encryption.", SENSITIVE );
$serverpre = "ldap://";
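Review bot: an ldapi:// URL names a Unix-domain socket path (percent-encoded, per the draft at [1]) rather than a host and port, so whatever this code appends to $serverpre after the switch for the ldap:// and ldaps:// cases needs checking for the new "ipc" case, or the server-name setting should be documented as carrying the encoded socket path when "ipc" is selected. The new "ipc" value also needs a mention wherever the accepted values of the encryption-type setting are documented.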
[1] http://opends.dev.java.net/public/standards/draft-chu-ldap-ldapi.txt
Thanks!
Matej
Ryan et al.:
Congrats on Extension:LDAP_Authentication, you're doing some great work
here.
Our systems are:
- FreeBSD 6.x / amd64
- OpenLDAP 2.3.4x
- Apache 2.3
- PHP 5.2.5
- WM 1.11.0 from Ports
- TLS works
- Proxy User works
- I've managed to make things work with our non-standard LDAP tree
So far the only problems that I've encountered:
- "Proxy Agent" is ambiguous and even misleading. If you look at
something like PADL PAM_LDAP or NSS_LDAP, they simply refer to these
as "bindpw" and "bindcn" -- or even a better name is "MetaUser" since
LDAP as a whole is ambiguous as to what constitutes a user or identity
(a DN).
- WRT groups, it isn't entirely clear which settings control which group
a UID=/CN= must be a member of (PADL calls this $pam_groupdn) vs. how
meta-group membership _WITHIN_ MediaWiki is determined (PADL calls it
$nss_base_group)
- $wgLDAPProxyAgentPassword isn't accepting a proper SHA1+Base64'd
password -- I've resorted to storing it in cleartext. Will debug
later.
- $wgLDAPRetrievePrefs isn't documented well -- or it is defaulting to
off. It should say/document something like "Enable to extract CN
attribute / value pairs from LDAP"
- It is not entirely clear how other mediawiki settings not defined in
the posixAccount or inetOrgPerson foundation ObjectClasses for things
such as Skins and Editing preferences should be stored
(semi-overlapping entries in the SQL database side?)
I will examine these closer during the day today.
~BAS
PS. On that topic of LDAP<->MW prefs, it might be recommended to use a
wiki table to map SQL columns in the mediawiki.mwuser SQL table to LDAP
attributes!
wikidb-# \d mediawiki.mwuser;
Table "mediawiki.mwuser"
Column | Type | Modifiers
--------------------------+--------------------------+------------------------------------------------------------------
user_id | integer | not null default nextval('mediawiki.user_user_id_seq'::regclass)
user_name | text | not null
user_real_name | text |
user_password | text |
user_newpassword | text |
user_newpass_time | timestamp with time zone |
user_token | character(32) |
user_email | text |
user_email_token | character(32) |
user_email_token_expires | timestamp with time zone |
user_email_authenticated | timestamp with time zone |
user_options | text |
user_touched | timestamp with time zone |
user_registration | timestamp with time zone |
user_editcount | integer |
Indexes:
"mwuser_pkey" PRIMARY KEY, btree (user_id)
"mwuser_user_name_key" UNIQUE, btree (user_name)
"user_email_token_idx" btree (user_email_token)
--
Brian A. Seklecki <bseklecki(a)collaborativefusion.com>
Collaborative Fusion, Inc.
Thanks for the comment River,
I did use the suggested method by Greg and it works to lock down my
default theme. Unfortunately as you have pointed out the other themes
are still available to anonymous users through specifying it as a URL
parameter. I am using the $wgSkipSkins setting , but that only limits
the skins available on the Special:Preferences page. The
useskin=standard in URL still works.
Any suggestions to disable the use of alternate (non-default or
skipped) skins? I was looking on Meta and saw the following section:
http://meta.wikimedia.org/wiki/Skins#Ensure_users_using_skipped_skins_use_t…
I would prefer not to modify code because it will break when I upgrade
but so far I have not seen another option. I have applied the above
linked hack to my mediawiki and it works great. I added the following
to the function normalizeKey in includes/Skin.php (add at the location
recommended by Meta):
global $wgSkipSkins, $wgDefaultSkin;
// Force any skipped skin (including one requested via ?useskin=) back to the default
if( in_array( $key, $wgSkipSkins ) ) {
    $key = $wgDefaultSkin;
}
Maybe this should be added to a future release of mediawiki? I'm
running 1.10.2 and this code is what I needed to completely enforce
$wgSkipSkins .
Many thanks to Greg and River for the helpful info.
-Tom
> Date: Sat, 15 Dec 2007 12:56:32 +0000
> From: River Tarnell <river(a)wikimedia.org>
> Subject: Re: [Mediawiki-enterprise] deny anonymous access to sidebar
> To: mediawiki-enterprise(a)lists.wikimedia.org
> Message-ID: <4763CF00.2030505(a)wikimedia.org>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Greg Sabino Mullane wrote:
> > A simple solution would be to simply take the sidebar out of the default
> > skin (whatever $wgDefaultSkin is set to).
>
> but remember that anonymous users can change the skin by adding e.g.
> ?useskin=standard to the URL.
>
> - river.
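As an added illustration (not code from MediaWiki core or from Tom's post), here is the same rule as a stand-alone function so the ?useskin= handling can be checked on sample input; $validSkins stands in for the names Skin::getSkinNames() returns and is an assumption.

```php
<?php
// Added example: enforce $wgSkipSkins for any requested skin key, not only
// in Special:Preferences. $validSkins is a stand-in for Skin::getSkinNames().
function enforceSkipSkins( $requested, $validSkins, $skipSkins, $defaultSkin ) {
    // ?useskin= values arrive in any case and may carry whitespace; skin keys are lowercase.
    $key = strtolower( trim( $requested ) );
    // An unknown skin name falls back to the default, as Skin::normalizeKey() does.
    if ( !in_array( $key, $validSkins, true ) ) {
        $key = $defaultSkin;
    }
    // $wgSkipSkins only hides skins from the preferences page; this extra
    // check is what also blocks ?useskin=<skipped skin> in the URL.
    if ( in_array( $key, $skipSkins, true ) ) {
        $key = $defaultSkin;
    }
    return $key;
}

// Constructed sample configuration.
$validSkins  = array( 'standard', 'nostalgia', 'cologneblue', 'monobook' );
$skipSkins   = array( 'standard', 'nostalgia', 'cologneblue' );
$defaultSkin = 'monobook';

foreach ( array( 'standard', 'Standard', ' cologneblue ', 'monobook', 'doesnotexist' ) as $useskin ) {
    printf( "useskin=%-15s -> %s\n", "'$useskin'",
        enforceSkipSkins( $useskin, $validSkins, $skipSkins, $defaultSkin ) );
}
```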
Hello,
According to the page
http://www.mediawiki.org/wiki/Manual:Preventing_access "If you need to
protect even the sidebar ... it's recommended that you use
higher-level authentication such as .htpasswd or equivalent."
Without using .htpasswd, are there options for restricting access to
the MediaWiki:Sidebar content before a user logs in? A wiki-wide
navigation menu is an important element for providing our users easy
access to important content. If the world will have access to see the
contents of the Sidebar, I will be reluctant to put more than a few
generic menu items.
Here is an analogy for my motivation: You have purchased several very
expensive gifts and they are in your car. The car is locked, but you
still want to put them in the trunk or otherwise hide the fact that
they are there. If you leave them in plain view, your car is instantly
a very attractive target for theft. In the same way, if the
interesting contents of a locked site are clearly visible it becomes a
more likely target for attack (to access whatever sensitive
information may be contained therein).
Any ideas for how to best secure the mediawiki sidebar are much
appreciated. I have included some info on my configuration below to
provide some context for those who may be interested.
--
Thomas (Tom) Hogarty
I'm using the http://www.mediawiki.org/wiki/Extension:LDAP_Authentication
plugin to authenticate company users against Windows 2003 Active
Directory. We are also using SSL to encrypt connections to the wiki.
My MediaWiki version is 1.10.2-36
I am requiring all users to be logged in via LDAP using the following
restrictions in LocalSettings.php:
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgWhitelistRead = array( "Special:Userlogin" );
$wgEmailConfirmToEdit = true;
$wgLDAPUseLocal = false;
# 28800 seconds is 8 hours
$wgCookieExpiration = 28800;
I have personalized some of the Special:Allmessages (system messages)
to reflect our login policy:
MediaWiki:Loginprompt
MediaWiki:Loginreqpagetext
MediaWiki:Tooltip-pt-anonlogin
MediaWiki:Tooltip-pt-login
MediaWiki:Userlogin
hello,
i'd like to enable creation of LDAP users from MediaWiki, but i need new LDAP
users to become members of some existing LDAP (not MediaWiki) groups. it
would be nice if this was possible :) (or maybe it is already, but i missed
the option.)
- river.
Hello all,
we have developed a patch to make group synchronization work.
Please have a look at the attached patch or see
http://www.mediawiki.org/wiki/Extension_talk:LDAP_Authentication#Group_Sync…
Regards,
Bjoern
--- LdapAuthentication.php-orig 2007-03-08 13:37:22.070548000 +0100
+++ LdapAuthentication.php 2007-04-05 19:00:56.267368111 +0200
@@ -1237,6 +1237,8 @@
foreach ($info as $i) {
$mem = strtolower($i['dn']);
$shortnamemem = strtolower($i[$nameattribute][0]);
+ //removing bogus AD groups with SSIDs or such in curly brackets behind name
+ if (strstr($mem, '{')) continue;
array_push($groups,$mem);
array_push($shortnamegroups,$shortnamemem);
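Review bot: the `if (strstr($mem, '{')) continue;` filter skips any group whose full DN contains a brace anywhere, not only AD groups with a brace-enclosed SID appended to the CN, so a legitimate group sitting under an OU whose name contains a brace is silently dropped. A check anchored on the name value, e.g. `preg_match('/\{[^}]*\}\s*$/', $shortnamemem)`, would be narrower. The comment's "SSIDs" presumably means SIDs, and it is worth saying in the comment that the `continue` deliberately skips both array_push() calls so $groups and $shortnamegroups stay index-aligned.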
@@ -1290,7 +1292,7 @@
$this->printDebug("Pulling groups from LDAP.",1);
# add groups permissions
- $localAvailGrps = $user->getAllGroups();
+ $localAvailGrps = array_merge($user->getAllGroups(), $this->allLDAPGroups);
$localUserGrps = $user->getEffectiveGroups();
$this->printDebug("Available groups are: " . implode(",",$localAvailGrps) . "",1);
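Review bot: `array_merge($user->getAllGroups(), $this->allLDAPGroups)` leaves duplicate entries when an LDAP group name coincides with a local group name; those then show up twice in the "Available groups are:" debug line and in any loop over $localAvailGrps, so wrap the merge in array_unique(). Also confirm that $this->allLDAPGroups is initialised (at least to an empty array) on every path reaching this point: array_merge() with a null argument emits a warning and returns null, which would then break the implode() on the following line.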
Am I right, that LdapAuthentication.php at present does not offer
single sign-on access but "only" the security of authentication, so that
only authorized people have access to the company's wiki?
Thanks,
Hanfred
Hi,
I'd like to report a possible bug.
I'm using MediaWiki 1.9 and am setting up OpenLDAP authentication.
I was unable to add users, because of a malformed userDN of the target user. (it was something like uid=testuserou=public,dc=uranus,dc=lan)
I changed this line:
$username . $wgLDAPWriteLocation[$_SESSION['wsDomain']];
To:
$username . ", " . $wgLDAPWriteLocation[$_SESSION['wsDomain']];
which fixed my problem.
Greetings,
Ger Apeldoorn
----------------------------------------------
Apeldoorn IT - http://www.gerapeldoorn.nl
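An added example, not from the LDAP Authentication extension or from Ger's message: building the user DN with the comma the report describes, and escaping the RDN value per RFC 4514 so that a username containing a comma or another DN metacharacter cannot produce a malformed DN either. The function names and the sample write location are constructed.

```php
<?php
// Added example: construct "<attr>=<user>,<writeLocation>" safely.

// Escape a single attribute value for use in a DN (RFC 4514 rules).
function ldapEscapeDnValue( $value ) {
    // Backslash first, then the other special characters and NUL.
    $value = str_replace( '\\', '\\\\', $value );
    foreach ( array( ',', '+', '"', '<', '>', ';', '=' ) as $ch ) {
        $value = str_replace( $ch, '\\' . $ch, $value );
    }
    $value = str_replace( "\0", '\\00', $value );
    // A trailing space, and a leading '#' or space, must also be escaped.
    if ( substr( $value, -1 ) === ' ' ) {
        $value = substr( $value, 0, -1 ) . '\\ ';
    }
    if ( $value !== '' && ( $value[0] === '#' || $value[0] === ' ' ) ) {
        $value = '\\' . $value;
    }
    return $value;
}

// Join the RDN and the write location. The reported bug was the missing ","
// here, which produced "uid=testuserou=public,dc=uranus,dc=lan".
function buildUserDn( $nameAttribute, $username, $writeLocation ) {
    return $nameAttribute . '=' . ldapEscapeDnValue( $username ) . ',' . $writeLocation;
}

// Constructed sample configuration, shaped like the DN in the report.
$wgLDAPWriteLocation = array( 'uranus' => 'ou=public,dc=uranus,dc=lan' );
$domain = 'uranus';

foreach ( array( 'testuser', 'Smith, John', '#admin', 'a=b+c', 'trailing ' ) as $username ) {
    echo buildUserDn( 'uid', $username, $wgLDAPWriteLocation[$domain] ), "\n";
}
```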
It works fine to log me in using my ad username/username password.
However, when saving a page, intermittently I get a windows login
prompt, which accepts my ad user/password.
I would prefer to only authenticate once to the wiki.
Here is my ldap code in localsettings.php:
/* Ldap Authentication
*/
require_once( "includes/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "MYDOMAIN" );
// array keys below must match the names in $wgLDAPDomainNames exactly (no stray spaces)
$wgLDAPServerNames = array( "MYDOMAIN"=>"dc1.mydomain.com" );
//$wgLDAPSearchStrings = array( "MYDOMAIN"=>"MYDOMAIN\\USER-NAME" );
$wgLDAPSearchAttributes = array( "MYDOMAIN"=>"sAMAccountName" );
$wgLDAPBaseDNs = array( "MYDOMAIN"=>"dc=mydomain,dc=com" );
$wgLDAPProxyAgent = "cn=aduser,ou=Services,ou=Users,dc=mydomain,dc=com";
$wgLDAPProxyAgentPassword = "Mypassword"; //You should also be able to use a hash!
$wgLDAPUseSSL = false; //not recommended but OK for testing
$wgLDAPUseLocal = true;
$wgMinimalPasswordLength = 1;
$wgLDAPRetrievePrefs = false;
$wgLDAPAddLDAPUsers = false;
$wgLDAPUpdateLDAP = false;
$wgLDAPMailPassword = false;
I'm using iis 5 webserver/php 5.1.2/my domain is windows server
2003/ldap plugin v. 1.0h.
Any help would be appreciated.
-Isaac
Isaac Gonzalez
Systems Administrator
AutoReturn
Phone: (415)575-2359
Fax: (415)575-2379
> I agree; this would probably be pretty helpful. You should add a
> request for this feature to the bugzilla. This probably needs to be
> more generic though. You could use an option with the default being
> the current functionality.
>
> Does anyone in this email list have commit access to SVN?
>
> I know this feature needs to go through bugzilla, but it would be nice
> if the people doing the commiting see the email chain concerning
> features we need added.
>
> V/r,
>
> Ryan Lane
I've added a feature request:
http://bugzilla.wikimedia.org/show_bug.cgi?id=8086
Reinhard