Lane, Ryan wrote:
Seems like all I needed was a fresh perspective. The extension /AutomaticRemote_User/ (http://www.mediawiki.org/wiki/Extension:AutomaticREMOTE_USER) gives me exactly what I need to do to seamlessly authenticate my users to Mediawiki. Works perfectly. Between that and some of the functionality provided by /LDAPAuthentication/ for pulling AD attributes, I can Frankenstein something up that should suffice till the next version of LDAPAuthentication is released.
No need to frankenstein something together. Version 1.2a of the LDAP
plugin (LDAPAuthentication.php and LDAPAutoAuthentication.php) should be
able to handle any form of web authentication.
Kerberos auth is likely what you are using. You want to look at this
documentation (just ignore the Apache stuff):
http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Kerberos_Configuration_Examples
Note that I haven't tested this with IIS (as I don't have a Windows 2003
system to test with). I've tested this with Apache and MIT Kerberos.
The following line may need to change, depending on what you get back
from IIS:
$wgLDAPAutoAuthUsername = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"] );
This line is expecting "REMOTE_USER" to be returned as
"username@DOMAIN". If IIS returns something else, you'll need to change
it. For instance, if IIS simply returns "username" then you'll need to
change this to:
$wgLDAPAutoAuthUsername = $_SERVER["REMOTE_USER"];
V/r,
Hi Ryan,
Just to follow up, I took a look at the configuration examples, and
picked out the Kerberos-related entries and gave it a shot. Sadly, IIS
gives me a 500.
I did verify that IIS passes $_SERVER["REMOTE_USER"] for the REMOTE_USER
as that is what the AutomaticREMOTE_USER extension successfully uses. I
suspect the issue is with AutoAuth, as there is no LDAP traffic
generated. (I am running a debug LDAP proxy that shows
Here are the relevant entries from LocalSettings.php:
#
# LDAP Authentication
#
require_once( "extensions/LdapAutoAuthentication.php" );
require_once( "extensions/LdapAuthentication.php" );
$wgLDAPDomainNames = array("MyDomain);
$wgLDAPServerNames = array("MyDomain"=>"192.168.20.212");
$wgLDAPAutoAuthDomain = "MyDomain";
$wgLDAPProxyAgent = array("MyDomain"=>"CN=Proxy User,cn=Users,dc=MyDomain,dc=com");
$wgLDAPProxyAgentPassword = array("MyDomain"=>"PASSWORD");
$wgLDAPBaseDNs = array("MyDomain"=>"dc=MyDomain,dc=com");
$wgLDAPSearchAttributes = array("MyDomain"=>"samaccountname");
$wgLDAPAutoAuthUsername = $_SERVER["REMOTE_USER"] );
AutoAuthSetup();
If you see anything wonky with my config, I'd like to hear about it. In
the meanwhile, I will start Frankensteining...
Thanks very much!!
John
Ryan Lane
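
Added example, not part of the original thread or of the LDAP extension: one way to handle the REMOTE_USER variation discussed above, accepting "username@DOMAIN", "DOMAIN\username" (a form Windows integrated authentication commonly produces) and bare "username", and rejecting values from an unexpected domain. The function name, the domain list, the sample values and the character allow-list are assumptions.

```php
<?php
// Added example; normalizeRemoteUser() and the domain list are hypothetical.

/**
 * Reduce a server-supplied REMOTE_USER value to a bare account name.
 * Returns null if the value is empty, malformed, or from an unexpected domain.
 */
function normalizeRemoteUser( $remoteUser, array $allowedDomains ) {
    if ( !is_string( $remoteUser ) || $remoteUser === '' ) {
        return null;
    }
    $domain = null;
    $user = $remoteUser;
    if ( preg_match( '/^([^\\\\@]+)\\\\([^\\\\@]+)$/', $remoteUser, $m ) ) {
        $domain = $m[1];   // DOMAIN\username
        $user = $m[2];
    } elseif ( preg_match( '/^([^\\\\@]+)@([^\\\\@]+)$/', $remoteUser, $m ) ) {
        $user = $m[1];     // username@DOMAIN
        $domain = $m[2];
    }
    // Stripping the domain without checking it would map a same-named
    // account from another trusted realm onto the local wiki user.
    $allowed = array_map( 'strtolower', $allowedDomains );
    if ( $domain !== null && !in_array( strtolower( $domain ), $allowed, true ) ) {
        return null;
    }
    // Assumed allow-list: keeps LDAP filter metacharacters such as
    // * ( ) \ out of the search that is later built from this name.
    if ( !preg_match( '/^[A-Za-z0-9._-]{1,64}$/D', $user ) ) {
        return null;
    }
    return $user;
}

// Constructed sample values, one per form, plus two that must be rejected.
$samples = array( 'jsmith@MYDOMAIN.COM', 'MYDOMAIN\\jsmith', 'jsmith',
    'jsmith@OTHER.REALM', 'j*)(uid=*' );
foreach ( $samples as $s ) {
    var_export( normalizeRemoteUser( $s, array( 'MYDOMAIN', 'MYDOMAIN.COM' ) ) );
    echo "\n";
}

// In LocalSettings.php the result would feed the setting from the thread:
// $wgLDAPAutoAuthUsername = normalizeRemoteUser( $_SERVER["REMOTE_USER"], array( 'MyDomain' ) );
```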