In the local network there is an AD domain, xxx.yyy.org. Domain Controllers: serv1.xxx.yyy.org and serv2.xxx.yyy.org. In the domain there is a group, MWUsers, which includes several users: mwuser1, mwuser2, etc. There is MediaWiki 1.13.1. I need to allow automatic access only to users who are in the AD group. I know that this can be done through LdapAuthentication and LdapAutoAuthentication, but all my attempts have been unsuccessful.
Setting up Active Directory auto-authentication isn't exactly easy, and since I don't currently have documentation written on how to use mod_auth_kerb with the plugin, I won't go into this. As of right now, let's just say Kerberos (which is used by Active Directory) isn't supported from an "I'll give support" perspective. That'll change soon.
My LocalSettings.php:
require_once ("$IP/extensions/LdapAutoAuthentication.php");
Unless you are using PKI/Smartcard/CAC authentication, don't use this line.
require_once ("$IP/extensions/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array('XXX');
$wgLDAPServerNames = array('XXX' => 'serv1.xxx.yyy.org serv2.xxx.yyy.org');
$wgLDAPSearchStrings = array('XXX' => 'XXX\USER-NAME');
$wgLDAPEncryptionType = array('XXX' => 'false');
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs = array('XXX'=>'dc=xxx,dc=yyy,dc=org');
$wgLDAPSearchAttributes = array('XXX'=>'sAMAccountName');
$wgLDAPGroupBaseDNs = array('XXX'=>'ou=MWUsers,dc=xxx,dc=yyy,dc=org');
AutoAuthSetup();
$wgLDAPDebug = 6;
Remember not to set "$wgAuth = new LdapAuthenticationPlugin();" when using "AutoAuthSetup();" as it does it for you. I'll probably put some error checking in for this later. Remove "AutoAuthSetup();" for now.
Notice that "$wgLDAPEncryptionType = array('XXX' => 'false');" isn't a valid setting. You need to read the documentation. If you want to turn encryption off (not recommended), you need to use:
$wgLDAPEncryptionType = array('XXX' => 'clear');
But these settings do not work as expected. Auto login is not performed. Therefore, I choose "Log in / create account" and enter the login mwuser1 and the password. Log info:
Entering validDomain
User is using a valid domain.
Setting domain as: XXX
Entering getCanonicalName
Username isn't empty.
Munged username: mwuser1
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://serv1.xxx.yyy.org ldap://serv2.xxx.yyy.org
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: XXX\mwuser1
Binding as the user
Bound successfully
Entering getUserDN
Created a regular filter: (sAMAccountName=mwuser1)
Entering getBaseDN
basedn is not set for this type of entry, trying to get the default basedn.
Entering getBaseDN
basedn is dc=xxx,dc=yyy,dc=org
Using base: dc=xxx,dc=yyy,dc=org
Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
Pulled the user's DN: CN=f_name l_name,OU=MWUsers,OU=DataArt,DC=xxx,DC=yyy,DC=org
Authentication passed
Entering updateUser
Hmm. It looks like it authenticated the user properly. Did it log the user in? Is that part of the problem? Did you want to restrict log in to only people in a certain group? Lemme know what you are aiming for, and I can give you a better config.
WTF!?)
... And it looks like I committed changes with some stupid debugging code left in place :(.
V/r,
Ryan Lane
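Pulling together the corrections made in this thread (no $wgAuth alongside AutoAuthSetup(), AutoAuthSetup() dropped for now, a valid $wgLDAPEncryptionType value instead of 'false') plus the group restriction the original poster asked about, here is an added LocalSettings.php fragment. It is not from the thread or from the extension's own documentation; the group DN cn=MWUsers,ou=Groups,dc=xxx,dc=yyy,dc=org is an assumption, since the thread never shows where the MWUsers group object lives.

```php
<?php
// Added example, not code from the thread. Plain LdapAuthentication against AD,
// with AutoAuthSetup() left out; because of that, $wgAuth must be set here
// (with AutoAuthSetup() it must NOT be set, as AutoAuthSetup() does it for you).
require_once( "$IP/extensions/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames   = array( 'XXX' );
$wgLDAPServerNames   = array( 'XXX' => 'serv1.xxx.yyy.org serv2.xxx.yyy.org' );
$wgLDAPSearchStrings = array( 'XXX' => 'XXX\USER-NAME' ); // straight bind as DOMAIN\user

// 'false' is not a valid value. Valid values are 'tls', 'ssl' and 'clear'.
// 'clear' sends the user's bind password over the wire unencrypted, so prefer
// 'tls' (StartTLS on 389) or 'ssl' (LDAPS on 636); both need the DC's
// certificate to be trusted by the web server's LDAP client library.
$wgLDAPEncryptionType = array( 'XXX' => 'tls' );

$wgLDAPBaseDNs          = array( 'XXX' => 'dc=xxx,dc=yyy,dc=org' );
$wgLDAPSearchAttributes = array( 'XXX' => 'sAMAccountName' );

// Restrict login to members of one AD group. The group DN is an assumption;
// the remaining settings describe the usual AD layout: objectClass=group,
// membership held in the multi-valued 'member' attribute as full DNs.
$wgLDAPGroupBaseDNs       = array( 'XXX' => 'dc=xxx,dc=yyy,dc=org' );
$wgLDAPGroupObjectclass   = array( 'XXX' => 'group' );
$wgLDAPGroupAttribute     = array( 'XXX' => 'member' );
$wgLDAPGroupNameAttribute = array( 'XXX' => 'cn' );
$wgLDAPGroupUseFullDN     = array( 'XXX' => true );
$wgLDAPRequiredGroups     = array( 'XXX' => array( 'cn=MWUsers,ou=Groups,dc=xxx,dc=yyy,dc=org' ) );

// No local-password fallback. Keep $wgLDAPDebug at 6 only while testing:
// as the log above shows, it records bind DNs and search filters.
$wgLDAPUseLocal = false;
$wgLDAPDebug    = 6;
```

Once the restriction works, a user who binds successfully but is not in the required group is refused at login rather than being created as a wiki account, which is the behaviour the original poster described wanting.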