I'm new here so take my answer with a pinch of salt but I was under the impression you needed a server-level method of using NTLM/LDAP authentication.
We've got a similar thing configured with our wiki for multi-domain but we use the SSPI Apache module.
Httpd.conf looks something like:
<Location /Wiki> AuthName "Some auth name here" AuthType SSPI SSPIAuth On SSPIAuthoritative On SSPIOfferBasic On #Offer basic auth method if NTLM fails? SSPIBasicPreferred Off #Prefer basic auth? SSPIUsernameCase lower #lowercase usernames to facilitate authentication listings SSPIOmitDomain On #try to guess domain from valid options SSPIDomain domain1 #For domain1 require group domain1\it-development #require this group SSPIDomain domain2 #For domain2 require group domain2\it-development #Ditto </Location>
Which then means anyone not matching SSPIs requirements is sent to a 403 Forbidden page. Anyone else sees the wiki as usual.
NB: The domain has to be known to the server.
As I said, I'm new to this list and Mediawiki so please get some other opinions too :)
Hope I've helped a little.
Simon
-----Original Message----- From: mediawiki-l-bounces@lists.wikimedia.org [mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of gadina@hotmail.ru Sent: 10 October 2008 10:40 To: mediawiki-l@lists.wikimedia.org Subject: [Mediawiki-l] How to setup Auto Authentication with AD ?
Hello,
In the local network is AD domain - xxx.yyy.org Domain Controllers - serv1.xxx.yyy.org and serv2.xxx.yyy.org In the domain is a group - MWUsers, which includes several users - mwuser1, mwuser2, etc. There MediaWiki 1.13.1. I need to allow automatic access only to users who are in the AD group users. I know that this can be done through LdapAuthentication and LdapAutoAuthentication, but all my attempts unsuccessful.
My LocalSettings.php:
require_once ("$IP/extensions/LdapAutoAuthentication.php"); require_once ("$IP/extensions/LdapAuthentication.php"); $wgAuth = new LdapAuthenticationPlugin(); $wgLDAPDomainNames = array('XXX'); $wgLDAPServerNames = array('XXX' => 'serv1.xxx.yyy.org serv2.xxx.yyy.org'); $wgLDAPSearchStrings = array('XXX' => 'XXX\USER-NAME'); $wgLDAPEncryptionType = array('XXX' => 'false'); $wgLDAPUseLocal = false; $wgMinimalPasswordLength = 1; $wgLDAPBaseDNs = array('XXX'=>'dc=xxx,dc=yyy,dc=org'); $wgLDAPSearchAttributes = array('XXX'=>'sAMAccountName'); $wgLDAPGroupBaseDNs = array('XXX'=>'ou=MWUsers,dc=xxx,dc=yyy,dc=org'); AutoAuthSetup(); $wgLDAPDebug = 6;
But these settings do not work as expected. Auto login is not performed. Therefore, I choose the "Log in / create account" and enter login - mwuser1 and password Log info:
Entering validDomain User is using a valid domain. Setting domain as: XXX Entering getCanonicalName Username isn't empty. Munged username: mwuser1 Entering authenticate
Entering Connect Using TLS or not using encryption. Using servers: ldap://serv1.xxx.yyy.org ldap://serv2.xxx.yyy.org Connected successfully Entering getSearchString Doing a straight bind userdn is: XXX\mwuser1
Binding as the user Bound successfully Entering getUserDN Created a regular filter: (sAMAccountName=mwuser1) Entering getBaseDN basedn is not set for this type of entry, trying to get the default basedn. Entering getBaseDN basedn is dc=xxx,dc=yyy,dc=org Using base: dc=xxx,dc=yyy,dc=org Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined. Pulled the user's DN: CN=f_name l_name,OU=MWUsers,OU=DataArt,DC=xxx,DC=yyy,DC=org Authentication passed Entering updateUser WTF!?)
_______________________________________________ MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
________________________________________________________________________ This e-mail has been scanned for all viruses by Star. The service is powered by MessageLabs. For more information on a proactive anti-virus service working around the clock, around the globe, visit: http://www.star.net.uk ________________________________________________________________________
P Please think of the environment before you print this email
________________________________________________________________________ This email and any files transmitted with it are private and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please return it to the address it came from telling them it is not for you and then delete it from your system. This footnote also confirms that this email message has been swept for the presence of computer viruses but this in no way indicates that the message is virus free. Teleperformance is a trading style of MM Teleperformance Ltd: Reg No. 02060289 England: Registered Office: St James House, Moon Street, Bristol, BS2 8QY. VAT No.763 0980 18 _______________________________________________________________________