Hi,
Please help me configure LDAP Authentication extension.
My system:
MediaWiki 1.10
Apache/2.2.4 (Win32) - runs on WinXP
PHP/5.2.3
MySQL 5.0.41
Microsoft Active Directory
My LDAP parameters:
ldapUserName=KAR\_apache
ldapPassword=user123
ldapProviderURL=ldap://aab.kar.local:389/
ldapConnectionFactory=com.sun.jndi.ldap.LdapCtxFactory
ldapSContext=OU=Technical Accounts,DC=kar,DC=local
ldapSFilter=(objectclass=group)
ldapFilterArgs=mail
ldapAttributeIds=mail
ldapDomainName=KAR
useSpecTime=true
ldapDomainSeparator=\
I did the following modifications:
php.ini: ;extension=php_ldap.dll changed to extension=php_ldap.dll
LocalSettings.php:
require_once 'LdapAuthentication.php';
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( 'KAR' );
$wgLDAPServerNames = array( 'KAR' => 'ldap://aab.kar.local:389/', );
$wgLDAPSearchStrings = array( 'KAR' => 'KAR\_apache', );
$wgLDAPEncryptionType = array( 'KAR' => 'clear', );
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;
Do I have to use the following 2 extra configurations for AD if I want to use "Synchronizing LDAP groups"?
$wgLDAPBaseDNs = array( 'KAR' => 'cn=Users,dc=kar,dc=local' );
$wgLDAPSearchAttributes = array( 'KAR' => =user827' );
What do I have to change in the following configuration if I want to use "Single Domain Requiring Search Before Binding"?
require_once 'LdapAuthentication.php';
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( 'exampleNonADDomain' , );
$wgLDAPServerNames = array( 'exampleNonADDomain' => 'exampleldapserver.example.com exampleldapserver2.example.com', );
$wgLDAPSearchStrings = array( 'exampleNonADDomain' => 'uid=USER-NAME,ou=people,dc=exampledomain,dc=example,dc=com', );
$wgLDAPEncryptionType = array( 'exampleNonADDomain' => 'ssl', );
$wgMinimalPasswordLength = 1;
Kind Regards,
Gabor Reizer
MKB Bank Hungary
> $wgLDAPServerNames = array( 'KAR' => 'ldap://aab.kar.local:389/', );

use:
$wgLDAPServerNames = array( 'KAR' => 'aab.kar.local', );
The other info gets filled in for you automatically.

> $wgLDAPSearchStrings = array( 'KAR' => 'KAR\_apache', );

This should be:
$wgLDAPSearchStrings = array( 'KAR' => 'KAR\USER-NAME', );
As USER-NAME will get substituted by the user logging in.

> $wgLDAPEncryptionType = array( 'KAR' => 'clear', );

Your AD server may not like this; I'm not sure if SSL (or Kerberos) is required for binding by default in AD, but I think it is. I know there is a way to turn it off, which is fine for testing, but not so ok for production. If you are having problems, make it work without SSL, then work towards using SSL.

> $wgLDAPUseLocal = false; $wgMinimalPasswordLength = 1;
> Do I have to use the following 2 extra configurations for AD if I want to use "Syncronizing LDAP groups"?
> $wgLDAPBaseDNs = array( 'KAR' => 'cn=Users,dc=kar,dc=local' );
> $wgLDAPSearchAttributes = array( 'KAR' => =user827' );

Yes, but $wgLDAPSearchAttributes should probably be:
$wgLDAPSearchAttributes = array( "KAR"=>"sAMAccountName" );
and you'll need:
$wgLDAPUseLDAPGroups = array( "KAR"=>"true" );
$wgLDAPGroupObjectclass = array( "KAR"=>"group" );
$wgLDAPGroupAttribute = array( "KAR"=>"member" );
$wgLDAPGroupNameAttribute = array( "KAR"=>"cn" );
You *really* should get regular authentication working before you try group sync.

> What do I have to change the following configuration if I want to use "Single Domain Requiring Search Before Binding"?

This is the wrong configuration example; you quoted the non-AD config. But you can ignore that, just use the config above with what you had.

V/r,
Ryan Lane
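
The troubleshooting order suggested in the reply above (get a plain bind working, then move to SSL) can be checked outside MediaWiki. This is an added example, not part of the original thread and not the LdapAuthentication extension's own code; the function names, the LDAP_TEST_PW environment variable, the standard ports 389/636 and the 'tls' (StartTLS) mode label are assumptions of the script, while the host and search string are the values from the thread.

```php
<?php
// Added diagnostic sketch; not code from the LdapAuthentication extension.
// Usage (CLI): set LDAP_TEST_PW in the environment, then
//   php ldap_bind_test.php someuser

function bindName($searchString, $user) {
    // Per the reply, USER-NAME is replaced by the name of the user logging in.
    return str_replace('USER-NAME', $user, $searchString);
}

function tryBind($host, $mode, $bindName, $password) {
    if ($password === '') {
        // An empty password produces an unauthenticated bind, which a
        // server may accept; never count that as a successful login.
        return 'refused: empty password';
    }
    // 'ssl' = LDAPS on 636; 'clear' and 'tls' start on the plain port 389.
    $uri = ($mode === 'ssl') ? "ldaps://$host:636" : "ldap://$host:389";
    $ds = ldap_connect($uri);
    if ($ds === false) {
        return 'could not parse URI ' . $uri;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    if ($mode === 'tls' && !@ldap_start_tls($ds)) {
        return 'StartTLS failed: ' . ldap_error($ds);
    }
    $ok = @ldap_bind($ds, $bindName, $password);
    $result = $ok ? 'bind OK' : 'bind failed: ' . ldap_error($ds);
    ldap_unbind($ds);
    return $result;
}

$user     = isset($argv[1]) ? $argv[1] : '';
$password = (string) getenv('LDAP_TEST_PW');   // keeps the password off argv
$name     = bindName('KAR\USER-NAME', $user);  // search string from the thread

foreach (array('clear', 'tls', 'ssl') as $mode) {
    printf("%-5s %s => %s\n", $mode, $name,
        tryBind('aab.kar.local', $mode, $name, $password));
}
```

If 'clear' binds but 'ssl' does not, the search string and credentials are fine and the remaining problem is the TLS setup between the web server and the domain controller. If every mode fails with the same bind error, look at the bind name and password first.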
Hi,
As you suggested, I used the following configuration to get regular authentication working first. Despite that, it is NOT working. What could be the problem?
require_once 'LdapAuthentication.php';
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( 'KAR' );
$wgLDAPServerNames = array( 'KAR' => 'aab.kar.local', );
$wgLDAPSearchStrings = array( 'KAR' => 'KAR\USER-NAME', );
$wgLDAPEncryptionType = array( 'KAR' => 'ssl', );
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l