Hi,
Thanks for the reply. Yes, I did all that stuff already, and what I found was that, though I'm getting the error if the user doesn't exist in the MW table, if I refresh the browser, everything is OK and I can log in.
Also, when you say LDAP group synchronization, preference pulling, etc., does it mean that in the userright page we'll get the user groups that exist in AD to select for a user to add to? Or will the user_group table be populated with the usernames and groups as in AD?
What are the correct settings for that? Mine is MW 193.
Regards,
Jack
-----Original Message-----
From: mediawiki-l-bounces@lists.wikimedia.org [mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of Lane, Ryan
Sent: Wednesday, June 13, 2007 10:32 PM
To: MediaWiki announcements and site admin list
Subject: Re: [Mediawiki-l] Problem with LDAP Authentication plugin
> I'm using LDAP authentication plugin with MW 193. If a username does not exist in the MW user table, when that user logs in, he/she can't. The error displayed is
> "There was either an external authentication database error or you are not allowed to update your external account"
> So I have to add all the users existing in the AD to MW table as well. But this is not practical as new users are added to AD quite often.

I'm guessing you are using MediaWiki 1.9.x? If so, please look here: http://www.mediawiki.org/wiki/Extension_talk:LDAP_Authentication#Official_workaround
A small change needs to be made for the plugin to work with MediaWiki 1.9. Upgrading to MediaWiki 1.10 should also fix the problem.

> Here's my settings for ldapauthentication plugin:
> [snip]
> $wgLDAPUseLocal = true;

You probably don't want this. This is meant mostly for transitional periods, where you originally had a local database, and you are moving to an LDAP backend. This has security hazards associated with it, such as possibly storing your LDAP account passwords in the local database.

> [snip]
> $wgLDAPDebug = 0;

0 is actually the default, so you don't really need to define this one.

V/r,
Ryan Lane
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l@lists.wikimedia.org
http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
> Thanks for the reply. Yes, I did all that stuff already, and what I found was that, though I'm getting the error if the user doesn't exist in the MW table, if I refresh the browser, everything is OK and I can log in.

You made the changes to SpecialUserlogin.php, right? What version of the plugin are you using (don't use the SVN HEAD version, use the latest release)?

> Also, when you say LDAP group synchronization, preference pulling, etc., does it mean that in the userright page we'll get the user groups that exist in AD to select for a user to add to? Or will the user_group table be populated with the usernames and groups as in AD?

Essentially, since you are using AD (Active Directory) style binding (DOMAIN\USERNAME), adding the additional settings lets the plugin search for the user's bind DN (ex: cn=Test User,ou=Domain Users,dc=example,dc=com), allowing the plugin to then use the bind DN to search in groups, and pull user preferences. If the plugin did not have the bind DN, it would search AD for DOMAIN\USERNAME, which doesn't exist as far as AD is concerned. If you don't plan to synchronize user groups, synchronize preferences, or restrict users by LDAP groups, then those extra settings aren't really necessary (they don't really hurt either though).

> What are the correct settings for that? Mine is MW 193.

With the exception of the two settings I mentioned, everything else looks good. Try setting "$wgLDAPDebug = 4", and see why the plugin is failing.

V/r,
Ryan Lane
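
The lookup described in the reply above (AD-style login, search for the user's DN, then match group membership by that DN), as an added example that is not part of the original thread and is not the plugin's code. The in-memory directory, the group entry, the function names and the use of sAMAccountName as the search attribute are assumptions made for illustration; the user DN is the one quoted in the reply.

```python
# Constructed sample directory (not from the thread): DN -> attributes.
DIRECTORY = {
    "cn=Test User,ou=Domain Users,dc=example,dc=com": {
        "objectClass": "user", "sAMAccountName": "tuser"},
    "cn=Wiki Editors,ou=Groups,dc=example,dc=com": {
        "objectClass": "group",
        "member": ["cn=Test User,ou=Domain Users,dc=example,dc=com"]},
}

def escape_filter_value(value):
    """Escape a value before placing it in an LDAP search filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def split_ad_login(login):
    """Split 'DOMAIN\\USERNAME' into (domain, username)."""
    domain, sep, user = login.partition("\\")
    if not sep or not domain or not user:
        raise ValueError("expected DOMAIN\\USERNAME")
    return domain, user

def user_search_filter(login):
    """Filter a real LDAP search would use to find the account's entry."""
    _, user = split_ad_login(login)
    return "(sAMAccountName=%s)" % escape_filter_value(user)

def find_bind_dn(login, directory=DIRECTORY):
    """Stand-in for that search: match sAMAccountName case-insensitively."""
    _, user = split_ad_login(login)
    for dn, attrs in directory.items():
        if attrs.get("sAMAccountName", "").lower() == user.lower():
            return dn
    return None

def groups_for(member, directory=DIRECTORY):
    """Groups whose 'member' attribute holds exactly this value."""
    wanted = member.lower()
    return sorted(dn for dn, attrs in directory.items()
                  if wanted in (m.lower() for m in attrs.get("member", [])))

def resolve_groups(login):
    """Login name -> bind DN -> groups; empty when no DN can be found."""
    dn = find_bind_dn(login)
    return groups_for(dn) if dn else []
```

Group entries list members by DN, so `groups_for` finds nothing for the raw DOMAIN\USERNAME string and only matches once the DN has been resolved.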