Hello,
In the local network there is an AD domain - xxx.yyy.org. Domain Controllers - serv1.xxx.yyy.org and serv2.xxx.yyy.org. In the domain there is a group - MWUsers, which includes several users - mwuser1, mwuser2, etc. There is MediaWiki 1.13.1. I need to allow automatic access only to users who are in the AD group. I know that this can be done through LdapAuthentication and LdapAutoAuthentication, but all my attempts have been unsuccessful.
My LocalSettings.php:
require_once ("$IP/extensions/LdapAutoAuthentication.php");
require_once ("$IP/extensions/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array('XXX');
$wgLDAPServerNames = array('XXX' => 'serv1.xxx.yyy.org serv2.xxx.yyy.org');
$wgLDAPSearchStrings = array('XXX' => 'XXX\USER-NAME');
$wgLDAPEncryptionType = array('XXX' => 'false');
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs = array('XXX'=>'dc=xxx,dc=yyy,dc=org');
$wgLDAPSearchAttributes = array('XXX'=>'sAMAccountName');
$wgLDAPGroupBaseDNs = array('XXX'=>'ou=MWUsers,dc=xxx,dc=yyy,dc=org');
AutoAuthSetup();
$wgLDAPDebug = 6;
But these settings do not work as expected. Auto login is not performed. Therefore, I choose "Log in / create account" and enter the login - mwuser1 - and password. Log info:
Entering validDomain
User is using a valid domain. Setting domain as: XXX
Entering getCanonicalName
Username isn't empty.
Munged username: mwuser1
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://serv1.xxx.yyy.org ldap://serv2.xxx.yyy.org
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: XXX\mwuser1
Binding as the user
Bound successfully
Entering getUserDN
Created a regular filter: (sAMAccountName=mwuser1)
Entering getBaseDN
basedn is not set for this type of entry, trying to get the default basedn.
Entering getBaseDN
basedn is dc=xxx,dc=yyy,dc=org
Using base: dc=xxx,dc=yyy,dc=org
Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
Pulled the user's DN: CN=f_name l_name,OU=MWUsers,OU=DataArt,DC=xxx,DC=yyy,DC=org
Authentication passed
Entering updateUser
WTF!?)
I'm new here, so take my answer with a pinch of salt, but I was under the impression you needed a server-level method of using NTLM/LDAP authentication.
We've got a similar thing configured with our wiki for multi-domain but we use the SSPI Apache module.
Httpd.conf looks something like:
<Location /Wiki>
    AuthName "Some auth name here"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    # Offer basic auth method if NTLM fails?
    SSPIOfferBasic On
    # Prefer basic auth?
    SSPIBasicPreferred Off
    # lowercase usernames to facilitate authentication listings
    SSPIUsernameCase lower
    # try to guess domain from valid options
    SSPIOmitDomain On
    # For domain1
    SSPIDomain domain1
    # require this group
    require group domain1\it-development
    # For domain2
    SSPIDomain domain2
    # Ditto
    require group domain2\it-development
</Location>
Which then means anyone not matching SSPI's requirements is sent to a 403 Forbidden page. Anyone else sees the wiki as usual.
NB: The domain has to be known to the server.
As I said, I'm new to this list and Mediawiki so please get some other opinions too :)
Hope I've helped a little.
Simon
-----Original Message-----
From: mediawiki-l-bounces@lists.wikimedia.org [mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of gadina@hotmail.ru
Sent: 10 October 2008 10:40
To: mediawiki-l@lists.wikimedia.org
Subject: [Mediawiki-l] How to setup Auto Authentication with AD ?
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Hi
Just out of interest, I checked for AutoAuthSetup() on mediawiki.org. I found this:
http://www.mediawiki.org/wiki/Manual:Hooks/AutoAuthenticate
"Warning: This hook doesn't exist anymore in 1.13 or above, use UserLoadFromSession (http://www.mediawiki.org/wiki/Manual:Hooks/UserLoadFromSession) instead."
Maybe the Ldap extension doesn't work correctly with 1.13.1?
Cheers
André
On Fri, Oct 10, 2008 at 11:40 AM, gadina@hotmail.ru wrote:
Hello,
In the local network there is an AD domain - xxx.yyy.org. Domain Controllers - serv1.xxx.yyy.org and serv2.xxx.yyy.org. In the domain there is a group - MWUsers, which includes several users - mwuser1, mwuser2, etc. There is MediaWiki 1.13.1. I need to allow automatic access only to users who are in the AD group. I know that this can be done through LdapAuthentication and LdapAutoAuthentication, but all my attempts have been unsuccessful.
...
Just out of interest, I checked for AutoAuthSetup() on mediawiki.org. I found this:
http://www.mediawiki.org/wiki/Manual:Hooks/AutoAuthenticate
"Warning: This hook doesn't exist anymore in 1.13 or above, use UserLoadFromSession (http://www.mediawiki.org/wiki/Manual:Hooks/UserLoadFromSession) instead."
Maybe the Ldap extension doesn't work correctly with 1.13.1?
The auto-authentication hook changed to something else in 1.13. The version of the plugin from SVN, which is fairly stable but isn't officially released, works with 1.13+, and should work fine with earlier versions as well.
V/r,
Ryan Lane
On Fri, Oct 10, 2008 at 5:40 AM, gadina@hotmail.ru wrote:
Hello,
In the local network there is an AD domain - xxx.yyy.org. Domain Controllers - serv1.xxx.yyy.org and serv2.xxx.yyy.org. In the domain there is a group - MWUsers, which includes several users - mwuser1, mwuser2, etc. There is MediaWiki 1.13.1. I need to allow automatic access only to users who are in the AD group. I know that this can be done through LdapAuthentication and LdapAutoAuthentication, but all my attempts have been unsuccessful.
If your webserver is Linux or FreeBSD you might want to check out the Plexcel PHP extension and the MW extension that goes with:
http://www.ioplex.com/mediawiki_plugin.html
Since it's commercial and this is a public list I won't discuss it in detail but feel free to contact our support email and I'll answer any questions you might have.
As for the LDAP extension note that the "AutoAuth" stuff is for smart cards and SSL. If you're looking for SPNEGO where you don't enter a password at all, you can't do that with the LDAP extension (or any other LDAP anything). AFAIK the only extension that does true SPNEGO SSO is our Plexcel product (and mod_auth_kerb but that's not script-level).
Otherwise, you might want to grab the latest LDAP extension files from SVN. I know a lot of changes have been made recently and I'm not sure if they've made it to the Wiki page yet. Check the SVN timestamps in your files.
Mike
As for the LDAP extension note that the "AutoAuth" stuff is for smart cards and SSL. If you're looking for SPNEGO where you don't enter a password at all, you can't do that with the LDAP extension (or any other LDAP anything). AFAIK the only extension that does true SPNEGO SSO is our Plexcel product (and mod_auth_kerb but that's not script-level).
Otherwise, you might want to grab the latest LDAP extension files from SVN. I know a lot of changes have been made recently and I'm not sure if they've made it to the Wiki page yet. Check the SVN timestamps in your files.
The SVN version of the LDAP plugin will do web server authentication, and can therefore do any type of authentication your web server can handle, including Kerberos (which Active Directory uses). All you need to know is how to set up your web server.
I'll be adding documentation for various authentication methods soon.
V/r,
Ryan Lane
In the local network there is an AD domain - xxx.yyy.org. Domain Controllers - serv1.xxx.yyy.org and serv2.xxx.yyy.org. In the domain there is a group - MWUsers, which includes several users - mwuser1, mwuser2, etc. There is MediaWiki 1.13.1. I need to allow automatic access only to users who are in the AD group. I know that this can be done through LdapAuthentication and LdapAutoAuthentication, but all my attempts have been unsuccessful.
Setting up Active Directory auto-authentication isn't exactly easy, and since I don't currently have documentation written on how to use mod_auth_kerb with the plugin, I won't go into this. As of right now, let's just say Kerberos (which is used by Active Directory) isn't supported from an "I'll give support" perspective. That'll change soon.
My LocalSettings.php:
require_once ("$IP/extensions/LdapAutoAuthentication.php");
Unless you are using PKI/Smartcard/CAC authentication, don't use this line.
require_once ("$IP/extensions/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array('XXX');
$wgLDAPServerNames = array('XXX' => 'serv1.xxx.yyy.org serv2.xxx.yyy.org');
$wgLDAPSearchStrings = array('XXX' => 'XXX\USER-NAME');
$wgLDAPEncryptionType = array('XXX' => 'false');
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs = array('XXX'=>'dc=xxx,dc=yyy,dc=org');
$wgLDAPSearchAttributes = array('XXX'=>'sAMAccountName');
$wgLDAPGroupBaseDNs = array('XXX'=>'ou=MWUsers,dc=xxx,dc=yyy,dc=org');
AutoAuthSetup();
$wgLDAPDebug = 6;
Remember not to set "$wgAuth = new LdapAuthenticationPlugin();" when using "AutoAuthSetup();" as it does it for you. I'll probably put some error checking in for this later. Remove "AutoAuthSetup();" for now.
Notice that "$wgLDAPEncryptionType = array('XXX' => 'false');" isn't a valid setting. You need to read the documentation. If you want to turn encryption off (not recommended), you need to use:
$wgLDAPEncryptionType = array('XXX' => 'clear');
But these settings do not work as expected. Auto login is not performed. Therefore, I choose "Log in / create account" and enter the login - mwuser1 - and password. Log info:
Entering validDomain
User is using a valid domain. Setting domain as: XXX
Entering getCanonicalName
Username isn't empty.
Munged username: mwuser1
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://serv1.xxx.yyy.org ldap://serv2.xxx.yyy.org
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: XXX\mwuser1
Binding as the user
Bound successfully
Entering getUserDN
Created a regular filter: (sAMAccountName=mwuser1)
Entering getBaseDN
basedn is not set for this type of entry, trying to get the default basedn.
Entering getBaseDN
basedn is dc=xxx,dc=yyy,dc=org
Using base: dc=xxx,dc=yyy,dc=org
Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
Pulled the user's DN: CN=f_name l_name,OU=MWUsers,OU=DataArt,DC=xxx,DC=yyy,DC=org
Authentication passed
Entering updateUser
Hmm. It looks like it authenticated the user properly. Did it log the user in? Is that part of the problem? Did you want to restrict log in to only people in a certain group? Lemme know what you are aiming for, and I can give you a better config.
WTF!?)
... And it looks like I committed changes with some stupid debugging code left in place :(.
V/r,
Ryan Lane
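Pulling the corrections from this reply together, the fragment below shows the poster's LocalSettings.php with them applied: LdapAutoAuthentication.php and AutoAuthSetup() dropped (plain password login, no PKI), $wgAuth set exactly once, and a recognised $wgLDAPEncryptionType value. This is an added example, not code from the thread or from the extension's own documentation. The group-restriction settings ($wgLDAPRequiredGroups and the $wgLDAPGroup* variables) are assumed from the LdapAuthentication documentation for SVN versions of that era and should be checked against the checkout in use; the group DN is a placeholder, since the thread only shows where the user objects live (OU=MWUsers,OU=DataArt), not where the group object does.

```php
<?php
// Added example: the poster's fragment with Ryan Lane's corrections applied.
// Not from the thread or the extension docs. Settings marked "assumed" come
// from the LdapAuthentication documentation for the SVN version of 2008.

// Plain LDAP password authentication only: LdapAutoAuthentication.php is
// for PKI/smart-card logins, so it is not loaded and AutoAuthSetup() is
// not called. $wgAuth is therefore set exactly once, here.
require_once( "$IP/extensions/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames      = array( 'XXX' );
$wgLDAPServerNames      = array( 'XXX' => 'serv1.xxx.yyy.org serv2.xxx.yyy.org' );
$wgLDAPSearchStrings    = array( 'XXX' => 'XXX\USER-NAME' );

// 'false' is not a recognised value. The documented values are 'tls', 'ssl'
// and 'clear'. 'clear' sends every user's password across the network in
// the clear on each login, so prefer STARTTLS against the domain controllers.
$wgLDAPEncryptionType   = array( 'XXX' => 'tls' );
// $wgLDAPEncryptionType = array( 'XXX' => 'clear' );   // unencrypted; not recommended

$wgLDAPBaseDNs          = array( 'XXX' => 'dc=xxx,dc=yyy,dc=org' );
$wgLDAPSearchAttributes = array( 'XXX' => 'sAMAccountName' );
$wgLDAPUseLocal         = false;
$wgMinimalPasswordLength = 1;

// Restrict logins to members of one AD group (assumed setting names).
// Active Directory keeps membership in the group's "member" attribute as
// full user DNs, hence objectclass 'group', attribute 'member' and
// GroupUseFullDN = true. The documentation asks for the required-group DN
// in lowercase. The OU path is a PLACEHOLDER: the thread never shows where
// the MWUsers group object itself is located.
$wgLDAPGroupBaseDNs       = array( 'XXX' => 'dc=xxx,dc=yyy,dc=org' );
$wgLDAPGroupObjectclass   = array( 'XXX' => 'group' );
$wgLDAPGroupAttribute     = array( 'XXX' => 'member' );
$wgLDAPGroupNameAttribute = array( 'XXX' => 'cn' );
$wgLDAPGroupUseFullDN     = array( 'XXX' => true );
$wgLDAPRequiredGroups     = array( 'XXX' => array(
    'cn=mwusers,ou=<PLACEHOLDER-OU>,dc=xxx,dc=yyy,dc=org',
) );

// Level 6 writes bind details (DNs, servers, filters) to the debug log.
// Useful while troubleshooting; lower it once logins work.
$wgLDAPDebug = 6;
```

With this in place a user who is not a member of the required group fails at the group check after a successful bind, which is what the original post asked for; the debug log at level 6 shows that step explicitly, so it is worth keeping the level high until one group member and one non-member have each been tested.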