In the local network there is an AD domain:
xxx.yyy.org
Domain Controllers:
serv1.xxx.yyy.org and
serv2.xxx.yyy.org
In the domain there is a group, MWUsers, which includes several
users: mwuser1, mwuser2, etc.
There is MediaWiki 1.13.1.
I need to allow automatic access only to users who are in the
AD group.
I know that this can be done through LdapAuthentication and
LdapAutoAuthentication, but all my attempts were unsuccessful.
Setting up Active Directory auto-authentication isn't exactly easy, and
since I don't currently have documentation written on how to use
mod_auth_kerb with the plugin, I won't go into this. As of right now,
let's just say Kerberos (which is used by Active Directory) isn't
supported from an "I'll give support" perspective. That'll change soon.
My LocalSettings.php:
require_once ("$IP/extensions/LdapAutoAuthentication.php");
Unless you are using PKI/Smartcard/CAC authentication, don't use this
line.
require_once ("$IP/extensions/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array('XXX');
$wgLDAPServerNames = array('XXX' => 'serv1.xxx.yyy.org serv2.xxx.yyy.org');
$wgLDAPSearchStrings = array('XXX' => 'XXX\\USER-NAME');
$wgLDAPEncryptionType = array('XXX' => 'false');
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs = array('XXX'=>'dc=xxx,dc=yyy,dc=org');
$wgLDAPSearchAttributes = array('XXX'=>'sAMAccountName');
$wgLDAPGroupBaseDNs = array('XXX'=>'ou=MWUsers,dc=xxx,dc=yyy,dc=org');
AutoAuthSetup();
$wgLDAPDebug = 6;
Remember not to set "$wgAuth = new LdapAuthenticationPlugin();" when
using "AutoAuthSetup();" as it does it for you. I'll probably put some
error checking in for this later. Remove "AutoAuthSetup();" for now.
Notice that "$wgLDAPEncryptionType = array('XXX' => 'false');" isn't a
valid setting. You need to read the documentation. If you want to turn
encryption off (not recommended), you need to use:
$wgLDAPEncryptionType = array('XXX' => 'clear');
But these settings do not work as expected. Auto login is not
performed.
Therefore, I choose the "Log in / create account" and enter
login - mwuser1 and password
Log info:
Entering validDomain
User is using a valid domain.
Setting domain as: XXX
Entering getCanonicalName
Username isn't empty.
Munged username: mwuser1
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers:
ldap://serv1.xxx.yyy.org ldap://serv2.xxx.yyy.org
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: XXX\mwuser1
Binding as the user
Bound successfully
Entering getUserDN
Created a regular filter: (sAMAccountName=mwuser1)
Entering getBaseDN
basedn is not set for this type of entry, trying to get the
default basedn.
Entering getBaseDN
basedn is dc=xxx,dc=yyy,dc=org
Using base: dc=xxx,dc=yyy,dc=org
Fetched username is not a string (check your hook code...).
This message can be safely ignored if you do not have the
SetUsernameAttributeFromLDAP hook defined.
Pulled the user's DN: CN=f_name
l_name,OU=MWUsers,OU=DataArt,DC=xxx,DC=yyy,DC=org
Authentication passed
Entering updateUser
Hmm. It looks like it authenticated the user properly. Did it log the
user in? Is that part of the problem? Did you want to restrict log in to
only people in a certain group? Lemme know what you are aiming for, and
I can give you a better config.
WTF!?)
... And it looks like I committed changes with some stupid debugging code
left in place :(.
V/r,
Ryan Lane
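The thread ends without the "better config" Ryan offers, so here is an added example of what restricting login to one AD group looks like with this extension's settings. It is not the original poster's config and not taken from the extension's own documentation; it only uses settings the extension documents ($wgLDAPRequiredGroups and the $wgLDAPGroup* options). It assumes the group really is an AD security group at the hypothetical DN cn=MWUsers,ou=Groups,dc=xxx,dc=yyy,dc=org: note that the DN pulled in the log above, OU=MWUsers,OU=DataArt,..., is an organizational unit, not a group, and an OU will not satisfy a required-group check. Everything under ou=Groups is an assumption; replace it with your real group DN.

```php
<?php
// LocalSettings.php fragment (added example, not code from the thread or
// from the extension's documentation). Assumes the LdapAuthentication
// extension and an AD security group at the hypothetical DN
// cn=MWUsers,ou=Groups,dc=xxx,dc=yyy,dc=org. Only LdapAuthentication is
// loaded: LdapAutoAuthentication is for PKI/Smartcard/CAC and Kerberos
// front-ends, which this thread says are not supported yet.
require_once( "$IP/extensions/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array( 'XXX' );
$wgLDAPServerNames = array( 'XXX' => 'serv1.xxx.yyy.org serv2.xxx.yyy.org' );

// Straight bind as DOMAIN\user, which AD accepts without a proxy agent.
$wgLDAPSearchStrings = array( 'XXX' => 'XXX\\USER-NAME' );

// Weak setting from the thread, kept here only for comparison:
//   $wgLDAPEncryptionType = array( 'XXX' => 'false' );  // not a valid value
//   $wgLDAPEncryptionType = array( 'XXX' => 'clear' );  // valid, but every AD
//                                                       // password crosses the
//                                                       // wire in plaintext
// Corrected: STARTTLS on port 389. Use 'ssl' (LDAPS, port 636) if the
// domain controllers expose it and the wiki host trusts their certificates.
$wgLDAPEncryptionType = array( 'XXX' => 'tls' );

// After the bind, the plugin searches for the user's DN and then for
// group membership, so it needs a base for each kind of search.
$wgLDAPBaseDNs          = array( 'XXX' => 'dc=xxx,dc=yyy,dc=org' );
$wgLDAPSearchAttributes = array( 'XXX' => 'sAMAccountName' );
$wgLDAPGroupBaseDNs     = array( 'XXX' => 'ou=Groups,dc=xxx,dc=yyy,dc=org' ); // assumed OU

// How AD represents groups: objectClass=group, full member DNs in "member",
// and the group's short name in "cn".
$wgLDAPGroupUseFullDN     = array( 'XXX' => true );
$wgLDAPGroupObjectclass   = array( 'XXX' => 'group' );
$wgLDAPGroupAttribute     = array( 'XXX' => 'member' );
$wgLDAPGroupNameAttribute = array( 'XXX' => 'cn' );
// AD also keeps memberOf on the user object, which is cheaper than a group
// search; drop this line if your extension version lacks the option.
$wgLDAPGroupsUseMemberOf  = array( 'XXX' => true );

// The actual restriction. A correct password is no longer enough: the user's
// DN must be a member of one of these groups or authentication fails.
$wgLDAPRequiredGroups = array(
    'XXX' => array( 'cn=MWUsers,ou=Groups,dc=xxx,dc=yyy,dc=org' ), // assumed DN
);

// No fallback to the local wiki password table, so an AD account that has
// been disabled or removed from the group cannot keep logging in locally.
$wgLDAPUseLocal = false;

// Turn this off once the group check works; level 6 logs every step above.
$wgLDAPDebug = 6;
```

With $wgLDAPDebug left on, a user who binds successfully but is not in the group should show the bind succeeding and then the required-group check failing in the same log stream as above; that is the quickest way to confirm the group DN is right before removing the debug line.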