After banging my head on a wall for quite a while, I realize I may have made a very silly misinterpretation regarding the functionality provided by Ryan Lane's LDAPAuthentication (and LDAPAutoAuthentication) extension.
Here is my scenario
MW 1.13.1 on IIS 6.0 (Win2K3). IIS has IWA configured for IE and it works without flaw. (No anonymous auth on IIS; all visitors are logged-in domain members using IE with the wiki's NetBIOS name in the "Intranet Zone".) I have LDAPAuthentication working /almost/ perfectly (with the exception of two out of four preferences which do not get set.. but that's a thread for tomorrow).
Can I not use the extension(s) to automatically log the user into the wiki without a Smartcard? Or am I forced to buy a commercial extension like the solution from IOPLEX?
Thanks, folks, this is driving me nuts...
John
Seems like all I needed was a fresh perspective. The extension /AutomaticRemote_User/ (http://www.mediawiki.org/wiki/Extension:AutomaticREMOTE_USER) gives me exactly what I need to do to seamlessly authenticate my users to MediaWiki. Works perfectly. Between that and some of the functionality provided by /LDAPAuthentication/ for pulling AD attributes, I can Frankenstein something up that should suffice till the next version of LDAPAuthentication is released.
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
No need to frankenstein something together. Version 1.2a of the LDAP plugin (LDAPAuthentication.php and LDAPAutoAuthentication.php) should be able to handle any form of web authentication.
Kerberos auth is likely what you are using. You want to look at this documentation (just ignore the Apache stuff):
http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Kerberos_Configuration_Examples
Note that I haven't tested this with IIS (as I don't have a Windows 2003 system to test with). I've tested this with Apache and MIT Kerberos.
The following line may need to change, depending on what you get back from IIS:
$wgLDAPAutoAuthUsername = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"] );
This line is expecting "REMOTE_USER" to be returned as "username@DOMAIN". If IIS returns something else, you'll need to change it. For instance, if IIS simply returns "username" then you'll need to change this to:
$wgLDAPAutoAuthUsername = $_SERVER["REMOTE_USER"];
V/r,
Ryan Lane
Lane, Ryan wrote:
No need to frankenstein something together. Version 1.2a of the LDAP plugin (LDAPAuthentication.php and LDAPAutoAuthentication.php) should be able to handle any form of web authentication.
Not to sound dense, but can they be used in conjunction with one another? Can I use LDAPAutoAuthentication to log the user into the wiki AND use LDAPAuthentication to pull attributes using a proxy account?
Kerberos auth is likely what you are using. You want to look at this documentation (just ignore the Apache stuff):
Yes, using Kerberos between IE and IIS on Windows 2003.
http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Kerberos_Configuration_Examples
Note that I haven't tested this with IIS (as I don't have a Windows 2003 system to test with). I've tested this with Apache and MIT Kerberos.
I was getting error 500's from IIS, but I am going to take another look this week...now that I *know* it can be done.
The following line may need to change, depending on what you get back from IIS:
$wgLDAPAutoAuthUsername = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"] );
This line is expecting "REMOTE_USER" to be returned as "username@DOMAIN". If IIS returns something else, you'll need to change it. For instance, if IIS simply returns "username" then you'll need to change this to:
$wgLDAPAutoAuthUsername = $_SERVER["REMOTE_USER"];
Thank you, I'll play around some more. I'm not sure what IIS is returning, so I'll have to see what the "AutomaticREMOTE_USER" is expecting, since that works right away. From that, I'll know better how to define $wgLDAPAutoAuthUsername.
Thanks for taking the time to respond, I really appreciate your help, Ryan.
John
Hi Ryan,
Just to follow up, I took a look at the configuration examples, and picked out the Kerberos-related entries and gave it a shot. Sadly, IIS gives me a 500.
I did verify that IIS passes $_SERVER["REMOTE_USER"] for the REMOTE_USER as that is what the AutomaticREMOTE_USER extension successfully uses. I suspect the issue is with AutoAuth, as there is no LDAP traffic generated. (I am running a debug LDAP proxy that shows
Here are the relevant entries from LocalSettings.php:
#
# LDAP Authentication
#
require_once( "extensions/LdapAutoAuthentication.php" );
require_once( "extensions/LdapAuthentication.php" );

$wgLDAPDomainNames = array("MyDomain);
$wgLDAPServerNames = array("MyDomain"=>"192.168.20.212");

$wgLDAPAutoAuthDomain = "MyDomain";

$wgLDAPProxyAgent = array("MyDomain"=>"CN=Proxy User,cn=Users,dc=MyDomain,dc=com");
$wgLDAPProxyAgentPassword = array("MyDomain"=>"PASSWORD");
$wgLDAPBaseDNs = array("MyDomain"=>"dc=MyDomain,dc=com");

$wgLDAPSearchAttributes = array("MyDomain"=>"samaccountname");

$wgLDAPAutoAuthUsername = $_SERVER["REMOTE_USER"] );
AutoAuthSetup();
If you see anything wonky with my config, I'd like to hear about it. In the meanwhile, I will start Frankensteining...
Thanks very much!!
John
I don't see anything wrong with your configuration. I haven't tested auto-auth with IIS, so that very well may be the issue. Let me know what solves your problem, and I'll see about adding the fixes to the plug-in.
V/r,
Ryan Lane
Oh crap.
;-)
Thanks a lot for responding and confirming my configuration, Ryan.
Sadly, I am more of an LDAP Guy than a Developer Guy, so short of some creative Cut&Pastes between the automaticREMOTE_USER extension and LDAPAuthentication, you shouldn't hold your breath for any epiphanies from this user!
Thanks once again,
John
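An added example to close the thread, written for this page and not taken from the LDAPAuthentication extension or from either poster's files: a LocalSettings.php fragment that combines LDAPAutoAuthentication (login from REMOTE_USER) with LDAPAuthentication's proxy account (attribute lookups), which is the combination John asked about. Two details in the fragment John posted would, as transcribed, stop PHP from parsing LocalSettings.php at all, and a parse error in that file is one way to get a bare 500 from IIS before a single LDAP packet is sent: `array("MyDomain);` is missing its closing quote, and `$_SERVER["REMOTE_USER"] );` carries a stray closing parenthesis left over from removing the preg_replace() call. Both are corrected below. The fragment also goes beyond Ryan's two REMOTE_USER cases: the normaliser accepts "user@REALM" and a bare "user" as in his note, and additionally "DOMAIN\user", the form IIS Integrated Windows Authentication commonly hands to scripts, and it declines to call AutoAuthSetup() when the value is empty or malformed, so that a site with anonymous access accidentally left enabled (which leaves REMOTE_USER blank) does not auto-login anyone. Assumptions: the $wgLDAP* setting names and AutoAuthSetup() are as quoted in the thread for version 1.2a; "MyDomain", the server address and the proxy DN are the placeholders from the posted config; the function name ldapAutoAuthAccountName() and the variable $ldapAutoAuthAccount are this example's own; the character whitelist and 20-character limit are the conventional ones for an Active Directory user sAMAccountName; and that skipping AutoAuthSetup() leaves the ordinary login form available is assumed, not verified against the extension.

```php
<?php
# Added example for this thread; not code from the LDAPAuthentication extension and
# not either poster's LocalSettings.php. Assumed: the $wgLDAP* names and AutoAuthSetup()
# as quoted in the thread for version 1.2a, and the placeholders ("MyDomain",
# 192.168.20.212, the proxy DN) from the posted configuration.

/**
 * Reduce whatever the web server put in REMOTE_USER to the bare account name that
 * an LDAP search on sAMAccountName expects, or return null if it cannot be trusted.
 *
 * Handles "user@REALM" (the form Ryan's preg_replace() expects), "DOMAIN\user"
 * (the form IIS Integrated Windows Authentication commonly passes) and a bare "user".
 * Returning null lets the caller skip auto-login instead of logging in as "" or "DOMAIN".
 */
function ldapAutoAuthAccountName( $remoteUser ) {
    if ( !is_string( $remoteUser ) ) {
        return null;                         # unset: anonymous access on, or a CLI maintenance script
    }
    $name = trim( $remoteUser );

    $backslash = strrpos( $name, '\\' );     # "DOMAIN\user" -> "user"
    if ( $backslash !== false ) {
        $name = (string) substr( $name, $backslash + 1 );
    }
    $at = strpos( $name, '@' );              # "user@REALM" -> "user", as Ryan's '/@.*/' does
    if ( $at !== false ) {
        $name = (string) substr( $name, 0, $at );
    }

    # Assumed whitelist: the usual character set and 20-character limit of an Active
    # Directory user sAMAccountName; adjust to local naming policy, but keep it a whitelist
    # so that a value like "." or "DOMAIN" alone can never reach the LDAP search.
    if ( $name === '' || strlen( $name ) > 20 || !preg_match( '/^[A-Za-z0-9._-]+$/', $name ) ) {
        return null;
    }
    return $name;
}

#
# LDAP Authentication (corrected version of the fragment posted in the thread)
#
require_once( "extensions/LdapAutoAuthentication.php" );
require_once( "extensions/LdapAuthentication.php" );

$wgLDAPDomainNames    = array( "MyDomain" );                    # posted line lacked the closing quote
$wgLDAPServerNames    = array( "MyDomain" => "192.168.20.212" );
$wgLDAPAutoAuthDomain = "MyDomain";

# Proxy account used by LDAPAuthentication for attribute lookups. This password grants
# directory read access, so LocalSettings.php must stay unreadable to anything but the
# wiki's own application pool.
$wgLDAPProxyAgent         = array( "MyDomain" => "CN=Proxy User,cn=Users,dc=MyDomain,dc=com" );
$wgLDAPProxyAgentPassword = array( "MyDomain" => "PASSWORD" );
$wgLDAPBaseDNs            = array( "MyDomain" => "dc=MyDomain,dc=com" );
$wgLDAPSearchAttributes   = array( "MyDomain" => "samaccountname" );

# REMOTE_USER is only trustworthy because IIS performs the authentication and
# anonymous access is disabled on the site; an empty or malformed value means the
# request was not authenticated the way we expect, so do not auto-login at all.
$ldapAutoAuthAccount = ldapAutoAuthAccountName(
    isset( $_SERVER["REMOTE_USER"] ) ? $_SERVER["REMOTE_USER"] : null
);
if ( $ldapAutoAuthAccount !== null ) {
    $wgLDAPAutoAuthUsername = $ldapAutoAuthAccount;             # posted line had a stray ")" here
    AutoAuthSetup();                                            # assumed: skipping this leaves the normal login form
}
```

To settle which form IIS actually delivers (the question John left open), a throwaway script on the same site that prints $_SERVER['REMOTE_USER'], $_SERVER['AUTH_USER'] and $_SERVER['LOGON_USER'] shows the raw values; delete it once read. For the 500 itself, turn on display_errors or read the PHP error log while testing: a parse error in LocalSettings.php is a fatal error that under CGI is otherwise only visible as the bare 500, and the absence of any LDAP traffic on the debug proxy is consistent with PHP never getting far enough to load the extension.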