Hi Everyone,
I'm using a Mediawiki/IIS/AD implementation and would like to accomplish the following via Microsoft Active Directory:
* Single sign-on
* Synchronisation between MediaWiki groups and AD groups (for example, I want myself and the people in my department's security group to have full administrative access)
* At a later date (not urgent right now), disable anonymous access and have private and public wiki sections
I know what a lot of people are going to say... "google it". I have, but there are many different configuration settings and examples for different versions of the plugin and different versions of MediaWiki; I've yet to have any success with them, hence why I'm now asking here.
Below is what I've got so far, but it's not a lot. I've disabled anonymous access via IIS and enabled Windows authentication, but I'm not getting any single sign-on functionality. However, if anyone has accomplished at least the first two objectives listed above and would be able to provide me with a "template" of their config (sensitive data obviously omitted), I would really appreciate it.
Many thanks,
David
// LDAP Authentication Configuration
require_once( "$IP/extensions/LdapAuthentication.php" );
require_once( "$IP/extensions/LdapAutoAuthentication.php" );
// The domain name is an arbitrary label; it is the key of every per-domain array below
$wgLDAPDomainNames = array( "localdomain.local" );
// Fully qualified names of the domain controllers, separated by spaces
$wgLDAPServerNames = array( "localdomain.local" => "DC1.localdomain.local DC2.localdomain.local" );
$wgLDAPEncryptionType = array( "localdomain.local" => "ssl" );
// The domain used for automatic login; it must be one of the labels in $wgLDAPDomainNames
$wgLDAPAutoAuthDomain = "localdomain.local";
// This is how you get the wiki user to be "username" as opposed to "DOMAIN\username":
// IIS supplies REMOTE_USER as DOMAIN\username, so keep the part after the backslash
list( $dom, $userid ) = explode( '\\', $_SERVER['REMOTE_USER'], 2 );
$wgLDAPAutoAuthUsername = $userid;
$wgLDAPBaseDNs = array( "localdomain.local" => "ou=Users,DC=localdomain,dc=local" );
$wgLDAPSearchAttributes = array( "localdomain.local" => "sAMAccountName" );
$wgMinimalPasswordLength = 1;
// Group Configuration
$wgLDAPGroupUseFullDN = array( "localdomain.local" => true );
$wgLDAPGroupObjectclass = array( "localdomain.local" => "group" );
$wgLDAPGroupAttribute = array( "localdomain.local" => "member" );
$wgLDAPGroupSearchNestedGroups = array( "localdomain.local" => false );
$wgLDAPUseLDAPGroups = array( "localdomain.local" => true );
// Attribute holding each group's name; AD group names are matched against wiki group names,
// so an AD group whose cn is "sysop" maps onto the wiki's sysop group
$wgLDAPGroupNameAttribute = array( "localdomain.local" => "cn" );
// Credentials used to read information from AD; only needed to pull the name, email address and groups from AD
$wgLDAPProxyAgent = array( 'localdomain.local' => 'CN=MediaWikiLDAPSearcher,OU=Users,DC=localdomain,DC=local' );
$wgLDAPProxyAgentPassword = array( 'localdomain.local' => 'MyLDAPSearcherPassword' );
$wgLDAPPreferences = array( "localdomain.local" => array( "email" => "mail", "realname" => "cn", "nickname" => "givenName" ) );
// Register the auto-authentication hooks once every option above is set
AutoAuthSetup();
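As an added example (not code from this thread or from the LDAP Authentication extension), the same REMOTE_USER handling with the domain part checked rather than discarded, so that a same-named account from another trusted domain is not auto-logged in as the wiki user. It assumes IIS supplies REMOTE_USER as "DOMAIN\user" or as a UPN "user@domain", takes the NETBIOS name "localdomain" from the "userdn is: localdomain\someuser" debug line later in the thread, and assumes that leaving $wgLDAPAutoAuthUsername unset makes the extension fall back to the ordinary login form.

```php
<?php
// Added example for the auto-login set-up above; it is not code from the
// thread or from the LDAP Authentication extension. Assumed: IIS Windows
// authentication fills $_SERVER['REMOTE_USER'] with "DOMAIN\user" (or the
// UPN form "user@localdomain.local"); the NETBIOS name "localdomain" is taken
// from the "userdn is: localdomain\someuser" debug line in the thread.

/**
 * Derive the value for $wgLDAPAutoAuthUsername from REMOTE_USER.
 *
 * The split() in the thread keeps whatever follows the backslash and throws the
 * domain away, so "OTHERDOMAIN\someuser" from any trusted domain would be logged
 * in as the wiki's "someuser". This helper returns the bare name only when the
 * domain part matches the one the wiki is meant to trust, and null otherwise.
 */
function autoAuthUsernameFromRemoteUser( $remoteUser, $netbiosDomain, $dnsDomain ) {
	$remoteUser = trim( (string)$remoteUser );
	if ( $remoteUser === '' ) {
		return null;                       // anonymous request: nothing to auto-login
	}

	if ( strpos( $remoteUser, '\\' ) !== false ) {
		// Down-level logon name: DOMAIN\user
		list( $domain, $user ) = explode( '\\', $remoteUser, 2 );
		$expected = $netbiosDomain;
	} elseif ( strpos( $remoteUser, '@' ) !== false ) {
		// User principal name: user@dns.domain
		list( $user, $domain ) = explode( '@', $remoteUser, 2 );
		$expected = $dnsDomain;
	} else {
		return null;                       // bare name carries no domain: refuse it
	}

	if ( strcasecmp( $domain, $expected ) !== 0 ) {
		return null;                       // account from a different domain
	}
	if ( $user === '' || preg_match( '/[\x00-\x1f#<>\[\]|{}]/', $user ) ) {
		return null;                       // characters MediaWiki never allows in a username
	}
	return $user;
}

// Constructed inputs showing the accepted and refused forms.
$samples = array(
	'localdomain\someuser',        // accepted: expected NETBIOS domain
	'someuser@localdomain.local',  // accepted: expected DNS domain (UPN)
	'OTHERDOMAIN\someuser',        // refused: different trusted domain
	'someuser',                    // refused: no domain information
	'localdomain\bad[user]',       // refused: illegal wiki username characters
);
foreach ( $samples as $s ) {
	$u = autoAuthUsernameFromRemoteUser( $s, 'localdomain', 'localdomain.local' );
	printf( "%-28s => %s\n", $s, $u === null ? 'no auto-login' : "auto-login as '$u'" );
}

// In LocalSettings.php the same call replaces the split() line:
//   $userid = autoAuthUsernameFromRemoteUser(
//       isset( $_SERVER['REMOTE_USER'] ) ? $_SERVER['REMOTE_USER'] : '',
//       'localdomain', 'localdomain.local' );
//   if ( $userid !== null ) {
//       $wgLDAPAutoAuthUsername = $userid;   // left unset: no automatic login (assumed)
//   }
```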
I know what a lot of people are going to say... "google it". I have, but there are many different configuration settings and examples for different versions of the plugin and different versions of MediaWiki; I've yet to have any success with them, hence why I'm now asking here.
This is why I tell people to only use the official documentation on mediawiki.org. It's always up to date, and it's fairly in depth (improvements welcome).
Below is what I've got so far, but it's not a lot. I've disabled anonymous access via IIS and enabled Windows authentication, but I'm not getting any single sign-on functionality. However, if anyone has accomplished at least the first two objectives listed above and would be able to provide me with a "template" of their config (sensitive data obviously omitted), I would really appreciate it.
Are you sure the authentication is working?
I don't see any issues with the configuration. You should enable debugging and reply with the debug log with sensitive stuff snipped out.
- Ryan Lane
Hi Ryan/All,
Thanks for your prompt response.
Based on your comments I've decided to start afresh using code snippets directly from mediawiki.org.
I'm trying to produce some meaningful debug logs, I've added the following to my localsettings.php file:
$wgLDAPDebug = 3;
$wgDebugLogFile = 'C:\LDAPDebug.log';
require_once( 'extensions/LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
// LDAP code from "Single Domain Requiring Search Before Binding", including proxy settings
The only thing I'm getting from LDAPDebug.log is:
LoginForm::attemptAutoCreate: $wgAuth->authenticate() returned false, aborting
And nothing specifically relating to LDAP. Any pointers as to how I can generate more meaningful debug logs?
Thanks
David
On Tue, Feb 1, 2011 at 7:34 PM, Ryan Lane rlane32@gmail.com wrote:
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Please see: http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Options#Debuggin...
I use a specific log group so that the logs will be separated out:
$wgDebugLogGroups["ldap"] = "C:\LDAPDebug.log";
Also, place options after the $wgAuth line, not before it.
- Ryan Lane
Hi Ryan,
Thanks for that; I realised my mistake shortly afterwards.
It seems that my LDAP config isn't searching before binding:
Config:
require_once ('extensions/LdapAuthentication.php');
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDebug = 3;
$wgDebugLogGroups["ldap"] = "C:\NewDebug.log";
$wgLDAPDomainNames = array( 'localdomain.local' );
$wgLDAPServerNames = array( 'localdomain.local' => 'DC1.localdomain.local DC2.localdomain.local' );
$wgLDAPSearchStrings = array( 'localdomain.local' => 'uid=USER-NAME,OU=Users,DC=localdomain,DC=local' );
$wgLDAPEncryptionType = array( 'localdomain.local' => 'ssl' );
$wgMinimalPasswordLength = 1;
$wgLDAPProxyAgent = array( 'localdomain.local' => 'cn=MediaWikiLDAPSearcher,ou=Users,dc=localdomain,dc=local' );
$wgLDAPProxyAgentPassword = array( 'localdomain.local' => 'MyLDAPSearcherPassword' );
Debug:
2011-02-01 21:11:11 wikidb: Entering validDomain
2011-02-01 21:11:11 wikidb: User is using a valid domain.
2011-02-01 21:11:11 wikidb: Setting domain as: localdomain.local
2011-02-01 21:11:11 wikidb: Entering getCanonicalName
2011-02-01 21:11:11 wikidb: Username isn't empty.
2011-02-01 21:11:11 wikidb: Munged username: someuser
2011-02-01 21:11:11 wikidb: Entering userExists
2011-02-01 21:11:11 wikidb:
2011-02-01 21:11:11 wikidb: Entering authenticate
2011-02-01 21:11:11 wikidb:
2011-02-01 21:11:11 wikidb: Entering Connect
2011-02-01 21:11:11 wikidb: Using SSL
2011-02-01 21:11:11 wikidb: Using servers: ldaps://DC1.localdomain.local ldaps://DC2.localdomain.local
2011-02-01 21:11:11 wikidb: Connected successfully
2011-02-01 21:11:11 wikidb: Entering getSearchString
2011-02-01 21:11:11 wikidb: Doing a straight bind
2011-02-01 21:11:11 wikidb: userdn is: uid=someuser,OU=Users,DC=localdomain,DC=local
2011-02-01 21:11:11 wikidb:
2011-02-01 21:11:11 wikidb: Binding as the user
2011-02-01 21:11:11 wikidb: Failed to bind as uid=someuser,OU=Users,DC=localdomain,DC=local
2011-02-01 21:11:11 wikidb: Entering allowPasswordChange
2011-02-01 21:11:11 wikidb: Entering modifyUITemplate
On Tue, Feb 1, 2011 at 9:12 PM, Ryan Lane rlane32@gmail.com wrote:
Go back to using your original config, it was correctly set up for auto-login. Also, I'm betting that SSL isn't working. It's the most common problem with configuring the plugin:
http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Requirements#Win...
- Ryan Lane
On Tue, Feb 1, 2011 at 3:33 PM, David Holder david.holder@gmail.com wrote:
Hi Ryan,
Well, upon closer inspection of my old plugin, the login wasn't actually working as expected. I'll have a look at the link you've provided and see how I get on.
Thanks,
David
On Tue, Feb 1, 2011 at 9:46 PM, Ryan Lane rlane32@gmail.com wrote:
OK, I've been doing some testing and don't think it's an SSL issue (yet), although I'm getting a bit confused with the configuration settings.
On the wiki page for "Single Domain Requiring Search Before Binding", for the Active Directory-specific guidelines, I've used the code from there and get the following:
2011-02-02 12:12:44 wikidb: Doing a straight bind
2011-02-02 12:12:44 wikidb: userdn is: localdomain\someuser
2011-02-02 12:12:44 wikidb:
2011-02-02 12:12:44 wikidb: Binding as the user
2011-02-02 12:12:44 wikidb: Failed to bind as localdomain\someuser
2011-02-02 12:12:44 wikidb: Entering allowPasswordChange
2011-02-02 12:12:44 wikidb: Entering modifyUITemplate
It's not even using the proxy settings.
However, if I use "Single Domain Requiring Search Before Binding" from the generic LDAP guidelines, I get the following:
2011-02-02 12:14:55 wikidb: Connected successfully
2011-02-02 12:14:55 wikidb: Entering getSearchString
2011-02-02 12:14:55 wikidb: Doing a proxy bind
2011-02-02 12:14:55 wikidb: Failed to bind as (DN of user omitted)
2011-02-02 12:14:55 wikidb: Failed to bind
2011-02-02 12:14:55 wikidb: User DN is blank
2011-02-02 12:14:55 wikidb: Entering allowPasswordChange
2011-02-02 12:14:55 wikidb: Entering modifyUITemplate
If I use $wgLDAPSearchStrings (included in the default code for the Microsoft AD "Single Domain Requiring Search Before Binding"), it won't use a proxy server. This may be the expected response from the configuration, but for a MediaWiki newbie like me it's handy to know, and it might be worth mentioning on the wiki article itself.
David
On Tue, Feb 1, 2011 at 10:37 PM, David Holder david.holder@gmail.com wrote:
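An added example, not code from this thread or from the LDAP Authentication extension, that mirrors the straight-bind versus proxy-bind decision David describes above, so the effect of $wgLDAPSearchStrings can be checked without a domain controller. It assumes the options are passed in as the same per-domain arrays used in LocalSettings.php, that $wgLDAPBaseDNs is the base for the user search (as in the first configuration in the thread), and that "ssl" maps to ldaps:// URIs as the "Using servers:" debug line shows.

```php
<?php
// Added example, not code from the thread or from the LDAP Authentication
// extension: a planner that reports which bind path a configuration selects,
// reproducing the "Doing a straight bind" / "Doing a proxy bind" decision that
// the debug logs in the thread show. Assumed: the options are passed in as the
// same per-domain arrays used in LocalSettings.php, and $wgLDAPBaseDNs is the
// base for the user search (as in the first configuration in the thread).

/** Escape a value for use inside an LDAP search filter (RFC 4515). */
function ldapFilterEscape( $value ) {
	return strtr( $value, array(
		'\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00',
	) );
}

/** Report servers, bind mode, user DN or search filter, and configuration warnings. */
function ldapBindPlan( array $cfg, $domain, $username ) {
	$opt = function ( $name ) use ( $cfg, $domain ) {
		return isset( $cfg[$name][$domain] ) ? $cfg[$name][$domain] : null;
	};
	$plan = array( 'servers' => array(), 'mode' => '', 'userdn' => null,
		'filter' => null, 'base' => null, 'warnings' => array() );

	// 'ssl' gives ldaps:// URIs (as in the "Using servers:" debug line); anything else ldap://
	$scheme = ( $opt( 'wgLDAPEncryptionType' ) === 'ssl' ) ? 'ldaps://' : 'ldap://';
	foreach ( preg_split( '/\s+/', trim( (string)$opt( 'wgLDAPServerNames' ) ) ) as $host ) {
		if ( $host !== '' ) {
			$plan['servers'][] = $scheme . $host;
		}
	}
	if ( !$plan['servers'] ) {
		$plan['warnings'][] = "no \$wgLDAPServerNames entry for $domain";
	}

	$template   = $opt( 'wgLDAPSearchStrings' );
	$proxyAgent = $opt( 'wgLDAPProxyAgent' );
	if ( $template !== null ) {
		// A search string skips the search: USER-NAME is substituted into the template
		// and that DN (or DOMAIN\user) is bound directly with the user's password.
		$plan['mode']   = 'straight bind';
		$plan['userdn'] = str_replace( 'USER-NAME', $username, $template );
		if ( $proxyAgent !== null ) {
			$plan['warnings'][] = '$wgLDAPProxyAgent is ignored while $wgLDAPSearchStrings is set';
		}
	} else {
		// No template: bind as the proxy agent (or anonymously), search for the user's
		// entry, then bind as the DN found. The username goes into a filter, so escape it.
		$plan['mode'] = ( $proxyAgent !== null ) ? 'proxy bind' : 'anonymous bind';
		$attr = $opt( 'wgLDAPSearchAttributes' );
		$base = $opt( 'wgLDAPBaseDNs' );
		if ( $attr === null || $base === null ) {
			$plan['warnings'][] = 'search before bind needs both $wgLDAPSearchAttributes and $wgLDAPBaseDNs';
		} else {
			$plan['filter'] = '(' . $attr . '=' . ldapFilterEscape( $username ) . ')';
			$plan['base']   = $base;
		}
		if ( $proxyAgent !== null && $opt( 'wgLDAPProxyAgentPassword' ) === null ) {
			$plan['warnings'][] = '$wgLDAPProxyAgent is set without $wgLDAPProxyAgentPassword';
		}
	}
	return $plan;
}

// Constructed input: the second configuration posted in the thread.
$cfg = array(
	'wgLDAPServerNames'        => array( 'localdomain.local' => 'DC1.localdomain.local DC2.localdomain.local' ),
	'wgLDAPEncryptionType'     => array( 'localdomain.local' => 'ssl' ),
	'wgLDAPSearchStrings'      => array( 'localdomain.local' => 'uid=USER-NAME,OU=Users,DC=localdomain,DC=local' ),
	'wgLDAPProxyAgent'         => array( 'localdomain.local' => 'cn=MediaWikiLDAPSearcher,ou=Users,dc=localdomain,dc=local' ),
	'wgLDAPProxyAgentPassword' => array( 'localdomain.local' => 'MyLDAPSearcherPassword' ),
);
$plans = array( 'with search string' => ldapBindPlan( $cfg, 'localdomain.local', 'someuser' ) );

// Drop the search string and add the search settings from the first configuration:
// the proxy agent is now used, and the username is escaped before it enters the filter.
unset( $cfg['wgLDAPSearchStrings'] );
$cfg['wgLDAPBaseDNs']          = array( 'localdomain.local' => 'ou=Users,DC=localdomain,dc=local' );
$cfg['wgLDAPSearchAttributes'] = array( 'localdomain.local' => 'sAMAccountName' );
$plans['search before bind'] = ldapBindPlan( $cfg, 'localdomain.local', 'some*user' );

foreach ( $plans as $label => $p ) {
	echo "$label: {$p['mode']} via ", implode( ' ', $p['servers'] ), "\n";
	echo '  ', $p['userdn'] !== null ? "userdn is: {$p['userdn']}" : "search {$p['base']} for {$p['filter']}", "\n";
	foreach ( $p['warnings'] as $w ) {
		echo "  warning: $w\n";
	}
}
```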
Ok, I've made some progress.
I've managed to get MediaWiki authenticating with AD when using clear instead of SSL, so it does appear to be an encryption issue.
My web server (IIS) should trust my Active Directory SSL certificate; these get pushed via group policy from our own internal CA.
Anyone got any ideas?
David
On Wed, Feb 2, 2011 at 2:51 PM, David Holder david.holder@gmail.com wrote: