[Mediawiki-l] Help with LDAP Configuration and Windows 2003 Active Directory

Shane Parkinson shanep at sydneygang.com
Sun Oct 22 11:43:53 UTC 2006


Folks,

I am by no means an expert in PHP, LDAP, Active Directory or Windows 2003
administration, but I'm trying to set up a proof of concept in a Windows 2003
Active Directory domain which is configured with a domain name of "HOME" and
DNS = "home.local" (DNS forwarders are configured on this domain).

I have read the pages on LDAP
(http://meta.wikimedia.org/wiki/LDAP_Authentication) and LDAP Configuration
Examples
(http://meta.wikimedia.org/wiki/LDAP_Authentication_Configuration_Examples)
and I am in "learning sponge mode" trying to understand the details to get
this running.

The configuration required is to prevent anonymous users from reading the
content pages of the wiki, as the wiki will operate in an extranet-style
configuration. A large percentage of staff are working remotely or
externally to the company's infrastructure. To reduce the number of
usernames/passwords staff have to remember, I'm trying to have users
authenticate against the Windows Active Directory.

As a first attempt to understand the rather steep learning curve in
LDAP/AD/PHP, I followed the examples provided in the LDAP Authentication
Configuration Examples and customised them for the pilot network I'm using
(see below). These settings we copied into the LocalSettings.php and the
DefaultSettings.php.

require_once( "includes/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "Home" );
$wgLDAPServerNames = array( "HOME"=>"sydaapms37-pede.home.local" );
$wgLDAPSearchStrings = array( "Home"=>"HOME\\USER-NAME" );
$wgLDAPUseSSL = true; //not recommended but OK for testing
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;
$wgLDAPRetrievePrefs = false;

I have created a domain user called "tester1" and added this user to a group
called "Wiki", although I don't think I have created any configuration
entries related to this user group.

The domain name is displayed as "HOME" on the login page but all user
accounts tested (including the Windows administrator account) generate the
following error: The password you entered is incorrect (or missing). Please
try again.

I've also got behaviour where after hitting the login button, I receive a
blank page, i.e. it returned nothing, no error message etc., simply a blank
page.

I have reached the limits of my knowledge as to where to look/investigate
why I cannot log in correctly. The passwords are correct and test accounts
cannot be locked out. I have tried changing the $wgLDAPUseSSL from false to
true but this makes no difference and I haven't, as far as I'm aware, enabled
SSL.

If anybody can assist in reducing this newbie's learning curve, your
assistance would be greatly appreciated.

Regards

Shane
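
Added example, not part of the original message or of the LdapAuthentication
plugin: a stand-alone PHP check of the settings quoted above. It assumes the
plugin looks up $wgLDAPServerNames and $wgLDAPSearchStrings by the exact,
case-sensitive string listed in $wgLDAPDomainNames, as the configuration
examples page keys them; the function name checkLdapKeys is hypothetical.

```php
<?php
// Added diagnostic, not code from LdapAuthentication.php.
// Settings copied from the message above.
$wgLDAPDomainNames   = array( "Home" );
$wgLDAPServerNames   = array( "HOME" => "sydaapms37-pede.home.local" );
$wgLDAPSearchStrings = array( "Home" => "HOME\\USER-NAME" );
$wgLDAPUseSSL        = true;

// Hypothetical helper: list every domain that has no entry in a per-domain
// array, and say so when a key that differs only in case exists instead.
function checkLdapKeys( array $domains, array $perDomain ) {
    $problems = array();
    foreach ( $perDomain as $setting => $map ) {
        // Map each lower-cased key back to the key as it was written.
        $folded = array();
        foreach ( array_keys( $map ) as $key ) {
            $folded[strtolower( $key )] = $key;
        }
        foreach ( $domains as $domain ) {
            if ( array_key_exists( $domain, $map ) ) {
                continue; // exact match, nothing to report
            }
            $near = strtolower( $domain );
            $problems[] = isset( $folded[$near] )
                ? "$setting: no key \"$domain\", but \"{$folded[$near]}\" differs only in case"
                : "$setting: no entry for domain \"$domain\"";
        }
    }
    return $problems;
}

$problems = checkLdapKeys( $wgLDAPDomainNames, array(
    '$wgLDAPServerNames'   => $wgLDAPServerNames,
    '$wgLDAPSearchStrings' => $wgLDAPSearchStrings,
) );

// The ldap_* functions exist only when PHP's LDAP extension is loaded.
if ( !extension_loaded( 'ldap' ) ) {
    $problems[] = 'PHP LDAP extension is not loaded';
}
if ( $wgLDAPUseSSL ) {
    echo "Note: \$wgLDAPUseSSL is true, so the server must accept LDAP over SSL\n";
}
echo $problems ? implode( "\n", $problems ) . "\n" : "Per-domain keys are consistent\n";
```

Run it from the command line with the same PHP installation the web server
uses, since the loaded extensions can differ between the two.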



