[Mediawiki-l] Active Directory Authentication

Lane, Ryan Ryan.Lane at ocean.navo.navy.mil
Mon Aug 6 19:17:30 UTC 2007


> I am looking for a method of authenticating against Active Directory and
> possibly group permissions. Is this do-able? Does anybody have any
> experience making MediaWiki authenticate against Microsoft Active
> Directory? If so does it work well? Will this "deactivate" already
> existing MediaWiki accounts?
> 

I've heard many accounts of it working pretty well, even under WAMP
w/AD.

> I have looked into and tried implementing the LDAP Authentication plugin
> and I am receiving errors. I am using WAMP (Windows, Apache 2.2.4, MySQL
> 5.0.45, PHP 5.2.3) and MediaWiki 1.10.1.
> 
> I have already done the following:
> 
> 1. Copied LdapAuthentication.php to /extensions
> 2. Added the following to LocalSettings.php:
> 
> 	#
> 	# Active Directory Authentication
> 	#
> 	require_once( "extensions/LdapAuthentication.php" );
> 	$wgAuth = new LdapAuthenticationPlugin();
> 	$wgLDAPDomainNames = array( "XORANTECH" );
> 	$wgLDAPServerNames = array( "XORANTECH"=>"dcxoran.xorantech.local" );
> 	$wgLDAPEncryptionType = array( "XORANTECH"=>"ssl" );
> 	$wgLDAPRetrievePrefs = array( "XORANTECH"=>true ); //<- this is how to do it
> 	$wgMinimalPasswordLength = 1;
> 	$wgLDAPSearchStrings = array( "XORANTECH"=>"XORANTECH\\USER-NAME" );
> 	$wgLDAPDebug = 3; //for debugging
> 	$wgShowExceptionDetails = true;  //for debugging MediaWiki
> 

You don't have group syncing or restriction enabled, but the settings
look fine for authentication and preference pulling.

> 3. Copied the following files from the PHP directory to the Windows System
> directory (C:\%windir%\system32)
>       o libeay32.dll
>       o ssleay32.dll
> 
> 4. Uncommented the following lines in php.ini:
>       o extension=php_ldap.dll
>       o extension=php_openssl.dll
> 

Do these exist anywhere by default or do they need to be installed
separately (does openssl have to be installed?)? I'm not terribly
familiar with WAMP.

> 5. Created directory C:\OpenLDAP\sysconf and created file named ldap.conf.
> In this file added "TLS_REQCERT never" in the first line.
> 

I remember hearing something about openldap hard coding a path to
ldap.conf on Windows; although this is probably the right path, it may
be worth double checking.

Also, notice that although it'll be easier to get the plugin working
with "TLS_REQCERT never", you are turning off a legitimate security
check. I don't know if this works with WAMP or not, but if you can get
it working with this security check enabled, you probably should. Truth
be told, if you trust your network isn't susceptible to man in the
middle attacks, it is probably alright to leave it like this.

> When I try logging in using domain username/password I get the following
> debug:
> 
> 	Entering validDomain
> 	User is using a valid domain.
> 	Setting domain as: XORANTECH
> 	Entering getCanonicalName
> 	Username isn't empty.
> 	Munged username: jspirko
> 	Entering userExists
> 	Entering authenticate
> 	Entering Connect
> 	Using SSL
> 	Using servers: ldaps://dcxoran.xorantech.local
> 
> Then it just stops there with a blank white screen with the above debug
> info on it. Any ideas??

It is either a problem with php_ldap, or php_openssl; try doing
clear-text authentication (please for all that is holy don't leave it
like this though). If MediaWiki doesn't crash, it is php_openssl and/or
php_ldap; if MediaWiki does crash, it is php_ldap.

It may be possible to put explicit checks in, and have the plugin fail
gracefully if those modules aren't available. I may have to check on
this (adding to the todo list).

V/r,

Ryan Lane
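Added example, not code from the LdapAuthentication plugin or from this thread: the explicit module checks mentioned above, so a missing php_ldap or php_openssl produces a readable message instead of a blank page, plus an ldaps:// connection that keeps server certificate verification on rather than relying on "TLS_REQCERT never". It assumes PHP 7.1 or later (for the LDAP_OPT_X_TLS_* constants); the server name, bind account and CA bundle path are placeholders.

```php
<?php
// Added example, not code from the LdapAuthentication plugin. Assumes PHP 7.1+
// (LDAP_OPT_X_TLS_* constants); server name, bind DN and CA path are placeholders.

function ldapPreflight(): array {
    $problems = [];
    // Without php_ldap, ldap_connect() is undefined and PHP dies mid-request with
    // no output: the "blank white screen" symptom from the thread.
    if (!extension_loaded('ldap') || !function_exists('ldap_connect')) {
        $problems[] = 'ldap extension not loaded (extension=php_ldap.dll in php.ini)';
    }
    // Without php_openssl the ldaps:// scheme cannot be used at all.
    if (!extension_loaded('openssl')) {
        $problems[] = 'openssl extension not loaded (extension=php_openssl.dll in php.ini)';
    }
    return $problems;
}

function ldapsConnect(string $server, string $caFile) {
    // Demand a certificate that chains to $caFile instead of "TLS_REQCERT never".
    // With a null connection these are library-wide settings in the OpenLDAP client
    // and must be made before the first ldap_connect()/ldap_bind() in the process.
    if (!ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile)
        || !ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND)) {
        throw new RuntimeException('could not enable TLS certificate verification');
    }
    // ldap_connect() only validates the URL; the TLS handshake happens at bind time.
    $conn = ldap_connect("ldaps://$server:636");
    if ($conn === false) {
        throw new RuntimeException("ldap_connect() rejected ldaps://$server");
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3); // Active Directory needs LDAPv3
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);        // AD referrals break searches
    return $conn;
}

// Fail gracefully with a readable message instead of a fatal error mid-page.
$problems = ldapPreflight();
foreach ($problems as $problem) {
    fwrite(STDERR, "LDAP preflight: $problem\n");
}
if ($problems !== []) {
    exit(1);
}
$server = 'dc.example.local'; // placeholder domain controller
$conn = ldapsConnect($server, __DIR__ . '/corp-ca.pem'); // placeholder CA bundle
// A failed certificate check surfaces here as a bind error rather than a hang.
if (!@ldap_bind($conn, 'svc-wiki@example.local', getenv('WIKI_LDAP_PASSWORD'))) {
    fwrite(STDERR, 'bind failed: ' . ldap_error($conn) . "\n");
    exit(1);
}
echo "connected to $server with certificate verification on\n";
```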
