I am looking for a method of authenticating against Active Directory and possibly group permissions. Is this do-able? Does anybody have any experience making MediaWiki authenticate against Microsoft Active Directory? If so, does it work well? Will this "deactivate" already existing MediaWiki accounts?
I've heard many accounts of it working pretty well, even under WAMP w/AD.
I have looked into and tried implementing the LDAP Authentication plugin and I am receiving errors. I am using WAMP (Windows, Apache 2.2.4, MySQL 5.0.45, PHP 5.2.3) and MediaWiki 1.10.1.
I have already done the following:
1. Copied LdapAuthentication.php to /extensions
2. Added the following to LocalSettings.php:
#
# Active Directory Authentication
#
require_once( "extensions/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "XORANTECH" );
$wgLDAPServerNames = array(
"XORANTECH"=>"dcxoran.xorantech.local"
);
$wgLDAPEncryptionType = array( "XORANTECH"=>"ssl" );
$wgLDAPRetrievePrefs = array( "XORANTECH"=>true ); //<- this is how to do it
$wgMinimalPasswordLength = 1;
$wgLDAPSearchStrings = array(
"XORANTECH"=>"XORANTECH\\USER-NAME" );
$wgLDAPDebug = 3; //for debugging
$wgShowExceptionDetails = true; //for debugging MediaWiki
You don't have group syncing or restriction enabled, but the settings
look fine for authentication and preference pulling.
3. Copied the following files from the PHP directory to the Windows System directory (C:\%windir%\system32)
o libeay32.dll
o ssleay32.dll
4. Uncommented the following lines in php.ini:
o extension=php_ldap.dll
o extension=php_openssl.dll
Do these exist anywhere by default or do they need to be installed
separately (does openssl have to be installed?)? I'm not terribly
familiar with WAMP.
5. Created directory C:\OpenLDAP\sysconf and created a file named ldap.conf. In this file I added "TLS_REQCERT never" on the first line.
I remember hearing something about openldap hard-coding a path to
ldap.conf on Windows; although this is probably the right path, it may
be worth double checking.
Also, notice that although it'll be easier to get the plugin working
with "TLS_REQCERT never", you are turning off a legitimate security
check. I don't know if this works with WAMP or not, but if you can get
it working with this security check enabled, you probably should. Truth
be told, if you trust your network isn't susceptible to man in the
middle attacks, it is probably alright to leave it like this.
When I try logging in using domain username/password I get the following debug:
Entering validDomain
User is using a valid domain.
Setting domain as: XORANTECH
Entering getCanonicalName
Username isn't empty.
Munged username: jspirko
Entering userExists
Entering authenticate
Entering Connect
Using SSL
Using servers: ldaps://dcxoran.xorantech.local
Then it just stops there with a blank white screen with the above debug info on it. Any ideas??
It is either a problem with php_ldap, or php_openssl; try doing
clear-text authentication (please for all that is holy don't leave it
like this though). If mediawiki doesn't crash, it is php_openssl and/or
php_ldap, if mediawiki does crash, it is php_ldap.
It may be possible to put explicit checks in, and have the plugin fail
gracefully if those modules aren't available. I may have to check on
this (adding to the todo list).
V/r,
Ryan Lane
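A pre-flight script that does the explicit module checks Ryan describes, then attempts the same ldaps:// bind the plugin performs and prints the real LDAP error instead of a blank page. This is an added example, not code from the LdapAuthentication plugin or from either poster; the server name and user are taken from the posted config, the password comes from an environment variable, and the CA file path is an assumed placeholder.

```php
<?php
// Added pre-flight check for the thread above (example code, not part of the
// LdapAuthentication plugin). Run from the WAMP command line:
//   set LDAP_TEST_PASS=... && php ldap_preflight.php

$server = 'ldaps://dcxoran.xorantech.local';   // from the posted LocalSettings.php
$user   = 'XORANTECH\\jspirko';                // DOMAIN\user, as the plugin sends it
$pass   = (string) getenv('LDAP_TEST_PASS');   // never hard-code the password

// 1. A white page right after "Using servers:" usually means a missing module:
//    ldap_connect() is undefined without php_ldap, and ldaps:// cannot work
//    without php_openssl. Check both before touching the network.
foreach (array('ldap', 'openssl') as $ext) {
    if (!extension_loaded($ext)) {
        fwrite(STDERR, "php_$ext is not loaded; check the extension= lines in php.ini\n");
        exit(1);
    }
}
echo "php_ldap and php_openssl are loaded\n";

// 2. Keep certificate verification on. "TLS_REQCERT never" in ldap.conf turns
//    it off globally; on PHP >= 7.1 you can instead demand a valid certificate
//    per process and point at the CA that signed the domain controller's cert.
if (defined('LDAP_OPT_X_TLS_REQUIRE_CERT')) {
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    // ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, 'C:/path/to/ca.pem'); // assumed path
}

// 3. Refuse an empty password: AD treats it as an anonymous bind, which would
//    "succeed" and hide a bad credential.
if ($pass === '') {
    fwrite(STDERR, "LDAP_TEST_PASS is not set\n");
    exit(1);
}

// 4. Connect and bind the same way the plugin does, and surface the error text.
$conn = ldap_connect($server);
if ($conn === false) {
    fwrite(STDERR, "ldap_connect() rejected the URL $server\n");
    exit(1);
}
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);  // AD requires LDAPv3
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);         // do not chase AD referrals

if (@ldap_bind($conn, $user, $pass)) {
    echo "bind succeeded as $user\n";
} else {
    // "Can't contact LDAP server" points at TLS/certificate or port 636 trouble;
    // "Invalid credentials" means the transport is fine and the user/pass is wrong.
    fwrite(STDERR, 'bind failed: ' . ldap_error($conn) . "\n");
}
ldap_unbind($conn);
```

If the script itself dies before printing anything, the failure is in php_ldap, matching the clear-text test Ryan suggests, but without having to change the wiki's encryption setting.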