[Mediawiki-l] How to setup Auto Authentication with AD ?

Simon Orr Simon.Orr at Teleperformance.co.uk
Fri Oct 10 09:57:39 UTC 2008


I'm new here so take my answer with a pinch of salt but I was under the
impression you needed a server-level method of using NTLM/LDAP
authentication.

We've got a similar thing configured with our wiki for multi-domain but
we use the SSPI Apache module.

Httpd.conf looks something like:

<Location /Wiki>
	AuthName "Some auth name here"
	AuthType SSPI
	SSPIAuth On
	SSPIAuthoritative On
	# Offer basic auth method if NTLM fails?
	SSPIOfferBasic On
	# Prefer basic auth?
	SSPIBasicPreferred Off
	# lowercase usernames to facilitate authentication listings
	SSPIUsernameCase lower
	# try to guess domain from valid options
	SSPIOmitDomain On
	# For domain1
	SSPIDomain domain1
	# require this group
	require group domain1\it-development
	# For domain2
	SSPIDomain domain2
	# Ditto
	require group domain2\it-development
</Location>

Which then means anyone not matching SSPI's requirements is sent to a 403
Forbidden page. Anyone else sees the wiki as usual.

NB: The domain has to be known to the server.

As I said, I'm new to this list and Mediawiki so please get some other
opinions too :)

Hope I've helped a little.

Simon

-----Original Message-----
From: mediawiki-l-bounces at lists.wikimedia.org
[mailto:mediawiki-l-bounces at lists.wikimedia.org] On Behalf Of
gadina at hotmail.ru
Sent: 10 October 2008 10:40
To: mediawiki-l at lists.wikimedia.org
Subject: [Mediawiki-l] How to setup Auto Authentication with AD ?

Hello,

On the local network there is an AD domain - xxx.yyy.org
Domain Controllers - serv1.xxx.yyy.org and serv2.xxx.yyy.org
In the domain there is a group - MWUsers, which includes several users -
mwuser1, mwuser2, etc.
There is MediaWiki 1.13.1.
I need to allow automatic access only to users who are in the AD group
users.
I know that this can be done through LdapAuthentication and
LdapAutoAuthentication, but all my attempts were unsuccessful.

My LocalSettings.php:

require_once ("$IP/extensions/LdapAutoAuthentication.php");
require_once ("$IP/extensions/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array('XXX');
$wgLDAPServerNames = array('XXX' => 'serv1.xxx.yyy.org serv2.xxx.yyy.org');
$wgLDAPSearchStrings = array('XXX' => 'XXX\\USER-NAME');
$wgLDAPEncryptionType = array('XXX' => 'false');
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs = array('XXX'=>'dc=xxx,dc=yyy,dc=org');
$wgLDAPSearchAttributes = array('XXX'=>'sAMAccountName');
$wgLDAPGroupBaseDNs = array('XXX'=>'ou=MWUsers,dc=xxx,dc=yyy,dc=org');
AutoAuthSetup();
$wgLDAPDebug = 6;

But these settings do not work as expected. Auto login is not performed.
Therefore, I choose "Log in / create account" and enter the login
mwuser1 and the password.
Log info:

Entering validDomain
User is using a valid domain.
Setting domain as: XXX
Entering getCanonicalName
Username isn't empty.
Munged username: mwuser1
Entering authenticate

Entering Connect
Using TLS or not using encryption.
Using servers: ldap://serv1.xxx.yyy.org ldap://serv2.xxx.yyy.org
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: XXX\mwuser1

Binding as the user
Bound successfully
Entering getUserDN
Created a regular filter: (sAMAccountName=mwuser1)
Entering getBaseDN
basedn is not set for this type of entry, trying to get the default basedn.
Entering getBaseDN
basedn is dc=xxx,dc=yyy,dc=org
Using base: dc=xxx,dc=yyy,dc=org
Fetched username is not a string (check your hook code...). 
This message can be safely ignored if you do not have the
SetUsernameAttributeFromLDAP hook defined.
Pulled the user's DN: CN=f_name l_name,OU=MWUsers,OU=DataArt,DC=xxx,DC=yyy,DC=org
Authentication passed
Entering updateUser
WTF!?)

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l at lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
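An added illustration (written for this page; it is not code from the thread, from the LdapAuthentication extension or from mod_auth_sspi) of the two checks the thread turns on: whether a user's entry sits under a configured base DN, which is the kind of server-side gate both Simon's "require group" lines and $wgLDAPGroupBaseDNs express, and how the (sAMAccountName=...) lookup filter shown in the log should be built so that a username is matched literally. USER_DN is the DN the quoted log printed and CONFIGURED_GROUP_BASE is the value from the quoted LocalSettings.php; every other DN and name is constructed for the example.

```python
# Added example, not part of the thread and not code from the LdapAuthentication
# extension or mod_auth_sspi. It models two checks:
# (1) whether a user entry sits under a configured base DN (the test behind a
#     setting such as $wgLDAPGroupBaseDNs), using the DN the quoted log printed;
# (2) building the (sAMAccountName=...) filter the log shows, with RFC 4515
#     escaping so a username cannot change the filter's structure.
# USER_DN is copied from the quoted log; the other DNs and names are constructed.

from typing import List, Tuple

USER_DN = "CN=f_name l_name,OU=MWUsers,OU=DataArt,DC=xxx,DC=yyy,DC=org"
CONFIGURED_GROUP_BASE = "ou=MWUsers,dc=xxx,dc=yyy,dc=org"   # from the quoted LocalSettings.php


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring backslash-escaped
    commas (a single-valued-RDN subset of RFC 4514). Attribute types are
    lower-cased and values case-folded, because Active Directory compares
    both case-insensitively: 'CN=x,DC=y' and 'cn=X,dc=Y' name the same entry."""
    rdns: List[str] = []
    buf = ""
    escaped = False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    pairs: List[Tuple[str, str]] = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().casefold()))
    return pairs


def is_under(entry_dn: str, base_dn: str) -> bool:
    """True when entry_dn lies inside the subtree rooted at base_dn,
    i.e. the base's RDNs are a proper suffix of the entry's RDNs."""
    entry = parse_dn(entry_dn)
    base = parse_dn(base_dn)
    return len(entry) > len(base) and entry[-len(base):] == base


def access_status(entry_dn: str, base_dn: str) -> int:
    """HTTP status a server-side gate would return: 200 for entries under the
    base, 403 otherwise (the outcome Simon describes for the SSPI gate)."""
    return 200 if is_under(entry_dn, base_dn) else 403


# RFC 4515 escapes for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so the filter matches it literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str, attribute: str = "sAMAccountName") -> str:
    """Build the lookup filter the log shows, with the username escaped."""
    return f"({attribute}={escape_filter_value(username)})"


if __name__ == "__main__":
    print(build_user_filter("mwuser1"))                   # (sAMAccountName=mwuser1)
    print(is_under(USER_DN, "dc=xxx,dc=yyy,dc=org"))      # True
    print(is_under(USER_DN, CONFIGURED_GROUP_BASE))       # False
    print(access_status(USER_DN, CONFIGURED_GROUP_BASE))  # 403
```

Two things worth noticing when running it against the values from the thread. First, the DN in the log has OU=DataArt between OU=MWUsers and the domain components, so the configured base "ou=MWUsers,dc=xxx,dc=yyy,dc=org" does not contain that entry, while the domain base does; whether that is the cause of the failure the thread does not say, but it is the first thing to compare when a base-DN check misses. Second, MWUsers appears in that DN as an OU, and a subtree check is not the same thing as AD group membership (a group check looks at the memberOf attribute or a group's member list), so a gate meant to admit "members of a group" should be verified against that, not against where the user object happens to live.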
