[Mediawiki-l] How to setup Auto Authentication with AD ?

Michael B Allen ioplex at gmail.com
Fri Oct 10 16:00:54 UTC 2008


On Fri, Oct 10, 2008 at 5:40 AM,  <gadina at hotmail.ru> wrote:
> Hello,
>
> In the local network there is an AD domain - xxx.yyy.org
> Domain Controllers - serv1.xxx.yyy.org and serv2.xxx.yyy.org
> In the domain there is a group - MWUsers, which includes several users - mwuser1, mwuser2, etc.
> There is MediaWiki 1.13.1.
> I need to allow automatic access only to users who are in the AD group users.
> I know that this can be done through LdapAuthentication and LdapAutoAuthentication, but all my attempts were unsuccessful.

If your webserver is Linux or FreeBSD you might want to check out the
Plexcel PHP extension and the MW extension that goes with it:

  http://www.ioplex.com/mediawiki_plugin.html

Since it's commercial and this is a public list I won't discuss it in
detail but feel free to contact our support email and I'll answer any
questions you might have.

As for the LDAP extension, note that the "AutoAuth" stuff is for smart
cards and SSL. If you're looking for SPNEGO where you don't enter a
password at all, you can't do that with the LDAP extension (or any
other LDAP anything). AFAIK the only extension that does true SPNEGO
SSO is our Plexcel product (and mod_auth_kerb but that's not
script-level).

Otherwise, you might want to grab the latest LDAP extension files from
SVN. I know a lot of changes have been made recently and I'm not sure
if they've made it to the Wiki page yet. Check the SVN timestamps in
your files.

Mike

> My LocalSettings.php:
>
> require_once ("$IP/extensions/LdapAutoAuthentication.php");
> require_once ("$IP/extensions/LdapAuthentication.php");
> $wgAuth = new LdapAuthenticationPlugin();
> $wgLDAPDomainNames = array('XXX');
> $wgLDAPServerNames = array('XXX' => 'serv1.xxx.yyy.org serv2.xxx.yyy.org');
> $wgLDAPSearchStrings = array('XXX' => 'XXX\\USER-NAME');
> $wgLDAPEncryptionType = array('XXX' => 'false');
> $wgLDAPUseLocal = false;
> $wgMinimalPasswordLength = 1;
> $wgLDAPBaseDNs = array('XXX'=>'dc=xxx,dc=yyy,dc=org');
> $wgLDAPSearchAttributes = array('XXX'=>'sAMAccountName');
> $wgLDAPGroupBaseDNs = array('XXX'=>'ou=MWUsers,dc=xxx,dc=yyy,dc=org');
> AutoAuthSetup();
> $wgLDAPDebug = 6;
>
> But these settings do not work as expected. Auto login is not performed.
> Therefore, I choose the "Log in / create account" and enter login - mwuser1 and password
> Log info:
>
> Entering validDomain
> User is using a valid domain.
> Setting domain as: XXX
> Entering getCanonicalName
> Username isn't empty.
> Munged username: mwuser1
> Entering authenticate
>
> Entering Connect
> Using TLS or not using encryption.
> Using servers: ldap://serv1.xxx.yyy.org ldap://serv2.xxx.yyy.org
> Connected successfully
> Entering getSearchString
> Doing a straight bind
> userdn is: XXX\mwuser1
>
> Binding as the user
> Bound successfully
> Entering getUserDN
> Created a regular filter: (sAMAccountName=mwuser1)
> Entering getBaseDN
> basedn is not set for this type of entry, trying to get the default basedn.
> Entering getBaseDN
> basedn is dc=xxx,dc=yyy,dc=org
> Using base: dc=xxx,dc=yyy,dc=org
> Fetched username is not a string (check your hook code...).
> This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
> Pulled the user's DN: CN=f_name l_name,OU=MWUsers,OU=DataArt,DC=xxx,DC=yyy,DC=org
> Authentication passed
> Entering updateUser
> WTF!?)
>



-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
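
The difference between SPNEGO and a password login as it appears in the HTTP request, as an added example that is not part of the original message or of either extension: with SPNEGO the browser sends an `Authorization: Negotiate` token instead of a password, and the token lists the mechanisms the client prefers (Kerberos, or NTLM as fallback). The function names and the sample token builder below are constructed for illustration.

```python
import base64

SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
KERBEROS = {bytes.fromhex("2a864886f712010202"),  # 1.2.840.113554.1.2.2
            bytes.fromhex("2a864882f712010202")}  # 1.2.840.48018.1.2.2 (legacy Microsoft OID)
NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10

def tlv(buf, pos):
    """Read one DER header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def offered_mechs(token):
    """Mechanism OIDs in a GSS-API initial token, in the client's preference order."""
    pos = 0   # [APPLICATION 0], thisMech OID, NegTokenInit [0] SEQUENCE, mechTypes [0] SEQUENCE
    for want in (0x60, 0x06, 0xA0, 0x30, 0xA0, 0x30):
        tag, start, end = tlv(token, pos)
        if tag != want:
            raise ValueError("not a SPNEGO initial token")
        if want == 0x06 and token[start:end] != SPNEGO:
            return [token[start:end]]             # bare mechanism token, nothing negotiated
        pos = end if want == 0x06 else start      # step over the OID, descend into the rest
    mechs = []
    while pos < end:
        _, start, pos = tlv(token, pos)
        mechs.append(token[start:pos])
    return mechs

def classify(authorization):
    """Name the credential type carried by an HTTP Authorization header value."""
    scheme, _, blob = authorization.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "password" if scheme.lower() == "basic" else "other"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
        if token.startswith(b"NTLMSSP\x00"):
            return "ntlm"
        first = offered_mechs(token)[0]
    except (ValueError, IndexError):
        return "malformed"
    return "kerberos" if first in KERBEROS else "ntlm" if first == NTLMSSP else "other"

def sample_negotiate(*mechs):
    """Constructed header value: a NegTokenInit with mechTypes only, no real ticket."""
    der = lambda tag, body: bytes([tag, len(body)]) + body   # short-form lengths only
    init = der(0xA0, der(0x30, der(0xA0, der(0x30, b"".join(der(0x06, m) for m in mechs)))))
    return "Negotiate " + base64.b64encode(der(0x60, der(0x06, SPNEGO) + init)).decode()
```

A result of "ntlm" or "password" on a site expected to do Kerberos SSO means the client fell back, which is worth logging on the server side.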


