[Mediawiki-l] How to setup Auto Authentication with AD ?

Lane, Ryan Ryan.Lane at ocean.navo.navy.mil
Tue Oct 14 15:03:15 UTC 2008


> In the local network is AD domain - xxx.yyy.org
> Domain Controllers - serv1.xxx.yyy.org and serv2.xxx.yyy.org
> In the domain is a group - MWUsers, which includes several 
> users - mwuser1, mwuser2, etc.
> There is MediaWiki 1.13.1.
> I need to allow automatic access only to users who are in the 
> AD group users.
> I know that this can be done through LdapAuthentication and 
> LdapAutoAuthentication, but all my attempts were unsuccessful.
> 

Setting up Active Directory auto-authentication isn't exactly easy, and
since I don't currently have documentation written on how to use
mod_auth_kerb with the plugin, I won't go into this. As of right now,
let's just say Kerberos (which is used by Active Directory) isn't
supported from an "I'll give support" perspective. That'll change soon.

> My LocalSettings.php:
> 
> require_once ("$IP/extensions/LdapAutoAuthentication.php");

Unless you are using PKI/Smartcard/CAC authentication, don't use this
line.

> require_once ("$IP/extensions/LdapAuthentication.php");
> $wgAuth = new LdapAuthenticationPlugin();
> $wgLDAPDomainNames = array('XXX');
> $wgLDAPServerNames = array('XXX' => 'serv1.xxx.yyy.org serv2.xxx.yyy.org');
> $wgLDAPSearchStrings = array('XXX' => 'XXX\\USER-NAME');
> $wgLDAPEncryptionType = array('XXX' => 'false');
> $wgLDAPUseLocal = false;
> $wgMinimalPasswordLength = 1;
> $wgLDAPBaseDNs = array('XXX'=>'dc=xxx,dc=yyy,dc=org');
> $wgLDAPSearchAttributes = array('XXX'=>'sAMAccountName');
> $wgLDAPGroupBaseDNs = array('XXX'=>'ou=MWUsers,dc=xxx,dc=yyy,dc=org');
> AutoAuthSetup();
> $wgLDAPDebug = 6;
> 

Remember not to set "$wgAuth = new LdapAuthenticationPlugin();" when
using "AutoAuthSetup();" as it does it for you. I'll probably put some
error checking in for this later. Remove "AutoAuthSetup();" for now.

Notice that "$wgLDAPEncryptionType = array('XXX' => 'false');" isn't a
valid setting. You need to read the documentation. If you want to turn
encryption off (not recommended), you need to use:

$wgLDAPEncryptionType = array('XXX' => 'clear');

> But these settings do not work as expected. Auto login is not 
> performed.
> Therefore, I choose the "Log in / create account" and enter 
> login - mwuser1 and password
> Log info:
> 
> Entering validDomain
> User is using a valid domain.
> Setting domain as: XXX
> Entering getCanonicalName
> Username isn't empty.
> Munged username: mwuser1
> Entering authenticate
> 
> Entering Connect
> Using TLS or not using encryption.
> Using servers: ldap://serv1.xxx.yyy.org ldap://serv2.xxx.yyy.org
> Connected successfully
> Entering getSearchString
> Doing a straight bind
> userdn is: XXX\mwuser1
> 
> Binding as the user
> Bound successfully
> Entering getUserDN
> Created a regular filter: (sAMAccountName=mwuser1)
> Entering getBaseDN
> basedn is not set for this type of entry, trying to get the 
> default basedn.
> Entering getBaseDN
> basedn is dc=xxx,dc=yyy,dc=org
> Using base: dc=xxx,dc=yyy,dc=org
> Fetched username is not a string (check your hook code...). 
> This message can be safely ignored if you do not have the 
> SetUsernameAttributeFromLDAP hook defined.
> Pulled the user's DN: CN=f_name 
> l_name,OU=MWUsers,OU=DataArt,DC=xxx,DC=yyy,DC=org
> Authentication passed
> Entering updateUser

Hmm. It looks like it authenticated the user properly. Did it log the
user in? Is that part of the problem? Did you want to restrict log in to
only people in a certain group? Lemme know what you are aiming for, and
I can give you a better config.

> WTF!?)

... And it looks like I committed changes with some stupid debugging code
left in place :(.

V/r,

Ryan Lane
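
Added example, not part of the original message or of the extension's code: a small Python lint for the two configuration mistakes pointed out in the reply above (an invalid `$wgLDAPEncryptionType` value, and `$wgAuth` set alongside `AutoAuthSetup()`). `SAMPLE` is constructed from the quoted settings; the set of accepted values is an assumption taken from the extension's documentation, since the message itself names only 'clear'.

```python
import re

# Assumption: values the LdapAuthentication documentation lists for
# $wgLDAPEncryptionType (the message itself only names 'clear').
VALID_ENCRYPTION = {"clear", "tls", "ssl"}

# Constructed sample: the settings quoted in the message, reduced to the relevant lines.
SAMPLE = r'''
require_once ("$IP/extensions/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array('XXX');
$wgLDAPEncryptionType = array('XXX' => 'false');
AutoAuthSetup();
'''

PAIR = re.compile(r"""['"]([^'"]+)['"]\s*=>\s*['"]([^'"]*)['"]""")


def strip_comments(php):
    """Drop /* */ blocks and whole-line // or # comments so disabled settings are ignored."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return re.sub(r"^\s*(//|#).*$", "", php, flags=re.M)


def lint_ldap_settings(php):
    """Return a list of (code, message) findings for the text of a LocalSettings.php."""
    php = strip_comments(php)
    findings = []
    m = re.search(r"\$wgLDAPEncryptionType\s*=\s*array\s*\((.*?)\)\s*;", php, re.S)
    if m:
        for domain, value in PAIR.findall(m.group(1)):
            if value not in VALID_ENCRYPTION:
                findings.append(("invalid-encryption",
                                 f"{domain}: '{value}' is not a valid encryption type"))
            elif value == "clear":
                findings.append(("cleartext-bind",
                                 f"{domain}: bind passwords cross the network unencrypted"))
    sets_auth = re.search(r"\$wgAuth\s*=\s*new\s+LdapAuthenticationPlugin\b", php)
    calls_auto = re.search(r"\bAutoAuthSetup\s*\(\s*\)\s*;", php)
    if sets_auth and calls_auto:
        findings.append(("duplicate-auth-setup",
                         "$wgAuth is set and AutoAuthSetup() is also called"))
    return findings


if __name__ == "__main__":
    for code, message in lint_ldap_settings(SAMPLE):
        print(f"{code}: {message}")
```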


