[Mediawiki-l] SOLVED: Is LDAPAutoAuth Without Smartcard Supported?
John Thomson
thomsonj at stonewayconsulting.ca
Fri Apr 3 12:16:36 UTC 2009
Lane, Ryan wrote:
>> Seems like all I needed was a fresh perspective. The extension
>> /AutomaticRemote_User/
>> (http://www.mediawiki.org/wiki/Extension:AutomaticREMOTE_USER) gives me
>> exactly what I need to do to seamlessly authenticate my users to
>> Mediawiki. Works perfectly. Between that and some of the functionality
>> provided by /LDAPAuthentication/ for pulling AD attributes, I can
>> Frankenstein something up that should suffice till the next version of
>> LDAPAuthentication is released.
>>
>>
>
> No need to frankenstein something together. Version 1.2a of the LDAP
> plugin (LDAPAuthentication.php and LDAPAutoAuthentication.php) should be
> able to handle any form of web authentication.
>
> Kerberos auth is likely what you are using. You want to look at this
> documentation (just ignore the Apache stuff):
>
>
> http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Kerberos_Configuration_Examples
>
> Note that I haven't tested this with IIS (as I don't have a Windows 2003
> system to test with). I've tested this with Apache and MIT Kerberos.
>
> The following line may need to change, depending on what you get back
> from IIS:
>
> $wgLDAPAutoAuthUsername = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"] );
>
> This line is expecting "REMOTE_USER" to be returned as
> "username@DOMAIN". If IIS returns something else, you'll need to change
> it. For instance, if IIS simply returns "username" then you'll need to
> change this to:
>
> $wgLDAPAutoAuthUsername = $_SERVER["REMOTE_USER"];
>
> V/r,
>
>
Hi Ryan,
Just to follow up, I took a look at the configuration examples, and
picked out the Kerberos-related entries and gave it a shot. Sadly, IIS
gives me a 500.
I did verify that IIS passes $_SERVER["REMOTE_USER"] for the REMOTE_USER
as that is what the AutomaticREMOTE_USER extension successfully uses. I
suspect the issue is with AutoAuth, as there is no LDAP traffic
generated. (I am running a debug LDAP proxy that shows
Here are the relevant entries from LocalSettings.php:
#
# LDAP Authentication
#
require_once( "extensions/LdapAutoAuthentication.php" );
require_once( "extensions/LdapAuthentication.php" );
$wgLDAPDomainNames = array("MyDomain);
$wgLDAPServerNames = array("MyDomain"=>"192.168.20.212");
$wgLDAPAutoAuthDomain = "MyDomain";
$wgLDAPProxyAgent = array("MyDomain"=>"CN=Proxy User,cn=Users,dc=MyDomain,dc=com");
$wgLDAPProxyAgentPassword = array("MyDomain"=>"PASSWORD");
$wgLDAPBaseDNs = array("MyDomain"=>"dc=MyDomain,dc=com");
$wgLDAPSearchAttributes = array("MyDomain"=>"samaccountname");
$wgLDAPAutoAuthUsername = $_SERVER["REMOTE_USER"] );
AutoAuthSetup();
If you see anything wonky with my config, I'd like to hear about it. In
the meanwhile, I will start Frankensteining...
Thanks very much!!
John
> Ryan Lane
>
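
Added example, not part of the original thread or of the LDAP extension's own code: one way to handle the REMOTE_USER forms discussed above ("username@DOMAIN", bare "username") plus "DOMAIN\username", which is assumed here to be what IIS integrated authentication returns. The helper name normalizeRemoteUser(), the allowed-realm list and the character allow-list are assumptions made for illustration.

```php
<?php
// Added example: normalizeRemoteUser() is a hypothetical helper, not part of
// LdapAuthentication.php or LdapAutoAuthentication.php.

/**
 * Reduce a web-server-supplied REMOTE_USER to a bare account name.
 * Returns null when the value is empty, names an unexpected domain/realm,
 * or contains characters outside a conservative allow-list.
 */
function normalizeRemoteUser( $remoteUser, array $allowedRealms ) {
	if ( !is_string( $remoteUser ) || $remoteUser === '' ) {
		return null;
	}
	$realm = null;
	$user = $remoteUser;
	if ( preg_match( '/^([^\\\\@]+)\\\\([^\\\\@]+)$/', $remoteUser, $m ) ) {
		// DOMAIN\username (assumed form for IIS integrated authentication)
		$realm = $m[1];
		$user = $m[2];
	} elseif ( preg_match( '/^([^\\\\@]+)@([^\\\\@]+)$/', $remoteUser, $m ) ) {
		// username@REALM (the form the Kerberos example expects)
		$user = $m[1];
		$realm = $m[2];
	}
	// A realm, when present, must be one the wiki is configured to trust.
	if ( $realm !== null
		&& !in_array( strtolower( $realm ), array_map( 'strtolower', $allowedRealms ), true ) ) {
		return null;
	}
	// Assumed: the name is later used in an LDAP search on samaccountname,
	// so refuse filter metacharacters such as * ( ) \ rather than pass them on.
	// Assumption: account names use only letters, digits, dot, dash, underscore.
	if ( !preg_match( '/^[A-Za-z0-9._-]{1,64}$/', $user ) ) {
		return null;
	}
	return $user;
}

// Constructed sample values, not captured from a real server.
$samples = array( 'jthomson@MYDOMAIN.COM', 'MYDOMAIN\\jthomson', 'jthomson',
	'OTHERDOMAIN\\jthomson', 'jthomson*' );
foreach ( $samples as $value ) {
	var_dump( normalizeRemoteUser( $value, array( 'MyDomain', 'MYDOMAIN.COM' ) ) );
}
```

In LocalSettings.php the return value would be assigned to $wgLDAPAutoAuthUsername only when it is not null, so an unexpected REMOTE_USER falls back to the normal login form instead of being looked up.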