Using the LDAP Authentication Plugin for MediaWiki – The Basics (Part 1)

Configuring the LDAP Authentication plugin for MediaWiki can be a daunting task. In this series of posts, I’ll go over the basics of configuring the plugin for common environments. In a later series of posts, I’ll go into each environment in detail.

Part 1 will discuss basic password authentication for Active Directory (AD). Part 2 will discuss basic password authentication for LDAP domains with the posix schema. Part 3 will discuss enabling group restrictions and synchronization, and retrieving preferences for AD. Part 4 will discuss group restrictions and synchronization, and retrieving preferences for LDAP domains with the posix schema.

Basic MediaWiki administration experience is assumed. This series of posts should only be considered current for version 1.2a or 1.2b of the LDAP plugin.

Create a local sysop

Before enabling the plugin, you should create a user in the local wiki database that exists in AD, and promote that user to sysop. After the plugin is enabled, you will not be able to log in as any user who does not exist in AD.

Enabling the plugin

To enable the plugin, first download the current stable version, and place it at $IP/extensions/LdapAuthentication/LdapAuthentication.php. After downloading the plugin, place the following in LocalSettings.php:

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();

Configuring the plugin

For basic password authentication against an AD domain, you need to configure three things:

  1. Domain name
  2. Server names
  3. How to bind to the AD servers

Setting the domain name

The domain name is used for all of the LDAP configuration settings, and is also the domain name visible to users when logging in. It is recommended to use the short name of your AD domain as the domain name. For example, if your AD domain is TESTAD.EXAMPLE.COM, then you should use TESTAD as your domain name. We will use TESTAD for the examples in this post.

Place the following in LocalSettings.php file to set the domain name:

$wgLDAPDomainNames = array( "TESTAD" );

Setting the server names

The plugin needs to know the fully qualified domain name (FQDN) of each of your AD servers to contact. Currently, the plugin cannot do automatic domain discovery. You may add multiple servers, delimited by spaces, for server failover.

Place the following in LocalSettings.php to set the server names:

$wgLDAPServerNames = array( "TESTAD" => "adserver1.testad.example.com adserver2.testad.example.com" );

Telling the plugin how to bind to the AD server

Binding to AD is straightforward; you simply tell the server the domain, username, and password. AD takes the domain and the username in either of the following formats: username@DOMAIN or DOMAIN\username. The LDAP plugin supports either of these formats; for this example we’ll use the former.

To specify the format to bind with, place the following into LocalSettings.php:

$wgLDAPSearchStrings = array( "TESTAD" => "USER-NAME@TESTAD" );

Notice that USER-NAME is a special string, and should not be modified. When the user logs in, USER-NAME will be replaced with whatever username is used.

By default the LDAP plugin binds using encryption; specifically, it defaults to tls over LDAP (port 389). AD doesn’t support tls, so the encryption type needs to be changed. The supported encryption types are clear, tls, and ssl. AD doesn’t allow clear text binds by default, and only supports the ssl encryption type, using LDAPS (port 636). If you wish to use clear text binds, you’ll need to change your AD security settings (not recommended).

To change the encryption type, place the following into LocalSettings.php:

$wgLDAPEncryptionType = array( "TESTAD" => "ssl" );

Configuring the server

Configuring the SSL trust

For ssl to work properly, it is important to ensure the LDAP client (the web server) trusts the root Certificate Authority (CA) of the AD server. If your organization is using a third-party CA that is in most common trust lists (such as those shipped with IE or Firefox), this step can likely be skipped. If your AD servers are using self-signed certificates or a local CA, this step is needed.

You can find out which CA issued the AD server’s certificate using openssl. Run the following command:

openssl s_client -connect adserver1.testad.example.com:636 | egrep "subject|issuer"

If the subject and the issuer are the same, the certificate is self-signed. If the subject and issuer are not the same, the certificate was signed by a CA. If the CA is local, ask someone in your organization for a copy of the CA certificate. If the certificate is self-signed, you can get the certificate by running the previous command without the grep:

openssl s_client -connect adserver1.testad.example.com:636

Copy everything between and including:

-----BEGIN CERTIFICATE-----

and:

-----END CERTIFICATE-----

Paste the text into a file, and place the file wherever your OS normally stores its CA certificates; Red Hat Enterprise Linux 5 and newer versions of Fedora place these in /etc/pki/tls/certs.

Now place the following into /etc/openldap/ldap.conf:

TLS_CACERT     <pathToCACert>
TLS_CACERTFILE <pathToCACert>

Restart your web server for this to take effect.
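As an added example (not code from the original post), these POSIX shell helpers script the check above: given a capture of `openssl s_client -connect adserver1.testad.example.com:636` output, they report whether the web server's OpenSSL already verifies the chain, distinguish a self-signed certificate from a CA-issued one by comparing subject and issuer, and extract the PEM block for TLS_CACERT. The embedded sample capture is constructed and its PEM body is a placeholder, not a real certificate.

```sh
#!/bin/sh
# Added helper, not part of the original post. Input is the text that
#   openssl s_client -connect adserver1.testad.example.com:636 </dev/null
# prints, either piped in live or read from a saved capture file.

# First value after "subject=" in the capture (the server certificate's subject).
cert_subject() { sed -n 's/^subject=//p' "$1" | head -n 1; }

# First value after "issuer=" in the capture (who signed the server certificate).
cert_issuer() { sed -n 's/^issuer=//p' "$1" | head -n 1; }

# Numeric "Verify return code". 0 means OpenSSL verified the chain against
# the CA store it is already using, so the TLS_CACERT step can be skipped.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# The first PEM block in the capture: the server's own certificate.
# For a self-signed server this is the file to point TLS_CACERT at; for a
# CA-signed server it is NOT the CA and must not be used as one.
extract_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { exit }' "$1"
}

# Classify the capture as "trusted", "self-signed" or "ca-signed".
classify_capture() {
    capture=$1
    if [ "$(verify_code "$capture")" = "0" ]; then
        echo trusted
    elif [ "$(cert_subject "$capture")" = "$(cert_issuer "$capture")" ]; then
        echo self-signed
    else
        echo ca-signed
    fi
}

# Constructed sample of s_client output from a self-signed AD server.
# The PEM body is a placeholder, not a real certificate.
write_sample_capture() {
    cat > "$1" <<'EOF'
CONNECTED(00000003)
depth=0 CN = adserver1.testad.example.com
verify error:num=18:self signed certificate
verify return:1
---
Certificate chain
 0 s:CN = adserver1.testad.example.com
   i:CN = adserver1.testad.example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERPEMBODYNOTAREALCERTIFICATE
-----END CERTIFICATE-----
subject=CN = adserver1.testad.example.com
issuer=CN = adserver1.testad.example.com
---
    Verify return code: 18 (self signed certificate)
---
EOF
}

# Typical use against a live server:
#   openssl s_client -connect adserver1.testad.example.com:636 </dev/null 2>/dev/null > capture.txt
#   classify_capture capture.txt          # trusted | self-signed | ca-signed
#   extract_pem capture.txt > adserver1.pem   # only meaningful when self-signed
```

Only a self-signed result means the extracted PEM is the certificate to trust; ca-signed means the issuing CA's certificate is what ldap.conf needs instead.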

Test your configuration by logging in with an AD user

Everything should be working at this point. If you have any questions, you should post them on the discussion page for the plugin on mediawiki.org, or leave me a comment (the former is preferred).

110 Comments

  1. Hi guys,

    I’m trying to get this going for our mediawiki that runs on ubuntu server.

    We run a Windows 2003 domain.

    I actually like trying to figure out problems myself as it’s how I learn best, but I am just running into brick walls.

    Basically what is happening is when I try and log in I am just getting a blank page.

    I CAN query the DC I am trying to get to using ldapsearch.

    When I have tried enabling debugging using:

    $wgLDAPDebug
    and

    $wgDebugLogGroups

    I have tried using debug levels 1 2 and 3.

    Using either option, nothing appears in the file specified with $wgDebugLogGroups

    Using 2 and 3 the following is displayed at the top left hand corner of media wiki after clicking the login button:

    Entering validDomain
    Uer is not using a valid domain
    Setting domain as: invaliddomain
    Entering modifyUITemplate

    However the login screen then doesn’t load properly and you can’t attempt to login (the login fields are missing).

    I am running MediaWiki 1.13.3
    LDAP Authentication Plugin is shown as version 1.1g (I installed using LdapAuthentication-MW1.13-r36354.tar.gz).
    Ubuntu is 9.04

    Can anyone point me in the correct direction as to how to troubleshoot this? Maybe let me know how to get some meaningful logs.

    Cheers

    Ian

    1. Nearly 100% of the time, a blank screen means the ldap library is missing in php. Run the following in ubuntu:

      sudo apt-get install -y php5-ldap
      sudo /etc/init.d/apache2 restart

      After doing so, try it again.

  2. Set up my wiki using LDAP following these instructions; it worked perfectly. I’d like to know if it is possible, using this LdapAuthentication, to set it up so that the user is logged in automatically when he or she launches my wiki site?
    Thank you

  3. By the way, what is the LdapAutoAuthentication.php file for?

    1. It is used for automatic authentication. It does what you are looking for, but you’ll need to read the docs to set it up.

  4. Hi Ryan,

    Great extension. Thank you so much for developing it.
    I got LDAP authentication working, however, once I started using “$wgLDAPRequiredGroups” it causes my login to hang for about 20-30 seconds.

    # ================
    # My LocalSettings.php Below
    # ================
    require_once( "\extensions\LdapAuthentication.php" );
    $wgAuth = new LdapAuthenticationPlugin();
    $wgLDAPDomainNames = array("LDAP");
    $wgLDAPServerNames = array("LDAP" => "ldap-server.com");
    $wgLDAPEncryptionType = array("LDAP" => "ssl");
    $wgLDAPSearchStrings = array("LDAP" => "uid=USER-NAME,ou=personnel,dc=dir,dc=com");

    $wgLDAPUseLocal = false;
    $wgLDAPAddLDAPUsers = false;
    $wgLDAPUpdateLDAP = false;
    $wgLDAPMailPassword = false;
    $wgLDAPRetrievePrefs = true;
    $wgMinimalPasswordLength = 1;

    $wgLDAPRequiredGroups = array("LDAP" => array("cn=mygroup,ou=personnel,dc=dir,dc=com", "cn=mygroup2,ou=personnel,dc=dir,dc=com"));
    $wgLDAPGroupUseFullDN = array("LDAP" => true);
    $wgLDAPGroupObjectclass = array("LDAP" => "groupofuniquenames");
    $wgLDAPGroupAttribute = array("LDAP" => "uniqueMember");
    $wgLDAPGroupSearchNestedGroups = array("LDAP" => false);
    $wgLDAPGroupNameAttribute = array("LDAP" => "cn");
    $wgLDAPBaseDNs = array("LDAP" => "dc=dir,dc=com");

    1. If you have a lot of entries in your directory server, searches can take a while. You should set a group base DN via $wgLDAPGroupBaseDNs.

      1. Hi Ryan,

        Thank you for the quick response. I added that variable, but it didn’t seem to help.

        Still takes about 20-30 seconds to login. I think we do have a decent sized directory, but I would think it should be faster than this. I only have this problem once I use $wgLDAPRequiredGroups.

        Thanks,
        Ryan

        1. You should enable debugging, and send me the output with sensitive stuff snipped out. There must be something else wrong.

  5. Hey Ryan, hello.

    I am just another guy that has issues with this plugin, was wondering if you can help somehow. My config is as follows:
    running apache using: WAMP -windows server 2003
    running AD using: windows server 2003 (different pc)
    running MediaWiki version 1.16, PHP above 5.2 and ldap plugin v1.2b (alpha)

    Binding phase fails when using “ssl” option
    Binding phase and everything/ account creation etc work when using “clear” option

    I can verify AD connectivity using ldp.exe (GUI util) from the windows srv tools. The server connects from ldap @ port 636 and can bind successfully. Does it make sense to use clear for binding and ssl for session encr.?

    Can you explain a bit on LDAP versus LDAP over SSL so I know, if at least the ssl port works, whether it’s fine to leave the binding as cleartext.

    If anything doesn’t make sense or is missing, e.g. logs etc., please let me know – important info about the log: DOMAIN\\USER-NAME used, doing straight bind which fails, ldaps says connected successfully.

    Thanks in advance.

    1. In PHP, a successful connection doesn’t actually mean a connection was made. The connection isn’t made until you try to bind. You should see the ssl documentation for the extension. Using LDAP without SSL means all traffic is sent across the network in clear text, which would allow people to steal passwords, if they can become a man in the middle, or have access to sniff your network.

      You should also enable the debug log.

      1. Hi, in reply to your comment above:

        I was able to use the plugin with only clear-text binding, so far. Even tried different types of certificates for LDAPS for my AD which didn’t work.

        I’ve read all the relevant documentation for it, followed instructions which still haven’t worked either.

        I guess my main question on that previous post was to verify from you, who have a bit more knowledge on the matter, whether passing binding-phase data through SSL encrypted traffic (which works OK for my wiki site) still makes the bind passwords viewable.

        Overall I was asking if the conf. below is OK:
        SSL for the site/content login forms -enabled
        SSL for binding passwd of AD -disabled

        Also, the logs were enabled the whole time I was doing my testing.

        1. Your credentials are being passed in the clear. You really don’t want to do this.

          Are you sure your Active Directory server even has SSL enabled? It doesn’t by default. Even if it does, most use some kind of internal CA, which your web server will need to trust.

          1. Hi again,

            Ok then I guess I’ll be trying to switch to ldaps:// connection again after your input on the matter. The server with active directory has certificate services installed as well, with a root certificate (5yrs is the default for WS2003 i think) to identify it as a CA.

            It was being used as an internal certificate authority as well for outlook webmail access so the server is SSL enabled overall.

            NOTE:
            As my configurations for both server and test-server have changed a lot by trial-and-error, I have managed to make ldap on php/apache undetectable by your plugin or php overall.

            So, until I fix this general issue I will get back to you. Need to re-trace exactly what I did and fix it and then hopefully I can provide you with more input on the matter.

            ALSO: I used openldap\conf\ as suggested on the doc for windows platform to trust the certificates with both the cert. and key files.
            Until I provide better info or progress,

            Thanks for your input on this issue.

  6. Hi,

    I have set up a wiki with LDAP authentication.

    It works fine as long as I do not try to restrict it to certain groups.

    Hard to debug.

    Any hints?

    Best regards,
    Werz

    1. BTW, can I make it work without a certificate? Or is this impossible?
      As I said, the login works as long as I do not try to restrict via groups. So there must be a working connection between the wiki and the LDAP server.

      But if I try to get the cert from the server… there is none.
      Cheers Werz

      1. You can use “clear” for encryption type, but you should really try to get ssl working properly. See the requirements section of the documentation for this.

    2. I would need to see your config, and your debug log with sensitive stuff snipped out.

    3. Hi Ryan,

      thanks for your fast reply, here are my settings:

      #### LDAP settings
      require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
      $wgAuth = new LdapAuthenticationPlugin();

      #### Uncomment this line to see debug messages:
      $wgLDAPDebug = 3;
      $wgDebugLogGroups["ldap"] = "/tmp/debug.log" ;

      $wgLDAPDomainNames = array("Domain1","Domain2");
      $wgLDAPServerNames = array("Domain1" => "servername.domain1.com", "Domain2" => "serverIP");

      $wgLDAPSearchStrings = array("Domain1" => "Domain1\USER-NAME","Domain2" => "Domain2\USER-NAME");
      $wgLDAPEncryptionType = array("Domain1" => "clear","Domain2" => "clear");

      $wgLDAPUseLocal = false;
      $wgLDAPAddLDAPUsers = false;
      $wgLDAPUpdateLDAP = false;
      $wgLDAPMailPassword = false;
      $wgLDAPRetrievePrefs = true;
      $wgMinimalPasswordLength = 1;

      ### Group permissions
      $wgLDAPRequiredGroups = array("Domain1" => array("cn=it.Wiki_USER,ou=Groups,dc=Domain1,dc=COM"));
      $wgLDAPGroupUseFullDN = array("Domain1" => true);
      $wgLDAPGroupObjectclass = array("Domain1" => "*");
      $wgLDAPGroupAttribute = array("Domain1" => "member");
      $wgLDAPGroupSearchNestedGroups = array("Domain1" => false);
      $wgLDAPGroupNameAttribute = array("Domain1" => "cn");
      $wgLDAPBaseDNs = array("Domain1" => "dc=domain1,dc=com");

      That’s all. Unfortunately it does not work.
      If I comment out $wgLDAPRequiredGroups it works… but of course then anyone can log in… which should not be :-)

      Cheers, Werz

  7. Hi Ryan,

    here is my debug output with $wgLDAPRequiredGroups:

    wiki: Entering validDomain
    wiki: User is using a valid domain.
    wiki: Setting domain as: Domain1
    wiki: Entering getCanonicalName
    wiki: Username isn’t empty.
    wiki: Munged username: Username
    wiki: Entering authenticate
    wiki:
    wiki: Entering Connect
    wiki: Using TLS or not using encryption.
    wiki: Using servers: ldap://servername.domain1.com
    wiki: Connected successfully
    wiki: Entering getSearchString
    wiki: Doing a straight bind
    wiki: userdn is: Domain1\Username
    wiki:
    wiki: Binding as the user
    wiki: Bound successfully
    wiki: Entering getUserDN
    wiki: Created a regular filter: (=Username)
    wiki: Entering getBaseDN
    wiki: basedn is not set for this type of entry, trying to get the default basedn.
    wiki: Entering getBaseDN
    wiki: basedn is dc=domain1,dc=com
    wiki: Using base: dc=domain1,dc=com
    wiki: Couldn’t find an entry
    wiki: Pulled the user’s DN:
    wiki: Entering getGroups
    wiki: Retrieving LDAP group membership
    wiki: Searching for the groups
    wiki: Entering searchGroups
    wiki: Entering getBaseDN
    wiki: basedn is not set for this type of entry, trying to get the default basedn.
    wiki: Entering getBaseDN
    wiki: basedn is dc=domain1,dc=com
    wiki: Search string: (&(member=)(objectclass=*))
    wiki: Returned groups:
    wiki: Entering checkGroups
    wiki: Checking for (new style) group membership
    wiki: Required groups: cn=it.wiki_user,ou=groups,dc=domain1,dc=com
    wiki: Couldn’t find the user in any groups.
    wiki: Entering strict.
    wiki: Returning true in strict().
    wiki: Entering allowPasswordChange
    wiki: Entering modifyUITemplate

    That’s it. Hope you can help me :-)

    Cheers, Paul

  8. hmm still not working… have no clue what is wrong…

    1. Hi Ryan, now it works!

      But I got another question:
      If I use wgLDAPRequiredGroups, what do I have to do to give access to users in different groups?
      I mean something like the user must be in this OR in that group.

      Cheers, Paul Werz

      1. You should use group synch instead of required groups in this scenario. It’ll be easier. I think adding multiple groups to the required groups array may work for this, though (it should be an OR by default).

  9. I am using the latest snapshot of LdapAuthentication 1.2d (2010-11-23), Apache 2.2.14, MediaWiki 1.16.2, our LDAP server requiring protocol 3, SSL. I am not an LDAP admin but have used and configured other clients with our server.

    I am having trouble configuring validating on a filter. I’m not sure if I should be using wgLDAPgroups or not. I’m obviously working against the extension somehow.

    This is what I want if I were using openldap 2.3.33:

    ldapsearch -D "uid=username,ou=authenticate,dc=domain,dc=com" -b "ou=authorize,dc=domain,dc=com" -H ldaps://hostname.domain.com -W "(&(uid=username)(chx=1234))"

    This is what I want if I were using PHP:

    $ds = ldap_connect("ldaps://hostname.domain.com");
    $r = ldap_bind($ds, "cn=username,ou=authenticate,dc=domain,dc=com", "password");
    $sr = ldap_search($ds, "ou=authorize,dc=domain,dc=com", "(&(uid=username)(chx=1234))");

    I can successfully bind to LDAP using your LdapAuthentication but get confused when I try to require an LDAP group.

    Here’s my latest attempt using LdapAuthentication.php. MediaWiki returns “Login error. Incorrect password entered. Please try again.”:

    $wgLDAPDomainNames = array( "myLDAP" );
    $wgLDAPServerNames = array( "myLDAP" => "hostname.domain.com" );
    $wgLDAPUseLocal = false;
    $wgLDAPEncryptionType = array( "myLDAP"=>"ssl" );
    $wgLDAPPort = array( "myLDAP"=>636 );
    $wgLDAPSearchStrings = array("myLDAP"=>"uid=USER-NAME,ou=authenticate,dc=domain,dc=com");
    $wgLDAPBaseDNs = array("myLDAP"=>"ou=authorize,dc=domain,dc=edu" );
    $wgLDAPSearchAttributes = array( "myLDAP"=>"ou=authorize,dc=domain,dc=edu" );
    $wgMinimalPasswordLength = 1;

    $wgLDAPRequiredGroups = array( "myLDAP"=>array("1234") );
    $wgLDAPGroupUseFullDN = array( "myLDAP"=>false );
    $wgLDAPGroupObjectclass = array( "myLDAP"=>"1234" );
    $wgLDAPGroupAttribute = array( "myLDAP"=>"uid" );
    $wgLDAPGroupSearchNestedGroups = array( "myLDAP"=>false );
    $wgLDAPGroupNameAttribute = array( "myLDAP"=>"chx" );
    $wgLDAPDebug = 3;
    $wgLDAPLowerCaseUsername = array( "myLDAP"=>true );

    I also hacked searchGroups() to change the filter to:

    $filter = "(&($attribute=$value)(chx=$objectclass))";

    I get in the $wgDebugLogGroups file:

    2011-05-12 18:48:08 wikidb-mw_: Entering validDomain
    2011-05-12 18:48:08 wikidb-mw_: User is using a valid domain.
    2011-05-12 18:48:08 wikidb-mw_: Setting domain as: myLDAP
    2011-05-12 18:48:08 wikidb-mw_: Entering getCanonicalName
    2011-05-12 18:48:08 wikidb-mw_: Username isn’t empty.
    2011-05-12 18:48:08 wikidb-mw_: Munged username: Username
    2011-05-12 18:48:08 wikidb-mw_: Entering authenticate
    2011-05-12 18:48:08 wikidb-mw_:
    2011-05-12 18:48:08 wikidb-mw_: Entering Connect
    2011-05-12 18:48:08 wikidb-mw_: Using SSL
    2011-05-12 18:48:08 wikidb-mw_: Using servers: ldaps://hostname.domain.com
    2011-05-12 18:48:08 wikidb-mw_: Connected successfully
    2011-05-12 18:48:08 wikidb-mw_: Lowercasing the username: Username
    2011-05-12 18:48:08 wikidb-mw_: Entering getSearchString
    2011-05-12 18:48:08 wikidb-mw_: Doing a straight bind
    2011-05-12 18:48:08 wikidb-mw_: userdn is: uid=username,ou=authenticate,dc=domain,dc=com
    2011-05-12 18:48:08 wikidb-mw_:
    2011-05-12 18:48:08 wikidb-mw_: Binding as the user
    2011-05-12 18:48:08 wikidb-mw_: Bound successfully
    2011-05-12 18:48:08 wikidb-mw_: Entering getGroups
    2011-05-12 18:48:08 wikidb-mw_: Retrieving LDAP group membership
    2011-05-12 18:48:08 wikidb-mw_: Searching for the groups
    2011-05-12 18:48:08 wikidb-mw_: Entering searchGroups
    2011-05-12 18:48:08 wikidb-mw_: Entering getBaseDN
    2011-05-12 18:48:08 wikidb-mw_: basedn is not set for this type of entry, trying to get the default basedn.
    2011-05-12 18:48:08 wikidb-mw_: Entering getBaseDN
    2011-05-12 18:48:08 wikidb-mw_: basedn is ou=authorize,dc=domain,dc=com
    2011-05-12 18:48:08 wikidb-mw_: Search string: (&(uid=username)(chx=1234))
    2011-05-12 18:48:08 wikidb-mw_: Returned groups: uid=username,ou=authenticate,dc=domain,dc=com
    2011-05-12 18:48:08 wikidb-mw_: Entering checkGroups
    2011-05-12 18:48:08 wikidb-mw_: Checking for (new style) group membership
    2011-05-12 18:48:08 wikidb-mw_: Required groups: 3592
    2011-05-12 18:48:08 wikidb-mw_: Checking against: uid=arvin,ou=authenticate,dc=purdue,dc=edu
    2011-05-12 18:48:08 wikidb-mw_: Couldn’t find the user in any groups.
    2011-05-12 18:48:08 wikidb-mw_: Entering strict.
    2011-05-12 18:48:08 wikidb-mw_: Returning true in strict().
    2011-05-12 18:48:08 wikidb-mw_: Entering allowPasswordChange
    2011-05-12 18:48:08 wikidb-mw_: Entering modifyUITemplate

    1. I replied to you on the extension’s support page. I’m not totally sure how you are searching for the groups. The way you are going about it is not a normal LDAP way of handling groups. That said, if you see this response, please respond on the thread on the support page, since it’s a little easier for me to see.

  10. Hi,

    I also get the wrong password message; here are my settings:

    require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
    $wgAuth = new LdapAuthenticationPlugin();

    $wgLDAPDomainNames = array( "domain.com" );
    $wgLDAPServerNames = array( "domain.com" => "x.x.x.x y.y.y.y z.z.z.z " );
    $wgLDAPSearchStrings = array( "domain.com" => "USER-NAME@domain.com" );
    $wgLDAPEncryptionType = array( "domain.com" => "ssl" );
    $wgLDAPUseLocal=false;
    $wgShowExceptionDetails = true;
    $wgLDAPAddLDAPUsers = false;
    $wgLDAPUpdateLDAP = false;

    $wgLDAPDebug = 3;
    $wgDebugLogGroups["ldap"] = "/tmp/debug.log" ;

    —– From the log /tmp/debug.log ——-

    2011-06-15 08:42:01 knowledgebase-pss_: Entering validDomain
    2011-06-15 08:42:01 knowledgebase-pss_: User is using a valid domain.
    2011-06-15 08:42:01 knowledgebase-pss_: Setting domain as: domain.com
    2011-06-15 08:42:01 knowledgebase-pss_: Entering getCanonicalName
    2011-06-15 08:42:01 knowledgebase-pss_: Username isn’t empty.
    2011-06-15 08:42:01 knowledgebase-pss_: Munged username: myuser
    2011-06-15 08:42:01 knowledgebase-pss_: Entering userExists
    2011-06-15 08:42:01 knowledgebase-pss_:
    2011-06-15 08:42:01 knowledgebase-pss_: Entering authenticate
    2011-06-15 08:42:01 knowledgebase-pss_:
    2011-06-15 08:42:01 knowledgebase-pss_: Entering Connect
    2011-06-15 08:42:01 knowledgebase-pss_: Using SSL
    2011-06-15 08:42:01 knowledgebase-pss_: Using servers: ldaps://x.x.x.x ldaps://y.y.y.y ldaps://z.z.z.z
    2011-06-15 08:42:01 knowledgebase-pss_: Connected successfully
    2011-06-15 08:42:01 knowledgebase-pss_: Entering getSearchString
    2011-06-15 08:42:01 knowledgebase-pss_: Doing a straight bind
    2011-06-15 08:42:01 knowledgebase-pss_: userdn is: myuser@domain.com
    2011-06-15 08:42:01 knowledgebase-pss_:
    2011-06-15 08:42:01 knowledgebase-pss_: Binding as the user
    2011-06-15 08:42:01 knowledgebase-pss_: Failed to bind as myuser@domain.com
    2011-06-15 08:42:01 knowledgebase-pss_: Entering allowPasswordChange
    2011-06-15 08:42:01 knowledgebase-pss_: Entering modifyUITemplate

    Don’t know where to start really. Thanks!

  11. I just wanted to say thank you for everyone’s comments. You guys helped me out so much.
    I just wanted a small wiki my small team of IT guys could use on our intranet.

    My Setup:
    I was running Mediawiki on a Windows 2008 computer using Wamp, trying to connect to a 2008 AD. I could get it to connect, but only using clear passwords. I was able to later do a work around by putting in the line
    TLS_REQCERT never
    in my ldap.conf file in c:\openldap\sysconf.

    But I needed better, the likelihood that we would get a MitM, or a DNS hijack is slim, but I still couldn’t sleep well unless I got the certificates working.

    My fix was not to use openssl to pull the certificate off the server using –

    "openssl s_client -connect adserver1.testad.example.com:636"

    Instead what I had to do was install Active Directory Certificate Services on my DC. Then follow this website to make a self signed cert – very easy to follow.
    http://www.christowles.com/2010/11/enable-ldap-over-ssl-ldaps-on-windows.html

    Once I had a certificate I exported the certificate as a .cer file to my wamp server inside my c:\openldap\sysconf folder and edited the ldap.conf file to TLS_CACERT c:\openldap\sysconf\dc1.cer

    SSL now works! Seriously this all took me several days just gathering all the right info and troubleshooting. That last little bit saved me. Active Directory doesn’t support ssl out of the box. No wonder it wasn’t working.

  12. I have a problem. I have installed MediaWiki on a Debian server. Since I need to access it using Active Directory, I have added the LDAP Authentication extension and added the following code to LocalSettings.php.

    # LDAP validation
    require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
    require_once( "$IP/extensions/LdapAuthentication/LdapAutoAuthentication.php" );

    $wgAuth = new LdapAuthenticationPlugin();

    //Names of the domains you will use.
    $wgLDAPDomainNames = array("indar.local");

    //Mapping between the domain name and the DNS name of the machine that will do the validation.
    $wgLDAPServerNames = array("indar.local"=>"192.168.1.108");

    $wgLDAPSearchStrings = array( "indar.local" => "USER-NAME@indar.local" );

    //Encryption for LDAP requests.
    $wgLDAPEncryptionType = array( "indar.local" => "ssl" );

    //We can allow the wiki's local authentication to coexist with LDAP.
    $wgLDAPUseLocal = true;

    $wgMinimalPasswordLength = 1;

    //Tell it what the base of the query is
    $wgLDAPBaseDNs = array("indar.local"=>"dc=indar,dc=local");

    $wgLDAPSearchAttributes = array("indar.local"=>"sAMAccountName");
    //$wgLDAPSearchAttributes = array("indar.local"=>"uid");

    $wgLDAPRetrievePrefs = array("indar.local"=>true);

    //We use LDAP groups for the group policies:
    $wgLDAPGroupsPrevail = array("indar.local"=>true);
    $wgLDAPGroupNameAttribute = array("indar.local"=>"cn");

    I try to log in to my wiki as the administrator and it does log me in, but when I log in with my own name and password it tells me “La contraseña indicada es incorrecta. Por favor, inténtalo de nuevo.”

    What am I doing wrong that, once all of that is done, I get this error?

    Thanks for helping me

  13. I’ve been busy trying to set up LDAP on Semantic MediaWiki. It works in a way that I can log in. However I cannot get the group membership information working. This means that LDAP can determine which groups this user belongs to.
    In my LocalSettings.php I have enabled the memberof, but the debug info keeps saying the following: “memberOf attribute isn’t set”. Please can someone help to figure out what I do wrong?

    This is a snippet of my LocalSettings.php

    require_once ("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
    $wgAuth = new LdapAuthenticationPlugin();

    $wgLDAPDebug = 6;
    $wgDebugLogGroups["ldap"] = "C:/xampp/htdocs/ldap.log" ;

    // Connection to AD
    $wgLDAPDomainNames = array("domain1");
    $wgLDAPServerNames = array("domain1"=>'domain1.intra' );
    $wgLDAPSearchStrings = array("domain1"=>"USER-NAME@mySite.com");
    $wgLDAPEncryptionType = array("domain1" => "ssl",
    "domain1" => "tls",
    "domain1" => "clear");

    $wgLDAPGroupUseFullDN = array("domain1"=>true);
    $wgLDAPLowerCaseUsername = array('domain1' => true);
    $wgLDAPBaseDNs = array("domain1"=>'dc=domain1,dc=com');
    $wgLDAPSearchAttributes = array("domain1"=>'sAMAccountName');
    $wgLDAPGroupsUseMemberOf = array("domain1"=>true);

    $wgLDAPGroupObjectclass = array("domain1"=>"group");
    $wgLDAPGroupAttribute = array("domain1"=>"member");
    $wgLDAPGroupNameAttribute = array("domain1"=>"cn");

    The following is a snippet of the log file:
    mywiki 1.2e Binding as the user
    mywiki 1.2e Bound successfully
    mywiki 1.2e Entering getUserDN
    mywiki 1.2e Created a regular filter: (sAMAccountName=thisuser)
    mywiki 1.2e Entering getBaseDN
    mywiki 1.2e basedn is not set for this type of entry, trying to get the default basedn.
    mywiki 1.2e Entering getBaseDN
    mywiki 1.2e basedn is dc=domain1,dc=com
    mywiki 1.2e Using base: dc=domain1,dc=com
    mywiki 1.2e Couldn’t find an entry
    mywiki 1.2e Pulled the user’s DN:
    mywiki 1.2e Entering getGroups
    mywiki 1.2e Retrieving LDAP group membership
    mywiki 1.2e Using memberOf
    mywiki 1.2e memberOf attribute isn’t set
    mywiki 1.2e Entering checkGroups
    mywiki 1.2e Entering getPreferences
    mywiki 1.2e Retrieving preferences
    mywiki 1.2e Entering synchUsername
    mywiki 1.2e Authentication passed
    mywiki 1.2e Entering updateUser
    mywiki 1.2e Setting user preferences.
    mywiki 1.2e Setting user groups.
    mywiki 1.2e Entering setGroups.
    mywiki 1.2e Adding all groups to wgGroupPermissions:
    mywiki 1.2e Locally managed groups is unset, using defaults: bot::sysop::bureaucrat
    mywiki 1.2e Available groups are: bot::sysop::bureaucrat
    mywiki 1.2e Effective groups are: *::user::autoconfirmed
    mywiki 1.2e Checking to see if user is in: bot
    mywiki 1.2e Entering hasLDAPGroup
    mywiki 1.2e Checking to see if user is in: sysop
    mywiki 1.2e Entering hasLDAPGroup
    mywiki 1.2e Checking to see if user is in: bureaucrat
    mywiki 1.2e Entering hasLDAPGroup
    mywiki 1.2e Checking to see if user is in: mygroup
    mywiki 1.2e Entering hasLDAPGroup
    mywiki 1.2e Saving user settings.

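To read a trace like the one above, here is a small added example (not from the post or from the plugin) that pulls the search filter, base DN and resulting user DN out of the plugin's debug lines and states why the group lookup came back empty even though the bind succeeded. The log text is a constructed copy of the messages quoted above.

```python
import re

# Constructed excerpt of the LdapAuthentication debug output quoted above
# (same messages, same "<wiki> <version> <message>" prefix).
SAMPLE_LOG = """\
mywiki 1.2e Binding as the user
mywiki 1.2e Bound successfully
mywiki 1.2e Entering getUserDN
mywiki 1.2e Created a regular filter: (sAMAccountName=thisuser)
mywiki 1.2e Using base: dc=domain1,dc=com
mywiki 1.2e Couldn’t find an entry
mywiki 1.2e Pulled the user’s DN:
mywiki 1.2e Entering getGroups
mywiki 1.2e Using memberOf
mywiki 1.2e memberOf attribute isn’t set
mywiki 1.2e Authentication passed
mywiki 1.2e Effective groups are: *::user::autoconfirmed
"""

LINE_RE = re.compile(r"^\S+ \S+ (?P<msg>.*)$")  # "<wiki> <version> <message>"


def parse_messages(text):
    """Return the message part of each log line, with curly apostrophes normalised."""
    msgs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip().replace("\u2019", "'"))
        if m:
            msgs.append(m.group("msg"))
    return msgs


def diagnose(text):
    """Explain why group synchronisation failed although the login succeeded."""
    msgs = parse_messages(text)
    info = {}
    for msg in msgs:
        for key, prefix in (("filter", "Created a regular filter:"),
                            ("base", "Using base:"),
                            ("user_dn", "Pulled the user's DN:"),
                            ("effective_groups", "Effective groups are:")):
            if msg.startswith(prefix):
                info[key] = msg[len(prefix):].strip()
    info["effective_groups"] = info.get("effective_groups", "").split("::")
    problems = []
    if not info.get("user_dn"):  # empty DN: the sAMAccountName search found nothing
        problems.append("search %s under base %s matched no entry, so the user DN is empty"
                        % (info.get("filter"), info.get("base")))
    if "memberOf attribute isn't set" in msgs:
        problems.append("memberOf lookup ran on an empty DN, so no AD groups came back")
    if "Authentication passed" in msgs and problems:
        problems.append("the bind-as-user login itself succeeded; only the search base "
                        "or filter used for the group lookup needs fixing")
    info["problems"] = problems
    return info
```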

  14. Some notes on my experience:
    I was setting up an internal-only wiki and wanted to use LDAP authentication.
    Active Directory (circa 2003) under the hood.
    In this example I am running IIS 7.5.
    I had to:
    1. Create a new user to act as the proxy agent. I assume you know how to create an AD user.

    2. Change the application pool to run as that user.
    2a. This is accomplished in IIS Manager.
    2b. Click on the site that was created for MediaWiki (in my case it was MediaWiki).
    2c. Open the Authentication subsection.
    Right-click on Anonymous Authentication, click Edit.
    2d. Change the specific user to DOMAIN\\webagent.
    2e. Restart the IIS services by right-clicking on the server and selecting STOP, then repeating and selecting START.
    3. Add the following lines to LocalSettings.php:
    ## LDAP Authentication extension start ##
    require_once ("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
    $wgAuth = new LdapAuthenticationPlugin();

    # Set the domain short name.
    $wgLDAPDomainNames = array( 'MYDOMAIN' );

    # Set names or IP addresses of AD servers.
    $wgLDAPServerNames = array( 'MYDOMAIN' => 'Adserver1.MYDOMAIN.com Adserver2.MYDOMAIN.com Adserver3.MYDOMAIN.com' );

    # Tell the plugin how to authenticate.
    # Note: USER-NAME is a special string and should not be changed.
    $wgLDAPSearchStrings = array( "MYDOMAIN" => "USER-NAME@MYDOMAIN" );

    # Set the encryption type.
    $wgLDAPEncryptionType = array( 'MYDOMAIN' => 'sasl' );
    $wgLDAPGroupUseFullDN = array( "MYDOMAIN" => true );
    $wgLDAPGroupObjectclass = array( "MYDOMAIN" => "group" );
    $wgLDAPGroupAttribute = array( "MYDOMAIN" => "member" );
    $wgLDAPGroupSearchNestedGroups = array( "MYDOMAIN" => true );
    $wgLDAPGroupNameAttribute = array( "MYDOMAIN" => "cn" );
    $wgLDAPBaseDNs = array( "MYDOMAIN" => "dc=MYDOMAIN,dc=COM" );
    $wgLDAPSearchAttributes = array( 'MYDOMAIN' => 'sAMAccountName' );
    $wgMinimalPasswordLength = 1;
    $wgLDAPProxyAgent = array( 'MYDOMAIN' => 'CN=Web Agent,OU=MYORGANIZATIONALUNIT,OU=MYOTHEROU,DC=MYDOMAIN,DC=COM' );
    $wgLDAPProxyAgentPassword = array( 'MYDOMAIN' => 'MYAAGENTPASSWORD' );
    ## LDAP Authentication extension end ##

    Special notes: I specified SASL for the encryption intentionally, as my reading suggests that self-signed certificates can, in certain situations, be a hazard. Also, the reliance on a 3rd-party provider is not my preference.
    While the documentation does not state that SASL is supported, it appears to work perfectly. In my tests, the logins/passwords are NOT being sent in cleartext, but rather leverage the underlying Kerberos technology to handle the cipher work. To test this I used a Windows 7 PC with Wireshark v1.8.6 on a managed switch where I mirrored the port to which the AD server was connected.

    References:
    http://support.microsoft.com/kb/321051
    http://msdn.microsoft.com/en-us/library/cc223498.aspx
    http://kb.iu.edu/data/acjj.html


  15. Hi Ryan,

    I tried to follow your instructions but cannot list the certificate.
    What's wrong?

    openssl s_client -connect ad-server:636
    CONNECTED(00000003)
    write:errno=104
    no peer certificate available
    No client certificate CA names sent
    SSL handshake has read 0 bytes and written 305 bytes
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE


    1. It looks like your AD server doesn’t have a certificate enabled (SSL isn’t enabled).


      1. Hi Ryan,

        Thanks for this reply.
        I'm pretty sure that you're right. I don't have an SSL certificate on my AD.
        Now, what is the best solution? Do you have a best practice? I don't want to install a CA on my AD or create a self-signed certificate just to bind my wiki with my AD.
        Is there another solution? Perhaps using native Kerberos?


        1. Well, you could use clear, rather than ssl or tls, but it’s not very recommended. Kerberos isn’t supported.

