Using the LDAP Authentication Plugin for MediaWiki - The Basics (Part 1)

103 Responses to “Using the LDAP Authentication Plugin for MediaWiki – The Basics (Part 1)”

eDRoaCH says:

April 17, 2009 at 11:24 pm

Thanks so much for this series of posts, its very much what is needed. I did not yet see a link back from your plugin page, you may want to put that up near the top.

BTW- your tags completely fail in IE, cant even read the text.

Reply
- Ryan Lane says:
  
  April 18, 2009 at 12:26 am
  
  Argh, IE. I tested the theme at one point in time in IE, but something broke along the way (I’ve done template modifications). I think something got cached improperly in one of the in between states. I think I have it fixed now.
  
  Like I mention on my plugin page, I don’t have a suitable Windows test environment; so, like most things, Microsoft products kind of lag behind in support.
  
  Thanks for the comment. I’m glad to know the post is helpful!
  
  Reply
  - eDRoaCH says:
    
    April 22, 2009 at 8:27 pm
    
    I know I know, everyone hates IE. With 6 there was good reason, but I quite like 7, plan to upgrade to 8 very soon.
    
    Anyway it now works for all but 3 of them, i believe because the lines are too long causing the scoll bar to appear and cover everything up.
    
    Reply
eDRoaCH says:

April 22, 2009 at 11:58 pm

Not sure if you want this here, but…
I’ve got everything working until the SSL key import. I am simply not sure how to import it under Ubuntu 8.04. All tutorials I have found talk about setting up a domain server, which is beyond what I want. there is supposed to be an /etc/ldap/ldap.conf and a /etc/ldap.conf. I have the first one but not the second.

With SSL everything is just fine till an inexplicable ‘Failed to bind as my_name@THEDOMAIN. I did have to hack underscores into your script via the tip on the talk page of the plugin.

Reply
- Ryan Lane says:
  
  April 23, 2009 at 2:16 pm
  
  Funny enough, I’ve never used the ldap plugin on debian/ubuntu. However….
  
  It looks like you need the libpam-ldap libnss-ldap nss-updatedb libnss-db packages installed. It also looks like ubuntu has the files /etc/libnss-ldap.conf and /etc/pam_ldap.conf.
  
  You want to ensure /etc/libnss-ldap.conf is correct. This is likely the file that will affect PHP, unless php5-ldap uses a separate config file. /etc/openldap/ldap.conf in fedora (/etc/libnss_ldap.conf in ubuntu) is used for all openldap client configuration, and /etc/ldap.conf (/etc/pam_ldap.conf in ubuntu) is used for pam ldap configuration. I usually just link one to the other; I’m not sure how that would affect ubuntu though.
  
  Reply
eDRoaCH says:

April 23, 2009 at 6:47 pm

Is it possible to get more info than

Binding as the user
Failed to bind as NKUSA\My_Username
with password: MyPassword
Entering allowPasswordChange
Entering modifyUITemplate

I have tried with the username@domain format as well, and recently hard-coded the username in the localsettings.php file.
Debug level 4, everything above (connecting to ldaps, etc) is successful

Reply
- Ryan Lane says:
  
  April 23, 2009 at 9:08 pm
  
  Check your Active Directory server and see if you are even binding. Just because the debug logs say the plugin connected successfully, doesn’t mean it did. In PHP, the ldap connect method returns success if it initializes its connection parameters (if you have php5-ldap, it’ll return success). I should really change the debug to say something other than “connected successfully” since it is somewhat misleading.
  
  Try connecting to your AD server from the command line with ldapsearch:
```
ldapsearch -x -D "username@fully.qualified.domain" -W -b "root" '(samaccountname=)'
```
  You can find the above root for your domain by running:
```
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
```
  It’ll likely look like: DC=fully,DC=qualified,DC=domain
  
  If the ldapsearch won’t complete because it doesn’t trust your AD server, then PHP won’t work either.
  
  Reply
eDRoaCH says:

April 27, 2009 at 6:49 pm

Finally got it. Stupid mistake of mine I guess. I had domain\USER-NAME I did not add the .local though. I changed it to USER-NAME@domain.local (looked to weird the other way) and it is working!

I still have to change TLS_REQCERT never to use the cert I downloaded instead, is there a preferred extension/location for the cert? I plan on just dropping it in /etc/ldap/ if not.

Also, this is not a fancy setup, just making it so all domain users have an account as long as their AD account is active. So I shouldn’t need groups/etc. That should make me ‘done’ after this part of the tutorial, but I want to make sure of a few things
1. users cant use local authentication to the wiki (mediawiki default)
2. password recovery email will not work (security issue)
3. How can I check if my domain user is a sysop?

I posted over on Ubuntuforums and was given a link to a very nice AD testing script, may be useful to other readers: http://ubuntuforums.org/showthread.php?t=1140020
Here’s the script
http://adldap.sourceforge.net/wiki/doku.php?id=api

Thanks much for the help!

Reply
- Ryan Lane says:
  
  April 27, 2009 at 7:16 pm
  
  1. As long as you don’t have $wgLDAPUseLocal = true; user’s can’t use local authentication
  2. This shouldn’t work. In fact, as far as I can see on my wiki, I don’t even see a way to try it. It is disabled.
  3. Starting from the toolbox on the bottom left, click on Special pages->User rights management; then enter your (wiki) user name. You should really make your user a sysop before enabling LDAP.
  
  Glad to see you have it working.
  
  Reply
eDRoaCH says:

April 27, 2009 at 8:32 pm

Answering my own questions…
TLS_CACERT /etc/ldap/cacerts/nkusa2.crt added to /etc/ldap/ldap.conf works great. The reason there’s a 2 there is I had to remove the
—–BEGIN CERTIFICATE—– and
—–END CERTIFICATE—– to get it to work.

As for 3. I added myself as an Sysop and Bureaucrat, but when I log in I am not one. As all of my domain logins use underscores, I assumed that the mediawiki user should not have an underscore. Am I wrong in that or am I missing something?

Reply
- Ryan Lane says:
  
  April 27, 2009 at 10:46 pm
  
  I’m betting the underscore stuff is causing your issues. MediaWiki turns underscores into spaces. I don’t have any experience with any of the underscore hacks around. I’d recommend seeing if you have multiple user accounts created. Check out this post for other ways to make yourself a sysop:
  
  http://mwusers.com/forums/showthread.php?t=9500
  
  Reply
Ahriman says:

May 22, 2009 at 7:59 pm

I’m not sure if this is a newbie stupid question, but here it goes anyway.

I’m trying to set up a wiki using AD authentication in a very simple way (single domain requiring search before binding, using a proxy agent). My personal AD user is the only wiki’s SysOp and everithing works fine, but one problem is driving me crazy…

When I try to create a new wiki user (using my SysOp user) I must provide the user’s AD password in order to create it. Is there a way to create a new user without having to suply its AD password (of course I want it authenticate against its AD password when it will use wiki after its creation)?

Thank you so much!
(sorry for my poor English)

Reply
- Ryan Lane says:
  
  June 3, 2009 at 7:43 pm
  
  I’m pretty sure you asked this question on the support page over at mediawiki.org. I answered your question there.
  
  Reply
DGseam says:

June 17, 2009 at 5:09 pm

I’m getting a blank page on site now; and verified as much from this information as possible. I can bind to AD through LDAP Search, but the following appears in my httpd error_logs:
[client 192.168.30.209] PHP Fatal error: Class ldapauthenticationplugin: Cannot inherit from undefined class authplugin in /var/www/html/wiki/extensions/LdapAuthentication/LdapAuthentication.php on line 65

I’ve tried both the 1.2a and 1.2b versions of the LdapAuthentication.php file.. and both produce same error.

Reply
- Ryan Lane says:
  
  June 17, 2009 at 9:11 pm
  
  You are adding the LDAP configuration at the bottom of the LocalSettings.php file right?
  
  Reply
  - DGseam says:
    
    June 18, 2009 at 3:04 am
    
    Yes, the tail of my LocalSettings.php is as follows:
    (note I’ve tried varied configurations for array settings of AD – below represents the latest..)
    
    $wgLDAPDebug = 3;
    $wgDebugLogGroups["ldap"] = “/tmp/debug.log” ;
    require_once( “$IP/extensions/LdapAuthentication/LdapAuthentication.php” );
    $wgAuth = new LdapAuthenticationPlugin();
    $wgLDAPDomainNames = array( “STI”,”seamlessti” );
    $wgLDAPServerNames = array( “STI” => “EXCHANGE07.seamlessti.com”, “seamlessti”=>”exchange07.seamlessti.com” );
    $wgLDAPSearchStrings = array( “STI” => “STI\\USER-NAME”, “seamlessti”=>”STI\\USER-NAME” );
    $wgLDAPEncryptionType = array( “STI” => “ssl”, “seamlessti”=> “ssl” );
    ?>
    
    Reply
    - Ryan Lane says:
      
      June 18, 2009 at 2:04 pm
      
      Essentially, PHP is telling you that it can’t find the AuthPlugin class, that is defined in MediaWiki core. Is this a fresh installation of MediaWiki? Is it one that has been upgraded? If you upgraded, did you simply copy over your old directory?
      
      Your problem seems to be unrelated to the LDAP plugin (unfortunately). Is everything else working properly with MediaWiki?
      
      BTW, you don’t need ?> at the end of your LocalSettings.php file anymore.
      
      Reply
      - D Sherwood says:
        
        June 8, 2010 at 4:48 pm
        
        I was running into the same problem with “Cannot inherit from undefined class authplugin” messages. LdapAuthentication 1.2b , mediawiki 1.6.12 , php 4.3.9-3.29
        
        I got around the problem by adding “require_once( “includes/AuthPlugin.php” ); ” to LocalSettings.php . I’m not sure why I needed to manually include that, since it should be getting included in Setup.php, but once I added that everything started working.
      - Ryan Lane says:
        
        June 8, 2010 at 8:04 pm
        
        MediaWiki 1.6? PHP 4? Wow. Is everyone that is experiencing that problem on that version of MediaWiki? That may be the problem. I haven’t tested the plugin in MediaWiki 1.6 in years. I’m surprised and impressed it works :).
helpdesk says:

July 7, 2009 at 8:54 am

We have tried everything to get the authenticationof our wiki working against AD. I used your plugin but we ALWAYS get “wrong password” message. The wiki is running on a windows2003 server as a member server in our domain. We use xampp for our website.
What could be wrong ?

Below is our config :

require_once( “$IP/extensions/LdapAuthentication/LdapAuthentication.php” );
$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array( “DOMAIN” );
$wgLDAPServerNames = array( “DOMAIN” => “server001.domian.com server010.domian.som” );
$wgLDAPSearchStrings = array( “DOMAIN” => “DOMAIN\\USER-NAME” );
$wgLDAPEncryptionType = array( “DOMAIN” => “ssl” );

//Allow the use of the local database as well as the LDAP database.
//Good for transitional purposes.
//Default: false
$wgLDAPUseLocal = true;

//Don’t automatically create an account for a user if the account exists in LDAP
//but not in MediaWiki.
//Default: false.
$wgLDAPDisableAutoCreate = array(
“DOMAIN”=>false
);

//Shortest password a user is allowed to login using. Notice that 1 is the minimum so that
//when using a local domain, local users cannot login as domain users (as domain user’s
//passwords are not stored)
//Default: 0
$wgMinimalPasswordLength = 1;

Reply
- Ryan Lane says:
  
  July 7, 2009 at 6:02 pm
  
  Please send in your debug output. It is difficult to troubleshoot your problem without it. Put the following at the end of your LDAP configuration:
  
  $wgLDAPDebug = 3; $wgDebugLogGroups["ldap"] = "/tmp/debug.log" ;
  
  Make sure you replace /tmp/debug.log with a valid path/filename on your system.
  
  Also, make sure you’ve read the FAQ about Windows:
  
  http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/FAQ#How_do_I_configure_PHP_with_LDAP_on_Windows.3F
  
  http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/FAQ#How_do_I_fix_certificate_trust_issues_with_LDAPS_or_LDAP_with_StartTLS_on_Windows.3F
  
  Also, as mentioned in the donation section: I don’t have access to Windows for testing, so my support may be fairly limited here.
  
  Reply
  - helpdesk says:
    
    July 8, 2009 at 9:42 am
    
    I can’t seem to get the log path to work. I created a tmp folder inside de wiki dir, inside the htdocs dir and the logile is not beiong created.
    
    wgLDAPDebug = 3;
    $wgDebugLogGroups["ldap"] = “/tmp/LdapPlugin.log” ;
    
    Reply
    - Ryan Lane says:
      
      July 8, 2009 at 2:08 pm
      
      I haven’t tried this on Windows; however, I mentioned that you should choose an appropriate directory and file. This should probably be something like “C:\temp\ldapplugin.log”. /tmp isn’t a valid path on a Windows system AFAIK.
      
      Reply
      - heldesk says:
        
        July 15, 2009 at 7:13 am
        
        tried this :
        ## Debugging settings
        $wgShowExceptionDetails = true;
        $wgLDAPDebug = 3;
        $wgDebugLogGroups["ldap"] = “D:\xampp\htdocs\wiki\tmp\LdapPlugin.log” ;
        
        does not work ….
RM says:

July 14, 2009 at 5:28 pm

I am stuck at the step where we have to find the AD’s cert.

root@mediawiki:~# openssl s_client -connect myserver.test.name:636
CONNECTED(00000003)
4567:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

I get the same error at port 389.
I have googled it high and low but am unable to solve the problem.

BTW, my mediawiki is a Turnkey Linux appliance VM (Ubuntu-based)

Someone please help me!

Reply
- RM says:
  
  July 14, 2009 at 6:15 pm
  
  Well I found out the issue.
  
  1. our AD is not using SSL (AFAIK by default AD does NOT use SSL) so this line is changed to :
  
  $wgLDAPEncryptionType = array( “ASPDEV” => “clear” );
  
  2. You need to fully qualify the user-name; like this:
  
  $wgLDAPSearchStrings = array( “ASPDEV” => “USER-NAME@test.name” );
  
  After these two changes, I am in !
  
  One comment though…..it should give a “successfully logged in” type message. Instead, it returns to the login page…….making users think that the logon was not successful.
  
  But at the top right corner of the page we can see the “log out” button.
  
  Thanks for this plugin !
  
  Reply
RM says:

July 14, 2009 at 6:21 pm

pl ignore my last paragraph….now mediawiki is going to the “main page” after successful authentication. I guess that is OK too (instead of the “successful login ” message.

Reply
- Ryan Lane says:
  
  July 15, 2009 at 10:52 pm
  
  Glad to see you got this working without my help :).
  
  Reply
Ranjan says:

August 19, 2009 at 6:42 am

HI,

I have authenticated my WIKI site with the LDAP authencation. Instead of domain name i used the IP address of the system. i had created two users and login to the site succefully. but the problem was next time when i want to login to my wiki site I am not able to login. When I created another new user, again i am able to login but only one time. Please help.

Reply
- Ryan Lane says:
  
  August 19, 2009 at 7:55 pm
  
  That seems like a strange issue. I’ll need you to post your configuration, and debug info with sensitive stuff snipped out.
  
  Reply
  - Ranjan says:
    
    August 21, 2009 at 6:25 am
    
    Thanks Ryan for the reply. we are using Server 2003 & IIS 6.0. here is the configuration for LDAP authencation:
    
    require_once( “D:\WIKi/LdapAuthentication/LdapAuthentication.php” );
    $wgAuth = new LdapAuthenticationPlugin();
    
    $wgLDAPDomainNames = array( “***.***.***.***” )
    
    $wgLDAPSearchStrings = array( “***.**.***.***” => “Administrator@”***.**.***.***”" );
    
    I am using the Server IP address instead of Domain name. I have not configured the SSL & Certificate service.
    
    Please let me know if you need any further information.
    
    Reply
    - Ryan Lane says:
      
      August 21, 2009 at 4:02 pm
      
      You should always use the FQDN of the server whether you have an ssl certain or not. Also, I don’t think user@ip-address will work for binding to AD. It expects to see user@domain.
      
      $wgLDAPDomainNames isn’t the right option to define your server. It is used for other config options and is what the end-user sees in the drop down box when logging in. $wgLDAPServerNames is the right option for that.
      
      Reply
Ranjan says:

August 25, 2009 at 9:20 am

Hi Ryan Thanks for the reply. I changed to the FQDN of my Server. but still i am getting the above errors. Please let me know if i have to change somethning else.

Reply
- Ryan Lane says:
  
  August 27, 2009 at 3:31 am
  
  Your confguration should look like this:
```
require_once( "$IP/extensions/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array( “MYDOMAIN” );

$wgLDAPServerNames = array( "MYDOMAIN" => "mydomain.example.com" );

$wgLDAPSearchStrings = array( “MYDOMAIN” => “USER-NAME@MYDOMAIN.EXAMPLE.COM" );
```
  Note in the above section that USER-NAME is a special string and shouldn’t be changed.
  
  Reply
RM says:

September 23, 2009 at 4:07 pm

I posted earlier here and I was successful in getting this working on one server.

Today when I created another server and installed the same version of Mediawiki and this LDAP extension, with the exact same LocalSettings.php file……….it is not working !

This is very strange.

Where do I start troubleshooting?
Is there a logfile something to look for?

Reply
- RM says:
  
  September 23, 2009 at 6:22 pm
  
  I solved my problem!
  
  Pasted the solution here:
  
  http://www.mediawiki.org/wiki/Extension_talk:LDAP_Authentication#White_page
  
  Thanks Ryan!
  
  Reply
AH says:

November 6, 2009 at 12:33 am

I am new to this so excuse me if its a dumb question but I can’t bind as the user, I’ve included the debug below

Entering validDomain
User is using a valid domain.
Setting domain as: *
Entering getCanonicalName
Username isn’t empty.
Munged username: *
Entering authenticate

Entering Connect
Using SSL
Using servers: ldaps://**.**.**.**
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: ***

Binding as the user
Failed to bind as ***
Entering strict.
Returning true in strict().
Entering allowPasswordChange
Entering modifyUITemplate

Reply
- Ryan Lane says:
  
  November 6, 2009 at 2:35 am
  
  You snipped out a little too much sensitive information :). I can’t see what the format of the username is. Also, you should post your configuration, since it is difficult for me to figure out how you configured the plugin just looking at the debug output.
  
  Reply
Charles says:

November 23, 2009 at 5:15 pm

Hi,

I’ve got some difficulties to get work fine ldap extension.

I downloaded the dll 1.2a from mediawiki, put it in my extension/LDAP directory, and put into LocalSettings.php this :

require_once( “$IP/extensions/LDAP/LdapAuthentication.php” );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( “BDDF-LDAP” );
$wgLDAPServerNames = array( “BDDF-LDAP” => “directory.echonet” );
$wgLDAPEncryptionType = array( “BDDF-LDAP” => “clear” );
$wgLDAPSearchStrings = array( “BDDF-LDAP” => “uid=user_bddf,ou=FR,ou=EUROPE,o=GROUP” );
#$wgLDAPSearchAttributes = array( “testLDAPdomain” => “uid” );
#$wgLDAPBaseDNs = array( “BDDF-LDAP” => “dc=directory,dc=echonet” );
#$wgLDAPGroupBaseDNs = array( “BDDF-LDAP” => “ou=EUROPE,o=GROUP” );
#$wgLDAPUserBaseDNs = array( “BDDF-LDAP” => “ou=FR,ou=EUROPE,o=GROUP” );
$wgLDAPUseLocal = true;
$wgMinimalPasswordLength = 1;
$wgLDAPDebug = 3; // 3 is a lot

I know just little things about my ldap server : adress, o & ou, and the user connection for browse the ldap.

I do not have encryption.

I don’t understand why i can’t authentify myself on the ldap. The only error i have is “Bad password”, but i don’t know if i arrive to the ldap server !

Thanks you very much for your help ;)

Charles

Reply
- Charles says:
  
  December 1, 2009 at 2:22 pm
  
  Hi,
  
  I tried this :
  
  $wgAuth = new LdapAuthenticationPlugin();
  $wgLDAPDomainNames = array( “ldap” );
  $wgLDAPServerNames = array( “ldap” => “directory.echonet” );
  $wgLDAPEncryptionType = array( “ldap” => “clear” );
  $wgLDAPSearchStrings = array( “ldap” => “cn=uid”, “ou=EUROPE”,”ou=GROUP”, “ou=FR” );
  $wgLDAPSearchAttributes = array( “ldap” => “uid” );
  //$wgLDAPBaseDNs = array( “ldap” => “ou=EUROPE,ou=GROUPE,ou=FR” );
  $wgLDAPBaseDNs = array( “ldap” => “dc=directory.echonet” );
  //$wgLDAPGroupBaseDNs = array( “ldap” => “ou=EUROPE,o=GROUP” );
  //$wgLDAPUserBaseDNs = array( “ldap” => “ou=FR,ou=EUROPE,o=GROUP” );
  $wgLDAPUseLocal = true;
  $wgLDAPAddLDAPUsers = false;
  $wgLDAPUpdateLDAP = false;
  $wgMinimalPasswordLength = 1;
  $wgLDAPDebug = 3; // 3 is a lot
  $wgShowExceptionDetails = true;
  
  But the only thing i had is the debug log is :
  LoginForm::attemptAutoCreate: $wgAuth->authenticate() returned false, aborting
  
  Reply
  - Charles says:
    
    December 2, 2009 at 1:24 pm
    
    It works !!!
    
    require_once( “$IP/extensions/LDAP/LdapAuthentication.php” );
    $wgAuth = new LdapAuthenticationPlugin();
    $wgLDAPDomainNames = array( “ldap” );
    $wgLDAPServerNames = array( “ldap” => “directory.echonet” );
    $wgLDAPEncryptionType = array( “ldap” => “clear” );
    $wgLDAPSearchAttributes = array( “ldap” => “uid” );
    $wgLDAPBaseDNs = array( “ldap” => “ou=FR,ou=EUROPE,o=GROUP” );
    $wgLDAPUseLocal = true;
    $wgLDAPAddLDAPUsers = false;
    $wgLDAPUpdateLDAP = false;
    $wgMinimalPasswordLength = 1;
    $wgLDAPDebug = 1; // 3 is a lot
    $wgShowExceptionDetails = true;
    
    Thans a lot for the plugin ;)
    
    Reply
Bill says:

November 30, 2009 at 9:31 pm

You get nothing but calls for help, so I thought I’d throw you a “Thanks”.

Worked great once I gave up on SSL and just used TLS. This is with an AD on Server 2003 and a windows client on the same domain. Not sure why that works, given your comment that “AD doesn’t support tls”. Shrug.

Other than that, good stuff!

Reply
Michael Fertig says:

November 30, 2009 at 9:46 pm

LDAP configuration for use with Active Directory Domain Controllers running mediawiki on a windows server w/iis may require different settings than those indicated in the instructions on this site.
Here are the settings that worked OK for us.

require_once( “$IP/extensions/LdapAuthentication/LdapAuthentication.php” );
$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array( “xxx” );
$wgLDAPServerNames = array( “xxx” => “server.xxx.local” );
$wgLDAPSearchStrings = array(“xxx” => “xxx\\USER-NAME”);
$wgLDAPEncryptionType = array( “xxx” => “tls” );

In our case of AD, the ldap binds tls method by is what actually occurs between two windows servers by default when doing ldap over port 389. SSL did not function when configured as per instructions here (ldp.exe was able to connect and bind successfully; ldap plugin failed on both counts) Simple bind (clear) worked out of the box with no changes to AD configuration, which other than raising the domain to a 2003 level, is pretty much a default AD installation.
I myself do not have time to do much more looking into this, but I think that using tls over port 389 was the way to go between ms ad and a member server running mediawiki and the plugin. I did verify the encryption using wireshark to view packets transferred between the two servers. simple bind was clear text, but tls encrypted the credentials. We also use an ssl cert on web servers that require non-anonymous authentication.

Reply
Drew says:

December 10, 2009 at 4:48 pm

Trying to get this working using turnkey Mediawiki, but I don’t have /etc/openldap and I don’t see anywhere in the docs where you have to install it.

Do you need openldap installed for this to work? I was under the impression you only need the extension.

Reply
- Ryan Lane says:
  
  December 10, 2009 at 7:59 pm
  
  You need the openldap client libraries installed. I’d imagine that the openldap php extension would have had that as a dependency though. You definitely do not need the server package. Is this an Ubuntu distro, or a Fedora one?
  
  Reply
Thiago says:

December 15, 2009 at 6:05 pm

It works fine, but my AD doesn’t support LDAPS at this moment, so I have to use encryption type ‘clear’.
Best Regards.
Thiago

Reply
Sebas says:

January 12, 2010 at 12:25 pm

Ryan,

Im trying to install the 1.2b version because i need nested group support, but i get the following error:

Warning: require(/srv/http/mediawiki/extensions/LdapAuthentication/LdapAuthentication.i18n.php): failed to open stream: No such file or directory in /srv/http/mediawiki/includes/MessageCache.php on line 808 Fatal error: require(): Failed opening required ‘/srv/http/mediawiki/extensions/LdapAuthentication/LdapAuthentication.i18n.php’ (include_path=’/srv/http/mediawiki:/srv/http/mediawiki/includes:/srv/http/mediawiki/languages:.:/usr/share/pear’) in /srv/http/mediawiki/includes/MessageCache.php on line 808

Any idea’s?

Reply
- Ryan Lane says:
  
  January 18, 2010 at 7:08 pm
  
  That is pretty strange. My extension doesn’t output any text to the user, so there is no reason it should be trying to load i18n… I’ll need to check with the internationalization folks to see what changed.
  
  Reply
Corey says:

February 1, 2010 at 5:55 pm

In case it helps troubleshoot….

With the extension enabled, I get errors referring to the same line of MessageCache.php (808) whenever I try to access a special page, preferences, etc. Those pages simply show up blank. I’m running a fresh install of MediaWiki 1.15 with memcached enabled. The related error indicates “failed to open stream: No such file or directory in /includes/MessageCache.php on line 808″.

Reply
- Ryan Lane says:
  
  February 5, 2010 at 3:42 pm
  
  Ugh. Looks like someone added internationalization to the extension’s description on Special:Version. Now you’ll need to download the i18n file too:
  
  http://svn.wikimedia.org/viewvc/mediawiki/trunk/extensions/LdapAuthentication/LdapAuthentication.i18n.php?revision=61987
  
  Drop that into the same directory as LdapAuthentication.php.
  
  Reply
David Miller says:

February 7, 2010 at 1:25 am

Thank you for the great posting! I was able to get my XAMPP authenticating with active directory! I just want to note that setting the encryption type to clear was required for my setup to work. If I didn’t set the encryption type at all, the correct user and password combo would log me in, but the incorrect combo would throw a warning about TLS not being start- “Unable to start TLS”

Thanks again!

Reply
- Ryan Lane says:
  
  February 9, 2010 at 7:04 pm
  
  That’s a really odd error. If TLS fails, it should always fail. Did you try it with SSL instead of TLS?
  
  Reply
Mike says:

February 11, 2010 at 12:34 am

Hello!

I am getting the error, “Login error
Incorrect password entered. Please try again.” When I try to log in and am banging my head against the wall as to why. I am using Active Directory as the LDAP server (unfortunately).

My configuration in LocalSettings.php seems fine (domain names anonymized):

require_once( “$IP/extensions/LdapAuthentication/LdapAuthentication.php” );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( “MYADDOMAIN” );
$wgLDAPServerNames = array( “MYADDOMAIN” => “dc1.mycompany.com” );
$wgLDAPSearchStrings = array( “MYADDOMAIN” => “USER-NAME@MYADDOMAIN” );
$wgLDAPEncryptionType = array( “MYADDOMAIN” => “ssl” );

Also typing ldapsearch -Hldaps://dc1 -b “” -s base -x -W -D mike@myaddomain from the wiki server works and prints out all sorts of information on my LDAP server.

Most peculiar is that when I watch traffic from the wiki server to the LDAP server while trying to log in, it seems the two servers aren’t talking:

tcpdump -i eth0 -e -vv host 192.168.69.123 shows nothing when I’m logging in. Shouldn’t I see traffic to the LDAP server on 636 at this time?

Can anyone out there give me a kick in the right direction on this? I’d sure appreciate it!

Thanks,
Mike

Reply
Tobias says:

February 16, 2010 at 3:22 pm

After i click on the Logon button i become a HTTP 500 Internal Server error :(

Reply
- Ryan Lane says:
  
  February 17, 2010 at 4:05 am
  
  What shows up in your php logs? If you are getting a 500 error, then there is likely a crash. Without knowing what is crashing, I can’t help.
  
  Reply
  - Mahesh says:
    
    March 9, 2010 at 10:48 pm
    
    Ryan,
    
    I receive the “HTTP 500 – Internal server error” since I edited the localsettings.php.
    
    One of your previous posts said this could due to crash. How can I check the logs.
    
    Thanks
    Mahesh
    
    Reply
    - Ryan Lane says:
      
      March 10, 2010 at 3:07 am
      
      You need to enable your php logs. See php’s documentation on how to do so.
      
      Reply
      - Mahesh says:
        
        March 10, 2010 at 9:06 pm
        
        This is what I have done so far
        
        1. Donwloaded the LDAP plugin and placed it in the /extensions/Ldap Authentication.
        
        2. Created an account in AD, same account exists in Wiki datase with SYSOP access.
        
        3. Added the following to Local Settings.PHP
        
        require_once(“$IP/extensions/LdapAuthentication/LdapAuthentication.php” );
        $wgAuth = new LdapAuthenticationPlugin();
        $wgLDAPDomainNames = array( “DOMAIN” );
        $wgLDAPServerNames = array( “DOMAIN” => “dc01.domain.com dc02.domain.com”);
        $wgLDAPSearchStrings = array( “DOMAIN” => “USER-NAME@DOMAIN” );
        $wgLDAPEncryptionType = array( “DOMAIN” => “clear” );
        $wgLDAPGroupUseFullDN = array( “DOMAIN”=>true );
        $wgLDAPBaseDNs = array( “DOMAIN” => ‘dc=domain,dc=com’ );
        $wgLDAPSearchAttributes = array( “DOMAIN” => ’sAMAccountName’ );
        $wgLDAPGroupsUseMemberOf = array( “DOMAIN” => true );
        $wgLDAPGroupObjectclass = array( “DOMAIN”=>”group” );
        $wgLDAPGroupAttribute = array( “DOMAIN”=>”member” );
        $wgLDAPGroupNameAttribute = array( “DOMAIN”=>”cn” );
        $wgLDAPRequiredGroups = array( “DOMAIN”=> array( “cn=wiki-users,ou=groups,dc=domain,dc=com”));
        $wgLDAPUseLDAPGroups = array( “DOMAIN”=>true );
        $wgGroupPermissions['Wiki-users']['edit'] = true;
        $wgLDAPDebug = 3;
        $wgDebugLogGroups["ldap"] = “/tmp/debug.log” ;
        
        Please let me know what I have missed. I cannot find anything in the “tmp” logs folder.
      - Mahesh says:
        
        March 29, 2010 at 4:42 am
        
        Ryan, can you help me with this. Need to know what I have done wrong here.
      - Ryan Lane says:
        
        March 29, 2010 at 7:06 pm
        
        The following directory shouldn’t be:
        
        /extensions/Ldap Authentication
        
        But, instead, should be be:
        
        /extensions/LdapAuthentication
        
        This may be the reason you are getting a 500 error.
John says:

March 2, 2010 at 9:14 pm

My company uses a different port than 636 for the SSL LDAPS. Is there a place to change the port MediaWiki wants to use? This is on a MS platform.

Reply
- Ryan Lane says:
  
  March 3, 2010 at 2:43 am
  
  Ugh. I still haven’t added this option. On the rare occation someone asks, I always remember that. You’ll need to change it in the extension for now. Edit LdapAuthentication.php, search for 636, and replace it. I’ll try to remember to add this soon.
  
  Reply
  - John says:
    
    March 3, 2010 at 2:02 pm
    
    I can’t seem to find it in there. My version appears to be 1.2b alpha. Can you tell me what line it should be on?
    
    Reply
    - Ryan Lane says:
      
      March 3, 2010 at 4:59 pm
      
      Looks like I don’t set the port explicitly. Let me get back to you with a patch.
      
      Reply
Marcel says:

March 29, 2010 at 3:30 pm

Great plugin, got it installed with a minimum of fuss. Love the way I can control access via security groups. Our certificate system is pretty problematic here and I predictably encountered problems with validation. In the end, since the wiki is on an intranet anyway, I cheated and added ‘TLS_REQCERT never’ to ldap.conf

Reply
Simon Eng says:

March 30, 2010 at 2:06 pm

LAPP on Centos 5.2 x64 authenticating against 2003R2 AD.

Got the plugin working initially but now the Special Pages will not display unless I deactivate the plugin (I just get a blank page). Doesn’t matter whether I login locally with WikiSysop or with an assigned Bureaucrat or Admin through LDAP.

I get this in the error log (even though I get a 200 in the access_log):

[Tue Mar 30 15:49:31 2010] [error] [client 10.65.252.81] PHP Fatal error: Allowed memory size of 20971520 bytes exhausted (tried to allocate 23040 bytes) in /opt/mediawiki-1.15.2/includes/IP.php on line 211, referer: http://10.65.4.191/mediawiki/index.php/Main_Page

Tried restarting the service and also increasing the PHP script memory limit, but get the same results.

If I deactivate the plugin, the Special Pages display correctly for WikiSysop.

Reply
- Simon Eng says:
  
  March 30, 2010 at 2:15 pm
  
  Found part of the issue. Apparently the CategoryTree extension was interfering with the LDAP plugin.
  
  We’re now investigating that.
  
  Reply
Martin von Herrmann says:

April 8, 2010 at 7:18 pm

I seem to be having the same problem Mahesh is having, and cannot get error logging to work.

I have in my file, and that doesn’t work.

$wgLDAPDebug = 3;
$wgDebugLogGroups["ldap"] = “/home/admin/debug.log” ;

I have tried a number of different paths, and none seem to work. Are there any other settings that could be interfering?

Reply
Ajay Rungta says:

April 26, 2010 at 11:43 am

I am trying to integrate LDAP Authentication with ConfirmAccount.

A new user can request for an account. Once the user is approved by sysops, it send account request approval mail along with a temporary password (I guess local wiki DB password).

Why is this password still generated when I am using LDAP authentication. How can I stop this password generation and sending temporary password to the user on approval?

Any input on this will be very helpful? May be enabling or disabling some properyt… will keep on reading or looking for the same…

Thanks

Reply
Rolf says:

May 27, 2010 at 2:04 pm

I have tried to get it working, but it is failing on “Failed to bin”.

Here is my output:
Config:
$wgLDAPDomainNames = array( “MYMGMT” );
$wgLDAPServerNames = array( “MYMGMT” => “192.168.3.250″ );
$wgLDAPEncryptionType = array( “MYMGMT” => “ssl” );
$wgLDAPProxyAgent = array( “MYMGMT” => “cn=sa ldapepo,OU=service accounts,OU=gebruikers,DC=mymgmt,DC=local” );
$wgLDAPProxyAgentPassword = array( “MYMGMT” => “*password*” );

Debug:
storage_wiki: Entering validDomain
storage_wiki: User is using a valid domain.
storage_wiki: Setting domain as: MYMGMT
storage_wiki: Entering getCanonicalName
storage_wiki: Username isn’t empty.
storage_wiki: Munged username: myusername
storage_wiki: Entering userExists
storage_wiki:
storage_wiki: Entering authenticate
storage_wiki:
storage_wiki: Entering Connect
storage_wiki: Using SSL
storage_wiki: Using servers: ldaps://192.168.3.250
storage_wiki: Connected successfully
storage_wiki: Entering getSearchString
storage_wiki: Doing a proxy bind
storage_wiki: Failed to bind as cn=sa ldapepo,OU=service accounts,OU=gebruikers,DC=mymgmt,DC=local
storage_wiki: with password: *password*
storage_wiki: Failed to bind
storage_wiki: User DN is blank
storage_wiki: Entering allowPasswordChange
storage_wiki: Entering modifyUITemplate

Reply
- Ryan Lane says:
  
  May 27, 2010 at 5:41 pm
  
  If you are using SSL, you need to use your server’s fully qualified domain name. IP addresses will not work, due to the nature of SSL. Also, your LDAP server must have an SSL certificate installed, and the CN field in the certificate must match the fully qualified domain name of the LDAP server. Your web server (the LDAP client), must also trust the CA certificate that signed your LDAP server’s certificate.
  
  Reply
- Ryan Lane says:
  
  May 27, 2010 at 5:44 pm
  
  Oh, you also need to specify more options to find users:
  
  $wgLDAPSearchAttributes = array(
  ‘MYMGMT’ => ‘sAMAccountName’
  );
  
  $wgLDAPBaseDNs = array(
  ‘MYMGMT’ => ‘OU=gebruikers,DC=mymgmt,DC=local’
  );
  
  Reply
  - Rolf says:
    
    May 28, 2010 at 7:57 am
    
    Hi Ryan,
    
    Thanks for your quick replay.
    
    For installing the SSL certificatie I did the following:
    openssl s_client -connect hmsvad002.mymgmt.local:636
    en copy the server certificate with out the begin and end header to:
    /etc/pki/tls/certs/hmsvad002.mymgmt.local.crt
    
    storage_wiki: Entering validDomain
    storage_wiki: User is using a valid domain.
    storage_wiki: Setting domain as: MYMGMT
    storage_wiki: Entering getCanonicalName
    storage_wiki: Username isn’t empty.
    storage_wiki: Munged username: myusername
    storage_wiki: Entering userExists
    storage_wiki:
    storage_wiki: Entering authenticate
    storage_wiki:
    storage_wiki: Entering Connect
    storage_wiki: Using SSL
    storage_wiki: Using servers: ldaps://hmsvad002.mymgmt.local
    storage_wiki: Connected successfully
    storage_wiki: Entering getSearchString
    storage_wiki: Doing a proxy bind
    storage_wiki: Failed to bind as cn=sa ldapepo,OU=service accounts,OU=gebruikers,DC=vcdmgmt,DC=local
    storage_wiki: with password: *password*
    storage_wiki: Failed to bind
    storage_wiki: User DN is blank
    storage_wiki: Entering allowPasswordChange
    storage_wiki: Entering modifyUITemplate
    
    Any idea where i can look at?
    
    Reply
    - Rolf says:
      
      May 28, 2010 at 8:18 am
      
      I found some more debugging:
      
      openssl s_client -state -nbio -connect hmsvad002.mymgmt.local:636 2>&1 | grep “^SSL”
      SSL_connect:before/connect initialization
      SSL_connect:SSLv2/v3 write client hello A
      SSL_connect:error in SSLv2/v3 read server hello A
      SSL_connect:error in SSLv3 read server hello A
      SSL_connect:error in SSLv3 read server hello A
      SSL_connect:SSLv3 read server hello A
      SSL_connect:SSLv3 read server certificate A
      SSL_connect:SSLv3 read server certificate request A
      SSL_connect:SSLv3 read server done A
      SSL_connect:SSLv3 write client certificate A
      SSL_connect:SSLv3 write client key exchange A
      SSL_connect:SSLv3 write change cipher spec A
      SSL_connect:SSLv3 write finished A
      SSL_connect:SSLv3 flush data
      SSL_connect:error in SSLv3 read finished A
      SSL_connect:SSLv3 read finished A
      SSL handshake has read 4757 bytes and written 315 bytes
      SSL-Session:
      
      SSL3 alert write:warning:close notify
      
      Reply
    - Ryan Lane says:
      
      May 28, 2010 at 6:12 pm
      
      The certificate file must have the begin and end lines included!
      
      Also, is your ldap.conf file configured to point to that location? Notice if you are using fedora or RHEL, you have two ldap.conf files. /etc/ldap.conf, and /etc/openldap/ldap.conf. PHP uses the latter. The options you want to set in that file are the following:
      
      TLS_CACERTDIR /etc/pki/tls/certs
      TLS_CACERT /etc/pki/tls/certs/hmsvad002.mymgmt.local.crt
      
      Notice that the CACERTDIR directive assumes a hash-linked directory of files. TLS_CACERT points specifically to your file, and should work well. For more in depth info on this, see:
      
      http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Requirements#Certificate_trusts
      
      Reply
Ian says:

July 12, 2010 at 6:47 am

Hi guys,

I’m trying to get this going for our mediawiki that runs on ubuntu server.

We run a Windows 2003 domain.

I actually like trying to figure out problems myself as it’s how I learn best, but I am just running into brick walls.

Basically what is happening is when I try and log in I am just getting a blank page.

I CAN query the DC I am trying to get to using ldapsearch.

When I have tried enabling debugging using:

$wgLDAPDebug
and

$wgDebugLogGroups

I have tried using debug levels 1 2 and 3.

Using either option, nothing appears in the file specified with $wgDebugLogGroups

Using 2 and 3 the following is displayed at the top left hand corner of media wiki after clicking the login button:

Entering validDomain
Uer is not using a valid domain
Setting domain as: invaliddomain
Entering modifyUITemplate

However the login screen then doesn’t load properly and you can’t attempt to login (the login fields are missing).

I am running MediaWiki 1.13.3
LDAP Authentication PLugin is show as version 1.1g ( I installed using LdapAuthentication-MW1.13-r36354.tar.gz).
Ubuntu is 9.04

Can anyone point me in the correct direction as to how to troubleshoot this. Maybe let me know how to get some meaningful logs.

Cheers

Ian

Reply
- Ryan Lane says:
  
  July 13, 2010 at 7:03 pm
  
  Nearly 100% of the time, a blank screen means the ldap library is missing in php. Run the following in ubuntu:
  
  sudo apt-get install -y php5-ldap
  sudo apache2 restart
  
  After doing so, try it again.
  
  Reply
dvn says:

August 25, 2010 at 1:53 pm

Setup my wiki using LDAP followed this instruction worked perfectly. I like to know if it is posible using this ldapauthentication, can i set up so that the user will be logged-in automatically when he or she launch my wiki site?
Thank you

Reply
- Ryan Lane says:
  
  August 25, 2010 at 4:09 pm
  
  Yes, this is possible using Kerberos. See the following documentation:
  
  http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Kerberos_Configuration_Examples
  
  Reply
dvn says:

August 25, 2010 at 1:55 pm

by the way what does LdapAutoAuthentication.php file is for?

Reply
- Ryan Lane says:
  
  August 25, 2010 at 4:09 pm
  
  It is used for automatic authentication. It does what you are looking for, but you’ll need to read the docs to set it up.
  
  Reply
Ryan F says:

January 5, 2011 at 10:14 pm

Hi Ryan,

Great extension. Thank you so much for developing it.
I got LDAP authentication working, however, once I started using “$wgLDAPRequiredGroups” it causes my login to hang about 20-30 seconds.

# ================
# My LocalSettings.php Below
# ================
require_once( “\extensions\LdapAuthentication.php” );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array(“LDAP”);
$wgLDAPServerNames = array(“LDAP” => “ldap-server.com”);
$wgLDAPEncryptionType = array(“LDAP” => “ssl”);
$wgLDAPSearchStrings = array(“LDAP” => “uid=USER-NAME,ou=personnel,dc=dir,dc=com”);

$wgLDAPUseLocal = false;
$wgLDAPAddLDAPUsers = false;
$wgLDAPUpdateLDAP = false;
$wgLDAPMailPassword = false;
$wgLDAPRetrievePrefs = true;
$wgMinimalPasswordLength = 1;

$wgLDAPRequiredGroups = array(“LDAP” => array(“cn=mygroup,ou=personnel,dc=dir,dc=com”, “cn=mygroup2,ou=personnel,dc=dir,dc=com”));
$wgLDAPGroupUseFullDN = array(“LDAP” => true);
$wgLDAPGroupObjectclass = array(“LDAP” => “groupofuniquenames”);
$wgLDAPGroupAttribute = array(“LDAP” => “uniqueMember”);
$wgLDAPGroupSearchNestedGroups = array(“LDAP” => false);
$wgLDAPGroupNameAttribute = array(“LDAP” => “cn”);
$wgLDAPBaseDNs = array(“LDAP” => “dc=dir,dc=com”);

Reply
- Ryan Lane says:
  
  January 5, 2011 at 10:23 pm
  
  If you have a lot of entries in your directory server, searches can take a while. You should set a group base dn, via $wgLDAPGroupBaseDNs
  
  Reply
  - Ryan F says:
    
    January 11, 2011 at 12:33 am
    
    Hi Ryan,
    
    Thank you for quick the response. I added that variable, but it didn’t seem to help.
    
    Still takes about 20-30 seconds to login. I think we do have a decent sized directory, but I would think it should be faster than this. I only have this problem once I use $wgLDAPRequiredGroups.
    
    Thanks,
    Ryan
    
    Reply
    - Ryan Lane says:
      
      January 11, 2011 at 5:06 pm
      
      You should enable debugging, and send me the output with sensitive stuff snipped out. There must be something else wrong.
      
      Reply
chris d says:

March 15, 2011 at 12:09 pm

Hey Ryan, hello.

I am just another guy that has issues with this plugin, was wondering if you can help somehow. My config is as follows:
running apache using: WAMP -windows server 2003
running AD using: windows server 2003 (different pc)
running Mediawiki version 1.16,PHP above 5.2 and ldap plugin v1.2b (alpha)

Binding phase fails when using “ssl” option
Binding phase and everything/ account creation etc work when using “clear” option

I can verify AD connectivity using ldp.exe (GUI util) from the windows srv tools. The server connects from ldap @ port 636 and can bind successfully. Does it make sence to use clear for binding and ssl for session encr.?

Can you explain a bit on LDAP versus LDAP over SSL so I know if at least the ssl port works then if its fine to leave the binding as cleartext.

If anything doesnt make sense or missing, E.g: logs etc please let me know – important info about log: DOMAIN\\USER-NAME used, doing straight bind which fails, ldaps says connected successful.

Thanks in advance.

Reply
- Ryan Lane says:
  
  March 22, 2011 at 4:45 pm
  
  In PHP, a successful connection doesn’t actually mean an actual connection was made. The connection isn’t made until you try to bind. You should see the ssl documentation for the extension. Using LDAP without SSL means all traffic is sent across the network in clear text, which would allow people to steal passwords, if they can become a man in the middle, or have access to sniff your network.
  
  You should also enable the debug log.
  
  Reply
  - chris d says:
    
    April 12, 2011 at 10:26 am
    
    Hi, in reply to your comment above:
    
    I was able to use the plugin with only clear-text binding, so far. Even tried different types of certificates for LDAPS for my AD which didn’t work.
    
    I’ve read all the relevant documentation for it, followed instructions which still haven’t worked either.
    
    I guess my main question on that previous post was to verify from you that have a bit more knowledge on the matter whether passing binding-phase data through SSL encrypted traffic (which works Ok for my wiki site) still makes the bind-passwords viewable.
    
    Overall i was asking if the conf. below is OK:
    SSL for the site/content login forms -enabled
    SSL for binding passwd of AD -disabled
    
    Also, the logs where enabled the whole time I was doing my testing.
    
    Reply
    - Ryan Lane says:
      
      April 12, 2011 at 5:33 pm
      
      Your credentials are being passed in the clear. You really don’t want to do this.
      
      Are you sure your Active Directory server even has SSL enabled? It doesn’t by default. Even if it does, most use some kind of internal CA, which your web server will need to trust.
      
      Reply
      - chris d says:
        
        April 13, 2011 at 9:46 am
        
        Hi again,
        
        Ok then I guess I’ll be trying to switch to ldaps:// connection again after your input on the matter. The server with active directory has certificate services installed as well, with a root certificate (5yrs is the default for WS2003 i think) to identify it as a CA.
        
        It was being used as an internal certificate authority as well for outlook webmail access so the server is SSL enabled overall.
        
        NOTE:
        As my configurations for both server and test-server have changed a lot by trial-and-error, I have managed to make ldap on php/apache undetectable by your plugin or php overall.
        
        So, until I fix this general issue I will get back to you. Need to re-trace exactly what I did and fix it and then hopefully I can provide you with more input on the matter.
        
        ALSO: I used openldap\conf\ as suggested on the doc for windows platform to trust the certificates with both the cert. and key files.
        Until I provide better info or progress,
        
        Thanks for your input on this issue.
Werz says:

March 22, 2011 at 3:20 pm

Hi,

i have set up an Wiki with ldap authentification.

It works for fine as long as i do not try to restirct it to certain groups.

Hard to debug.

Any hints.

Best regards,
Werz

Reply
- Werz says:
  
  March 22, 2011 at 3:33 pm
  
  bte can i make it work without an certificat? Or is this impossible?
  As I said, the login works as long as i do not try to restrict via groups. So there must be a working connetion between the wiki and the ldap server.
  
  But if i try to get the cert from server… there is no.
  Cheers Werz
  
  Reply
  - Ryan Lane says:
    
    March 22, 2011 at 4:46 pm
    
    You can use “clear” for encryption type, but you should really try to get ssl working properly. See the requirements section of the documentation for this.
    
    Reply
- Ryan Lane says:
  
  March 22, 2011 at 4:45 pm
  
  I would need to see your config, and your debug log with sensitive stuff snipped out.
  
  Reply
- Werz says:
  
  March 23, 2011 at 8:52 am
  
  Hi Ryan,
  
  thanks for your fast reply, here are my settings:
  
  #### LDAP settings
  require_once( “$IP/extensions/LdapAuthentication/LdapAuthentication.php” );
  $wgAuth = new LdapAuthenticationPlugin();
  
  #### Uncomment this line to see debug messages:
  $wgLDAPDebug = 3;
  $wgDebugLogGroups["ldap"] = “/tmp/debug.log” ;
  
  $wgLDAPDomainNames = array(“Domain1″,”Domain2″);
  $wgLDAPServerNames = array(“Domain1″ => “servername.domain1.com”, “Domain2″ => “serverIP”);
  
  $wgLDAPSearchStrings = array(“Domain1″ => “Domain1\USER-NAME”,”Domain2″ => “Domain2\USER-NAME”);
  $wgLDAPEncryptionType = array(“Domain1″ => “clear”,”DOmain2″ => “clear”);
  
  $wgLDAPUseLocal = false;
  $wgLDAPAddLDAPUsers = false;
  $wgLDAPUpdateLDAP = false;
  $wgLDAPMailPassword = false;
  $wgLDAPRetrievePrefs = true;
  $wgMinimalPasswordLength = 1;
  
  ### Group permissions
  $wgLDAPRequiredGroups = array(“Domain1″ => array(“cn=it.Wiki_USER,ou=Groups,dc=Domain1,dc=COM”));
  $wgLDAPGroupUseFullDN = array(“Domain1″ => true);
  $wgLDAPGroupObjectclass = array(“Domain1″ => “*”);
  $wgLDAPGroupAttribute = array(“Domain1″ => “member”);
  $wgLDAPGroupSearchNestedGroups = array(“Domain1″ => false);
  $wgLDAPGroupNameAttribute = array(“Domain1″ => “cn”);
  $wgLDAPBaseDNs = array(“Domain1″ => “dc=domain1,dc=com”);
  
  That’s all. Unfortunately it does not work.
  If I comment out $wgLDAPRequiredGroups it work… but of course then anyone can login… which should not be :-)
  
  Cheers, Werz
  
  Reply
Werz says:

March 23, 2011 at 9:02 am

Hi Ryan,

here is my debug output with $wgLDAPRequiredGroups:

wiki: Entering validDomain
wiki: User is using a valid domain.
wiki: Setting domain as: Domain1
wiki: Entering getCanonicalName
wiki: Username isn’t empty.
wiki: Munged username: Username
wiki: Entering authenticate
wiki:
wiki: Entering Connect
wiki: Using TLS or not using encryption.
wiki: Using servers: ldap://servername.domain1.com
wiki: Connected successfully
wiki: Entering getSearchString
wiki: Doing a straight bind
wiki: userdn is: Domain1\Username
wiki:
wiki: Binding as the user
wiki: Bound successfully
wiki: Entering getUserDN
wiki: Created a regular filter: (=Username)
wiki: Entering getBaseDN
wiki: basedn is not set for this type of entry, trying to get the default basedn.
wiki: Entering getBaseDN
wiki: basedn is dc=domain1,dc=com
wiki: Using base: dc=domain1,dc=com
wiki: Couldn’t find an entry
wiki: Pulled the user’s DN:
wiki: Entering getGroups
wiki: Retrieving LDAP group membership
wiki: Searching for the groups
wiki: Entering searchGroups
wiki: Entering getBaseDN
wiki: basedn is not set for this type of entry, trying to get the default basedn.
wiki: Entering getBaseDN
wiki: basedn is dc=domain1,dc=com
wiki: Search string: (&(member=)(objectclass=*))
wiki: Returned groups:
wiki: Entering checkGroups
wiki: Checking for (new style) group membership
wiki: Required groups: cn=it.wiki_user,ou=groups,dc=domain1,dc=com
wiki: Couldn’t find the user in any groups.
wiki: Entering strict.
wiki: Returning true in strict().
wiki: Entering allowPasswordChange
wiki: Entering modifyUITemplate

That’s it. Hope you can help me :-)

Cheers, Paul

Reply
Werz says:

March 24, 2011 at 8:28 am

hmm still not working… have no clue what is wrong…

Reply
- Werz says:
  
  March 24, 2011 at 9:16 am
  
  Hi Ryan, now it works!
  
  But I got another question:
  If I use wgLDAPRequiredGroups, what do i have to do to give access for users in different groups.
  I mean something like the user must be in this OR in that group.
  
  Cheers, Paul Werz
  
  Reply
  - Ryan Lane says:
    
    March 24, 2011 at 6:00 pm
    
    You should use group synch instead of required groups in this scenario. It’ll be easier. I think adding multiple groups to the required groups array may work for this, though (it should be an OR by default).
    
    Reply
Leslie says:

May 12, 2011 at 8:51 pm

I am using the latest snapshot of LdapAuthentication 1.2d (2010-11-23), Apache 2.2.14, MediaWiki 1.16.2, our LDAP server requiring protocol 3, SSL. I am not an LDAP admin but have used and configured other clients with our server.

I am having trouble configuring validating on a filter. I’m not sure if I should be using wgLDAPgroups or not. I’m obviously working against the extension somehow.

This is what I want if I were using openldap 2.3.33:

ldapsearch -D “uid=username,ou=authenticaate,dc=domain,dc=com” -b “ou=authorize,dc=domain,dc=com” -H ldaps//hostname.domain.com -W “(&(uid=username)(chx=1234))”

This is what I want if I were using PHP:

$ds = ldap_connect(“ldaps://hostname.domain.com”);
$r = ldap_bind($ds, “cn=username,ou=authenticate,dc=domain,dc=com”, “password”);
$sr = ldap_search($ds, “ou=authorize,dc=domain,dc=com”, “(&(uid=username)(chx=1234))”);

I can successfully bind to LDAP using your LdapAuthentication but get confused when I try to require an LDAP group.

Here’s my latest attempt using LdapAuthentication.php. MediaWiki returns “Login error. Incorrect password entered. Please try again.”:

$wgLDAPDomainNames = array( “myLDAP” );
$wgLDAPServerNames = array( “myLDAP” => “hostname.domain.com” );
$wgLDAPUseLocal = false;
$wgLDAPEncryptionType = array( “myLDAP”=>”ssl” );
$wgLDAPPort = array( “myLDAP”=>636 );
$wgLDAPSearchStrings = array(“myLDAP”=>”uid=USER-NAME,ou=authenticate,dc=domain,dc=com”);
$wgLDAPBaseDNs = array(” myLDAP”=>”ou=authorize,dc=domain,dc=edu” );
$wgLDAPSearchAttributes = array( “myLDAP”=>”ou=authorize,dc=domain,dc=edu” );
$wgMinimalPasswordLength = 1;

$wgLDAPRequiredGroups = array( “myLDAP”=>array(“1234″) );
$wgLDAPGroupUseFullDN = array( “myLDAP”=>false );
$wgLDAPGroupObjectclass = array( “myLDAP”=>”1234″ );
$wgLDAPGroupAttribute = array( “myLDAP”=>”uid” );
$wgLDAPGroupSearchNestedGroups = array( “myLDAP”=>false );
$wgLDAPGroupNameAttribute = array( “myLDAP”=>”chx” );
$wgLDAPDebug = 3;
$wgLDAPLowerCaseUsername = array( “myLDAP”=>true );

I also hacked searchGroups() to change the filter to:

$filter = “(&($attribute=$value)(chx=$objectclass))”;

I get in the $wgDebugLogGroups file:

2011-05-12 18:48:08 wikidb-mw_: Entering validDomain
2011-05-12 18:48:08 wikidb-mw_: User is using a valid domain.
2011-05-12 18:48:08 wikidb-mw_: Setting domain as: myLDAP
2011-05-12 18:48:08 wikidb-mw_: Entering getCanonicalName
2011-05-12 18:48:08 wikidb-mw_: Username isn’t empty.
2011-05-12 18:48:08 wikidb-mw_: Munged username: Username
2011-05-12 18:48:08 wikidb-mw_: Entering authenticate
2011-05-12 18:48:08 wikidb-mw_:
2011-05-12 18:48:08 wikidb-mw_: Entering Connect
2011-05-12 18:48:08 wikidb-mw_: Using SSL
2011-05-12 18:48:08 wikidb-mw_: Using servers: ldaps://hostname.domain.com
2011-05-12 18:48:08 wikidb-mw_: Connected successfully
2011-05-12 18:48:08 wikidb-mw_: Lowercasing the username: Username
2011-05-12 18:48:08 wikidb-mw_: Entering getSearchString
2011-05-12 18:48:08 wikidb-mw_: Doing a straight bind
2011-05-12 18:48:08 wikidb-mw_: userdn is: uid=username,ou=authenticate,dc=domain,dc=com
2011-05-12 18:48:08 wikidb-mw_:
2011-05-12 18:48:08 wikidb-mw_: Binding as the user
2011-05-12 18:48:08 wikidb-mw_: Bound successfully
2011-05-12 18:48:08 wikidb-mw_: Entering getGroups
2011-05-12 18:48:08 wikidb-mw_: Retrieving LDAP group membership
2011-05-12 18:48:08 wikidb-mw_: Searching for the groups
2011-05-12 18:48:08 wikidb-mw_: Entering searchGroups
2011-05-12 18:48:08 wikidb-mw_: Entering getBaseDN
2011-05-12 18:48:08 wikidb-mw_: basedn is not set for this type of entry, trying to get the default basedn.
2011-05-12 18:48:08 wikidb-mw_: Entering getBaseDN
2011-05-12 18:48:08 wikidb-mw_: basedn is ou=authorize,dc=domain,dc=com
2011-05-12 18:48:08 wikidb-mw_: Search string: (&(uid=username)(chx=1234))
2011-05-12 18:48:08 wikidb-mw_: Returned groups: uid=username,ou=authenticate,dc=domain,dc=com
2011-05-12 18:48:08 wikidb-mw_: Entering checkGroups
2011-05-12 18:48:08 wikidb-mw_: Checking for (new style) group membership
2011-05-12 18:48:08 wikidb-mw_: Required groups: 3592
2011-05-12 18:48:08 wikidb-mw_: Checking against: uid=arvin,ou=authenticate,dc=purdue,dc=edu
2011-05-12 18:48:08 wikidb-mw_: Couldn’t find the user in any groups.
2011-05-12 18:48:08 wikidb-mw_: Entering strict.
2011-05-12 18:48:08 wikidb-mw_: Returning true in strict().
2011-05-12 18:48:08 wikidb-mw_: Entering allowPasswordChange
2011-05-12 18:48:08 wikidb-mw_: Entering modifyUITemplate

Reply
- Ryan Lane says:
  
  June 22, 2011 at 1:35 am
  
  I replied to you on the extension’s support page. I’m not totally sure how you are searching for the groups. The way you are going about it is not a normal LDAP way of handling groups. That said, if you see this response, please respond on the thread on the support page, since it’s a little easier for me to see.
  
  Reply
David says:

June 15, 2011 at 8:55 am

Hi,

I also get the wrong password message here is my settings:

require_once( “$IP/extensions/LdapAuthentication/LdapAuthentication.php” );
$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array( “domain.com” );
$wgLDAPServerNames = array( “domain.com” => “x.x.x.x y.y.y.y z.z.z.z ” );
$wgLDAPSearchStrings = array( “domain.com” => “USER-NAME@domain.com” );
$wgLDAPEncryptionType = array( “domain.com” => “ssl” );
$wgLDAPUseLocal=false;
$wgShowExceptionDetails = true;
$wgLDAPAddLDAPUsers = false;
$wgLDAPUpdateLDAP = false;

$wgLDAPDebug = 3;
$wgDebugLogGroups["ldap"] = “/tmp/debug.log” ;

—– From the log /tmp/debug.log ——-

2011-06-15 08:42:01 knowledgebase-pss_: Entering validDomain
2011-06-15 08:42:01 knowledgebase-pss_: User is using a valid domain.
2011-06-15 08:42:01 knowledgebase-pss_: Setting domain as: domain.com
2011-06-15 08:42:01 knowledgebase-pss_: Entering getCanonicalName
2011-06-15 08:42:01 knowledgebase-pss_: Username isn’t empty.
2011-06-15 08:42:01 knowledgebase-pss_: Munged username: myuser
2011-06-15 08:42:01 knowledgebase-pss_: Entering userExists
2011-06-15 08:42:01 knowledgebase-pss_:
2011-06-15 08:42:01 knowledgebase-pss_: Entering authenticate
2011-06-15 08:42:01 knowledgebase-pss_:
2011-06-15 08:42:01 knowledgebase-pss_: Entering Connect
2011-06-15 08:42:01 knowledgebase-pss_: Using SSL
2011-06-15 08:42:01 knowledgebase-pss_: Using servers: ldaps://x.x.x.x ldaps://y.y.y.y ldaps://z.z.z.z
2011-06-15 08:42:01 knowledgebase-pss_: Connected successfully
2011-06-15 08:42:01 knowledgebase-pss_: Entering getSearchString
2011-06-15 08:42:01 knowledgebase-pss_: Doing a straight bind
2011-06-15 08:42:01 knowledgebase-pss_: userdn is: myuser@domain.com
2011-06-15 08:42:01 knowledgebase-pss_:
2011-06-15 08:42:01 knowledgebase-pss_: Binding as the user
2011-06-15 08:42:01 knowledgebase-pss_: Failed to bind as myuser@domain.com
2011-06-15 08:42:01 knowledgebase-pss_: Entering allowPasswordChange
2011-06-15 08:42:01 knowledgebase-pss_: Entering modifyUITemplate

Dont know where to start really. Thanks!

Reply
Jeff B says:

October 14, 2011 at 8:46 pm

I just wanted to say thank you for everyone’s comments. You guys helped me out so much.
I just wanted a small wiki my small team of IT guys could us in our intranet.

My Setup:
I was running Mediawiki on a Windows 2008 computer using Wamp, trying to connect to a 2008 AD. I could get it to connect, but only using clear passwords. I was able to later do a work around by putting in the line
TLS_REQCERT never
in my ldap.conf file in c:\openldap\sysconf.

But I needed better, the likelihood that we would get a MitM, or a DNS hijack is slim, but I still couldn’t sleep well unless I got the certificates working.

My fix was not to use openssl to pull the certificate off the server using -

“openssl s_client -connect adserver1.testad.example.com:636″

Instead what I had to do was install Active Directory Certificate Services on my DC. Then follow this website to make a self signed cert – very easy to follow.
http://www.christowles.com/2010/11/enable-ldap-over-ssl-ldaps-on-windows.html

Once I had a certificate I exported the certificate as a .cer file to my wamp server inside my c:\openldap\sysconf folder and edited the ldap.conf file to TLS_CACERT c:\openldap\sysconf\dc1.cer

SSL now works! Seriously this all took me several days just gathering all the right info and troubleshooting. That last little bit saved me. active directory doesn’t support ssl out of the box. No wonder it wasn’t working.

Reply