
LdapAuthentication 1.2c released

LDAP, MediaWiki

This is a bugfix release related to the previous 1.2b release. The following has changed:

  • Fixed an issue where single domains and non-auto-authentication domains were non-operational due to the security fix in 1.2b
  • Fixed another issue with “mail me a new password” not working properly

To download this version, please use the extension distributor (http://www.mediawiki.org/wiki/Special:ExtensionDistributor/LdapAuthentication), select “Development version (trunk)”, and click “Continue”.


LdapAuthentication 1.2b released – Security fix for register_globals users

LDAP, MediaWiki

This release contains a security bugfix for users of register_globals. Most configuration options in the extension did not have default values, so with register_globals enabled an unset configuration global could be populated from request parameters; this release sets defaults for all configuration globals. Users are advised to update to this version, or to disable register_globals. If you do not have register_globals enabled, you are not affected.

The following has changed since 1.2a:

  • Fixed issue with group synchronization and nested groups
  • Added support for exclusion groups in addition to required groups
    • Configured via $wgLDAPExcludedGroups; syntax the same as $wgLDAPRequiredGroups
  • Fixed check for returns with no entries
  • Added memberOf support

LDAP automount entry interoperability between Red Hat Enterprise Linux and Solaris for NFSv4

LDAP, Red Hat, Solaris

Solaris 10 and above and Red Hat Enterprise Linux (RHEL) 5 and above have support for NFSv4. Unfortunately, the two operating systems treat the newest version differently, and the way it is mounted is drastically different.

How each OS handles NFSv3 and NFSv4

All Linux distros treat NFSv4 as a different filesystem. Solaris treats NFSv4 as a newer version of the same filesystem, which is the sane and sensible way of handling it IMO; thanks Linux…. To mount an NFSv4 filesystem in RHEL 5, you mount it the following way:

mount -t nfs4 <server>:<share> <mountpoint>

For NFSv3, you mount it the following way:


OpenSSO web agent conflicts with the MediaWiki parser, and a workaround

LDAP, MediaWiki

Recently, I deployed OpenSSO as a web single sign-on service for a number of web servers, one of which was running MediaWiki. I haven’t yet written a SAML2 plugin for MediaWiki, so I am running an OpenSSO web agent for Apache, with the LDAP plugin doing auto-authentication.

After deploying the web agent, MediaWiki started parsing things incorrectly. Wiki-syntax like:

== Test ==
== Test2 ==
=== Test 3 ===

was being corrupted, turning into something like:


Using the LDAP Authentication Plugin for MediaWiki – The Basics (Part 3)

LDAP, MediaWiki

In part 1 of this series, I discussed basic password authentication for Active Directory (AD). In this article I will discuss enabling group restrictions and synchronization, and retrieving preferences for AD. I’ll first discuss group restrictions, then synchronization, then retrieving preferences.

Group restrictions and synchronization will require you to have some understanding of the LDAP structure that your AD environment is built upon. Don’t worry, this isn’t as scary as it sounds, and I’ll explain how to find all of the information you’ll require.


SSL replication and CA trusts in Sun Directory Server 6.x

LDAP, pki

If, like me, you have had issues with replication in Sun Directory Server, maybe this post will help.

The dsadm list-certs -C command will show you which CA certificates you are trusting, but it won’t show you how each certificate is trusted (the trust flags). If you are getting an error like “Bind failed with response: Failed to bind to remote (900).”, and you know SSL should be working properly, you probably want to check exactly how your CA certificates are being trusted.

To do this, use the certutil command:


Semi-anonymous users in MediaWiki using the LDAP Authentication extension

LDAP, MediaWiki

For some corporate wikis, it is beneficial to allow anonymous edits; however, anonymous edits in MediaWiki are tracked by IP address, and in most corporate environments it is easy to identify a user from the IP address they came from. Also, most corporate environments are opposed to allowing non-authenticated write access to any resource (for good reason).

So, if you want a wiki, such as a wiki for polls, where users need some form of anonymity before they will trust using it, using the LDAP Authentication extension in a clever way can give you that.


Using the LDAP Authentication Plugin for MediaWiki – The Basics (Part 2)

LDAP, MediaWiki

In part 1 of this series, I discussed basic password authentication for Active Directory (AD). In this article, I will discuss basic password authentication for LDAP domains with the posix schema.

For basic password authentication against an LDAP domain with the posix schema, you need to configure three or four things:

  1. Domain name
  2. Server names
  3. How to bind to the LDAP servers
  4. The proxy user used to find your user accounts (optional depending on your environment)

Prerequisites

Please see and complete the “Create a local sysop”, and “Enabling the plugin” sections of part 1 before proceeding.


Using the LDAP Authentication Plugin for MediaWiki – The Basics (Part 1)

LDAP, MediaWiki

Configuring the LDAP Authentication plugin for MediaWiki can be a daunting task. In this series of posts, I’ll go over the basics of configuring the plugin for common environments. In a later series of posts, I’ll go into each environment in detail.

Part 1 will discuss basic password authentication for Active Directory (AD). Part 2 will discuss basic password authentication for LDAP domains with the posix schema. Part 3 will discuss enabling group restrictions and synchronization, and retrieving preferences for AD. Part 4 will discuss group restrictions and synchronization, and retrieving preferences for LDAP domains with the posix schema.


Seamless Smartcard login with pam_pkcs11, and pam_krb5 against an Active Directory Domain using Red Hat Enterprise Linux 5 (Part 3)

LDAP, pki

In part 1 I discussed how to configure NSS and OpenSSL. In part 2, I discussed how to configure pam_pkcs11 and how to test a smartcard against the NSS database we set up. In this part, I’ll discuss how to add pam_krb5 into the mix to automatically get a Kerberos ticket from an Active Directory domain using PKINIT.

Note that this post discusses a package that has yet to be officially released by Red Hat. Whenever it is officially released, it may have different configuration options or different functionality. I’ll update this post at that time.
