This assumes you’ve got a working install of MediaWiki already and just need to tie it into Active Directory.
1. Make sure php-ldap is installed
yum install php-ldap.x86_64
2. Configure OpenLDAP on CentOS to ignore your domain controller's certificate validity. We all trust our own domain controllers, don't we? (TLS_REQCERT never tells the OpenLDAP client library, and therefore php-ldap, not to validate the certificate the domain controller presents, so the wiki host cannot tell a genuine DC from something impersonating one. If you have your domain's CA certificate on hand, pointing TLS_CACERT at it instead keeps validation on.)
vim /etc/openldap/ldap.conf
# -------- Make the following edits --------
TLS_REQCERT never
# -------- Save and close the file --------
3. Download and extract the latest LDAPAuthentication extension into your ‘mediawiki/extensions’ directory. I’m going to assume you’ve named the extension directory ‘ldapauthentication’ for the remainder of this documentation.
4. Edit your ‘LocalSettings.php’ found in the root of your MediaWiki directory and add the following, substituting the values for your own domain's information. Make sure you consistently use the same value for “<YOURDOMAINNAME>” at the start of each “array (” line.
vim LocalSettings.php
# -------- Make the following edits --------
require_once( "$IP/extensions/ldapauthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "<YOURDOMAINNAME>" );
$wgLDAPServerNames = array( "<YOURDOMAINNAME>" => "<DOMAIN CONTROLLER FQDN>" ); # I recommend using a Global Catalog server for this.
$wgLDAPSearchStrings = array( "<YOURDOMAINNAME>" => "<YOURDOMAINNAME>\\USER-NAME" );
$wgLDAPEncryptionType = array( "<YOURDOMAINNAME>" => "tls" );
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs = array( "<YOURDOMAINNAME>" => "dc=<YOURDOMAIN>,dc=<SOMEPLACE>,dc=<COM>" ); # Example: If your domain is mydomain.internet.ca then you want to put in "dc=mydomain,dc=internet,dc=ca".
$wgLDAPSearchAttributes = array( "<YOURDOMAINNAME>" => "sAMAccountName" );
$wgLDAPRetrievePrefs = array( "<YOURDOMAINNAME>" => "true" );
$wgLDAPPreferences = array( '<YOURDOMAINNAME>' => array( 'email' => 'mail', 'realname' => 'displayname' ) ); # This will automatically map the user's e-mail address and full name from Active Directory to their account in MediaWiki
$wgLDAPDebug = 3; //for debugging LDAP
$wgShowExceptionDetails = true; //for debugging MediaWiki
# -------- Save and close the file --------
That should be it! If it’s not working check your log files.
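When it is not working, the quickest way to find out which step is broken is to exercise the same php-ldap calls the extension makes, outside MediaWiki. The script below is an added example for this post, not code from the extension or from MediaWiki: it loads php-ldap (step 1), performs the StartTLS that the "tls" encryption type implies (which is where the OpenLDAP certificate setting from step 2 bites), binds with a read-only proxy account, and looks the user up by sAMAccountName under a base DN derived from the DNS domain name exactly as step 4 describes. The domain controller name, DNS domain, bind DN and password file path are placeholder assumptions to replace with your own; it assumes PHP 7 or later with the ldap extension.

```php
<?php
// ad-ldap-check.php: exercise the LDAP path MediaWiki will use, from the wiki host.
// Usage: php ad-ldap-check.php <sAMAccountName>
// All values below are placeholders (assumptions); substitute your own.
const DC_FQDN      = 'dc01.mydomain.internet.ca';   // <DOMAIN CONTROLLER FQDN>
const DNS_DOMAIN   = 'mydomain.internet.ca';        // your AD DNS domain
const BIND_DN      = 'CN=mw-bind,OU=Service Accounts,DC=mydomain,DC=internet,DC=ca'; // ordinary Domain User
const BIND_PW_FILE = '/etc/mediawiki/ldap-bind.pw'; // mode 0600, readable only by the web server user
const GC_PORT      = 3268;                          // Global Catalog; use 389 for a plain DC

// Turn "mydomain.internet.ca" into "dc=mydomain,dc=internet,dc=ca" for $wgLDAPBaseDNs.
function baseDnFromDomain($domain) {
    $labels = array_filter(explode('.', strtolower(trim($domain))));
    return implode(',', array_map(function ($l) { return 'dc=' . $l; }, $labels));
}

function fail($msg, $ds = null) {
    fwrite(STDERR, $msg . ($ds ? ': ' . ldap_error($ds) : '') . "\n");
    exit(1);
}

if (!function_exists('ldap_connect')) {
    fail('php-ldap is not loaded (step 1 of the guide)');
}
if (!isset($argv[1])) {
    fail("usage: php {$argv[0]} <sAMAccountName>");
}
$user = $argv[1];

$ds = ldap_connect('ldap://' . DC_FQDN . ':' . GC_PORT);
if (!$ds) {
    fail('ldap_connect() rejected the URI');
}
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);        // AD referrals otherwise break searches
ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);  // fail fast instead of hanging the web request

// This is the call behind "Unable to start TLS: Can't contact LDAP server". It fails
// both when the DC is unreachable on this port and when /etc/openldap/ldap.conf
// rejects the certificate the DC presents.
if (!@ldap_start_tls($ds)) {
    fail('ldap_start_tls() failed', $ds);
}

// Bind as the proxy agent ($wgLDAPProxyAgent / $wgLDAPProxyAgentPassword in the extension).
$bindPw = trim((string) @file_get_contents(BIND_PW_FILE));
if ($bindPw === '') {
    fail('could not read the bind password from ' . BIND_PW_FILE);
}
if (!@ldap_bind($ds, BIND_DN, $bindPw)) {
    fail('proxy-agent bind failed', $ds);
}

// Escape the caller-supplied name before it goes into the filter, so that
// characters like '*' or ')' cannot change what the search matches.
$filter = '(&(objectClass=user)(sAMAccountName=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . '))';
$res = ldap_search($ds, baseDnFromDomain(DNS_DOMAIN), $filter, ['mail', 'displayName', 'memberOf']);
if (!$res) {
    fail('search failed', $ds);
}
$entries = ldap_get_entries($ds, $res);
if ($entries['count'] !== 1) {
    fail("expected exactly one entry for $user, got {$entries['count']}");
}

// ldap_get_entries() lower-cases attribute names.
$e = $entries[0];
printf("dn:          %s\n", $e['dn']);
printf("mail:        %s\n", isset($e['mail'][0]) ? $e['mail'][0] : '(none)');
printf("displayName: %s\n", isset($e['displayname'][0]) ? $e['displayname'][0] : '(none)');
printf("groups:      %d\n", isset($e['memberof']['count']) ? $e['memberof']['count'] : 0);
ldap_unbind($ds);
```

Run it as the same system user the web server runs as, so it sees the same /etc/openldap/ldap.conf and the same file permissions. If it stops at ldap_start_tls(), the problem is network reachability or certificate validation, not the wiki configuration; if it stops at the bind, check the proxy account; if the search returns zero entries, the base DN or the search attribute is wrong. The mail and displayName it prints are the two attributes $wgLDAPPreferences maps into the MediaWiki account.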
References
- http://www.mediawiki.org/wiki/Extension:LDAP_Authentication
- http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Generic_LDAP_Configuration_Examples
- http://stackoverflow.com/questions/2689629/how-do-i-solve-ldap-start-tls-unable-to-start-tls-connect-error-in-php
- http://linux.koolsolutions.com/2010/09/06/howto-enable-ldapactive-directory-authentication-with-mediawiki-part-1/
Thanks a ton for the very detailed steps! Worked like a breeze.
thanks! It worked for me!
You saved my day with this. Let me just add one thing from my experience.
Initially, I used a MySQL account for login. After following your guide, I needed to deal with two more things:
1) echo -e "TLS_REQCERT\tnever" >> /etc/openldap/ldap.conf
This was to remove the “incorrect password” false alarm when trying to log into MediaWiki.
2) php /var/www/html/mediawiki/maintenance/update.php
This was to get rid of the “PHP Notice: Uncommitted DB writes (transaction from DatabaseBase::query (LCStore_DB::get))” error message, which caused the error message in the browser (something like “internal error, check the source code”).
All the best,
Ivan
Hi Eric
I'm following your sample but I get this error:
Unable to start TLS: Can’t contact LDAP server in /var/www/html/mediawiki/extensions/LdapAuthentication/LdapAuthentication.php on line 622
I have also enabled debug but don't get a file?
$wgLDAPDebug = 3; //for debugging LDAP
$wgShowExceptionDetails = true; //for debugging MediaWiki
$wgDebugLogGroups['ldap'] = '/tmp/debug.log';
What am I doing wrong?
Based on that error I’d guess you are unable to connect to your LDAP server from the server you are running Mediawiki on. That or your LDAP server isn’t listening for SSL connections.
I changed it to “Clear” but then I get nothing.
And I don't get this debug log at all:
$wgLDAPDebug = 3;
$wgDebugLogGroups['ldap'] = '/var/www/html/mw/log/debug.log';
error_reporting( -1 );
ini_set( 'display_errors', 1 );
TLS_CACERTDIR /etc/ssl/certs
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
I was using the above settings. When I changed it to the line below, it worked.
TLS_REQCERT never
That’d do it. Good find.
Hi,
I would like to know if it is possible to integrate this plugin for Secure LDAP?
We are running secure LDAP so I am not sure if it will work with that or not? Can you please confirm. Thank you in advance.
Kind Regards
Umair
This example does use LDAP over SSL.
In the MediaWiki login page I got a new field named DomainName,
but I can't log in with LDAP users.
You're going to need to check your logs to see why.
What about authentication? In my previous version of MediaWiki, I had to add a $wgLDAPProxyAgent and $wgLDAPProxyAgentPassword.
You’re right. In any other AD/LDAP deployment I’ve ever done I’ve needed some kind of bind account to actually connect to AD. Not sure why that’s missing from my post here.
If it follows common practice and based on their documentation (https://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Examples) you’ll need to also specify the following:
$wgLDAPProxyAgent = array(
'openldap_example_com' => 'cn=readonly,dc=example,dc=com',
);
$wgLDAPProxyAgentPassword = array(
'openldap_example_com' => '*****',
);
The AD account you use for binding should be unique and only needs to be a ‘Domain User’. No other special privileges.
Hello
My Mediawiki version is 1.16.4, does this document still work?
I did all the configuration you wrote but I still get wrong password.
I honestly don't know. We've abandoned MediaWiki at work. With passwords you might try, for testing, dropping any symbols and special characters and using only letters and numbers.
Also test the domain account by logging into any domain workstation.
Thanks Eric,
I don't have access to create an account without a symbol in the password.
I am sure that my password works; it is my own account.
Thanks
Sorry. I meant the account being used to bind your MediaWiki to AD to do account lookups. Sometimes symbols cause issues depending on how escaping is done in the code.
Thanks, in the configuration on this page I couldn't see a bind username and password. Is it necessary?
Yes. It should just be a regular AD account, no special permissions.
Hello, do you have any idea, how to restrict access to my Wiki only for members of specific AD group please? Now all AD users are able to log in.
Thanks in advance ;)
It has been a very long time since I’ve looked at this. Sorry I don’t have an answer for you.
Hello Eric, I have found a solution; the following should be part of ldap.json ;)
"authorization": {
  "rules": {
    "groups": {
      "required": ["CN=,OU=,DC=,DC="]
    }
  }
},