Mailing List Archive: Wikipedia: Mediawiki

Active Directory Integration

Index | Next | Previous | View Threaded

jwgoerlich at gmail

Oct 28, 2006, 4:20 AM

Post #1 of 11 (38737 views)
Permalink

Active Directory Integration

Hello,

First, my apologies if this is the wrong place to ask or if this
question has been asked before.

I am looking to implement Wiki in a corporate setting. Has any work
been done to integrate the Wiki user accounts and permissions with a
directory services, such as Active Directory? If so, could some
friendly person give me a reference or a link?

Thanks in advance,

J Wolfgang Goerlich
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l [at] Wikimedia
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

brion at pobox

Oct 28, 2006, 11:02 AM

Post #2 of 11 (38578 views)
Permalink

Re: Active Directory Integration [In reply to]

J Wolfgang Goerlich wrote:
> I am looking to implement Wiki in a corporate setting. Has any work
> been done to integrate the Wiki user accounts and permissions with a
> directory services, such as Active Directory? If so, could some
> friendly person give me a reference or a link?

http://meta.wikimedia.org/wiki/LDAP_Authentication is the first hit on
Google for the search "mediawiki active directory"

There is an LDAP authentication plugin which is reasonably widely used;
as far as I know it ought to work with Active Directory.

-- brion vibber (brion @ pobox.com)
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l [at] Wikimedia
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

semweb at elemental-programming

Oct 29, 2006, 12:20 PM

Post #3 of 11 (38562 views)
Permalink

Re: Active Directory Integration [In reply to]

I've made a very simple implementation
for our site. It works and is simple.

Look at includes/AuthPlugin.php

jwgoerlich at gmail

Oct 30, 2006, 12:12 PM

Post #4 of 11 (38565 views)
Permalink

Re: Active Directory Integration [In reply to]

Many thanks for the advice. I will get on integrating MediaWiki with
Active Directory.

J Wolfgang Goerlich
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l [at] Wikimedia
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

jwgoerlich at gmail

Dec 12, 2006, 4:05 AM

Post #5 of 11 (38499 views)
Permalink

Re: Active Directory Integration [In reply to]

Hello again,

Per this list's recommendations, I downloaded the LdapAuthentication
plugin 1.1b and followed the documentation at:

http://meta.wikimedia.org/wiki/LDAP_Authentication
http://bugzilla.wikipedia.org/attachment.cgi?id=2830&action=view

I added the PHP code to the LocalSettings.php file. Authentication
appears to work. However, the logon never redirects to the main page.
With $wgLDAPDebug = 2, I get the following output:

Entering validDomain
User is using a valid domain
Setting domain as: abctech.com
Entering getCanonicalName
Username isn't empty.
Munged username: Jwgoerlich
Entering userExists
Entering authenticate
Entering Connect

This looks about right, but no go. Any suggestions?

J Wolfgang Goerlich

The PHP code that I added to the LocalSettings is:

require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array("abctech.com");
$wgLDAPServerNames = array("abctech.com"=>"dc7.abctech.com");
$wgLDAPUseLocal = false;
$wgLDAPUseSSL = array ("abctech.com"=>false);
$wgLDAPUseTLS = array ("abctech.com"=>true);
$wgLDAPSearchStrings = array("abctech.com"=>"Abctech\\USER-NAME");
$wgLDAPDebug = 2;
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l [at] Wikimedia
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

Ryan.Lane at ocean

Dec 12, 2006, 6:20 AM

Post #6 of 11 (38496 views)
Permalink

Re: Active Directory Integration [In reply to]

> I added the PHP code to the LocalSettings.php file. Authentication
> appears to work. However, the logon never redirects to the main page.
> With $wgLDAPDebug = 2, I get the following output:
>
> Entering validDomain
> User is using a valid domain
> Setting domain as: abctech.com
> Entering getCanonicalName
> Username isn't empty.
> Munged username: Jwgoerlich
> Entering userExists
> Entering authenticate
> Entering Connect
>

Hmm... Doesn't really look right. If the plugin is stopping at the
connect function, then most likely PHP doesn't have LDAP support. You
are getting a blank screen I'm assuming?

> This looks about right, but no go. Any suggestions?
>
> J Wolfgang Goerlich
>
>
> The PHP code that I added to the LocalSettings is:
>
> require_once( 'LdapAuthentication.php' );
> $wgAuth = new LdapAuthenticationPlugin();
> $wgLDAPDomainNames = array("abctech.com");
> $wgLDAPServerNames = array("abctech.com"=>"dc7.abctech.com");
> $wgLDAPUseLocal = false;
> $wgLDAPUseSSL = array ("abctech.com"=>false);
> $wgLDAPUseTLS = array ("abctech.com"=>true);

You may want to try SSL instead of TLS just in case.

> $wgLDAPSearchStrings = array("abctech.com"=>"Abctech\\USER-NAME");
> $wgLDAPDebug = 2;

And try setting debug to 4. Otherwise your settings look fine.

V/r,

Ryan Lane
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l [at] Wikimedia
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

jwgoerlich at gmail

Dec 12, 2006, 9:13 AM

Post #7 of 11 (38504 views)
Permalink

Re: Active Directory Integration [In reply to]

> You are getting a blank screen I'm assuming?

Yes, a blank screen. Tried SSL with much the same result. Tried
debugging at level 4, which only gives me the name of the server.

Entering validDomain
User is using a valid domain
Setting domain as: abctech.com
Entering getCanonicalName
Username isn't empty.
Munged username: Jwgoerlich
Entering userExists
Entering authenticate
Entering Connect
Using SSL
Using servers: ldaps://dc7.abctech.com

Alternatively, since I am using PHP on IIS with integrated
authentication, couldn't I use the get_current_user() and avoid LDAP
altogether? I would think so but am foggy on how to implement this.

Thanks,

J Wolfgang Goerlich
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l [at] Wikimedia
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

Ryan.Lane at ocean

Dec 12, 2006, 1:43 PM

Post #8 of 11 (38489 views)
Permalink

Re: Active Directory Integration [In reply to]

> Yes, a blank screen. Tried SSL with much the same result. Tried
> debugging at level 4, which only gives me the name of the server.
>
> Entering validDomain
> User is using a valid domain
> Setting domain as: abctech.com
> Entering getCanonicalName
> Username isn't empty.
> Munged username: Jwgoerlich
> Entering userExists
> Entering authenticate
> Entering Connect
> Using SSL
> Using servers: ldaps://dc7.abctech.com

It definitely looks like PHP doesn't have LDAP support. If the
connection was failing because of TLS or SSL, you'd be getting past the
connect function, and would get an "Incorrect password" error. You would
also see " Failed to connect" in the debugging info.

>
> Alternatively, since I am using PHP on IIS with integrated
> authentication, couldn't I use the get_current_user() and avoid LDAP
> altogether? I would think so but am foggy on how to implement this.

I think there is an extension to do this, mine doesn't support it
though... Is this it?
http://meta.wikimedia.org/wiki/User:Otheus/Auto_Login_via_REMOTE_USER

Might wanna look at this too:
http://meta.wikimedia.org/wiki/Web_server_Authentication

V/r,

Ryan Lane
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l [at] Wikimedia
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

jwgoerlich at gmail

Dec 13, 2006, 4:39 AM

Post #9 of 11 (38495 views)
Permalink

Re: Active Directory Integration [In reply to]

Thanks, Ryan. Comments inline.

> It definitely looks like PHP doesn't have LDAP support.

I did add the LDAP extension during setup. Do I need to do something
else to enable LDAP support?

> Might wanna look at this too:
> http://meta.wikimedia.org/wiki/Web_server_Authentication

Hmmm. I enabled it and now my Wiki displays the helpful 500 server
error. Something about "$wgAuth = new Auth_remoteuser();" causes PHP
to blowout.

J Wolfgang Goerlich
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l [at] Wikimedia
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

jwgoerlich at gmail

Dec 13, 2006, 4:47 AM

Post #10 of 11 (38507 views)
Permalink

Re: Active Directory Integration [In reply to]

> Might wanna look at this too:
> http://meta.wikimedia.org/wiki/Web_server_Authentication

In the RemoteUser.php, under the Auth_remoteuser, within the
Auth_remoteuser() function, the following line generates a HTTP 500:

array_push($wgExtensionFunctions, 'Auth_remote_user_hook');

When I comment that line out, then the Wiki loads and displays the
"Login Required" page.

J Wolfgang Goerlich
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l [at] Wikimedia
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

Ryan.Lane at ocean

Dec 13, 2006, 8:15 AM

Post #11 of 11 (38508 views)
Permalink

Re: Active Directory Integration [In reply to]

> I did add the LDAP extension during setup. Do I need to do
> something else to enable LDAP support?

Yes, did you look at this part of the documentation?
http://meta.wikimedia.org/wiki/LDAP_Authentication#Windows_configuration

>
> > Might wanna look at this too:
> > http://meta.wikimedia.org/wiki/Web_server_Authentication
>
> Hmmm. I enabled it and now my Wiki displays the helpful 500
> server error. Something about "$wgAuth = new
> Auth_remoteuser();" causes PHP to blowout.
>

That isn't my plugin, so I can't help you with it... Not sure exactly
who manages that one.

V/r,

Ryan Lane
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l [at] Wikimedia
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads