Discussion:
How to enable ldap authentication in mediawiki?
王鸿瑞
2007-10-18 01:47:05 UTC
Hi

I have an AD server; its domain name is exchangetest.umtest.local. I want
to configure MediaWiki to use AD authentication. For example, when a user logs in to
MediaWiki, if he is in AD, then he will be created in MediaWiki and log on
successfully; if he is not in AD, his logon will fail.

I have read about LDAP Authentication, but can't resolve the issue. My
LocalSettings.php is like below:

$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['user']['createaccount'] = false;
$wgGroupPermissions['*']['read'] = true;
$wgGroupPermissions['*']['edit'] = false;
require_once("extensions/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "exchangetest" );
$wgLDAPServerNames = array( "exchangetest"=>"exchangetest.exchangetest.umtest.local" );
$wgLDAPProxyAgent = array("exchangetest"=>"cn=administrator,cn=users,dc=exchangetest,dc=umtest,dc=local");
$wgLDAPProxyAgentPassword = array("exchangetest"=>"Password");
$wgLDAPSearchAttributes = array("exchangetest"=>"sAMAccountName");
$wgLDAPBaseDNs = array("exchangetest"=>"dc=exchangetest,dc=umtest,dc=local");
$wgLDAPUseSSL = array( "exchangetest"=>"ssl");

$wgLDAPUseLocal = false;
$wgLDAPDisableAutoCreate = array("exchangetest"=>false);
$wgMinimalPasswordLength = 1;
I am a newbie on MediaWiki. Could you please give me some advice?

Best Regards

hrwang
Lane, Ryan
2007-10-18 13:03:13 UTC
Post by 王鸿瑞
$wgLDAPUseSSL = array( "exchangetest"=>"ssl");
This should be:

$wgLDAPEncryptionType = array("exchangetest"=>"ssl");

As of right now you are actually using start_tls, and not ldaps (as the
plugin defaults to start_tls for user protection purposes). If you have
an SSL cert installed on your AD server, it should have the same effect,
but they use different ports, and the encryption is slightly different;
notice that not all AD servers are set up to use start_tls. By default
AD doesn't use ldaps or start_tls, you are required to install a
certificate.

If you have a certificate installed, you may have a certificate trust
issue. If you use:

$wgLDAPEncryptionType = array("exchangetest"=>"clear");

and it works, you know this is an SSL issue. I strongly recommend
against leaving this as "clear" though.
Post by 王鸿瑞
$wgLDAPUseLocal = false;
$wgLDAPDisableAutoCreate = array("exchangetest"=>false);
These two default to false (pretty much everything defaults to false).

Set:

$wgLDAPDebug = 3;

That will give you debugging info. If you can't figure out the problem,
post your debug info with sensitive stuff snipped out.

V/r,

Ryan Lane
王鸿瑞
2007-10-19 08:08:37 UTC
Hi Ryan Lane,

Thanks for your reply first.
I changed my configuration following your directions, like below:
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['user']['createaccount'] = false;
$wgGroupPermissions['*']['read'] = true;
$wgGroupPermissions['*']['edit'] = false;

require_once("extensions/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "exchangetest" );
$wgLDAPServerNames = array( "exchangetest"=>"exchangetest.exchangetest.umtest.local" );
$wgLDAPProxyAgent = array("exchangetest"=>"cn=administrator,cn=users,dc=exchangetest,dc=umtest,dc=local");
$wgLDAPProxyAgentPassword = array("exchangetest"=>"Password");
$wgLDAPSearchAttributes = array("exchangetest"=>"sAMAccountName");
$wgLDAPBaseDNs = array("exchangetest"=>"dc=exchangetest,dc=umtest,dc=local");
$wgLDAPEncryptionType = array("exchangetest"=>"ssl");
$wgMinimalPasswordLength = 1;
$wgLDAPDebug = 3;

Then I log on to the wiki and can find these debug messages:
Entering validDomain
User is using a valid domain.
Setting domain as: exchangetest
Entering getCanonicalName
Username isn't empty.
Munged username: Jma
Entering authenticate
Entering Connect
Using SSL
Using servers: ldaps://137.134.68.117
Connected successfully
Entering getSearchString
Doing a proxy bind
Failed to bind as
cn=administrator,cn=users,dc=exchangetest,dc=umtest,dc=local
Failed to bind
User DN is blank
Entering strict.
Returning true in strict().
Entering modifyUITemplate

I am not clear why binding as administrator failed. My environment is an AD server
(Windows) and a wiki server (Linux).
I checked the log file /var/log/httpd/ssl_error_log on the wiki server and can
find these messages:

[Sat Jun 13 13:44:41 2015] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sat Jun 13 13:44:41 2015] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?

Could the certificate on the AD server cause the binding error?
_______________________________________________
MediaWiki-l mailing list
http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Lane, Ryan
2007-10-22 14:56:48 UTC
Post by 王鸿瑞
Entering validDomain
User is using a valid domain.
Setting domain as: exchangetest
Entering getCanonicalName
Username isn't empty.
Munged username: Jma
Entering authenticate
Entering Connect
Using SSL
Using servers: ldaps://137.134.68.117
You really should be using a fully qualified domain name that matches
the CN of your AD server's certificate. SSL will fail if the names don't
match.
Post by 王鸿瑞
Connected successfully
Entering getSearchString
Doing a proxy bind
Failed to bind as
cn=administrator,cn=users,dc=exchangetest,dc=umtest,dc=local
Failed to bind
Either the password for the proxy user is wrong, or you have an SSL
issue. I'd bet it is an SSL issue.

Also, you *really* shouldn't use an admin account as your proxy agent.
Make a special account for it, and if possible (after you have
everything working), try to limit the user's rights to binding and
searching for users; meaning, the user shouldn't be able to log into a
desktop/server system.
Post by 王鸿瑞
User DN is blank
Entering strict.
Returning true in strict().
Entering modifyUITemplate
I am not clear why binding as administrator failed. My environment
is an AD server
(Windows) and a wiki server (Linux).
I checked the log file /var/log/httpd/ssl_error_log on
[Sat Jun 13 13:44:41 2015] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sat Jun 13 13:44:41 2015] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?
These are warnings about the certificate on your web server, not on the
AD server.
Post by 王鸿瑞
Could the certificate on the AD server cause the binding error?
Yes, and this is likely the case. On your Linux system, put the
following into /etc/ldap.conf, and /etc/openldap/ldap.conf (or remove
/etc/openldap/ldap.conf, and link that file to /etc/ldap.conf):

TLS_CACERT /etc/pki/tls/certs/ca.crt
TLS_CACERTDIR /etc/pki/tls/certs

Where ca.crt is the CA certificate that signed your AD server's
certificate in PEM format. Notice you can use whatever directory is
acceptable for your distro. Red Hat Enterprise Linux (RHEL) 5 uses the
above location, RHEL 4 uses /usr/share/ssl/certs. You can also try:

TLS_REQCERT never

to tell your system to not check for validity of the certificate. This
is, of course, more insecure as it can open you up to man in the middle
attacks.

V/r,

Ryan Lane
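The mistakes Ryan points out across his replies (the misnamed $wgLDAPUseSSL setting, a "clear" encryption type, the administrator account as proxy agent, an IP address instead of the FQDN on the certificate) plus the misspelt "exchangestest" domain key in the original LocalSettings.php can all be caught before restarting Apache. This is an added example, not code from the thread or from the LDAP Authentication extension; the sample config and its values are constructed.

```python
import re

# Constructed sample modelled on the LocalSettings.php fragment in this thread;
# hosts, DNs and domain names are placeholders, not a real deployment.
SAMPLE_CONFIG = '''
$wgLDAPDomainNames = array( "exchangetest" );
$wgLDAPServerNames = array( "exchangetest"=>"137.134.68.117" );
$wgLDAPProxyAgent = array("exchangetest"=>"cn=administrator,cn=users,dc=exchangetest,dc=umtest,dc=local");
$wgLDAPSearchAttributes = array ("exchangestest"=>"sAMAccountName");
$wgLDAPUseSSL = array( "exchangetest"=>"ssl");
$wgLDAPEncryptionType = array("exchangetest"=>"clear");
'''

STATEMENT = re.compile(r'\$(wgLDAP\w+)\s*=\s*array\s*\((.*?)\)\s*;', re.S)
PAIR = re.compile(r'"([^"]*)"\s*=>\s*"([^"]*)"')
BARE = re.compile(r'"([^"]*)"')

def parse_ldap_settings(text):
    """Map each $wgLDAP* array setting to {domain: value}; bare lists map value -> None."""
    settings = {}
    for name, body in STATEMENT.findall(text):
        pairs = PAIR.findall(body)
        settings[name] = dict(pairs) if pairs else {v: None for v in BARE.findall(body)}
    return settings

def lint_ldap_settings(text):
    """Return 'CODE: detail' findings for the mistakes discussed in the thread."""
    s = parse_ldap_settings(text)
    domains = set(s.get('wgLDAPDomainNames', {}))
    findings = []
    if 'wgLDAPUseSSL' in s:
        findings.append('UNKNOWN_SETTING: $wgLDAPUseSSL is not a plugin setting; use $wgLDAPEncryptionType')
    # A per-domain array keyed by a misspelt domain is silently ignored by the plugin.
    for name, entries in s.items():
        for key in entries:
            if name != 'wgLDAPDomainNames' and key not in domains:
                findings.append(f'BAD_DOMAIN_KEY: ${name} key "{key}" is not in $wgLDAPDomainNames')
    for dom, enc in s.get('wgLDAPEncryptionType', {}).items():
        if enc == 'clear':
            findings.append(f'CLEARTEXT: {dom} sends bind passwords unencrypted')
    for dom, dn in s.get('wgLDAPProxyAgent', {}).items():
        if re.match(r'cn=administrator,', dn, re.I):
            findings.append(f'ADMIN_PROXY: {dom} binds as the administrator account; '
                            'use a dedicated bind-and-search account')
    for dom, host in s.get('wgLDAPServerNames', {}).items():
        if re.fullmatch(r'\d{1,3}(\.\d{1,3}){3}', host):
            findings.append(f'IP_SERVER: {dom} server "{host}" is an IP address; '
                            'TLS needs the FQDN that matches the certificate CN')
    return findings
```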
王鸿瑞
2007-10-23 12:04:49 UTC
Thanks, Ryan.
I have an issue; could you give me some suggestions please?
My certificate on the AD server was generated when I installed Exchange 2007. The
certificate is signed by Exchange and issued to Exchange.
Post by 王鸿瑞
Entering Connect
Using SSL
Using servers: ldaps://exchangetest.exchangetest.umtest.local
Connected successfully
Entering getSearchString
From this debug information, I guess SSL is set up on AD. But when I use
ldp.exe to connect to AD on SSL port 636, it can't open a connection.

My AD's FQDN is exchangetest.exchangetest.umtest.local. When I enter
ldaps://exchangetest.exchangetest.umtest.local in a browser, I can't access it.
If I change the URL to ldap://exchangetest.exchangetest.umtest.local, I can access it.

I think SSL is not set up on my AD, right? Maybe I should create another
certificate, issued to exchangetest.exchangetest.umtest.local?

I apologize for my foolish question. I have changed my LocalSettings.php many times
for testing, but it always fails.

Best Regards
Lane, Ryan
2007-10-23 13:30:49 UTC
Post by 王鸿瑞
Thanks, Ryan.
I have an issue; could you give me some suggestions please?
My certificate on the AD server was generated when I installed
Exchange 2007. The certificate is signed by Exchange and issued to Exchange.
Self signed certificates can be problematic, but using:

TLS_REQCERT never

in your ldap.conf *should* solve that issue.
Post by 王鸿瑞
Post by 王鸿瑞
Entering Connect
Using SSL
Using servers: ldaps://exchangetest.exchangetest.umtest.local
Connected successfully
Entering getSearchString
From this debug information, I guess SSL is set up on AD.
But when I use ldp.exe to connect to AD on SSL port 636, it can't
open a connection.
My AD's FQDN is exchangetest.exchangetest.umtest.local. When I
enter ldaps://exchangetest.exchangetest.umtest.local in a
browser, I can't access it.
If I change the URL to ldap://exchangetest.exchangetest.umtest.local,
I can access it.
I think SSL is not set up on my AD, right? Maybe I should
create another certificate, issued to
exchangetest.exchangetest.umtest.local?
If you can't connect to port 636, you don't have a certificate
installed, or you have a firewall blocking the port.
Post by 王鸿瑞
I apologize for my foolish question. I have changed my
LocalSettings.php many times for testing, but it always fails.
No problem. Changing LocalSettings.php at this point in time won't help
you, as the problem lies outside of MediaWiki.

V/r,

Ryan Lane
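To see why the bind fails against ldaps://137.134.68.117 while the certificate names the FQDN, and what "TLS_REQCERT never" in ldap.conf actually changes, here is an added model of the client-side checks (not code from the thread or from OpenLDAP). The ldap.conf fragments and the certificate are constructed, and chain_trusted is an assumed input standing in for chain validation against TLS_CACERT.

```python
import ipaddress

# Constructed ldap.conf fragments: the trusted-CA setup from the thread and the
# "TLS_REQCERT never" shortcut it warns about.
LDAP_CONF_TRUSTED = "TLS_CACERT /etc/pki/tls/certs/ca.crt\nTLS_CACERTDIR /etc/pki/tls/certs\n"
LDAP_CONF_NEVER = "TLS_CACERT /etc/pki/tls/certs/ca.crt\nTLS_REQCERT never\n"

# Constructed peer certificate in the shape ssl.SSLSocket.getpeercert() returns;
# a CN-only certificate like the self-signed Exchange one has no subjectAltName.
AD_CERT = {"subject": ((("commonName", "exchangetest.exchangetest.umtest.local"),),)}

def parse_ldap_conf(text):
    """Return the directives of an OpenLDAP ldap.conf as {NAME: value}; last one wins."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            opts[key.upper()] = value.strip()
    return opts

def cert_names(cert):
    """Names a client may match: SAN dNSName/iPAddress entries, else the subject CN."""
    san = [(t, v) for t, v in cert.get("subjectAltName", ()) if t in ("DNS", "IP Address")]
    if san:
        return san
    return [("DNS", v) for rdn in cert["subject"] for t, v in rdn if t == "commonName"]

def host_matches(cert, host):
    """True when the LDAP URI host satisfies the peer-name check (exact match, no wildcards)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, name in cert_names(cert):
        if ip is not None and kind == "IP Address" and ipaddress.ip_address(name) == ip:
            return True
        if ip is None and kind == "DNS" and name.lower() == host.lower():
            return True
    return False

def bind_would_verify(ldap_conf, cert, host, chain_trusted):
    """Model the TLS outcome of an ldaps:// bind. chain_trusted is an assumed input:
    whether the server's chain validates against the configured TLS_CACERT."""
    opts = parse_ldap_conf(ldap_conf)
    if opts.get("TLS_REQCERT", "demand") == "never":
        return True  # connects, but any certificate is accepted: open to MITM
    if not chain_trusted or ("TLS_CACERT" not in opts and "TLS_CACERTDIR" not in opts):
        return False
    return host_matches(cert, host)
```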

Jack Eapen C
2007-10-18 13:08:26 UTC
Hi,

What are the lines needed for getting Active Directory groups as MW
groups? Is that possible? In such a case, will the AD groups co-exist
with already existing MW groups?


Regards,

Jack Eapen
----------------------------------------------------------------

"People forget how fast you did a job - but they remember how well you
did it"


Lane, Ryan
2007-10-18 13:17:16 UTC
Post by Jack Eapen C
What are the lines needed for getting Active Directory groups
as MW groups? Is that possible? In such a case, will the AD
groups co-exist with already existing MW groups?
See:

http://www.mediawiki.org/wiki/Extension:LDAP_Authentication#Group_options

http://www.mediawiki.org/wiki/Extension:LDAP_Authentication#Group_based_restrictions_.28NEW.29

http://www.mediawiki.org/wiki/Extension:LDAP_Authentication#Group_synchronization


It is possible, and the groups will be controlled via LDAP (AD) except
for a list of groups you specify.

V/r,

Ryan Lane