Mediawiki Authentication using ldap

From Notes_Wiki

Home > CentOS > CentOS 6.x > Web based tools or applications > Mediawiki configuration > Mediawiki Authentication using ldap

MediaWiki supports LDAP-based authentication through the 'LdapAuthentication' extension. To configure MediaWiki authentication against LDAP use the following steps. Note that LDAP authentication may not work with the SQLite database back-end.

  1. yum -y install php-ldap
  2. service httpd restart
  3. Download latest LdapAuthentication plugin for installed media-wiki version from http://www.mediawiki.org/wiki/Special:ExtensionDistributor/LdapAuthentication
  4. Extract the downloaded file in extensions folder
  5. Add following lines to 'LocalSettings.php' file for a non-SSL, non-TLS LDAP server such as OpenLDAP with anonymous read enabled:
    require_once("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
    $wgAuth = new LdapAuthenticationPlugin();
    $wgLDAPDomainNames = array('Domain_name',);
    $wgLDAPServerNames = array('Domain_name' => 'LDAP_server_IP_or_FQDN',);
    #Avoid using local groups. This is recommended by plugin author
    #$wgLDAPUseLocal = false;
    #This can be uncommented on test machines to debug ldap issue, not meant for production.
    #$wgLDAPDebug = 3;
    #$wgDebugLogGroups['ldap'] = '/tmp/debug.log';
    $wgLDAPEncryptionType = array('Domain_name' => 'clear',);
    $wgLDAPSearchAttributes = array('Domain_name' => 'uid',);
    $wgLDAPBaseDNs = array('Domain_name' => 'Base_dn',);
    $wgLDAPPreferences = array('Domain_name' => array('email' => 'mail', 'realname' => 'displayName', 'nickname' => 'cn',),);
    $wgLDAPLowerCaseUsername = array('Domain_name' => true, );
    $wgLDAPGroupUseFullDN = array('Domain_name' => false, );
    $wgLDAPGroupObjectclass = array('Domain_name' => 'posixGroup',);
    $wgLDAPGroupAttribute = array('Domain_name' => 'memberUid',);
    $wgLDAPGroupNameAttribute = array('Domain_name' => 'cn',);
    #This should be avoided on really large setup as per plugin author documentation
    $wgLDAPGroupsPrevail = array('Domain_name' => true,);
    Here Domain_name should be replaced with a recognizable name, which is also shown to the user on the login page. Base_dn should be replaced by the LDAP base DN. A few settings such as the user and group search DNs have been omitted for simplicity. Note that all the arrays can take multiple key/value pairs, but only one is used in this example for simplicity. In large setups one can put multiple values in the necessary arrays.
  6. For secure authentication change 'clear' to 'ssl' in $wgLDAPEncryptionType, since 'clear' sends bind credentials over the network unencrypted, and ensure that the CA certificate is configured in /etc/openldap/ldap.conf. The LDAP server must be resolvable by its FQDN for the SSL connection to succeed.
  7. To force user to be from a specific LDAP group also append:
    $wgLDAPRequiredGroups = array('Domain_name' => array('Required_Group',),);
    Here Required_Group is the DN of the group of which the user must be a member.
  8. To ensure users belonging to a particular group can never login use:
    $wgLDAPExcludedGroups = array('Domain_name' => array('Exclude_Group',),);
    Here Exclude_Group is the DN of the group whose members are denied access.
  9. Create the necessary tables in the wiki database using the 'extensions/LdapAuthentication/schema/ldap-mysql.sql' file. For database connection details refer to the LocalSettings.php file.


For 389-DS, compared to OpenLDAP, some parameters change as follows (group membership is matched on full DNs via the uniquemember attribute):

   require_once("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
   $wgAuth = new LdapAuthenticationPlugin();
   $wgLDAPDomainNames = array('Domain_name',);
   $wgLDAPServerNames = array('Domain_name' => 'LDAP_server_hostname_or_ip',);
   #Avoid using local groups. This is recommended by plugin author
   #$wgLDAPUseLocal = false;
   #This can be uncommented on test machines to debug ldap issue, not meant for production.
   #$wgLDAPDebug = 3;
   #$wgDebugLogGroups['ldap'] = '/tmp/debug.log';

   $wgLDAPEncryptionType = array('Domain_name' => 'clear',);
   $wgLDAPSearchAttributes = array('Domain_name' => 'uid',);
   $wgLDAPBaseDNs = array('Domain_name' => 'Base_dn',);
   $wgLDAPPreferences = array('Domain_name' => array('email' => 'mail', 'realname' => 'displayName', 'nickname' => 'cn',),);
   $wgLDAPLowerCaseUsername = array('Domain_name' => true, );
   $wgLDAPGroupUseFullDN = array('Domain_name' => true, );
   $wgLDAPGroupObjectclass = array('Domain_name' => 'posixGroup',);
   $wgLDAPGroupAttribute = array('Domain_name' => 'uniquemember',);
   $wgLDAPGroupNameAttribute = array('Domain_name' => 'cn',);
   #This should be avoided on really large setup as per plugin author documentation
   $wgLDAPGroupsPrevail = array('Domain_name' => true,);
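The following Python model, added here and not part of the page or the LdapAuthentication plugin, shows how the group settings from step 5 and the 389-DS variant interact: $wgLDAPGroupAttribute names the attribute read from each group entry and $wgLDAPGroupUseFullDN decides whether it is compared with the user's full DN or bare username, which is why a posixGroup/memberUid directory needs false and a uniquemember directory needs true; excluded groups are evaluated before required groups, and the model assumes membership of any one required group is sufficient. The directory contents are constructed sample data.

```python
# Constructed sample directory (not a real server): an OpenLDAP-style posixGroup whose
# memberUid values are bare uids, and a 389-DS-style group holding full member DNs.
SAMPLE_LDIF = """dn: uid=alice,ou=people,dc=example,dc=com
uid: alice

dn: cn=wiki-users,ou=groups,dc=example,dc=com
objectClass: posixGroup
memberUid: alice
memberUid: bob

dn: cn=wiki-banned,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=bob,ou=people,dc=example,dc=com
"""

def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, attribute names lowercased."""
    directory, entry = {}, {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                directory[entry["dn"][0].lower()] = entry
            entry = {}
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return directory

def user_in_group(directory, group_dn, user_dn, uid, group_attribute, use_full_dn):
    """Model of $wgLDAPGroupUseFullDN: compare the user's full DN (true) or bare uid
    (false) against the values of $wgLDAPGroupAttribute in the group entry."""
    group = directory.get(group_dn.lower())
    if group is None:
        return False                            # unknown group never grants membership
    wanted = user_dn.lower() if use_full_dn else uid.lower()
    return wanted in {v.lower() for v in group.get(group_attribute.lower(), [])}

def access_decision(directory, user_dn, uid, group_attribute, use_full_dn,
                    required, excluded):
    """Excluded groups deny first; then membership of any one required group is needed."""
    def member(group_dn):
        return user_in_group(directory, group_dn, user_dn, uid, group_attribute, use_full_dn)
    if any(member(g) for g in excluded):
        return "deny"
    if required and not any(member(g) for g in required):
        return "deny"
    return "allow"
```

Running the model with memberUid and use_full_dn set to true reproduces the silent lockout a mismatched $wgLDAPGroupUseFullDN causes: the bare uid values never equal a full DN, so no required group matches.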


Troubleshooting setup

ldap_domains table does not exist error

It is possible that an error saying the ldap_domains table does not exist is shown. To solve that, log in to the MySQL database used by MediaWiki and run:

     CREATE TABLE ldap_domains(domain_id int not null primary key auto_increment, domain varchar(255) binary not null, user_id int not null);
     CREATE INDEX user_id on ldap_domains(user_id);

The queries have been obtained from the schema/ldap-mysql.sql file in the LdapAuthentication plugin source.


Some internal error

After login the wiki may show an internal error. This can happen if the SQL schema defined in extensions/LdapAuthentication/schema/ldap-mysql.sql has not been added to the wiki database properly.

Refer to http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Configuration_Options for more details.


