Wednesday, March 25, 2009

MediaWiki & Active Directory Authentication

I had a heck of a time getting MediaWiki to properly authenticate against Active Directory so I thought I would document my configuration in hopes that someone can gain from my trauma.

I was finally able to get authentication working with MediaWiki version 1.14 with the LDAP Authentication extension (version 1.2a) and the LDAPAutoAuthentication extension.

There are many ways to configure the extensions depending on what you want to do. I was looking to accomplish several things:
  1. Automatically authenticate the logged in user using integrated authentication.
  2. Automatically populate the users name and email address with information out of the directory.
  3. Populate wiki groups based on Active Directory group membership.
  4. Only use the login id for the wiki username and not the DOMAIN\username that you typically see.
In order to simply get auto authentication to work you need to add code similar to the following to LocalSettings.php.
//
//LDAP Authentication Configuration
//
require_once( "$IP/extensions/LdapAuthentication.php" );
require_once( "$IP/extensions/LdapAutoAuthentication.php" );
//the domain name is any arbitrary name that you will use as a variable (the array key) throughout this configuration
$wgLDAPDomainNames = array("my_domain");
//define the fully qualified name of your AD domain
$wgLDAPServerNames = array("my_domain"=>"mydomain.com");
//"clear" sends the proxy agent bind and all directory traffic unencrypted; "ssl" and "tls" are the other values the extension accepts
//there are other, probably more secure ways to do this, but I know this works.
$wgLDAPEncryptionType = array("my_domain"=>"clear");
//this is the arbitrary domain name you defined in $wgLDAPDomainNames above, not the DNS name of the domain
$wgLDAPAutoAuthDomain = "my_domain";
//this is how you get the wiki user to be username as opposed to DOMAIN\username
//(split() is deprecated since PHP 5.3 and removed in PHP 7; explode() on the backslash does the same job)
$parts = explode('\\', $_SERVER['REMOTE_USER'], 2);
$userid = end($parts);
$wgLDAPAutoAuthUsername = $userid;
$wgLDAPBaseDNs = array("my_domain"=>"DC=mydomain,DC=com");
$wgLDAPSearchAttributes = array("my_domain" => "sAMAccountName");
$wgMinimalPasswordLength = 1;
AutoAuthSetup();
Those changes will get your users into the wiki without being prompted for user name and password.
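The single explode() line above assumes REMOTE_USER always arrives as DOMAIN\username. The following is an added example (not code from the original post or from the LDAP extensions) that normalises REMOTE_USER more defensively: it also accepts the user@REALM form that Kerberos front ends can produce (an assumption about the deployment, not something the post states) and a bare name, and it returns null instead of an empty string when the web server did not actually authenticate anyone, so AutoAuthSetup() is only called for a real identity. The function name, the sample values and the character check are my construction.

```php
<?php
// Added example, not code from the original post or from the LDAP extensions.
// Derives the wiki username from what the web server placed in REMOTE_USER after
// integrated authentication. Accepts DOMAIN\user (the form the post shows),
// user@REALM (assumed Kerberos/UPN form) and a bare user name. Returns null when
// there is no usable authenticated identity so the caller can skip AutoAuthSetup().
function wikiUsernameFromRemoteUser($remoteUser)
{
    if (!is_string($remoteUser) || $remoteUser === '') {
        return null;
    }
    // DOMAIN\user: keep what follows the last backslash.
    $pos = strrpos($remoteUser, '\\');
    if ($pos !== false) {
        $remoteUser = (string) substr($remoteUser, $pos + 1);
    }
    // user@REALM: drop the realm.
    $pos = strpos($remoteUser, '@');
    if ($pos !== false) {
        $remoteUser = (string) substr($remoteUser, 0, $pos);
    }
    // Reject characters Active Directory itself forbids in a sAMAccountName
    // (" / \ [ ] : ; | = , + * ? < > and control characters); such a value cannot
    // name a real account and should never reach $wgLDAPAutoAuthUsername.
    if ($remoteUser === '' || preg_match('/["\/\\\\\[\]:;|=,+*?<>\x00-\x1f]/', $remoteUser)) {
        return null;
    }
    return $remoteUser;
}

// In LocalSettings.php the explode()/list() line becomes:
//   $userid = wikiUsernameFromRemoteUser(isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : '');
//   if ($userid !== null) {
//       $wgLDAPAutoAuthUsername = $userid;
//       AutoAuthSetup();
//   }
// so auto-authentication is only enabled when the web server really authenticated someone.

// Constructed sample values; run with: php thisfile.php
if (PHP_SAPI === 'cli') {
    $samples = array('MYDOMAIN\\jsmith', 'jsmith@MYDOMAIN.COM', 'jsmith', '', 'MYDOMAIN\\', 'j<smith>');
    foreach ($samples as $in) {
        // expected: 'jsmith', 'jsmith', 'jsmith', NULL, NULL, NULL
        printf("%-22s => %s\n", var_export($in, true), var_export(wikiUsernameFromRemoteUser($in), true));
    }
}
```

The check on REMOTE_USER matters because an IIS site that accidentally has anonymous access enabled alongside integrated authentication will hand PHP an empty REMOTE_USER; failing closed there is preferable to handing the extension an empty username.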

If you would like to pull their name and email address from the directory add the following code into LocalSettings.php right before 'AutoAuthSetup();'
//this is where you define the credentials necessary to read information from AD
//you only need this if you want to pull the name, email address and groups from AD
$wgLDAPProxyAgent = array('my_domain' => 'CN=ldapbinduser,OU=Users,DC=mydomain,DC=com');
$wgLDAPProxyAgentPassword = array('my_domain' => 'theldappassword');
$wgLDAPPreferences = array("my_domain"=>array( "email"=>"mail","realname"=>"cn","nickname"=>"givenName"));
Finally, if you want to pull group assignments you will need to set up custom wiki groups; add the following code somewhere before you start building the LDAP authentication.

//Custom Wiki Groups
$wgGroupPermissions['AD Group #1']['read'] = true;
$wgGroupPermissions['AD Group #2']['read'] = true;
$wgGroupPermissions['AD Group #3']['read'] = true;
Note that the wiki group names and the AD group names need to be identical. You can read all about the rights that can be assigned and additional configuration parameters for wiki groups here.

Once you have defined your groups you can have the login process automatically add users to those groups based on their AD group memberships. Just add the following code right before 'AutoAuthSetup();' (and after the code that was defined above).
//Group Configuration
//match membership by the user's full DN appearing in the group's "member" attribute
$wgLDAPGroupUseFullDN = array( "my_domain"=>true );
$wgLDAPGroupObjectclass = array( "my_domain"=>"group" );
$wgLDAPGroupAttribute = array( "my_domain"=>"member" );
//direct memberships only; nested (group-in-group) membership is not expanded
$wgLDAPGroupSearchNestedGroups = array( "my_domain"=>false );
//the group's cn is compared with the wiki group names defined in $wgGroupPermissions
$wgLDAPGroupNameAttribute = array( "my_domain"=>"cn" );
$wgLDAPUseLDAPGroups = array( "my_domain"=>true );
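When the group mapping does not behave as expected it helps to see, outside MediaWiki, which groups the directory would return for a user and whether the proxy agent can read them at all. The script below is an added diagnostic, not part of the original post or of the LDAP extensions. It binds as the proxy agent and resolves a user's groups using exactly the conventions configured above (full DN in the group's "member" attribute, objectClass "group", direct memberships only, group "cn" as the name), then reports which of those groups have an identically named wiki group. The server, base DN and bind DN are the placeholders from the post; the password is read from an environment variable, StartTLS on port 389 is assumed to be available (set $useTls to false to reproduce the "clear" setting), and PHP's ldap extension with ldap_escape (PHP 5.6 or later) is required.

```php
<?php
// Added diagnostic script, not part of the original post or of the LDAP extensions.
// Run: LDAP_BIND_PASSWORD=... php checkLdapGroups.php jsmith

// Placeholder values copied from the configuration in the post; adjust them.
$server = 'mydomain.com';
$baseDn = 'DC=mydomain,DC=com';
$bindDn = 'CN=ldapbinduser,OU=Users,DC=mydomain,DC=com';
$bindPw = getenv('LDAP_BIND_PASSWORD');   // keep the password out of the file
$useTls = true;   // StartTLS on 389 (assumed available); false reproduces the "clear" setting
// The wiki group names defined in $wgGroupPermissions; only AD groups with an identical cn map.
$wikiGroups = array('AD Group #1', 'AD Group #2', 'AD Group #3');

function ldapGroupsForUser($server, $baseDn, $bindDn, $bindPw, $userId, $useTls)
{
    // An empty password makes ldap_bind perform an anonymous bind, which can
    // "succeed" against AD and hide a bad proxy agent credential, so refuse it.
    if (!is_string($bindPw) || $bindPw === '') {
        throw new RuntimeException('LDAP_BIND_PASSWORD is not set');
    }
    $conn = ldap_connect($server);
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);   // AD returns referrals; chasing them stalls searches
    if ($useTls && !ldap_start_tls($conn)) {
        throw new RuntimeException('StartTLS failed: ' . ldap_error($conn));
    }
    if (!@ldap_bind($conn, $bindDn, $bindPw)) {
        throw new RuntimeException('proxy agent bind failed: ' . ldap_error($conn));
    }
    // 1. sAMAccountName -> DN plus the attributes $wgLDAPPreferences reads.
    $filter = '(&(objectClass=user)(sAMAccountName=' . ldap_escape($userId, '', LDAP_ESCAPE_FILTER) . '))';
    $res = ldap_search($conn, $baseDn, $filter, array('cn', 'mail', 'givenName'));
    $users = ldap_get_entries($conn, $res);
    if ($users['count'] !== 1) {
        throw new RuntimeException("expected one account for $userId, found " . $users['count']);
    }
    $userDn = $users[0]['dn'];
    // 2. Groups whose "member" attribute contains that DN; report each group's cn.
    $filter = '(&(objectClass=group)(member=' . ldap_escape($userDn, '', LDAP_ESCAPE_FILTER) . '))';
    $res = ldap_search($conn, $baseDn, $filter, array('cn'));
    $entries = ldap_get_entries($conn, $res);   // attribute keys come back lower-cased
    $groups = array();
    for ($i = 0; $i < $entries['count']; $i++) {
        $groups[] = $entries[$i]['cn'][0];
    }
    ldap_unbind($conn);
    sort($groups);
    return array(
        'dn'     => $userDn,
        'mail'   => isset($users[0]['mail'][0]) ? $users[0]['mail'][0] : null,
        'groups' => $groups,
    );
}

if (PHP_SAPI === 'cli') {
    $userId = isset($argv[1]) ? $argv[1] : 'jsmith';   // constructed default
    $info = ldapGroupsForUser($server, $baseDn, $bindDn, $bindPw, $userId, $useTls);
    printf("%s\n  dn:   %s\n  mail: %s\n", $userId, $info['dn'], $info['mail']);
    foreach ($info['groups'] as $g) {
        $mapped = in_array($g, $wikiGroups, true);
        printf("  %-30s %s\n", $g, $mapped ? 'maps to a wiki group' : 'no wiki group with this exact name');
    }
}
```

If the bind fails here it will fail inside the extension too, and the names the script lists under "no wiki group with this exact name" are the ones that still need a matching $wgGroupPermissions entry (the comparison is exact, so case and spacing must match). Because nested membership is disabled in the configuration above, the script deliberately lists direct memberships only.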

I do not believe that this will remove users from groups once they have been added, but I haven't tested that yet.

The only weird thing that I have experienced is that, for some users, the first time they hit the wiki it tells them that they must log in first. If they refresh they are able to get right in. I assume that it is just a lag between creating the account and allowing login. I have a small set of users so it hasn't caused a problem.

Hopefully this is helpful and will save you the time that I spent with trial and error getting this all to work correctly. One final tip - you can add '$wgLDAPDebug = 3;' to LocalSettings.php to get debug information about what is going on with LDAP authentication if you run into any issues.
