Configuring WikiMedia for an Active Directory based intranet

One of my current projects involves creating an internal knowledge base. Wiki’s being a natural for this sort of collaborative content building, I started exploring MediaWiki the engine behind Wikipedia.

An intranet implies a much more closed community than that of the typical Wiki implementation. That being the case, our requirements were;

  1. Authenticate users using their standard Windows Domain username/password.
  2. Resrtict access (read, write) to only authenticated users

I wasn’t sure if domain authentication would be possible using the standard LAMP setup. So, instead I opted to use IIS 6. A great step by step guide for installing MediaWiki on Windows 2003 can be found at http://meta.wikimedia.org/wiki/Installing_MediaWiki_on_Windows_Server_2003_SP1

After getting PHP, MySql, IIS, and MediaWiki installed, you can start configuring LocalSettings.php in the root directory of your wiki installation. To perform the following, simple append the code snippet to LocalSettings.php.

1. Restrict edit to logged in users

$wgGroupPermissions[‘*’][‘edit’] = false;
$wgGroupPermissions[‘user’][‘edit’] = true;

2. Prevent new registrations from anonymous users (Sysops can still create new account)

$wgGroupPermissions[‘*’][‘createaccount’] = false;

3. Define the pages un-authenticate users can see. This is crucial. Otherwise, there’s no way for people to login.

$wgWhitelistRead = array( "Main Page", "Special:Userlogin", "-", "MediaWiki:Monobook.css" );
$wgGroupPermissions[‘*’    ][‘read’]            = false;

4. Authenticate users from an Active Directory.

You will need to download LDAPauthenticate.php from http://bugzilla.wikipedia.org/show_bug.cgi?id=814 to the includes directory in the root of your wiki installation. Details on this file and its usage can be found at http://meta.wikimedia.org/wiki/LDAP. There are links to some configuration examples. However I found the one for AD did not work without modifcation. Here is what I eventually had success with. In my example, the AD name is ad_name.org and the hostname of the server hosting the AD (domain controller) is DC1 and the domain is Domain_name. Subsitute your AD name and Hostname in the following code. In some cases the Active Directory name and Domain name may be the same.

require_once( ‘LdapAuthentication.php’ );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "
ad_name.org" );
$wgLDAPServerNames = array( "
ad_name.org"=>"dc1"  );
$wgLDAPUseSSL = false;
$wgLDAPUseLocal = false;
$wgLDAPAddLDAPUsers = false;
$wgLDAPUpdateLDAP = false;
$wgLDAPMailPassword = false;
$wgLDAPRetrievePrefs = true;
$wgMinimalPasswordLength = 1;
$wgLDAPSearchStrings = array( "
ad_name.org"=>"Domain_name\\USER-NAME"  );

Viola. Your wiki is now restricted to only users with valid domain accounts. The lines, $wgLDAPAddLDAPUsers = false; and $wgLDAPUpdateLDAP = false; restrict users from updating their LDAP info via the wiki interface.

Unfortunately there are two things I have not had success with. I have not had success populating the fields (name, email, etc) in the preferences tab after a user has logged in. The tag $wgLDAPRetrievePrefs = true; is supposed to make this happen but it does not.

Additional, I have yet to secure authentication by implementing SSL. Note – $wgLDAPUseSSL = false; This I fairly important and should be done before rolling this out to my users.

I’ll update this post with any additonal information I find. Please let me know if you have an success with these last two items.

3/20/2007 – There is a new version (1.1) of the LDAPauthentication extension. Some of this article may be outmoded as a result. See Part 3 of the series.

Advertisements
This entry was posted in MediaWiki, Web/Tech. Bookmark the permalink.

16 Responses to Configuring WikiMedia for an Active Directory based intranet

  1. Jeremy Harmer says:

    Thanks for this! Google found your example which got me past first base – all the other examples I found failed but now I read your info I can at least authenticate.

    Like

  2. Wayne C says:

    This is fantastic. I am setting one up and dont require users to create a account like you. I just wish Wiki to create a account for them if they are on the AD and logged in already.
    But after I have done as you detailed (so neatly i might add) all i see is a blank page of the URL index.php?title=Special:Userlogin&action=submitlogin&type=login&returnto=Current_events
    Have you had any luck with getting around this? Basically this is the last step before AD utopia 🙂

    Like

  3. Thanks Eric! I tried so many examples out there and nothing works, found your site (through a link from WikiMedia LDAP Authentication Configuration Examples) and it works straight away. The only question I have, we have 3 LDAP servers, each with different domain name (don’t ask me why, it’s the way it’s setup by our IT admin). I know I can just use array for the $wgLDAPDomainNames, $wgLDAPServerNames, $wgLDAPSearchStrings, and $wgLDAPEncryptionType, but what about the other variables (i.e., $wgLDAPUseSSL, $wgLDAPUseLocal, $wgLDAPAddLDAPUsers, $wgLDAPUpdateLDAP, $wgLDAPMailPassword, $wgMinimalPasswordLength, and $wgLDAPRetrievePrefs)? Do they need to be in an array?

    Like

  4. Reebo says:

    Awesome, Eric! Thanks for those instructions…super helpful. I tried out the configuration settings you noted for LocalSetting.php and it kind of works…but… only for an existing MediaWiki user that was created in the wiki BEFORE I installed the LDAP Authentication plugin (v1.1d). For example, I created user “jsmith” as a user within MediaWiki BEFORE installing LDAP Authentication on the Wiki. AFTER I installed the LDAP Authetication plugin, I tried to login with the same username “jsmith”, and the wiki seems to Authenticate against AD because I have to log in with the AD password (not the password that was originally used when creating the account in MediaWiki). Question is…why is it only allowing that one user to authenticate against AD from the Wiki? If I try to log into the Wiki with another AD user account (i.e. “jdoe”) I just get a blank screen. Anyone know what’s going on? Below is the part of my LocalSettings.php pertaining to the LDAP Auth plugin:
    require_once( ‘LdapAuthentication.php’ );
    $wgAuth = new LdapAuthenticationPlugin();
    $wgLDAPDomainNames = array( “something.org” );
    $wgLDAPServerNames = array( “something.org”=>”ad0.something.org” );
    $wgLDAPUseSSL = false;
    $wgLDAPUseLocal = false;
    $wgLDAPAddLDAPUsers = false;
    $wgLDAPUpdateLDAP = false;
    $wgLDAPMailPassword = false;
    $wgLDAPRetrievePrefs = true;
    $wgMinimalPasswordLength = 1;
    $wgLDAPSearchStrings = array( “something.org”=>”something\\USER-NAME” );
    I’ve been working on this for over a week now and I think I’m on the ‘home stretch’ with getting LDAP authentication working with MediaWiki 1.9. Can anyone out there help get me running once and for all?
    Cheers,
    -Reebo

    Like

  5. Ryan Lane says:

    These instructions unfortunately are simply incorrect now. Most of the options have changed in the new version of the plugin.
    Also, I don’t see how these instructions are any different from the ones on the configuration instruction pages.
    Since the configuration pages are a wiki, it is better to update the documentation where it is incorrect, and fill in documentation where it is missing. I also have sections where users can mention what configuration worked for them.
    As for the person mentioning multiple domains: I’m sorry your admin creates such havoc in your environment ;). Also, yes, you can use multiple domains, and almost all of the options use the array syntax (which is why this article is so incorrect). Take a look at the official documentation.
    –Ryan Lane

    Like

  6. Ryan,
    At the time of this post I did update the Wiki documentation as well as my own blog. More recently I’ve added a third installment to this blog which references the new LDAPauthentication module.

    Like

  7. Shane madi says:

    Eric
    Thanks for the page. I followed everything and it seems like it is authenticating. However after logging in, I get a blank page.
    http://localhost/index.php?title=Special:Userlogin&action=submitlogin&type=login&returnto=Main_Page
    What could be the problem?

    Like

  8. boby says:

    You have used WIMP setup. Is it possible to use LAMP? will MS AD authentication work from Linux?
    I have tried some things with no success.

    Like

  9. This post is intended only to clarify the instructions found at http://www.mediawiki.org/wiki/Extension:LDAP_Authentication. If you need further support, please ask for it on that forum.

    Like

  10. Angel Vico says:

    Most of the options must be of array type.
    $wgLDAPRetrievePrefs = true; will not work.
    Use $wgLDAPRetrievePrefs = array( “something.org”=>”true” );
    The same with $wgLDAPUseSSL, $wgLDAPAddLDAPUsers, $wgLDAPUpdateLDAP and $wgLDAPMailPassword.

    Like

  11. Thank you so much, Angel. Changing $wgLDAPRetrievePrefs to an array was the last missing piece to this puzzle. That was tremendously helpful.

    Like

  12. wiki headache says:

    Thanks Angel
    That helped me too…
    I can’t believe i found the answer here and not somewhere on…say…mediawiki.org

    Like

  13. Qiqi says:

    Hi
    Can someone describe how you configure PHP to support LDAP? i followed the instruction from http://us3.php.net/ldap, but it didn’t work. The operating system is Windows server 2000. I created the path in windows environment variables, copied php_ldap, libeay32.dll and ssleay32.dll to system32, restart the apache. But still got the blank page!
    Can someone please help me?
    Thanks

    Like

  14. Luke Evans says:

    Regarding Angel’s comment about “$wgLDAPRetrievePrefs = array( “something.org”=>”true” );”. Could someone please tell me what ‘something.org’ should be? Should it be AD Domain? Wiki URL?
    Thanks.

    Like

  15. Marco Rojas says:

    This saved me from so much pain I was suffering…here is my working configuration:
    ### LDAP
    require_once (‘extensions/LdapAuthentication/LdapAuthentication.php’);
    $wgAuth = new LdapAuthenticationPlugin();
    $wgLDAPDomainNames = array( “mydomain.local” );
    $wgLDAPServerNames = array( “mydomain.local”=>”172.16.10.10” );
    $wgLDAPUseSSL = false;
    $wgLDAPUseLocal = false;
    $wgLDAPAddLDAPUsers = false;
    $wgLDAPUpdateLDAP = false;
    $wgLDAPMailPassword = false;
    $wgLDAPRetrievePrefs = array( “mydomain.local”=>”true” );
    $wgMinimalPasswordLength = 1;
    $wgLDAPSearchStrings = array( “mydomain.local”=>”mydomain\\USER-NAME” );
    $wgLDAPSearchAttributes = array(“mydomain.local”=>”sAMAccountName”);
    $wgLDAPBaseDNs = array(“mydomain.local”=>”OU=someou,OU=someotherou,DC=test,DC=local”);
    Note that my LdapAuthenticaion.php is inside a folder called LdapAuthentication inside the extensions directory. Change your settings accordingly.
    Thank you so much for taking the time to do this.

    Like

  16. Esmeralda says:

    Wow, this piece of writing is nice, my younger sister is
    analyzing such things, so I am going to cconvey her.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s