Configuring WikiMedia for an Active Directory based intranet

One of my current projects involves creating an internal knowledge base. Wikis being a natural fit for this sort of collaborative content building, I started exploring MediaWiki, the engine behind Wikipedia.

An intranet implies a much more closed community than that of the typical wiki implementation. That being the case, our requirements were:

  1. Authenticate users using their standard Windows domain username and password.
  2. Restrict access (read and write) to authenticated users only.

I wasn’t sure whether domain authentication would be possible with the standard LAMP setup, so instead I opted to use IIS 6. A good step-by-step guide for installing MediaWiki on Windows Server 2003 can be found at http://meta.wikimedia.org/wiki/Installing_MediaWiki_on_Windows_Server_2003_SP1

After getting PHP, MySQL, IIS, and MediaWiki installed, you can start configuring LocalSettings.php in the root directory of your wiki installation. To perform each of the following steps, simply append the code snippet to LocalSettings.php.

1. Restrict editing to logged-in users

// Rights are unioned across all of a user's groups, and '*' means everyone
// (logged-in users included), so deny edit for '*' and grant it back for 'user'.
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['user']['edit'] = true;

2. Prevent anonymous users from registering new accounts (sysops can still create accounts)

$wgGroupPermissions['*']['createaccount'] = false;

3. Define the pages unauthenticated users can see. This is crucial: otherwise there is no way for anyone to reach the login page.

$wgWhitelistRead = array( "Main Page", "Special:Userlogin", "-", "MediaWiki:Monobook.css" );
$wgGroupPermissions['*']['read'] = false;

Keep in mind that MediaWiki's read restriction is designed to keep casual visitors out, not to act as a hard security boundary; the MediaWiki manual is explicit that it is not a substitute for real access control. For an intranet where everyone behind the domain login is trusted that is acceptable, but do not rely on it to protect genuinely sensitive material.

4. Authenticate users against Active Directory.

You will need to download LdapAuthentication.php from http://bugzilla.wikipedia.org/show_bug.cgi?id=814 into the includes directory in the root of your wiki installation. Details on this file and its usage can be found at http://meta.wikimedia.org/wiki/LDAP, which also links to some configuration examples. However, I found the one for AD did not work without modification. Here is what I eventually had success with. In my example, the AD DNS domain name is ad_name.org, the hostname of the domain controller is DC1, and the NetBIOS (pre-Windows 2000) domain name is Domain_name. Substitute your own AD name, hostname and domain name in the following code. In some cases the AD domain name and the NetBIOS domain name may be the same.

require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
// The domains the plugin knows about, and the domain controller to contact for each
$wgLDAPDomainNames = array( "ad_name.org" );
$wgLDAPServerNames = array( "ad_name.org" => "dc1" );
// Plain LDAP on port 389: the bind sends the domain password in the clear (see below)
$wgLDAPUseSSL = false;
// Do not fall back to the wiki's own user table for passwords
$wgLDAPUseLocal = false;
// Never write to the directory from the wiki
$wgLDAPAddLDAPUsers = false;
$wgLDAPUpdateLDAP = false;
$wgLDAPMailPassword = false;
$wgLDAPRetrievePrefs = true;
$wgMinimalPasswordLength = 1;
// USER-NAME is replaced by the plugin with the login name; AD accepts the DOMAIN\user
// form for a simple bind (the doubled backslash in the PHP string yields one backslash)
$wgLDAPSearchStrings = array( "ad_name.org" => "Domain_name\\USER-NAME" );

Voilà. Your wiki is now restricted to users with valid domain accounts. The lines $wgLDAPAddLDAPUsers = false; and $wgLDAPUpdateLDAP = false; stop the wiki from creating accounts in the directory or writing users' preference changes back to it, so the wiki only ever reads from AD and nothing a user does through the wiki interface can alter their LDAP information.
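Before trusting the configuration, it is worth confirming outside MediaWiki that the pieces it depends on actually work. The following script is an added example, not code from the original post or from the LdapAuthentication extension. It checks that PHP's LDAP extension is loaded, connects to the domain controller, performs the same DOMAIN\user simple bind that the $wgLDAPSearchStrings setting produces, and then looks the account up by sAMAccountName, escaping the username before it goes into the search filter (an unescaped value in a filter is an LDAP injection vector). The hostname dc1, the NetBIOS name Domain_name, the base DN DC=ad_name,DC=org derived from the post's placeholder ad_name.org, and the filename ldapcheck.php are assumptions. Run it from a command prompt on the web server as php ldapcheck.php with a test account; a failure at the first step is the usual cause of the blank login page several readers describe in the comments.

```php
<?php
// Added diagnostic, not part of the original post or the LdapAuthentication extension.
// Assumptions: DC hostname dc1, NetBIOS domain Domain_name, base DN DC=ad_name,DC=org.

$server   = 'dc1';                  // same value as $wgLDAPServerNames
$netbios  = 'Domain_name';          // same prefix as $wgLDAPSearchStrings
$baseDn   = 'DC=ad_name,DC=org';    // assumed: derived from the AD DNS name ad_name.org
$useLdaps = false;                  // set true once the DC has a certificate (port 636)

if ( !extension_loaded( 'ldap' ) ) {
    // A blank login page is very often just this: php_ldap.dll is not loaded.
    fwrite( STDERR, "PHP LDAP extension is not loaded; check extension=php_ldap.dll in php.ini\n" );
    exit( 1 );
}

// Escape a value for use inside an LDAP search filter (RFC 4515 rules).
// ldap_escape() only exists in PHP >= 5.6, so do it by hand here.
function filterEscape( $value ) {
    return str_replace(
        array( '\\',   '*',    '(',    ')',    "\0" ),
        array( '\\5c', '\\2a', '\\28', '\\29', '\\00' ),
        $value
    );
}

fwrite( STDOUT, "Username: " );
$user = trim( fgets( STDIN ) );
fwrite( STDOUT, "Password: " );   // echoed on a Windows console; use a test account
$pass = trim( fgets( STDIN ) );

if ( $user === '' || $pass === '' ) {
    // AD treats a bind with an empty password as an anonymous bind, which "succeeds".
    // Never let an empty password reach ldap_bind() in any login path.
    fwrite( STDERR, "Refusing to bind with an empty username or password\n" );
    exit( 1 );
}

$uri = ( $useLdaps ? 'ldaps://' : 'ldap://' ) . $server;
$ds  = ldap_connect( $uri );
if ( $ds === false ) {
    fwrite( STDERR, "ldap_connect failed for $uri\n" );
    exit( 1 );
}
ldap_set_option( $ds, LDAP_OPT_PROTOCOL_VERSION, 3 );
ldap_set_option( $ds, LDAP_OPT_REFERRALS, 0 );   // AD referrals otherwise break searches

// Same DOMAIN\user form the plugin builds from "Domain_name\\USER-NAME"
if ( !@ldap_bind( $ds, $netbios . '\\' . $user, $pass ) ) {
    fwrite( STDERR, "Bind failed: " . ldap_error( $ds ) . "\n" );
    exit( 1 );
}
echo "Bind OK as $netbios\\$user\n";

// Look the account up by sAMAccountName, with the username escaped for the filter
$filter  = '(sAMAccountName=' . filterEscape( $user ) . ')';
$sr      = ldap_search( $ds, $baseDn, $filter, array( 'cn', 'mail' ) );
$entries = ldap_get_entries( $ds, $sr );
if ( $entries['count'] === 0 ) {
    fwrite( STDERR, "Bound, but $filter matched nothing under $baseDn; check the base DN\n" );
    exit( 1 );
}
echo "Found: " . $entries[0]['dn'] . "\n";
echo "Real name: " . ( isset( $entries[0]['cn'][0] ) ? $entries[0]['cn'][0] : '(none)' ) . "\n";
echo "Mail: " . ( isset( $entries[0]['mail'][0] ) ? $entries[0]['mail'][0] : '(none)' ) . "\n";
ldap_unbind( $ds );
```

If the bind succeeds here but the wiki still shows a blank page, the problem is in the plugin or its settings rather than in PHP, the network or the account; if the bind fails with an error from the DC, the DOMAIN\user prefix or the password is wrong. The empty-password check matters beyond this script: a simple bind with a DN and no password is an anonymous bind, so any login path that forwards an empty password to the directory will let anyone in.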

Unfortunately there are two things I have not had success with. I have not been able to populate the fields (name, email, etc.) in the preferences tab after a user has logged in. The setting $wgLDAPRetrievePrefs = true; is supposed to make this happen, but it does not.

Additionally, I have yet to secure authentication by implementing SSL (note $wgLDAPUseSSL = false;). This is fairly important and should be done before rolling this out to my users.
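As an added example that is not from the original post and not the extension's own documentation, here is the LDAP section of LocalSettings.php with the weak setting flagged above shown beside the hardened one. With $wgLDAPUseSSL = false the plugin performs a simple bind over plain LDAP (port 389), so every wiki login sends the user's domain password in cleartext from the web server to the domain controller; anyone able to sniff that path collects domain credentials, which is a far bigger problem than the wiki itself. Turning on LDAPS (port 636) assumes the domain controller already has a server certificate and that the web server trusts the CA that issued it; until both are true the ldaps:// connection fails and nobody can log in, so make the change on a test instance first. The fully qualified DC name dc1.ad_name.org and the $wgLDAPEncryptionType line for version 1.1 of the extension are assumptions, taken from the comments below and the extension's later documentation rather than from the post.

```php
<?php
// Added example, not from the original post: the LDAP section of LocalSettings.php
// rewritten so that the bind to the domain controller is encrypted.
require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array( "ad_name.org" );
// Use the DC's fully qualified name (assumed here): it has to match the name in the
// DC's certificate or the TLS handshake fails. A short name or IP address only works
// if the certificate happens to list it as well.
$wgLDAPServerNames = array( "ad_name.org" => "dc1.ad_name.org" );

// Weak (what the post ships with): plain LDAP on 389, password crosses the wire in the clear
// $wgLDAPUseSSL = false;
// Hardened: LDAPS on 636
$wgLDAPUseSSL = true;
// $wgLDAPUseSSL is the option in the version the post used; version 1.1 of the extension
// moves to per-domain arrays instead (assumption based on the comments below):
// $wgLDAPEncryptionType = array( "ad_name.org" => "ssl" );

$wgLDAPUseLocal = false;        // no fallback to passwords stored in the wiki
$wgLDAPAddLDAPUsers = false;    // the wiki never writes to AD
$wgLDAPUpdateLDAP = false;
$wgLDAPMailPassword = false;    // never e-mail a password
$wgLDAPRetrievePrefs = true;
$wgMinimalPasswordLength = 1;   // kept from the original post; AD, not the wiki, owns password policy

// Unchanged: USER-NAME is substituted by the plugin, giving a DOMAIN\user simple bind
$wgLDAPSearchStrings = array( "ad_name.org" => "Domain_name\\USER-NAME" );
```

Nothing else in the file needs to change; the read, edit and createaccount restrictions from steps 1 to 3 stay as they are. Verify the certificate side from the web server before flipping the setting, because a trust failure looks identical to a wrong password from the wiki's point of view.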

I’ll update this post with any additional information I find. Please let me know if you have had any success with these last two items.

3/20/2007 – There is a new version (1.1) of the LDAPauthentication extension. Some of this article may be outmoded as a result. See Part 3 of the series.

16 thoughts on “Configuring WikiMedia for an Active Directory based intranet”

  1. Jeremy Harmer

    Thanks for this! Google found your example which got me past first base – all the other examples I found failed but now I read your info I can at least authenticate.

  2. This is fantastic. I am setting one up and don't require users to create an account like you. I just wish the wiki would create an account for them if they are in AD and logged in already.
    But after I have done as you detailed (so neatly, I might add) all I see is a blank page at the URL index.php?title=Special:Userlogin&action=submitlogin&type=login&returnto=Current_events
    Have you had any luck with getting around this? Basically this is the last step before AD utopia 🙂

  3. Thanks Eric! I tried so many examples out there and nothing worked, then found your site (through a link from WikiMedia LDAP Authentication Configuration Examples) and it works straight away. The only question I have: we have 3 LDAP servers, each with a different domain name (don’t ask me why, it’s the way it’s set up by our IT admin). I know I can just use arrays for $wgLDAPDomainNames, $wgLDAPServerNames, $wgLDAPSearchStrings, and $wgLDAPEncryptionType, but what about the other variables (i.e., $wgLDAPUseSSL, $wgLDAPUseLocal, $wgLDAPAddLDAPUsers, $wgLDAPUpdateLDAP, $wgLDAPMailPassword, $wgMinimalPasswordLength, and $wgLDAPRetrievePrefs)? Do they need to be in an array?

  4. Reebo

    Awesome, Eric! Thanks for those instructions…super helpful. I tried out the configuration settings you noted for LocalSettings.php and it kind of works…but… only for an existing MediaWiki user that was created in the wiki BEFORE I installed the LDAP Authentication plugin (v1.1d). For example, I created user “jsmith” as a user within MediaWiki BEFORE installing LDAP Authentication on the wiki. AFTER I installed the LDAP Authentication plugin, I tried to log in with the same username “jsmith”, and the wiki seems to authenticate against AD because I have to log in with the AD password (not the password that was originally used when creating the account in MediaWiki). Question is…why is it only allowing that one user to authenticate against AD from the wiki? If I try to log into the wiki with another AD user account (i.e. “jdoe”) I just get a blank screen. Anyone know what’s going on? Below is the part of my LocalSettings.php pertaining to the LDAP Auth plugin:
    require_once( 'LdapAuthentication.php' );
    $wgAuth = new LdapAuthenticationPlugin();
    $wgLDAPDomainNames = array( "something.org" );
    $wgLDAPServerNames = array( "something.org" => "ad0.something.org" );
    $wgLDAPUseSSL = false;
    $wgLDAPUseLocal = false;
    $wgLDAPAddLDAPUsers = false;
    $wgLDAPUpdateLDAP = false;
    $wgLDAPMailPassword = false;
    $wgLDAPRetrievePrefs = true;
    $wgMinimalPasswordLength = 1;
    $wgLDAPSearchStrings = array( "something.org" => "something\\USER-NAME" );
    I’ve been working on this for over a week now and I think I’m on the ‘home stretch’ with getting LDAP authentication working with MediaWiki 1.9. Can anyone out there help get me running once and for all?
    Cheers,
    -Reebo

  5. These instructions unfortunately are simply incorrect now. Most of the options have changed in the new version of the plugin.
    Also, I don’t see how these instructions are any different from the ones on the configuration instruction pages.
    Since the configuration pages are a wiki, it is better to update the documentation where it is incorrect, and fill in documentation where it is missing. I also have sections where users can mention what configuration worked for them.
    As for the person mentioning multiple domains: I’m sorry your admin creates such havoc in your environment ;). Also, yes, you can use multiple domains, and almost all of the options use the array syntax (which is why this article is so incorrect). Take a look at the official documentation.
    –Ryan Lane

  6. Ryan,
    At the time of this post I did update the Wiki documentation as well as my own blog. More recently I’ve added a third installment to this blog which references the new LDAPauthentication module.

  7. Angel Vico

    Most of the options must be of array type.
    $wgLDAPRetrievePrefs = true; will not work.
    Use $wgLDAPRetrievePrefs = array( "something.org" => "true" );
    The same with $wgLDAPUseSSL, $wgLDAPAddLDAPUsers, $wgLDAPUpdateLDAP and $wgLDAPMailPassword.

  8. Qiqi

    Hi
    Can someone describe how you configure PHP to support LDAP? I followed the instructions from http://us3.php.net/ldap, but it didn’t work. The operating system is Windows Server 2000. I created the path in the Windows environment variables, copied php_ldap, libeay32.dll and ssleay32.dll to system32, and restarted Apache. But I still get the blank page!
    Can someone please help me?
    Thanks

  9. Luke Evans

    Regarding Angel’s comment about “$wgLDAPRetrievePrefs = array( “something.org”=>”true” );”. Could someone please tell me what ‘something.org’ should be? Should it be AD Domain? Wiki URL?
    Thanks.

  10. Marco Rojas

    This saved me from so much pain I was suffering…here is my working configuration:
    ### LDAP
    require_once( 'extensions/LdapAuthentication/LdapAuthentication.php' );
    $wgAuth = new LdapAuthenticationPlugin();
    $wgLDAPDomainNames = array( "mydomain.local" );
    $wgLDAPServerNames = array( "mydomain.local" => "172.16.10.10" );
    $wgLDAPUseSSL = false;
    $wgLDAPUseLocal = false;
    $wgLDAPAddLDAPUsers = false;
    $wgLDAPUpdateLDAP = false;
    $wgLDAPMailPassword = false;
    $wgLDAPRetrievePrefs = array( "mydomain.local" => "true" );
    $wgMinimalPasswordLength = 1;
    $wgLDAPSearchStrings = array( "mydomain.local" => "mydomain\\USER-NAME" );
    $wgLDAPSearchAttributes = array( "mydomain.local" => "sAMAccountName" );
    $wgLDAPBaseDNs = array( "mydomain.local" => "OU=someou,OU=someotherou,DC=test,DC=local" );
    Note that my LdapAuthentication.php is inside a folder called LdapAuthentication inside the extensions directory. Change your settings accordingly.
    Thank you so much for taking the time to do this.
