Configuring WikiMedia for an Active Directory based intranet – Part 2

Getting MediaWiki to securely authenticate off of a Win 2003 Active Directory ended up being much trickier than I first thought. The documentation at MediaWiki on the subject was missing some key pieces of information.

Getting Secure LDAP set up on my AD server was a little beyond me. So I happily dropped that task on my systems admin, who (I was glad to see) had a little difficulty there himself. I was able to test that secure LDAP was configured properly using a utility called LDP.exe, which is part of the Windows Resource Kit (2000 or 2003). So while the wiki authentication still wasn't working, I was able to eliminate AD as the problem.

After changing `$wgLDAPUseSSL = false;` to `$wgLDAPUseSSL = true;` I still had no luck. After a long bit of googling, I finally put together the missing pieces of info I needed.

Key 1
Found on http://www.php.net/ldap. To enable PHP's LDAP functionality in Windows:

"Note to Win32 Users:
In order to enable this module on a Windows environment, you must copy several files from the DLL folder of the PHP/Win32 binary package to the SYSTEM folder of your windows machine. (Ex: C:\WINNT\SYSTEM32, or C:\WINDOWS\SYSTEM). For PHP <= 4.2.0 copy libsasl.dll, for PHP >= 4.3.0 copy libeay32.dll and ssleay32.dll to your SYSTEM folder."

Key 2
From a user post by jabba at zeelandnet dot nl on that same page. OpenLDAP requires that you create an ldap.conf file in the directory C:\OpenLDAP\sysconf\. The first line of this text file must be

TLS_REQCERT never

Weirdly enough, this seems to be a hard-coded requirement. You can't even define the path in php.ini.
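As an added example (not code from this post, from MediaWiki or from the LDAP Authentication extension): a PHP script that makes the same LDAPS bind the extension will make once `$wgLDAPUseSSL = true;`, but with certificate verification kept on, since `TLS_REQCERT never` switches it off. The domain controller name, CA file path and service account are assumptions.

```php
<?php
// Added example, not from the original post. Verifies that PHP can bind to an
// Active Directory domain controller over LDAPS (port 636) with certificate
// verification ON. Hostname, CA file and account below are assumptions.
//
// The post's ldap.conf work-around:  TLS_REQCERT never   (no certificate check:
// any certificate, including one presented by a spoofed DC, is accepted).
// The equivalent that keeps verification, in C:\OpenLDAP\sysconf\ldap.conf:
//     TLS_REQCERT demand
//     TLS_CACERT  C:\OpenLDAP\sysconf\corp-root-ca.pem
// On PHP >= 7.1 the same two settings can also be made from code, as below.

function ad_ldaps_bind(string $host, string $upn, string $password, string $caFile): array
{
    // Global TLS options must be set before the first connection is opened.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ds = ldap_connect("ldaps://{$host}:636");
    if ($ds === false) {
        return ['ok' => false, 'error' => 'invalid LDAP URL'];
    }
    // AD needs LDAPv3, and referral chasing must be off or searches hang.
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // Bind with the user principal name (user@domain), which AD accepts directly.
    // A TLS failure (untrusted or mismatched certificate) surfaces here as a
    // bind error such as "Can't contact LDAP server", not as a PHP exception.
    $ok = @ldap_bind($ds, $upn, $password);
    $result = [
        'ok'    => $ok,
        'error' => $ok ? null : ldap_errno($ds) . ': ' . ldap_error($ds),
    ];
    ldap_unbind($ds);
    return $result;
}

// Usage with hypothetical names; the password comes from the environment.
$r = ad_ldaps_bind(
    'dc01.corp.example',
    'svc_wiki@corp.example',
    getenv('WIKI_LDAP_PW') ?: '',
    'C:\\OpenLDAP\\sysconf\\corp-root-ca.pem'
);
echo $r['ok'] ? "bind OK\n" : "bind failed: {$r['error']}\n";
```

On the PHP 4/5 builds the post is working with, the `LDAP_OPT_X_TLS_*` constants do not exist, so the two ldap.conf lines in the comment are the only place to keep verification while pointing OpenLDAP at the domain's CA certificate.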

Success.

Since MediaWiki is used more in LAMP configurations, I can forgive the holes in the ldap_authenticate documentation around AD in a Windows environment. (In the spirit of digital karma, I will post there next.) But given the importance of these two points to getting LDAP functions to work in PHP, I was surprised they were not more prominently noted in PHP's documentation. The second point is even buried in the user comments. Perhaps PHP and other open source projects might want to consider moving documentation to a wiki to allow their users to help better document functions.

So as for my original requirements for our intranet wiki:

  1. Authenticate users using their standard Windows Domain username/password. – Done
  2. Restrict access (read, write) to only authenticated users. – Done

One remaining item is to pre-populate the user preferences (i.e. full name, email) when the account is logged in. Reportedly the line `$wgLDAPRetrievePrefs = true;` is supposed to trigger this, but I haven't seen it work. More to come then…

3/20/2007 – There is a new version (1.1) of the LDAPauthentication extension. Some of this article may be outmoded as a result. See Part 3 of the series.


From my treo

Before I took the plunge and forked over a few hundred $ and bought me a Treo 650, I used to think the 'from my treo/blackberry' signature on email was a conceit. Now after a few months I realize it's really a request for forgiveness in advance for typos, crypto abbr.'s, and generally curt msgs. I am certain that at a certain point spelling will be a rare talent.

Eric Santiago Director IT/Business Systems ************ 212-***-3411

**via palm treo**

VPN Quarantine

My non-profit organization has two-thirds of its staff working from home offices and other remote locations. Currently they rely heavily on using Remote Desktop to access our Terminal Server just to use Outlook and access our network shares. This is not ideal for a number of reasons.

  1. Even with the donated licenses on Techsoup.org there is a per-user cost.
  2. Remote Desktop is very sensitive to fluctuations in connectivity and drops frequently.
  3. TS 2000 has no way of restricting user sessions, so users consistently have several open sessions from not logging out properly. This eats at the server resources and performance suffers.
  4. TS 2000 does not allow files to be transferred from the local client to the server. Users are constantly emailing themselves files.

For these and other reasons I've started exploring VPN. But as any techie knows, home computers are like kids in day care: rife with every virus known to man. Unfortunately, since we don't provide or maintain employee computers, we are faced with the problem of making sure they are up to date with Windows patches and antivirus.

Ensuring that remote clients meet a certain standard before allowing access can be accomplished by using the Quarantine features available through RRAS in Windows 2003 and by designing a custom VPN installer using CMAK (part of the Win 2003 resource kit).

After some intensive searches, I was able to locate some scripts that use the Windows Update feature to list and install any missing patches. While I haven’t come up with a final script yet, here are some of the resources that have some promising examples.

Some testing will help me determine if I can develop a script that works with both Windows 2000 and XP machines.

The trickier part is verifying that a client's AV definitions are up to date. While we use Symantec AV Corp. Ed., it would be a hard sell to make it a requirement for home users who may already have an AV client installed. One very interesting script I found – http://www.igt.ethz.ch/main.htm?http://www.igt.ethz.ch/www/Corporation/Internal/admin/Public/HowTo/VPN-NAQC.htm#Anti-Virus;intra-admhowto – uses the Security Center feature installed in XP SP2 to verify that an AV product is installed and is up to date. Very Cool. Unfortunately, that restricts remote clients to XP SP2. Oh well.

That script is the only one I’ve seen that allows for clients to have flexibility in the AV client they use. There are tons of scripts for checking Symantec specifically so I won’t list those I found.

Next step is for me to slap these scripts together and integrate them into a distributable VPN client. Check back later for the results.