Getting MediaWiki to securely authenticate off of a Win 2003 Active Directory ended up being much trickier than I first thought. The documentation at MediaWiki on the subject was missing some key pieces of information.
Getting Secure LDAP set up on my AD server was a little beyond me, so I happily dropped that task on my systems admin, who (I was glad to see) had a little difficulty there himself. I was able to test that secure LDAP was configured properly using a utility called LDP.exe, which is part of the Windows Resource Kit (2000 or 2003). So while the wiki authentication still wasn’t working, I was able to eliminate the AD as the problem.
After changing $wgLDAPUseSSL = false; to $wgLDAPUseSSL = true; I still had no luck. After a long bit of googling, I finally put together the missing pieces of info I needed.
Key 1
Found on http://www.php.net/ldap . To enable PHP’s LDAP functionality on Windows:
"Note to Win32 Users: In order to enable this module on a Windows environment, you must copy several files from the DLL folder of the PHP/Win32 binary package to the SYSTEM folder of your windows machine. (Ex: C:\WINNT\SYSTEM32, or C:\WINDOWS\SYSTEM). For PHP <= 4.2.0 copy libsasl.dll, for PHP >= 4.3.0 copy libeay32.dll and ssleay32.dll to your SYSTEM folder."
Key 2
From a user post by jabba at zeelandnet dot nl on that same page. OpenLDAP requires that you create an ldap.conf file in the directory C:\OpenLDAP\sysconf\ . The first line of this text file must be TLS_REQCERT never. Weirdly enough, this seems to be a hard-coded requirement: you can’t even define the path in php.ini.
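Before blaming MediaWiki, it helps to prove that PHP itself can bind to the domain controller over LDAPS. The script below is an added example, not part of the original post or of the LDAPAuthentication extension; the host name, base DN and service account are placeholders, and the password is read from an environment variable. It also flags the catch with Key 2: TLS_REQCERT never tells OpenLDAP to skip validating the domain controller's certificate, so the session is encrypted but the server is not authenticated. Once the bind works, the ldap.conf line should become TLS_REQCERT demand together with a TLS_CACERT line pointing at the CA certificate that issued the DC's certificate.

```php
<?php
// Added diagnostic (not from the original post): bind to AD over LDAPS from
// plain PHP so that a failure can be pinned on PHP/OpenLDAP rather than on
// the MediaWiki extension. All identifiers below are placeholders.
$host   = 'dc01.example.local';          // placeholder domain controller
$port   = 636;                           // LDAPS port
$baseDn = 'DC=example,DC=local';         // placeholder search base
$bindDn = 'wikisvc@example.local';       // placeholder service account (UPN form is accepted by AD)
$bindPw = getenv('AD_BIND_PW');          // keep the password out of the script

// Key 1: if the DLLs were not copied, the extension does not load at all.
if (!function_exists('ldap_connect')) {
    fwrite(STDERR, "php_ldap is not loaded: check libeay32.dll/ssleay32.dll (Key 1)\n");
    exit(1);
}

$conn = ldap_connect("ldaps://{$host}:{$port}");
if ($conn === false) {
    fwrite(STDERR, "ldap_connect rejected the URI (bad host/port syntax)\n");
    exit(1);
}
// AD requires LDAPv3; leaving referral chasing on makes searches against
// the domain root hang while the client tries to follow forest referrals.
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

// The TLS handshake only happens here. "Can't contact LDAP server" at this
// point, with LDP.exe working from the same box, is the Key 2 symptom:
// OpenLDAP could not validate the DC certificate and there is no ldap.conf
// telling it what to do about that.
if (!@ldap_bind($conn, $bindDn, $bindPw)) {
    fwrite(STDERR, sprintf("bind failed: %s (errno %d)\n",
        ldap_error($conn), ldap_errno($conn)));
    exit(1);
}
echo "LDAPS bind succeeded\n";

// A search proves the session is usable beyond the bind and returns the
// attributes the wiki would later pull in as user preferences.
$filter = '(sAMAccountName=wikisvc)';     // placeholder account
$res = ldap_search($conn, $baseDn, $filter, ['displayName', 'mail']);
foreach (ldap_get_entries($conn, $res) as $k => $entry) {
    if (!is_int($k)) { continue; }        // skip the "count" element
    printf("%s <%s>\n", $entry['displayname'][0] ?? '?', $entry['mail'][0] ?? '?');
}
ldap_unbind($conn);
```

Run it from the web server's own PHP binary (php.exe on the wiki host), since that is the build whose DLLs and ldap.conf lookup actually matter.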
Success.
Since MediaWiki is used more in LAMP configurations, I can forgive the holes in the ldap_authenticate documentation around AD in a Windows environment. (In the spirit of digital karma, I will post there next.) But given the importance of these two points to getting LDAP functions to work in PHP, I was surprised they were not more prominently noted in PHP’s documentation. The second point is even buried in the user comments. Perhaps PHP and other open source projects might want to consider moving documentation to a wiki to allow their users to help better document functions.
So as for my original requirements for our intranet wiki:
- Authenticate users using their standard Windows Domain username/password. – Done
- Restrict access (read, write) to only authenticated users – Done
One remaining item is to pre-populate the user preferences (i.e. full name, email) when the user logs in. Reportedly the line $wgLDAPRetrievePrefs = true; is supposed to trigger this, but I haven’t seen it work. More to come then…
3/20/2007 – There is a new version (1.1) of the LDAPauthentication extension. Some of this article may be outmoded as a result. See Part 3 of the series.