Configuring WikiMedia for an Active Directory based intranet – Part 3

A while ago, I wrote a post about setting up MediaWiki as an intranet for my non-profit organization. Not wanting to burden people with yet another set of login credentials, I set the wiki to authenticate off of our Active Directory server using the LDAPAuthentication extension. At the time (version 1.0f), the documentation for Windows and AD was spotty and I was glad to add the results of my trials and errors. One thing I was never able to do was have the user prefs (full name and email) pulled from the AD into the wiki user profile.

Since then, the extension has been updated to 1.1d and that feature is more readily available. There are new instructions for configuring an AD server on the Configuration Examples page. To my original code in LocalSettings.php:

## attempt at authenticating off of Active Directory at dc01.testAD.org
require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "testAD" );
$wgLDAPServerNames = array( "testAD"=>"dc01.testAD.org" );
$wgLDAPUseSSL = true;           # encrypt the connection to the domain controller
$wgLDAPUseLocal = false;        # no fallback to wiki-local passwords
$wgLDAPAddLDAPUsers = false;    # the wiki never writes accounts back to AD
$wgLDAPUpdateLDAP = false;
$wgLDAPMailPassword = false;
$wgLDAPRetrievePrefs = true;    # pull full name and email from AD into the wiki profile
$wgMinimalPasswordLength = 1;   # password policy is enforced by AD, not by the wiki

I added the following:

$wgLDAPSearchStrings = array( "testAD"=>"testAD\\USER-NAME" );   # USER-NAME is replaced with the login name
$wgLDAPEncryptionType = array( "testAD"=>"ssl" );
$wgLDAPSearchAttributes = array(
  "testAD"=>"sAMAccountName"
  );
$wgLDAPBaseDNs = array(
  "testAD"=>"dc=testAD,dc=org"
  );
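As an added example (not code from the post or from the LdapAuthentication extension), a stand-alone PHP script that performs, outside MediaWiki, the steps these settings describe: connect to dc01.testAD.org over LDAPS, bind with the testAD\USER-NAME search string, look the account up by sAMAccountName under dc=testAD,dc=org, and read the attributes the wiki copies into the user profile. The displayName and mail attribute names, the script name and its command-line arguments are assumptions, since the post does not say which attributes the extension reads.

```php
<?php
// Added diagnostic (not the extension's or the post's code): runs, outside MediaWiki,
// the steps the settings above describe. Hostname, domain and base DN are the post's;
// the displayName/mail attribute names and the CLI arguments are assumptions.
function ldapProbe( string $host, string $domain, string $baseDn, string $user, string $password ): array {
    // An empty password makes AD accept the bind as anonymous, so refuse it up front.
    if ( $password === '' ) {
        return [ 'ok' => false, 'error' => 'empty password would be an unauthenticated bind' ];
    }
    // $wgLDAPEncryptionType "ssl": LDAPS on 636 with the server certificate verified.
    $conn = ldap_connect( "ldaps://$host:636" );
    if ( $conn === false ) {
        return [ 'ok' => false, 'error' => 'invalid LDAP URI' ];
    }
    ldap_set_option( $conn, LDAP_OPT_PROTOCOL_VERSION, 3 );
    ldap_set_option( $conn, LDAP_OPT_REFERRALS, 0 );   // AD returns referrals; do not chase them
    ldap_set_option( $conn, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND );

    // $wgLDAPSearchStrings "testAD\\USER-NAME": USER-NAME is replaced by the login name.
    $bindName = str_replace( 'USER-NAME', $user, "$domain\\USER-NAME" );
    if ( !@ldap_bind( $conn, $bindName, $password ) ) {
        return [ 'ok' => false, 'error' => 'bind failed: ' . ldap_error( $conn ) ];
    }

    // $wgLDAPSearchAttributes / $wgLDAPBaseDNs: locate the account by sAMAccountName.
    $filter = '(sAMAccountName=' . ldap_escape( $user, '', LDAP_ESCAPE_FILTER ) . ')';
    $result = ldap_search( $conn, $baseDn, $filter, [ 'displayName', 'mail' ] );
    $entries = $result ? ldap_get_entries( $conn, $result ) : [ 'count' => 0 ];
    if ( $entries['count'] !== 1 ) {
        return [ 'ok' => false, 'error' => "expected exactly one entry, got {$entries['count']}" ];
    }
    // ldap_get_entries lowercases attribute names in the returned array.
    return [
        'ok'       => true,
        'realname' => $entries[0]['displayname'][0] ?? '',
        'email'    => $entries[0]['mail'][0] ?? '',
    ];
}

if ( PHP_SAPI === 'cli' ) {
    // Usage: php ldap-probe.php <username> <password>
    print_r( ldapProbe( 'dc01.testAD.org', 'testAD', 'dc=testAD,dc=org', $argv[1] ?? '', $argv[2] ?? '' ) );
}
```

A bind that succeeds here but fails in the wiki points at the extension's settings; a TLS failure here points at the server certificate or port 636 rather than at MediaWiki.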

Success! Now the full name and email address appear in Special:Preferences after a user successfully logs in. Finally I can have closure.

Or not. Apparently this works for domain users who had already logged onto the wiki prior to the update, but not for those created afterwards. Those users get an Internal Error page with a password-change-forbidden message. Luckily, some intrepid techies had found a solution and posted it (albeit cryptically) on the LDAPAuthentication discussion page. If you have version 1.1d, you only need to make changes to SpecialUserLogin.php in the includes directory.

Since I don't have access to the patch utility on Windows, I had to update the file by hand. To do that, make a backup first. Open SpecialUserLogin.php and find the function initUser (lines 309 to 323). Replace the entire function with the following code.

function initUser( $u ) {
    global $wgAuth;

    $u->addToDatabase();

    // Only store a local password when the auth plugin permits it; with LDAP
    // it does not, and the unconditional setPassword() caused the Internal Error.
    if ( $wgAuth->allowPasswordChange() ) {
        $u->setPassword( $this->mPassword );
    }

    $u->setEmail( $this->mEmail );
    $u->setRealName( $this->mRealName );
    $u->setToken();

    $wgAuth->initUser( $u );

    $u->setOption( 'rememberpassword', $this->mRemember ? 1 : 0 );
    $u->saveSettings();

    return $u;
}

Success? So far. I created a new domain account and then used it to log on to the intranet. No Internal Error, so I assume everything is kosher now. I'll keep you posted.

This entry was posted in MediaWiki, Web/Tech.

13 Responses to Configuring WikiMedia for an Active Directory based intranet – Part 3

  1. jfew says:

    Bless you, kind soul, for posting these details! You’re helping 55 employees become much more happy and productive.


  2. Ankit Madan says:

    Hi Eric..
    Thanks a ton for your posts..guided me through rough waters.. just a final step left.
    I'm getting this error after clicking login:
    start-tls]: Unable to start TLS: Server is unavailable in C:\xampp\htdocs\mediawiki\includes\LdapAuthentication.php on line 165
    though I'm able to ping the LDAP server through the command prompt.
    Also, how do I get the contents block on the top of every page?


  3. byuk says:

    Is domain authentication possible using LAMP?
    I don't have the possibility to install the wiki on IIS/Windows; however, I am using MS Active Directory.
    I tried your config and logging in fails.
    Any help please?


  4. Another commenter finally helped me figure out how to automatically pull the user's name and email for the preferences page. It seems that the syntax should be:
    $wgLDAPRetrievePrefs = array( "something.org"=>"true" );
    That worked wonderfully.


  5. Wayne Dixon says:

    Thanks for the great info. We now have our wiki setup with LDAP Authentication.


  6. Max Power says:

    This helps a lot, thanks!
    Now, since we are using LDAP, and already have a known good email, any way to get rid of the “confirm email” additional step to receive watch notifications and the like? I would like to assume each new user to our wiki has a valid email.



  8. Shiva Gopalakrishnan says:

    Hey, fantastic post!!! It helped me solve the LDAP login issue.
    Now, I am a bit greedy. Have you or anyone attempted Single Sign-On with MediaWiki.


  9. Anastas S says:

    Thanks a lot.. the post is extremely helpful.
    After 5 hours f@%*!g with it I was able to make it work on CentOS 5.1 Linux. Thanks to your post.
    The only thing I was unable to do is SSL encryption.
    I'm using the latest version of LdapAuthentication.php (v1.2a), but SSL is not working…
    too tired to continue working on it though..
    …must sleep..
    X(


  10. Gene says:

    Editing the SpecialUserLogin.php file according to your instructions was the answer to roughly 8 hours of searching. Thank you for the help!


  11. hansi1279 says:

    Thanks a lot. It's a great feature. But how can I configure it for all users?
    $wgLDAPSearchStrings = array( "myDomain"=>"myDomain\\USER-NAME" );
    $wgLDAPSearchStrings = array( "myDomain"=>"myDomain\\cn" );


  12. Geir Amundsen says:

    Thank god it's Friday 🙂 It's Monday actually, thank god for Google and thank god for Eric 🙂
    Thanks 😉


  13. Davinium says:

    Thanks a lot, it's now working like a charm,
    great job Eric.
