Configuring WikiMedia for an Active Directory based intranet – Part 3

A while ago, I wrote a post about setting up MediaWiki as an intranet for my non-profit organization. Not wanting to burden people with yet another set of login credentials, I set the wiki to authenticate against our Active Directory server using the LdapAuthentication extension. At the time (version 1.0f), the documentation for Windows and AD was spotty and I was glad to add the results of my trials and errors. One thing I was never able to do was have the user preferences (full name and email) pulled from AD into the wiki user profile.

Since then, the extension has been updated to 1.1d and that feature is more readily available. There are new instructions for configuring an AD server on the Configuration Examples page. To my original code in LocalSettings.php:

## attempt at authenticating off of  Active Directory at dc01.testAD.org
require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "testAD" );
$wgLDAPServerNames = array( "testAD"=>"dc01.testAD.org" );
$wgLDAPUseSSL = true;
$wgLDAPUseLocal = false;
$wgLDAPAddLDAPUsers = false;
$wgLDAPUpdateLDAP = false;
$wgLDAPMailPassword = false;
$wgLDAPRetrievePrefs = true;
$wgMinimalPasswordLength = 1;

I added the following;

$wgLDAPSearchStrings = array( "testAD"=>"testAD\\USER-NAME" );
$wgLDAPEncryptionType = array( "testAD"=>"ssl" );
$wgLDAPSearchAttributes = array( "testAD"=>"sAMAccountName" );
$wgLDAPBaseDNs = array( "testAD"=>"dc=testAD,dc=org" );
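A sanity check over the per-domain settings above, added here as an example; it is not code from the original post or from the LdapAuthentication extension. The checkLdapSettings() helper is hypothetical, and the second domain (badAD) is a constructed sample that exercises each failure the check reports.

```php
<?php
// Added example, not code from the original post or from the LdapAuthentication extension.
// Validates the $wgLDAP* arrays that LocalSettings.php builds above, one domain at a time.
// checkLdapSettings() is a hypothetical helper; the 'badAD' domain below is constructed.

function checkLdapSettings( array $domains, array $servers, array $encryption,
                            array $baseDns, array $searchStrings, array $searchAttrs ) {
    $problems = array();
    foreach ( $domains as $domain ) {
        // Every domain listed in $wgLDAPDomainNames needs an entry in each per-domain map.
        $required = array( 'server name' => $servers, 'encryption type' => $encryption,
                           'base DN' => $baseDns, 'search attribute' => $searchAttrs );
        foreach ( $required as $what => $map ) {
            if ( empty( $map[$domain] ) ) {
                $problems[] = "$domain: no $what configured";
            }
        }
        // The extension accepts 'ssl', 'tls' or 'clear'; 'clear' sends the bind password in plaintext.
        if ( isset( $encryption[$domain] ) && !in_array( $encryption[$domain], array( 'ssl', 'tls' ), true ) ) {
            $problems[] = "$domain: encryption type '{$encryption[$domain]}' is not ssl or tls";
        }
        // The search string is the bind template; USER-NAME is the placeholder the extension fills in.
        if ( isset( $searchStrings[$domain] ) && strpos( $searchStrings[$domain], 'USER-NAME' ) === false ) {
            $problems[] = "$domain: search string lacks the USER-NAME placeholder";
        }
        // An AD base DN always carries the domain's dc= components.
        if ( isset( $baseDns[$domain] ) && stripos( $baseDns[$domain], 'dc=' ) === false ) {
            $problems[] = "$domain: base DN '{$baseDns[$domain]}' has no dc= component";
        }
    }
    return $problems;
}

// Constructed input: the post's testAD settings plus a deliberately misconfigured second domain.
$problems = checkLdapSettings(
    array( 'testAD', 'badAD' ),
    array( 'testAD' => 'dc01.testAD.org', 'badAD' => 'dc02.badAD.org' ),
    array( 'testAD' => 'ssl', 'badAD' => 'clear' ),
    array( 'testAD' => 'dc=testAD,dc=org', 'badAD' => 'ou=users' ),
    array( 'testAD' => 'testAD\\USER-NAME', 'badAD' => 'badAD\\cn' ),
    array( 'testAD' => 'sAMAccountName' )
);
if ( $problems ) {
    // In a real LocalSettings.php, die() here so the wiki refuses to start misconfigured.
    echo "LDAP configuration problems:\n - " . implode( "\n - ", $problems ) . "\n";
} else {
    echo "LDAP settings look sane\n";
}
```

With the constructed input, testAD passes and badAD reports four problems (clear-text encryption, a base DN without dc=, a search string without USER-NAME, and no search attribute).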

Success! Now the full name and email address appear in Special:Preferences after a user successfully logs in. Finally I can have closure.

Or not. Apparently this works for domain users who had already logged onto the wiki prior to the update, but not for accounts created afterwards. Those users get an Internal Error page with a password-change-forbidden message. Luckily, some intrepid techies had found a solution and posted it (albeit cryptically) on the LdapAuthentication discussion page. If you have version 1.1d you only need to make changes to SpecialUserLogin.php in the includes directory.

Since I don't have access to the patch utility on Windows, I had to update the file by hand. To do that, make a backup first. Open SpecialUserLogin.php and find the function initUser (lines 309 to 323). Replace the entire function with the following code.

function initUser( $u ) {
    global $wgAuth;

    $u->addToDatabase();

    // Only store a local password when the auth plugin permits it;
    // with LDAP the password lives in the directory, not in the wiki.
    if ( $wgAuth->allowPasswordChange() ) {
        $u->setPassword( $this->mPassword );
    }

    $u->setEmail( $this->mEmail );
    $u->setRealName( $this->mRealName );
    $u->setToken();

    $wgAuth->initUser( $u );

    $u->setOption( 'rememberpassword', $this->mRemember ? 1 : 0 );
    $u->saveSettings();

    return $u;
}

Success? So far. I created a new domain account and then used it to log on to the intranet. No Internal Error, so I assume everything is kosher now. I'll keep you posted.

13 thoughts on "Configuring WikiMedia for an Active Directory based intranet – Part 3"

  1. Ankit Madan

    Hi Eric..
    Thanks a ton for your posts.. guided me through rough waters.. just a final step left.
    I'm getting this error after clicking login:
    start-tls]: Unable to start TLS: Server is unavailable in C:\xampp\htdocs\mediawiki\includes\LdapAuthentication.php on line 165
    though I'm able to ping the LDAP server through the command prompt.
    Also, how do I get the contents block on the top of every page?

  2. byuk

    Is domain authentication possible using LAMP?
    I don't have the possibility to install the wiki on IIS/Windows; however, I am using MS Active Directory.
    I tried your config and logging in fails.
    Any help please?

  3. Another commenter finally helped me figure out how to automatically pull the user's name and email for the preferences page. It seems that the syntax should be:
    $wgLDAPRetrievePrefs = array( "something.org"=>"true" );
    That worked wonderfully.

  4. Max Power

    This helps a lot, thanks!
    Now, since we are using LDAP, and already have a known good email, any way to get rid of the “confirm email” additional step to receive watch notifications and the like? I would like to assume each new user to our wiki has a valid email.


  6. Shiva Gopalakrishnan

    Hey, fantastic post!!! It helped me solve the LDAP login issue.
    Now, I am a bit greedy. Have you or anyone attempted Single Sign-On with MediaWiki?

  7. Anastas S

    Thanks a lot.. the post is extremely helpful.
    After 5 hours f@%*!g with it I was able to make it work on CentOS 5.1 Linux. Thanks to your post.
    The only thing I was unable to do is SSL encryption.
    I'm using the latest version of LdapAuthentication.php (v1.2a), but SSL is not working…
    too tired to continue working on it though..
    …must sleep..
    X(

  8. Gene

    Editing the SpecialUserlogin.php file according to your instructions was the answer to roughly 8 hours of searching. Thank you for the help!


  9. Thanks a lot. It's a great feature. But how can I configure it for all users?
    $wgLDAPSearchStrings = array( "myDomain"=>"myDomain\\USER-NAME" );
    $wgLDAPSearchStrings = array( "myDomain"=>"myDomain\\cn" );

  10. Geir Amundsen

    Thank God it's Friday 🙂 It's Monday actually. Thank God for Google and thank God for Eric 🙂
    Thanks 😉