A while ago, I wrote a post about setting up MediaWiki as an intranet for my non-profit organization. Not wanting to burden people with yet another set of login credentials, I set the wiki to authenticate off of our Active Directory server using the LDAPauthentication extension. At the time (version 1.0 f), the documentation for Windows and AD was spotty and I was glad to add the results of my trials and errors. One thing I was never able to do was have the user prefs (full name and email) pulled from the AD to the wiki user profile.
Since then, the extension has been updated to 1.1d and that feature is more readily available. There are new instructions for configuring an AD server on the Configurations Examples page. To my original code in LocalSettings.php:
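## attempt at authenticating off of Active Directory at dc01.testAD.org
require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "testAD" );
$wgLDAPServerNames = array( "testAD"=>"dc01.testAD.org" );
$wgLDAPUseSSL = true;           # connect to the domain controller over SSL
$wgLDAPUseLocal = false;        # no fallback to the wiki's local user database
$wgLDAPAddLDAPUsers = false;    # the wiki may not create accounts in AD
$wgLDAPUpdateLDAP = false;      # the wiki may not write changes back to AD
$wgLDAPMailPassword = false;    # the wiki does not mail out passwords
$wgLDAPRetrievePrefs = true;    # pull user preferences from the directory
$wgMinimalPasswordLength = 1;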
I added the following:
$wgLDAPSearchStrings = array( "testAD"=>"testAD\\USER-NAME" );
$wgLDAPEncryptionType = array( "testAD"=>"ssl" );
$wgLDAPSearchAttributes = array( "testAD"=>"sAMAccountName" );
$wgLDAPBaseDNs = array( "testAD"=>"dc=testAD,dc=org" );
Success! Now the full name and email address appear in Special:Preferences after a user successfully logs in. Finally I can have closure.
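How the added settings fit together, as an added illustration rather than the extension's own code: the login name is substituted into the search string for the bind, then the entry is looked up under the base DN by sAMAccountName and its attributes are copied into the profile. The helper names, the `displayname`/`mail` attribute choice and the sample entry are assumptions made for this example.

```php
<?php
// Added illustration, not code from LdapAuthentication.php.
// Values mirror the LocalSettings.php entries above; helper names are hypothetical.
$searchString    = 'testAD\\USER-NAME';  // $wgLDAPSearchStrings["testAD"]
$searchAttribute = 'sAMAccountName';     // $wgLDAPSearchAttributes["testAD"]
$baseDN          = 'dc=testAD,dc=org';   // $wgLDAPBaseDNs["testAD"]

// Step 1: the login name replaces USER-NAME to form the bind identity.
function bindName( $searchString, $username ) {
    return str_replace( 'USER-NAME', $username, $searchString );
}

// RFC 4515 escaping, so that * ( ) \ and NUL typed into the login box
// are matched as literal text instead of being read as filter syntax.
function escapeFilterValue( $value ) {
    return preg_replace_callback(
        '/[\\\\*()\x00]/',
        function ( $m ) { return sprintf( '\\%02x', ord( $m[0] ) ); },
        $value
    );
}

// Step 2: after the bind, the user's entry is searched for under the base DN.
function searchFilter( $attribute, $username ) {
    return '(' . $attribute . '=' . escapeFilterValue( $username ) . ')';
}

// Step 3: map the entry to wiki preferences. The array shape is the one
// PHP's ldap_get_entries() returns; the attribute names are assumptions.
function prefsFromEntry( array $entries ) {
    if ( empty( $entries['count'] ) ) {
        return null; // no match: nothing to copy into the profile
    }
    $e = $entries[0];
    return array(
        'realname' => isset( $e['displayname'][0] ) ? $e['displayname'][0] : '',
        'email'    => isset( $e['mail'][0] ) ? $e['mail'][0] : '',
    );
}

// Constructed sample entry (not from a real directory).
$sample = array( 'count' => 1, 0 => array(
    'displayname' => array( 'count' => 1, 0 => 'Jane Doe' ),
    'mail'        => array( 'count' => 1, 0 => 'jdoe@testAD.org' ),
) );

echo bindName( $searchString, 'jdoe' ), "\n";
echo $baseDN, ' ', searchFilter( $searchAttribute, 'j*doe(ops)' ), "\n";
print_r( prefsFromEntry( $sample ) );
```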
Or not. Apparently this works for domain users who have already logged onto the wiki prior to the update, but not those created afterwards. Those users get an Internal Error page with a password-change-forbidden message. Luckily, some intrepid techies had found a solution and posted it (albeit cryptically) on the LDAPAuthentication discussion page. If you have version 1.1d you only need to make changes to the SpecialUserLogin.php in the Includes directory.
Since I don’t have access to the Patch util in Windows, I had to update the file by hand. To do that, make a backup first. Open SpecialUserLogin.php and find the function initUser (lines 309 to 323). Replace the entire function with the following code.
function initUser( $u ) {
    global $wgAuth;

    $u->addToDatabase();

    # only set a local password when the auth plugin allows password changes
    if ( $wgAuth->allowPasswordChange() ) {
        $u->setPassword( $this->mPassword );
    }

    $u->setEmail( $this->mEmail );
    $u->setRealName( $this->mRealName );
    $u->setToken();

    $wgAuth->initUser( $u );

    $u->setOption( 'rememberpassword', $this->mRemember ? 1 : 0 );
    $u->saveSettings();

    return $u;
}
Success? So far. I created a new domain account and then used it to log on to the intranet. No Internal Error, so I assume everything is Kosher now. I’ll keep you posted.