Extension talk:LDAP Authentication/Archive 2

It's over my head, but the authors may be interested in this user's findings:

• http://mail.wikipedia.org/pipermail/mediawiki-l/2005-September/006985.html
• http://mail.wikipedia.org/pipermail/mediawiki-l/2005-September/006997.html

-- Sy / ^(talk) 12:30, 15 September 2005 (UTC)Reply

Ah, good to know. I'm probably not checking the password limit when creating users. This will have to be an outstanding bug for a while. I'm currently evacuated from new orleans, and have no ability to work on the patch.
-- Ryan Lane

This bug is unfortunately in the core code, and not in my plugin. I have submitted a bug (and a patch correcting the problem) into the bugzilla at: http://bugzilla.wikipedia.org/show_bug.cgi?id=4081

--Ryan Lane

Hello All,

I know this isn't a default plugin for MediaWiki, but I am sure that others are using LDAP authentication.

I am using the Ldap plugin on the mediawiki site and I am unable to get nested groups working. I can authenticate when a user is part of a specific group, but when a group is added to the required group it does not work.

Below is my nested groups array in my Localsettings.php file.

$wgLDAPGroupSearchNestedGroups = array( "domain.com"=>true );

I am running mediawiki 1.9.3, php 5.2.0, apache 2.2.3 and Version 1.1c 12/04/2006 of this module.

Can anyone help me out with this?

What can I do to fix this or get further assistance?

Thanks :)

DEBUG:

Entering validDomain
User is using a valid domain.
Setting domain as: domain.com
Entering getCanonicalName
Username isn't empty.
Munged username: User
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://dc2.domain.com ldap://dc4.domain.com
Using TLS
Connected successfully
Entering getSearchString
Doing a proxy or anonymous bind
Entering getUserDN
Doing a proxy bind
Created a regular filter: (sAMAccountName=User)
Using base: dc=domain,dc=com
Fetched username is not a string (check your hook code...).
userdn is: CN=User,OU=Operations&NOC,OU=Domain Staff,DC=domain,DC=com
Binding as the user
Binded successfully
Checking for (new style) group membership
Entering isMemberOfRequiredLdapGroup
Required groups:cn=nca se wiki users,ou=groups,dc=domain,dc=com
Entering getUserGroups
Entering getGroups
Search string: (&(member=CN=User,OU=Operations&NOC,OU=Domain Staff,DC=domain,DC=com)(objectclass=group))
Binding as the proxyagentDN
Returned groups:cn=operations,ou=groups,dc=domain,dc=com,cn=nca all,ou=groups,dc=domain,dc=com,cn=nca vpn users,ou=groups,dc=domain,dc=com,cn=nca altiris,ou=groups,dc=domain,dc=com,cn=systems engineering,ou=groups,dc=domain,dc=com,cn=nca    outage,ou=groups,dc=domain,dc=com,cn=altiris helpdesk workers,ou=groups,dc=domain,dc=com,cn=nc tripwire,ou=groups,dc=domain,dc=com,cn=linuxadmins,ou=groups,dc=domain,dc=com,cn=linuxdns,ou=groups,dc=domain,dc=com,cn=nca gw wiki users,ou=groups,dc=domain,dc=com,cn=nca wiki core users,ou=groups,dc=domain,dc=com
Returned groups:,,,,,,,,,,,
Entering searchNestedGroups
Checking groups:cn=operations,ou=groups,dc=domain,dc=com,cn=nca all,ou=groups,dc=domain,dc=com,cn=nca vpn users,ou=groups,dc=domain,dc=com,cn=nca altiris,ou=groups,dc=domain,dc=com,cn=systems engineering,ou=groups,dc=domain,dc=com,cn=nca    outage,ou=groups,dc=domain,dc=com,cn=altiris helpdesk workers,ou=groups,dc=domain,dc=com,cn=nc tripwire,ou=groups,dc=domain,dc=com,cn=linuxadmins,ou=groups,dc=domain,dc=com,cn=linuxdns,ou=groups,dc=domain,dc=com,cn=nca gw wiki users,ou=groups,dc=domain,dc=com,cn=nca wiki core users,ou=groups,dc=domain,dc=com

Entering getUserGroups
Checking membership for: cn=operations,ou=groups,dc=domain,dc=com
Checking membership for: cn=nca all,ou=groups,dc=domain,dc=com
Checking membership for: cn=nca vpn users,ou=groups,dc=domain,dc=com
Checking membership for: cn=nca altiris,ou=groups,dc=domain,dc=com
Checking membership for: cn=systems engineering,ou=groups,dc=domain,dc=com
Checking membership for: cn=nca    outage,ou=groups,dc=domain,dc=com
Checking membership for: cn=altiris helpdesk workers,ou=groups,dc=domain,dc=com
Checking membership for: cn=nc tripwire,ou=groups,dc=domain,dc=com
Checking membership for: cn=linuxadmins,ou=groups,dc=domain,dc=com
Checking membership for: cn=linuxdns,ou=groups,dc=domain,dc=com
Checking membership for: cn=nca gw wiki users,ou=groups,dc=domain,dc=com
Checking membership for: cn=nca wiki core users,ou=groups,dc=domain,dc=com
(Loops about 5 times or so)

Entering searchNestedGroups
Checking groups:cn=operations,ou=groups,dc=domain,dc=com,cn=nca all,ou=groups,dc=domain,dc=com,cn=nca vpn users,ou=groups,dc=domain,dc=com,cn=nca altiris,ou=groups,dc=domain,dc=com,cn=systems engineering,ou=groups,dc=domain,dc=com,cn=nca    outage,ou=groups,dc=domain,dc=com,cn=altiris helpdesk workers,ou=groups,dc=domain,dc=com,cn=nc tripwire,ou=groups,dc=domain,dc=com,cn=linuxadmins,ou=groups,dc=domain,dc=com,cn=linuxdns,ou=groups,dc=domain,dc=com,cn=nca gw wiki users,ou=groups,dc=domain,dc=com,cn=nca wiki core users,ou=groups,dc=domain,dc=com
(Repeats about 10 times or so)

Entering getUserGroups
Checking membership for: cn=operations,ou=groups,dc=domain,dc=com
Checking membership for: cn=nca all,ou=groups,dc=domain,dc=com
Checking membership for: cn=nca vpn users,ou=groups,dc=domain,dc=com
Checking membership for: cn=nca altiris,ou=groups,dc=domain,dc=com
Checking membership for: cn=systems engineering,ou=groups,dc=domain,dc=com
Checking membership for: cn=nca    outage,ou=groups,dc=domain,dc=com
Checking membership for: cn=altiris helpdesk workers,ou=groups,dc=domain,dc=com
Checking membership for: cn=nc tripwire,ou=groups,dc=domain,dc=com
Checking membership for: cn=linuxadmins,ou=groups,dc=domain,dc=com
Checking membership for: cn=linuxdns,ou=groups,dc=domain,dc=com
Checking membership for: cn=nca gw wiki users,ou=groups,dc=domain,dc=com
Checking membership for: cn=nca wiki core users,ou=groups,dc=domain,dc=com
wiki users,ou=groups,dc=domain,dc=com
Checking membership for: cn=nca wiki core users,ou=groups,dc=domain,dc=com
(Loops 137 times)

Entering searchNestedGroups
Couldn't find user in any nested groups.
Couldn't find the user in any groups (2).
Entering strict.
Returning true in strict().
Entering modifyUITemplate

Configuration

require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPProxyAgent = array( "domain.com"=>"CN=ldapuser,CN=Users,DC=domain,DC=com" );
$wgLDAPSearchAttributes = array( "domain.com"=>"sAMAccountName" );
$wgLDAPProxyAgentPassword = array( "domain.com"=>"password" );
$wgLDAPDomainNames = array( "domain.com" );
$wgLDAPServerNames = array( "domain.com"=>"dc2.domain.com dc3.domain.com"  );
$wgLDAPUseLocal = false;
$wgLDAPAddLDAPUsers = false;
$wgLDAPUpdateLDAP = false;
$wgLDAPMailPassword = false;
$wgLDAPRetrievePrefs = true;
$wgMinimalPasswordLength = 1;
$wgLDAPGroupLowerCaseUsername = false;
$wgLDAPRequiredGroups = array( "domain.com"=>array("cn=nca se wiki users,ou=groups,dc=domain,dc=com") );
$wgLDAPGroupUseFullDN = array( "domain.com"=>true );
$wgLDAPGroupObjectclass = array( "domain.com"=>"group" );
$wgLDAPGroupAttribute = array( "domain.com"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "domain.com"=>true );
$wgLDAPBaseDNs = array( "ncaustin.com"=>"dc=domain,dc=com" );
$wgLDAPDebug = 4; //for debugging LDAP
$wgShowExceptionDetails = true;  //for debugging MediaWiki
$wgLDAPEncryptionType = array("domain.com"=>"tls");

The group "systems engineering" is a member of nca se wiki users. But I still can't login... I hope this is enough information.

This looks like it may be a bug. The part about "Returned groups" looks completely wrong. It shows the same group a bunch of times. All the looping is pretty strange too. Can you post your configuration with sensitive stuff snipped out?
--Ryan lane 13:30, 27 March 2007 (UTC)Reply

Was this issue ever resolved? I am having the same problem. The only difference is I am doing a straight bind. Any ideas? Thanks.

I just noticed that "$wgLDAPGroupNameAttribute" isn't defined here... it should be defined as $wgLDAPGroupNameAttribute = array ("domain.com"=>"cn");
--Ryan lane 22:48, 30 June 2007 (UTC)Reply

I still can't get it to work. Same errors. Just to clarify, should that be $wgLDAPGroupNameAttribute = array ("domain.com"=>"cn"); or should I substitute cn for my master group name that contains the nested groups that need to be searched? I tried it both ways, but I wanted to make sure my syntax was right. MIS is the master group that contains a bunch of other nested groups. So here is what I used with all the sensitive information removed.

require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "domain.com" );
$wgLDAPServerNames = array( "domain.com"=>"server1.domain.com server2.domain.com"  );
$wgLDAPSearchStrings = array( "domain.com"=>"USER-NAME@domain.com"  );
$wgLDAPEncryptionType = array( "domain.com"=>"clear" );
$wgLDAPUseLocal = true;
$wgMinimalPasswordLength = 1;

# Disable anonymous editing
$wgGroupPermissions['*']['edit'] = false;

# Anonymous users can't create pages
$wgGroupPermissions['*']['createpage'] = false;

# Disable reading by anonymous users
$wgGroupPermissions['*']['read'] = false;

$wgStrictFileExtensions = false;
$wgCheckFileExtensions = false;
$wgMimeDetectorCommand= "file -bi";
require_once("extensions/SpecialPdf.php");

#DNs in $wgLDAPRequiredGroups must be lowercase, as search result attribute values are...
#$wgLDAPRequiredGroups = array( "domain.com"=>array("cn=mis-tech-2,ou=groups,ou=administrators,dc=domain,dc=com", "cn=mis-tech-1,ou=groups,ou=administrators,dc=domain,dc=com") );
$wgLDAPRequiredGroups = array( "domain.com"=>array("cn=mis,ou=groups,ou=site1,ou=sites,dc=domain,dc=com") );
$wgLDAPGroupUseFullDN = array( "domain.com"=>true );
$wgLDAPGroupObjectclass = array( "domain.com"=>"group" );
$wgLDAPGroupAttribute = array( "domain.com"=>"member" );
#$wgLDAPGroupSearchNestedGroups = array( "domain.com"=>false );
$wgLDAPGroupSearchNestedGroups = array( "domain.com"=>true );
$wgLDAPBaseDNs = array( "domain.com"=>"ou=administrators,dc=domain,dc=com" );
#$wgLDAPBaseDNs = array( "domain.com"=>"ou=groups,ou=administrators,dc=domain,dc=com" );
$wgLDAPSearchAttributes = array( "domain.com"=>"sAMAccountName" );
$wgLDAPGroupNameAttribute = array( "domain.com"=>"mis" );

$wgLDAPDebug = 3;

It should be this exactly (copy, paste):

$wgLDAPGroupNameAttribute = array( "domain.com"=>"cn" );

Once you make this change and authenticate, you should notice this line

Returned groups:,,,,,,,,,,,

Change to

Returned groups:mis-tech-2,mis-tech-1,etc

Basically, it will return the actual groups instead of ,,,,,,,,,. Once it returns the groups, does the Nested Groups work? It's still not working for me. I'm going to make a post to the mailing list. 2007-07-02

I made the change and it did return the proper groups instead of just the commas, but the login still isn't working.

In my case, I can log in if the user is in one of the $wgLDAPRequiredGroups, however, I CANNOT log in when my user is in a group, that is in one of the $wgLDAPRequiredGroups (ie, Nested). In the case of a nested group, I get what you are getting, my debug log shows massive looping when "Entering searchNestedGroups" and "Entering getUserGroups". I'm assuming this has something to do with our GroupNameAttribute, but my PHP is limited. Here is my post to the mailing list. I haven't received a reply yet:mailarchive:mediawiki-l/2007-July/021463.html

Ignore the last thing I wrote (now erased). I'm reading my own function very poorly :) (stupid recursion). $wgLDAPGroupNameAttribute should definately be set as "cn", as that seems to be the naming attribute of your group. The massive looping may be a bug, as I've noticed it happening to a few people. It also may just be poor debug logging on my part. I'm going to change around the logging some to be less spammy, and more informative. Hopefully it'll help us track this problem down.
--Ryan lane 19:55, 6 July 2007 (UTC)Reply

Ryan, If you need help recreating the error, or testing, I'm available M-F 9-6 PST. You can get my email from the postmailarchive:mediawiki-l/2007-July/021463.html Same here. I can help test too. This is a big issue for me in getting this implemented. GT4NE1 at gmail dot com Thanks

Nested groups works fine for me, but...

I use LDAP auth extension to authenticate against AD with quite complicated structure with global groups consisting local groups. Users are members of "departmental" groups, that belong to local level, only. So effectively there is 3 level structure, with users in bottom level groups. When I specify "top level" groups as required ($wgLDAPRequiredGroups) then authentication process takes up to 1min, sometimes even longer. (BTW it is possible to have more then one group in $wgLDAPRequiredGroups array).

So my point is - would it be possible to have some caching for LDAP queries, as vast number of queries performed in authentication process are for groups resolving.

Thanks, Pawel

Fixed in SVN (1.1f) edit

I believe I've fixed the problem. I had some caching issues on searches, that speed up group searching/syncing, but completely clobbered nested group searching. I modified the caching stuff to take into account nested group searching; everything should be working now. Please test this out, and let me know.
--Ryan lane 13:21, 20 August 2007 (UTC)Reply

Tested in a 3-level nested group, works perfectly. Thanks a lot! --Guillaume Moutier 19:32, 30 August 2007 (UTC)Reply

Confirmed working in 1.1g (alpha). Great work Ryan! Thanks!

I setup MediaWiki 1.9.3 and LdapAuthentication.php but got errors about "password-change-forbidden" when logging in as a user in LDAP but not yet in the MW DB. I found that this bug is already fixed in mediawiki svn, just not yet in a released version. If you encounter this, apply this small change:

http://svn.wikimedia.org/viewvc/mediawiki/trunk/phase3/includes/SpecialUserlogin.php?r1=20158&r2=20300

--Mindless 15:58, 30 March 2007 (UTC)Reply

We're running a multi-domain AD environment, and I'm hoping this LDAP extension will make mediawiki "intergratable" into our environment.

So I've set up the ability for our users to login from the different domains, including myself as "dom1/user1". However, now I've logged in, I notice my mediawiki "account" is actually "user1" - ie the "dom1" has disappeared.

Well, we definitely have many instances of username "clashes" - eg there's a "dom3/user1". Won't that mean "dom3/user1" logging in will end up in my mediawiki profile?

Owch :-(

Update: I just had a thought. As slashes of all description are bad as username chars, perhaps getting the AD-retrieved email address to become the mediawiki account name would be the best workaround? e.g. dom1/user1 logs in, and finds themselves in a mediawiki account profile named "user@email.address" instead of the non-unique "user1"?

Email addresses likely won't work as the @ symbol is illegal in user names. Maybe I'll try to work some domain conflict resolution stuff into the next version.
--Ryan lane 14:22, 28 October 2008 (UTC)Reply

How about just DOM "-" USERNAME (eg dom-jhaar). Your "conflict resolution" comment implies you think it should remain "username" unless a clash occurs? I think that would be unwise - specifically as it leads to inconsistancy. What about defaulting to "dom-username", and having (new variable) "$wgLDAPIgnoreDomainInAccountName=1" as the default. That would then allow a new release to by default act like old releases, but would enable users like me to set to zero and enable the multi-domain account support?
--Jason Haar 10:30, 30 October 2008 (NZDT)

When I said conflict resolution, I meant adding something like user@domain or DOMAIN\user. I can't promise anything soon. I'm not really a big fan of dom-user; something more common would be nice. I'll take patches to fix this, but it would probably be a good idea to run the ideas through me before coding them up.
--Ryan lane 22:38, 3 November 2008 (UTC)Reply

I've already looked at user@domain - but the interwiki code appears to misinterpret that? It sort of works - but if you try to change wiki group membership using such accounts, it fails. The backslash would be most "Windows-like" - but as an escape char, it might be misinterpreted by all sorts of things? The forward slash is likewise not a usable choice - which is why I was suggesting lame things like hyphens
--Jason Haar 19:44, 6 November 2008 (NZDT)

I have the same problem right now and I was wondering why the Hook "SetUsernameAttributeFromLDAP" is only used for Auto login. You could use this to build your own unique usernames. --02:22, 22 June 2009 (UTC)

That hook isn't just used for auto-login; it just happens to be documented under that section. You can use it for regular log-in too. See my blog post that uses it to make semi-anonymous user names.
--Ryan lane 21:07, 25 June 2009 (UTC)Reply

In fact, I just moved that into its own section, to clarify that.
--Ryan lane 21:12, 25 June 2009 (UTC)Reply

Hi I've got the Problem that users with underlines in their usernames can't login. Read in another article that I have to change

$this->mTextform = str_replace( '_', ' ', $dbkey );

to

$this->mTextform = str_replace( '_', '_', $dbkey );

int the Title.php. But this didn't make any difference. The Login still doesn't work with users withe underlines in their loginnames. Is there anybody who can help me? ..Thanks...

I honestly don't know how to fix this. The username is passed to the plugin after it is munged by MediaWiki. I'm sure there is somewhere I can hack the core code to fix this, but I haven't looked around for it yet.
--Ryan lane 22:50, 30 June 2007 (UTC)Reply

I had the same problem and fixed it with a small edit in the plugin. I added a line at the beginning of the function "getSearchString"

$username = str_replace(' ','_',$username);

This replaces the space with an underscore when it creates the user username that is sent to the LDAP server. As far as MediaWiki is concerned it will still use the space in the name.
--JoeD July 7th 2007

you might also have to do the same str_replace in the function "authenticate".--80.179.206.193 16:47, 23 April 2009 (UTC)Reply

Ok, so i've setup the wiki before the weekend, and it was working all just fine with LDAP-authentication. Now on monday, when logging in with a user that already exists in the database it comes up with the following Internal server error:

Database error
A database query syntax error has occurred. This may indicate a bug in the software. The last attempted database query was: (SQL query hidden)
from within function "User::addToDatabase". MySQL returned error "1062: Duplicate entry 'ldap-username' for key 2 (localhost)".

Where ldap-username is ofcourse the ldap-user. When I delete the ldap-user from the database, logging in works just fine, but after logging out and in again it comes up with the same error message. It's strange because nothing has changed on the server over the weekend as logging on and off was just working fine last week. With debugging on the authentication has passed. Somehow it is trying to add the user again, while instead it has to update it if I am correct? Anybody got any ideas? -Martin

BTW, I am using the following setup: MediaWiki: 1.9.3, PHP: 5.2.1, MySQL: 5.0.37, LDAP plugin 1.1d. -Martin

Ok, so I fixed the problem, by making a dump and dropping the database. After this importing the database fixed the problem. Somehow there is some caching issue here, but I cannot seem to know which. Also I didn't use database caching upon installation. Maybe this helps somebody out or maybe Ryan can take a look at it in furter development. -Martin

Did you mess around with your database manually? I don't remember any entry called ldap-username... The plugin doesn't ever touch the database directly.
--Ryan lane 21:34, 1 May 2007 (UTC)Reply

Has anyone had any experience getting pywikipediabot to work with LDAP? I tried it and it seems to not work because it can't successfully select the domain name. Any thoughts?

HotMonkeyAC 18:25, 27 April 2007 (UTC)Reply

See: Extension talk:LDAP Authentication#CMS::MediaWiki Breaks. This is a similar issue. the domain stuff is a valid part of the software, and bot frameworks should be providing that info on login. The pywikipediabot developer needs to fix that.
--Ryan lane 20:10, 27 April 2007 (UTC)Reply

one possible fix is to add the line

"wpDomain": self.domain,

to the predata array under def getCookie in login.py

you'll have to set self.domain somewhere else. mine is hardcoded in login.py as

self.domain = 'mydomain'

but this is very nasty. it should be set somewhere else like mywiki_family.py

let me know if this works for you

Jono Brooker 13:27, 20 June 2007 (UTC)Reply

Jono, that worked perfectly. Thank you!!! -HotMonkeyAC 14:48, 26 June 2007 (UTC)Reply

I logged a pywikipedia ticket about this. -maiden_taiwan, 09 May 2008

The problem is now fixed in the pywikipedia software. Maiden taiwan 14:25, 29 May 2008 (UTC)Reply

Hi! I've got a strange problem. I've read a lot, but couldn't find anything, that was helping me. The LDAP-Authentication works well (after some starting troubles) ... when a user logs in, then the user is created in the wiki-database as well, that's good.

1. But is there a way, to import ALL LDAP users to the wiki? Thus, I can see on the userlist site in the wiki all LDAP users, which are able to log in, even those who haven't been logged in yet? Maybe there is a way in combination with another extension?

2. And is there a way, to automatically import the basic LDAP data of a user to his usersite, like Realname and email? Therefore the usersites of the users, who haven't logged in yet, wouldn't be that empty.

I already thought about writing a php script, which inserts the users in die usertable in the wiki DB ... but I'm afraid of destroying the consistency of the DB.

I hope you can give me some hints to achieve that.

thanks -- widi

Unfortunately, that is probably the only way to do it. If you really want to do this, I'd right a php script that uses MediaWiki to add the users, don't manually mess with the database. The SSL auto-authentication hook is probably a good starting ground for figuring out how to do it; you can ignore everything except for the part that actually creates the users.
--Ryan lane 22:44, 30 June 2007 (UTC)Reply

Hi, is there a way to create an account for each user in the ldap annuary now ? Maybe a solution has been designed since june 2007... Thanks --Teriblus 11:10, 13 May 2008 (UTC)Reply

I don't think I understand your question...
--Ryan lane 21:20, 13 May 2008 (UTC)Reply

Oops sorry, I'm french. I would like to create a MediaWiki account for all registered users in LDAP including those wich have never been logged in on the wiki. Is it better now ?.. Thanks --Teriblus 10:30, 14 May 2008 (UTC)Reply

I don't plan on supporting this any time soon. This would require things like scheduled tasks (cron, windows task scheduler, etc), as you'd have to keep it up to date. Also, it would require the deletion (or renaming) of accounts, and the renaming of accounts when they have been modified in LDAP. This isn't exactly an easy feat, and it doesn't really add much as far as I can tell.
--Ryan lane 21:49, 19 May 2008 (UTC)Reply

Too long. 202.54.176.51 10:14, 7 May 2007 (UTC)Reply

Is this better? Enjoy
--Ryan lane 03:55, 13 May 2007 (UTC)Reply

Everything works great for me except the preference pulling, i think (via the $wgLDAPdebug option) i have narrowed it down to it doesn't pull preferences. i have the following line at the end of the LDAP options in localsettings.php:

$wgLDAPRetrievePrefs = true;

but for some reason this is still returning false:

#if ( isset($wgLDAPRetrievePrefs[$_SESSION['wsDomain']]) && $wgLDAPRetrievePrefs[$_SESSION['wsDomain']] ) {
	$this->printDebug("Retrieving preferences",1);

	$entry = @ldap_read($ldapconn, $userdn, "objectclass=*");
	$info = @ldap_get_entries($ldapconn, $entry);
	$this->email = $info[0]["mail"][0];
	$this->lang = $info[0]["preferredlanguage"][0];
	$this->nickname = $info[0]["displayname"][0];
	$this->realname = $info[0]["cn"][0];

	$this->printDebug("Retrieved: $this->email, $this->lang, $this->nickname, $this->realname",2);
#}

I'm not very patient so after posting this i continued to try to fix it. i found that this was also returning false:

 	#if ( isset($wgLDAPRetrievePrefs[$_SESSION['wsDomain']]) && $wgLDAPRetrievePrefs[$_SESSION['wsDomain']] ) {
 		$this->printDebug("Setting user preferences.",1);
 
 		if ('' != $this->lang) {
 			$user->setOption('language',$this->lang);
 		}
 		if ('' != $this->nickname) {
 			$user->setOption('nickname',$this->nickname);
 		}
 		if ('' != $this->realname) {
 			$user->setRealName($this->realname);
 		}
 		if ('' != $this->email) {
 			$user->setEmail($this->email);
 		}
  		$saveSettings = true;
 	#}

i commented out the check blocks and preferences are reported as pulled and after my second edit, they are being populated in wiki, tho preferred language is coming back empty as such:

Retrieved: eberlec@<domain>.com, , Christopher Eberle, Christopher Eberle

Setup is mediawiki 1.9.3, IIS6, mysql 4.1, PHP 5.2.2, windows 2003 standard I have changed the specialuserlogin.php as suggested and here are the settigns from my localsettings.php (incase you need them):

###Create IT User group
$wgGroupPermissions['ITUser']['read'] = true;
$wgGroupPermissions['ITUser']['edit'] = true;
$wgGroupPermissions['ITUser']['createpage'] = true;
$wgGroupPermissions['ITUser']['createtalk'] = true;
$wgGroupPermissions['ITUser']['upload'] = true;

###Only logged in ITUsers can edit
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['user']['edit'] = false;

###Nobody is allowed to create accounts
$wgGroupPermissions['*']['createaccount'] = false;

###Define pages people not logged in can see
$wgWhitelistRead = array( "Main Page", "Special:Userlogin", "Special:Userlogout", "-", "MediaWiki:Monobook.css" );
$wgGroupPermissions['*']['read']= false;
$wgGroupPermissions['user']['read']=false;
$wgShowIPinHeader = false;

##############################
##LDAP Auth Integration info##
##############################
##These lines should work in conjunction with ldapauthentication.php in the includes dir.

###Setup for LDAP Auth
require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array("<domain>","<domain>");
$wgLDAPServerNames = array("<domain>"=>"naddc1.<domain>.com");
$wgLDAPSearchStrings = array("<domain>"=>"<domain>\\USER-NAME");
$wgLDAPEncryptionType = array("<domain>"=>"clear");
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 7;
$wgLDAPRetrievePrefs = true;
$wgLDAPDebug=4;

$wgLDAPBaseDNs = array( "<domain>"=>"dc=<domain>,dc=com" );
$wgLDAPSearchAttributes = array( "<domain>"=>"sAMAccountName" ); 

$wgShowExceptionDetails = true;
$wgLogo = "http://mercury/ITWiki/images/c/c9/Logo.png" 

And here is my output:

Entering validDomain
User is using a valid domain.
Setting domain as: <domain>
Entering getCanonicalName
Username isn't empty.
Munged username: Eberlec
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://naddc1.<domain>.com
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: <domain>\Eberlec
Binding as the user
Binded successfully
Entering getUserDN
Created a regular filter: (sAMAccountName=Eberlec)
Using base: dc=<domain>,dc=com
Fetched username is not a string (check your hook code...).
Pulled the user's DN: CN=Christopher Eberle,OU=Local Admins,OU=Groups,OU=NAA,DC=<domain>,DC=com
Retrieving preferences
Retrieved: eberlec@<domain>.com, , Christopher Eberle, Christopher Eberle
Authentication passed
Entering updateUser

(What is the deal with the "Fetched username is not a string"? Seems to be in everyones debug...)

Any help would be appreciated (after the second edit, apparently its just the checks for the variable $wgLDAPRetrievePrefs isn't being read or stored properly. Commenting out the "if" checks makes the whole thing work perfect. Any idea why the if checks aren't working?). eberlec at nicholsal (ignore this parented part) dot com

/me pokes you in the - you are using the wrong syntax for this option, and the option is documented at Extension:LDAP_Authentication#Options_for_using_LDAP_as_a_user_backend. This option, like most options, are defined on a per domain basis. A good way to ensure your options are correct is to never use external documentation for how to configure this plugin. External documentation almost always seems to be completely incorrect. Usually the external docs were written for an older version of the plugin. Options have changed since then.

BTW, the "Fetched username is not a string" part is something most people don't configure. It isn't a bug; I guess I should make the message a little clearer.
--Ryan lane 03:35, 13 May 2007 (UTC)Reply

I'm tackling LDAP authentication for the first time. I've managed to connect and authenticate, logging in with my LDAP username. Ideally, I'd like to login to an account named after LDAP real name, eg. having authenticated with username "johns", the registered account name is "John Smith" instead of "johns". Is this possible? I'm using the following configuration fragment (version 1.1d).

require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "<domain>" );
$wgLDAPServerNames = array( "<domain>"=>"<domain1> <domain2>"  );
$wgLDAPSearchAttributes = array( "<domain>"=>"uid" );
$wgLDAPBaseDNs = array( "<domain>"=>"o=Gla" );
$wgLDAPEncryptionType = array( "<domain>"=>"false" );
$wgLDAPDebug = 7;
$wgMinimalPasswordLength = 1;

Well, if you have an attribute in LDAP that is the same as the real name, then yes, it is possible. For instance, if the entry's cn value is "John Smith", you can change:

$wgLDAPSearchAttributes = array( "<domain>"=>"uid" );

to:

$wgLDAPSearchAttributes = array( "<domain>"=>"cn" );

This way, the user can log in with "John Smith" instead of "johns". Also, btw, if you don't want to use encryption, set:

$wgLDAPEncryptionType = array( "<domain>"=>"false" );

to:

$wgLDAPEncryptionType = array( "<domain>"=>"clear" );

The plugin defaults to TLS encryption if the setting isn't defined, or if it is set to an incorrect value (for protection purposes). However, if this is working for you, set that to "tls", or remove the entry, since TLS is much better than clear.
--Ryan lane 22:41, 30 June 2007 (UTC)Reply

But in this case, username will look like "John smith" instead of "John Smith" which is not correct. And the main idea was to let users use their login name everywhere, and in a wiki too. There is a hook that calls for a function that extracts user name. Why can't extracted name be used as wiki user? That would be perfect.

81.211.109.234 09:57, 4 November 2008 (UTC)Reply

You should be able to use that hook for this purpose. Take smartcard authentication for instance. I may get "RYAN.LANE.098080980980" as the CN from the card, but the plugin does a lookup on this user, and via the hooks sets the username as "rlane". My username in the wiki at that point in time is "rlane". I think the hook could be used for your purpose too. Don't forget though, that usernames in the wiki need to be unique. By changing a unique name into a non-unique name, you could cause yourself some serious issues.
--Ryan lane 22:08, 18 February 2009 (UTC)Reply

Enterprise LDAP Solution edit

So the basic concept of this plugin is tops! The only issue is that I am using it in an enterprise environment. Users have IDs like 986438, not jsmith.

Seeing attributions like '986438' are useless. I needed to see real names, while allowing login under usernames.

In addition we needed to restrict edit rights to certain groups within the enterprise, and allow sysops and bureaucrat roles to be pulled form LDAP.

My solution was two fold. First off I pull memberOf details from LDAP to determine rights, secondly I pull tons of more info like department, real name, title, phone extension and mailstop. I use all this additional info to populate the user info page on login. This means we can click 986438 and see

John Smith
Title: Software Engineer
Department: ID Services
Email: j.smith@company.com
Phone: 1-555-555-5555
Mailstop: 3n-a

which makes the sysop's role a lot easier to determine if deletes or edits should be respected.

Anyway I was wondering how many people would be interested in this solution. It requires a good deal of edits in the LDAPAuthentication.php file as well as some additional fields in LocalSettings.php

If there is a demand I'll share.

You may want to look at Extension_talk:LDAP_Authentication#ldapinfo. It violates the GPL; however, it pulls information from LDAP using the hcard microformat. You may want to put that into your user's page instead. I may modify this plugin, and add it to MediaWiki's SVN (and make it GPL compliant while I'm at it).
--Ryan lane 22:18, 18 February 2009 (UTC)Reply

Could you share this enterprise solution? I am being asked to do this exact thing and don't really know where to start, I can't seem to get that ldapinfo plugin to work, it just says "LDAP user "*****" not found" --62.172.72.131 10:58, 12 March 2009 (UTC)Reply

LDAP info isn't my plugin, so I can't help you with it.
--Ryan lane 14:54, 20 May 2009 (UTC)Reply

I try to use LDAPAuth for MediaWiki 1.10... it works with

  $wgLDAPEncryptionType = array("D Name"=>"clear");

but not with

  $wgLDAPEncryptionType = array("D Name"=>"ssl");

I get Failed to bind as xxusernamexx when I use ssl... - any idea?

Ok - it works fine ;) I forgot the LDAP-Cert :-/
-- 07:57, 24 May 2007

I am using LDAPAuth and MediaWiki 1.10 and am still having issues when I have $wgLDAPEncryptionType = array("D Name"=>"ssl");

I have the LDAP-cert imported and working as far as I see. Here is an example of my config

require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "test" );
$wgLDAPServerNames = array( "test"=>"ad.test.lan" );
$wgLDAPEncryptionType = array ( "test"=>"ssl" );
$wgLDAPSearchAttributes = array ("test"=>"sAMAccountName" );
$wgLDAPBaseDNs = array ("test"=>"dc=test,dc=lan" );
$wgLDAPSearchStrings = array ("test"=>"TEST\\USER-NAME" );
$wgLDAPProxyAgent = array ("test"=>"cn=user,ou=test,dc=asynchrony,dc=lan" );
$wgLDAPProxyAgentPassword = array ("test"=>"password" );
$wgLDAPRetrievePrefs = array( "test"=>"true" );
$wgMinimalPasswordLength = 1;
$wgLDAPDebug = 3;

I get Binding as the user and than Failed to bind as username. If I don't use ssl everything works fine......HELP!
-- 27 Aug 2007

Are you sure SSL is enabled on your AD server? Does your web server trust the AD server's CA? Does the fully qualified hostname of the AD server match the CN on the certificate? Try using TLS instead of SSL, it should die in the connect() method instead of the authenticate() method. To see the error messages coming from the LDAP calls, remove the "@" character from before the function calls; the errors should show up in your web server or php error logs.

I recommend testing using a command like:

ldapsearch -Z -x -D "username@DOMAIN" -W -b "dc=YOUR,dc=DOMAIN" -H ldap://ad.test.lan (sAMAccountname=*)

(notice that -Z tells the command to use startTLS, if you want to try it using ldaps, remove the -Z, and change ldap://ad.test.lan to ldaps://ad.test.lan)
--Ryan lane 00:33, 28 August 2007 (UTC)Reply

With the latest version on MW 1.10 getting the following PHP warnings:
[Mon May 28 21:59:59 2007] [error] [client ...] PHP Notice: Undefined index: wsDomain in ..../extensions/LdapAuthentication/LdapAuthentication.php on line 669, referer: http://.../w/Special:Preferences
[Mon May 28 21:59:59 2007] [error] [client ...] PHP Notice: Undefined index: wsDomain in .../extensions/LdapAuthentication/LdapAuthentication.php on line 673, referer: http://.../w/Special:Preferences
[Mon May 28 21:59:59 2007] [error] [client ...] PHP Notice: Undefined index: wsDomain in .../extensions/LdapAuthentication/LdapAuthentication.php on line 677, referer: http://.../w/Special:Preferences
This comes from a failure to check for isset($_SESSION['wsdomain']) in the relevant code (3 spots I've found).

I just finished setting up LdapAuthentication.php version 1.1e with MediaWiki 1.93. After getting the login to work with TLS & SSL to work and the debug info turned on, I see these warnings after successful login:

...

Notice: Undefined index: mail in /var/www/wiki/mediawiki-1.9.3/extensions/LdapAuthentication.php on line 354
Notice: Undefined index: preferredlanguage in /var/www/wiki/mediawiki-1.9.3/extensions/LdapAuthentication.php on line 355
Notice: Undefined index: displayname in /var/www/wiki/mediawiki-1.9.3/extensions/LdapAuthentication.php on line 356
Notice: Undefined index: cn in /var/www/wiki/mediawiki-1.9.3/extensions/LdapAuthentication.php on line 357
Retrieved: , , ,

...

Lines 354-357 contain:

                                $this->email = $info[0]["mail"][0];
                                $this->lang = $info[0]["preferredlanguage"][0];
                                $this->nickname = $info[0]["displayname"][0];
                                $this->realname = $info[0]["cn"][0];

The warnings go away if I remove the setting for $wgLDAPRetrievePrefs.

This should be fixed in 1.1f (currently in SVN, but stable)
--Ryan lane 13:18, 20 August 2007 (UTC)Reply

I needed a real Group Sync to get the LDAP Extension work with the "Group_Based_Access_Control" Extension. I wrote this method and add it to the Class. I call in in the "authenticate" method. It does a real syncronize between AD Group Membership and the Wiki UserGroups. (Note: The Group Name size is limited by wiki database)

04.06.07 by Punisher: E-Mail

  function syncGroups($username){
            $aLDAPGroups = $this->userLDAPGroups;
	    $userID = User::idFromName($username);

	    if(($userID == 0)||(count($aLDAPGroups)== 0))
		return;
		
            $u = User::newFromName($username);
            $aOldGroups = $u->getGroups();

            // Adding new Groups
            for($i=0;$i<count($aLDAPGroups);$i++){
                if(!in_array($aLDAPGroups[$i],$aOldGroups))
		    $u->addGroup($aLDAPGroups[$i]);
            }
	    
            // Remove old Groups
	    for($i=0;$i<count($aOldGroups);$i++){
	       if(($aOldGroups[$i] != 'bot')&&($aOldGroups[$i] != 'bureaucrat')&&($aOldGroups[$i] != 'sysop')){
	           if(!in_array($aOldGroups[$i],$aLDAPGroups))
		      $u->removeGroup($aOldGroups[$i]);
	       }
            }
	    $u->saveSettings();
            return;
	}

Huh? I've tested the plugin against active directory, and it seems to sync groups just fine. Is there something specific not working in the plugin?
--Ryan lane 22:32, 30 June 2007 (UTC)Reply

I actually found a bug in group sync, thanks to bug reports from other users. You may want to try this again.
--Ryan lane 13:17, 20 August 2007 (UTC)Reply

Thanks for this code, works great! I simply added it at the start after the variable initializations, and then called it with:

// LDAP Group Synchronization
	$this->syncGroups($username);

just before the "//Retrieve preferences" line. Syncs our LDAP<->Wiki groups perfectly.
--Andrew Hodder 17:28, 19 February 2008 (UTC)Reply

My WikiSysop user account seems to be locked out now that I've set up MediaWiki to use LDAP authentication and I can't create a WikiSysop user in our LDAP directory. Can I make my own LDAP username a sysop user somehow? The instructions under Adding WikiSysop seem to be for doing so before setting up LDAP; however, I've already gotten LDAP configured.

Nevermind, I found the instructions on the Help:Setting user rights in MediaWiki page and that helped me figure it out.

I modified the extension to use HTTP Basic Authentication, if available. I tried to make it be an AutoAuth plugin, like SSL Auth is in this extension now, but I'm willing to bet it's not 100% right. You'll find a diff against SVN trunk below.

Index: LdapAuthentication.php
===================================================================
--- LdapAuthentication.php      (revision 22916)
+++ LdapAuthentication.php      (working copy)
@@ -56,7 +56,7 @@

        function LdapAuthenticationPlugin() {
        }
-
+
        /**
         * Check whether there exists a user account with the given name.
         * The name will be normalized to MediaWiki's requirements, so
@@ -1587,6 +1587,11 @@
                                $wgHooks['PersonalUrls'][] = 'NoLogout'; /* Disallow logout link */
                        }
                        break;
+               case "http":
+                       $wgAuth->printDebug( "Allowing http basic authentication.", 1 );
+                        $wgHooks['AutoAuthenticate'][] = 'HttpAuth'; /* Hook for magical authN */
+                        $wgHooks['PersonalUrls'][] = 'NoLogout'; /* Disallow logout link */
+                       break;
                default:
                        $wgAuth->printDebug( "Not using any AutoAuthentication methods.", 1 );
        }
@@ -1597,6 +1602,98 @@
        $personal_urls['logout'] = null;
 }

+function HttpAuth(&$user){
+       global $wgUser;
+       global $wgAuth;
+       global $wgLDAPHttpDomain;
+       $wgAuth->printDebug( "Entering HttpAuth.", 1 );
+       $wgAuth->printDebug( "PHP_AUTH_USER = " . $_SERVER['PHP_AUTH_USER'], 1 );
+       $wgAuth->printDebug( "PHP_AUTH_PW = " . $_SERVER['PHP_AUTH_PW'], 1 );
+       $wgAuth->printDebug( "wgLDAPHttpDomain = " . $wgLDAPHttpDomain ,1 );
+       $wgAuth->setDomain($wgLDAPHttpDomain);
+
+       //Give us a user, see if we're around
+       $tmpuser = User::newFromSession();
+
+       //They already with us?  If so, quit this function.
+       if( $tmpuser->isLoggedIn() ) {
+               $wgAuth->printDebug( "User is already logged in.", 1 );
+               return;
+       }
+
+        //Let regular authentication plugins configure themselves for auto
+        //authentication chaining
+        //$wgAuth->autoAuthSetup();
+
+       $authenticated = $wgAuth->authenticate( $_SERVER['PHP_AUTH_USER' ], $_SERVER['PHP_AUTH_PW'] );
+       if ( !$authenticated ) {
+                       //If the user doesn't exist in LDAP, there isn't much reason to
+                       //go any further.
+                       $wgAuth->printDebug("User wasn't found in LDAP, exiting.", 1 );
+                       return;
+               }
+       if ( $tmpuser == null ) {
+               $wgAuth->printDebug( "Username is not a valid MediaWiki username.", 1 );
+               return;
+       }
+
+       //We need the username that MediaWiki will always use, *not* the one we
+       //get from LDAP.
+       $mungedUsername = $wgAuth->getCanonicalName( $_SERVER['PHP_AUTH_USER' ] );
+
+       $wgAuth->printDebug( "User exists in LDAP; finding the user by name in MediaWiki.", 1 );
+
+       //Is the user already in the database?
+       $tmpuser = User::newFromName( $mungedUsername );
+
+       if ( $tmpuser == null ) {
+               $wgAuth->printDebug( "Username is not a valid MediaWiki username.", 1 );
+               return;
+       }
+
+       //If exists, log them in
+       if( $tmpuser->getID() != 0 ) {
+               $wgAuth->printDebug( "User exists in local database, logging in.", 1 );
+               $wgUser = &$tmpuser;
+               $wgAuth->updateUser( $wgUser );
+               $wgUser->setCookies();
+               $wgUser->setupSession();
+               return;
+       }
+       $wgAuth->printDebug( "User does not exist in local database; creating.", 1 );
+
+       //Require SpecialUserlogin so that we can get a loginForm
+       require_once( 'SpecialUserlogin.php' );
+
+       //This section contains a silly hack for MW
+       global $wgLang;
+       global $wgContLang;
+       global $wgRequest;
+       if( !isset( $wgLang ) )
+       {
+               $wgLang = $wgContLang;
+               $wgLangUnset = true;
+       }
+
+       $wgAuth->printDebug( "Creating LoginForm.", 1 );
+
+       //This creates our form that'll let us create a new user in the database
+       $lf = new LoginForm( $wgRequest );
+
+       //The user we'll be creating...
+       $wgUser = &$tmpuser;
+       $wgUser->setName( $wgContLang->ucfirst( $mungedUsername ) );
+
+       $wgAuth->printDebug( "Creating User.", 1 );
+
+
+       //Create the user
+       $lf->initUser( $wgUser );
+
+       //Initialize the user
+       $wgUser->setupSession();
+       $wgUser->setCookies();
+}
+
 /**
  * Does the SSL authentication piece of the LDAP plugin.
  *

This, or something very similar, will be added to 1.1g (or 1.2a if I think the changes made are large enough for a major number release). Thanks for the patch!
--Ryan lane 13:15, 20 August 2007 (UTC)Reply

Thanks. I'm looking forward to that new version.

Hi, is this on the 1.2a release? I don't see any documentation for enabling this option. I also don't see any "PHP_AUTH_USER" or "SERVER" text in the 1.2a release. :(

Yes, this has been added in 1.2a. You won't see SERVER in the plugin, because I allow the admin to choose whatever that want for the auto-auth username. See Extension:LDAP Authentication/Smartcard Configuration Examples and Extension:LDAP Authentication/Kerberos Configuration Examples. If you notice, the kerberos example has the following in LocalSettings.php:

$wgLDAPAutoAuthUsername = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"] );

This allows the same code base to be used for kerberos, SSL, radius, SASL, or whatever else you happen to chose on your webserver.
--Ryan lane 23:10, 2 December 2008 (UTC)Reply

I installed the LDAP Auth extension and have it working in MediaWiki 1.7.1 and Windows 2003 Server. The problem I have is that authentication does not work with usernames that include an underscore ("_"). After googling around, it looks like it is normal for MediaWiki to convert underscores ("_") to spaces (" "). Is there any workaround for this? Or, will I have to make sure any AD user that needs Wiki access has a username without any underscores?  :( Please see my included debug output below... Anyone else have this issue :)? Your help is appreciated!

<!--The valid AD username is "wiki_user"-->
Entering validDomain
User is using a valid domain.
Setting domain as: exampledomain
Entering getCanonicalName
Username isn't empty.
Munged username: Wiki user
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://ad0.exampledomain.org
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: exampledomain\Wiki user
Binding as the user
Failed to bind as exampledomain\Wiki user
Entering strict.
Returning true in strict().
Entering modifyUITemplate

Reeboblue 20:32, 13 June 2007 (UTC) E-MailReply

Well, the plugin doesn't currently support this. You may be able to add support for this into the authentication method, similar to how the plugin allows users to lowercase the username. Thing is, no matter what, you can either have users that have underscores, or spaces, not a mix of the two, because the wiki is always going to change underscores to spaces. The plugin unfortunately has no way of changing that. Sorry I couldn't be more help.
--Ryan lane 22:30, 30 June 2007 (UTC)Reply

I'm having a similar problem as the "Nested Groups option not working" guy. Ldapauthentication.php works fine prior to adding group based restrictions. When I add the "#group based auth" section to my config, AD users in the allowed group can no longer authenticate. However, the users that logged in prior to group based restriction were added to the users mySQL table and they can still successfully authenticate although they are no longer in the allowed group.

cat LdapAuthentication.php | grep "'version'"
       'version' => '1.1f (alpha)',

Here is my conf:

#LDAP FUN!!!
require_once( "includes/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "DOMAIN" );
$wgLDAPServerNames = array( "DOMAIN"=>"frodo.domain.com legolas.domain.com" );  //this place is run by true geeks
$wgLDAPSearchStrings = array( "DOMAIN"=>"DOMAIN\\USER-NAME" );
$wgLDAPUseSSL = false; //not recommended but OK for testing
$wgLDAPEncryptionType = array( "DOMAIN"=>'clear' ); // this is needed in >= 1.1c
$wgLDAPUseLocal = true; //allows mysql db driven auth (default Root user)
$wgMinimalPasswordLength = 1;
$wgLDAPRetrievePrefs = true;
#$wgLDAPRetrievePrefs = array( "DOMAIN"=>false ); // this is needed in >= 1.1c
$wgLDAPUpdateLDAP = array( "DOMAIN"=>"false" ); //disables mediawiki from updating LDAP
$wgLDAPDebug = 3; //debugging

#group based auth
$wgLDAPBaseDNs = array( "DOMAIN"=>"dc=domain,dc=com" );
$wgLDAPRequiredGroups = array( "DOMAIN"=>array("cn=wiki-sysops,dc=group,dc=domain,dc=com") );
$wgLDAPGroupUseFullDN = array( "DOMAIN"=>true );
$wgLDAPGroupObjectclass = array( "DOMAIN"=>"group" );
$wgLDAPGroupAttribute = array( "DOMAIN"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "DOMAIN"=>false );
$wgLDAPSearchAttributes = array( "DOMAIN"=>"sAMAccountName" );

Here is the debug log:

Entering validDomain
User is using a valid domain.
Setting domain as: SMP-INC
Entering getCanonicalName
Username isn't empty.
Munged username: Wiki-user
Entering userExists
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://frodo.smp-inc.com ldap://legolas.smp-inc.com
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: SMP-INC\Wiki-user
Binding as the user
Binded successfully
Entering getUserDN
Created a regular filter: (sAMAccountName=Wiki-user)
Using base: dc=smp-inc,dc=com
Fetched username is not a string (check your hook code...).
Pulled the user's DN: CN=wiki-user,CN=Users,DC=smp-inc,DC=com
Checking for (new style) group membership
Entering isMemberOfRequiredLdapGroup
Required groups:cn=wiki-sysops,dc=group,dc=smp-inc,dc=com
Entering getUserGroups
Entering getGroups
Search string: (&(member=CN=wiki-user,CN=Users,DC=smp-inc,DC=com)(objectclass=group))
Returned groups:cn=wiki-sysops,cn=users,dc=smp-inc,dc=com
Returned groups:
Couldn't find the user in any groups (2).
Entering modifyUITemplate
Allowing the local domain, adding it to the list.

Look at my 2 lines that start with "Returned groups:". It appears that the search string is returning results, however it's not listing the groups. When there are multiple groups, the second Returned Groups: line has a bunch of commas, ie:

Returned group:,,,,,,,,

When I turn on nested groups, it also cycles the same groups multiple times. I've read this has happened to other users as well. 6/26/07 15:45 PST

EDIT-i had the wrong OU defined. this has been resolved.

How would I do a search for department number ("departmentnumber") or a group of them in LDAP and restrict the login using those numbers? Thanks

If you want to limit login by an attribute like department number, you can use search based options, like so:

$wgLDAPRequireAuthAttribute = array( "mydomain"=>true );
$wgLDAPAuthAttribute = array( "mydomain"=>"departmentnumber=331" );

Say for instance, you wanted to have multiple department numbers, you could use the following syntax:

$wgLDAPRequireAuthAttribute = array( "mydomain"=>true );
$wgLDAPAuthAttribute = array( "mydomain"=>"|(departmentnumber=331)(departmentnumber=332)(departmentnumber=333)" );

Pretty much any valid LDAP filter works; notice however, that the plugin wraps () around the filter (I'll try to fix this in the future in a backwards-compatible way), so make sure you take that into account.

As for groups, you can define groups however you like in LDAP, and then use group based login restrictions to limit users by group.

Btw, I didn't notice your post earlier because you stuck the question at the top. Please stick all new support requests at the bottom of the page.
--Ryan lane 20:42, 9 July 2007 (UTC)Reply

Needless search (IMHO) edit

I tried this, but it does not work as I expected.

1. The $wgLDAPAuthAttribute does not not effect the initial user search - getUserDn -.
2. It only works for the first (of n) result entries of getUserDN searches.
3. The effect is another search after the binding. This is redundant!

Please patch the getUserDN in a way it uses $wgLDAPAuthAttribute. With this you save a needless search.

I have three cn="jane doe"s in my LDAP, each with different mail addresses. I want only one mail domain to be allowed to log in mail=*@example.org. Jane Doe cannot log in, because getUserDN finds three jane doe, tries the first, fails, error, end. If getUserDN would work as I mentioned above, there would be only one search result: filter=(&(cn=jane doe)(mail=*@example.com)).

I now hardcoded the filter in my getUserDN to get it work quickly. I'm not a experienced PHP coder, otherwise I would send you a patch. :(

212.144.255.11 16:54, 11 November 2008 (UTC)Reply

Any user who uses a § in his password cannot login. Mediwiki is claiming that the password is wrong or has not been entered. Can I change that? Thanks

Does this work with LDAP Authentication turned off? I need to know if it is MediaWiki causing the problem, or the plugin.
--Ryan lane 13:27, 30 July 2007 (UTC)Reply

Two issues:

Local Usernames are Munged edit

If you enable local authentication in addition to the LDAP auth, all usernames are still munged, which causes previously created local MW user accounts with upper-case letters in the middle of them to be unusable (i.e. StatBot). Moving the strtolower() call in to the if {} block that runs only for DOMAIN logins resolves this issue.

Hmm, I never thought of this... (I haven't used local accounts since I transitioned to LDAP). I'm putting this on the todo list.
--Ryan lane 13:30, 30 July 2007 (UTC)Reply

I ran into the same problem today. Here's the fix:

Index: LdapAuthentication.php
===================================================================
--- LdapAuthentication.php      (revision 23725)
+++ LdapAuthentication.php      (working copy)
@@ -964,15 +964,15 @@
                        if ( $this->LDAPUsername != '' ) {
                                $this->printDebug( "Using LDAPUsername.", self::NONSENSITIVE );
                                $username = $this->LDAPUsername;
+
+                               //Change username to lowercase so that multiple user accounts
+                               //won't be created for the same user.
+                               $username = strtolower( $username );
+
+                               //The wiki considers an all lowercase name to be invalid; need to
+                               //uppercase the first letter
+                               $username[0] = strtoupper( $username[0] );
                        }
-
-                       //Change username to lowercase so that multiple user accounts
-                       //won't be created for the same user.
-                       $username = strtolower( $username );
-
-                       //The wiki considers an all lowercase name to be invalid; need to
-                       //uppercase the first letter
-                       $username[0] = strtoupper( $username[0] );
                }

                $this->printDebug( "Munged username: $username", self::NONSENSITIVE );

Almost - The line

$username[0] = strtoupper( $username[0] );

needs to be outside the IF loop - local Wiki accounts still need to have the first character capitalized - otherwise users who enter their uname all lowercase in Special:Userlogin will not be able to login locally. Only the strtolower() call should be inside the if LDAP block.

→Tim Laqua^{Talk | contribs}_{@13:08, 31 July 2007 (UTC)}Reply

Local Users are created with a blank "user_password" field edit

Only Domain user accounts should have a blank user_password field - Local users need to have the standard MW password hash. As-is, any local accounts created are unusable.

This bug must have creeped in recently. I know for sure that at some point in the past this was working properly. It sounds like I need to make some unit tests... I'm adding this to the todo list.
--Ryan lane 13:30, 30 July 2007 (UTC)Reply

ty. btw, great extension. We use it on our Internal HelpDesk wiki against a W2k3 AD at St. Cloud State University. (btw, haven't updated the works on area yet - we're runing MediaWiki 1.10.1 / PHP 5.2.0-8+etch7 apache2handler / MySQL 5.0.32-Debian_7etch1-log --Tim Laqua 14:55, 30 July 2007 (UTC)Reply

Unless I'm mistaken, this bug duplicates the allowPasswordChange doesn't check for $wgLDAPUseLocal bug which is described (and patched) elsewhere on this page. I applied the Christian's suggested patch under that heading, and it appears to have more-or-less solved the problem with missing passwords for locally-created users. (As an aside, however, I'll note that it would be nice if the Domain dropdown list on the create account page didn't show the LDAP domain if remote password creation isn't enabled for LDAP.) --Dmdwiggi 20:46, 14 August 2007 (UTC)Reply

Fixed in SVN edit

I've fixed both of these in SVN. Can you test it out to see if the fixes did in fact fix your problem?

getCanonicalName() fix for Local and AD users edit

I downloaded the latest version from SVN and I noticed this addition in getCanonicalName() :

if ( !isset( $wgLDAPUseLocal ) || !$wgLDAPUseLocal ) {
   //Change username to lowercase so that multiple user accounts
   //won't be created for the same user.
   $username = strtolower( $username );
}

I believe that is a clever step ahead in the solution of this issue.

The condition tested, thou, tests a "constant" for what concerns LdapAuthentication.php, since $wgLDAPUseLocal never changes its value given in LocalSettings.php

This test doesn't help those wikis that use both local (SysOps and Bots with a capital letter in the middle) and AD accounts (case insensitive).

I thought to modify the test condition this way:

if ( isset($_SESSION['wsDomain']) && 'local' != $_SESSION['wsDomain']) {
   //Change username to lowercase so that multiple user accounts
   //won't be created for the same user.
   $username = strtolower( $username );
}

This way I can have $wgLDAPUseLocal == True.

When I select the Local domain, I skip this test and capitalize the first letter without changing the rest. (done in the rest of the code not re-written here)

When I select one AD domain, I lowercase the user name, that for some reason arrives in getCanonicalName() still with mixed lowers and caps.

I was curious to know why $this->LDAPUsername doesn't get set in my wiki configuration... that's why I made this change.

Giovanni 02:50, 22 August 2007 (UTC)Reply

Ah, good catch. That most likely is the best logic. Its in SVN now.
--Ryan lane 04:01, 23 August 2007 (UTC)Reply

Hi, I need some help on how to set up this extension in the following way: we have two AD groups, for example "WikiUsers" and "WikiAdmins". I want to restrict the the usage of the Wiki for these groups, i.e.

• If a user is in neither group, he cannot access the Wiki at all (well, except the main page and the login page)
• If a user is in WikiUsers, he should get read access to all wiki pages (and, if possible, r/w access to his own userpage and to all talk pages)
• If a user is in the WikiAdmin group, he has "full" rights to view/edit the wiki (obviously still restricted by "blocked" pages or the like)

Anyone care to give me a quick howto on how to set up the wiki like that? I'm an LDAP newbie, so any help would be much appreciated. I guess I need to create the respective groups in the wiki and map the two AD group to them, then set $wgGroupPermissions accordingly?

Yep, that would be it. I'm not sure if it possible to restrict edit access like you would like to do with WikiUsers, but I could be wrong. That is more of a MediaWiki permissions thing.
--Ryan lane 19:02, 6 August 2007 (UTC)Reply

I've created a group in my AD called "Wiki Administrators", and given that group sysop permisions with this line:

$wgGroupPermissions['Wiki Administrators'] = $wgGroupPermissions['sysop'];

This doesn't work, because the DB schema allows only 16 chars in the Group name. I am added to the "Wiki Administ" group, which doesn't match, so I am not a sysop.

A work around for this was to shorten the name to Wiki Admins, but the DB schema should allow longer names or the LDAP Auth module should match in a different way.

I don't disagree, but this is a MediaWiki core thing. I've asked the developers before, but didn't get much of a positive response (schema changes are somewhat of a big thing).
--Ryan lane 19:04, 6 August 2007 (UTC)Reply

I'll take a look into making it match a different way (or I'll talk to the developers again).
--Ryan lane 19:28, 6 August 2007 (UTC)Reply

I had the same problem at work. For the authentication of our wikis we have groups with long names. What I have done to solve it is increase the maximum size of the field 'ug_group' of the table 'wik_user_groups' to 255 (the tables of my database have 'wik_' comme prefix). It works! The SQL command would be ...

   ALTER TABLE `wik_user_groups` MODIFY COLUMN `ug_group` varbinary(255)  NOT NULL;

--José Manuel Ciges Regueiro 13:20, 25 November 2009 (UTC)Reply

I am using the $wgLDAPUseLDAPGroups feature. At first, everything works fine... Users are being added to the MW Database, MW Groups are created, and users are put into groups, all according to LDAP. Now: When i Remove a user from a group in LDAP, it stays in all the groups in MW. I found that this is a bug in the code:

$this->printDebug("Checking to see if we need to remove user from: $cGroup",1);
                                if ((!$this->hasLDAPGroup($cGroup)) && ($this->isLDAPGroup($cGroup))) {
                                        $this->printDebug("Removing user from: $cGroup",1);

The Fixed line would be:

                                if ((!$this->hasLDAPGroup($cGroup)) && (!$this->isLDAPGroup($cGroup))) {

I Am using the Version 1.1e right now, but found that the bug is still existent in 1.1f alpha. Keep the good work up, this Extension is GREAT!

Cheers:
Thomas Gruber --17:52, 7 August 2007 (UTC)

Hmm, actually I'm not sure that is a bug. The logic looks correct; well, I actually do see a problem, but not what you are describing. Turn on debugging, and make sure that the "getAllGroups" function is returning your groups. If it isn't then the plugin can't remove the user from the group, because it leaves non-ldap mediawiki groups alone.

Which of course causes a bug I just noticed. If you delete a group from LDAP, that group still exists in mediawiki, and the plugin can't sync it (and hence, can't remove the user from the group).
--Ryan lane 21:50, 7 August 2007 (UTC)Reply

Hi there, i got the following from the Debug output:

Available groups are: bot,sysop,bureaucrat,global-it

When i remove a user from a group, it IS displayed correctly when returning the groups for LDAP, but the user is not removed from the Group in MW - oh and BTW: This is a AD I am trying to use.
Thomas Gruber - 13:49, 8 August 2007 (UTC)

Well, thats the available mediawiki groups. Look for this string "Returned groups:", after seeing "Entering getAllGroups". Btw, can you post your configuration with all sensitive stuff snipped out?
--Ryan lane 02:04, 9 August 2007 (UTC)Reply

Hi again, sorry, that i did not answer a long time. Had Holidays :-). I pasted the Config and the complete Debug output (debug 3) into a file on my server. I think this would definately be too big (and this article is long enough already) -> http://tuxpower.org/~virusmaster/mediawiki-ldap-bug - at the moment i have the problem, that i cannot recheck the problem now, since i do not have access to the AD Server atm. But in the debug output i see no "Entering getAllGroups" which would indicate, that the function is never called in the first place.

--ThomasGruber 13:11, 10 September 2007 (UTC)Reply

Actually, it looks like it isn't finding the user in any groups. If it doesn't find your user in a required group, it won't synchronize groups at all. You need to get group restriction working before you worry about group synchronization. Please upgrade to the newest plugin release; there is a bug in the version you are using that may be causing the issue.
--Ryan lane 16:56, 10 September 2007 (UTC)Reply

Hi, yes i am still alive ;-) I just wanted to tell you, that with the version 1.1g of AuthLDAP it works flawlessly... but i got another thingie... for this i'll open up another 'call'
--ThomasGruber 13:16, 8 January 2008 (UTC)Reply

I am using Mediawiki 1.9 running it on an XAMPP server on Windows XP. My LDAP is not working at all even after pasting the code from the configuration link from mediawiki help. Do i need to copy any ".dll" into the system32 folder in order to make it working?

Also, including LdapAuthication.php and making changes in the LocalSettings.php is all i need to make to LDAP running right ?

I need simple Authentication from my LDAP server as to confirming username and password. What all codes do i need to paste in the respective .php files Please help me on this .. thanks.

Also,When i click on Login button,nothing happens and a blank screen come up. Frustration creeping in.

--220.225.64.6 07:30, 9 August 2007 (UTC)Reply

I don't use XAMPP (and never have before). I also never use apache/php/mysql on Windows. Unless the current documentation on the content page can help, there is nothing I can do for you. Honestly, a little googling on your side is probably a good idea. I know there have got to be other people who have had to have ldap and ssl working with php on windows before.

Maybe someone else here can help you out?
--Ryan lane 14:05, 9 August 2007 (UTC)Reply

Thanks Ryan.. i have reached to the final step now .. things working now .. the error now coming is "start-tls]: Unable to start TLS: Server is unavailable in C:\xampp\htdocs\mediawiki\includes\LdapAuthentication.php on line 165" Though i am able to ping my LDAP normaly through the command prompt.

Also, how to get this contents block on the top of every page ?
--Ankit.madan 07:21, 10 August 2007 (UTC)Reply

Can you post your configuration, with sensitive stuff snipped out?
--Ryan lane 14:03, 13 August 2007 (UTC)Reply

Thanks for helping me on this Ryan

The LocalSetting.php is as follows:

$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['user']['edit'] = true;

###Prevent new registrations from anonymous users (Sysops can still create new account)

$wgGroupPermissions['*']['createaccount'] = false;

###Define the pages un-authenticate users can see. This is crucial.
###Otherwise, there's no way for people to login.

$wgWhitelistRead = array( "Main Page","Special:Userlogin","-","MediaWiki:Monobook.css");
$wgGroupPermissions['*']['read'] = false;


###Authenticate users from an Active Directory.

require_once('LdapAuthentication.php');
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "ASDF" );
$wgLDAPServerNames = array( "ASDF"=>"10.76.122.2");
$wgLDAPUseSSL = false;
$wgLDAPUseLocal = false;
$wgLDAPAddLDAPUsers = false;
$wgLDAPUpdateLDAP = false;
$wgLDAPMailPassword = false;
$wgLDAPRetrievePrefs = true;
$wgMinimalPasswordLength = 1;
$wgLDAPSearchStrings = array( "ASDF"=>"ASDF\\USER-NAME"  );

I have pasted the .dll files and made changes to the php.ini in the apache/bin folder as that is the path shown in http://localhost/xampp/phpinfo.php under Loaded Configuration File. The Line 165 in LdapAuthentication.php is

		//TLS needs to be started after the connection is made
		if ( $encryptionType == "tls" ) {
			$this->printDebug("Using TLS",2);
	//165-->	ldap_start_tls($ldapconn);
		}

		return $ldapconn;

Please take a look at the official documentation... Most of your configuration settings are invalid. I swear. I have no clue where these old configuration settings are at, but when I find them, all of them are getting deleted, or I'm going to bitch at the person hosting them. This is a pretty common problem...

Notice that since you are not using the correct config setting for encryption that TLS is going to be used. Also, you should use the AD server's fully qualified domain name, not its IP address. If you ever plan on using TLS/SSL, the server's certificate name needs to match the server name used, and the client must trust the CA that signed the certificate. Encryption is generally a good idea if you can get it working.
--Ryan lane 01:02, 16 August 2007 (UTC)Reply

Oops.. i just got it after searching for LDAP+Mediawiki+Windows :)

To be frank documentation is pretty confusing.Which part of it should i use ?There are so many Code Snippets here that i dont know which one to use ! I'm running it on Windows XP,PHP 5.2.3(XAMPP Server),Mediawiki 1.9.3,LdapAuthentication v 1.1d There is no specific documentation for Windows XP. --Ankit.madan 03:57, 16 August 2007 (UTC)Reply

The documentation isn't OS dependent. It is LDAP server dependent for the most part. Look at the configuration examples, and use the one that fits your environment. If you are using AD, and only have a single domain, use Extension:LDAP Authentication/Configuration Examples#Single Domain Requiring Straight Binding Only.

Notice that the main documentation page's explanation of options should be used to ensure that the options you are using have the correct syntax, and do what you expect them to do.

Also notice that there is user provided information about how to configure windows Extension:LDAP Authentication#Windows configuration. I don't use Windows as a web server (Linux is free after all, and I use OSX as my main desktop...), so it is hard for me to provide documentation on how to configure Apache/PHP/MySQL/OpenLDAP/MediaWiki on that platform; honestly, it is a little out of the scope of this documentation. If a user is kind enough to provide precise documentation after doing it, I wouldn't mind having an entire section devoted to it in the documentation, I'm just not likely to ever write it.
Ryan lane 13:40, 17 August 2007 (UTC)Reply

It seems I can authenticate as a domain user, but on Special:Preferences, email and real name are empty. I'm running Apache2, PHP5, MediaWiki 1.7, LdapAuthentication 1.1d.

LocalSettings.php:

require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPRetrievePrefs = true;
$wgLDAPDebug = 4;
$wgLDAPDomainNames = array( "DOMAIN" );
$wgLDAPServerNames = array( "DOMAIN"=>"pdc.domain.edu" );
$wgLDAPSearchStrings = array( "DOMAIN"=>"DOMAIN\\USER-NAME"  );
$wgLDAPEncryptionType = array( "DOMAIN"=>"false" );
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs = array( "DOMAIN"=>"dc=domain,dc=edu" );
$wgLDAPSearchAttributes = array( "DOMAIN"=>"sAMAccountName" );
$wgLDAPAddLDAPUsers = false;
$wgLDAPUpdateLDAP = false;
$wgLDAPMailPassword = false;

And the debug output:

Entering validDomain
User is using a valid domain.
Setting domain as: Domain
Entering getCanonicalName
Username isn't empty.
Munged username: Jscott
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://pdc.domain.edu
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: DOMAIN\Jscott
Binding as the user
Binded successfully
Entering getUserDN
Created a regular filter: (sAMAccountName=Jscott)
Using base: dc=domain,dc=edu
Fetched username is not a string (check your hook code...).
Pulled the user's DN: CN=Jason Scott,OU=Techs,DC=domain,DC=edu
Authentication passed
Entering updateUser

Please read the documentation. Most of your configuration options are wrong. Almost every configuration option is specified with the domain in question. Specifically, you do not have "$wgLDAPRetrievePrefs" set correctly, and the plug-in considers this to be set to false. BTW, options are set to false by default, so explicitly setting options to false isn't necessary.
--Ryan lane 13:56, 13 August 2007 (UTC)Reply

is MS Active Directory domain authentication possible using LAMP? Specifically can i use Linux/Apache to authenticate users on MS active directory? I dont have the possibility to install wiki on IIS/windows however i am using MS Active Directory. I tried some configs but logging always fails.

Yep. This is supported. I'd imagine a decent amount of people are doing this. Notice that AD will not allow unencrypted binds by default. AD requires the use of some type of encryption (which is kerberos by default -- unfortunately the plugin doesn't currently support kerberos authentication). If your AD server does not have an SSL certificate installed, TLS/SSL binding is not possible, and will cause logins to fail. Turn on debugging to see if encryption is the issue. Also notice that openldap by default will require the AD server's certificate to be trusted, and the server name to match the certificate name. Please see the appropriate PHP/openldap documentation to enable this correctly; if you don't care about the trust, and only care about the encryption, you can turn off the trust setting in openldap. Notice that information on how to do this is in the user provided information section of this article.
--Ryan lane 14:01, 13 August 2007 (UTC)Reply

I have gotten the extension working and authenticating using AD, but I wonder how to connect to the global catalog to authenticate. I would assume from the debug log that the connections use the standard ldap (389) and ldaps (636) ports. I saw a reference to the GC in the documentation but never how to actually connect (if I missed it, my apologies). When I add the :3269 (port for secure GC connections) to the server name it no longer allows me to bind. We have a main domain, and then several sub-domains. For instance, sub1.domain.com, sub2.domain.com... Also each subdomain then has several DC's. My problem is that only the GC can authenticate people from sub1, sub2, sub3, etc... I can't list the servers from the other subdomains because I don't have the privileges to connect. Is there a way to choose the port to connect to or am I going about this wrong?? --Ctbarber 16:05, 14 August 2007 (UTC)Reply

The global catalog is the AD server that hosts it. You will still use either port 389 or 636. AD should take care of the rest for you.
--Ryan lane 00:56, 16 August 2007 (UTC)Reply

Is it possible to restrict the groups the are pulled into mediawiki from an AD other that by using the GroupBaseDN?

The problem is that we have a large AD that contains many groups which have the same CN and the sAMAccountNames of these groups is not unique within the first 16 characters.

What I would like to be able to do is name a group in the AD that contains the groups that I would like mediawiki to pull in. Preferably it would pull all the sub groups as well. I have modified the code so getAllGroups just returns the groups I want but I still need to restrict the groups the user is in to those returned by getAllGroups based on the long name (DN).

You'll have to come up with some method of doing this. If your group names aren't unique within the first 16 characters, mediawiki won't be able to tell the difference. As I mentioned elsewhere on this page, I'll take a look into trying to get the character limit increased.--Ryan lane 13:13, 21 August 2007 (UTC)Reply

I've talked with the core code developers, and there is now a bug in bugzilla regarding it. I'm hoping it'll be put in place for 1.12.
--Ryan lane 16:51, 4 October 2007 (UTC)Reply

I updated from MediaWiki 1.7.1 to 1.10.1. When a new user tries to login, the following error appears: .. .. Authentication passed Entering setPassword Wiki is set to not allow updates

Internal error There was either an external authentication database error or you are not allowed to update your external account. ..

Now with the update, I assume localsettings.php and LDAPauthentication.php should not have been changed. That is those files remain the same. Should something have been changed here? Should something in SpecialUserLogin.php be changed?

Thank you very much Polo 08:42, 23 August 2007 (UTC)Reply

OK, fixed it!!

Edit the LDAAuthentication.php script

change $user->setPassword( ); to $user->mPassword; (round about line 695) change return false; to return true; in the else if path in the setPassword() function. (round about line 367)

Polo 12:24, 23 August 2007 (UTC)Reply

What version of the LDAP plugin are you using? This was fixed quite a while ago. You probably need to upgrade.
--Ryan lane 16:53, 23 August 2007 (UTC)Reply

I also had the exact same problem with mediawiki 1.11 and thankfully your suggested code changes resolved the issue. I tried the latest 3 versions of the plugin and all gave a 'password incorrect' error. Debugging showed the error 'unable to start tls'. reverting back to an old version of the plugin and making the suggested code changes suggested by polo resolved my issue. - Anna

Reverting back worked because the older versions didn't throw an error if tls failed, which is a very bad thing. Now you think you are using encryption, and you really aren't. You need to figure out why TLS failed. You can try SSL, and see if that works for you. Either way, reverting back isn't really a fix.
--Ryan lane 16:45, 4 October 2007 (UTC)Reply

The documentation shows storing the passwords for the Proxy Agent and LDAP Writer in the LocalSettings.php using SHA encryption. When I try to specify the passwords this way, I get errors on binding inside the bindAs() function (called from getSearchString()) and the setPassword() function. If I change the configuration to plain-text passwords, everything works properly.

I am using MediaWiki 1.10.0 on PHP 5.1.6, with LDAP Authentication Plugin 1.1e. Is there some configuration setting or step that I am missing to make SHA-encrypted passwords work?

Thanks... Pcorreia 19:18, 23 August 2007 (UTC)Reply

I can't remember the last time I did this. I usually just use a user who has very few privileges.
--Ryan lane 03:32, 24 August 2007 (UTC)Reply

I've added a WikiSysop user to the LDAP server as directed, but when I log in as WikiSysop I don't have sysop privileges. As it turns out, when I log in as WikiSysop the first time after turning on LDAP authentication, a new user is created in the MediaWiki database named Wikisysop (note the lowercase 's'). This user does not have sysop privileges. I have tried it with $wgLDAPLowerCaseUsername set to both true and false, and I get the same result both times. Here's my LDAP WikiSysop user:

dn: uid=WikiSysop,ou=ServiceAccounts,dc=mydomain,dc=net
objectClass: account
objectClass: simpleSecurityObject
uid: WikiSysop
description: Wiki administrator account
userPassword: (withheld)

Am I missing something? Does anyone have this (a WikiSysop user in LDAP that automatically gets sysop privileges) working with MediaWiki 1.10.0 and LDAP Authentication Plugin 1.1e?

Pcorreia 20:10, 23 August 2007 (UTC)Reply

Well, actually, I don't recommend putting WikiSysop in LDAP. I recommend creating a regular user with the LDAP plugin disabled, and giving it sysop and bureaucrat rights, then enabling the LDAP plugin. You can also turn on $wgLDAPUseLocal temporarily, and log in with WikiSysop and do the same. Essentially, once the plugin is enabled, WikiSysop is never used again.
--Ryan lane 03:35, 24 August 2007 (UTC)Reply

Well, doing this search on our AD is suicide - we would NEVER want a list of all our LDAP groups - we have over 3000. So how about this patch that scopes the search down to all the user's LDAP groups (which will definately hit) and all existing MW local groups, pulled from $wgUser->getAllGroups() - which should yield all groups that we could ever want to compare anything to for this particular session:

Index: LdapAuthentication.php
===================================================================
--- LdapAuthentication.php	(revision 25407)
+++ LdapAuthentication.php	(working copy)
@@ -1361,7 +1361,8 @@
 	function getGroups( $ldapconn, $dn ) {
 		global $wgLDAPGroupObjectclass, $wgLDAPGroupAttribute, $wgLDAPGroupNameAttribute;
 		global $wgLDAPProxyAgent, $wgLDAPProxyAgentPassword;
-
+		global $wgUser;
+		
 		$this->printDebug( "Entering getGroups", self::NONSENSITIVE );
 
 		$base = $this->getBaseDN( self::GROUPDN );
@@ -1370,11 +1371,39 @@
 		$attribute = $wgLDAPGroupAttribute[$_SESSION['wsDomain']];
 		$nameattribute = $wgLDAPGroupNameAttribute[$_SESSION['wsDomain']];
 
-                // We actually want to search for * not \2a
-                $value = $dn;
-                if ( $value != "*" )
-                        $value = $this->getLdapEscapedString( $value );
-		$filter = "(&($attribute=$value)(objectclass=$objectclass))";
+		// We actually want to search for * not \2a
+		$value = $dn;
+		if ( $value != "*" )
+				$value = $this->getLdapEscapedString( $value );
+		
+		# Check to see if the search is scoped or not
+ 		if ( $value == "*" ) {
+			# HOLY CRAP!  All is too many - lets just get everything that
+			# we MIGHT need to compare to - filter on ALL MW groupnames and
+			# all user groupsnames
+			$localAvailGrps = $wgUser->getAllGroups();
+			
+			# We're going to scope down to existing MW groups
+			$attribute = $wgLDAPGroupNameAttribute[$_SESSION['wsDomain']];
+			
+			$filter = "(&(objectclass=$objectclass)(|";
+			
+			# Build filter for MW groups
+			foreach($localAvailGrps as $value) {
+				$filter .= "($attribute=$value)";
+			}
+			
+			# If the user has LDAP groups, build the filter for those too
+			if ( $this->foundUserLDAPGroups ) {
+				foreach($this->userLDAPGroups as $value) {
+					$filter .= "($attribute=$value)";
+				}
+			}
+			$filter .= "))";
+		} else {
+			# Scoped search, filter on the $dn provided
+			$filter = "(&($attribute=$value)(objectclass=$objectclass))";
+		}
 
 		$this->printDebug( "Search string: $filter", self::SENSITIVE );

→Tim Laqua^{Talk | contribs}_{@16:25, 2 September 2007 (UTC)}Reply

This is a good solution to the problem (...actually, it is far better than the solution I was thinking of). Thanks for the patch, I'll be including this in the next release.
--Ryan lane 17:00, 10 September 2007 (UTC)Reply

I believe I've fixed this problem in 1.1g. I actually didn't include the patch, but I've added $wgLDAPLocallyManagedGroups, which allows the plugin to not have to check to see if a group is an LDAP group or not. So, now getAllGroups() is simply not called unless $wgLDAPGroupsPrevail is enabled, which doesn't need to be unless you are using one of those (insecure) access control plugins.

Notice that the default behavior of the group synch stuff slightly changed. bot, sysop, and bureaucrat (which are always considered to be part of $wgLDAPLocallyManagedGroups) will sync normally, but never have members removed (unless you remove them manually). All other groups that are not part of $wgLDAPLocallyManagedGroups will have members added/removed normally.
--Ryan lane 21:19, 21 September 2007 (UTC)Reply

Fair enough - and much appreciated. I don't really think LDAP (or any of the other security related extensions) belongs as an "interface" type either, but for now it was the only one that even maybe fit (no access --> no interface), and of course, that alone proves the point that we need some new categories. There is an on-going discussion at Template_Talk:Extension#Type_taxonomy. Please feel free to add your ideas. Egfrank 14:21, 11 September 2007 (UTC)Reply

It looks like there is a category called User identity, which contains all of the auth plugins. I think this is probably fine.
--Ryan lane 18:54, 21 September 2007 (UTC)Reply

Hello,

I just updated MediaWiki to 1.11 and am having some problems with the LDAP extension. I just updated the extension to 1.1f. Here is a sample of my configuration (that worked on 1.10):

# BEGIN ALL LDAP CRAP

// Active Directory LDAP Authentication
require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array( "MYDOMAIN" );
$wgLDAPServerNames = array( "MYDOMAIN"=>"mydomaincontroller.mydomain.edu" );
$wgLDAPUseLocal = false;
$wgLDAPEncryptionType = array( "MYDOMAIN"=>"clear" );
$wgLDAPRetrievePrefs = array( "MYDOMAIN"=>true ); //<- this is how to do it
$wgMinimalPasswordLength = 8;
$wgLDAPSearchStrings = array( "MYDOMAIN"=>"MYDOMAIN\\USER-NAME" ); //BINDING

### GROUP CRAP

#DNs in $wgLDAPRequiredGroups must be lowercase, as search result attribute values are...
$wgLDAPRequiredGroups = array( "MYDOMAIN"=>array("cn=wikiusers,ou=ntfs groups,ou=enterprise,dc=mydomain,dc=edu") );
$wgLDAPGroupUseFullDN = array( "MYDOMAIN"=>true );
$wgLDAPGroupObjectclass = array( "MYDOMAIN"=>"group" );
$wgLDAPGroupAttribute = array( "MYDOMAIN"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "MYDOMAIN"=>false );
$wgLDAPBaseDNs = array( "MYDOMAIN"=>"dc=mydomain,dc=edu" );
$wgLDAPSearchAttributes = array( "MYDOMAIN"=>"sAMAccountName" );

/** $wgLDAPUseSSL = true;    //Commented out because these options use syntax
$wgLDAPUseLocal = false;     //for 1.0 and below (and are hence incorrect)
$wgLDAPAddLDAPUsers = false;
$wgLDAPUpdateLDAP = false;
$wgLDAPMailPassword = false;
$wgLDAPRetrievePrefs = true; */

//FOR DEBUGGING ONLY
$wgLDAPDebug = 1; //for debugging
$wgShowExceptionDetails = true;  //for debugging MediaWiki

Now keep in mind the above worked fine in 1.10. After updating I get the error:

Incorrect password entered. Please try again.

I have had several people try their passwords and everyone gets the same message. When enabling debugging I get the following:

Entering validDomain
User is using a valid domain.
Setting domain as: MYDOMAIN
Entering getCanonicalName
Username isn't empty.
Munged username: Acook001
Entering authenticate
Entering Connect
Missing LDAP support; please ensure you have either compiled LDAP support in, or have enabled the module.
Failed to connect
Entering strict.
Returning true in strict().
Entering modifyUITemplate

I'm not sure why it's saying: Missing LDAP support; please ensure you have either compiled LDAP support in, or have enabled the module. Any ideas?? Thanks!

HotMonkeyAC 16:36, 11 September 2007 (UTC)Reply

Anyone still around in here?? HotMonkeyAC 16:13, 20 September 2007 (UTC)Reply

I'm probably doing the check for the ldap module improperly... This is an issue with the plugin. You can comment out the return statement after the check in the code for now. In the next release I'll give a warning and won't cause the plugin to die (I'll try to figure out the proper way to detect the module too).
--Ryan lane 19:00, 21 September 2007 (UTC)Reply

Thanks for the reply Ryan. Do you happen to know where in the code I'd need to comment out? Maybe you can provide a line number? I'll let you know if it works.

-HotMonkeyAC 14:13, 25 September 2007 (UTC)Reply

I changed this in 1.1g. If you upgrade, it should work for you.
--Ryan lane 16:43, 4 October 2007 (UTC)Reply

I've been struggling to get this to move past the very first stage on my intranet wiki. I'm continuing to get these errors:

Entering validDomain
User is not using a valid domain.
Setting domain as: invaliddomain
Entering modifyUITemplate

I added a "strlen($domain)" into the debugging code and it returned 0! I guess this means my $domain variable is empty. What does this mean? How do I fix this?

Does the login page have a selectable domain? If not, the plugin probably isn't configured properly. Post your config with sensitive stuff snipped out.
--Ryan lane 19:02, 21 September 2007 (UTC)Reply

Hi Ryan,

I could do simple user authentication using LDAP.

But my aim was to authenticate and allow only a group of users to access the site. But i am unable to authenticate the user. Can you please tell me where am i going wrong.

The following is my code and the debug output.

$wgLDAPRequiredGroups = array( "domain"=>array("cn=group_admins,ou=groups,ou=abc,ou=bom,oc=ind,dc=ad,dc=abc,dc=com") );
$wgLDAPGroupUseFullDN = array( "ad.abc.com"=>true );
$wgLDAPGroupObjectclass = array( "ad.abc.com"=>"group" );
$wgLDAPGroupAttribute = array( "ad.abc.com"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "ad.abc.com"=>true );
$wgLDAPGroupNameAttribute = array( "ad.abc.com"=>"cn" )

Entering validDomain
User is not using a valid domain.
Setting domain as: invaliddomain
Entering modifyUITemplate
Username Received: Harshal m
Username isn't empty.
Munged username: Harshal m
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://ad.abc.com
Connected successfully
Entering getSearchString
Doing a straight bind
Username is : Harshal_m
Password is : 
userdn is: abc\Harshal_m
Binding as the user
Binded successfully
Entering getUserDN
Created a regular filter: (sAMAccountName=Harshal m)
Using base: dc=ad,dc=abc,dc=com
Fetched username is not a string (check your hook code...).
Pulled the user's DN: 
Checking for (new style) group membership
Entering isMemberOfRequiredLdapGroup
Required groups:cn=group_admins,ou=groups,ou=abc,ou=bom,oc=ind,dc=ad,dc=abc,dc=com
Entering getUserGroups
Entering getGroups
Search string: (&(member=)(objectclass=group))
Returned groups:
Returned groups:
Couldn't find the user in any groups (1).
Entering strict.
Returning true in strict().
Entering modifyUITemplate

Do you have underscores in your username? Underscores cause problems because MediaWiki turns them into spaces. Essentially, the wiki is searching for a user with the samaccountname of "Harshal m", and can't find the user (and therefore can't use the DN in the search for the group).
--Ryan lane 19:09, 21 September 2007 (UTC)Reply

Thanks Ryan.Yes. I do have underscores as a part of the username. Can you suggest a workaround for the same.
--Harshalm 11:13, 24 September 2007 (UTC)Reply

I think someone else on this page has a workaround for this posted. This seems to be a pretty common problem. I'm going to see if there is a core-code way of fixing this...
--Ryan lane 16:42, 4 October 2007 (UTC)Reply

Btw, here is the workaround someone else posted: Extension_talk:LDAP_Authentication#Problems_with_underlines_in_username_.28AD.29
--Ryan lane 16:55, 4 October 2007 (UTC)Reply

We have the LDAP connectivity to AD working well - except that it looks like the wiki real_name is being populated by our AD cn - which for us, is a login code (we are numbers not names in AD).

Ideally I'd like it to be a friendly givenName but am not sure what to change or set. I've tried changing the following code, but to no avail.

// in retrieve preferences
if (isset($info[0]["cn"])) {
        $this->realname = $info[0]["cn"][0];
}

any help greatly appreciated

# pull back display name, email etc
$wgLDAPRetrievePrefs = array("production.local" => true);

Changing:

// in retrieve preferences
if (isset($info[0]["cn"])) {
        $this->realname = $info[0]["cn"][0];
}

to:

// in retrieve preferences
if (isset($info[0]["givenname"])) {
        $this->realname = $info[0]["givenname"][0];
}

Should work properly. This is the only spot these are used when retrieving preferences...
--Ryan lane 19:15, 21 September 2007 (UTC)Reply

thanks, Callum Wilson 08:41, 25 September 2007 (UTC)Reply

An additional note for those that have number based AD cn's, it is worth changing the Special:Listusers to include the user_real_name. This change is unlikely to affect non-LDAP auth sites with self-chosen usernames because they won't care about the users' real name. To do this:

• open the file {wikidir}/includes/SpecialListuser.php
• then change these bits of code
• firstly, in GetQueryInfo(), add user_real_name to the fields paramater

'fields' => array('user_real_name','user_name',
                        'MAX(user_id) AS user_id',
                        'COUNT(ug_group) AS numgroups',
                        'MAX(ug_group) AS singlegroup'),
                        'options' => array('GROUP BY' => 'user_name'),
                        'conds' => $conds

• then in formatRow() add in the realname display:

        function formatRow( $row ) {
                $userPage = Title::makeTitle( NS_USER, $row->user_name );

                $name = $this->getSkin()->makeLinkObj( $userPage, htmlspecialchars( $userPage->getText() ) );
                $realname = ': <i>' .  $row->user_real_name . '</i>';

                if( $row->numgroups > 1 || ( $this->requestedGroup && $row->numgroups == 1 ) ) {
                        $list = array();
                        foreach( self::getGroups( $row->user_id ) as $group )
                                $list[] = self::buildGroupLink( $group );
                        $groups = implode( ', ', $list );
                } elseif( $row->numgroups == 1 ) {
                        $groups = self::buildGroupLink( $row->singlegroup );
                } else {
                        $groups = '';
                }

                return '<li>' . wfSpecialList( $name . $realname, $groups ) . '</li>';
        }

--Callum Wilson 09:42, 28 September 2007 (UTC)Reply

Thanks. How do I change the "special:Recentchanges" list, to include the user_real_name? --David, 18:58, 31 January 2008 (UTC)

I have a fresh install of Mediawiki 1.11. Two problems:

First: require_once( 'LdapAuthentication.php' ); doesn't work. I have to use require_once( './includes/LdapAuthentication.php' );. Without the ./includes/, I get this error:

Warning: require_once(LdapAuthentication.php) [function.require-once]: failed to open stream: No such file or directory in /var/www/html/wiki/LocalSettings.php on line 4

Fatal error: require_once() [function.require]: Failed opening required 'LdapAuthentication.php' (include_path='.:/usr/share/pear') in /var/www/html/wiki/LocalSettings.php on line 4

Second: no matter what options I put in LocalSettings.php, I cannot get the LDAP authentication to do anything. Here is a sanitized version of my settings:

require_once( './includes/LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "ADDomain" );
$wgLDAPServerNames = array( "ADDomain"=>"XXXXX.XXXXX.XXX"  );
$wgLDAPSearchStrings = array( "ADDomain"=>"XXXXX\\USER-NAME"  );
$wgLDAPEncryptionType = array( "ADDomain"=>"ssl" );
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs = array( "ADDomain"=>"OU=XXXXXX,DC=XXXXX,DC=XXXXX" );
$wgLDAPSearchAttributes = array( "ADDomain"=>"sAMAccountName" );
$wgLDAPDebug = 3;
$wgLDAPRetrievePrefs = array( "ADDomain"=>true );
$wgShowExceptionDetails = true;

If I alter the code in /includes/LdapAuthentication.php to add some bad PHP, then I do get a runtime error. But it seems that no matter what I use with the above code, I never get anything on my wiki remotely resembling LDAP authentication.

If I replace wgLDAPServerNames with a bogus server name, I get no error.

Note well that despite setting the debug level to 3, I get nothing that would even slightly suggest any LDAP activities are going on.

Aren Cambre 17:39, 24 September 2007 (UTC)Reply

By the way, I am using 1.1g. Aren Cambre 18:17, 24 September 2007 (UTC)Reply

Aha, the documentation is bad. You have to put these commands at the end of your LdapSettings.php file, not at the beginning. Aren Cambre 16:00, 27 September 2007 (UTC)Reply

Hi,

I've all up-to-date versions of mediawiki and the ldap plugin. Still I have the The Same exact problem as Aren. I put all things in but the login page didn't change a bit... No errors, logs, anything!

Rodrigo.-

I recently moved my Wiki from a Fedora box to a Suse 9 Enterprise Server box. I installed openLDAP, and compiled PHP --with-LDAP...everything went fine. HOWEVER, now when logging in I am getting an error that says "Incorrect Password". I debugged and this is what it's showing:

Entering validDomain
User is using a valid domain.
Setting domain as: MYDOMAIN
Entering getCanonicalName
Username isn't empty.
Munged username: Acook001
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://mydomaincontroller-dc-003.mydomain.edu
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: MYDOMAIN\Acook001
Binding as the user
Failed to bind as MYDOMAIN\Acook001
Entering strict.
Returning true in strict().
Entering modifyUITemplate

All of the configuration was copied from a working install. Everything is the same (Mediawiki version, database, etc). Is there a reason why I'm getting the error Failed to bind as MYDOMAIN\Acook001? Please help!

Resolved HotMonkeyAC 16:59, 28 September 2007 (UTC)Reply

I'm trying to get the wgHooks['SetUsernameAttributeFromLDAP'][] = 'SetUsernameAttribute'; to work but doesn't seem to work. First of all I got an error, stating that function SetUsernameAttribute in the LocalSettings.php file was suppose to return true. Added that code but it still doesn't work. Any ideas would be most appreciated.

Code:

$wgHooks['SetUsernameAttributeFromLDAP'][] = 'SetUsernameAttribute';

function SetUsernameAttribute(&$LDAPUsername, $info) {
        $LDAPUsername = $info[0]['givenname'][0] . $info[0]['sn'][0];
        return 1;
}

I've also tried to analyze the output with $wgLDAPDebug = 7. It gave no indication that the hook were doing anything. Returning $LDAPUsername instead of 1 or 'true' doesn't work either. Other then that quirk I can't seem to get nestedgroups to work but you can easily work around that, tediuos, but it works.

Hmm. This should be working fine if you end with "return true;". Let me test this and get back to you.
--Ryan lane 16:25, 4 October 2007 (UTC)Reply

$wgLDAPEncryptionType = array( "domain"=>"SSL" );

works, but

$wgLDAPEncryptionType = array( "domain"=>"ssl" );

doesn't. Does SSL have to be capitalized? Should this be in the documentation?

Aren Cambre 16:21, 27 September 2007 (UTC)Reply

No. It is definitely "ssl". If you put "SSL" it will use "tls" because "SSL" isn't a valid type (I don't do a tolower...). Most likely, if you change from using "ssl" to "tls", or don't define the encryption type (which will cause it to default to tls), it'll work for you.
--Ryan lane 16:29, 4 October 2007 (UTC)Reply

There is no need for email confirmation if the email address comes from a known-good source like an LDAP directory. Therefore, I'd like to propose:

• Autocreated users with email pulled from LDAP should have appropriate values in the user_email_authenticated field of the user table indicating the email is pre-confirmed. Suggested value is the timestamp of the most recent LDAP query where the user's personal info was last checked.
• The user's personal info is checked on each LDAP authentication.
• The real name, e-mail, and nickname fields are not editable by the user.

Aren Cambre 18:30, 27 September 2007 (UTC)Reply

Looks like $wgEmailAuthentication may satisfy the first bullet point. Aren Cambre 18:57, 27 September 2007 (UTC)Reply

I'd prefer the realname to stay editable because many corporate directories do odd things such as surname, firstname. just my 2p. --Callum Wilson 09:45, 28 September 2007 (UTC)Reply

It would be nice if we had an option to choose that behavior. Aren Cambre 13:10, 28 September 2007 (UTC)Reply

If these changes don't require manual database modification, I'll try to work it into the next version.
--Ryan lane 16:31, 4 October 2007 (UTC)Reply

It looks like the only one that needs anything done is #3. This will probably require core code changes. Notice that with this one, even if the user edits the field, the next time they log in, the field will be overwritten. I'll look into the core code changes, and I'll make a new config option to allow for preferences to be customized.
--Ryan lane 19:20, 16 August 2008 (UTC)Reply

Hi,

I updated from MW 1.10.0 to 1.11.0 and LDAPAuth 1.0a to 1.1g today. Of course, I had to redo my LDAP config strings, but once that was working and I was able to login to the wiki, I immediately noticed a significant performance degradation.

I have a parallel wiki running on the same hardware that is at 1.10.0/1.0a and every page load takes literally three times longer on 1.11.0/1.1g! Most pages on 1.10 take 1 second to load, while it takes 3 seconds on 1.11.

After doing some digging, I realized that if I allow unauthenticated access to all pages, the performance is what I would expect: 1 second page loads. When I require authentication, the main and auth pages come up in 1 second, but once I actually authenticate via LDAP, I am back to 3 seconds per page.

I have done the routine steps of disabling all other extensions, and played with some of the LDAP settings, but haven't made a dent in the problem. Anyone have a thought as to what might cause this behavior?

-- Jonathan King

I can't imagine why this would happen, the plugin should only be called on login (unless you are using auto-authentication, like SSL Auth). I'll see if I can replicate this.
--Ryan lane 16:38, 4 October 2007 (UTC)Reply

Ryan and all, sorry for the false alarm. It turns out that the problem only occurred for IE7 users with WikEd enabled. Once disabled, performance returned to normal levels. --jonathan king

I'm still getting to grips with LDAP itself, and this is also my first MediaWiki extension, so I'd appreciate some walkthrough for installing this.

I'm using Fedora DS (but that ought not to matter, as the protocol should be the same), MW 1.11.0 and LdapAuthentication 1.1g

Please feel free to ask questions about my set up to work out how to get this installed and working correctly.

Thanks — Timotab 17:30, 17 October 2007 (UTC)Reply

Take a look at the documentation; if you have any specific problems, feel free to ask.
--Ryan lane 13:44, 18 October 2007 (UTC)Reply

OK, I did some reading and have a better understanding of our LDAP configuration, and armed with that knowledge, got it working just fine. Does this have the option to have the change password page hook into LDAP and change the LDAP password? Also, can I (and if so how do I) control groups (such as Bureaucrat and Sysop) in the LDAP db? — Timotab 16:40, 22 October 2007 (UTC)Reply

Glad to hear you got it working.

Yes, the password field in MediaWiki can change LDAP passwords, but you'll have to configure the plugin to have a user that is allowed to change passwords in LDAP (a little insecure); See Options for using LDAP as a user backend for more information. You can also control groups through LDAP; See Group options and Group synchronization.
--Ryan lane 22:40, 24 October 2007 (UTC)Reply

I want to authenticate against an LDAP server and have local accounts also. Auto creating users does not work for me. I'm using MediaWiki 1.9.3 en plugin version 1.11g. Are there other option in LocalSettings I have to set to make this work? This is the error I recieve:

Login error: There is no user by the name "xxxxxx". Check your spelling, or create a new account.

Here's (part of) my config:

$wgLDAPUseLocal = true;
$wgLDAPDisableAutoCreate = array("MyDomain"=>"false");
$wgMinimalPasswordLength = 1;
...

--Tkuipers 10:45, 26 October 2007 (UTC)Reply

I noticed I made a typo; 'false' is not a string so I changed it to

$wgLDAPDisableAutoCreate = array("MyDomain"=>false);

This gave me the following error, which is discussed earlier.

<password-change-forbidden>

Backtrace:

#0 /usr/share/mediawiki/includes/SpecialUserlogin.php(311): User->setPassword('xxxxxx')
#1 /usr/share/mediawiki/includes/SpecialUserlogin.php(352): LoginForm->initUser(Object(User))
#2 /usr/share/mediawiki/includes/SpecialUserlogin.php(407): LoginForm->authenticateUserData()
#3 /usr/share/mediawiki/includes/SpecialUserlogin.php(103): LoginForm->processLogin()
#4 /usr/share/mediawiki/includes/SpecialUserlogin.php(19): LoginForm->execute()
#5 /usr/share/mediawiki/includes/SpecialPage.php(625): wfSpecialUserlogin(NULL, Object(SpecialPage))
#6 /usr/share/mediawiki/includes/SpecialPage.php(431): SpecialPage->execute(NULL)
#7 /usr/share/mediawiki/includes/Wiki.php(182): SpecialPage::executePath(Object(Title))
#8 /usr/share/mediawiki/includes/Wiki.php(47): MediaWiki->initializeSpecialCases(Object(Title), Object(OutputPage), Object(WebRequest))
#9 /usr/share/mediawiki/index.php(48): MediaWiki->initialize(Object(Title), Object(OutputPage), Object(User), Object(WebRequest))
#10 {main}

--Tkuipers 10:51, 26 October 2007 (UTC)Reply

I upgraded to MediaWiki version 1.10.2 (in combination with LDAPAuthetication 1.11.g) because I didn't want to do all the patching by hand and got confused about the different solutions. Everything is working fine with stock versions.

--Tkuipers 10:56, 26 October 2007 (UTC)Reply

in most recent version (1.1g), there seems to be a bug creating the new userdn. Since the userdn seems to get prepended to the wgLDAPWriteLocation isn't a field separator (comma) necessary. I got an error from my ldap server without it, but when I added it, it seemed to work.

*** LdapAuthentication.php.save Mon Oct 29 10:55:38 2007
--- LdapAuthentication.php      Mon Oct 29 10:55:48 2007
***************
*** 799,805 ****
                                if ( isset( $wgLDAPWriteLocation[$_SESSION['wsDomain']] ) ) {
                                        $this->printDebug( "wgLDAPWriteLocation is set, using that", NONSENSITIVE );
                                        $userdn = $wgLDAPSearchAttributes[$_SESSION['wsDomain']] . "=" .
!                                               $username . $wgLDAPWriteLocation[$_SESSION['wsDomain']];
                                } else {
                                        $this->printDebug( "wgLDAPWriteLocation is not set, failing", NONSENSITIVE );
                                        //getSearchString will bind, but will not unbind
--- 799,805 ----
                                if ( isset( $wgLDAPWriteLocation[$_SESSION['wsDomain']] ) ) {
                                        $this->printDebug( "wgLDAPWriteLocation is set, using that", NONSENSITIVE );
                                        $userdn = $wgLDAPSearchAttributes[$_SESSION['wsDomain']] . "=" .
!                                               $username . "," . $wgLDAPWriteLocation[$_SESSION['wsDomain']];
                                } else {
                                        $this->printDebug( "wgLDAPWriteLocation is not set, failing", NONSENSITIVE );
                                        //getSearchString will bind, but will not unbind

Thanks for the bug report. I'll have this fixed in the next version.
--Ryan lane 21:40, 29 October 2007 (UTC)Reply

I have set the $wgLDAPDomainNames for a single domain with local set to false. I would like to remove this drop down from the login screen, is there a setting that I can use to remove the drop down, or would I have to modify the code for that page? Thank you.

You can hide this with CSS; edit MediaWiki:Common.css, and add the following:

#mw-user-domain-section {
    display: none !important;
}

I had everything working fine in mediawiki-1.9.4 (after following workaround). Installed from scratch 1.11 and it doesn't work anymore. The first time I login with the user I get following messages:

 Entering validDomain 
 User is using a valid domain.
 Setting domain as: exampleNonADDomain
 Entering getCanonicalName
 Username isn't empty.
 Munged username: Sow
 Entering userExists
 Entering authenticate
 Entering Connect
 Using TLS or not using encryption.
 Using servers: ldap://mydomain.com
 Connected successfully
 Entering getSearchString
 Doing a straight bind
 userdn is: uid=Sow,ou=People,dc=mydomain,dc=com
 Binding as the user
 Bound successfully
 Authentication passed
 Entering initUser
 Entering updateUser
 Entering modifyUITemplate

The second time I login there are such messages:

 Entering validDomain
 User is using a valid domain.
 Setting domain as: exampleNonADDomain
 Entering getCanonicalName
 Username isn't empty. 
 Munged username: Sow
 Entering modifyUITemplate

I know I use correct password. My LocalSettings.php (only end of it):

  $wgLogo = '';
  require_once 'LdapAuthentication.php';
  $wgAuth = new LdapAuthenticationPlugin();
  $wgLDAPDomainNames = array(
    'exampleNonADDomain' ,
  );
  $wgLDAPServerNames = array(
    'exampleNonADDomain' => 'mydomain.com',
  );
  $wgLDAPUseLocal = false;
  $wgLDAPAddLDAPUsers = false;
  $wgLDAPUpdateLDAP = false;
  $wgLDAPMailPassword = false;
  $wgLDAPSearchStrings = array(
    'exampleNonADDomain' => 'uid=USER-NAME,ou=People,dc=mydomain,dc=com',
  );
  $wgLDAPEncryptionType = array(
    'exampleNonADDomain' => 'clear',
  );
  $wgLDAPRetrievePrefs = true;
  $wgMinimalPasswordLength = 1;
  //FOR DEBUGGING ONLY
  $wgLDAPDebug = 8; //for debugging
  $wgShowExceptionDetails = true;  //for debugging MediaWiki

Is there anything I am missing??

What version of the plugin are you using?
--Ryan lane 17:51, 7 November 2007 (UTC)Reply

LdapAuthentication.php ver. 1.1g (seems to be the last one.
--mbronczyk 23:43, 8 November 2007 (UTC)Reply

First let's start by using the options correctly (obviously you've been reading other people's configuration options, against my advice):

Remove:

  $wgLDAPUseLocal = false;
  $wgLDAPAddLDAPUsers = false;
  $wgLDAPUpdateLDAP = false;
  $wgLDAPMailPassword = false;

As all of those are not even defined correctly, and if they were, false is generally the default for everything... Now, change:

  $wgLDAPRetrievePrefs = true;

to:

  $wgLDAPRetrievePrefs = array(
    'exampleNonADDomain' => true
    );

In fact, you should also try using false for that one, just in case, at first.
--Ryan lane 15:36, 9 November 2007 (UTC)Reply

Thanks for your help. The cause of the problem was using the same username and password. I am only testing in closed environment so didn't bother with real passwords. Should read all the comments more carefully before. Thanks for the plugin.
--mbronczyk 23:40, 12 November 2007 (UTC)Reply

I like to restict read/write support to certain pages or categories based on LDAP group members. Which Patch/Extension is supposed to work with this Extension? --TimHaegele 15:33, 11 November 2007 (UTC)Reply

I am trying to do the same thing, and what I've got set up is at login it queries the AD for all groups the user is a member of and stores them in the session variable. Then, I use one of the Page Security plugins and change the part where it looks for if the user is a member of a group to check the array of LDAP groups. I store it in the session variable because it takes a long time to search the whole LDAP structure every time it's used. Also, it doesn't create a billion Wiki groups that map to AD groups. If anyone has any critiques of this method, please let me know. --Danielha 14:42, 12 November 2007 (UTC)Reply

Apparently Extension:Group Based Access Control may. I added a patch in for them, so I'd imagine it works. Of course, I don't recommend any of these (for reasons why, read the top of that page, or the page of any of the access control plugins). Use a CMS, or a wiki that is designed for it.
--Ryan lane 19:41, 15 November 2007 (UTC)Reply

I am trying to setup my wiki to work with LDAP and only allow certain users access based on the group they are in. I have it so that it is authenticating against AD and binding successfully for users. When I put in the code to try and restrict it to specific groups, it will not authenticate anymore. The debug statements contain:

User is using a valid domain.
Setting domain as: LDAPNAME
Entering getCanonicalName
Username isn't empty.
Munged username: Sjordan
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://ldap.server.com:3268
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: sjordan@students.server.com
Binding as the user
Failed to bind as sjordan@students.server.com <-- if this fails, I try it again with sjordan@server.com which then binds successfully
Bound successfully
Entering getUserDN
Created a regular filter: (sAMAccountName=Sjordan)
Entering getBaseDN
basedn is not set for this type of entry, trying to get the default basedn.
Entering getBaseDN
basedn is DC=server,DC=com
Using base: DC=server,DC=com
Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
Pulled the user's DN: CN=sjordan,OU=Employees,DC=server,DC=com
Checking for (new style) group membership
Entering isMemberOfRequiredLdapGroup
Required groups:cn=* dept - information technology,ou=exchange distribution groups,dc=server,dc=com
Entering getUserGroups
Entering getGroups
Entering getBaseDN
basedn is not set for this type of entry, trying to get the default basedn.
Entering getBaseDN
basedn is DC=server,DC=com
Search string: (&(sAMAccountName=Sjordan)(objectclass=user))
Returned groups:cn=sjordan,ou=employees,dc=server,dc=com
Returned groups:
Couldn't find the user in any groups (2).
Entering strict.
Returning true in strict().
allowPasswordChange - Line 1
Entering modifyUITemplate

My local settings file contains:

require_once( "$IP/extensions/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDebug = 3;
$wgLDAPDomainNames = array("LDAPNAME");
$wgLDAPServerNames = array("LDAPNAME"=>"ldap.server.com:3268");
$wgLDAPUseLocal = false;
$wgLDAPEncryptionType = array("LDAPNAME"=>"clear");
$wgLDAPSearchStrings = array("LDAPNAME"=>"USER-NAME@students.server.com");
$wgLDAPSearchAttributes = array("LDAPNAME"=>"sAMAccountName");
$wgLDAPBaseDNs = array("LDAPNAME"=>"DC=server,DC=com");
$wgLDAPRequiredGroups = array("LDAPNAME"=>array("CN=* Dept - Information Technology,OU=Exchange Distribution Groups,DC=server,DC=com"));
$wgLDAPGroupAttribute = array("LDAPNAME"=>"sAMAccountName");
$wgLDAPGroupObjectclass = array("LDAPNAME"=>"user");
$wgLDAPGroupNameAttribute = array( "LDAPNAME"=>"group" );
$wgLDAPRetrievePrefs = array("LDAPNAME"=>true);
$wgShowExceptionDetails = true

i'm not sure why it is only showing that one group, when I look at memberOf using dsquery with the same filter, i'm receiving a lot more information. Thanks, Shane.

You are searching for users instead of groups. Try this:

$wgLDAPGroupAttribute = array("LDAPNAME"=>"member");
$wgLDAPGroupObjectclass = array("LDAPNAME"=>"group");
$wgLDAPGroupNameAttribute = array( "LDAPNAME"=>"cn" );

That should return groups instead of users.
--Ryan lane 16:10, 13 December 2007 (UTC)Reply

I made those changes, and it is still not returning any groups. Thanks, Shane

Recently i've successfully managed to implement LDAP authentification with local LDAP server, problem is that LDAP directory, for instance, doesn't have attribute displayName, but it has some other attribute to use instead of displayname. In the end i've hacked LdapAuthentication.php to suit my needs.

My proposition is to use an array to map predefined user prefrences variables (mail, preferredlanguage, ..) to their corresponding values in a LDAP directory, if that array is not defined then default mappings should be used. Is this doable? --Dodobas 14:37, 29 November 2007 (UTC)Reply

I've been wanting to add this for a while, and never got to it; I've added it to the todo list.
--Ryan lane 16:20, 13 December 2007 (UTC)Reply

Hi. We have an SSL LDAP server which uses a non-standard CA. Is there a way to turn off certificate checking? Failing that, where is the CA registry kept?

Thanks.

Simsong 05:54, 4 December 2007 (UTC)Reply

It depends on what type of OS your web server is on. If you are on a Linux system, you can define it in your /etc/openldap/ldap.conf file. If you want to turn off checking, you can set "TLS_REQCERT never". If you want to add your CA, you can add it to the same file via "TLS_CACERT <path to base64 encoded cert>" and/or "TLS_CACERTDIR <path to a directory of hash linked cert files>".
--Ryan lane 16:25, 13 December 2007 (UTC)Reply

I get this error with 1.1g:

PHP Notice:  Undefined offset:  0 in /var/www/html/itwiki/includes/LdapAuthentication.php on line 1149

It shows up in the browser at login. Once the login page redirects to the Main page, the error is gone and everything functions normally. I don't know if it's something in my config causing the trouble or not so i'll post it just in case (sanitized):

// Prevent users from creating accounts
$wgGroupPermissions['*']['createaccount'] = false;
// Block access to all pages except Login and Logout pages for users who are not logged in.
$wgWhitelistRead = array( "Special:Userlogin", "Special:Userlogout", "-", "MediaWiki:Monobook.css" );
$wgGroupPermissions['*']['read']= false;
// * This breaks access to other pages //  $wgGroupPermissions['user']['read']=false;
$wgShowIPinHeader = false;
// * Doesn't work as expected // $wgGroupPermissions['MY-GROUP'] = $wgGroupPermissions['sysop'];

// Load the LDAP module
require_once( 'LdapAuthentication.php' );

//Turn on debugging, 0-3
$wgLDAPDebug = 0;  //

// LDAP Settings
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "DOMAIN" );
$wgLDAPServerNames = array( "DOMAIN"=>"SERVER01.foo.com" );
$wgLDAPSearchStrings = array( "DOMAIN"=>"DOMAIN\USER-NAME" );
$wgLDAPEncryptionType = array( "DOMAIN"=>'clear' ); // this is needed in >= 1.1c
$wgMinimalPasswordLength = 1;
$wgLDAPRetrievePrefs = array( "DOMAIN"=>true,   ); // this is needed in >= 1.1c
$wgLDAPGroupUseFullDN = array( "DOMAIN"=>true );
$wgLDAPGroupObjectclass = array( "DOMAIN"=>"group" );
$wgLDAPGroupAttribute = array( "DOMAIN"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "DOMAIN"=>false );
$wgLDAPBaseDNs = array( "DOMAIN"=>"cn=MY-GROUP,ou=groups,dc=foo,dc=com" );
$wgLDAPSearchAttributes = array( "DOMAIN"=>"sAMAccountName" );
$wgShowExceptionDetails = true;

// Disallow the use of the local database (MySQL)
$wgLDAPUseLocal = false;

If anyone can tell me how to get rid of it, that would be great!

Your php configuration may have "display_errors = on" set. Set this to off (notice this is the secure thing to do anyway).

I do wonder about your configuration though... Why are you setting group options, if you aren't doing group syncronization, or group restriction? Also, notice that you should define "$wgLDAPSearchStrings" like this:

$wgLDAPSearchStrings = array( "DOMAIN"=>"DOMAIN\\USER-NAME" );

Notice the extra backslash. It is important. That may also fix your problem.

--Ryan lane 23:15, 22 January 2008 (UTC)Reply

To those who thought NetWare was dead, fear not! It took quite a bit of yelling at my company's 6.5 SP7 box, but I finally got it to run MediaWiki, and then to auth against eDirectory. But some changes to the LDAP Plugin are needed to drop the use of ldaps:// and actually pass a port number to the ldap_connect() call (This patch is a HACK!):

--- LdapAuthentication.orig.php	2007-12-08 22:30:08.000000000 -0500
+++ LdapAuthentication.php	2007-12-08 22:11:00.000000000 -0500
@@ -158,10 +158,12 @@ class LdapAuthenticationPlugin extends A
 			case "ssl":
 				$this->printDebug( "Using SSL", SENSITIVE );
 				$serverpre = "ldaps://";
+				$serverport = 636;
 				break;
 			default:
 				$this->printDebug( "Using TLS or not using encryption.", SENSITIVE );
 				$serverpre = "ldap://";
+				$serverport = 389;
 		}
 
 		//Make a space seperated list of server strings with the ldap:// or ldaps://
@@ -169,16 +171,16 @@ class LdapAuthenticationPlugin extends A
 		$servers = "";
 		$tmpservers = $wgLDAPServerNames[$_SESSION['wsDomain']];
 		$tok = strtok( $tmpservers, " " );
-		while ( $tok ) {
-			$servers = $servers . " " . $serverpre . $tok;
-			$tok = strtok( " " );
-		}
+		//while ( $tok ) {
+		//	$servers = $servers . " " . $serverpre . $tok;
+		//	$tok = strtok( " " );
+		//}
 		$servers = rtrim($servers);
 
 		$this->printDebug( "Using servers: $servers", SENSITIVE );
 
 		//Connect and set options
-		$ldapconn = @ldap_connect( $servers );
+		$ldapconn = @ldap_connect( $servers, $serverport );
 		ldap_set_option( $ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
 		ldap_set_option( $ldapconn, LDAP_OPT_REFERRALS, 0);
 

Sorry to hear you are stuck using netware ;).
--Ryan lane 16:47, 13 December 2007 (UTC)Reply

Hah, actually, I chose to stick with NetWare because I wasn't impressed with NSS support on Novell's OES1 iteration. The kernel module would randomly unload itself from memory, among other things, so I stayed with NetWare for this generation. Next upgrade we do will probably be all Linux. Besides, I kind of like NetWare....It's quirky and quite unique :)
--Kumba 01:48, 17 December 2007 (UTC)Reply

And I state this is a hack because I did this at 3am in the morning, and haven't touched PHP code really in-depth since 3.x, so doing anything more would probably be tricky. That stated, however, I think it'd be a nice addition to use the above as a template, and design a ports variable, say $wgLDAPServerPorts, which would take an array as an assignment wherein each array member represents an LDAP domain (or Novell Tree), and each domain is itself an array taking exactly two args: unencrypted server port and encrypted server port. That way, if $wgLDAPEncryptionType references ssl, then the secure port (def. 636) is used; else, unsecure (def. 389).

389 is default for tls or clear, 636 is default for SSL. PHP should be doing this for you. You should only have to specifically define the ports if you use something non-standard, which makes this patch a little redundant.
--Ryan lane 16:47, 13 December 2007 (UTC)Reply

Should, but wasn't. I don't know what the core problem was, but even with the plugin's debugging turned on, I wasn't getting anywhere until I made the modifications highlighted in the patch. Whether it's a NetWare-specific oddity or not, I'm unsure. The funny thing is, Apache using ldaps:// forms works fine. Of course, I also found that I wasn't granting browse rights for the CN attribute to the [Public] user at the root of my tree, which was breaking contextless logins as well. I may have to try again now that I got that fixed. As I saw this and the use of a proxy user as two different ways to get anonymous ldap browsing to work.
--Kumba 01:48, 17 December 2007 (UTC)Reply

Some interesting side-effects and other notes:

• WikiSysop doesn't need to exist in eDirectory. Even though the bind against ldap fails, I guess if WikiSysop is in the local database, it somehow gets a non-zero result (or whatever result is being checked) returned and lets it log in. Cancel that, it was something weird in my config causing that. I wound up adding the Wikisysop user to my eDirectory tree in a top-level OU of its own, and creating a second "admin" domain specifically for the sysop login (I may put other wiki-specific users here, like bureaucrats and such), as my regular users are isolated in another top-level OU and need to stay separate.
  • You don't really need to add the wiki-specific users. I don't use any of those users personally, just create a regular user, turn off the plugin, promote the user, and turn the plugin back on. After that point, you won't need the default users ever again. You could also configure the plugin to pull groups from LDAP, and assign the proper permissions to certain groups. If you do that, you don't even have to do the more annoying stuff I mentioned previously.
    --Ryan lane 16:47, 13 December 2007 (UTC)Reply
    • Yeah, all I have for now is just the wikisysop user in eDirectory. I may do what you suggest down the road and create a admin-level group in eDir and have my -admin domain auth against that to determine what users get what rights. For a first run at setting up Wiki software, I'll probably stay with this until me and our DBA can get some content added, then start playing with it some more.
      --Kumba 01:48, 17 December 2007 (UTC)Reply
• Users don't have much of an ability to update stuff. Granted, I'm being pretty strict on allowing any change to flow back up into eDirectory, but I'd think it'd be possible for Wiki to be a little more flexible in this area. Like say, adding the user to the local database if not already present BUT not using the database as an authenticator (I don't think $wgLDAPUseLocal and $wgLDAPAddLDAPUsers control it like this; it's either one or the other, not the mix I suggest), only to store preferences. Not sure if this capability is present, as I only started playing with this yesterday, but I'd prefer this over a schema update and storing all the data in eDirectory itself.
  • This is what the plugin does by default. If a user doesn't exist in the database, it gets added automatically when they first login. Any preference they change is saved in the database. Any preferences pulled from LDAP automatically overwrite any locally set preferences.
    --Ryan lane 16:47, 13 December 2007 (UTC)Reply
    • Well, when I tried updating someone's user profile data, I get an error back stating that I'm authing against an external database and preference saving isn't allowed. Either I have a variable disabled that shouldn't be, or it's because I'm communicating with eDirectory instead of a more normal LDAP implementation, like AD.
      --Kumba 01:48, 17 December 2007 (UTC)Reply
• If someone's up to it, writing an Identity Manager driver for MediaWiki would completely work around this.
• If you're a touch old-fashioned, and like using all lowercase names in eDirectory, then make sure to use $wgLDAPLowerCaseUsername. It'll save some headaches, as eDirectory seems to be rather case sensitive on the DNs.
• Novell actually has a wiki entry on their site for auth'ing MW against eDirectory, using this very plugin. But I suspect it's a bit dated: http://wiki.novell.com/index.php/Using_eDirectory_to_control_access_to_MediaWiki
  • I'm sure it probably is outdated. I'm not a big fan of people writing documentation in other places for this plugin, but I don't complain about that documentation since I'm able to update it myself. (if you look through the history, you'll notice I've updated it on occasion)
    --Ryan lane 16:47, 13 December 2007 (UTC)Reply
• On NetWare, you'll need to export your server's self-signed certificate via ConsoleOne (iManager may do this too) and place it into SYS:\PHP5\CERT (or wherever you have PHP), then restart Apache2 (AP2WEBDN, AP2WEBUP) so that PHP re-scans the cert folder and notes the new cert. Export it in DER format, and do NOT include the private key. The cert is in the Security container at the top of the tree, in the CA object (if my memory is correct).
• Updated Apache, PHP, and MySQL binaries can be found at http://www.gknw.net/. I advise visiting the forums too -- Günter is very helpful and knows lots about running this wacky setup on NetWare.
• MySQL 5.0.45 has a bug in mysql_install_db, btw, so get 5.0.27 and copy the two *.sql scripts from the bin folder to 5.0.45's bin folder before running it.

Anyways, that's all I can think of for now. I'll add more if I discover something.

--Kumba 22:15, 9 December 2007 (UTC)Reply

Hi there... I bet this is a known 'issue', but i am reporting it anyways since that feature would be VERY useful in our environment here...
The Problem: we use nested groups here, for example: (((qa-north + qa-south) = qa ) + prog-dept = tech) ...
Now we want to let all people of tech edit the wiki. At the moment we have to add ALL users of all the other groups to another virtual wiki access group (or tech directly) and then allow tech with $wgGroupPermissions to access various functions. Would it be possible (and clean to implement) to add a feature to add a wiki user to all the nested groups a user is in? (namely in this example tech, qa, and qa-north if a user is in qa-north)
This feature would be VERY appreciated.
--ThomasGruber 13:32, 8 January 2008 (UTC)Reply

Yeah, this is a known issue. The reason this doesn't work is because my nested group code was written for group restriction, and for performance sake, the code stops searching ldap for higher nestings when it finds a required group. I'll need to rework the code for this to work. I'll put it on my todo list, but lately I've been very busy with other projects.
--Ryan lane 16:19, 9 January 2008 (UTC)Reply

Just had the same problem. Quick (and dirty) patching (against latest version) was to do the following:

• add " var $nested_group_found; " in the global variables declaration,
• add " global $nested_group_found; " at the beginning of the "authenticate" function,
• in the same function as above, right after fetching User's groups (that makes line 394), add this line:

array_push($this->userLDAPGroups,substr($nested_group_found,3,strpos($nested_group_found,",")-3));

(here I use 3 because group name starts with "cn=..."

• and finally, in the function that searches for the nested group, when it is found (line 1256), add:

$nested_group_found = $checkme;

As I said quite dirty. This works if the User is in only one of the groups you are looking for because as Ryan said, the code stops after finding the first one. But at least you can use this nested group for access control...
Guimou

I am trying to setup my wiki to work with LDAP and only allow certain users access based on the group they are in. I have it so that it is authenticating against AD and binding successfully for users. When I put in the code to try and restrict it to specific groups, it will not authenticate anymore. The debug statements contain:

 Entering validDomain
 User is using a valid domain.
 Setting domain as: ABC
 Entering getCanonicalName
 Username isn't empty.
 Munged username: Mohanc
 Entering authenticate
 Entering Connect
 Using TLS or not using encryption.
 Using servers: ldap://ad.abc.com
 Connected successfully
 Entering getSearchString
 Doing a straight bind
 userdn is: ARRK\Mohanc
 Binding as the user
 Bound successfully
 Entering getUserDN
 Created a regular filter: (sAMAccountName=Mohanc)
 Entering getBaseDN
 basedn is not set for this type of entry, trying to get the default basedn.
 Entering getBaseDN
 basedn is DC=abc, DC=com
 Using base: DC=abc, DC=com
 Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
 Pulled the user's DN: CN=MohanC,OU=LVL,OU=Users,OU=AIN,DC=abc,DC=com
 Checking for (new style) group membership
 Entering isMemberOfRequiredLdapGroup
 Warning: implode() [function.implode]: Bad arguments. in C:\wamp\www\wiki\extensions\LdapAuthentication.php on line 1185
 Required groups:
 Entering getUserGroups
 Entering getGroups
 Entering getBaseDN
 basedn is not set for this type of entry, trying to get the default basedn.
 Entering getBaseDN
 basedn is DC=abc, DC=com
 Search string: (&(member=CN=MohanC,OU=LVL,OU=Users,OU=AIN,DC=abc,DC=com)(objectclass=group))
 Returned groups:cn=developers,cn=users,dc=abc,dc=com,cn=rac group,cn=users,dc=abc,dc=com
 Returned groups:developers,rac group
 Warning: in_array() [function.in-array]: Wrong datatype for second argument in C:\wamp\www\wiki\extensions\LdapAuthentication.php on line 1200
 Warning: in_array() [function.in-array]: Wrong datatype for second argument in C:\wamp\www\wiki\extensions\LdapAuthentication.php on line 1200
 Couldn't find the user in any groups (2).
 Entering strict.
 Returning true in strict().
 Entering modifyUITemplate

However, If you see above it do return the groups for the user but still it won't authenticate the user. Also, when I enable the group based restriction there are some PHP related warnings.

My local settings file contains:

 #LDAP Auth Start
 require_once 'extensions/LdapAuthentication.php';
 $wgAuth = new LdapAuthenticationPlugin();
 $wgLDAPDomainNames = array('abc');
 $wgLDAPServerNames = array('abc' => 'ad.abc.com');
 $wgLDAPSearchStrings = array( 'abc' => 'ABC\\USER-NAME');
 $wgLDAPEncryptionType = array( 'abc' => 'clear');
 $wgLDAPUseLocal = false;
 $wgMinimalPasswordLength = 8;
 $wgLDAPBaseDNs = array( 'abc' => 'DC=abc, DC=com');
 $wgLDAPSearchAttributes = array( 'abc' => 'sAMAccountName');
 #GROUPS
 $wgLDAPRequiredGroups = array('abc' => 'ou=groups, dc=abc, dc=com');
 $wgLDAPGroupUseFullDN = array( 'abc'=> true);
 $wgLDAPGroupObjectclass = array('abc' => 'group');
 $wgLDAPGroupAttribute = array('abc' => 'member');
 $wgLDAPGroupSearchNestedGroups = array('abc' => false);
 $wgLDAPGroupNameAttribute = array( 'abc'=>'cn' );
 #Debug Purpose only
 $wgLDAPDebug = 99;
 #LDAP Auth Ends

I am using MediaWiki 1.6.10 and LdapAuthentication 1.1g.

Please advice.

Regards,

Mohan

Notice that:

$wgLDAPRequiredGroups = array('abc' => 'ou=groups, dc=abc, dc=com');

should be an array of arrays, and it should list specific groups, not an ou. An example would be:

$wgLDAPRequiredGroups = array('abc' => array( 'cn=wikiadmins, ou=groups, dc=abc, dc=com', 'cn=wikiusers, ou=groups, dc=abc, dc=com' ) );

--Ryan lane 23:09, 22 January 2008 (UTC)Reply

function allowPasswordChange() (line 586 of LDAPAuthentication.php) doesn't predefine these variables to a base case so depending on flow of execution through the function they are either undefined or set when tested. They should be set to something say "false" at the top of the function.

I'm assuming this is fixed? I'm checking to see if they are set or not. They don't need a base case. If they aren't defined, then it is the same as if they are turned off.
--Ryan lane 21:51, 16 August 2008 (UTC)Reply

I'm using MediaWiki 1.9.3 and Ldapauthentication 1.1g

My LocalSettings.php

// LDAP Add
require_once( "includes/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames      = array( "MI" );
$wgLDAPServerNames      = array( "MI"=>"ql1dc5.mi.corp.rockfin.com" );
$wgLDAPUseLocal         = false;
$wgLDAPEncryptionType = array( "MI"=>"tls" );
$wgLDAPSearchStrings = array( "MI"=>"MI\\USER-NAME" );
$wgMinimalPasswordLength= 1;
$wgLDAPRetrievePrefs    = true;
$wgLDAPUpdateLDAP       = false;
$wgLDAPAddLDAPUsers     = false;
$wgLDAPDebug=3;
$wgLDAPLowerCaseUsername = array("MI"=>true);
$wgLDAPGroupUseRetrievedUsername = array("MI"=>false);
$wgLDAPGroupBaseDNs = array("MI"=>"dc=mi,dc=corp,dc=rockfin,dc=com");
$wgLDAPUserBaseDNs = array("MI"=>"dc=mi,dc=corp,dc=rockfin,dc=com");
# AD Group Stuff
$wgLDAPRequiredGroups = array( "MI"=>array("cn=it team wmd,ou=restricted,ou=distribution groups,ou=groups,dc=mi,dc=corp,dc=rockfin,dc=com") );
$wgLDAPGroupUseFullDN = array( "MI"=>true );
$wgLDAPGroupObjectclass = array( "MI"=>"group" );
$wgLDAPGroupAttribute = array( "MI"=>"member");
$wgLDAPGroupSearchNestedGroups = array( "MI"=>true );
$wgLDAPGroupNameAttribute = array( "MI"=>"cn" );
$wgLDAPBaseDNs = array("MI"=>"dc=mi,dc=corp,dc=rockfin,dc=com");
$wgLDAPSearchAttributes = array("MI"=>"samaccountname");
// End LDAP

It authenticates the user correctly but craps out on the groups.

Entering validDomain
User is using a valid domain
Entering getCanonicalName
Munged username: Jmcdonald
Entering Connect
Entering Connect
Using servers: ldap://ql1dc5.mi.corp.rockfin.com
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: MI\Jmcdonald
Binding as the user
Binded successfully
Checking for (new style) group membership
Entering isMemberOfRequiredLdapGroup
Required groups:cn=it team wmd,ou=restricted,ou=distribution groups,ou=groups,dc=mi,dc=corp,dc=rockfin,dc=com
Entering getGroups
Search string: (&(member=MI\Jmcdonald)(objectclass=group))
Warning: ldap_get_entries(): supplied argument is not a valid ldap result resource in /var/www/wikitest.mi.corp.rockfin.com/htdocs/includes/LdapAuthentication.php on line 857
Warning: array_shift() [function.array-shift]: The argument should be an array in /var/www/wikitest.mi.corp.rockfin.com/htdocs/includes/LdapAuthentication.php on line 860
Warning: Invalid argument supplied for foreach() in  /var/www/wikitest.mi.corp.rockfin.com/htdocs/includes/LdapAuthentication.php on line 863
Returned groups:
Couldn't find the user in any groups (1).

The search string should be McDonald\, Joe, etc... (distinguishedName)

Remove the following:

$wgLDAPUpdateLDAP       = false;
$wgLDAPAddLDAPUsers     = false;
$wgLDAPLowerCaseUsername = array("MI"=>true);
$wgLDAPGroupBaseDNs = array("MI"=>"dc=mi,dc=corp,dc=rockfin,dc=com");
$wgLDAPUserBaseDNs = array("MI"=>"dc=mi,dc=corp,dc=rockfin,dc=com");

And set these options:

$wgLDAPRetrievePrefs    = array("MI"=>true); # nearly all options use the array syntax
$wgLDAPGroupUseRetrievedUsername = array("MI"=>true);

Notice that you are using AD-style straight binding. To search for a user in a group, you can't use the AD-style syntax, and instead have to use the user's full DN. When the plugin binds as the user, it will only get the user's full DN if you set "$wgLDAPGroupUseRetrievedUsername". Also, there shouldn't be a reason to lowercase the user's login. AD generally doesn't care so much about case. If you are still having issues, you can try adding that back in.

--Ryan lane 15:44, 7 February 2008 (UTC)Reply

Thanks for the help. I made the corrections but it still didn't work. I modified the $wgLDAPEncryptionType to clear and everything worked (I tried both ssl and tls.)

--jmcdonald 10:43, 8 February 2008

You likely have an issue with your SSL trust; or, you may not have an SSL certificate installed on your AD server.
--Ryan lane 17:05, 19 February 2008 (UTC)Reply

I have done like this and got it working. I also took a look at how to add new admin-user. But where should I add that user? To ldap-server or to Localsettings.php?

--ThaFox 15:46, 18 November 2008

Hi, Like a few other I am also trying to set up group based permissions for my wiki. I started with adding LDAP authentication for n entire domain and that worked just fine.

Now I am trying to restrict access to only a group and am not bale to do it right.

these are my settings...

require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array("abc");
$wgLDAPServerNames = array("abc"=>"abc.xyz.com");
$wgLDAPEncryptionType = array("abc"=>"clear");
$wgLDAPSearchAttributes = array("abc"=>"sAMAccountName");
$wgLDAPBaseDNs = array("abc"=>"dc=abc,dc=xyz,dc=com");
$wgLDAPSearchStrings = array("abc"=>"abc\\USER-NAME");
$wgLDAPRetrievePrefs = array("abc"=>true);
$wgMinimalPasswordLength = 1;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['user']['edit'] = true;
$wgGroupPermissions['*']['createaccount'] = false;
It does not work even if these 2 are commented
$wgLDAPAddLDAPUsers = false;
$wgLDAPUpdateLDAP = false;

Group Permissions

$wgLDAPGroupUseFullDN = array("abc"=>true );

$wgLDAPGroupUseRetrievedUsername = array("abc"=>true );

$wgLDAPGroupObjectclass = array("abc"=>"group");

$wgLDAPGroupAttribute = array("abc"=>"member");

$wgLDAPGroupNameAttribute = array("abc"=>"sAMAccountName");

$wgLDAPRequiredGroups = array(
   "abc"=>array(
     "cn=gp_developers,cn=gp_groups,ou=Groups,ou=Lins,dc=abc,dc=xyz,dc=com",
        
     )
 );  (The normal domain based authentication works when this part is commented out..so I ma assuming there's a problem here..but I do not know what)

$wgLDAPGroupSearchNestedGroups = array("abc"=>false);

I have the LDAPAuth...php version 1.1g, PHP version 5.2 and apache 2.2. Do I need any other extension for Group based restriction to work?

Any help will be highly appreciated.

Thanks

cn=...,cn=.. doesn't look like a valid name to me. Is gp_groups an OU? --213.182.148.34 11:49, 27 February 2008 (UTC)Reply

Hi all... I'm in a situation where I can authenticate users via LDAP, but there are no appropriate LDAP groups which match the subset of users that I want to authorise for access to the wiki. What I need is for users to be authenticated by the LDAP extension, and then the logon should be rejected if their username does not appear in the white-list file. Does this sound possible? I'd be happy to jump in and make PHP changes myself, if someone could point me in the right direction. - Borofkin 04:27, 18 February 2008 (UTC)Reply

Don't worry -- this has turned out to be a dead-easy modification. - Borofkin 05:58, 18 February 2008 (UTC)Reply

You may be able to do this without modifying the code if you are using a search based configuration, by doing the following:

//Require the following additional search string.
$wgLDAPAuthAttribute = array(
  "yourDomain"=>"!(|(uid=user1)(uid=user2)(uid=user3)(uid=...))"
  );

--Ryan lane 17:03, 19 February 2008 (UTC)Reply

Hello, I have my wiki setup to authenticate against AD. I would also like to set it up to check and see if the username is in a local list before allowing them access. I am willing to place all the names in an array and then check against the array. Or, place the users in the table and then only allow the user to authenticate if they are in the table. Any help would be great. Thanks, Shane

I have created an array of usernames and then a loop to check the user against that array, I placed this the getCanonicalName function. This is placed directly after the if statement to see if the username is not blank:

 $LDAPallowedUsers = array("sjordan", "ebock", "ereger", "djoseph2", "ntennant", "jfarley1", "jraisovich", "araisovich"); 
 $num_users = 0;
 foreach($LDAPallowedUsers as $num=>$users){ 
   $matches = strcmp(strtolower($users), strtolower($username)); 
   if($matches == 0){ 
     $num_users++;
   }
 } 
 if($num_users == 0){
   return 'XXYYXX';
 } 

This probably isn't the best way, since it still goes and does a check for XXYYXX user in the domain, but it is working. I wanted to define my array in the LocalSetting.php file, but when I try to do this, it causes the wiki to generate blank pages. Anyone know what I have to do to create the array in LocalSettings? - Shane

I recommend restricting by AD groups instead. Notice, however, this is the same question that was asked above. Also, in response to the code posted as a solution: it'll work, but it probably a better idea to put this in the authenticate() function, somewhere close to the top.
--Ryan lane 18:28, 3 March 2008 (UTC)Reply

I have tried a slight change which seems to accomplish what you are mentioning. I put a global variable $wgLDAPAllowedUsers in the authenticate function and added a statement just below the debug statement also in the authenticate function

global $wgLDAPAllowedUsers
.
.
.
if (!in_array(strtolower($username), $wgLDAPAllowedUsers)) {
   return false;
}

Then in LocalSettings.php I can put in the array of users I want.

$LDAPallowedUsers = array("sjordan", "ebock", "ereger", "djoseph2", "ntennant", "jfarley1", "jraisovich", "araisovich"); 

[[Rbarton 15:26, 23 September 2008 (UTC)]]Reply

We have a Mediawiki 1.11 with the "LDAP Authentication Extension" installed. It works with an AD server flawlessly.

As we have several Wikis working in a Wiki family it would be great to authenticate once for all the wikis in the family. Otherwise one has to authenticate for each Wiki individually. The entire Wiki Family is running under the same domain.

Is there a way to tweak, hack or extend the environment so one can login once for several Wikis? I guess one has to fiddle with the user_token cookie. But I couldn't really find information about the process. Any help is highly appreciated. Thank you.

I haven't looked into this much. You may want to look at how they plan on doing this with SSO for wikipedia. I believe this is the extension in question.
--Ryan lane 18:25, 3 March 2008 (UTC)Reply

Thank you for the hint. CentralAuth is a SUL (Single User Login) effort. Dealing with the problem of people having accounts with different user names for different wikis. Thus it is about merging users. Single Sign On among Wikis may happen at a later point in time, is stated on the project pages.

The OpenID Extension is doing a Single Sign On though it doesn't make sense when you've got AD or LDAP...

Now that you point that out, it looks like you are completely right. No SSO, just merging as of now. OpenID/Shibboleth/WebSSO/Federation, and other approaches do SSO by authenticating in one spot, and passing an authentication token to all sites. This isn't the kind of thing that can be done with regular web authentication. You may want to look at using Federation (aka Shibboleth aka WebSSO). Federated authentication works along side LDAP authentication, and in many cases is simply an add-on to another product you are already using. You may want to take a look at Sun's suite of products (Sun Directory Server, Sun Access Manager), as they are free for use unless you want support. Access manager does SSO. You may also want to look at Atlassian's crowd authentication. There is already a MediaWiki plugin available for crowd auth.
--Ryan lane 19:33, 14 March 2008 (UTC)Reply

Is there any configuration option that when a user logs in for the first time, the E-Mail-Adress is automatically copied to the wiki database?

$wgLDAPRetrievePrefs = array( "domainname"=>true );

This will pull the "mail", "preferredLanguage", "displayName", and "cn" attributes from the user's LDAP entry, if available, and populate the wiki database with those values. If you need to change the attributes, you'll have to do it manually in the code for now. A more customizable way of doing this is on the todo list for the next release.
--Ryan lane 18:23, 3 March 2008 (UTC)Reply

I am trying to setup my wiki to work with LDAP and only allow certain users access based on the group they are in. I have it so that it is authenticating against LDAP and binding successfully for users. When I put in the code to try and restrict it to specific groups, it will not authenticate anymore. The debug statements contain:

 Entering validDomain
 Entering validDomain
 User is using a valid domain.
 Setting domain as: ARRK
 Entering getCanonicalName
 Username isn't empty.
 Munged username: Rajeshmr
 Entering authenticate
 Entering Connect
 Using TLS or not using encryption.
 Using servers:  ldap://127.0.0.1
 Connected successfully
 Entering getSearchString
 Doing an anonymous bind
 Entering getUserDN
 Created a regular filter: (uid=Rajeshmr)
 Entering getBaseDN
 basedn is not set for this type of entry, trying to get the default basedn.
 Entering getBaseDN
 basedn is DC=arrkgroup, DC=com
 Using base: DC=arrkgroup, DC=com
 Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
 userdn is: uid=rajeshmr,ou=People,dc=example,dc=com
 Binding as the user
 Bound successfully
 Checking for (new style) group membership
 Entering isMemberOfRequiredLdapGroup
 Required groups:cn=arrk, ou=group,  dc=example, dc=com
 Entering getUserGroups
 Entering getGroups
 Entering getBaseDN
 basedn is not set for this type of entry, trying to get the default basedn.
 Entering getBaseDN
 basedn is DC=example, DC=com
 Search string: (&(memberuid=Rajeshmr)(objectclass=posixgroup))
 Returned groups:cn=arrk,ou=group,dc=example,dc=com
 Returned groups:arrk
 Couldn't find the user in any groups (2).
 Entering strict.
 Returning true in strict().
 Entering modifyUITemplate

However, If you see above it do return the groups for the user but still it won't authenticate the user.

My local settings file contains:

 #LDAP Auth Start
 require_once 'extensions/LdapAuthentication.php';
 $wgAuth = new LdapAuthenticationPlugin();
 $wgLDAPDomainNames = array('ARRK');
 $wgLDAPServerNames = array('ARRK' => '127.0.0.1');
 #$wgLDAPSearchStrings = array( 'ARRK' => 'uid=USER-NAME,ou=people,dc=example,dc=com');
 $wgLDAPSearchAttributes = array( 'ARRK' => 'uid');
 $wgLDAPBaseDNs = array( 'ARRK' => 'DC=example, DC=com');
 $wgLDAPEncryptionType = array( 'ARRK' => 'clear');
 $wgLDAPUseLocal = false;
 $wgMinimalPasswordLength = 1;
 $wgLDAPRequiredGroups = array('ARRK'=>array('cn=arrk, ou=group,  dc=example, dc=com'));
 $wgLDAPGroupUseFullDN = array( 'ARRK'=>false);
 $wgLDAPGroupLowerCaseUsername = true;
 $wgLDAPGroupObjectclass = array('ARRK' => 'posixgroup');
 $wgLDAPGroupAttribute = array('ARRK' => 'memberuid');
 $wgLDAPGroupSearchNestedGroups = array('ARRK' => false);
 $wgLDAPGroupNameAttribute = array( 'ARRK'=>'cn' );
 $wgLDAPDebug = 9;
 #LDAP Auth Ends

I am using MediaWiki 1.6.10 and LdapAuthentication 1.1g.

Please advice.

Regards, Rajesh

You may notice that the group being returned is "cn=arrk,ou=group,dc=example,dc=com", and the group you are requiring is "cn=arrk, ou=group, dc=example, dc=com". Take the spaces out of the group you are requiring.
--Ryan lane 19:24, 14 March 2008 (UTC)Reply

I stumbled over the same problem today. Maybe the issue should be mentioned on the main page. (Btw, you do a great job, Ryan)
--TimPe 2008-05-21

First of all thanks for the great work!

I want to authenticate with LDAP and synchronize then these Groups with my local Database. For testing i setted up a Domaincontroller with the Domain "Streichelzoo.de" and I created for example a User "Test2" who is in 2 Groups "asdf" and "Testgruppe". These Groups i get wonderfully displayed at the Debug Mode in "Returned Groups" but not in Effective Groups. Here is the Debug:

  Setting domain as: Streichelzoo
  Entering getCanonicalName
  Username isn't empty.
  Munged username: Test2
  Entering authenticate
  Entering Connect
  Using TLS or not using encryption.
  Using servers: ldap://admin.streichelzoo.de
  Connected successfully
  Lowercasing the username: Test2
  Entering getSearchString
  Doing a straight bind
  userdn is: Streichelzoo\test2
  Binding as the user
  Bound successfully
  Entering getUserDN
  Created a regular filter: (sAMAccountName=test2)
  Entering getBaseDN
  basedn is not set for this type of entry, trying to get the default basedn.
  Entering getBaseDN
  basedn is dc=streichelzoo,dc=de
  Using base: dc=streichelzoo,dc=de
  Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the          SetUsernameAttributeFromLDAP hook defined.
  Pulled the user's DN: CN=Test2,CN=Users,DC=streichelzoo,DC=de
  Retrieving LDAP group membership
  Entering getUserGroups
  Entering getGroups
  Entering getBaseDN
  basedn is not set for this type of entry, trying to get the default basedn.
  Entering getBaseDN
  basedn is dc=streichelzoo,dc=de
  Search string: (&(member=CN=Test2,CN=Users,DC=streichelzoo,DC=de)(objectclass=group))
  Returned groups:cn=asdf,cn=users,dc=streichelzoo,dc=de,cn=testgruppe,cn=users,dc=streichelzoo,dc=de
  Returned groups:asdf,testgruppe
  Entering getAllGroups
  Entering getGroups
  Entering getBaseDN
  basedn is not set for this type of entry, trying to get the default basedn.
  Entering getBaseDN
  basedn is dc=streichelzoo,dc=de
  Search string: (&(member=*)(objectclass=group))
  Returned groups:cn=hilfedienstgruppe,cn=users,dc=streichelzoo,dc=de,cn=administratoren,cn=builtin,dc=streichelzoo,dc=de,cn=   benutzer,cn=builtin,dc=streichelzoo,dc=de,cn=g㤳te,cn=builtin,dc=streichelzoo,dc=de,cn=leistungsprotokollbenutzer,cn=builtin,dc=   streichelzoo,dc=de,cn=schema-admins,cn=users,dc=streichelzoo,dc=de,cn=organisations-admins,cn=users,dc=streichelzoo,dc=de,cn=dom㤮en   -admins,cn=users,dc=streichelzoo,dc=de,cn=richtlinien-ersteller-besitzer,cn=users,dc=streichelzoo,dc=de,cn=pr㤭windows 2000    kompatibler    zugriff,cn=builtin,dc=streichelzoo,dc=de,cn=windows-autorisierungszugriffsgruppe,cn=builtin,dc=streichelzoo,dc=de,cn=wikiuser,cn=users,dc=streichelzoo,dc=de,cn=wikiadmins,cn=users,dc=streichelzoo,dc=de,cn=asdf,cn=users,dc=streichelzoo,dc=de,cn=haus,cn=users,dc=streichelzoo,dc=de,cn=testgruppe,cn=users,dc=streichelzoo,dc=de
  Returned groups:hilfedienstgruppe,administratoren,benutzer,g㤳te,leistungsprotokollbenutzer,schema-admins,organisations-admins,dom㤮en-admins,richtlinien-ersteller-besitzer,pr㤭windows 2000 kompatibler zugriff,windows-autorisierungszugriffsgruppe,wikiuser,wikiadmins,asdf,haus,testgruppe
  Authentication passed
  Entering updateUser
  Setting user groups.
  Entering setGroups.
  Locally managed groups: bot,sysop,bureaucrat,
  Adding all groups to wgGroupPermissions: hilfedienstgruppe,administratoren,benutzer,g㤳te,leistungsprotokollbenutzer,schema-admins,      organisations-admins,dom㤮en-admins,richtlinien-ersteller-besitzer,pr㤭windows 2000 kompatibler    zugriff,windows-autorisierungszugriffsgruppe,wikiuser,wikiadmins,asdf,haus,testgruppe
  Available groups are: Administrator,bot,sysop,bureaucrat,WikiAdmins
  Effective groups are: dom㤮en-benutze,*,user,autoconfirmed
  Checking to see if user is in: Administrator
  Entering hasLDAPGroup
  Checking to see if user is in: bot
  Entering hasLDAPGroup
  Checking to see if user is in: sysop
  Entering hasLDAPGroup
  Checking to see if user is in: bureaucrat
  Entering hasLDAPGroup
  Checking to see if user is in: WikiAdmins
  Entering hasLDAPGroup
  Saving user settings.

Here are my Settings in the LocalSettings.php

  require_once 'extensions/LdapAuthentication.php';
  $wgAuth = new LdapAuthenticationPlugin();
  #$wgLDAPBaseDNs = "streichelzoo";
  $wgLDAPBaseDNs = array('Streichelzoo'=>'dc=streichelzoo,dc=de');
  $wgLDAPDomainNames = array('Streichelzoo');
  $wgLDAPServerNames = array('Streichelzoo' => 'admin.streichelzoo.de');
  $wgLDAPSearchStrings = array('Streichelzoo' => 'Streichelzoo\\USER-NAME');
  $wgLDAPEncryptionType = array('Streichelzoo' => 'clear');
  $wgLDAPUseLocal = false;
  $wgMinimalPasswordLength = 1;
  $wgLDAPGroupUseFullDN = array("Streichelzoo"=>true);
  $wgLDAPLowerCaseUsername = array("Streichelzoo"=>true);
  $wgLDAPGroupObjectclass = array("Streichelzoo"=>"group");
  $wgLDAPGroupAttribute = array("Streichelzoo"=>"member");
  $wgLDAPGroupNameAttribute = array( "Streichelzoo"=>"cn" );
  $wgLDAPUseLDAPGroups = array("Streichelzoo"=>"true");
  $wgLDAPLocallyManagedGroups = array("Streichelzoo"=>array( "" ));
  $wgLDAPGroupsPrevail = array("Streichelzoo"=>true);
  $wgLDAPGroupSearchNestedGroups = array("streichelzoo"=>true);
  $wgLDAPSearchAttributes = array( "Streichelzoo"=>"sAMAccountName" );

Is something wrong here? I have no more idea what i could do...

Greets Franz

Groups only get modified if they are set in $wgGroupPermissions in LocalSettings.php; this is a MediaWiki-ism. Once you assign the groups rights, they'll show up.
--Ryan lane 14:23, 28 March 2008 (UTC)Reply

When LdapAuthenticationPlugin::getSearchString() returns an empty string and smartcard auth is not used, the search is performed, but returns a result on my setup:

$entry = Array
(
    [count] => 1
    [0] => Array
        (
            [objectclass] => Array
                (
                    [count] => 2
                    [0] => top
                    [1] => OpenLDAProotDSE
                )
            [0] => objectclass
            [count] => 1
            [dn] => 
        )
)

My quick and dirty solution is to change: (LdapAuthenticationPlugin.php@112)

//Search for the entry.
	$entry = @ldap_read( $ldapconn, $searchstring, "objectclass=*" );

to:

//Search for the entry.
if ( $searchstring != '' )
	$entry = @ldap_read( $ldapconn, $searchstring, "objectclass=*" );

This gives me the correct behaviour.

...and just for completeness, I'm using version 1.1g on Debian and not using the smartcard stuff, if that helps.

83.67.10.100

Thanks for the patch, I'll add this in the next version.
--Ryan lane 22:26, 24 April 2008 (UTC)Reply

When you have LDAP issues (be they configuration or otherwise,) the user accounts are written into the database regardless of whether they were written into the LDAP directory successfully. Ideally, this should be transactional. When developing my configuration I had to keep hacking out the wiki users from the MySQL tables.

83.67.10.100

I'll put this on my (ever increasing, hasn't decreased in a while) todo list; thanks for the report!
--Ryan lane 22:25, 24 April 2008 (UTC)Reply

I just looked into this, and I can't replicate this problem. Can you please provide me a more detailed problem report? Please provide MediaWiki version, Ldap plugim version, in what circumstance users are being added to the local database, and not in LDAP, how the LDAP configuration was incorrect in this situation, and anything else that may be applicable. I also looked at the code and can't see a situation in which this would be possible.
--Ryan lane 18:23, 2 January 2009 (UTC)Reply

Hello -

For about an hour, I had the LDAP Authentication working successfully.

Now I have an issue with authentication. After all was working, I reset the machine address for a static address for this linux server,and rebooted. I tried to authenticate, and now receive this debug error:

Entering validDomain
User is using a valid domain.
Setting domain as: abc.local
Entering getCanonicalName
Username isn't empty.
Munged username: Hessond
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://servername.abc.local
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: ABC.LOCAL\Hessond
Binding as the user
Failed to bind as ABC.LOCAL\Hessond
Entering strict.
Returning true in strict().
Entering modifyUITemplate

Please can you assist? I've been hacking at this way too long. Best, D

Please post your configuration with any sensitive info snipped out.
--Ryan lane 22:26, 24 April 2008 (UTC)Reply

I have mediawiki 1.10, and LdapAuthentication.php 1.1g.

I have this settings in LocalSettings.php:

require_once( "$IP/extensions/LdapAuthentication.php" );

$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array("wikiLDAPdomain");

$wgLDAPServerNames = array("wikiLDAPdomain"=>"myserver.mycompany.com");

$wgLDAPUseLocal = true;

$wgLDAPEncryptionType = array("wikiLDAPdomain"=>"SSL");

$wgLDAPSearchAttributes = array("wikiLDAPdomain"=>"uid");

$wgLDAPBaseDNs = array("wikiLDAPdomain"=>"dc=myserver,dc=mycompany.com");

$wgLDAPDisableAutoCreate = array("wikiLDAPdomain"=>true);

$wgLDAPDebug = 3;

When I tried to login, I got the following debug info:

Entering validDomain

User is using a valid domain

Setting domain as: wikiLDAPdomain

Entering getCanonicalName

Username isn't empty

Munged username: myname@mycompany.com

Entering modifyUITemplate

Allowing the local domain, adding it to the list

That is, I didnot see "Entering authenticate" and "Entering Connect" that most people will see.

Can someone tell me what link is broken? Thanks.

You likely do not have LDAP support in PHP. Check to ensure that you do using "php -i".
--Ryan lane 22:23, 24 April 2008 (UTC)Reply

Hi, is it possible do save the Realname instead of Username if a user makes his sign on a Side? In our Ldap we log in with a Number, for the Login thats ok but I want wo see who has written an article. Thanks in Advance --87.154.138.194 20:18, 10 April 2008 (UTC)Reply

You may be able to do this in the getCanonicalName() function. I'll look into it and hopefully give you a better/more in depth answer.
--Ryan lane 22:28, 24 April 2008 (UTC)Reply

That would be pefect if you could help me :-) Thanks a lot Ryan --62.159.112.104 09:58, 30 April 2008 (UTC)Reply

You may be interested in my #Enterprise LDAP Solution to show real name and much more as the User page. Also allows roles to be dependent on LDAP (sysop and bureaucrats)

Any update on this or the next stable version of the extension?

I've been so busy lately that I'm not expecting another release for a while. I'm sure it is probably doable, though. I mean, I do it in the SSL authentication portion of the code. You may want to look at how I'm doing it there, and see if you can replicate it. In fact, here is how I set the username to something other than what the user's smartcard has (in LocalSettings.php):

// This hook is called by the LdapAuthentication plugin. It is a configuration hook. Here we
// are specifying what attibute we want to use for a username in the wiki.
// The hook calls the function defined below.
$wgHooks['SetUsernameAttributeFromLDAP'][] = 'SetUsernameAttribute';

// This function allows you to get the username from LDAP however you need to do it.
function SetUsernameAttribute(&$LDAPUsername, $info) {
        $LDAPUsername = $info[0]['cn'][0];
        // All hooks have to return a boolean in MediaWiki
        return true;
}

Notice that this won't work if you are doing straight binds, unless you are doing AD-style binding (ie: DOMAIN\\USER-NAME) and are doing extra configuration.
--Ryan lane 22:11, 26 June 2008 (UTC)Reply

Hi there,

Been new user of LDAP Auth wich is working fine, but my rss feed are not working anymore, do we have a fix or workaround for that ?

Thanks a lot in advance.

you can get me per email at flamontagne@no_spam.noxent.com (need to remove the no_spam)

I'm not sure what to tell you, this plugin shouldn't affect that at all (and my RSS feeds are working just fine). Disable the LDAP plugin and see if your RSS feeds start working again; if so, check your configuration for something very wrong; if not, then the LDAP plugin isn't your problem.
--Ryan lane 22:30, 24 April 2008 (UTC)Reply

Hi, I'm not sure if I did something wrong with the set-up, but my images directory doesn't have any security on it, so you don't need to authenticate to view them. If you remove read permission from public users, this solves the problem, but then even authenticated users can't view the images. Obviously the issue is that the images are being viewed as flat files.

Thanks in advance for any help!

You need to use img_auth.php, otherwise Apache is handing out the images, and Apache isn't asking for authentication.
--Ryan lane 22:20, 24 April 2008 (UTC)Reply

Hello, Is there a way to have apache handle the LDAP authentication but then have this extension grab the user name and log them into mediawiki after they have authenticated through apache? Much thanks in advance for your help!

Yes, but this extension is overkill if that is all you need. You might want to look at Extension:HttpAuth or one of the other extensions like it. This extension is useful if you want to do more than what Apache's module can do, and/or want to deliver a friendlier login screen.
--Ryan lane 17:12, 28 October 2008 (UTC)Reply

Hiya All,

My users all have account names with an underscore in them e.g. Name_Surname.

When entering NAME_SURNAME I get this with debugging turned on:

Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: ENTERPRISE\Wayne humphrey
Binding as the user
Failed to bind as ENTERPRISE\Wayne humphrey
Entering modifyUITemplate

However if I hard code my user name in LocalSettings.php e.g. Replace

 "ENTERPRISE"=>"ENTERPRISE\\USER-NAME",

With

 "ENTERPRISE"=>"ENTERPRISE\\MyName_Surname", 

I get a sucsefful login:

Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: DOMAIN\MyName_Surname
Binding as the user
Bound successfully
Entering getUserDN
Created a regular filter: (=MyName surname)
Entering getBaseDN
basedn is not set for this type of entry, trying to get the default basedn.
Entering getBaseDN
basedn is not set.
Using base:
Couldn't find an entry
Pulled the user's DN:
Authentication passed
Entering updateUser

so mediwiki stripping the underscore.

I have worked around this problem by adding the following to this extension:

In function getSearchString

add

$username =  str_replace(' ','_',$username);

below

$tmpuserdn = $wgLDAPSearchStrings[$_SESSION['wsDomain']];

I know this is a dirty hack, so does anyone have any better ways in doing this?

Thanks,

--wayne

This has come up in the past, and is somewhere around here on this page, or possible in the archive. I have no graceful way to solve this.
--Ryan lane 22:01, 26 June 2008 (UTC)Reply

Is there any way to use the MediaWiki API with LDAP authentication? Logins via the API all fail because the API does not know about the "wpDomain" value. --Maiden taiwan 17:02, 20 May 2008 (UTC)Reply

Never mind, looking at MW source code, it looks like it's aware of domains. Just have to figure out how to use it. --Maiden taiwan 17:05, 20 May 2008 (UTC)Reply

Hi I have MediaWiki 1.11 running on Windows 2003/IIS/PHP/My SQL with the ldap 1.1g extension installed

I am able to authenticate when the $wgLDAPEncryptionType is set to clear but not when set to ssl.

• All DC's have ssl certs installed for LDAPs
• The trusting CA certificate has been added to the trusted root certificate authorities using the mmc certificates snap-in on the server running WIMP/MediaWiki
• From the WIMP/MediaWiki server I have validated 636/3289 ldaps access to AD is working by using ldp.exe and binding to AD over ssl without issue
• php.ini has been updated to enable the php ldap extension
• LocalSettings.php has been updated as follows (sensitive information removed

# S Coney Installed Extension LDAP Authentication 1.1g

require_once $IP . "/extensions/LdapAuthentication/LdapAuthentication.php";
$wgAuth= new LdapAuthenticationPlugin(); 

$wgLDAPDomainNames = array( "domain1" ); 
$wgLDAPServerNames = array( "domain1"=>"dc1.msp.domain1.net dc2.msp.domain1.net dc3.msp.domain1.net" ); 
$wgLDAPSearchStrings = array("domain1"=>"domain1\\USER-NAME");
$wgLDAPEncryptionType = array("domain1"=>"ssl");
$wgMinimalPasswordLength = 1; 

$wgLDAPSearchAttributes = array("domain1"=>"sAMAccountName");
$wgLDAPBaseDNs = array("domain1"=>"dc=msp,dc=domain1,dc=net");

$wgLDAPDebug = 3;

When trying to logon to MediaWiki with these settings I get

Entering validDomain
User is using a valid domain.
Setting domain as: domain1
Entering getCanonicalName
Username isn't empty.
Munged username: User05
Entering userExists
Entering authenticate
Entering Connect
Using SSL
Using servers: ldaps://dc1.msp.domain1.net ldaps://dc2.msp.domain1.net ldaps://dc3.msp.domain1.net
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: domain1\User05
Binding as the user
Failed to bind as domain1\User05
Entering modifyUITemplate

If I set the $wgLDAPEncryptionType to a value of "clear" I get authenticated, the first time as follows (creating the mediawiki account. Subsequent logons create less debug due to the account already existing but work successfully.

Entering validDomain
User is using a valid domain.
Setting domain as: domain1
Entering getCanonicalName
Username isn't empty.
Munged username: User05
Entering userExists
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://dc1.msp.domain1.net ldap://dc2.msp.domain1.net ldap://dc3.msp.domain1.net
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: domain1\User05
Binding as the user
Bound successfully
Entering getUserDN
Created a regular filter: (sAMAccountName=User05)
Entering getBaseDN
basedn is not set for this type of entry, trying to get the default basedn.
Entering getBaseDN
basedn is dc=msp,dc=domain1,dc=net
Using base: dc=msp,dc=domain1,dc=net
Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
Pulled the user's DN: CN=User05,OU=admins,OU=dsUsers,DC=msp,DC=domain1,DC=net
Authentication passed
Entering initUser
Entering updateUser
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://dc1.msp.domain1.net ldap://dc2.msp.domain1.net ldap://dc3.msp.domain1.net
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: domain1\User05
Binding as the user
Bound successfully
Entering getUserDN
Created a regular filter: (sAMAccountName=User05)
Entering getBaseDN
basedn is not set for this type of entry, trying to get the default basedn.
Entering getBaseDN
basedn is dc=msp,dc=domain1,dc=net
Using base: dc=msp,dc=domain1,dc=net
Pulled the user's DN: CN=User05,OU=admins,OU=dsUsers,DC=msp,DC=domain1,DC=net
Authentication passed
Entering updateUser

Any feedback on this much appreciated!

Openssl/PHP don't use Microsoft's system trust. See someone's documentation on how to configure it for Windows. Notice that I don't necessarily support using "TLS_REQCERT never", but instead you should use "TLS_CACERTFILE <some path to your CA file>". Note that "TLS_REQCERT never" is better than authenticating without encryption.
--Ryan lane 22:21, 26 June 2008 (UTC)Reply

Hi Guys,

I have install media wiki and everything is working perfectly. when i tried to configure LDAP i'm getting this error: "Error, Setup.php must be included from the file scope, after DefaultSettings.php PHP Notice: Undefined variable: wgCommandLineMode in E:\MediaWiki\LocalSettings.php on line 33 PHP Notice: Undefined variable: wgCacheEpoch in E:\MediaWiki\LocalSettings.php on line 132 "

i've looked in many sites on google to solve this problem but with no success. the problem start when i use this line in the LocalSettings.php:

require_once( "$IP/extensions/LdapAuthentication.php" );

Someone got any idea?

help is appreciated.

thanks, ofer.

Are you putting this into the bottom of the file?
--Ryan lane 22:17, 26 June 2008 (UTC)Reply

In debugging, I kept seeing the getGroups function searching with the filter "(&(memberUid=NAME)(objectclass=))", even though I had set the $wgLDAPGroupObjectClass variable to an appropriate value ("posixGroup"). getGroups was then unable to find any groups, and the LDAP user was therefore unable to log in. I changed line 1408 of LdapAuthentication.php from this:

$filter = "(&($attribute=$value)(objectclass=$objectclass))";

to this:

$filter = "$attribute=$value";

and now it works. getGroups finds the user's groups, and LDAP users in the required group can log onto the wiki without a problem.

My question here: do I really need the objectclass test? I can put it back if I need it, but it doesn't look like I really need it. - Jredmond 16:23, 4 June 2008 (UTC)Reply

You don't need the objectclass if the attribute you are searching for only exists in groups.
--Ryan lane 21:59, 26 June 2008 (UTC)Reply

My organization has zillions of groups so that a call to @ldap_search crashed php (1.8Mb response when running the query in ldapsearch). Here is a patch that fixes it by only returning useful fields. BTW Thanks a lot for the great extension!

Index: LdapAuthentication.php
===================================================================
--- LdapAuthentication.php      (revision 36340)
+++ LdapAuthentication.php      (working copy)
@@ -1418,7 +1418,7 @@
                        $bind = $this->bindAs( $ldapconn, $wgLDAPProxyAgent[$_SESSION['wsDomain']], $wgLDAPProxyAgentPassword[$_SESSION['wsDomain']] );
                }

-               $info = @ldap_search( $ldapconn, $base, $filter );
+               $info = @ldap_search( $ldapconn, $base, $filter, array( "dn", $nameattribute) );
                if ( !$info ) {
                        $this->printDebug( "No entries returned from search.", SENSITIVE );

Hi, I'm having some trouble with the extension : the dn retrieved from LDAP is an email address, and it is used as the user name for local users. The problem is I can't use the built-in user right management with these users because when you type a name with '@' in it, the page thinks you're trying to edit a user from another wiki. Is there a way to use for instance the cn instead of the dn? (with users still logging using their dn). Thanks!

See this discussion for an idea of how you might be able to do this.
--Ryan lane 22:12, 26 June 2008 (UTC)Reply

It seems to me there is two bugs in the function addUser since (at least) v1.1g. The first is near the lines 800-801 where a comma may be omitted

if ( isset( $wgLDAPWriteLocation[$_SESSION['wsDomain']] ) ) {
    $this->printDebug( "wgLDAPWriteLocation is set, using that", NONSENSITIVE );
    $userdn = $wgLDAPSearchAttributes[$_SESSION['wsDomain']] . "=" .
        $username . "," . $wgLDAPWriteLocation[$_SESSION['wsDomain']];
} else {

and the second near the line 828 where it is considered the entire table

if ( $wgLDAPRequireAuthAttribute[$_SESSION['wsDomain']] ) {
    $values[$wgLDAPAuthAttribute[$_SESSION['wsDomain']]] = "true";
}

Moreover, I don't see what should make these 3 last lines:

• must LDAPRequireAuthAttribute really be set to "true"/"false" (and not true/false - string vs boolean, see doc) ?
• LDAPAuthAttribute is not a LDAP attribute in view of the doc but is an expression, I'm wrong ?

~ Seb35 13:08, 1 July 2008 (UTC)Reply

This code is probably the least used, which would probably be why it still has bugs; you are the first to report them, and this part of the code isn't part of my normal tests (I guess I'll start testing this as well now). All of the above looks correct, and as a matter of fact, the second part isn't even needed. You also pointed out an error in my documentation ($wgLDAPRequireAuthAttribute should take a boolean, not a string), which is now fixed. I'll fix all of this in the next release.
--Ryan lane 14:07, 1 July 2008 (UTC)Reply

Hi,

I'm trying to use smartcard authentication... I seem to be missing something pretty obvious, since the extension doesn't even get to the the stage of searching my directory... but what? The output in the browser looks like this:

Entering AutoAuthSetup.
Allowing smartcard authentication.
wgLDAPSSLUsername = Heinrich Opgenoorth
wgLDAPSSLUsername is not null, adding hooks.
Entering SSLAuth.

Fatal error: Call to private method User::loadfromsession() from context '' in /var/www/mw/extensions/LdapAuthentication.php on line 1768

My LocalSettings.php contains the following lines:

require_once( "$IP/extensions/LdapAuthentication.php" );
$wgLDAPDomainNames = array("testLDAPdomain");
$wgLDAPServerNames = array("testLDAPdomain"=>"directory.fraunhofer.de");
$wgLDAPEncryptionType = array("testLDAPdomain"=>"clear");
$wgLDAPSearchAttributes = array("testLDAPdomain"=>"cn");
$wgLDAPBaseDNs = array("testLDAPdomain"=>"ou=".$_SERVER['SSL_CLIENT_S_DN_OU'].",o=fraunhofer,c=de");
$wgLDAPDebug = 5;
$wgLDAPAutoAuthMethod = "smartcard";
$wgLDAPSmartcardDomain = "testLDAPdomain";
if (isset($_SERVER['SSL_CLIENT_S_DN_CN'])) {
    $wgLDAPSSLUsername = $_SERVER['SSL_CLIENT_S_DN_CN'];
}

$wgHooks['SetUsernameAttributeFromLDAP'][] = 'SetUsernameAttribute';
function SetUsernameAttribute(&$LDAPUsername, $info) {
        $LDAPUsername = $info[0]['cn'][0] . " " . $info[0]['ou'][0];
        return true;
}

AutoAuthSetup();

The extension version is 1.1g, MediaWiki 1.12 (I also tried 1.10, same effect).

Any ideas welcome...

Heinrich opgenoorth, 04 Jul 2008

I think some things changed in later versions of MediaWiki. It looks like I've updated the local version of the LDAP plugin I'm using to work with newer versions of MediaWiki and didn't commit the changes. Please try changing the line:

$tmpuser = User::LoadFromSession();

to:

$tmpuser = User::newFromSession();

If that doesn't solve your problem, I'll need to commit my changes (which I can't do at work, so it'll be a day or two before I can get to it).
--Ryan lane 13:18, 7 July 2008 (UTC)Reply

Changing the line, the above error message is gone, but instead I get a MediaWiki internal error:

Original exception: exception 'MWException' with message 'Unstub loop detected on call of $wgUser->getOption from StubUserLang::_newObject
' in /var/www/mw/includes/StubObject.php:54
Stack trace:

...I omit the Stack trace; best I just wait until you have committed the changes from your most recent version... Thanks, Heinrich

Hello,

I'm trying to connect Mediawiki with LDAP and always appears a blank page, the code I use is this:

// Validación LDAP
require_once( "$IP/extensions/LdapAuthentication.php" );

$wgAuth = new LdapAuthenticationPlugin(); //Nombres de los dominios que utilizarás.
$wgLDAPDomainNames = array("Alumnes","Professors");

//Asociación entre nombre de dominio y nombre DNS de la máquina donde se va a validar.
$wgLDAPServerNames = array("Alumnes"=>"*********", "Professors"=>"**********");

//Podemos permitir la convivencia de autenticación local del wiki con LDAP.
$wgLDAPUseLocal = true; //Encriptación en las solicitudes LDAP.
$wgLDAPEncryptionType = array("Alumnes"=>"clear", "Professors"=>"clear");

//Le decimos cual es la base de la consulta
$wgLDAPBaseDNS = array("Alumnes"=>"dc=Udl,dc=es", "Professors"=>"ou=People, dc=Udl, dc=es");
$wgLDAPSearchAttributes = array("Alumnes"=>"uid", "Professors"=>"uid");

//Utilizamos los grupos LDAP para las directivas de grupo:
$wgLDAPGroupsPrevail = array("Alumnes"=>true, "Professors"=>true);
$wgLDAPGroupNameAttribute = array("Alumnes"=>"cn", "Professors"=>"cn");

$wgLDAPDebug = 3;

With the Debugg it give me this messages:

Entering validDomain
User is using a valid domain.
Setting domain as: Alumnes
Entering getCanonicalName
Username isn't empty.
Munged username: C4768695
Entering userExists
Entering authenticate
Entering Connect
It looks like you are issing LDAP support; please ensure you have either compiled LDAP support in, or have enabled the module. If the authentication is working for you, the plugin isn't properly detecting the LDAP module, and you can safely ignore this message.
Using TLS or not using encryption.
Using servers: ldap://************

What's the matter? Thanks for all.

Your PHP doesn't have LDAP support (as the debug output mentions - although it mentions it with a typo ;) ). You need to either compile PHP with LDAP support, or you need to install the LDAP module for PHP, and include it in your php.ini file. If you are using a flavor of Red Hat, you can just install the php-ldap package.
--Ryan lane 13:50, 21 July 2008 (UTC)Reply

Error

Entering validDomain
User is not using a valid domain.
Setting domain as: invaliddomain
Entering modifyUITemplate
Allowing the local domain, adding it to the list.

LocalSettings.php:

$wgLDAPDomainNames = array(
  "university_edu"
  );

$wgLDAPServerNames = array(
  "university_edu"=>"ldap.its.university.edu",
  );

$wgLDAPUseLocal = true;

$wgLDAPEncryptionType = array(
  "university_edu"=>"clear",
  );

$wgLDAPSearchStrings = array(
  "university_edu"=>"uid=[search],ou=Accounts,dc=its,dc=university,dc=edu"
  );

$wgLDAPSearchAttributes = array(
  "university_edu"=>"uid"
  );

$wgLDAPBaseDNs = array(
  "university_edu"=>"dc=its,dc=university,dc=edu"
  );
#$wgLDAPGroupBaseDNs = array(
#  "university_edu"=>"ou=group,dc=its,dc=university,dc=edu"
#  );
$wgLDAPUserBaseDNs = array(
  "university_edu"=>"ou=people,dc=its,dc=university,dc=edu"
  );

wgLDAPDebug = 2;

require_once( 'LdapAuthentication.php' ); //or the appropriate lines for putting it in the extensions directory
$wgAuth = new LdapAuthenticationPlugin(); //or the appropriate lines for putting it in the extensions directory

• $domain appears to be empty.
• I have tried installing the extension in includes and extensions. Same result.
• ExtensionFunctions.php is installed.
• LDAP support is enabled in php.
• I have a joomla install that uses ldap fine.
• I can also telnet to the ldap server.

Thoughts? -- niels

Move these to the top (I've never tested with these after the options):

require_once( 'LdapAuthentication.php' ); //or the appropriate lines for putting it in the extensions directory
$wgAuth = new LdapAuthenticationPlugin(); //or the appropriate lines for putting it in the extensions directory

Also, please provide the full debug output.
--Ryan lane 14:06, 24 July 2008 (UTC)Reply

Oh. and this:

$wgLDAPServerNames = array(
  "university_edu"=>"ldap.its.university.edu",
  );

should look like this (notice the missing comma):

$wgLDAPServerNames = array(
  "university_edu"=>"ldap.its.university.edu"
  );

--Ryan lane 14:07, 24 July 2008 (UTC)Reply

Is there other debug output somewhere? This is all that comes up in my browser, even in debug level 3.

Debug info

Entering validDomain
User is not using a valid domain.
Setting domain as: invaliddomain
Entering modifyUITemplate
Allowing the local domain, adding it to the list.

LocalSettings.php (everything is at the end)

require_once( "$IP/extensions/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array(
  "university_edu"
  );

$wgLDAPServerNames = array(
  "university_edu"=>"ldap.its.university.edu"
  );

$wgLDAPUseLocal = true;

$wgLDAPEncryptionType = array(
  "university_edu"=>"clear"
  );

$wgLDAPSearchStrings = array(
  "university_edu"=>"uid=[search],ou=people,dc=its,dc=university,dc=edu"
  );

$wgLDAPSearchAttributes = array(
  "university_edu"=>"uid"
  );

$wgLDAPBaseDNs = array(
  "university_edu"=>"dc=its,dc=university,dc=edu"
  );

#$wgLDAPGroupBaseDNs = array(
#  "university_edu"=>"ou=group,dc=its,dc=university,dc=edu"
#  );

$wgLDAPUserBaseDNs = array(
  "university_edu"=>"ou=people,dc=its,dc=university,dc=edu"
  );

$wgLDAPDebug = 3;

-- niels

Are you getting a white screen? Does anything of interest show up in your web server error log, or your php log? If you get a white screen, you don't have LDAP support in PHP. You either need to compile support in, or add the appropriate package for your distro (recommended).
--Ryan lane 20:31, 24 July 2008 (UTC)Reply

the apache doesn't log any errors related to this (trust me, it logs a lot of other errors for other installed web apps!). I looked for a php log, haven't found one yet (any suggestions on that while you're here?) I do not get a white screen, mediawiki renders fine, and I can login using the local mediawiki user database. PHP LDAP support is installed. Has been. I have a Joomla install that authenticates against the same ldap server. Here are the settings in Joomla:

Host: ldap.its.university.edu
Port: 389
LDAP V3: Yes
Negotiate TLS: No
Follow referrals: No
Authorization Method: Bind and Search 	
Base DN: ou=people,dc=its,dc=university,dc=edu
Search String: uid=[search]
Users DN: <blank>
Connect username: blank 	
Connect password: blank
Map: Full Name: fullName
Map: E-mail: mail
Map: User ID: uid

-- niels

Hi everyone

I would like to modify the login procedure. I want to get the username with something like the AUTH_USER variable of PHP, and bind to the AD with another account (having read/browse rights). Then I could retrieve info about the real user logging in and continue the normal flow of the LdapAuthentication extension. I think I will have to go deep in the PHP code ... anyone can help ?

Thanks

Michael      14 / 08 / 2008

I just added support for this in 1.2a; download the newest version of the plugin from svn, and be sure to also download LdapAutoAuthentication.php. Hopefully I'll have some documentation soon for various types of web authentication (Kerberos, NTLM, htpasswd, smartcard, etc.).
--Ryan lane 22:21, 16 August 2008 (UTC)Reply

Auto-auth (kerberos) examples? edit

Ryan, can you run through some real quick basics of setting up the kerberos (IIS integrated authentication, correct?) settings with the autoauth piece? I know that others have been chomping at the bit for this functionality, and I think I'm close, but I've not been able to make it work quite yet. Thanks a ton for this; it's been pretty fantastic! --Lane 04:19, 19 September 2008 (UTC)

I've been hoping to get to this for a while, but haven't had the time. Hopefully I'll get a chance to do it this week or next week.
--Ryan lane 17:13, 28 October 2008 (UTC)Reply

Hi, I'm trying to use this plugin on a Windows 2003 system running IIS, with PHP 5.2.3 and Mediawiki 1.12.0, and I cannot for the life of me get a TLS-encrypted login to work. Using clear, it works, but whenever I enable TLS, I get:

Entering validDomain
User is using a valid domain.
Setting domain as: ****
Entering getCanonicalName
Username isn't empty.
Munged username: ****
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: *****
Using TLS
Failed to start TLS.
Failed to connect
Entering strict.
Returning false in strict().
Entering modifyUITemplate
Allowing the local domain, adding it to the list.

The "Failed to start TLS" bit there caught my eye. Is there some add-on I have to install to support TLS? I couldn't find anything that I'm missing either on this page or on php.net, so I'm hoping somebody can point me in the right direction here. --155.72.100.4 16:59, 30 July 2008 (UTC)Reply

Are you using Active Directory (AD)? If so, it may not support TLS, or you may not have a certificate installed on the AD server. Try using "ssl" instead of "tls". Some AD servers will have ldaps enabled, but not tls over ldap. If that doesn't work, you need to ensure the AD server has a cert installed. If you do have a cert installed, you need to ensure that your client trusts the CA that signed the certificate. Some directions have been given by users for doing stuff like this.
--Ryan lane 22:25, 16 August 2008 (UTC)Reply

I'd like to remove the domain selection from the login screen because we only have one domain so select. Somebody knows how this can be achieved in the current version (MW 1.13.0, LDAP_Authentication 1.2a)? I don't see an Id on the select so I could hide it via CSS directly. If there's know option currently, can this be added in a future version please? Thanks. - Jan

I'll add the id; it'll be the same as the name. If you want to backport the change to your version of MediaWiki, you'll be safe. I'll add this to the todo list.
--Ryan lane 18:25, 11 September 2008 (UTC)Reply

I have been working on getting mediawiki to auth against a w2k3 domain. used an above fix to restore the _'s that are present in all domain acounts, and also tested the php->ldap login outside of mediawiki with a script I found on http://www.gossamer-threads.com/lists/wiki/mediawiki/43821

The linked script works, as long as I set $ldaprdn = ''; (this is the equivlanet of $wgLDAPBaseDNs I used ldp from the windows 2000 admin kit and know it should be dc=mycompany,dc=local but I dont know of any other options.

what would be a way to set this variable to nothing if the plugin does not require it, and to find out correct values for other required fields if it is?

I also notice that I am still getting a capital letter for the first part of my username. I see that caused problems in the past, and have tried posted solutions with no change. What is the current/correct fix?

What would really be helpful is getting more error info than simply "Failed to bind as mydomain\myuser"

If all you want to do is basic AD authentication, you don't need to know the basedn. All you need to know is the hostname of the AD server, and the domain name. See the simple configuration example for active directory.
--Ryan lane 22:43, 3 November 2008 (UTC)Reply

Along with $wgLDAPRequiredGroups, would it be possible for you to create a complementary variable, $wgLDAPDeniedGroups, that excludes members of certain NT groups? It would be very handy to be able to express: "Everybody in group X, but not in group Y, can authenticate." Maiden taiwan 11:01, 18 September 2008 (UTC)Reply

I'll think about adding this to the next release.
--Ryan lane 22:45, 3 November 2008 (UTC)Reply

Ryan, can you give a starting point to configuring this for Windows Integrated authentication? I'm assuming this will use a variation on the way it's set up to use smartcard auth, but I've not been able to get it to work as of yet.

Thanks! --Laduncan 21:17, 3 October 2008 (UTC)Reply

I'll try to get some documentation out for this ASAP. I know a lot of people are really wanting this... Sorry for the wait!
--Ryan lane 22:46, 3 November 2008 (UTC)Reply

We successfully rolled out the LDAP extension to four MediaWiki sites, one of which is using auto authentication with the Apache server's mod_authnz_ldap. Thank you for this great extension!

We did run into three issues, two of which I fixed with small edits to LdapAuthentication.php, and one which is outstanding.

We want users who already have LDAP accounts to be able to login without creating additional wiki accounts (the LDAP extension does this nicely) and we want users who do not already have LDAP accounts to be able to create new wiki accounts (the LDAP extension lets us do this also), but all of our wikis require email confirmation to be able to edit.

This is a problem for users who create new wiki accounts, because the LDAP extension removes the email address input from the create account page. Consequently users cannot provide an email address (and therefore cannot edit) unless they subsequently go to their preferences page.

Relatedly, we only have only one domain. We do use $wgLDAPUseLocal, for users who do not already have accounts in LDAP, but we _always_ want to try LDAP first, and fallback to wiki accounts. Again, the LDAP extension does this nicely. We just do not want users to see the domain selection input. We want the wiki to appear to the user exactly as it would if we were not using the LDAP extension, but their LDAP passwords work : )

To solve these problems, I commented out the "usedomain" and "useemail" lines in LdapAuthentication.php:

@@ -552,8 +552,8 @@
 			$template->set( 'create', false );
 		}
 
-		$template->set( 'usedomain', true );
-		$template->set( 'useemail', false );
+		#$template->set( 'usedomain', true );
+		#$template->set( 'useemail', false );
 
 		$tempDomArr = $wgLDAPDomainNames;
 		if ( $wgLDAPUseLocal ) {

Then, because the domain form parameter is no longer submitted when users login, I had to set in manually in LdapAuthentication.php:

@@ -891,7 +891,7 @@
 	 */
 	function setDomain( $domain ) {
 		$this->printDebug( "Setting domain as: $domain", NONSENSITIVE );
-		$_SESSION['wsDomain'] = $domain;
+		$_SESSION['wsDomain'] = 'default';
 	}
 
 	/**

This works, but I would prefer that there were configuration options to have the same effect, without editing the LdapAuthenitcation.php source. For example, I wish there were configuration options to show the email input on the create account page, and hide the domain select input. I wish there were a configuration option to explicitly set which domain will always be used - like $wgLDAPAutoAuthDomain for non-automatic login : )

I'll add this to my TODO list.
--Ryan lane 22:54, 3 November 2008 (UTC)Reply

Or, I wish if there is only one domain configured, the LDAP extension would hide the domain select input and always use that one domain?

I think this was a wishlist of someone else, and I'm hoping to allow users to fix this by modifying their CSS. This is a fix that will require a core code change.
--Ryan lane 22:54, 3 November 2008 (UTC)Reply

MediaWiki is case sensitive about usernames - it allows two usernames with the same letters but different case: e.g. Petervg and PeterVG. Consequently some of our existing MediaWiki accounts use mixed case: e.g. PeterVG

The LDAP extension's getCanonicalName() makes usernames case insensitive by lowercasing them, and uppercasing the first letter. This means that when we want to fallback to local MediaWiki accounts, users with mixed case usernames, like PeterVG, cannot login.

I got around this be commenting out the strtolower() call in getCanonicalName():

@@ -1068,7 +1068,7 @@
 				//Change username to lowercase so that multiple user accounts
 				//won't be created for the same user.
 				//But don't do it for the local domain!
-				$username = strtolower( $username );
+				#$username = strtolower( $username );
 			}
 
 			//The wiki considers an all lowercase name to be invalid; need to

Again, I wish there were a configuration option to disable getCanonicalName(), instead of having to edit LdapAuthentication.php

I'd recommend renaming users with mix characters to all lowercase. Unless this was fixed and I'm not aware of it, if a user logs in via ldap with UsErname, and Username, and UsernamE, three different accounts will be created. LDAP isn't checking case, but MediaWiki is; MediaWiki sees the users as three separate users.
--Ryan lane 22:54, 3 November 2008 (UTC)Reply

Finally! I mentioned that we require email confirmation to edit the wiki. We do not want to disable email confirmation, but all of the email addresses in out LDAP database are already confirmed. So we do not want users with LDAP accounts, where their email address is retrieved by the LDAP extension from their LDAP account, to have to confirm their email. In other words, when the LDAP extension retrieves an email address from LDAP, we want it to mark that address as confirmed.

I have not got around to fixing this, so we currently have to tell all our users with LDAP accounts that they can use their LDAP password to login, but that they must then go to the preferences page and send themselves a confirmation email.

I wish there were a configuration option to mark email address retrieved from LDAP as confirmed : )

This should be on the TODO list; if it isn't I'll add it.
--Ryan lane 22:54, 3 November 2008 (UTC)Reply

Hi All I have upgraded to mediawiki mediawiki-1.13.2-40.99 via rpm ,All thing are working fine before upgradation but after upgrading there seems to be a problem when i press edit.we use ldap authentication for wiki. This is debug log please give sugestion debug result is

Entering validDomain
User is not using a valid domain.
Setting domain as: invaliddomain
Entering getCanonicalName
Username isn't empty.
Munged username: ******
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: 
Using TLS
Failed to start TLS.
Failed to connect
<Entering strict.
<br>Returning true in strict().
<br>Entering modifyUITemplatedtd">



This error occured 
[error] [client ****************] PHP Notice:  Undefined index:  invaliddomain in /var/www/wiki/sysadmin/LdapAuthentication.php on line 148, referer: *************************************************



error] [client *************] PHP Warning:  ldap_start_tls() [<a href='function.ldap-start-tls'>function.ldap-start-tls</a>]: Unable to start TLS: Can't contact LDAP server in /var/www/wiki/sysadmin/LdapAuthentication.php on line 166, referer: ************************************************************************************
<nowiki><nowiki>Insert non-formatted text here</nowiki></nowiki>

What distro is this? I'm not sure how they package the software, and have no clue what could have happened. It'll be really hard for me to debug this. I recommend always downloading the module manually. There isn't a guarantee the distro is taking version compatibility into consideration.
--Ryan lane 22:57, 3 November 2008 (UTC)Reply

Hi everyone, I have been trying to get MediaWiki running on IIS, Windows Server 2003 with a mysql DB for a few weeks now. I have incorporated LDAP so users can manually login with their domain credentials. However i desperatly need to automate this process. Is there any current method to achieve this?? I have been browsing the web for ages now, and although people discuss the idea, there seems no be no notes on successes or failures! Is this totally unachievable at the moment??

Everyone seems to be asking this right now. I did add code to do this recently, but I don't have documentation written yet. I'll try to get some out soon.
--Ryan lane 22:58, 3 November 2008 (UTC)Reply

Ryan, I'm also trying to get this to work, so even some brief notes would be helpful. Of more concern is that I'm currently using LdapAuthentication.php version 1.1g with MediaWiki 11.1.0 for manual authentication, and it works fine; but LdapAuthentication.php version 1.2a results in a white screen (which I understand is a PHP issue, but I don't have access to the PHP logs).
Snuck 01:10, 3 February 2009 (UTC)Reply

I just got it to work with php REMOTE_USER (after the web server authenticated the user using LDAP). I used the 1.2a version with Mediawiki 1.13.2; some bugs and notes:

1. Don't forget to download (and include) LdapAutoAutentication.php as well ( http://svn.wikimedia.org/viewvc/mediawiki/trunk/extensions/LdapAuthentication/ )

2. In LdapAuthentication.php: function AutoAuthSetup has a check on the mediawiki version, this however results in the wrong hook being set, this was the one that worked for me:

 $wgHooks['UserLoadFromSession'][] = 'LdapAutoAuthentication::Authenticate';

3. In LdapAuthentication.php (about line 564): it says wgLDAPAutoAutoDomain, with should be wgLDAPAutoAuthDomain

4.In LocalSettings, make sure you have (amongst the other needed LDAP settings):

 $wgLDAPAutoAuthDomain = "<my domain>";
 $wgLDAPAutoAuthUsername = $_SERVER['PHP_AUTH_USER'];
 $wgHooks['SetUsernameAttributeFromLDAP'][] = 'SetUsernameAttribute';
 //This function allows you to get the username from LDAP however you need to do it.
 //This is the username MediaWiki will use. (>> for me this should be 'uid')
 function SetUsernameAttribute(&$LDAPUsername, $info) {
   $LDAPUsername = $info[0]['uid'][0];
   return true;
 }
 AutoAuthSetup();

Regards, Gyuri

I'm marking these fixes as TODOs; thanks!
--Ryan lane 22:59, 3 November 2008 (UTC)Reply

Fixed the above fixes in SVN
--Ryan lane 17:26, 11 November 2008 (UTC)Reply

I have some problems to sync groups from AD. Login with AD account works fine, but it wont pull group names from AD. After I removed the @ from ldap_search at line 1420 I became an error Search: Can't contact LDAP server. But how it comes? Authentification on LDAP works so how he cant contact ldap server???

Thanks for advice..

debug output at login:

Entering validDomain
User is using a valid domain.
Setting domain as: DOMAIN
Entering getCanonicalName
Username isn't empty.
Munged username: Username
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://dc.domain.intern
Connected successfully
Lowercasing the username: Username
Entering getSearchString
Doing a straight bind
userdn is: DOMAIN\username
Binding as the user
Bound successfully
Entering getUserDN
Created a regular filter: (sAMAccountName=username)
Entering getBaseDN
basedn is not set for this type of entry, trying to get the default basedn.
Entering getBaseDN
basedn is dc=domain,dc=intern
Using base: dc=domain,dc=intern
Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
Pulled the user's DN: CN=Username,OU=sampleou,DC=domain,DC=intern
Retrieving LDAP group membership
Entering getUserGroups
Entering getGroups
Entering getBaseDN
basedn is not set for this type of entry, trying to get the default basedn.
Entering getBaseDN
basedn is dc=domain,dc=intern
Search string: (&(member=CN=Username,OU=sampleou,DC=domain,DC=intern)(objectclass=group))

Warning: ldap_search() [function.ldap-search]: Search: Can't contact LDAP server in wiki\extensions\LdapAuthentication.php on line 1420
No entries returned from search.
Authentication passed
Entering updateUser
Setting user groups.
Entering setGroups.
Locally managed groups is unset, using defaults: bot,sysop,bureaucrat
Available groups are: bot,sysop,bureaucrat,groupa,groupb,groupc
Effective groups are: *,user,autoconfirmed
Checking to see if user is in: groupa
Entering hasLDAPGroup
Checking... [stripped]
Saving user settings.

settings:

 require_once( 'extensions/LdapAuthentication.php' );
 $wgAuth = new LdapAuthenticationPlugin();
 $wgLDAPDomainNames = array('DOMAIN');
 $wgLDAPServerNames = array('DOMAIN'=>'dc.domain.intern',);
 $wgLDAPEncryptionType = array('DOMAIN'=>'clear');
 $wgMinimalPasswordLength = 1;
 $wgLDAPUseLocal = false;
 #$wgLDAPRetrievePrefs = array("DOMAIN"=>true);
 $wgLDAPLowerCaseUsername = array("DOMAIN"=>true);
 $wgLDAPDebug = 5;
 $wgLDAPSearchStrings = array('DOMAIN'=>'DOMAIN\\USER-NAME');
 $wgLDAPSearchAttributes = array('DOMAIN'=>'sAMAccountName');
 $wgLDAPBaseDNs  = array('DOMAIN'=>'dc=domain,dc=intern');
 $wgLDAPGroupUseFullDN = array('DOMAIN'=>true);
 $wgLDAPGroupObjectclass = array('DOMAIN'=>'group');
 $wgLDAPGroupAttribute = array('DOMAIN'=>'member');
 $wgLDAPGroupSearchNestedGroups = array('DOMAIN'=>true);
 $wgLDAPGroupNameAttribute = array('DOMAIN'=>'cn');
 $wgLDAPUseLDAPGroups = array('DOMAIN'=>true);
 $wgLDAPGroupUseRetrievedUsername = array('DOMAIN'=>true);

 $wgGroupPermissions['groupa']['createpage']	= true;
 $wgGroupPermissions['groupb']['createpage']	= true;
 $wgGroupPermissions['groupc']['createpage']	= true;

What version of the plugin and MediaWiki are you using?
--Ryan lane 23:19, 5 November 2008 (UTC)Reply

Looking at the version in HEAD for MW 1.14:

 if ( version_compare( $wgVersion, '1.14.0', '<' ) ) {
   $wgHooks['UserLoadAfterLoadFromSession'][] = 'LdapAutoAuthentication::Authenticate';
 } else {
   $wgHooks['UserLoadFromSession'][] = 'LdapAutoAuthentication::Authenticate';
 }

Don't you want that the other way around? If current code version is < 1.14, use UserLoadFromSession and fake the isLoggedIn()?

(By the way, thanks many times for resolving that recursive load() issue, and for having great sample code to look at in LDAP_Authenticate for other Auth developers.)

Thinkling 00:12, 4 November 2008 (UTC)Reply

Yeah, looks like I have that backwards. I'll fix this ASAP. Going into the TODO. Thanks!
--Ryan lane 23:14, 5 November 2008 (UTC)Reply

Fixed! Thanks for the bug report.
--Ryan lane 17:18, 11 November 2008 (UTC)Reply

It looks like a bug - all of the sudden no user were able to log in to wiki.

After a little investigation we found: In the function getGroups, there is a code that bring all the groups from LDAP (why?). In the end of the function, before printing all the groups it calls "implode":

$this->printDebug( "Returned groups:" . implode( ",", $groups ) . "", SENSITIVE );
$this->printDebug( "Returned groups:" . implode( ",", $shortnamegroups ) . "", SENSITIVE );

While there are too many groups in the LDAP, the function implode doesn't return, and the Wiki doesn't work. After removing the printDebug, the Wiki worked again. --D 09:00, 5 November 2008 (UTC)

Oops. Didn't think about that. I'll refactor the printDebug method to handle arrays so that I don't do this kind of thing unless debug is turned on. This is going on my TODO. Thanks for the bug report!
--Ryan lane 23:16, 5 November 2008 (UTC)Reply

So far I have set up LDAP authentication to use AD usernames and passwords for logging in to the wiki. My settings file looks like this

$wgLDAPDomainNames = array(
  "cc3-sbhs.internal"
  );

$wgLDAPServerNames = array(
  "cc3-sbhs.internal"=>"sow-sr-001.cc3-sbhs.internal",
    );

$wgLDAPUseLocal = true;

$wgLDAPEncryptionType = array(
  "cc3-sbhs.internal"=>"clear",
  );
$wgLDAPBaseDNs = array("cc3-sbhs.internal"=>"DC=sow-sr-001");

$wgLDAPSearchStrings = array(
  "cc3-sbhs.internal"=>"USER-NAME@cc3-sbhs.internal",
  );
lse
$wgLDAPGroupUseFullDN = array(
  "cc3-sbhs.internal"=>true
  );
 
$wgLDAPDebug = 3;

This works fine so far, but I want to be able to restrict it to particular groups within AD. Unfortunately, most of the syntax for these configuration settings is baffling to me. Can anyone explain in fairly simple terms how to set this up? I can provide domain names, server names, group names etc. as required.

Thanks in advance --Carelesshx 15:07, 6 November 2008 (UTC)Reply

Hey Ryan thank you so much for this extension. I've used with two employers. I had to make the following modification to get logins by group to work though. It's probably the way that AD is configured at my company, but only the first group was getting checked. The groups were all at the same level (attribute was memberOf) of the same search result (so only one entry, but multiple groups in it). In case anyone else runs into the issue here's what I did to make it work (code probably not greatest as I was just monkeying the PHP code, haven't really used PHP in a long time):

Code diff -u edit

$ diff -u LdapAuthentication.php.orig LdapAuthentication.php.altered
--- LdapAuthentication.php.orig      2008-11-06 15:29:43.000000000 -0600
+++ LdapAuthentication.php.altered    2008-11-06 15:51:56.000000000 -0600
@@ -1440,6 +1440,11 @@

                       array_push( $groups, $mem );
                       array_push( $shortnamegroups, $shortnamemem );
+
+         array_shift( $entry[$nameattribute] );
+         foreach ( $entry[$nameattribute] as $othergroups ) {
+            array_push( $groups, strtolower( $othergroups ) );
+         }
               }

               $both_groups = array();

LocalSettings.php config edit

#LDAP login
$wgLDAPDebug = 3;
require_once 'extensions/LdapAuthentication/LdapAuthentication.php';
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( 'mydomain' );
$wgLDAPServerNames = array( 'mydomain' => 'ldap-server' );
$wgLDAPSearchStrings = array( 'mydomain' => 'USER-NAME@mydomain.mysite.com' );
$wgLDAPBaseDNs = array( 'mydomain' => 'dc=mydomain,dc=mysite,dc=com' );
$wgLDAPEncryptionType = array( 'mydomain' => 'clear' );
$wgLDAPLowerCaseUsername = array( 'mydomain' => true );
$wgLDAPRetrievePrefs = array( 'mydomain' => true );
$wgLDAPRequiredGroups = array( 'mydomain' => array( strtolower('CN=Super Duper Group,OU=Clever Corporation,DC=mydomain,DC=mysite,DC=com') ) );
$wgLDAPGroupUseFullDN = array( 'mydomain' => false );
$wgLDAPGroupObjectclass = array( 'mydomain' => 'user' );
$wgLDAPGroupAttribute = array( 'mydomain' => 'sAMAccountName' );
$wgLDAPGroupSearchNestedGroups = array( 'mydomain' => false );
$wgLDAPGroupNameAttribute = array( 'mydomain' => 'memberof' );
$wgLDAPBaseDNs = array( 'mydomain' => 'dc=mydomain,dc=mysite,dc=com' );
$wgLDAPSearchAttributes = array( 'mydomain' => 'sAMAccountName' );
$wgLDAPUseLocal = true;
$wgMinimalPasswordLength = 1;

Dori 00:12, 7 November 2008 (UTC)Reply

At some point in time I'm going to add memberOf support so that no one will have to do hacky stuff. I have to rework my group code some before doing so though. Hopefully it'll be soon and I'll fix your problem in a nice way ;).
--Ryan lane 17:22, 11 November 2008 (UTC)Reply

Hello Ryan,

Some of my users’ base DNs do not match the required group’s base DN. Because of this, no matching groups are returned for the user since the plug-in sees the user as a non-member of the required group’s base DN. Is there something I can reconfigure in the plug-in settings or is this feature not included? Below, jpn\Jdoe is a member of the usa\group1 universal group.

Using servers: ldap://jpn.company.com
Using TLS
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: jpn\Jdoe
Binding as the user
Bound successfully
Entering getUserDN
Created a regular filter: (sAMAccountName=Jdoe)
Entering getBaseDN
basedn is ou=workers,dc=jpn,dc=company,dc=com
Using base: ou=workers,dc=jpn,dc=company,dc=com
Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
Pulled the user's DN: CN=Doe\, John,OU=Workers,DC=jpn,DC=company,DC=com
Checking for (new style) group membership
Entering isMemberOfRequiredLdapGroup
Required groups:cn=group1,ou=groups,dc=usa,dc=company,dc=com,cn=group2,ou=groups,dc=usa,dc=company,dc=com
Entering getUserGroups
Entering getGroups
Entering getBaseDN
basedn is ou=groups,dc=usa,dc=company,dc=com
Search string: (&(member=CN=Doe\5c, John,OU=Workers,DC=jpn,DC=company,DC=com)(objectclass=group))
Returned groups:
Returned groups:
Couldn't find the user in any groups (1).
Entering strict.
Returning true in strict().
Entering modifyUITemplate

Below are my settings:

$wgLDAPDomainNames = array(
 "usa",
 "jpn"
$wgLDAPServerNames = array(
 "usa"=>"usa.company.com",
 "jpn"=>"jpn.company.com"
 );
$wgLDAPUseLocal = false;
$wgLDAPEncryptionType = array(
 "usa"=>"clear",
 "jpn"=>"clear"
 );
$wgLDAPSearchStrings = array(
 "usa"=>"usa\\USER-NAME",
 "jpn"=>"jpn\\USER-NAME"
 );
$wgLDAPSearchAttributes = array(
 "usa"=>"sAMAccountName",
 "jpn"=>"sAMAccountName"
 );
$wgLDAPBaseDNs = array(
 "usa"=>"dc=usa,dc=company,dc=com",
 "jpn"=>"dc=jpn,dc=company,dc=com"
 );
$wgLDAPGroupBaseDNs = array(
 "usa"=>"ou=groups,dc=usa,dc=company,dc=com",
 "jpn"=>"ou=groups,dc=usa,dc=company,dc=com"
 );
$wgLDAPUserBaseDNs = array(
 "usa"=>"ou=workers,dc=usa,dc=company,dc=com",
 "jpn"=>"ou=workers,dc=jpn,dc=company,dc=com"
 );
$wgLDAPGroupUseFullDN = array(
 "usa"=>true,
 "jpn"=>true
 );
$wgLDAPLowerCaseUsername = array(
 "usa"=>false,
 "jpn"=>false
 );
$wgLDAPGroupObjectclass = array(
 "usa"=>"group",
 "jpn"=>"group"
 );
$wgLDAPGroupAttribute = array(
 "usa"=>"member",
 "jpn"=>"member"
 );
$wgLDAPGroupNameAttribute = array(
 "usa"=>"cn",
 "jpn"=>"cn"
 );
$wgLDAPUseLDAPGroups = array(
 "usa"=>true,
 "jpn"=>true
 );
$wgLDAPRequiredGroups = array(
 "usa"=>array(
   "cn=group1,ou=groups,dc=usa,dc=company,dc=com",
   "cn=group2,ou=groups,dc=usa,dc=company,dc=com"
   ), 
 "jpn"=>array(
   "cn=group1,ou=groups,dc=usa,dc=company,dc=com",
   "cn=group2,ou=groups,dc=usa,dc=company,dc=com"
   )
 );
$wgLDAPGroupSearchNestedGroups = array(
 "usa"=>true,
 "jpn"=>true
 );

thx, --MadX 09:27, 21 November 2008 (UTC)Reply

I believe for this to work, you need to point the plugin to whichever server is the active directory global catalog for both domains.
--Ryan lane 20:40, 10 December 2008 (UTC)Reply

A useful extension that builds on this extension is ldapinfo. http://webdesignessence.com/os/ldapinfo/#Description

But I can not find the meta wiki talk page about that extension.

I adapted the extension to use the hcard microformat. The output of the ldapinfoAdapted is then a call to a hcard template { {hcard| with the needed parameters } }

I'm having an issue installing this extension. It seems that whenever I attempt to login with a domain account it tells me "Login error:Incorrect password entered. Please try again." I decided to try debugging but I see no output on the login screen. Where does the debug information display or write to?

I do see the domain dropdown menu at the login screen so the extension is obviously being used.

My setup: Windows 2003 server, IIS 6, MediaWiki 1.13.3, PHP 5.2.8, (PHP installed) OpenLDAP ($Id: ldap.c,v 1.161.2.3.2.13 2008/05/04 21:19:17 colder Exp $) 2004 API, OpenSSL (OpenSSL 0.9.8i 15 Sep 2008). Domain controller's base OU is 'DC=testdomain,DC=net', all the group OU's are under that.

Just for reference, here is the config I'm using:

require_once 'extensions/LdapAuthentication.php';
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDebug = 4;
$wgLDAPDomainNames = array(  'testdomain'  );
$wgLDAPServerNames = array(  'testdomain' => 'dc.testdomain.net'  );
$wgLDAPSearchAttributes = array(  'testdomain' => 'sAMAccountName'  );
$wgLDAPBaseDNs = array(  'testdomain' => 'DC=testdomain,DC=net'  );
$wgLDAPEncryptionType = array(  'testdomain' => 'ssl'  );
$wgMinimalPasswordLength = 1;
$wgLDAPUseLocal = false;

-- Michael

What version of the plugin are you using? The version of the plugin in SVN doesn't log to the screen anymore, it logs to a file; see the svn commit message (it isn't a production ready version of the plugin). Btw, if all you are doing is basic AD authentication, and don't need any of the other stuff (like group searching, preference pulling, etc.), you can use the following line:

$wgLDAPSearchStrings = array( 'testdomain' => 'TESTDOMAIN\\USER-NAME' ) );

and remove:

$wgLDAPSearchAttributes = array( 'testdomain' => 'sAMAccountName' );

$wgLDAPBaseDNs = array( 'testdomain' => 'DC=testdomain,DC=net' );

--Ryan lane 16:41, 15 December 2008 (UTC)Reply

Hi Ryan, thanks for your response.

I was using v1.2b. I've updated to the version in subversion and I get the following with my original configuration:

2008-12-15 17:23:10 wikidb-itops_: Entering validDomain

2008-12-15 17:23:10 wikidb-itops_: User is using a valid domain.

2008-12-15 17:23:10 wikidb-itops_: Setting domain as: testdomain

2008-12-15 17:23:10 wikidb-itops_: Entering getCanonicalName

2008-12-15 17:23:10 wikidb-itops_: Username isn't empty.

2008-12-15 17:23:10 wikidb-itops_: Munged username: ***username***

2008-12-15 17:23:10 wikidb-itops_: Entering userExists

2008-12-15 17:23:10 wikidb-itops_:

2008-12-15 17:23:10 wikidb-itops_: Entering authenticate

2008-12-15 17:23:10 wikidb-itops_:

2008-12-15 17:23:10 wikidb-itops_: Entering Connect

2008-12-15 17:23:10 wikidb-itops_: Using SSL

2008-12-15 17:23:10 wikidb-itops_: Using servers: ldaps://dc.testdomain.net

2008-12-15 17:23:10 wikidb-itops_: Connected successfully

2008-12-15 17:23:10 wikidb-itops_: Entering getSearchString

2008-12-15 17:23:10 wikidb-itops_: Doing an anonymous bind

2008-12-15 17:23:10 wikidb-itops_: Failed to bind as

2008-12-15 17:23:10 wikidb-itops_: with password:

2008-12-15 17:23:10 wikidb-itops_: Failed to bind

2008-12-15 17:23:10 wikidb-itops_: User DN is blank

2008-12-15 17:23:10 wikidb-itops_: Entering allowPasswordChange

2008-12-15 17:23:10 wikidb-itops_: Entering modifyUITemplate

It does not appear to be using the domain\name I put in to bind as?

With your suggested configuration modification, I get the following:

2008-12-15 17:27:55 wikidb-itops_: Entering validDomain

2008-12-15 17:27:55 wikidb-itops_: User is using a valid domain.

2008-12-15 17:27:55 wikidb-itops_: Setting domain as: testdomain

2008-12-15 17:27:55 wikidb-itops_: Entering getCanonicalName

2008-12-15 17:27:55 wikidb-itops_: Username isn't empty.

2008-12-15 17:27:55 wikidb-itops_: Munged username: ***username A***

2008-12-15 17:27:55 wikidb-itops_: Entering userExists

2008-12-15 17:27:55 wikidb-itops_:

2008-12-15 17:27:55 wikidb-itops_: Entering authenticate

2008-12-15 17:27:55 wikidb-itops_:

2008-12-15 17:27:55 wikidb-itops_: Entering Connect

2008-12-15 17:27:55 wikidb-itops_: Using SSL

2008-12-15 17:27:55 wikidb-itops_: Using servers: ldaps://dc.testdomain.net

2008-12-15 17:27:55 wikidb-itops_: Connected successfully

2008-12-15 17:27:55 wikidb-itops_: Entering getSearchString

2008-12-15 17:27:55 wikidb-itops_: Doing a straight bind

2008-12-15 17:27:55 wikidb-itops_: userdn is: testdomain\***username B***

2008-12-15 17:27:55 wikidb-itops_:

2008-12-15 17:27:55 wikidb-itops_: Binding as the user

2008-12-15 17:27:55 wikidb-itops_: Failed to bind as testdomain\***username B***

2008-12-15 17:27:55 wikidb-itops_: with password: ***password***

2008-12-15 17:27:55 wikidb-itops_: Entering allowPasswordChange

2008-12-15 17:27:55 wikidb-itops_: Entering modifyUITemplate

With both configurations I've tried logging in as various accounts, nothing seems to be valid.

I do not think that I want to use basic authentication because it looks like it was trying to log in with 'username B' (which is what I put in the configuration) even though I may try to login with 'username A' on the login screen.

My configuration with IIS is such that they must provide domain user credentials to access mediawiki to begin with. A second login is ok though, using those same credentials. If it were possible to autolog them in based on the credentials they already gave ($_SERVER['AUTH_USER']) that would be ideal -- however in that case I would still need to be able to login as a local user to access the wiki Admin account that was created on installation.

I appreciate your work on this extension and your continuing effort with support.

-- Michael

USER-NAME is the exact string you need to put in, when the user logs in, USER-NAME will be replaced with the username the user submitted.

Hi, when i try to login i get a white page. I'm sure PHP have LDAP enabled because i made a test script and it can connect and bind without problems.

MediaWiki version: 1.13.3

Plugin version: 1.2a and SVN 45350

Config:

$wgLDAPDebug = 5;
$wgDebugLogGroups["ldap"] = 'file.log';
require_once( "$IP/extensions/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array("test.es");
$wgLDAPServerNames = array("test.es"=>"ldap.test.es");
$wgLDAPUseLocal = true;
$wgLDAPEncryptionType = array("test.es"=>"clear");
$wgLDAPSearchAttributes = array('test.es' => 'uid');
$wgLDAPBaseDNs = array('test.es' => 'dc=test,dc=es');
$wgLDAPUserBaseDNs = array('test.es' => 'ou=usuarios,dc=test,dc=es');
$wgMinimalPasswordLength = 1;
$wgLDAPProxyAgent = array('test.es'=>'cn=proxyuser,dc=test,dc=es');
$wgLDAPProxyAgentPassword = array('test.es'=>'XXXX');

Log:

2009-01-03 15:25:11 Entering validDomain

2009-01-03 15:25:11 User is not using a valid domain.

2009-01-03 15:25:11 Setting domain as: invaliddomain

2009-01-03 15:25:11 Entering allowPasswordChange

2009-01-03 15:25:11 Entering modifyUITemplate

2009-01-03 15:25:11 Allowing the local domain, adding it to the list.

2009-01-03 15:25:45 Entering validDomain

2009-01-03 15:25:45 User is using a valid domain.

2009-01-03 15:25:45 Setting domain as: test.es

2009-01-03 15:25:45 Entering getCanonicalName

2009-01-03 15:25:45 Username isn't empty.

2009-01-03 15:25:45 Munged username: user.name

2009-01-03 15:25:45 Entering userExists

2009-01-03 15:25:45

2009-01-03 15:25:45 Entering authenticate

2009-01-03 15:25:45

2009-01-03 15:25:45 Entering Connect

2009-01-03 15:25:45 Using TLS or not using encryption.

2009-01-03 15:25:45 Using servers: ldap://ldap.test.es

2009-01-03 15:25:45 Connected successfully

2009-01-03 15:25:45 Entering getSearchString

2009-01-03 15:25:45 Doing a proxy bind

2009-01-03 15:26:30 Failed to bind as cn=proxyuser,dc=test,dc=es

2009-01-03 15:26:30 with password: XXXXX

2009-01-03 15:26:30 Failed to bind

2009-01-03 15:26:30 User DN is blank

2009-01-03 15:26:30 Entering allowPasswordChange

2009-01-03 15:26:30 Entering modifyUITemplate

2009-01-03 15:26:30 Allowing the local domain, adding it to the list.

Can you try this with the stable version of the plugin (svn rev 43434), and see if it works for you? I made significant changes since then, and there is a possibility that I broke proxy binding; I haven't tested proxy bind yet since I made the changes.
--Ryan lane 15:09, 5 January 2009 (UTC)Reply

I get the same results in that version.

-- Vicente

I just realized you mentioned you are getting a white page... That means you are getting a php crash. What is showing up in your php error logs (may show in your http error logs)?
--Ryan lane 23:29, 12 January 2009 (UTC)Reply

Maybe it's just me but it seems like $wgLDAPAuthAttribute is broken in 1.2a when not using auto authentication (on mediawiki 1.13.3 & php5). See my debug output:

Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
userdn is: cn=First Last,o=Some Company,ou=people,dc=domain,dc=com

Binding as the user
Bound successfully
Checking for auth attributes

Warning: ldap_read() [function.ldap-read]: Search: No such object in /var/www/vhosts/wiki/mediawiki/extensions/LdapAuthentication.php on line 336

Warning: ldap_get_entries(): supplied argument is not a valid ldap result resource in /var/www/vhosts/wiki/mediawiki/extensions/LdapAuthentication.php on line 337
Failed auth attribute check
Entering strict.
Returning false in strict().
Entering allowPasswordChange
Entering modifyUITemplate
Allowing the local domain, adding it to the list.

Here are my settings:

## Section for configuring LDAP authentication
require_once("extensions/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array(
  "companyLDAPdomain"
  );
$wgLDAPServerNames = array(
  "companyLDAPdomain"=>"ldap.company.com"
  );
$wgLDAPUseLocal = true;
$wgLDAPEncryptionType = array(
  "companyLDAPdomain"=>"clear"
  );
$wgLDAPProxyAgent = array(
  "companyLDAPdomain"=>"cn=wiki,ou=proxy,dc=company,dc=com"
  );
$wgLDAPProxyAgentPassword = array(
  "companyLDAPdomain"=>"password"
  );
$wgLDAPSearchAttributes = array(
  "companyLDAPdomain"=>"uid"
  );
$wgLDAPBaseDNs = array(
  "companyLDAPdomain"=>"ou=people,dc=company,dc=com"
  );
$wgLDAPRequireAuthAttribute = array(
  "companyLDAPdomain"=>true
  );
$wgLDAPAuthAttribute = array(
  "companyLDAPdomain"=>"wikiAttributes=externalwiki"
  );

$wgLDAPDebug = 3;

The userdn in question does have that custom attribute (from a custom schema) 'wikiAttributes' defined and it's set to 'externalwiki'. Am I doing something wrong or is there really a bug? I tried hacking lines 336 & 337 but to no avail. This also seems to be happening on the latest from subversion as of rev 45670.

--Howard, 01/11/2009

Try setting your auth attribute to the following:

$wgLDAPAuthAttribute = array( "companyLDAPdomain"=>"(wikiAttributes=externalwiki)" );

--Ryan lane 23:23, 12 January 2009 (UTC)Reply

Thank you for the quick response! I finally got to the bottom of this. Turns out your code is perfect (sorry); this is a permissions issue. The proxy user had access to those attributes, but once it did the bind to the user in question; it had no access to any of its own attributes! I guess reading through the debug statements carefully is something I should've done _first_. Oops!

--Howard H 14:33, 14, January 2009 (CST)

Is it possible to set up kerberos to work in a Windows environment? If yes; How?? --Aroekene 15:26, 12 January 2009 (UTC)Reply

Your question isn't very clear. Are you looking to use IIS+mediawiki+AD? Are you looking to use apache and mediawiki on windows with AD? Are you looking to use apache and mediawiki on linux with AD? All of the answers are likely yes. You pretty much just need to follow the directions for the kerberos part. I'd make sure that regular LDAP authentication is working before you try enabling kerberos (one step at a time is always best).
--Ryan lane 23:26, 12 January 2009 (UTC)Reply

Windows Server 2003 - IIS6 - AD - MediaWiki - Ldap Authentication. Regular LDAP is working fine. I'll try to go trough the examples one more time. --Aroekene 08:57, 13 January 2009 (UTC)Reply

Make sure "Integrated authentication" is enabled in IIS. Also, ensure that your client has gssapi/spengo/kerberos/integrated auth enabled. You may also want to check your server strings, and make sure it is $_SERVER["REMOTE_USER"]; it is possible this string is something different in IIS. I haven't tested this in IIS.
--Ryan lane 14:10, 13 January 2009 (UTC)Reply

How do you set up LDAP to deal with usernames containing underscore (_). It seems like the underscore in usernames is converted to spaces ( ). --Aroekene 15:28, 12 January 2009 (UTC)Reply

This question has been answered numerous times on this discussion page; there are workarounds, and I don't intend on fixing this right now.
--Ryan lane 23:27, 12 January 2009 (UTC)Reply

I had some problems with a username for the LDAP Wikimedia France (fr:Utilisateur:(:Julien:)) because of its parenthesis : debug=" Created a regular filter: (sn=\5c28:Julien:\5c29)". I succeed by changing getLdapEscapedString into :

return str_replace(
                       array( "\\", "*", "(", ")", "\x00" ), //replace this
                       array( "\\5c", "\\2a", "\\28", "\\29", "\\00" ), //with this
                       $string //in this
               );

~ Seb35 11:13, 13 January 2009 (UTC)Reply

Thanks for the bug report, I'll add this in the TODO. I'll release this with the next version.
--Ryan lane 14:11, 13 January 2009 (UTC)Reply

I just installed LdapAuthentication and LdapAutoAuthentication from SVN, and I'm noticing now that there's an error thrown that AuthPlugin is needed. Looking back, I see that earlier versions of the plugin appear to have a require_once for AuthPlugin.php, but that has been removed. Was that intentional? I'm running MediaWiki 1.11.0, and I can't get the plugin to run without that line. --Laduncan 20:03, 13 January 2009 (UTC)Reply

It shouldn't be required. That said, I didn't make that change, and it may only apply to 1.12 and higher. Try adding it back in and see if it works...
--Ryan lane 22:33, 13 January 2009 (UTC)Reply

I needed to add require_once("AuthPlugin.php"); to LocalSettings.php.

Without it, I was getting this error:

Class 'AuthPlugin' not found in extensions/LdapAuthentication/LdapAuthentication.php on line 70

on Debian Lenny, Mediawiki 1.12.0, LDAP Authentication Plugin 1.2b. --Albert25 14:43, 2 January 2011 (UTC)Reply

1. Don't edit the archives!
2. Don't use the Debian MediaWiki package. I refuse to offer support for that version of MediaWiki.

   --Ryan lane 19:00, 2 January 2011 (UTC)Reply

Hi.

I'm currently working on a Wiki project, and I'm a very beginner with wiki.

However, i'd like to be able to check if somebody is in Active Directory.

The following code is in the loginToUse() method of the Outputpage class (in OutputPage.php) (which is easier for me now)

$auth = new LdapAuthenticationPlugin();
echo $auth->userExists("firstname.lastname");

And the response of the log is :

Entering userExists

1

Moreover, the LocalSettings.php file is configured properly because I can authenticate to the wiki with LDAP.

Where is the problem ?

Thanks

In some situations, the plugin always returns true in userExists, here is the line of code that is returning true:

        //If we can't add LDAP users, we don't really need to check
        //if the user exists, the authenticate method will do this for
        //us. This will decrease hits to the LDAP server.
        //We do however, need to use this if we are using auto authentication.
        if ( ( !isset( $wgLDAPAddLDAPUsers[$_SESSION['wsDomain']] ) || !$wgLDAPAddLDAPUsers[$_SESSION['wsDomain']]) && !$this->useAutoAuth() ) {
            return true;
        }

If you aren't using auto-authentication, and you aren't allowing the wiki to add users, the plugin will always return true in this method. As the comments mention, the authenticate method will fail if the user doesn't exist, so it is redundant (and a waste of resources) to first check if the user exists unless we absolutely have to.

If you have a valid need for this kind of functionality, you can add an option to have the wiki always check for existence.
--Ryan lane 15:57, 17 February 2009 (UTC)Reply

I've setup a Kerberos/OpenLDAP SSO solution for my group. I'm trying to get mediawiki to authenticate against the kerberos server and use LDAP to get simple user information (like their name and maybe email address). My goal is to not allow new user accounts to be created or anonymous edits and views on the wiki. I have mod_auth_kerb setup and working correctly. I'm getting an error message from mediawiki that I can't figure out. Here is the message:

Warning: call_user_func_array() [function.call-user-func-array]: First argument is expected to be a valid callback, 'LdapAutoAuthentication::Authenticate' was given in /srv/web/mediawiki-1.13.3/includes/Hooks.php on line 117
Internal error

Detected bug in an extension! Hook LdapAutoAuthentication::Authenticate failed to return a value; should return true to continue hook processing or false to abort.

Backtrace:

#0 /srv/web/mediawiki-1.13.3/includes/User.php(748): wfRunHooks('UserLoadFromSes...', Array)
#1 /srv/web/mediawiki-1.13.3/includes/User.php(221): User->loadFromSession()
#2 /srv/web/mediawiki-1.13.3/includes/User.php(1732): User->load()
#3 /srv/web/mediawiki-1.13.3/includes/User.php(1745): User->getGroups()
#4 /srv/web/mediawiki-1.13.3/includes/User.php(1718): User->getEffectiveGroups()
#5 /srv/web/mediawiki-1.13.3/includes/User.php(1864): User->getRights()
#6 [internal function]: User->isAllowed('read')
#7 /srv/web/mediawiki-1.13.3/includes/StubObject.php(58): call_user_func_array(Array, Array)
#8 /srv/web/mediawiki-1.13.3/includes/StubObject.php(184): StubObject->_call('isAllowed', Array)
#9 [internal function]: StubUser->__call('isAllowed', Array)
#10 /srv/web/mediawiki-1.13.3/includes/Title.php(1450): StubUser->isAllowed('read')
#11 /srv/web/mediawiki-1.13.3/includes/Wiki.php(149): Title->userCanRead()
#12 /srv/web/mediawiki-1.13.3/includes/Wiki.php(54): MediaWiki->preliminaryChecks(Object(Title), Object(OutputPage), Object(WebRequest))
#13 /srv/web/mediawiki-1.13.3/index.php(93): MediaWiki->initialize(Object(Title), NULL, Object(OutputPage), Object(User), Object(WebRequest))
#14 {main}

Here are all of my additions (to the bottom) of my LocalSettings.php file:

# LDAP Authentication
require_once('extensions/LdapAuthentication.php');

$wgLDAPDomainNames = array("testing");
$wgLDAPServerNames = array("testing"=>"ldaps.example.com");

$wgLDAPAutoAuthDomain = "testing";

$wgLDAPProxyAgent = array("testing"=>"cn=ldapbrowser,dc=example,dc=com");
$wgLDAPProxyAgentPassword = array("testing"=>"password");
$wgLDAPBaseDNs = array("testing" => "dc=example,dc=com");

$wgLDAPSearchAttributes = array("testing" => "uid");

$wgLDAPAutoAuthUsername = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"] );

AutoAuthSetup();

# Prevent new user registrations
$wgGroupPermissions['*']['createaccount'] = false;
# Restrict anonymous editing
$wgGroupPermissions['*']['edit'] = false;
# Restrict anonymous reads
$wgGroupPermissions['*']['read'] = false;

$wgShowExceptionDetails = true;

$wgLDAPDebug = 3;

I'm running the latest packaged Apache2 and PHP on a Ubuntu 8.04 server. I'm using the latest mediawiki (1.13.3) and Ldap_Authentication extension 1.2a.

Let me know if I can provide any other info to help diagnose this error. I really appreciate the work you've done on the extension and the support!

Thanks, Ken

I think I may be missing an argument in a function, can you please try the following patch:

--- LdapAutoAuthentication.php.old      2009-02-03 17:20:13.460951000
-0600
+++ LdapAutoAuthentication.php  2009-02-03 17:25:08.974031000 -0600
@@ -7,7 +7,16 @@
         *
         * @access public
         */
-       static function Authenticate( $user, &$result ) {
+       static function AuthenticateAfterLoad( $user ) {
+               return LdapAutoAuthentication::Authenticate( true, $user );
+       }
+
+       /**
+        * Does the web server authentication piece of the LDAP plugin.
+        *
+        * @access public
+        */
+       static function Authenticate( &$result, $user ) {
                global $wgUser;
                global $wgAuth;
                global $wgLDAPAutoAuthUsername;

--- LdapAuthentication.php.old  2009-02-03 17:25:44.236929000 -0600
+++ LdapAuthentication.php      2009-02-03 17:26:13.602250000 -0600
@@ -1741,7 +1741,7 @@
                if ( version_compare( $wgVersion, '1.14.0', '<' ) ) {
                        $wgHooks['UserLoadFromSession'][] = 'LdapAutoAuthentication::Authenticate';
                } else {
-                       $wgHooks['UserLoadAfterLoadFromSession'][] = 'LdapAutoAuthentication::Authenticate';
+                       $wgHooks['UserLoadAfterLoadFromSession'][] = 'LdapAutoAuthentication::AuthenticateAfterLoad';
                }
                $wgHooks['PersonalUrls'][] = 'LdapAutoAuthentication::NoLogout'; /* Disallow logout link */
        }

--Ryan lane 15:48, 17 February 2009 (UTC)Reply

I'm fairly new to php, but I managed to get MWv1.12 with PHP5.2.0 up and running with little difficulty. I'm running on Windows Server 2003 with IIS6.0

I have LDAPAuthentication.php (1.1g I think) integrating with my AD .. until a few days ago. It has just stopped working. I've turned on debugging and get the following:

Entering validDomain
User is using a valid domain.
Setting domain as: development
Entering getCanonicalName
Username isn't empty.
Munged username: wikiuser
Entering authenticate
Entering Connect
It looks like you are issing LDAP support; please ensure you have either compiled LDAP support in, or have enabled the module. If the authentication is working for you, the plugin isn't properly detecting the LDAP module, and you can safely ignore this message.
Using TLS or not using encryption.
Using servers: ldap://dc1.development.com ldap://dc2.development.com

I've added some more debug output, and in LDAPAuthentication.php the page just stops on the line :

$ldapconn = @ldap_connect( $servers );

My LocalSetting.php file contains the following:

# LDAP Authentication
require_once ("extensions/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array(development");
$wgLDAPServerNames = array("development" => "dc1.development.com dc2.development.com");
$wgLDAPProxyAgent  = array("development"=>"cn=wikiuser,cn=Users,dc=development,dc=com");
$wgLDAPProxyAgentPassword = array("development"=>"wikipassword");
$wgLDAPSearchAttributes = array("development"=>"sAMAccountName");
$wgLDAPBaseDNs = array("development" => "DC=development, DC=com");
$wgLDAPUseLocal = false;
$wgLDAPEncryptionType = array("development" => "clear");
$wgMinimalPasswordLength = 1;
$wgLDAPDebug = 4;

I've checked and access to my domain controllers on port 389 seems fine. The user I'm authenticating with is active and not locked out or anything similar. I tried just replacing the LDAPAuthentication.php with the 1.2a version, but that doesn't run at all, so I'm assuming that I'missing some new variables in LocalSettings or something, I'll have to look into that.

It's been working fine for months, and this week I have this problem. Does anyone know of a microsoft patch or something else that may have stopped PHP being able to query the AD?

I know it's not a lot to go on, but can anyone help?

Thanks --Jcc105 09:44, 30 January 2009 (UTC)Reply

If nothing changed on the web server side, I'd check on the AD side. Maybe there is an issue with one of your AD servers? Did you try putting dc2 before dc1 in the ServerNames option? Does your security log on the AD server show that the proxyagent is successfully authenticating? Also, I'm sure this is probably a typo, but this line is missing a quote:

$wgLDAPDomainNames = array(development");

It should be:

$wgLDAPDomainNames = array("development");

--Ryan lane 15:45, 17 February 2009 (UTC)Reply

Hi,

i am using the LDAP Extension in one of my wikis and everything is working fine! Now í installed a new wiki and i wanted to use the LDAP Authentification, too. I used the same configuration as in my first wiki but it is not working! After the login i get a white page. The URL seems to be ok. Had anyone the same problem or has anyone an idea what the fault is?

Thanks!

Is this new wiki on a new server? If so, you may be missing ldap support in php. Or maybe you are missing ssl support? Is anything showing up in your php logs (possibly in your webserver's error_log or ssl_error_log).
--Ryan lane 15:41, 17 February 2009 (UTC)Reply

I had the exact same issue and here is how I solved it:

I ran this command to install LDAP support in php

sudo apt-get php5-ldap

After that I rebooted the server and then this LDAP auth. extension started working. Thanks for the tip, Ryan! --65.196.104.59 18:17, 23 September 2009 (UTC)Reply

See on page: Extension:LDAP Authentication/Kerberos Configuration Examples

// After we set all configuration options, we want to setup the Auto Auth plugin. This will // create an instance of LdapAuthentication as $wgAuth

how does AutoAuthSetup() work's on localsettings.php

It finishes setting up the plug-in, and creates $wgAuth. I'm not sure if this answers your question.
--Ryan lane 20:30, 26 February 2009 (UTC)Reply

Can the creator of this extension or other users confirm that this extension (1.2) is really stable MW1.6 upwards all the way to 1.14.0? --Piksi 11:38, 24 February 2009 (UTC)Reply

It should be, but I don't have a test suite set up to test for this kind of compatibility. I also don't have good enough hardware, or licenses for things like Windows 2003 Enterprise Edition.

If someone wants to donate a Macbook Pro with a lot of RAM, and a Windows 2003 Enterprise Edition license, I'll be more than happy to set up a proper testing environment with unit tests. I'd probably be more likely to kill some of the other AD related TODO's too.
--Ryan lane 20:29, 26 February 2009 (UTC)Reply

Working fine on MW1.14 --62.172.72.131 12:25, 12 March 2009 (UTC)Reply

Hi, I'm trying to autentifcate against an AD on Windows 2003 SBS Server. With Ldap Browser login succseed.

my config:

require_once("AuthPlugin.php");
require_once ('extensions/LdapAuthentication.php');

$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array(
  'Test'
);

$wgLDAPServerNames = array(
  'Test' => 'ad.Test.local'
);

$wgLDAPSearchStrings = array(
  'Test' => 'USER-NAME@Test.local'
);

$wgLDAPEncryptionType = array(
  'Test' => 'clear'
);

$wgLDAPUseLocal = false;

$wgMinimalPasswordLength = 1;

$wgLDAPBaseDNs = array(
  'Test' => 'DC=Test,DC=local'
);

$wgLDAPSearchAttributes = array(
  'Test' => 'sAMAccountName'
);

$wgLDAPUserBaseDNs = array(
  "Test"=>"CN=SBSUsers,OU=Users,OU=MyBusiness,DC=Test,DC=local"
  );

$wgLDAPDebug = 99;

After failed Login:

    Entering validDomain
    User is using a valid domain.
    Setting domain as: Test
    Entering getCanonicalName
    Username isn't empty.
    Munged username: TestUser
    Entering userExists

    Entering authenticate

    Entering Connect
    Using TLS or not using encryption.
    Using servers: ldap://ad.Test.local
    Connected successfully
    Entering getSearchString
    Doing a straight bind
    userdn is: TestUser@Test.local

    Binding as the user
    Failed to bind as TestUser@Test.local
    with password: 123
    Entering allowPasswordChange
    Entering modifyUITemplate

I don't know why Binding failed. User and Password are right.

Thank you!

Everything looks right to me. Are you sure your AD server allows binds without encryption? By default it doesn't.
--Ryan lane 14:22, 3 March 2009 (UTC)Reply

Thank you for the fast reply

No I'm not sure. Do you know where I can check / change it in windows?

Not sure; it is going to be in the security policy on the domain controller though. Should be something like "require secure channel for authentication". I'd check for you, but I don't have a Windows 2003 system to check against.
--Ryan lane 20:56, 3 March 2009 (UTC)Reply