Extension:LDAP Authentication/FAQ
From MediaWiki.org
Release status: stable

| Field | Value |
|---|---|
| Implementation | User identity |
| Description | Provides LDAP authentication, and some authorization functionality for MediaWiki |
| Author(s) | Ryan Lane |
| Last Version | 1.2a (2009-05-06) |
| MediaWiki | 1.6+ |
| License | GPL |
| Download | |
Where do I download the extension?
See the download section of the infobox on any of the pages of this documentation.
Is the extension compatible with...?
Solaris LDAP Client
Problem
If your server uses the Solaris LDAP client instead of OpenLDAP (determined through phpinfo()), you will be unable to connect to LDAP servers. The cause is the form of the host name passed to ldap_connect(): the Solaris client does not accept a URL scheme in front of it. The example below illustrates the issue.
Example
Works on OpenLDAP, bombs on the Solaris client:
<?php
// LDAP variables
$ldaphost = "ldap://ldap.server.com"; // your ldap servers
$ldapport = 389; // your ldap server's port number
// Connecting to LDAP
$ldapconn = ldap_connect($ldaphost, $ldapport)
or die("Could not connect to $ldaphost");
echo $ldapconn;
?>
The cause is the ldap:// portion of the host string; with a bare host name the same call succeeds.
Works with the Solaris client:
<?php
// LDAP variables
$ldaphost = "ldap.server.com"; // your ldap servers
$ldapport = 389; // your ldap server's port number
// Connecting to LDAP
$ldapconn = ldap_connect($ldaphost, $ldapport)
or die("Could not connect to $ldaphost");
echo $ldapconn;
?>
The code in LdapAuthentication.php prepends ldap://, ldapi://, or ldaps:// to every server name, which makes ldap_connect() fail with the Solaris client.
Remedy
Remove the $serverpre value from the block below. Note that this also drops the ldaps:// prefix, so an SSL encryption type is no longer expressed in the server URL; confirm by other means (the client library's own TLS settings, a packet capture) that the Solaris client still encrypts the bind, otherwise the proxy agent password travels in clear text.
// Build the space-separated server list for the current domain.
$servers = "";
$tmpservers = $wgLDAPServerNames[$_SESSION['wsDomain']];
$tok = strtok( $tmpservers, " " );
while ( $tok ) {
    // $serverpre is the scheme prefix (ldap://, ldapi:// or ldaps://).
    $servers = $servers . " " . $serverpre . $tok;
    $tok = strtok( " " );
}
$servers = rtrim( $servers );
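The two halves of this workaround in one place, as an added example (my code, not the extension's): it detects the LDAP client library the way the page suggests, by reading phpinfo(), and then builds the server list with the scheme prefix only when the client accepts one. The variable names $serverpre and $wgLDAPServerNames mirror the extension's; the function names, the sample server names and the domain key are my assumptions.

```php
<?php
// Added example, not the extension's own code. Detect the LDAP client library
// from phpinfo() and build the server list accordingly.

// True when phpinfo() reports OpenLDAP as the LDAP client library; the Solaris
// client reports a different vendor name there.
function ldapClientIsOpenLdap(): bool {
    ob_start();
    phpinfo(INFO_MODULES);
    $modules = (string) ob_get_clean();
    return stripos($modules, 'OpenLDAP') !== false;
}

// Build the space-separated server list that ldap_connect() receives.
// $withScheme = false reproduces the "remove $serverpre" remedy above.
function buildServerList(string $names, string $serverpre, bool $withScheme): string {
    $servers = [];
    foreach (preg_split('/\s+/', trim($names)) as $name) {
        if ($name === '') {
            continue;
        }
        $servers[] = $withScheme ? $serverpre . $name : $name;
    }
    return implode(' ', $servers);
}

// Constructed sample configuration (assumed names).
$wgLDAPServerNames = ['testdomain' => 'ldap1.example.com ldap2.example.com'];
$serverpre = 'ldaps://';
$withScheme = ldapClientIsOpenLdap();

echo buildServerList($wgLDAPServerNames['testdomain'], $serverpre, $withScheme), "\n";

if (!$withScheme && $serverpre === 'ldaps://') {
    // Dropping the prefix also drops the request for LDAPS. Do not let that pass
    // silently: unless the client library is configured for TLS by other means,
    // the bind password will be sent in clear text.
    fwrite(STDERR, "warning: scheme prefix removed; LDAPS is no longer requested in the URL\n");
}
```

With the OpenLDAP client the output carries the ldaps:// prefix on each name; with the Solaris client the names are emitted bare and the warning is printed when the configured scheme was ldaps://.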
MediaWiki 1.9
Official workaround
LdapAuthentication.php up to 1.1c (>=1.1d can skip this)
I've filed a bug in MediaWiki's Bugzilla to get part of this fixed. One part of the workaround is in my code (which will be fixed and released soon), and the other is in MediaWiki's code. To make it work, change the following in the initUser() function of LdapAuthentication.php (if using 1.1c or below):
$user->setPassword( '' );
to:
$user->mPassword = '' ;
and add the following function to LdapAuthentication.php:
/**
 * Can the wiki change passwords in LDAP?
 * Return true if yes.
 *
 * @return bool
 * @access public
 */
function allowPasswordChange() {
    global $wgLDAPUpdateLDAP, $wgLDAPMailPassword;
    // Default both to false so a domain with neither option configured cannot
    // change passwords, and so the variables are defined before they are read.
    $updateLDAP = false;
    $mailPassword = false;
    if ( isset( $wgLDAPUpdateLDAP[$_SESSION['wsDomain']] ) ) {
        $updateLDAP = $wgLDAPUpdateLDAP[$_SESSION['wsDomain']];
    }
    if ( isset( $wgLDAPMailPassword[$_SESSION['wsDomain']] ) ) {
        $mailPassword = $wgLDAPMailPassword[$_SESSION['wsDomain']];
    }
    return ( $updateLDAP || $mailPassword );
}
SpecialUserlogin.php (all versions of MediaWiki 1.9.x)
In includes/SpecialUserlogin.php you can use the following patch (you probably want to patch by hand, since this patch is against SVN):
--- SpecialUserlogin.php (revision 19677)
+++ SpecialUserlogin.php (working copy)
@@ -307,13 +307,18 @@
* @private
*/
function initUser( $u ) {
+ global $wgAuth;
+
$u->addToDatabase();
- $u->setPassword( $this->mPassword );
+
+ if ( $wgAuth->allowPasswordChange() ) {
+ $u->setPassword( $this->mPassword );
+ }
+
$u->setEmail( $this->mEmail );
$u->setRealName( $this->mRealName );
$u->setToken();
- global $wgAuth;
$wgAuth->initUser( $u );
$u->setOption( 'rememberpassword', $this->mRemember ? 1 : 0 );
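Review bot: The guarded `$u->setPassword( $this->mPassword )` leaves the freshly created row with whatever password `addToDatabase()` wrote when `$wgAuth->allowPasswordChange()` returns false, and nothing in the hunk records that this is deliberate; add a sentence to the `@private` docblock above `initUser()` saying that no local password is set for an external-auth plugin and that `$wgAuth->initUser( $u )` further down owns that field in that case, so a later reader does not "fix" the apparent omission. Moving `global $wgAuth;` to the top of the function is correct, since the variable is now read before the `$wgAuth->initUser( $u )` call.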
How do I install the extension?
See the install section of the about page.
How do I configure the extension?
See the configuration pages.
How do I configure PHP with LDAP on Windows?
You need to:
- Add the PHP directory to the PATH system variable
- Ensure libeay32.dll and ssleay32.dll are in this path
- Edit the php.ini file, and change:
  ;extension=php_ldap.dll
  to:
  extension=php_ldap.dll
- Restart your web server
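An added check script (mine, not part of the extension or this page) to confirm the steps above took effect: run it with the same php.exe the web server uses, and it reports which php.ini is loaded, whether the ldap extension is present, and whether the two OpenSSL DLLs are reachable through PATH. The DLL names are the ones listed above; newer PHP builds ship OpenSSL under different file names, so adjust the list to match your build.

```php
<?php
// Added check script, not the extension's own code. Run from a command prompt
// with the php.exe the web server uses, after restarting the server.

function ldapExtensionLoaded(): bool {
    return extension_loaded('ldap');
}

// Walk the PATH environment variable the way the Windows loader does and
// return the first directory that contains the DLL, or null if none does.
function findOnPath(string $dll): ?string {
    foreach (explode(PATH_SEPARATOR, (string) getenv('PATH')) as $dir) {
        if ($dir === '') {
            continue;
        }
        $candidate = rtrim($dir, '\\/') . DIRECTORY_SEPARATOR . $dll;
        if (is_file($candidate)) {
            return $candidate;
        }
    }
    return null;
}

$ok = true;
printf("php.ini in use: %s\n", php_ini_loaded_file() ?: '(none)');

if (ldapExtensionLoaded()) {
    echo "ldap extension: loaded\n";
} else {
    echo "ldap extension: NOT loaded (check extension=php_ldap.dll and extension_dir in php.ini)\n";
    $ok = false;
}

// DLL names as listed on this page (OpenSSL 1.0-era names).
foreach (['libeay32.dll', 'ssleay32.dll'] as $dll) {
    $where = findOnPath($dll);
    if ($where !== null) {
        echo "$dll: $where\n";
    } else {
        echo "$dll: not found on PATH\n";
        $ok = false;
    }
}

exit($ok ? 0 : 1);
```

A non-zero exit status means at least one step is still missing; if php.ini in use does not show the file you edited, the web server's PHP is reading a different php.ini than the one you changed.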
How do I fix certificate trust issues with LDAPS or LDAP with StartTLS on Windows?
If you are having trust issues with LDAPS or LDAP with StartTLS, you need to modify your ldap.conf file. Its path appears to be hard-coded in the Windows build of PHP. Put your OpenLDAP options into the following file (create the directories and the file if they do not exist):
C:\openldap\sysconf\ldap.conf
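An added example of what that file should contain (my example, not from the page); TLS_CACERT and TLS_REQCERT are standard OpenLDAP ldap.conf options, and the certificate path is an assumption. Point TLS_CACERT at the CA certificate (PEM) that issued your directory server's certificate:

```text
# C:\openldap\sysconf\ldap.conf (added example; path to the CA file is assumed)
TLS_CACERT C:\openldap\sysconf\ca.crt
TLS_REQCERT demand
```

Do not "fix" trust errors with TLS_REQCERT never: that disables verification of the directory server's certificate, so anyone on the network path can impersonate the server and capture the proxy agent password and user credentials. TLS_REQCERT demand keeps verification on; the fix for a trust error is to supply the right CA certificate.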
Authentication fails for usernames with underscores; how do I fix this?
This is currently unsupported in the extension. MediaWiki replaces underscores with spaces in usernames, so the extension receives the username with the underscores already replaced.
Here is a user-submitted hack for getting this to work:
I added a line at the beginning of the function "getSearchString":
$username = str_replace(' ','_',$username);
This replaces the space with an underscore when it creates the username that is sent to the LDAP server. As far as MediaWiki is concerned, it will still use the space in the name.
--JoeD July 7th 2007
- You might also have to do the same str_replace in the function "authenticate".--80.179.206.193 16:47, 23 April 2009 (UTC)
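An added example (my code, not the extension's and not the hack above) that applies the same space-to-underscore mapping and, beyond what the hack does, escapes the value before it is placed in the search filter, so that a username cannot add or close filter terms. It assumes PHP's ldap extension (ldap_escape() needs PHP 5.6 or later); the function names and sample inputs are mine.

```php
<?php
// Added example, not the extension's own code or the user-submitted hack.
// Map a MediaWiki username (spaces) back to the LDAP form (underscores) and
// build the search filter with the value escaped.

// MediaWiki hands the plugin "John Doe"; the directory stores "John_Doe".
function wikiNameToLdapName(string $wikiName): string {
    return str_replace(' ', '_', $wikiName);
}

// Build "(attr=value)" with the value escaped for use inside a filter.
// ldap_escape() with LDAP_ESCAPE_FILTER rewrites *, (, ), \ and NUL as
// \2a, \28, \29, \5c and \00, so the username cannot alter the filter.
function buildSearchFilter(string $attr, string $wikiName): string {
    $ldapName = wikiNameToLdapName($wikiName);
    return '(' . $attr . '=' . ldap_escape($ldapName, '', LDAP_ESCAPE_FILTER) . ')';
}

// Constructed sample inputs: a normal name, one that already has underscores,
// and one carrying filter metacharacters.
foreach (['John Doe', 'j_doe', 'a*b)(uid=*'] as $name) {
    echo buildSearchFilter('uid', $name), "\n";
}
```

The same mapping belongs in authenticate() as the comment above notes; apply the escaping wherever the name is interpolated into a filter, not only in getSearchString.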
Can I use one attribute to authenticate users, but use another as the username?
You can do this using the 'SetUsernameAttributeFromLDAP' hook. For instance, in the following LocalSettings.php configuration, authentication is done with the "cn" attribute, but the username is set from the "uid" attribute:
require_once( "$IP/extensions/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "testLDAPdomain" );
$wgLDAPServerNames = array( "testLDAPdomain"=>"testLDAPserver.LDAP.example.com testLDAPserver2.LDAP.example.com" );
$wgLDAPProxyAgent = array( "testLDAPdomain"=>"cn=proxyagent,ou=profile,dc=LDAP,dc=example,dc=com" );
// Single quotes matter here: in a double-quoted string PHP would interpolate
// the "$w0r6" part of this password as a variable and bind with a different password.
$wgLDAPProxyAgentPassword = array( "testLDAPdomain"=>'S0M3L0ngP@$$w0r6ofS0meV@rie222y!' );
$wgLDAPSearchAttributes = array( "testLDAPdomain"=>"cn" );
$wgLDAPBaseDNs = array( "testLDAPdomain"=>"dc=LDAP,dc=example,dc=com" );
$wgHooks['SetUsernameAttributeFromLDAP'][] = 'SetUsernameAttribute';
// This function allows you to get the username from LDAP however you need to do it.
// This is the username MediaWiki will use.
function SetUsernameAttribute( &$LDAPUsername, $info ) {
    // Guard against an entry that has no uid value, which would otherwise raise an undefined index.
    if ( isset( $info[0]['uid'][0] ) ) {
        $LDAPUsername = $info[0]['uid'][0];
    }
    return true;
}
I installed the extension, but now I don't have a Sysop user; how do I give myself Sysop rights?
There are a few ways of doing this; however, the easiest method is:
- Log in with your regular account (to ensure your account is created)
- Disable the extension
- Log in as WikiSysop
- Go to Special:Userrights and add the sysop group to your regular account
- Re-enable the extension
How do I remove the domain list from Special:Userlogin?
You can hide it with CSS; edit MediaWiki:Common.css and add the following. This only hides the control in the browser: the domain field is still part of the login form and is still submitted, so treat it as a cosmetic change, not as a restriction on which domains can be used.
#mw-user-domain-section {
display: none !important;
}