Extension:LDAP Authentication/Suggestions
| Release status | stable |
|---|---|
| Implementation | User identity |
| Description | Provides LDAP authentication, and some authorization functionality for MediaWiki |
| Author(s) | Ryan Lane |
| Last Version | 1.2a (2009-05-06) |
| MediaWiki | 1.6+ |
| License | GPL |
Suggestions
- Please add the check "isset( $_SESSION['wsDomain'] )" on lines 518, 609 and 613 (version 1.2b (alpha)) to fix the "Notice: Undefined index: wsDomain" error notice. Maybe this check should be added in more places, but I received notices only for the three mentioned. -- kettari
- If the domain isn't being set, there is a problem with MediaWiki core, or somewhere else in the LDAP plugin. The code shouldn't have to check for the domain, because it should always be set.
- I also haven't been able to reproduce these php notices. Can you post your configuration in the support section, so that I can try to reproduce the bug?
--Ryan lane 13:39, 8 July 2009 (UTC)
- I'm having this "undefined index: wsdomain" issue as well (posted details in support section). You mentioned that if this occurs then the domain isn't being set and there's a problem in the core. Just wondering if you know exactly where this domain variable is supposed to be set?
--Richardj87
- This issue has been resolved (See http://www.mediawiki.org/wiki/Extension_talk:LDAP_Authentication#Undefined_index:_wsDomain_error for details)
--Richardj87
- Is it possible that when using the LDAP authentication plugin the user's email address would be automatically confirmed, since it is being pulled out of Active Directory? Axelseaa 14:29, 17 July 2007 (UTC)
- I was under the impression that this was the case; I'll take a look into this.
--Ryan lane 13:42, 17 August 2007 (UTC)
- I've had a recurring problem where mediawiki won't create a new account if the username and password in LDAP are identical - no errors are thrown, it just shows the login as incorrect. Is it possible to get an error to appear for this, or is it a restriction of mediawiki rather than the plugin? Other than that, it works perfectly, thanks a lot for your work.
-- Nickt
- I don't see why this would fail, unless it is an issue with mediawiki; I think it is a good idea of mediawiki to do this, but I generally handle this with LDAP, so I've never tested it (as that is a terribly insecure password).
--Ryan lane 14:06, 5 November 2007 (UTC)
- Understood - thanks a lot for the reply.
-- Nickt
- Seems another user had this issue, and I took the time to dig through MediaWiki core. This is a MediaWiki core issue. They don't allow username and password to be identical. This was most likely added after they had that massive sysop password crack incident.
--Ryan lane 16:00, 13 December 2007 (UTC)
- Hello Ryan and all. I just spent the better part of a working week getting Active Directory 2003 auth with Groups over SSL working with Mediawiki using this plugin. Firstly, thanks so much for writing it! However, figuring out what needs to be done is not easy, as the different versions of parameters, modifications and config examples on this page and on the net make it all very confusing. The lack of clear error returning can sometimes make it difficult to troubleshoot where a problem lies (SSL, certs, PHP, etc). I'm going to make the same changes from my test server to production next week, so I'll document it and make a step-by-step howto if anyone's interested? I imagine a lot of people would be.
- Further, would it be possible to tidy up this documentation any? I'd suggest moving the "OLD DEPRECATED" group auth into a lower section, or maybe a subpage, and the current group auth moved up, so people use that first instead of the old stuff which doesn't work. Also, a quick overview of other required auth modules and a few pointers to their config tips would also be infinitely helpful, not a walkthru, just one sentence with the basic requirements, I found just a small amount of advice like this helped me immensely when getting AD LDAP Auth working with PmWiki as well.
--Super Jamie 05:32, 2 November 2007 (UTC)
- Yes, I'd like to agree that once I understood what to do, getting it working was easy, but the documentation here is terse. It partly assumes that you know LDAP through and through, I think, but that's not always the case - I happen to be learning LDAP at the same time. I'm not expecting for this to be an LDAP tutorial in any way, but to have more examples of how the code would be used in a real situation would have helped me understand what was meant to go where your placeholder text is much sooner. — Timotab 13:01, 2 November 2007 (UTC)
- My #1 tip to getting this plugin working, is to never, ever, read other people's configuration examples. Only use the documentation here, as the documentation everywhere else is going to almost definitely be wrong. I have to have the ability to change configuration options every once in a while when the code needs rearranging, or when I find a better way of doing something.
- As for error returning, using "$wgLDAPDebug = 3;" will return quite a bit of error messages. I've tried adding in error reporting for when php_ldap is missing, but haven't successfully been able to check for SSL support. The prerequisites for using this plugin are listed at the top of this page.
- A tutorial on how to set up active directory and the client system for plugin use is fine by me, but I'm unlikely to ever write it (as I don't have easy access to a Windows Server 2003 OS, if someone buys me a copy, I'll happily use it for testing).
--Ryan lane 14:06, 5 November 2007 (UTC)
- Hi guys, I've written that documentation up, located at User:Super_Jamie/LDAP_HOWTO, hope it helps someone. --Super Jamie 05:14, 7 November 2007 (UTC)
- I would recommend a comment to the debug message if the bind fails to indicate that it may be a server connection problem. It's mentioned on the PHP:ldap_connect page, but it is confusing that a connection to the server isn't actually made until the bind, even though the debug messages return "Connected successfully" before then.
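The distinction raised in the suggestion above, shown as an added example that is not code from the LDAP Authentication extension: with OpenLDAP-based builds of php_ldap, `ldap_connect()` only initializes the connection parameters, so an unreachable server first surfaces as a failed `ldap_bind()`. The helper names `describeBindFailure()` and `tryBind()`, the server URI and the DN are hypothetical placeholders; the numeric codes are the OpenLDAP client error values.

```php
<?php
// Added example; not part of the extension. Helper names, URI and DN are placeholders.

// Turn the error left on the handle by a failed bind into a debug message that
// separates "server never reached" from "server rejected the credentials".
function describeBindFailure( int $errno, string $error ): string {
    // Negative codes are generated by the OpenLDAP client library itself.
    $connectionErrors = array(
        -1,  // LDAP_SERVER_DOWN
        -5,  // LDAP_TIMEOUT
        -11, // LDAP_CONNECT_ERROR
    );
    if ( in_array( $errno, $connectionErrors, true ) ) {
        return "Bind failed: could not reach the server ($error). "
            . "Check host, port, SSL/TLS settings and certificates.";
    }
    if ( $errno === 49 ) { // LDAP_INVALID_CREDENTIALS
        return "Bind failed: the server rejected the DN or password ($error).";
    }
    return "Bind failed: $error (LDAP error $errno).";
}

function tryBind( string $uri, string $dn, string $password ): string {
    // An empty password turns the request into an unauthenticated bind, which
    // many servers accept, so never treat it as a successful login.
    if ( $password === '' ) {
        return "Refusing to bind with an empty password.";
    }
    // Only the URI syntax is checked here; no network traffic is sent yet.
    $conn = ldap_connect( $uri );
    if ( $conn === false ) {
        return "Invalid LDAP URI: $uri";
    }
    ldap_set_option( $conn, LDAP_OPT_PROTOCOL_VERSION, 3 );
    ldap_set_option( $conn, LDAP_OPT_NETWORK_TIMEOUT, 5 ); // seconds
    // The TCP (and SSL) connection is actually opened by this call.
    if ( @ldap_bind( $conn, $dn, $password ) ) {
        return "Bound successfully as $dn";
    }
    return describeBindFailure( ldap_errno( $conn ), ldap_error( $conn ) );
}

echo tryBind( 'ldaps://ldap.example.org:636',
    'uid=jdoe,ou=people,dc=example,dc=org', 'placeholder-password' ), "\n";
```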
- I can successfully log in using my LDAP credentials, and Real Name and Email are pulled from LDAP and can be seen in preferences. The issue is that none of the actions show my Real Name, only my username. Is this an issue with the extension or mediawiki?
- This is normal for mediawiki. Real Name can be used in signatures, but for revision history, recent changes, etc. it will show your username, not the real name. Search the lists and you may find if this can be changed, but I'm assuming no.
--Ryan lane 18:21, 15 December 2008 (UTC)
- Is it possible to add the function strictUserAuth of AuthPlugin in the LDAP plug-in in a fashion mode? I don't see all the uses of this function, but I have to use it in our wiki to authorize e.g. WikiSysop to be authenticated with the local database (and all others with LDAP). It is possible to add a list of names authorized (or not, depending on $wgLDAPUseLocal) to be authenticated with the local database and/or to add a hook for specific usages. What do you think about all that? ~ Seb35 08:40, 7 August 2009 (UTC)
- Yes, I'll add this for the next release. I'll probably use a syntax like:
- $wgLDAPAllowLocalUsers = array( "DOMAIN1" => array( "user1", "user2", "..." ), "DOMAIN2" => array( "..." ) );