Topic on Extension talk:LDAP Authentication

Automatic Logon to Mediawiki Using IIS

9
184.184.167.21 (talkcontribs)

Here's what I'm working with:


Windows Server 2008 R2 (AD environment)

IIS 7.5

OpenLDAP (for the CA certificate handling)

Mediawiki 1.17

PHP 5.3.8

MySQL 5.1.50

LDAPAuthentication v.1.2h


Everything is working fine, except I'm unable to figure out how to go about having domain users automatically authenticate to Mediawiki using my current setup. Is there anything special that I should do when using IIS, since all documentation I've seen heavily favors Apache? Thanks.


-Chris

184.184.167.21 (talkcontribs)

Nevermind. I seem to have gotten auto-authentication working with IIS. If anyone is interested, I'll post what I did later.

Jeremfg (talkcontribs)

Sounds like a great idea for my intranet... Would you post it please?

184.184.167.21 (talkcontribs)

Here's what I did to get my setup working...

LocalSettings.php file

##LDAP Authentication Plugin
require_once( "$IP/extensions/LdapAuthentication/LdapAutoAuthentication.php" );
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgLDAPDomainNames		 = array("DOMAIN");
$wgLDAPGroupBaseDNs		 = array("DOMAIN"=>"ou=groups,dc=domain,dc=org");
$wgLDAPAutoAuthDomain		 = "DOMAIN";
$wgLDAPGroupUseFullDN		 = array( "DOMAIN"=>true );
$wgLDAPServerNames		 = array("DOMAIN"=>"vw2k8-adfsmo2.domain.org");
$wgLDAPSearchStrings		 = array( "DOMAIN" => "DOMAIN\USER-NAME" );
$wgLDAPSearchAttributes		 = array("DOMAIN"=>"sAMAccountName");
$wgLDAPBaseDNs			 = array("DOMAIN"=>"dc=domain,dc=org");
$wgLDAPEncryptionType		 = array( "DOMAIN" => "ssl" );
$wgMinimalPasswordLength	 = 1;
#Configure LDAP Group settings
$wgLDAPUseLDAPGroups		 = array( "DOMAIN"=>true );
$wgLDAPGroupObjectclass		 = array( "DOMAIN"=>"group" );
$wgLDAPGroupAttribute		 = array( "DOMAIN"=>"member" );
$wgLDAPGroupNameAttribute	 = array( "DOMAIN"=>"cn" );
#Restrict anonymous users
$wgGroupPermissions['*' ]['createaccount'] 	= false;
$wgGroupPermissions['*' ]['read'] 		= false;
$wgGroupPermissions['*' ]['edit'] 		= false;
#Remove the domain portion of the displayed username. Example: "DOMAIN\username" to "username"
list($dom,$userid) = split('[\]',$_SERVER['REMOTE_USER']); 
$wgLDAPAutoAuthUsername = $userid; 
AutoAuthSetup();

Note: Absent from the config are $wgLDAPProxyAgent and $wgLDAPProxyAgentPassword. You will probably need these. I didn't for some reason, so I omitted them.

Forcing Kerberos Authentication on IIS

Helpful link: http://technet.microsoft.com/en-us/library/cc754628(WS.10).aspx

Important Quote from TechNet: The default setting for Windows authentication is Negotiate. This setting means that the client can select the appropriate security support provider. To force NTLM authentication, you must change the value of the <Provider> element under the <windowsAuthentication> element in the ApplicationHost.config file.

I changed my ApplicationHost.config file to look like this:


                <windowsAuthentication enabled="false">
                    <providers>
                        <add value="NTLM" />
		<!--	<add value="Negotiate" />  -->
                    </providers>
                </windowsAuthentication>

Configuring OpenLDAP client

Read the following link for requesting an SSL certificate for IIS: http://support.microsoft.com/kb/299875

Helpful link: http://www.ashleyknowles.net/2011/07/iis-php-and-ldaps-with-active-directory/

C:\OpenLDAP\sysconf\ldap.conf

#ldap.conf contains the following
TLS_REQCERT never
TLS_CACERT C:\openldap\sysconf\webcert.crt


Okay. That's all I can think of at the moment. If I feel I missed anything, I'll update this post.

Ryan lane (talkcontribs)

Thanks!

146.133.9.141 (talkcontribs)

Big boy! Thanks!

209.253.190.225 (talkcontribs)

Thank you very much for this! I do have one question if you don't mind, in the line "$wgLDAPSearchStrings = array( "DOMAIN" => "DOMAIN\USER-NAME" );" what does "USER-NAME" represent?

207.230.222.230 (talkcontribs)

USER-NAME should be left unchanged This acts as a placeholder variable in the program

203.127.197.23 (talkcontribs)

Thanks for your code. May I ask if this will work with Apache too? I am also trying to implement SSO with mediawiki.

What's the expected behaviour of ldap auto authentication? Does the user do not need to login?

Meaning that once they go to example.com/wiki , they will be auto redirected to the main page with their windows credentials without logging in?

Thanks for your assistance! I really appreciated it.

Reply to "Automatic Logon to Mediawiki Using IIS"