Topic on Project:Support desk

Single Sign On - LDAP Extension

9
2401:7400:C800:32AC:80F7:7960:2BA0:E95F (talkcontribs)

HELLO!

Need some help here. Appreciate the help from all subject matter experts. So right now, I am trying to implement auto login to my mediawiki site. Currently, users are able to login to mediawiki using their windows account and password.

Next, I would like to implement the auto-login function (without them entering their credentials). Below is my code.

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
require_once( "$IP/extensions/LdapAuthentication/LdapAutoAuthentication.php" );
//$wgAuth = new LdapAuthenticationPlugin(); #Commented out for autologin
$wgLDAPAutoAuthDomain = "MYDOMAIN"; //uncomment for auto login 
$wgDiff3 = "";

# Authenticate against Active Directory
$wgLDAPDomainNames = array( "MYDOMAIN" );
$wgLDAPServerNames = array( "MYDOMAIN" => "MYDOMAINSERVER" );
$wgLDAPSearchStrings = array( "MYDOMAIN" => "USER-NAME@MYDOMAIN" );

$wgLDAPEncryptionType = array( "MYDOMAIN" => "clear" ); 
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;


$wgLDAPBaseDNs = array(
  'MYDOMAIN' => 'cn=Users,dc=domain,dc=com'
);
 
$wgLDAPSearchAttributes = array(
  'MYDOMAIN' => 'sAMAccountName' );
 
 
$wgLDAPGroupUseFullDN = array( "MYDOMAIN"=>true );
$wgLDAPBaseDNs = array( 'MYDOMAIN' => 'dc=MYDOMAIN,dc=example,dc=com' );
$wgLDAPSearchAttributes = array( 'MYDOMAIN' => 'sAMAccountName' );
$wgLDAPGroupsUseMemberOf = array( "MYDOMAIN" => true );


//The objectclass of the groups we want to search for
$wgLDAPGroupObjectclass = array( "MYDOMAIN"=>"group" );

//The attribute used for group members
$wgLDAPGroupAttribute = array( "MYDOMAIN"=>"member" );

//The naming attribute of the group
$wgLDAPGroupNameAttribute = array( "MYDOMAIN"=>"cn" );
$userid = $_SERVER['REMOTE_USER'];
$wgLDAPAutoAuthUsername = $userid; 
AutoAuthSetup();

Once I implemented the above, the domain name in my dropdownlist become empty and the username and password I entered denies my entry into the site although it is correct.

Why is this happening? Please assist! Greatly appreciated it!

THANKS ALL SO MUCH!

175.156.223.209 (talkcontribs)

Just to add on ,the server that I'm running is Apache 2.2

MarkAHershberger (talkcontribs)

You will have to install and configure kerberos for apache. Once you do that, you can use the [Extension:Auth_remoteuser Auth_remoteuser] extension to handle authentication.

2401:7400:C800:32AC:A11F:6ADF:598A:40BB (talkcontribs)
MarkAHershberger (talkcontribs)

mod_auth_kerb shouldn't be needed with IIS. That is what I would try first on Windows.

2401:7400:C800:32AC:A11F:6ADF:598A:40BB (talkcontribs)

Or are you advising me to use Auth_remoteuser extension instead of LDAP extension? Thanks!

MarkAHershberger (talkcontribs)

If you just need SSO authentication, then you should use Auth_remoteuser.

203.120.42.151 (talkcontribs)

I've tried to install and configure mod_auth_kerb on my Apache Server. But I am using Windows and the information I googled tends to be more towards Linux. Any help please? Thanks!

MarkAHershberger (talkcontribs)

If you are using IIS, SSO should already work, right? And then you would need something like Auth_remoteuser to get the logged in user.

Reply to "Single Sign On - LDAP Extension"