Extension:LDAP Authentication/Requirements

Overview

 * MediaWiki 1.19+ for current version of the plugin
 * PHP must be compiled with LDAP support for any functionality at all
 * PHP must be compiled with SSL support if you wish to authenticate over SSL (highly recommended!)
 * Your server must trust the LDAP server's Certificate's Root CA for SSL to work (mostly affects you if you are using self signed certificates)
 * The DNS name for your LDAP server must match the name in the LDAP server's certificate for SSL to work
 * This support should be included with your distribution's PHP
 * The MediaWiki database must be MySQL or PostgreSQL. SQLite is not currently supported.
 * Smartcard (SSL Client) authentication requires a PEM encoded list of CAs, proxy or anonymous (if allowed on your network) LDAP credentials, and an SSL enabled webserver
 * If you would like to use LDAP as a backend for MediaWiki (creating users, changing passwords, etc), you must provide a user who has write permissions to specific user attributes (please only give this user the minimum amount of access that is required)

Meeting requirements per platform
If you have instructions for any of these sections, don't hesitate to add them.

Certificate trusts
First, place your CA certificates in /etc/pki/tls/certs. If you do not have the CA certificate, you can fetch it using openssl:

The above example pulls CA certificates from a web server (particularly google.com:443), but the example would work the same on an LDAP server. You'd want to use :636 instead of google.com:443.

To pull the CA certificates, you'll want to save all certificates returned greater than 0 (as certificate 0 is the server's certificate). To do so, copy all text in between and including -BEGIN CERTIFICATE- and -END CERTIFICATE-, and place them into a file called .crt.

You can ensure the certificate was copied properly by testing it with openssl:

Next, create hash links to the certificates:

Next, create a CA bundle, as some applications only work properly with a bundled file of CAs (notice that *.crt is assumed be your CA certificates):

Finally, add the trust to openldap's client configuration:


 * 1) Edit /etc/openldap/ldap.conf
 * 2) Add the following lines:

Certificate trusts
Extract your custom CA-certificates same way as above (Red Hat Enterprise Linux and Fedora) but put .crt-file in /usr/local/share/ca-certificates

Automatically update certificate directory and Ubuntus bundled CA-file using the following command:

Ignore the warning.

Finally, add the trust to openldap's client configuration:


 * 1) Edit /etc/ldap/ldap.conf
 * 2) Add the following lines:

Usually, the TLS_CACERTDIR statement only should be sufficient, but due to a bug (probably in libgnutls26) this doesn't work. Another (risky) workaround is to replace the two lines with the following:

The communication with the ldap server is still encrypted, but the client will not compare the server URL with the name in the servers' certificate, thus there is no protection from man-in-the-middle attacks.

Certificate trusts
You need the Root CA certificate which was used to issue the Active Directory server CA certificate. Ask your Windows AD administrator for this certificate or export it yourself in Windows by:
 * Starting Certification Authority snap-in
 * Select the Server Certificate, right-click and choose properties
 * Open tab 'Certification Path'
 * Select the Root CA and click 'View Certificate'
 * Open tab 'Details' and click 'Copy to File...'
 * Choose to export the certificate in .P7B format

Next extract the .pem format certificate on your Linux using openssl: and place it under /etc/ssl/certs

You can test the certificate against your AD servers using openssl: (this should return verify result: 0 (ok))

Next, create hash links to the certificates:

Now the openssl test should work (verify result: 0 (ok)) without -CAfile option:

Next, create a CA bundle, as some applications only work properly with a bundled file of CAs (notice that *.crt is assumed be your CA certificates):

Finally, add the trust to openldap's client configuration:


 * 1) Edit /etc/openldap/ldap.conf
 * 2) Add the following lines:

Solaris 10 and OpenSolaris
TODO.

PHP LDAP support
If you're fortunate enough to be running WAMP, enable the LDAP extension via the WAMP Manager.

TODO: How can I check if my Wiki is running WAMP? How can I enter WAMP Manager?

If not, see the FAQ entry for this.

Certificate trusts
First, see the example of how to get CA certificates using openssl to get the CA certificates needed for the trusts.

Next, create the file and directories: C:\openldap\sysconf\ldap.conf. ldap.conf must be at that exact location, as it is compiled into PHP in the Windows installer.

Next, concatenate all certificates you got using openssl, and place them into: C:\openldap\sysconf\certs.pem.

Next, edit ldap.conf and add:

Finally, restart IIS/Apache.

FreeBSD
To Do.

Mac OS X
Follow the directions for RedHat Linux but put the certificates in the /System/Library/OpenSSL/certs directory and create a combined CA. You shouldn't need the hash links. (<-- needs translation into English)

vi /etc/openldap/ldap.conf and add:

TLS_CACERTDIR /System/Library/OpenSSL/certs TLS_CACERT /System/Library/OpenSSL/certs/CA.crt