User talk:Ryan lane/LQT Archive 1

SmoothGallery
Hi, are there any examples of how Extension:SmoothGallery looks and works? It would be cool if you could link to a test/example page for this extension. Thanks --128.250.80.15 01:40, 10 January 2007 (UTC)


 * Yeah, I wish I had a publicly available test site. I may look into getting one. The SmoothGallery site has examples of SmoothGallery in action, but nothing that is user modifiable like this extension allows. --Ryan lane 21:32, 11 January 2007 (UTC)


 * I have one now. It is at my sandbox. --Ryan lane 06:55, 3 March 2007 (UTC)

Hi, I get a problem with your smoothgallery extension installed on a Spanish interface wiki http://es.antropologia.diwiki.org. When I edit any article, around 10 "undefined" labels appear after the normal edit button bar.s!? Benjamin bois 17:21, 25 June 2007 (UTC)


 * Yeah, this is a known bug, and the fix is documented on the extension page (Extension:SmoothGallery). This is fixed in MediaWiki 1.10+. --Ryan lane 19:26, 6 July 2007 (UTC)

Memorize
Hi, Ryan.

I've added references to your memorize extension to Wikiversity's quiz project. We're mainly centered around the quiz extension at the moment, but the quiz extension isn't really designed to do pair matching, and your memorize extension looks excellent (the matching mode is great).

Perhaps you could join the quiz project and tell us a bit about how your extension is developing. What stage is it at? Might it be implemented on Wikiversity? Have you got people giving you feedback about it?

Cheers,

McCormack 06:36, 15 April 2007 (UTC)


 * Hello,


 * The memorize extension is a really simple extension. It essentially just adds a parser extension tag, and adds the Memorizable javascript into the headers. People can create regular tables, and add the tag into the table headers. Most of the real development work is over at Memorizable. I believe the license on the javascript would be compatible with the Wikiversity project, and the license on the extension is GPL. If it is added to Wikiversity, I'd be happy to offer any further development necessary.


 * The extension is currently stable. The only change really needed is to make the javascript only output when the extension is actually in use on a page (which is an easy fix).


 * It would be nice if the javascript could handle more than two columns of data, and I may add support for that in the future (if memorizable will accept patches that is). --Ryan lane 13:31, 16 April 2007 (UTC)


 * Hi Ryan. I see that the JS file is released under an "X11 (aka MIT) open source license". Is this compatible with Wikimedia projects? Do you have any contact with the copyright holder of the JS file? McCormack 04:54, 3 May 2007 (UTC)


 * Suggested changes before moving to Wikiversity...
 * It should be able to start in "matching mode".
 * It should be possible to remove the choice between modes.
 * It should be possible not to have the options. (Optional options)


 * McCormack 04:59, 3 May 2007 (UTC)


 * I'll take a look at the javascript to work these changes into the extension. As for the license, it is probably up to Wikiversity whether or not they'll want to use it. The license given says it is fine to use the software in any way as long as the help section, and links to memorizable.org are kept. I'll talk to the developers about how we can meet their license requirements and still be able to modify the code how we like. --Ryan lane 18:10, 4 May 2007 (UTC)


 * One of the things I noticed on reading the licence is that it is a custom version of the X11 open source - and the custom bit is a requirement for a visible credit to the programmer (in the options section). I suspect this would have to go, although I'm sure that information about the origin of the script would be given in the help page we would build for it. Thanks for following up on this! McCormack 18:21, 4 May 2007 (UTC)

Hello, are you sure your extension works with MW 1.11 ? (please, have a look at my question. --Henrique 10:53, 3 November 2007 (UTC)


 * This extension is so simple, the chances of it not working in 1.11 are slim. I haven't tested it, but I commented on the talk page; you don't have it configured properly. --Ryan lane 13:52, 5 November 2007 (UTC)
 * Hello, here is a French translation of your extension, working here, hope it will be ok. --Henrique 18:17, 12 November 2007 (UTC)


 * The javascript itself is from memorizable.org. For international support, you may want to work with them. I'd imagine they'd love a translation. I'll work the internationalization into the plugin; thanks for the help. --Ryan lane 19:44, 15 November 2007 (UTC)

LDAP Authentication
Hi Ryan. Any idea when you might be able to get to "1.1f: Add options to specifiy search bases for users, and groups"? We need to specify a different base for our groups. —JEREMY 16:05, 6 June 2007 (UTC + 8.00)


 * I'm out of the country for work right now. I've been working on the plugin some out here though, and I just added that in a couple of days ago. I'll send it up to the SVN server when I get back (a few days from now). --Ryan lane 05:15, 10 June 2007 (UTC)


 * Good stuff! Thanks for that! —JEREMY 15:45, 11 June 2007 (UTC + 8.00)


 * Sorry for the wait, I've added that change in the latest SVN version. The version in SVN (revision 23338) is currently stable. I'll be releasing it soon, but you don't really need to wait for the release. Just make sure to use revision 23338. --Ryan lane 21:06, 24 June 2007 (UTC)


 * Thanks again. Err... So, how do we actually go about implementing groups search? Where do we specify the base, for example? —JEREMY 11:41, 26 June 2007 (UTC + 8.00)


 * Wow, you want documentation too!? ;) Kidding of course. I just added the config options to Extension:LDAP Authentication --Ryan lane 14:27, 28 June 2007 (UTC)


 * When we $wgLDAPUseLDAPGroups = array("Interzone"=>true); we get Warning: in_array: Wrong datatype for second argument in LdapAuthentication.php on line 1401. Where should we start debugging? —JEREMY 10:32, 04 July 2007 (UTC + 8.00)


 * Well, that looks like a bug, but it may be happening because you may be missing some configuration. What does the rest of your configuration look like?


 * Like this:

 $wgLDAPDomainNames = array("Interzone");
 $wgLDAPServerNames = array("Interzone"=>"spike.per.[SLD].[TLD]");
 $wgLDAPUseLocal = false;
 $wgLDAPEncryptionType = array("Interzone"=>"clear");
 $wgLDAPSearchAttributes = array("Interzone"=>"uid");
 $wgLDAPBaseDNs = array("Interzone"=>"ou=People,dc=[SLD],dc=[TLD]");
 $wgLDAPGroupBaseDNs = array("Interzone"=>"ou=Groups,dc=[SLD],dc=[TLD]");
 $wgLDAPGroupUseFullDN = array("Interzone"=>"false");
 $wgLDAPLowerCaseUsername = array("Interzone"=>true);
 $wgLDAPGroupObjectclass = array("Interzone"=>"posixGroup");
 $wgLDAPGroupAttribute = array("Interzone"=>"memberUid");
 $wgLDAPGroupNameAttribute = array("Interzone"=>"cn");
 # $wgLDAPUseLDAPGroups = array("Interzone"=>true);

 * (Actual [SLD] and [TLD] redacted.)
 * When we uncomment the $wgLDAPUseLDAPGroups line, we get the error. —JEREMY 10:34, 10 July 2007 (UTC + 8.00)


 * I've summed up how to do group synchronization as well here: Extension:LDAP_Authentication I'll try to track down the bug, make it output a warning, and fail gracefully. --Ryan lane 19:24, 6 July 2007 (UTC)


 * Ah; it's the quotes around "false" in the line following the one commented-out in the listing above. We remove those and it works! —JEREMY 14:38, 12 July 2007 (UTC + 8.00)
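
The mistake found at the end of this thread, as an added example that is not part of the original discussion or of the extension's code: PHP casts the non-empty string "false" to true, so a quoted boolean silently switches an option on. The check below reports per-domain values that should be booleans but are not; lintLdapBooleans() is a hypothetical helper, the option list is limited to names that appear in this thread, and the sample settings are constructed from the listing above.

```php
<?php
// Added example; lintLdapBooleans() is a hypothetical helper, not part of
// LdapAuthentication.php. Only option names that appear in this thread are listed.

// Options configured as array( "Domain" => true|false ).
const LDAP_BOOLEAN_OPTIONS = array(
    'wgLDAPUseLDAPGroups',
    'wgLDAPGroupUseFullDN',
    'wgLDAPLowerCaseUsername',
);

/**
 * Return one message per per-domain value that is not a real boolean.
 *
 * @param array $settings option name (without "$") => configured value
 * @return string[]
 */
function lintLdapBooleans( array $settings ) {
    $problems = array();
    foreach ( LDAP_BOOLEAN_OPTIONS as $name ) {
        if ( !array_key_exists( $name, $settings ) ) {
            continue; // not set in this configuration
        }
        if ( !is_array( $settings[$name] ) ) {
            $problems[] = sprintf( '$%s must be an array keyed by domain name', $name );
            continue;
        }
        foreach ( $settings[$name] as $domain => $value ) {
            if ( is_bool( $value ) ) {
                continue;
            }
            // PHP casts every non-empty string except "0" to true, so the
            // string "false" switches the option ON.
            $problems[] = sprintf(
                '$%s["%s"] is %s (%s); PHP evaluates it as %s',
                $name,
                $domain,
                var_export( $value, true ),
                gettype( $value ),
                $value ? 'true' : 'false'
            );
        }
    }
    return $problems;
}

// Constructed sample: the boolean options from the listing above.
$settings = array(
    'wgLDAPUseLDAPGroups'     => array( 'Interzone' => true ),
    'wgLDAPGroupUseFullDN'    => array( 'Interzone' => 'false' ), // quoted, as posted
    'wgLDAPLowerCaseUsername' => array( 'Interzone' => true ),
);

foreach ( lintLdapBooleans( $settings ) as $problem ) {
    echo $problem, "\n";
}
```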

Working with the Access Control extension?
Hi Ryan. We've got the group restrictions stuff working (thanks!) but we're now trying to use the LDAP groups with the Access Control extension. It's not working out of the box, and we're having difficulty verifying that the LDAP groups are actually being exposed to mediawiki in such a way that the GBAC extension can see them. Any tips for beginners? —JEREMY 15.06, 18 July 2007 (UTC + 8.00)


 * Hmm... I haven't looked at this much (as those extensions really just provide an illusion of security). I think the author of the plugin wrote a patch to work with the LDAP plugin. Although, I may be thinking of another one of those access control extensions. I'll take a look when I get a chance. --Ryan lane 21:08, 23 July 2007 (UTC)


 * Is there some easy way for us to view/expose the groups that your plugin has grepped from the directory? —JEREMY 12.20, 01 August 2007 (UTC + 8.00)


 * As far as I can remember, the groups are actually created in the wiki when you add group permissions in LocalSettings.php. Once the groups have permissions associated, they should be exposed in the interface. --Ryan lane 19:06, 6 August 2007 (UTC)


 * Thanks very much; we're all sorted now. Great work, btw! —JEREMY 18.50, 13 August 2007 (UTC + 8.00)

Password Encryption
Ryan, In your example you have the following

$wgLDAPProxyAgentPassword = array( "testLDAPdomain"=>"{SHA}KqYKj/f81HPTIeAUav2eJt85UUc=" );

What method are you using to encrypt the password? And are there any requirements for changes made to a core mediawiki install to allow for this?


 * Although this should work, it seems to be hit or miss depending on the LDAP server and configuration. I got that password using phpldapadmin though. --Ryan lane 21:06, 23 July 2007 (UTC)

Ryan, your extension effectively "authenticates" by pulling the userPassword value. This isn't actual authentication. A) This requires userPassword attribute be exposed to *everybody* - this is the LDAP equivalent of leaving your shadow password file world readable. It's a "Really bad idea."

Here's a debug log from slapd after I've spent 3 hours tracking down "Why isn't ldap allowing auth?"

 => access_allowed: auth access to "uid=daemon,dc=example,dc=com" "userPassword" requested
 => acl_get: [1] attr userPassword
 access_allowed: no res from state (userPassword)
 => acl_mask: access to entry "uid=daemon,dc=example,dc=com", attr "userPassword" requested
 => acl_mask: to value by "", (=0)
 <= check a_dn_pat: cn=manager,dc=example,dc=com
 <= check a_dn_pat: self
 <= check a_dn_pat: anonymous
 <= acl_mask: [3] applying auth(=xd) (stop)
 <= acl_mask: [3] mask: auth(=xd)
 => access_allowed: auth access granted by auth(=xd)
 send_ldap_result: conn=0 op=0 p=3
 send_ldap_result: err=49 matched="" text=""
 send_ldap_response: msgid=1 tag=97 err=49
 conn=0 op=0 RESULT tag=97 err=49 text=
 daemon: epoll: listen=7 active_threads=0 tvp=NULL
 daemon: activity on 1 descriptor
 daemon: activity on: 11r
 daemon: read active on 11
 connection_get(11)
 connection_get(11): got connid=0
 connection_read(11): checking for input on id=0
 connection_read(11): input error=-2 id=0, closing.

Basically, what this translates to, is a protocol violation. Your extension doesn't understand ldap saying "No, I'm not going to let you see your userPassword hash until you auth." Your extension attempts to pull down the userPassword again, ldap says "I'm granting you permission to authenticate" at which point your extension basically slams the connection closed.

... Basically, your extension needs to be able to handle the situation where anonymous is NOT granted world read access to critical data that must in a hostile network be revealed at most to the person who owns it. Or, where your extension actually attempts to authenticate *before* trying to pull down password hashes. The fact that you recommend putting the pw hash in the LocalSettings.php file alone reveals that you're doing a straight compare - the hash is a salted, one way hash - you cannot derive the pwd from the hash, ergo, you don't know the password... You just compare the hashes.


 * I believe I had support for comparing hashes at some point in time in the plugin (which is likely why the documentation mentioned using hashes), but the support isn't there anymore. I've removed the information in the documentation about using hashes for passwords. Your interpretation of what the plugin does is completely wrong however.


 * To be clear, the plugin will only do one of two things (unless you are using SSL Authentication):
 * Try to bind as the user
 * Bind as a proxyagent, find the user's DN, and then try to bind as the user


 * This is truly the best way to do authentication. Both compares, and/or pulling userPassword are truly bad ideas. When you use a compare, the password can't be salted... This opens you up to rainbow table attacks.


 * A good security practice is to create a user specific to what you need; meaning, the user only has very limited access. In the case of a proxy agent, the user should only have the ability to search for specific attributes needed for finding DNs, or groups, or auth attributes, or whatever preferences you are pulling. In this case, using a clear text password only opens you to a very selective (and known) amount of risk. Either way, it is better than allowing anonymous access.


 * If you still aren't assured that the plugin isn't secure enough for your tastes, you are welcome to peruse the code. I've done security audits of the code a number of times, but it always helps having more eyes looking! --Ryan lane 17:24, 3 March 2008 (UTC)
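
The two bind-based flows listed in the reply above, written out as an added example; this is not the extension's code, and the function name, the $cfg keys, the host and the DNs are assumptions made for illustration. It also refuses empty passwords, because a simple bind with a DN and an empty password is an unauthenticated bind that some servers report as successful.

```php
<?php
// Added example, not code from LdapAuthentication.php. The function name,
// the $cfg keys, the host and the DNs are assumptions for illustration.

/**
 * Authenticate by binding as the user, never by reading or comparing userPassword.
 * Set $cfg['dn_template'] for a straight bind, or the proxy_* / search keys to
 * look the DN up first with a low-privilege proxy agent.
 */
function ldapAuthenticate( array $cfg, $username, $password ) {
    // A simple bind with a DN and an empty password is an "unauthenticated
    // bind"; some servers report success for it. Refuse before connecting.
    if ( $username === '' || $password === '' ) {
        return false;
    }

    $conn = ldap_connect( $cfg['uri'] );
    if ( !$conn ) {
        return false;
    }
    ldap_set_option( $conn, LDAP_OPT_PROTOCOL_VERSION, 3 );
    ldap_set_option( $conn, LDAP_OPT_REFERRALS, 0 );

    try {
        // The password travels inside the bind request, so encrypt first.
        if ( !@ldap_start_tls( $conn ) ) {
            return false;
        }

        if ( isset( $cfg['dn_template'] ) ) {
            // Flow 1: build the DN directly; escape the name as a DN value.
            $userDn = str_replace(
                'USER-NAME',
                ldap_escape( $username, '', LDAP_ESCAPE_DN ),
                $cfg['dn_template']
            );
        } else {
            // Flow 2: bind as the proxy agent, which should only be able to search.
            if ( !@ldap_bind( $conn, $cfg['proxy_dn'], $cfg['proxy_password'] ) ) {
                return false;
            }
            $filter = sprintf(
                '(%s=%s)',
                $cfg['search_attr'],
                ldap_escape( $username, '', LDAP_ESCAPE_FILTER )
            );
            // "1.1" requests no attributes; only the entry's DN is needed.
            $result = @ldap_search( $conn, $cfg['base_dn'], $filter, array( '1.1' ), 0, 2 );
            $entries = $result ? ldap_get_entries( $conn, $result ) : false;
            // Exactly one match, or the login fails.
            if ( !$entries || $entries['count'] !== 1 ) {
                return false;
            }
            $userDn = $entries[0]['dn'];
        }

        // The authentication itself: the server verifies the password.
        return @ldap_bind( $conn, $userDn, $password );
    } finally {
        ldap_unbind( $conn );
    }
}

// Constructed settings for illustration only.
$cfg = array(
    'uri'            => 'ldap://ldap.example.com',
    'proxy_dn'       => 'cn=wikiproxy,ou=Services,dc=example,dc=com',
    'proxy_password' => 'placeholder-secret',
    'base_dn'        => 'ou=People,dc=example,dc=com',
    'search_attr'    => 'uid',
);

// The empty password is rejected before any network traffic is sent.
var_dump( ldapAuthenticate( $cfg, 'jdoe', '' ) );
```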

Problems with UserNames
Hi. I tried to use your LDAP Authentication and have got this problem (MediaWiki 1.13.3). We are using user names like this Name.Surname. LDAP Authentication extension turns them to Name.surname, but it's absolutely different names as for wiki.


 * This is by design. If a user typed their username in different case every time they logged in, MediaWiki would create a new user account every single time. This is due to the fact that MediaWiki is case sensitive for usernames, but when binding against LDAP, LDAP isn't case sensitive. --Ryan lane 22:29, 31 March 2010 (UTC)

Error by finding getURL
I have installed SmoothGallery! Upload the SmoothGallery.php in my extensions Folder and the SmoothGallery Folder in extensions folder. And insert this in my LocalSettings.php

 $wgUseImageResize = true;
 include("extensions/SmoothGallery.php");
 $wgSmoothGalleryExtensionPath = "/mediawiki/extensions/smoothgallery";
 $wgSmoothGalleryDelimiter = "\n";

I get the following error:

Fatal error: Call to a member function getUrl on a non-object in /www/htdocs/v110248/other/mediawiki/extensions/SmoothGallery.php on line 241

Line 241 is: $full_thumb = $full_thumb_obj->getUrl();

What I want to do is:

 Image:001.jpg Image:002.jpg


 * I haven't tested smoothgallery with any recent versions of mediawiki. I just finished updating another plugin, so this one is on my todo list next. --Ryan lane 00:38, 20 August 2007 (UTC)


 * THX! Please tell when you fix it! My e-mail is: rpgtiger2k3@msn.com
 * --Kampfschaf 12:36, 20 August 2007 (UTC)


 * It should be working fine. I tested this recently with MediaWiki 1.11; use the newest version from SVN. --Ryan lane 13:46, 18 October 2007 (UTC)

LDAP help
Hi Ryan,

I'm thoroughly confused, trying to figure out from the start how to get your LDAP extension installed and working. Could you provide help here? Thanks! — Timotab 13:28, 18 October 2007 (UTC)


 * I can only answer questions that address a specific problem. The documentation is there to give you the basics. For the most part you can just copy and paste from the configuration examples, and change a couple settings and it'll work. --Ryan lane 13:47, 18 October 2007 (UTC)

LDAP question
Hello, Ryan! I have a question about your extension. I need the wiki to take its user database not from the wiki's DB, but from an external DB where all employees are registered. Is it possible to do this with your extension? The idea is that users can log in to the wiki with their intranet logins!

Best regards Peter Sokolov, psc@elkor.lv


 * If your external database is an LDAP database of some variety, then yes. --Ryan lane 17:34, 29 November 2007 (UTC)

And what if my external database is another MySQL database? Is it possible?


 * No, this plugin can't handle that case. --Ryan lane 19:38, 29 November 2007 (UTC)

IBM / Tivoli LDAP support?
Hi Ryan

We currently use IBM/Tivoli Directory services on an iSeries box (AS400, system i5 .. or whatever you currently want to call it), and I wondered if there was going to be any support for this? We use this LDAP for all our internal things (Bugzilla, Sametime etc.) and I would love to change our wiki over from a clunky Java one to the very cool MediaWiki ... Do you think it's worth attempting to try and get it working with our current setup and see what happens, or will it not work at all?

Thanks in advance - Sharon Bellamy Morpheus UK


 * I haven't run into an LDAP server the plugin doesn't support yet. Your search strings/search attributes may look a little different, but I'd imagine most of the configuration examples should work fine. If you need any help, you can email me through this wiki, or you can continue to post questions here, or on the Extension Talk:LDAP Authentication page. --Ryan lane 13:47, 21 July 2008 (UTC)

SimpleSecurityObject
Hi, Ryan,

I'd like to request for your help, please.

We have an Open LDAP setup that only uses SimpleSecurityObject. While in Mediawiki authentication plug-in, it looks for inetOrgPerson?

Users get an error like the one below. My question is, is it possible to modify the plugin/auth page to pass this login/useradd?

Thank you so much for your attention.

Shao

A database query syntax error has occurred. This may indicate a bug in the software. The last attempted database query was:

INSERT INTO `bbwiki_user` (user_id,user_name,user_password,user_newpassword,user_newpass_time,user_email,user_email_authenticated,user_real_name,user_options,user_token,user_registration,user_editcount) VALUES (NULL,'Xyzuser',,,'20080904143011',,NULL,,'quickbar=1\nunderline=2\ncols=80\nrows=25\nsearchlimit=20\ncontextlines=5\ncontextchars=50\nskin=\nmath=1\nrcdays=7\nrclimit=50\nwllimit=250\nhighlightbroken=1\nstubthreshold=0\npreviewontop=1\neditsection=1\neditsectiononrightclick=0\nshowtoc=1\nshowtoolbar=1\ndate=default\nimagesize=2\nthumbsize=2\nrememberpassword=0\nenotifwatchlistpages=0\nenotifusertalkpages=1\nenotifminoredits=0\nenotifrevealaddr=0\nshownumberswatching=1\nfancysig=0\nexternaleditor=0\nexternaldiff=0\nshowjumplinks=1\nnumberheadings=0\nuselivepreview=0\nwatchlistdays=3\nvariant=en\nlanguage=en\nsearchNs0=1','2830062654d9404d1201e202b94ec8a7','20080904143011','0') from within function "User::addToDatabase". MySQL returned error "1048: Column 'user_id' cannot be null (localhost)".

--74.2.196.226 4 September 2008


 * Can you post your configuration and a debug output ($wgLDAPDebug = 3) with all sensitive stuff snipped out? I've never seen a problem that has caused a database error. --Ryan lane 18:32, 11 September 2008 (UTC)


 * Hi, Please see the debug info and LocalSettings file below

 Entering validDomain
 User is using a valid domain.
 Setting domain as: mydomain.com
 Entering getCanonicalName
 Username isn't empty.
 Munged username: MyloginName
 Entering userExists
 Entering authenticate
 Entering Connect
 Using TLS or not using encryption.
 Using servers: ldap://ldap.mydomain.com
 Connected successfully
 Entering getSearchString
 Doing a straight bind
 userdn is: uid=MyloginName,ou=Accounts,o=ORG,dc=mydomain,dc=com
 Binding as the user
 Bound successfully
 Authentication passed

Then, the error above - from last posting......

LocalSettings.php

 require_once( 'extensions/LdapAuthentication.php' );
 $wgAuth = new LdapAuthenticationPlugin;

 $wgLDAPDomainNames = array( "mydomain.com" );
 // worked but didn't -> $wgLDAPSearchStrings = array( "mydomain.com"=>"uid=".$_POST['wpName'].",ou=Accounts,o=ORG,dc=mydomain,dc=com" );

 // possible login fix
 $wgLDAPSearchStrings = array( "mydomain.com"=>"uid=USER-NAME,ou=Accounts,o=ORG,dc=mydomain,dc=com" );

 $wgLDAPServerNames = array( "mydomain.com"=>"ldap.mydomain.com" );

 $wgLDAPEncryptionType = array( "mydomain.com"=>"clear" );
 $wgMinimalPasswordLength = 1; // made this "1"
 $wgLDAPDebug = 0;
 $wgLDAPUseLocal = true;

 $wgSitename        = "SomeWiki";

 $wgScriptPath      = "";
 $wgScript          = "$wgScriptPath/index.php";
 $wgRedirectScript  = "$wgScriptPath/redirect.php";

Thanks so much.

SmoothGallery 1.1d and 1.1e on newest version of Mediawiki (1.15/1.16)
We cannot get the extension (version Version 1.1d, working with the 2.0 version from working on MW 1.15 or MW 1.16. We tried all the different options. Do you have any pointers seeing the way the images are displayed, what may be going wrong? Many thanks! --G.Hagedorn 13:12, 28 May 2009 (UTC)


 * I just updated the extension to work with 1.14; I don't see any reason it shouldn't be working with 1.15 or 1.16. Your problem is that the javascript isn't being found. $wgSmoothGalleryExtensionPath should be set to the relative url path for the javascript, not the path on your filesystem.
 * --Ryan lane 13:37, 28 May 2009 (UTC)


 * Many thanks for looking into this, I confirm this was the problem. The "path" in the variable confused me; but it is a stupid error nevertheless, since I should have realized that this must be accessible from the browser. --G.Hagedorn 18:15, 1 June 2009 (UTC)


 * At the moment my finding on 1.1d is: it works great without image captions, but not with captions. This works:


 * This does not (Template:! is defined as a single vertical bar ("|") on that wiki):


 * With the latter, the top of the page shows a php error: "Warning: Wrong parameter count for implode in ....extensions/SmoothGallery/SmoothGalleryClass.php on line 37" and the following message displays at the place of embedding: "SmoothGallery error:No images were found in this gallery. Make sure all images requested exist. The following images were not found:"


 * Similarly, without captions works, whereas with captions:

File:Aconitum-napellus 4435.jpg|Aconitum napellus, Infloreszenz File:Aconitum_napellus2_ies.jpg|Aconitum napellus, Blüte von der Seite File:Aconitum_napellus3_ies.jpg|Aconitum napellus, Blüte von innen File:Aconitum_napellus8_ies.jpg|Aconitum napellus, Blätter


 * The error: "Fatal error: Call to a member function getText on a non-object in ....extensions/SmoothGallery/SmoothGalleryParser.php on line 271" is displayed.


 * (All images are from commons, works on any wiki linked to mediawikifoundation commons.) Sorry to bother you again. Any ideas? Captions are critical for us. --G.Hagedorn 19:59, 1 June 2009 (UTC)


 * I'm pretty sure captions are broken. I had an issue with this as well when I last tested the extension. I haven't had a chance to track down the problem. I'll try to get to this soon. --Ryan lane 20:28, 1 June 2009 (UTC)


 * Good news, I fixed the caption problems in 1.1e. Notice also that you are putting above instead of | in your above examples; the former will not work, only the latter will. --Ryan lane 00:00, 4 June 2009 (UTC)


 * Thanks a lot for fixing this, it works great with descriptions now. The | instead of ! was a stupid extra error; I corrected above should anyone look here. --G.Hagedorn 13:14, 7 June 2009 (UTC)
 * ... but maybe not without descriptions?

 stack5.jpg | test stack2.jpg | test stack4.jpg | test


 * works, but it seems

 stack5.jpg stack2.jpg stack4.jpg


 * results in: "Fatal error: Call to a member function getText on a non-object in /usr/share/mediawiki/extensions/SmoothGallery/SmoothGalleryParser.php on line 247". --G.Hagedorn 13:46, 8 June 2009 (UTC)


 * This works for me. See the examples on my sandbox. --Ryan lane 17:10, 8 June 2009 (UTC)


 * It seems to be 1.16-specific. I have submitted a bug report for this: https://bugzilla.wikimedia.org/show_bug.cgi?id=19148. Thanks for all your great work! --G.Hagedorn 16:32, 10 June 2009 (UTC)

Memorize extension
Hello, I have just downloaded this extension some days ago to test it by Wikiversity community. But unfortunately now I see it was set unstable and it is no longer maintained. So I would like to ask you, what is the problem and if we can offer any help? We were willing to implement this extension to Czech Wikiversity.--Juan de Vojníkov 10:49, 7 January 2010 (UTC)
 * OK, you replied to me already at a talk page of that Extension. So do you have a contact to an author? Is he that one written in the comment?--Juan de Vojníkov 11:27, 7 January 2010 (UTC)
 * I didn't try to contact the author. I'll try that tonight. Maybe he/she'll have a change of heart and re-open the source. --Ryan lane 15:36, 7 January 2010 (UTC)
 * So what's new?--Juan de Vojníkov 13:32, 11 January 2010 (UTC)

Smooth Gallery 2.0
Ryan,

I am at a loss at what to do because I have followed your instructions and I get a graphic error when I use your gallery.

I see a link of the pic above the main pic then I see a TINY pic below it.

Here are the steps I did, perhaps I did something wrong,

Downloaded the extension snapshot 1.16 and unzipped it to wiki/extensions/SmoothGallery folder

Added to LocalSetting.php:

 require_once( "$IP/extensions/SmoothGallery/SmoothGallery.php" );
 $wgSmoothGalleryExtensionPath = "/mediawiki/extensions/smoothgallery";
 $wgSmoothGalleryDelimiter = "\n";

So where did I go wrong??

Here is an example of what it is doing 


 * Well, I notice that you unzipped it to "wiki/extensions/SmoothGallery", and then have the following set:

$wgSmoothGalleryExtensionPath = "/mediawiki/extensions/smoothgallery";


 * Most web servers care about case.


 * Also, did you download the smoothgallery javascript and put it into the directory as well? --Ryan lane 14:55, 24 February 2010 (UTC)

OpenLDAP with Kerberos Authentication
Hi Ryan,

My system spec:

 OS: CentOS 5.4
 OpenLDAP 2.3.43
 MIT Kerberos 1.6.1
 Apache 2.2.3
 MediaWiki 1.5.1

I have MediaWiki setup in a family; LDAP and Kerberos provides POSIX login to all users on our network. I would like all users with accounts on LDAP to be able to login and authenticate via Kerberos on this wiki only, i.e. I have other wikis in the family which I do not want to include in the SSO setup.

So far, in Apache Vhost configuration I have this block:

  <--- Is this the correct location I should be aiming for?
 SSLRequireSSL <--- Do I have to setup my Vhost with  as well?
 AuthType Kerberos
 AuthName "Kerberos Login"
 KrbMethodNegotiate On
 KrbMethodK5Passwd Off
 KrbAuthRealms MY.DOMAIN.COM
 Krb5KeyTab /path/to/keytab <--- I created this file on my krb5-server with "kadmin.local addprinc -randkey http/host.my.domain.com" then scp'd it over to my MediaWiki host and chgrp to apache and chmod 640, is this correct?
 require valid-user

In the LocalSettings.php I have this section concerning your LDAP Authentication extension:

 require_once( "$IP/extensions/LdapAuthentication/LdapAutoAuthentication.php" );
 require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
 $wgAuth = new LdapAuthenticationPlugin;

 # Settings for LDAP Authentication
 $wgLDAPDomainNames = array( "myAuthName" );
 $wgLDAPServerNames = array( "myAuthName"=>"host.my.domain.com" );
 $wgLDAPSearchStrings = array("myAuthName"=>"uid=USER-NAME,ou=people,dc=my,dc=domain,dc=com");

 # $wgLDAPAutoAuthDomain = "myAuthName";

 # REMOTE_USER will be in the form username@EXAMPLE.COM, if we
 # just chop off @EXAMPLE.COM, we have the username. You can change
 # this as needed.
 # $wgLDAPAutoAuthUsername = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"] );

 # After we set all configuration options, we want to tell the extension to enable auto-authentication.
 # This will create an instance of LdapAuthentication as $wgAuth.
 AutoAuthSetup();

So far it doesn't work so I know it's wrong. There is a drop down box on the login page with LDAP in it, which I assume is the $wgLDAPDomainNames array. I found some information on here through Google, but it wasn't linked from your main project pages. I also checked your Options page and blog, but now I'm confused. I notice that there's a very similar setup to mine that works:

CentOS 5, MediaWiki 1.15.0, PHP 5.1.6, MySQL 5.0.45, Apache 2.2.3, OpenLDAP 2.3.43, extension v1.2a (rev 43434)

Please could you advise me how to proceed or even tell me which combination of options in LocalSettings.php I need?

Many thanks...

Bert

2 general Questions about your Sandboxpage
Hi there, I found your test-wiki/sandbox and there are 2 things I would really like to know how you solved. 1. How did you get that foldable sidebar? I searched and searched but found nothing about it. 2. On your user page on that test-wiki you have a "view form" button. How did you build this button and the form behind it? Thanks a lot! Hopefully you can answer these questions :) --Heinoth 01:00, 9 April 2010 (UTC)

"memberOf" attribute name
Hey there,

I don't know how much you can have for this, but on my setup I needed LDAPAuthentication to read an attribute containing the user's groups with a name other than the usual "memberOf" (I am using dynamic groups), so I edited your extension to read that attribute name from the configuration file. It's quite a simple modification and I don't know how many people could benefit from it, but I decided to share it with you, in case you're interested in using it.

I downloaded the extension from the trunk a couple of weeks ago so I can't tell its exact version, but I made a diff file containing the lines I changed. Luckily they're not so many, so it should be easy to patch. Here's the patch file:

--- LdapAuthentication.php.original    2010-04-09 10:53:23.000000000 +0100 +++ LdapAuthentication.php     2010-04-09 10:49:53.000000000 +0100 @@ -1283,6 +1284,14 @@               global $wgLDAPGroupsPrevail; global $wgLDAPGroupsUseMemberOf;

+              //Name of the attribute which defines which groups the user belongs to. +              //If its undefined, we assume the default value of "memberOf". +              global $wgLDAPGroupsMemberOfAttName; +              if ($wgLDAPGroupsMemberOfAttName == NULL) { +                      $wgLDAPGroupsMemberOfAttName = array; +                      $wgLDAPGroupsMemberOfAttName[$_SESSION['wsDomain']] = 'memberof'; +              } +                $this->printDebug("Entering getGroups", NONSENSITIVE);

//Find groups @@ -1303,14 +1312,18 @@                       }

if ( isset( $wgLDAPGroupsUseMemberOf[$_SESSION['wsDomain']] ) && $wgLDAPGroupsUseMemberOf[$_SESSION['wsDomain']] ) { -                              $this->printDebug( "Using memberOf", NONSENSITIVE ); +                              $memberOfAttName = $wgLDAPGroupsMemberOfAttName[$_SESSION['wsDomain']]; +                              $this->printDebug( "Using '$memberOfAttName' as the attribute containing the user's groups", NONSENSITIVE ); +                               $this->userInfo = $this->getUserInfo; if ( is_null( $this->userInfo ) ) { $this->printDebug("Failed to get memberOf attribute", NONSENSITIVE); } -                              if ( isset( $this->userInfo[0]["memberof"] ) ) { + +                              if ( isset( $this->userInfo[0][$memberOfAttName] ) ) { # The first entry is always a count -                                      $memberOfMembers = $this->userInfo[0]["memberof"]; +                                      $memberOfMembers = $this->userInfo[0][$memberOfAttName]; +                                       array_shift( $memberOfMembers ); $groups = array( "dn"=> array, "short"=>array ); foreach( $memberOfMembers as $mem ) {
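
Review bot: the default in the first hunk is applied only when the whole `$wgLDAPGroupsMemberOfAttName` global is NULL (the `if ($wgLDAPGroupsMemberOfAttName == NULL)` block), so a wiki that sets the option for one domain and logs a user in through another reaches `$wgLDAPGroupsMemberOfAttName[$_SESSION['wsDomain']]` in the second hunk with no entry for that domain. Test the per-domain key instead, for example with `isset( $wgLDAPGroupsMemberOfAttName[$_SESSION['wsDomain']] )`, and keep the 'memberof' fallback in a local variable rather than writing it back into the global. The new option also needs an entry in the extension's configuration documentation.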
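
Review bot: in the second hunk the configured name is used verbatim as the array key in `$this->userInfo[0][$memberOfAttName]`, while the literal it replaces was the all-lowercase "memberof". If the keys in userInfo are lowercased, as that literal suggests, a mixed-case setting such as 'userRoles' fails the isset() and the user silently ends up with no groups, so pass the value through strtolower() before the lookup or document that it must be lowercase. The unchanged debug line "Failed to get memberOf attribute" should also report `$memberOfAttName`, so the log names the attribute that was actually requested.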

For a "example.com" domain holding the user's groups on the "userroles" attribute, the following LocalSettings.php config would then be used:

$wgLDAPGroupsMemberOfAttName = array( "example.com"=>'userroles'  );

Hope this can help some people out there!

Cheers and keep up the good work!

Unable to start TLS
Since I've enabled the LdapAuthentication.php extension, every time a valid LDAP user logs on I get this error message in /var/log/httpd/error_log:

 ldap_start_tls: Unable to start TLS: Protocol error in /home/zuul/www/wiki/extensions/LdapAuthentication/LdapAuthentication.php on line 228, referer: http://declips.fritz.box/~zuul/wiki/index.php/Spezial:Anmelden

Actually I'm not yet using any TLS/SSL.

I was trying to get somewhat more debug information by setting $wgLDAPDebug = 3 (before require_once ...LdapAuthentication.php) but couldn't get any more debug output.

My configuration:

 Fedora Core 12 / 64bit
 OpenLDAP 2.4
 MediaWiki 1.15

Any help is appreciated. Zuul