Manual:Active Directory Integration

PluggableAuth with Active-Directory LDAP
With the evolution of Extension:PluggableAuth and the LDAP Stack, integrating MediaWiki with Active Directory LDAP is possible, but somewhat complex for newcomers.

A configuration example is provided here to ease the setup process for those wishing to integrate with MS-AD via LDAP.

Objectives / Aims

 * Configure MediaWiki to read its LDAP settings from a single location, ldap.json.
 * Users log in with their NT logon username, also known as the sAMAccountName attribute in a standard AD schema.

Method

 * LDAP Stack extensions use several LDAP attributes to auto-configure the MediaWiki user: sAMAccountName, displayName, mail.
 * LDAP Stack extensions use memberOf attribute values to determine whether any security groups / distribution lists map to MediaWiki groups.

Versioning

 * LDAP Stack extensions should all be at the same version; Long Term Support (LTS) versions are recommended (e.g. 1.35).
 * Direct downloads can be performed from: https://extdist.wmflabs.org/dist/extensions/

Required Extensions

 * Extension:LDAPAuthorization
 * Extension:LDAPAuthentication2
 * Extension:LDAPGroups
 * Extension:LDAPProvider
 * Extension:LDAPUserInfo
 * Extension:PluggableAuth - NOTE: PluggableAuth 6.0+ does not yet support LDAPAuthentication2. Use PluggableAuth 5.7 until this is resolved.

Required AD Bind-Account

 * MediaWiki uses an LDAP bind user / bind password to communicate with Active Directory.
 * Ensure an AD user is provisioned, and note the LDAP Distinguished Name of that user.
 * Sample: CN=MediawikiAuthenticator,OU=Users,DC=acme,DC=com

LDAP Environment
The important configuration entities are detailed below; replace the default values with your own when tuning ldap.json.

Configuration Example: LDAP Configuration with 1 Group-Mapping
This example works for a small single-domain forest, or for a multi-domain forest (by using the parent domain).

Install Mediawiki and Extensions

 * 1) Install PHP and the php-ldap module (usually available from the same package manager as PHP).
 * 2) Install MediaWiki and run its install and update routines.
 * 3) Install all the extensions listed above (Required Extensions) into /extensions/.

Prepare ldap.json
Create an LDAP configuration file. For simplicity, we place this new file at /var/www/ldap.json and then restrict its permissions so that only the web server can read it.

 * A critical piece of configuration is the acme.com key in line #2 of the JSON. Replace this with your AD domain.
 * Replace the following values in connection:
   * server
   * user
   * pass
   * basedn
   * userbasedn
 * Replace the groupsync -> mapping values with valid group DNs taken from the MS "Domains and Trusts" console. This lets you specify a group DN whose members are granted sysop privileges.
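A complete ldap.json for the single group mapping described above, added here as an illustration rather than the page's own file: every host, DN and password is a placeholder to replace with your own values. The key names beyond those the page lists (port, enctype, options, groupbasedn, the search/attribute settings, the userinfo attribute map, the authorization rules and the grouprequest factory class) are assumed from LDAPProvider's domain-config format and are not quoted from this page.

```json
{
  "acme.com": {
    "connection": {
      "server": "dc01.acme.com",
      "port": 636,
      "enctype": "ssl",
      "user": "CN=MediawikiAuthenticator,OU=Users,DC=acme,DC=com",
      "pass": "REPLACE-WITH-BIND-PASSWORD",
      "options": {
        "LDAP_OPT_DEREF": 1
      },
      "basedn": "DC=acme,DC=com",
      "userbasedn": "OU=Users,DC=acme,DC=com",
      "groupbasedn": "OU=Groups,DC=acme,DC=com",
      "searchattribute": "samaccountname",
      "usernameattribute": "samaccountname",
      "realnameattribute": "displayname",
      "emailattribute": "mail",
      "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory"
    },
    "userinfo": {
      "attributes-map": {
        "email": "mail",
        "realname": "displayname"
      }
    },
    "authorization": {
      "rules": {
        "groups": {
          "required": [
            "CN=Wiki Users,OU=Groups,DC=acme,DC=com"
          ]
        }
      }
    },
    "groupsync": {
      "mechanism": "mappedgroups",
      "mapping": {
        "sysop": "CN=Wiki Admins,OU=Groups,DC=acme,DC=com"
      }
    }
  }
}
```

Point LocalSettings.php at the file with $LDAPProviderDomainConfigs = "/var/www/ldap.json"; (the LDAPProvider setting, assumed here), and keep the file readable by the web server account only, since it holds the bind password in clear text.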

Run update.php and test LDAP login

 * After configuring LocalSettings.php and browsing to your wiki, you should be able to load the public index / Main Page.
 * LDAP login will fail until you run: php /.../mediawiki/maintenance/update.php
 * This is because the LDAP extensions require some new SQL tables.
 * After running update.php, start a fresh browser session and perform a test login.

Debugging

 * If you encounter problems, enable debug logging and review the output during login.
 * Validate config values and system connectivity using ldapsearch.
 * Validate config files and PHP connectivity to LDAP using the CheckLogin and ShowUserInfo maintenance scripts located in extensions/LDAPProvider/maintenance/.
 * If running SELinux, check that the web server (Apache) is allowed to connect to LDAP.
 * Also see Manual:How to debug/Login problems