Extension:LDAP Authentication/FAQ

Where do I download the extension?
See the download section of the infobox on any of the pages of this documentation.

Problem
If your server uses the Solaris LDAP client instead of OpenLDAP (determined through phpinfo), you will be unable to connect to LDAP servers. The cause is the host name format that ldap_connect expects. The example below illustrates the issue.

Example
Works on OpenLDAP, bombs on Solaris Client

The cause is the ldap:// portion

Works with Solaris Client 

The code within LDAAuthenticationPlugin.php adds ldap://, ldapi://, or ldaps:// to server names. With the Solaris client, this causes the connection to fail.

Remedy
Remove the $serverpre value for the block below:

    $servers = "";
    $tmpservers = $wgLDAPServerNames[$_SESSION['wsDomain']];
    $tok = strtok( $tmpservers, " " );
    while ( $tok ) {
        $servers = $servers . " " . $serverpre . $tok;
        $tok = strtok( " " );
    }
    $servers = rtrim($servers);
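To confirm which host form the LDAP client behind your PHP build accepts before editing the extension, a small probe can try both forms. This is an added diagnostic, not code from the extension; the function name probeHostForm and the host ldap.example.org are placeholders.

```php
<?php
// Added diagnostic; not part of the extension.
// 'ldap.example.org' is a placeholder host, pass your own as argv[1].

// Try one host argument and report how far the LDAP client gets.
// With OpenLDAP, ldap_connect() only parses its argument; the network
// connection is opened by the first operation, so a bind is attempted too.
function probeHostForm( $hostArg ) {
    $conn = @ldap_connect( $hostArg );
    if ( !$conn ) {
        return array( 'arg' => $hostArg, 'stage' => 'connect',
            'errno' => null, 'error' => 'argument rejected' );
    }
    // Some client libraries do not define every option constant.
    if ( defined( 'LDAP_OPT_PROTOCOL_VERSION' ) ) {
        ldap_set_option( $conn, LDAP_OPT_PROTOCOL_VERSION, 3 );
    }
    if ( defined( 'LDAP_OPT_NETWORK_TIMEOUT' ) ) {
        ldap_set_option( $conn, LDAP_OPT_NETWORK_TIMEOUT, 5 );
    }
    // Anonymous bind. A server that refuses it has still been reached,
    // which is visible in the error text.
    @ldap_bind( $conn );
    $result = array( 'arg' => $hostArg, 'stage' => 'bind',
        'errno' => ldap_errno( $conn ), 'error' => ldap_error( $conn ) );
    @ldap_unbind( $conn );
    return $result;
}

if ( !extension_loaded( 'ldap' ) ) {
    fwrite( STDERR, "The PHP LDAP extension is not loaded\n" );
    exit( 1 );
}
$host = isset( $argv[1] ) ? $argv[1] : 'ldap.example.org';
// The two forms discussed above: with and without the ldap:// prefix.
foreach ( array( "ldap://$host", $host ) as $form ) {
    $r = probeHostForm( $form );
    printf( "%-28s stage=%-7s errno=%s (%s)\n",
        $r['arg'], $r['stage'], var_export( $r['errno'], true ), $r['error'] );
}
```

Removing the prefix also removes ldaps://, so after applying the remedy check how the connection to the directory is encrypted.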

LdapAuthentication.php up to 1.1c (>=1.1d can skip this)
I've added a bug into MediaWiki's bugzilla to get part of this fixed. One part of the workaround is in my code (which will be fixed and released soon), and the other is in MediaWiki's code. So, to make it work, please change the following in LdapAuthentication.php in the initUser function (if using 1.1c or below):

$user->setPassword( '' );

to:

$user->mPassword = '' ;

and add the following function to LdapAuthentication.php:

    /**
     * Can the wiki change passwords in LDAP?
     * Return true if yes.
     *
     * @return bool
     * @access public
     */
    function allowPasswordChange() {
        global $wgLDAPUpdateLDAP, $wgLDAPMailPassword;

        // Default to false so the check below never reads an unset variable
        $updateLDAP = false;
        $mailPassword = false;

        if ( isset($wgLDAPUpdateLDAP[$_SESSION['wsDomain']]) ) {
            $updateLDAP = $wgLDAPUpdateLDAP[$_SESSION['wsDomain']];
        }
        if ( isset($wgLDAPMailPassword[$_SESSION['wsDomain']]) ) {
            $mailPassword = $wgLDAPMailPassword[$_SESSION['wsDomain']];
        }
        if ( $updateLDAP || $mailPassword ) {
            return true;
        } else {
            return false;
        }
    }

SpecialUserlogin.php (all Versions MediaWiki 1.9.x)
And in includes/SpecialUserlogin.php you can use the following patch (you probably want to patch by hand since this patch is against SVN):

--- SpecialUserlogin.php       (revision 19677) +++ SpecialUserlogin.php       (working copy) @@ -307,13 +307,18 @@        * @private */       function initUser( $u ) { +              global $wgAuth; +               $u->addToDatabase; -              $u->setPassword( $this->mPassword ); + +              if ( $wgAuth->allowPasswordChange ) { +                      $u->setPassword( $this->mPassword ); +              } +                $u->setEmail( $this->mEmail ); $u->setRealName( $this->mRealName ); $u->setToken; -              global $wgAuth; $wgAuth->initUser( $u ); $u->setOption( 'rememberpassword', $this->mRemember ? 1 : 0 );
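Review bot: The new check `if ( $wgAuth->allowPasswordChange ) {` in initUser assumes that whatever object is assigned to $wgAuth provides allowPasswordChange, but this page only adds that function to LdapAuthentication.php, so a wiki running a different authentication plugin would fail at this line; give the base plugin class a default implementation, or guard the call with method_exists. As written the line also reads a property instead of calling the method, so it needs the parentheses: `$wgAuth->allowPasswordChange()`. When the check is false the local account is created without setPassword being called, which is worth a one-line comment in the code so the omission is not later "fixed" by mistake.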

How do I install the extension?
See the install section of the about page.

How do I configure the extension?
See the configuration pages.

How do I configure PHP with LDAP on Windows?
Could the statement "PHP must be compiled with LDAP support for any functionality at all" be explained further? I'm not a developer and simply downloaded php5 from php.net and followed config instructions to get MediaWiki running. I never compiled PHP. According to php.net I would need some development tools to compile PHP? What is needed to change the default version of php5.1.2 Windows package to be 'compiled' for LDAP? Can I just configure some extension from php.ini? My specific situation is Windows2003/IIS/php/mysql.
 * There is quite a bit of documentation on how to get LDAP working with PHP, and specifically with Windows. I believe someone even posted some info on the content page of this article. I believe this is probably beyond the scope of this documentation. --Ryan Lane

Authentication fails for usernames with underscores; how do I fix this?
This is currently unsupported in the extension. MediaWiki replaces underscores with spaces in usernames, so the extension receives the username with the underscores already replaced.

Here is a user-submitted hack for getting this to work:

I added a line at the beginning of the function "getSearchString":

This replaces the space with an underscore when it creates the user username that is sent to the LDAP server. As far as MediaWiki is concerned it will still use the space in the name. --JoeD July 7th 2007


 * You might also have to do the same str_replace in the function "authenticate".--80.179.206.193 16:47, 23 April 2009 (UTC)

Can I use one attribute to authenticate users, but use another as the username?
You can do this using the 'SetUsernameAttributeFromLDAP' hook. For instance, in the following configuration, authentication is done with the "cn" attribute, but the username is being set with the "uid" attribute:
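A configuration of this kind, as an added example rather than the extension's own documentation sample. It assumes the hook passes the username by reference followed by the user's search result in ldap_get_entries() form; the domain name exampleDomain, the handler name setUsernameFromUid and the sample entry are constructed.

```php
<?php
// Added example; not the extension's own sample configuration.
// Assumption: the hook hands the handler the username by reference and
// the user's LDAP search result in ldap_get_entries() form.

// Users are located, and therefore authenticated, by their cn.
// 'exampleDomain' is a constructed domain name.
$wgLDAPSearchAttributes = array( 'exampleDomain' => 'cn' );

function setUsernameFromUid( &$LDAPUsername, $info ) {
    // ldap_get_entries() lowercases attribute names and adds 'count' keys.
    // Only an entry with exactly one uid value gives an unambiguous name.
    if ( !isset( $info[0]['uid']['count'] ) || $info[0]['uid']['count'] !== 1 ) {
        // Missing or multi-valued uid: leave the login name unchanged.
        return true;
    }
    $uid = trim( $info[0]['uid'][0] );
    if ( $uid !== '' ) {
        $LDAPUsername = $uid;
    }
    return true;
}
$wgHooks['SetUsernameAttributeFromLDAP'][] = 'setUsernameFromUid';

// Constructed sample entries, used only to show the handler's effect.
$withUid = array( 'count' => 1, 0 => array(
    'dn'  => 'cn=Jane Doe,ou=people,dc=example,dc=org',
    'cn'  => array( 'count' => 1, 0 => 'Jane Doe' ),
    'uid' => array( 'count' => 1, 0 => 'jdoe' ),
) );
$withoutUid = array( 'count' => 1, 0 => array(
    'dn' => 'cn=Sam Roe,ou=people,dc=example,dc=org',
    'cn' => array( 'count' => 1, 0 => 'Sam Roe' ),
) );

foreach ( array( 'Jane Doe' => $withUid, 'Sam Roe' => $withoutUid ) as $login => $entry ) {
    $name = $login;
    setUsernameFromUid( $name, $entry );
    echo "$login logs in and becomes wiki user: $name\n";
}
```

Because the wiki account is named after whatever the handler returns, decide deliberately what happens when uid is absent; here the login name is kept.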

I installed the extension, but now I don't have a Sysop user; how do I give myself Sysop rights?
There are a few ways of doing this; however, the easiest method is:


 * 1) Log in with your regular account (to ensure your account is created)
 * 2) Disable the extension
 * 3) Log in as WikiSysop
 * 4) Go to Special:Userrights and add the sysop group to your regular account
 * 5) Re-enable the extension

How do I remove the domain list from Special:Userlogin?
You can hide this with CSS; edit MediaWiki:Common.css, and add the following:

    #mw-user-domain-section {
        display: none !important;
    }