Extension:LDAP Authentication/Requirements

Overview

 * MediaWiki 1.6+ for current version of the plugin
 * PHP must be compiled with LDAP support for any functionality at all
 * PHP must be compiled with SSL support if you wish to authenticate over SSL (highly recommended!)
 * Your server must trust the LDAP server's Certificate's Root CA for SSL to work (mostly affects you if you are using self signed certificates)
 * The DNS name for your LDAP server must match the name in the LDAP server's certificate for SSL to work
 * This support should be included with your distribution's PHP
 * Smartcard/CAC authentication requires a PEM encoded list of CAs, proxy or anonymous (if allowed) LDAP credentials, and an SSL enabled webserver
 * If you would like to use LDAP as a backend for MediaWiki (creating users, changing passwords, etc), you must provide a user who has write permissions to specific user attributes (please only give this user the minimum amount of access that is required)

Meeting requirements per platform
If you have instructions for any of these sections, don't hesitate to add them.

Certificate trusts
First, place your CA certificates in /etc/pki/tls/certs. If you do not have the CA certificate, you can fetch it using openssl:

The above example pulls CA certificates from a web server (particularly google.com:443), but the example would work the same on an LDAP server. You'd want to use :636 instead of google.com:443.

To pull the CA certificates, you'll want to save all certificates returned greater than 0 (as certificate 0 is the server's certificate). To do so, copy all text in between and including -BEGIN CERTIFICATE- and -END CERTIFICATE-, and place them into a file called .crt.

You can ensure the certificate was copied properly by testing it with openssl:

Next, create hash links to the certificates:

Next, create a CA bundle, as some applications only work properly with a bundled file of CAs (notice that *.crt is assumed be your CA certificates):

Finally, add the trust to openldap's client configuration:


 * 1) Edit /etc/openldap/ldap.conf
 * 2) Add the following lines:

Certificate trusts
Extract your custom CA-certificates same way as above (Red Hat Enterprise Linux and Fedora) but put .crt-file in /usr/local/share/ca-certificates

Automatically update certificate directory and Ubuntus bundled CA-file using the following command:

Ignore the warning.

Finally, add the trust to openldap's client configuration:


 * 1) Edit /etc/ldap/ldap.conf
 * 2) Add the following lines:

Usually, the TLS_CACERTDIR statement only should be sufficient, but due to a bug (probably in libgnutls26) this doesn't work. Another (risky) workaround is to replace the two lines with the following:

The communication with the ldap server is still encrypted, but the client will not compare the server URL with the name in the servers' certificate, thus there is no protection from man-in-the-middle attacks.

SUSE
TODO -- still not complete


 * I use the following steps to manually compile PHP with the required openssl and ldap support for Apache2 module:
 * download PHP 5.4.12 from http://www.php.net to /usr/local/src ; tar -xzf ... ; cd ...
 * ./configure --prefix=/usr --datadir=/usr/share/php --mandir=/usr/share/man --bindir=/usr/bin --libdir=/usr/share --includedir=/usr/include --sysconfdir=/etc --with-libdir=lib64 --with-config-file-path=/etc --with-exec-dir=/usr/lib64/php/bin --with-apxs2=/usr/sbin/apxs2-prefork --with-openssl --with-bz2 --with-zlib --with-curl --with-ldap --with-mysql --enable-soap --enable-mbstring x86_64-suse-linux --with-xsl --with-xsl --enable-calendar
 * make
 * sudo make install
 * (detailed explanantion follows) --Wikinaut 14:21, 18 December 2009 (UTC)

Solaris 10 and OpenSolaris
TODO.

PHP LDAP support
If you're fortunate enough to be running WAMP, enable the LDAP extension via the WAMP Manager.

If not, see the FAQ entry for this.

Certificate trusts
First, see the example of how to get CA certificates using openssl to get the CA certificates needed for the trusts.

Next, create the file and directories: C:\openldap\sysconf\ldap.conf. ldap.conf must be at that exact location, as it is compiled into PHP in the Windows installer.

Next, concatenate all certificates you got using openssl, and place them into: C:\openldap\sysconf\certs.pem.

Next, edit ldap.conf and add:

Finally, restart IIS/Apache.

Mac OS X
Follow the directions for RedHat Linux but put the certificates in the /System/Library/OpenSSL/certs directory and create a combined CA. You shouldn't need the has links.

vi /etc/openldap/ldap.conf and add:

TLS_CACERTDIR /System/Library/OpenSSL/certs TLS_CACERT /System/Library/OpenSSL/certs/CA.crt