Extension:LDAP Authentication/FAQ

Where do I download the extension?
See the download section of the infobox on any of the pages of this documentation.

Problem
If PHP on your server is built against the Solaris LDAP client libraries instead of OpenLDAP (check the LDAP section of phpinfo()), the extension will be unable to connect to your LDAP servers. The cause is the form of the host name passed to ldap_connect(): the Solaris client expects a bare host name and rejects the URL form the extension builds. The example below illustrates the issue.

Example
Works on OpenLDAP, fails on the Solaris client 

The cause is the ldap:// prefix.

Works with the Solaris client 

The code in LdapAuthentication.php prepends ldap://, ldapi:// or ldaps:// to every configured server name before calling ldap_connect(). On the Solaris client this prefix makes every connection attempt fail.

Remedy
Remove $serverpre from the concatenation in the block below (in LdapAuthentication.php), so that bare host names are passed to ldap_connect():

$servers = "";
$tmpservers = $wgLDAPServerNames[$_SESSION['wsDomain']];
$tok = strtok( $tmpservers, " " );
while ( $tok ) {
    $servers = $servers . " " . $serverpre . $tok;
    $tok = strtok( " " );
}
$servers = rtrim( $servers );

Caveat: dropping the prefix also drops the ldaps:// scheme, so the connection no longer carries any encryption choice and ldap_connect() defaults to plain ldap:// on port 389. With the Solaris client, select LDAPS by passing port 636 as the second argument of ldap_connect(), or upgrade the connection with ldap_start_tls() before binding; otherwise credentials will be sent in the clear.
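As an added example (PHP, not the extension's own code), the following builds the ldap_connect() target from $wgLDAPServerNames the way the plugin's loop does, but lets a PHP build linked against the Solaris client use bare host names without silently losing the encryption that the scheme used to select. The function names buildLdapTarget() and connectLdap(), the $urlSyntax switch and the mapping of the 'ssl' encryption type to ldaps:// are assumptions made here for illustration; the encryption type values follow $wgLDAPEncryptionType as used on this page.

```php
<?php
// Added example, not the extension's own code. Builds the ldap_connect()
// target string from $wgLDAPServerNames and connects, handling the Solaris
// client case (no "scheme://host" syntax) without dropping encryption.
//
// Hypothetical names: buildLdapTarget(), connectLdap(), $urlSyntax.
// Assumed here: encryption type 'ssl' selects LDAPS, anything else ldap://.

function buildLdapTarget( array $serverNames, $domain, $encryptionType, $urlSyntax ) {
    // Scheme chosen from the encryption type (assumption, see above).
    $serverpre = ( $encryptionType === 'ssl' ) ? 'ldaps://' : 'ldap://';
    // Without URL syntax the port is the only way to ask for LDAPS.
    $port = ( $encryptionType === 'ssl' ) ? 636 : 389;

    $servers = array();
    foreach ( preg_split( '/\s+/', trim( $serverNames[$domain] ) ) as $host ) {
        if ( $host === '' ) {
            continue;
        }
        // OpenLDAP build: "ldaps://host1 ldaps://host2".
        // Solaris client: "host1 host2", with the port passed separately.
        $servers[] = $urlSyntax ? $serverpre . $host : $host;
    }
    return array( 'servers' => implode( ' ', $servers ), 'port' => $port );
}

function connectLdap( array $target, $encryptionType ) {
    // With URL syntax the scheme already carries the port and the second
    // argument is ignored; with bare host names it selects 389 or 636.
    $conn = ldap_connect( $target['servers'], $target['port'] );
    if ( $conn === false ) {
        return false;
    }
    ldap_set_option( $conn, LDAP_OPT_PROTOCOL_VERSION, 3 );

    // For 'tls', upgrade the connection before binding and fail closed
    // rather than falling back to sending the bind password in the clear.
    if ( $encryptionType === 'tls' && !@ldap_start_tls( $conn ) ) {
        ldap_unbind( $conn );
        return false;
    }
    return $conn;
}

// Constructed configuration for the demo; these hosts are not real.
$wgLDAPServerNames = array( 'example' => 'ldap1.example.org ldap2.example.org' );

$openldapTarget = buildLdapTarget( $wgLDAPServerNames, 'example', 'ssl', true );
$solarisTarget  = buildLdapTarget( $wgLDAPServerNames, 'example', 'ssl', false );
var_dump( $openldapTarget['servers'], $solarisTarget['servers'], $solarisTarget['port'] );
```

Run with the Solaris client by passing false for $urlSyntax: the server string then contains bare host names and LDAPS is requested through the port instead of the scheme. The 'tls' branch refuses to continue if ldap_start_tls() fails, which is the behaviour you want when the alternative is a clear-text bind.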

Problem with autocreated users
Dangerous code snipped


 * You need to figure out what your real problem is. If there is some incompatibility between 1.10 and the plugin, I'll be happy to track down the problem and fix it (either in the core code, or the plugin). --Ryan lane 19:49, 6 August 2007 (UTC)


 * Exactly the same issue as above! $wgLDAPUpdateLDAP, $wgLDAPMailPassword and $wgEmailAuthentication == false.
 * -- 22:11, 15 August 2007 (UTC)


 * ... I need more information than "it isn't working." Please post your configuration, and your debug info, with sensitive stuff snipped out. I've heard multiple reports of this working fine with 1.10. --Ryan lane 01:05, 16 August 2007 (UTC)


 * Oh, btw, all three of those are false by default, and use domain (array) style configuration. I'm betting it is pretty likely your configuration is messed up. --Ryan lane 01:07, 16 August 2007 (UTC)


 * I too was having difficulties with LDAPAuthentication for new AD users. You can view the history of this article for all my configuration settings and debugging output, but the crux of it was a "external authentication database error or you are not allowed to update your external account" error when trying to use LDAPAuthentication 1.0h on new Active Directory users and a "Login incorrect" error for all users when trying to upgrade to LDAPAuthentication 1.1g.


 * In the end I suspect it was because LDAPAuthentication 1.0h used plain LDAP binding to authenticate by default whereas the newer 1.1g uses TLS by default. By setting $wgLDAPDebug = 3 I was able to see both TLS and SSL options failing suggesting that I first need to learn about these protocols and why my server doesn't seem to support them. Setting $wgLDAPEncryptionType = array("DOMAIN"=>"clear") in conjunction with using LDAPAuthentication 1.1g allowed login via straight LDAP binding, but it would be good to get some info about the security issues of using clear binding on a semi-private wiki (internal server, accessible to outside world, logins required).
 * -- 210.23.133.248 00:14, 4 December 2007 (UTC)

Verified to work with 1.10
I've tested this pretty thoroughly, and I have yet to have issues with MediaWiki 1.10; if anyone has problems that can be linked to 1.10, let me know. --Ryan lane 13:25, 20 August 2007 (UTC)

LdapAuthentication.php up to 1.1c (>=1.1d can skip this)
I've added a bug into MediaWiki's bugzilla to get part of this fixed. One part of the workaround is in my code (which will be fixed and released soon), and the other is in MediaWiki's code. So, to make it work, please change the following in LdapAuthentication.php in the initUser function (if using 1.1c or below):

$user->setPassword( '' );

to:

$user->mPassword = '' ;

and add the following function to LdapAuthentication.php:

/**
 * Can the wiki change passwords in LDAP?
 * Return true if yes.
 *
 * @return bool
 * @access public
 */
function allowPasswordChange() {
    global $wgLDAPUpdateLDAP, $wgLDAPMailPassword;

    if ( isset( $wgLDAPUpdateLDAP[$_SESSION['wsDomain']] ) ) {
        $updateLDAP = $wgLDAPUpdateLDAP[$_SESSION['wsDomain']];
    }
    if ( isset( $wgLDAPMailPassword[$_SESSION['wsDomain']] ) ) {
        $mailPassword = $wgLDAPMailPassword[$_SESSION['wsDomain']];
    }
    if ( $updateLDAP || $mailPassword ) {
        return true;
    } else {
        return false;
    }
}

SpecialUserlogin.php (all Versions MediaWiki 1.9.x)
And in includes/SpecialUserlogin.php you can use the following patch (you probably want to patch by hand since this patch is against SVN):

--- SpecialUserlogin.php       (revision 19677) +++ SpecialUserlogin.php       (working copy) @@ -307,13 +307,18 @@        * @private */       function initUser( $u ) { +              global $wgAuth; +               $u->addToDatabase; -              $u->setPassword( $this->mPassword ); + +              if ( $wgAuth->allowPasswordChange ) { +                      $u->setPassword( $this->mPassword ); +              } +                $u->setEmail( $this->mEmail ); $u->setRealName( $this->mRealName ); $u->setToken; -              global $wgAuth; $wgAuth->initUser( $u ); $u->setOption( 'rememberpassword', $this->mRemember ? 1 : 0 );
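Review bot: gating `$u->setPassword( $this->mPassword );` on `$wgAuth->allowPasswordChange()` leaves a newly created row with no local password whenever the plugin answers false, which is what happens for the 'local' domain when $wgLDAPUseLocal is in use: the user is logged in once and is locked out as soon as the session ends (the failure reported further down this page). The condition should also let the local-domain case through, either in this hunk (`if ( $wgAuth->allowPasswordChange() || <local domain> )`) or by having allowPasswordChange() return true for the local domain, and a failed gate should at least be logged rather than silently skipping the password.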

Please let me know if this fixes the problem
I don't currently have the ability to test MediaWiki 1.9 w/ LDAP authentication, please let me know if this fixes your problem. --Ryan Lane 18:16, 13 February 2007 (UTC)

With a config very similar to Robert's, above, and applying your fixes, everything seems to be working fine for me. -- sterling 144.92.220.30 20:30, 15 February 2007 (UTC)

The above config changes together with LDAPAuthentication 1.1d fixed the problem with MediaWiki 1.9.2 and LDAP authentication against Novell eDirectory. Thanks a lot! -- Günther Rasch 07:35, 22 February 2007 (UTC)

Shit yeah! I've been trying to make this work for 2 days straight and I missed this last step. Works like a charm. :) -- Jonathan Puddle

This is exactly what I was searching for. Now every LDAP user is automatically registered when logging in for the first time, and authenticates with the LDAP password. Thanks a lot! -- Jens Vieler, 21 March 2007

This worked for me. Against both AD and Linux LDAP. Thanks much! -- John Harris, 23 March 2007 (Virginia Tech, ECE)

This fix stopped me sweating over the LDAP issue I have been having. Thanks!!!! - Mutuk March 27 2007.

This fixed it for me. Thanks!!! -- Carlos Alarcón, 4th May 2009

PHP errors in allowPasswordChange
This fix produces PHP errors because your local variables $updateLDAP and $mailPassword are not properly scoped. (Enable onscreen PHP errors to see them.) You have defined these variables inside the IF statements, but your final test is outside. So these error messages are produced for the if ( $updateLDAP || $mailPassword ) test:

Notice: Undefined variable: updateLDAP in ....\extensions\LdapAuthentication.php on line 596

Notice: Undefined variable: mailPassword in ....\extensions\LdapAuthentication.php on line 596

To fix, just set both variables to the empty string just below the "global" line. Maiden taiwan 02:29, 1 March 2007 (UTC)


 * Well, they aren't errors, just warnings. Another user has pointed this out (I'm too lazy to find it now), and it'll be fixed in the next release. Ryan Lane 14:30, 1 March 2007 (UTC)

allowPasswordChange doesn't check for $wgLDAPUseLocal
This fix causes another bug. If $wgLDAPUseLocal is set to true and no LDAP user with write permission is specified, then when someone tries to create a new account and the wiki attempts to add the user's password to the database, it first checks with $wgAuth->allowPasswordChange which returns false. This causes the user to be added to the database fine but with no password. The user is logged in, but once they log out their account has no password so they can never get back in. --Christian 15:57, 17 April 2007 (UTC)

if ( 'local' == $_SESSION['wsDomain'] ) { return true; }


 * You can fix this by adding the above to the beginning of the function allowPasswordChange --Christian 16:13, 17 April 2007 (UTC)


 * Thanks for the report and fix; this will be in the next release. Ryan lane 02:45, 18 April 2007 (UTC)


 * This is fixed in svn right now if it is causing you any issues. Ryan lane 02:45, 18 April 2007 (UTC)


 * After overwriting 1.1d with 1.1e on 1.9.3, my password is no longer accepted. I'm using AD 2003.  Are there any additional tweaks that need to be done?  163.252.39.78 14:56, 18 April 2007 (UTC)


 * 1.1d to 1.1e was essentially just bug fixes. It shouldn't have broken anything. I'll need debugging info from you, and your configuration with anything sensitive snipped out. --Ryan lane 15:04, 18 April 2007 (UTC)


 * I just tried to apply this fix to the top of allowPasswordChange but it had no effect. I had to simply put "return true;" at the top of the function for my logins to work.  This was with $wgLDAPUseLocal set to 'true'.  (Setting it to 'false' caused the same password-change-forbidden error before I applied my hack, though).  This is on mw 1.9.3 and plugin 1.1e.  --138.26.64.50 15:35, 24 April 2007 (UTC)


 * I just checked this using the SVN version. It seems to be working for me. I'm working on the plugin right now, so don't use HEAD, try revision 24891 (or you can wait for the release of 1.1f) --Ryan lane 01:39, 18 August 2007 (UTC)


 * I installed this and am getting the same error message "password-change-forbidden". I get the same error regardless of what $wgLDAPUseLocal is set equal to.  Is it trying to set the password in Active Directory, or in the MySQL Database?  I am using the 1.1g version.  Thanks, Shane.


 * Are you using MediaWiki 1.9? If so, upgrade MediaWiki, or follow the instructions posted on how to fix the problem. I won't actively support issues with versions of MediaWiki that are out of support (with the exception of 1.6, until PHP5 is readily available most places). --Ryan lane 14:11, 5 November 2007 (UTC)


 * Thank you, I was using 1.9, I upgraded to 1.11 and it logged in without any issues.

How do I install the extension?
See the install section of the about page.

How do I configure the extension?
See the configuration pages.

How do I configure PHP with LDAP on Windows?
Could the statement "PHP must be compiled with LDAP support for any functionality at all" be explained further? I'm not a developer and simply downloaded PHP 5 from php.net and followed the config instructions to get MediaWiki running. I never compiled PHP. According to php.net I would need some development tools to compile PHP? What is needed to change the default PHP 5.1.2 Windows package to be 'compiled' for LDAP? Can I just configure some extension from php.ini? My specific situation is Windows 2003/IIS/PHP/MySQL.
 * There is quite a bit of documentation on how to get LDAP working with PHP, and specifically with windows. I believe someone even posted some info on the content page of this article. I believe this is probably beyond the scope of this documentation. --Ryan Lane

Authentication fails for usernames with underscores; how do I fix this?
This is currently unsupported in the extension. MediaWiki normalises underscores in usernames to spaces, so the extension receives the username with the underscores already replaced by spaces and looks up a name that does not exist in the directory.

Here is a user submitted hack for getting this to work:

I added a line at the beginning of the function "getSearchString":

This replaces the space with an underscore when it creates the username that is sent to the LDAP server. As far as MediaWiki is concerned it will still use the space in the name. --JoeD July 7th 2007


 * You might also have to do the same str_replace in the function "authenticate".--80.179.206.193 16:47, 23 April 2009 (UTC)
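As an added example (PHP, not part of JoeD's post or of the extension's code), the following carries the space-to-underscore mapping described above through both places the thread names, the search string and the username used at bind time in authenticate, and escapes the value before it is placed in an LDAP filter, so a wiki username cannot alter the filter's meaning. The function names wikiToLdapName(), escapeFilterValue(), buildSearchFilter() and bindName(), the "(uid=...)" filter shape and the "@domain" bind suffix are assumptions made here for the demo.

```php
<?php
// Added example, not the extension's own code. Applies the same
// space -> underscore mapping wherever a wiki username is handed to LDAP
// (search filter and bind name), and escapes the filter value.
//
// Hypothetical names: wikiToLdapName(), escapeFilterValue(),
// buildSearchFilter(), bindName(); filter attribute and bind suffix are
// assumptions for the demo.

// MediaWiki normalises underscores in user names to spaces; the directory
// accounts in this thread use underscores, so map back before querying.
function wikiToLdapName( $wikiUsername ) {
    return str_replace( ' ', '_', $wikiUsername );
}

// Escape a value for use inside an LDAP search filter (RFC 4515 set:
// backslash, '*', '(', ')' and NUL). ldap_escape() exists from PHP 5.6;
// the str_replace fallback does the same for older builds. The backslash
// is replaced first so escapes introduced later are not re-escaped.
function escapeFilterValue( $value ) {
    if ( function_exists( 'ldap_escape' ) ) {
        return ldap_escape( $value, '', LDAP_ESCAPE_FILTER );
    }
    return str_replace(
        array( '\\', '*', '(', ')', "\0" ),
        array( '\5c', '\2a', '\28', '\29', '\00' ),
        $value
    );
}

// Equivalent of the getSearchString step: "(attr=mapped_and_escaped_name)".
function buildSearchFilter( $searchAttribute, $wikiUsername ) {
    $value = escapeFilterValue( wikiToLdapName( $wikiUsername ) );
    return '(' . $searchAttribute . '=' . $value . ')';
}

// Equivalent of the authenticate step: the name used for the bind must go
// through the same mapping, or the search will find the entry while the
// bind is attempted with the spaced name and fails.
function bindName( $wikiUsername, $suffix ) {
    return wikiToLdapName( $wikiUsername ) . $suffix;
}

// Constructed inputs for the demo. The second username shows why the
// escaping matters: without it the filter would become "(uid=*)(uid=*)".
$filter   = buildSearchFilter( 'uid', 'John Doe' );
$bind     = bindName( 'John Doe', '@example.org' );
$hostile  = buildSearchFilter( 'uid', '*)(uid=*' );
var_dump( $filter, $bind, $hostile );
```

The mapping is only unambiguous if directory account names never contain a literal space, which is the assumption behind the hack in this thread; if your directory allows spaces in account names, two different LDAP accounts could map to one wiki name, so check that before adopting it.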

Can I use one attribute to authenticate users, but use another as the username?
You can do this using the 'SetUsernameAttributeFromLDAP' hook. For instance, in the following configuration, authentication is done with the "cn" attribute, but the username is being set with the "uid" attribute: