Extension:LDAP Authentication

The documentation has been updated to reflect version 1.1c and higher.
Some options changed from 1.1b to 1.1c; when configuring a new version, make sure the options you are currently using are still valid. The changelog mentions which options have changed.

Support will no longer be given for version 1.0; the prior version of the documentation can be found here.

Post support questions on the discussion page or on the mediawiki-enterprise list
Please post all support questions on this page's discussion page or on the mediawiki-enterprise list. If a problem needs special attention, I can contact you directly by email. Posting the questions on the discussion page allows everyone to see how the problem was resolved.

Posting anywhere else will usually cause your problem to be ignored, or cause people to get upset with you.

Current version
The current stable version of this plugin is Version 1.2a (for MediaWiki 1.6+).

Features
This plugin should be scalable for use in small to large organizations, and provides the following functionality:

 * Single and multi domain authentication (including local database)
 * Simple bind authentication
 * Proxy bind authentication
 * Smartcard/CAC/PKI Soft Certificate authentication
 * SSL/TLS or non-SSL/TLS binding allowed
 * Nested/Unnested Group based restriction support
 * Filter based restriction support
 * Retrieval of user information from LDAP
   * Email address
   * Real name
   * Nickname
   * Language
 * Synchronization of LDAP groups to MediaWiki security groups (LDAP->MediaWiki only, nested groups not supported)
 * Storing preferences in LDAP
   * Update passwords
   * Mail me a password
   * Update all preferences that are currently retrievable
 * Creation of users in LDAP

Requirements

 * MediaWiki 1.6+ for the current version of the plugin (I will no longer be backporting to the 1.5 series)
 * PHP must be compiled with LDAP support for any functionality at all
 * PHP must be compiled with SSL support if you wish to authenticate over SSL (HIGHLY Recommended!!)
 * Your server must trust the root CA of the LDAP server's certificate for SSL to work (mostly affects you if you are using self-signed certificates)
 * The DNS name for your LDAP server must match the name in the LDAP server's certificate for SSL to work
 * Smartcard/CAC authentication requires a PEM encoded list of CAs, proxy or anonymous (if allowed) LDAP credentials, and an SSL enabled webserver
 * If you would like to use LDAP as a backend for MediaWiki (creating users, changing passwords, etc.), you must provide a user who has write permissions to the specific user attributes involved (please give this user only the minimum amount of access that is required)
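The following pre-flight script checks the requirements above before the extension is configured. It is an added example and not part of the LDAP Authentication extension; it is written for a current PHP (7.x or later) and the host name, port, CA bundle path, bind DN and environment variable name in it are placeholders, not values from this page. It verifies that PHP was built with ldap and openssl, that the LDAP server's certificate chains to a CA the web server trusts and is issued for the DNS name being connected to, and that the least-privilege proxy account can bind over LDAPS.

```php
<?php
// Added pre-flight check for the extension's requirements. Example code, not part of
// the LDAP Authentication extension. All values below are placeholders (assumptions).

$host   = 'ldap.example.org';                    // must equal the name in the server certificate
$port   = 636;                                   // LDAPS
$cafile = '/etc/ssl/certs/ca-certificates.crt';  // bundle that contains the LDAP server's root CA
$bindDn = 'cn=wiki-proxy,ou=service,dc=example,dc=org'; // least-privilege proxy account
$bindPw = getenv('LDAP_PROXY_PASSWORD') ?: '';   // kept out of LocalSettings.php and the repository

// Requirement: PHP compiled with LDAP support, and with SSL support for ldaps:// or StartTLS.
function checkPhpBuild(): array
{
    $problems = [];
    if (!extension_loaded('ldap')) {
        $problems[] = 'PHP was built without the ldap extension; nothing will work';
    }
    if (!extension_loaded('openssl')) {
        $problems[] = 'PHP was built without openssl; SSL/TLS binds will fail';
    }
    return $problems;
}

// Requirements: the server certificate must chain to a CA this host trusts, and its
// CN/SAN must match the DNS name we connect to. PHP's own TLS stream is used here so a
// failure is reported with a readable reason instead of a bare "Can't contact LDAP server".
function checkServerCertificate(string $host, int $port, string $cafile): array
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'       => true,   // reject chains that do not end in a trusted CA
        'verify_peer_name'  => true,   // reject certificates issued for another name
        'cafile'            => $cafile,
        'capture_peer_cert' => true,
    ]]);
    $errno  = 0;
    $errstr = '';
    $sock = @stream_socket_client("ssl://$host:$port", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        return ['ok' => false, 'error' => "TLS handshake failed: $errstr ($errno)"];
    }
    $params = stream_context_get_params($sock);
    $cert   = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
    fclose($sock);
    return [
        'ok'      => true,
        'subject' => $cert['name'],
        'expires' => date('c', $cert['validTo_time_t']),
    ];
}

// Requirement: the proxy/write account binds with the minimum rights it needs.
// An empty password is refused up front because an LDAP bind with a DN and an empty
// password is treated as anonymous, which would make this check pass for the wrong reason.
function checkProxyBind(string $host, int $port, string $bindDn, string $bindPw): array
{
    if ($bindPw === '') {
        return ['ok' => false, 'error' => 'empty password would be an anonymous bind'];
    }
    $conn = ldap_connect("ldaps://$host:$port");
    if ($conn === false) {
        return ['ok' => false, 'error' => 'malformed LDAP URI'];
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);   // commonly required with Active Directory
    if (!@ldap_bind($conn, $bindDn, $bindPw)) {
        $error = ldap_error($conn);
        ldap_unbind($conn);
        return ['ok' => false, 'error' => "bind as $bindDn failed: $error"];
    }
    ldap_unbind($conn);
    return ['ok' => true];
}

foreach (checkPhpBuild() as $problem) {
    echo "FAIL: $problem\n";
}
print_r(checkServerCertificate($host, $port, $cafile));
print_r(checkProxyBind($host, $port, $bindDn, $bindPw));
```

Run it from the command line as the same user the web server runs as, so that the CA bundle and PHP build being tested are the ones MediaWiki will actually use. A hostname-mismatch or unknown-CA failure shows up in the `error` field of the certificate check, which is far easier to act on than the generic bind failure the extension would otherwise report.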

Installation
Please see the options and Configuration Examples pages.

Compatibility
Current Version (1.1) has been tested on:

 * MediaWiki
   * MediaWiki 1.6 (does not work on 1.5, but version 1.0 does!)
   * MediaWiki 1.7
   * MediaWiki 1.8
   * MediaWiki 1.9 (NOTE: there are some bugs here (including a fatal source code bug for 1.9.3), a couple of workarounds should be used for the time being, see the talk page)
   * MediaWiki 1.10
   * MediaWiki 1.11
   * MediaWiki 1.12 (NOTE: for SSL (smartcard) authentication or any other type of auto-authentication, you need to use version 1.2, which is currently available in SVN)
   * MediaWiki 1.13 (NOTE: for SSL (smartcard) authentication or any other type of auto-authentication, you need to use version 1.2, which is currently available in SVN)
   * MediaWiki 1.14 (NOTE: for SSL (smartcard) authentication or any other type of auto-authentication, you need to use version 1.2, which is currently available in SVN)
 * Operating Systems
   * Debian GNU/Linux 4.0 ("Etch")
   * Ubuntu 7.04
   * Ubuntu 8.04
   * Red Hat Enterprise Linux v4 AS
   * Red Hat Enterprise Linux v4 ES
   * Red Hat Enterprise Linux v4 WS
   * Red Hat Enterprise Linux v5
   * Fedora Core 6
   * Fedora Core 8
   * Solaris 10
   * Suse Linux Enterprise Server 10
   * Suse Linux Enterprise Server 10 Service-Pack 2
   * Microsoft Windows 2003
   * Gentoo Linux (extension revision 20306)
   * CentOS 4
   * CentOS 5
   * Novell NetWare 6.5 SP7
   * FreeBSD 6.3-STABLE
 * LDAP Directories
   * CA Directory (eTrust Directory)
   * Sun Directory Server 5.2
   * Sun Directory Server Enterprise Edition 6.1, 6.2, and 6.3
   * Active Directory 2003
   * Novell eDirectory (NDS) v8.7.3
   * Novell eDirectory (NDS) v8.8.2
   * OpenLDAP (extension revision 20306)
   * Mac OS X Open Directory v10.4.9
   * Fedora Directory Server 1.0.4
   * ApacheDS 1.5.2
 * Web Servers
   * Apache 2.0
   * Apache 2.2
   * IIS6+PHP ISAPI
 * Combinations
   * Debian 4.0, MediaWiki 1.7, PHP 5.2.0, MySQL 5.0.32, Apache 2.2.3, OpenLDAP
   * Solaris 10, MediaWiki 1.9.x, PHP, MySQL, Apache2, CA Directory
   * RHEL v4 AS, MediaWiki 1.6.8, PHP 4.3.9, MySQL 4.1.12-3, Apache 2.0.52-22, Sun Directory Server 5.2 patch 4
   * Windows 2003, MediaWiki 1.8.3, PHP 5.2.0, MySQL 5.0, IIS6, Microsoft Active Directory
   * Windows 2003, MediaWiki 1.12, PHP 5.2.5, MySQL 5.0, Apache Server 2.2, ApacheDS 1.5.2
   * Windows Server 2003 SP2, MediaWiki 1.14, PHP 5.2.8, MySQL 5.0.51a, Apache Server 2.2, Microsoft Active Directory
   * Gentoo Linux, MediaWiki 1.9.x, PHP, MySQL, Apache 2, OpenLDAP, extension revision 20306, Samba LDAP schema
   * CentOS 5, MediaWiki 1.10.0, PHP 5, MySQL 5, Fedora Directory Server 1.0.4
   * CentOS 5, MediaWiki 1.10.1, PHP 5.1.6, MySQL 5.0.22, Microsoft Active Directory
   * SLES 9, MediaWiki 1.6.7, PHP4, MySQL 5, Novell eDirectory
   * SLES 10, MediaWiki 1.10.0, PHP 5, MySQL 5, Apache 2.2, OpenLDAP
   * SLES 10 Service-Pack 2, MediaWiki 1.14.0, PHP 5.2.5, MySQL 5.0.26, Microsoft Active Directory (2003)
   * OpenSuse 10.2, MediaWiki 1.9.x, PHP5, MySQL 5, Microsoft Active Directory
   * Novell NetWare 6.5 SP7, MediaWiki 1.11.0, PHP 5.2.5, MySQL 5.0.45, Apache 2.0.61, Novell eDirectory 8.8.2
   * CentOS 4, MediaWiki 1.11.1, PHP 5.2.5, MySQL 4.1.22, Apache 2.0.26, OpenLDAP 2.2.13
   * Ubuntu 6.06, MediaWiki 1.12.0, PHP 5.1.2-1ubuntu3.10, MySQL 5.0.22-0ubuntu6.06.10, Apache 2.0.55-4ubuntu2.3, Microsoft Active Directory
   * CentOS (VMware on Mac OS X), MediaWiki 1.12.0, PHP 5.1.6 (apache2handler), MySQL 5.0.45, Microsoft Active Directory
   * FreeBSD 6.3-STABLE, MediaWiki 1.12.0 (FreeBSD-Port), PHP 5.2.6 (FreeBSD-Port), MySQL 5.0.51a (FreeBSD-Port), Apache 2.2.9 (FreeBSD-Port), Active Directory 2003
   * Windows XP Professional SP2, MediaWiki 1.13.0, PHP 5.2.6, MySQL 5.0.51a, Apache 2.2.9, Novell eDirectory 8.8.2
   * Ubuntu 8.04.1, MediaWiki 1.13.1, PHP 5.2.4, MySQL 5.0.51, Apache 2.2.8, Novell eDirectory
   * Ubuntu 8.10, MediaWiki 1.14, PHP 5.2.6.2, MySQL 5.0.67, Apache 2.2.9, Active Directory 2003

If you have a working wiki with a working version of the extension on something not listed above, please add it to the list!

Supporting the extension
Proper support of this extension requires quite a few resources. For a proper testing environment, I need to be able to run multiple directory servers (OpenLDAP, Sun Directory Server, Red Hat Directory Server, Active Directory, etc.), multiple web servers (Apache, and IIS mostly), Kerberos servers (MIT, AD), etc. Due to limited resources, I am unable to test many things concurrently. I am currently unable to test against Active Directory and IIS at all.

If you would like to help support the extension, donation of a good laptop with lots of RAM (Macbook Pro preferably), and/or a license for Windows Server 2003 Enterprise Edition would be greatly appreciated.