Extension:LDAP Authentication

Bugzilla enhancement feature
This enhancement feature is listed as http://bugzilla.wikipedia.org/show_bug.cgi?id=814 --Tom Gries mail 18:43, 4 Nov 2004 (UTC)

Tested On
Current version has been tested on:

 * Mediawiki 1.4 and 1.5
 * Red Hat Enterprise Linux v3 AS
 * Fedora Core 3
 * OpenLDAP 2.2
 * Sun Directory Server (5.1 and 5.2)
 * Active Directory 2003

Old version has been tested on:

 * Mediawiki 1.3.9
 * Red Hat Enterprise Linux v3 AS
 * Sun Directory Server (5.1 and 5.2)
 * Active Directory 2003

Requirements

 * Mediawiki 1.4 or 1.5 for new version of the patch (I will no longer be backporting to the 1.3 series)
 * PHP must be compiled with LDAP support for any functionality at all
 * PHP must be compiled with SSL support if you wish to authenticate over SSL (HIGHLY recommended!!)

Current version (version .80)
For the time being this patch is intended mostly for smaller or internal sites that wish to manage their user accounts solely through LDAP. In this current patch version, users cannot add themselves, change their own password, or get a new password mailed to them through LDAP (they can still do so locally).

UPDATE: The plugin now pulls email addresses, real name, nickname, and language from the LDAP server. If these fields are blank on the LDAP server, the wiki will ignore them and use local settings.

UPDATE: The plugin can now add users, update settings, and change passwords on the LDAP server.

Future version
Support for Active Directory, and ability for users to use "Mail me a password" with this extension.

Summary of Extension
I've added options to LocalSettings.php; when used by an admin they look like the following:

LocalSettings.php (example):

 require_once( 'LdapAuthentication.php' );
 $wgAuth = new LdapAuthenticationPlugin;
 $wgLDAPDomainNames = array( "testADdomain", "testLDAPdomain" );
 $wgLDAPServerNames = array( "testADdomain"=>"testADserver.example.com",
     "testLDAPdomain"=>"testLDAPserver.example.com testLDAPserver2.example.com" );
 $wgLDAPSearchStrings = array( "testADdomain"=>"TDOMAIN\\USER-NAME",
     "testLDAPdomain"=>"uid=USER-NAME,ou=people,dc=example,dc=com" );
 $wgLDAPUseSSL = true;
 $wgLDAPUseLocal = true;
 $wgMinimalPasswordLength = 1; # If using MediaWiki 1.5. Note: 1 is the minimum, feel free to go higher
 // These are for use in version 0.8+
 $wgLDAPAddLDAPUsers = true;
 $wgLDAPUpdateLDAP = true;
 $wgLDAPWikiDN = "uid=priviledgedUser,ou=people,dc=test,dc=com"; // Please use a user with limited access, NOT your directory manager
 $wgLDAPWikiPassword = "{SHA}KqYKj/f81HPTIeAUav2eJt85UUc="; // You are able to use clear text passwords, but please try not to

In this example there are three different domains: one is local, one is an Active Directory domain, and the other is a normal LDAP domain (Sun Directory Server, OpenLDAP, etc.). The administrator must provide the search string for a user's distinguished name (USER-NAME is substituted in SpecialUserLogin.php with the actual user's login name). Using SSL is optional, and so is using the local domain.

When using LDAP, passwords are not stored in the database (unless users create accounts on the local domain). Blank passwords are no longer allowed since we wouldn't want people using the local domain logging in as domain users.

The interface for logging in is slightly different when using LDAP as well. I have added a selection box that will allow users to choose which domain they wish to authenticate against (in the above example, the options would be "testADdomain", "testLDAPdomain", and "local").

The newest patch allows the wiki to create LDAP users, change user settings on the LDAP server, change user passwords, and pull information from the server. In the above example, users are allowed to create new users in LDAP, and update their settings in LDAP. Please, for security's sake, do NOT use your directory manager to make these changes, and use an encrypted password instead of a clear text password.

For the time being, updating user info and adding users does not work on Active Directory. Support for this is planned, but may not be implemented for quite a while. Also, for the time being, "Mail me a new password" probably does not work. Implementation of that will likely require changes to the core code, and may not happen for a while.
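The login flow the configuration above describes (pick a domain, turn the domain's search string into a bind identity by substituting USER-NAME, try each server in the space-separated list over ldaps:// when SSL is on, and refuse blank passwords before any bind) is shown here as an added example. This is not the extension's own code: it mirrors the LocalSettings.php values from the page, the bind itself is injected as a callable so the logic runs offline against a constructed stand-in directory, and the RFC 4514 escaping of the username before it is placed into a DN template is a hardening step this example adds (the page does not say whether the patch performs it).

```python
"""Added example, not code from the LDAP Authentication extension.

Models the per-domain login logic described on the page: the search string
for the chosen domain is turned into a bind identity, the servers listed for
that domain are tried in order (ldaps:// when SSL is enabled), and blank
passwords are rejected up front.  The bind is a callable parameter so the
example runs offline against a constructed directory.
"""
from typing import Callable, Optional

# Configuration mirroring the LocalSettings.php example on the page.
DOMAIN_NAMES = ["testADdomain", "testLDAPdomain"]
SERVER_NAMES = {
    "testADdomain": "testADserver.example.com",
    "testLDAPdomain": "testLDAPserver.example.com testLDAPserver2.example.com",
}
SEARCH_STRINGS = {
    "testADdomain": "TDOMAIN\\USER-NAME",
    "testLDAPdomain": "uid=USER-NAME,ou=people,dc=example,dc=com",
}
USE_SSL = True
USE_LOCAL = True

_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape a value for use inside a DN (RFC 4514), so that characters such
    as ',' in a supplied username cannot alter the DN structure.  This is
    hardening added by the example, not something the page attributes to the
    patch."""
    out = []
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0):
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == len(value) - 1):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def server_uris(domain: str) -> list:
    """Split the space-separated server list into ordered URIs; $wgLDAPUseSSL
    selects the ldaps:// scheme."""
    scheme = "ldaps" if USE_SSL else "ldap"
    return [f"{scheme}://{host}" for host in SERVER_NAMES[domain].split()]


def bind_identity(domain: str, username: str) -> str:
    """Substitute USER-NAME into the domain's search string.  DN-style
    templates (those containing '=') get the username escaped first; the
    down-level DOMAIN\\user form used for Active Directory is substituted as-is."""
    template = SEARCH_STRINGS[domain]
    if "=" in template:
        username = escape_dn_value(username)
    return template.replace("USER-NAME", username)


# (uri, identity, password) -> True if the bind succeeded, False if the
# credentials were rejected; raises ConnectionError if the server is unreachable.
BindFn = Callable[[str, str, str], bool]


def authenticate(domain: str, username: str, password: str, bind: BindFn) -> Optional[bool]:
    """Return True/False for an LDAP domain.  None means the 'local' domain was
    chosen, so the wiki's own password check applies instead.  An empty
    password is refused before any bind: an LDAP simple bind with an empty
    password is treated as an anonymous bind by many servers and would
    otherwise appear to succeed."""
    if domain == "local":
        return None if USE_LOCAL else False
    if domain not in DOMAIN_NAMES:
        return False
    if not username.strip() or password == "":
        return False
    identity = bind_identity(domain, username)
    for uri in server_uris(domain):
        try:
            return bind(uri, identity, password)
        except ConnectionError:
            continue  # this server is down; fall through to the next one
    return False


def _simulated_bind(uri: str, identity: str, password: str) -> bool:
    """Constructed stand-in for a directory: the first LDAP server is
    unreachable, the second knows two accounts (sample data, not real)."""
    if uri == "ldaps://testLDAPserver.example.com":
        raise ConnectionError(uri)
    directory = {
        "uid=alice,ou=people,dc=example,dc=com": "correct horse",
        "TDOMAIN\\bob": "battery staple",
    }
    return directory.get(identity) == password


if __name__ == "__main__":
    print(authenticate("testLDAPdomain", "alice", "correct horse", _simulated_bind))  # True
    print(authenticate("testLDAPdomain", "alice", "", _simulated_bind))               # False
    print(authenticate("testADdomain", "bob", "battery staple", _simulated_bind))     # True
    print(authenticate("local", "alice", "x", _simulated_bind))                       # None
```

To use it against a real server, replace `_simulated_bind` with a function that performs a simple bind with a real LDAP client; the `bind_identity` and blank-password checks stay the same whichever client library is used.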

LDAP Attributes
The following four attributes can be set in LDAP on a user for the wiki to use as user preferences:

 * mail (email address)
 * displayName (nickname)
 * cn (real name)
 * preferredLanguage (language)

preferredLanguage must use the language code as it would be found in "languages/Names.php".
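How the four attributes listed above can be folded into a user's wiki preferences, as an added example rather than the extension's code: LDAP attributes are multi-valued, so the first non-blank value is taken; blank or absent attributes leave the local setting untouched, as the page says the plugin does; and preferredLanguage is only accepted when it is one of the codes the wiki knows. The `KNOWN_LANGUAGES` set is a constructed stand-in for the keys of languages/Names.php, and the sample entry is made up.

```python
"""Added example, not code from the LDAP Authentication extension.

Maps the LDAP attributes the page lists (mail, displayName, cn,
preferredLanguage) onto wiki preferences.  Blank or missing attributes keep
the existing local value; an unknown language code is ignored rather than
written into the user's preferences.
"""
from typing import Dict, List, Union

# Constructed stand-in for the language codes found in languages/Names.php.
KNOWN_LANGUAGES = {"en", "de", "fr", "es", "ja"}

# LDAP attribute -> wiki preference name (names of the preferences are
# assumptions made for this example).
ATTRIBUTE_MAP = {
    "mail": "email",
    "displayName": "nickname",
    "cn": "realname",
    "preferredLanguage": "language",
}

LdapEntry = Dict[str, Union[str, bytes, List[Union[str, bytes]]]]


def _first_nonblank(values) -> Union[str, None]:
    """LDAP attributes are lists of values (often bytes); return the first
    value that is not blank, decoded to str, or None if there is none."""
    if isinstance(values, (str, bytes)):
        values = [values]
    for v in values or []:
        if isinstance(v, bytes):
            v = v.decode("utf-8", "replace")
        if v.strip():
            return v.strip()
    return None


def preferences_from_entry(entry: LdapEntry, current: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of `current` with values taken from the LDAP entry where
    the server supplies them.  Attributes that are blank on the server are
    ignored so the wiki's local settings are used, matching the page's
    description."""
    prefs = dict(current)
    for attr, pref in ATTRIBUTE_MAP.items():
        value = _first_nonblank(entry.get(attr))
        if value is None:
            continue
        if pref == "language":
            value = value.lower()
            if value not in KNOWN_LANGUAGES:
                continue  # not a code the wiki understands; keep the local setting
        prefs[pref] = value
    return prefs


# Constructed sample entry: displayName is blank, cn arrives as bytes,
# preferredLanguage uses upper case.
SAMPLE_ENTRY = {
    "mail": ["alice@example.com"],
    "displayName": [""],
    "cn": [b"Alice Example"],
    "preferredLanguage": ["DE"],
}
SAMPLE_LOCAL_PREFS = {"email": "", "nickname": "ally", "realname": "", "language": "en"}

if __name__ == "__main__":
    print(preferences_from_entry(SAMPLE_ENTRY, SAMPLE_LOCAL_PREFS))
```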

Modification of Current Core Code Required
This extension does modify the core code slightly. The core code allows people to create accounts with blank passwords, and allows people to log in with blank passwords. Since accepting blank passwords would be a serious security flaw when external and internal authentication methods are used together, this change was necessary.

Suggestions

 * The mail password problem could be solved by emailing a link to a temporary URL that allows a password change. Not sure if this would be easier or harder to implement than the temporary local password idea (though maybe a tiny bit less hackish). --Dack 20:55, 19 Jan 2005 (UTC)
 * Good idea. We could also probably use the email authentication plugin as well... It may need modification to work, but since Thomas is merging his code with mine, it should be a pretty easy addition. --Laner