Topic on Extension talk:LDAP Authentication

Automatic logon on Windows with IIS works only after modifying LdapAuthentication.php

213.164.68.239 (talk | contribs)

Hi

I'm trying to get a fresh MediaWiki installation running on a Windows server with automatic logon via Active Directory. My wiki server is Windows 2008 R2 Standard, IIS 7.5, PHP 5.3.17, MySQL 5.5.22. I want to authenticate against our company's Active Directory 2008 R2 domain.

After reading all the documentation and hints I could find via Google search, I could get it to work with a modification to the LdapAuthentication.php file, which I think is not the best way. (In fact I think it's a very bad hack. :-) )

My poor MediaWiki/PHP debugging knowledge tells me that somehow the domain and the username, which are collected in LocalSettings.php, are not passed to LdapAuthentication.php. After LocalSettings.php calls "AutoAuthSetup()", the following part of LdapAuthentication.php is executed:

function AutoAuthSetup() {

	global $wgHooks;
	global $wgAuth;
	$wgAuth = new LdapAuthenticationPlugin();

I was not able to follow in depth what happens when a new instance of LdapAuthenticationPlugin is created. But what I realized is that the next line in LdapAuthentication.php is never executed, although I had debug logging activated.

$wgAuth->printDebug( "Entering AutoAuthSetup.", NONSENSITIVE );

The debug log tells me that domain and username variables are empty.

While trying to understand the next lines in LdapAuthentication.php, I see that they are only executed if "AutoAuthUsername" is not set. As far as I understand it, this variable is set via LocalSettings.php. Therefore these lines are never executed. Because nothing seemed to help, I commented out the line with the if clause so that the next lines are always executed.

#if ( !$wgAuth->getConf( 'AutoAuthUsername' ) ) {

		$wgAuth->printDebug( "wgLDAPAutoAuthUsername is not null, adding hooks.", NONSENSITIVE );
		$wgHooks['UserLoadAfterLoadFromSession'][] = 'LdapAutoAuthentication::Authenticate';
		$wgHooks['PersonalUrls'][] = 'LdapAutoAuthentication::NoLogout'; /* Disallow logout link */
#}

After doing that, automatic logon seems to work. But I really have a bad feeling about this. Although it works, I think this is terribly wrong.


My configuration is as follows:

On IIS I activated Windows logon and standard logon. Anonymous logon is deactivated. I did this because we have Windows and Linux clients and I want to provide an authentication mechanism for both.

My LocalSettings.php contains the following entries regarding the LdapAuthentication plugin:

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
require_once( "$IP/extensions/LdapAuthentication/LdapAutoAuthentication.php" );

$wgLDAPDebug = 3;
# Forward slashes avoid any ambiguity with backslash escapes inside a double-quoted string
$wgDebugLogGroups["ldap"] = 'D:/wwwroot/logs/debug.log';

$wgLDAPUseLocal           = false;
$wgMinimalPasswordLength  = 1;
$wgLDAPDomainNames        = array("MyAdDomain");
$wgLDAPServerNames        = array("MyAdDomain" => "dc1.mydomain.local dc2.mydomain.local");
# "clear" means no TLS: the proxy agent's bind password crosses the network in plaintext
$wgLDAPEncryptionType     = array("MyAdDomain" => "clear");
$wgLDAPProxyAgent         = array('MyAdDomain' => 'proxyuser@mydomain.local');
$wgLDAPProxyAgentPassword = array('MyAdDomain' => 'NoYouWillNotGetIt');
$wgLDAPSearchAttributes   = array("MyAdDomain" => "sAMAccountName");
$wgLDAPBaseDNs            = array("MyAdDomain" => "dc=mydomain,dc=local");

# IIS only sets REMOTE_USER for authenticated requests; avoid a PHP notice when it is absent
$remoteUser = isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : '';

# Switch on whether REMOTE_USER contains a backslash
if (strpos($remoteUser, "\\") !== false)
{
	# REMOTE_USER contains a backslash, assuming that this comes from Windows authentication in the format "DOMAIN\USER-NAME"
	# explode() replaces split(), which is deprecated as of PHP 5.3
	list($dom, $userid) = explode("\\", $remoteUser, 2);
	$wgLDAPAutoAuthDomain   = $dom;
	$wgLDAPAutoAuthUsername = strtolower($userid);
}
else
{
	# REMOTE_USER contains no backslash, assuming that this comes from standard authentication in the format "USER-NAME".
	# Therefore wgLDAPAutoAuthDomain has to be set statically.
	# The value should be the same key as used in the $wgLDAP* arrays above.
	$wgLDAPAutoAuthDomain   = "MYDOMAIN";
	$wgLDAPAutoAuthUsername = strtolower($remoteUser);
}

AutoAuthSetup();

I hope someone can push me in the right direction.

Many thanks in advance... Michael Mueller
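As an added example (not code from the extension or from the post above), the following shows one way to turn the REMOTE_USER value that IIS hands to PHP into the two globals the auto-auth path needs, before AutoAuthSetup() is called. It covers the two shapes the post describes ("DOMAIN\user" from Windows authentication and a bare "user" from standard authentication) and additionally the UPN shape "user@domain.local", which is an assumption on my part rather than something the post reports. Unknown domain names are mapped through an explicit table so that $wgLDAPAutoAuthDomain can only ever take a value that has matching entries in the $wgLDAP* arrays; the map contents, the default key "MyAdDomain" and the sample values are constructed for the example.

```php
<?php
// Added example; the domain names and sample values below are constructed.

/**
 * Parse an IIS REMOTE_USER value into the key used for the $wgLDAP* arrays
 * and a lowercased account name.
 *
 * @param string|null $remoteUser  $_SERVER['REMOTE_USER'], or null when IIS sent none
 * @param array       $domainMap   lowercased NetBIOS/DNS domain name => config key
 * @param string      $defaultKey  config key to assume when no domain part is present
 * @return array|null array( 'domain' => key, 'username' => name ) or null when unusable
 */
function parseRemoteUser( $remoteUser, array $domainMap, $defaultKey ) {
	if ( $remoteUser === null || trim( $remoteUser ) === '' ) {
		return null; // anonymous request: leave it to the normal login form
	}
	$remoteUser = trim( $remoteUser );
	$domainPart = null;

	if ( strpos( $remoteUser, '\\' ) !== false ) {
		// "DOMAIN\user" as produced by Windows (NTLM/Negotiate) authentication
		list( $domainPart, $user ) = explode( '\\', $remoteUser, 2 );
	} elseif ( strpos( $remoteUser, '@' ) !== false ) {
		// "user@domain.local" (UPN); assumed possible, not reported in the post
		list( $user, $domainPart ) = explode( '@', $remoteUser, 2 );
	} else {
		// bare "user" from Basic authentication: no domain information at all
		$user = $remoteUser;
	}

	// Conservative character set for the account name; widen if your accounts need it.
	if ( !preg_match( '/^[A-Za-z0-9._-]{1,64}$/', $user ) ) {
		return null;
	}

	if ( $domainPart === null ) {
		$key = $defaultKey;
	} else {
		$lookup = strtolower( $domainPart );
		if ( !isset( $domainMap[$lookup] ) ) {
			return null; // not one of our domains: do not auto-authenticate
		}
		$key = $domainMap[$lookup];
	}
	return array( 'domain' => $key, 'username' => strtolower( $user ) );
}

// Both spellings of the same domain map to the key used in $wgLDAPDomainNames etc.
$ldapDomainMap = array(
	'mydomain'       => 'MyAdDomain', // NetBIOS name, as sent by Windows authentication
	'mydomain.local' => 'MyAdDomain', // DNS name, as found in a UPN
);

if ( PHP_SAPI === 'cli' ) {
	// Constructed sample values as they would appear in REMOTE_USER.
	$samples = array( 'MYDOMAIN\\jdoe', 'jdoe@MyDomain.local', 'jdoe', 'OTHER\\jdoe', 'j doe', '' );
	foreach ( $samples as $sample ) {
		echo str_pad( var_export( $sample, true ), 24 ), ' => ';
		var_export( parseRemoteUser( $sample, $ldapDomainMap, 'MyAdDomain' ) );
		echo "\n";
	}
} else {
	// Wiring inside LocalSettings.php: set the globals first, then call AutoAuthSetup(),
	// because it reads $wgLDAPAutoAuthUsername at the moment it is invoked.
	$parsed = parseRemoteUser(
		isset( $_SERVER['REMOTE_USER'] ) ? $_SERVER['REMOTE_USER'] : null,
		$ldapDomainMap,
		'MyAdDomain'
	);
	if ( $parsed !== null && function_exists( 'AutoAuthSetup' ) ) {
		$wgLDAPAutoAuthDomain   = $parsed['domain'];
		$wgLDAPAutoAuthUsername = $parsed['username'];
		AutoAuthSetup();
	}
}
```

Run from the command line the script only exercises the parser on the constructed samples; the first three resolve to domain "MyAdDomain" with username "jdoe", while the unknown domain, the name with a space and the empty value all return null, so nothing is auto-authenticated for them.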

50.49.240.129 (talk | contribs)

Did you ever get this resolved? I noticed that the AutoAuthSetup() method is barely implemented and mostly just throws an exception.
