User:Super Jamie/LDAP HOWTO

From mediawiki.org

These are the steps I took to get MediaWiki working with LDAP on Active Directory 2003.

Notes

  • AD will allow clear text passwords to be sent. This is fine for testing, but you should use SSL in production, as any user on the network could potentially sniff passwords.
  • This config uses a server called adserver.mycompany.com (older-style domain MYCOMPANY). I wish to add users to a group called WikiUsers in the OU Groups \ IT on mycompany.com; nobody else on the domain will have Wiki access, except to the Login page.
  • I also wish to add groups to this group, so I've turned on nested group searching.
  • I have another wiki (PmWiki) which does LDAP lookups. It uses Apache's mod_ldap and mod_auth_ldap, so I have included the steps I've used to get it authenticating to AD as well. LdapAuthentication.php does its auth with PHP's php_ldap; I believe the only config it pays attention to is /etc/openldap/ldap.conf, but I've included everything I have set up just in case.
  • I use a corporate-controlled AD, so I can't add a self-signed cert to it, but I can obtain the root cert of the CA which has signed our domain's SSL cert, which is how I've done this.
  • You do not need to use ldaps:// when addressing an AD server through php_ldap, whereas you do with a non-Microsoft LDAP server.
  • I am (luckily) able to do anonymous searches over my Active Directory; I could never get Proxy Binding working.
 - Try to browse from a console first:
    ldapsearch -b "DC=domain,DC=com" -h <AD server> -x -W \
     -D "CN=d-name,OU=whatever,OU=your,OU=units,DC=domain,DC=com" -LLL "(sAMAccountName=<userid-to-check>)"
    
    The trick is to use the distinguished name, not the userid, in the CN you use to bind.
    
    Of course, looking at the code (1.2a): to use Proxy binding, you must not set $wgLDAPSearchStrings, as it then performs a simple search, which ignores the proxy variables.
  • You're best off using lowercase when addressing anything to do with AD.
  • This works fine on my rPath Linux LAMP server, which has Apache with mod_ssl, mod_ldap and mod_auth_ldap installed, as well as PHP with php_ldap.

Troubleshooting

If you're having dramas, don't try to do everything at once. I'd suggest getting things working in this order, which runs roughly from simplest to most complex.

  • Turn on error reporting by placing this line in MediaWiki's LocalSettings.php
 $wgLDAPDebug = 99;
  • Change auth to cleartext with this line
 $wgLDAPEncryptionType = array('mycompany.com'=>'clear');
  • Get straight binds to MYCOMPANY\\USER-NAME working
  • Get straight binds with Search Strings working
  • Get straight binds with Search Strings looking in a group
  • Get SSL working

Also, Microsoft's AD Users & Computers does not give you a whole heap of info about the LDAP naming conventions in AD (cn, sAMAccountName, ou, group, etc.) or the info you can draw out of it. I'd suggest using these two tools to get your addressing right.

HOWTO

  • Obtain the root certificate for the domain certifier
    • Ensure your certs are x509 PEM encoded; use this line to convert between DER and PEM if required
 openssl x509 -in certname.der -inform DER -out certname.pem -outform PEM
  • Root certs also need to have the file extension .crt; I have called mine certname.crt
  • Copy the root certs to the folder /etc/httpd/conf/ssl.crt/ (this may be in /etc/apache2/ instead)
  • In Apache conf file /etc/httpd/conf/httpd.conf (this may be in /etc/apache2/ instead), add:
 LDAPTrustedCA /etc/httpd/conf/ssl.crt/certname.crt
 LDAPTrustedCAType BASE64_FILE
  • In the SSL config file /etc/httpd/conf.d/ssl.conf (this may be in /etc/apache2/ instead) ensure that
 #SSLCACertificateFile
    is commented out, and add the line
 SSLCACertificatePath /etc/httpd/conf/ssl.crt/
  • Create a symlink at /etc/openldap/ldap.conf pointing to /etc/ldap.conf
  • In /etc/ldap.conf add
 TLS_CACERTDIR /etc/httpd/conf/ssl.crt/
 TLS_REQCERT allow
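As an added example (mine, not code from this page or from the LdapAuthentication project), here is what the openssl DER-to-PEM conversion step above does, written with Python's standard library so you can sanity-check a CA file before it goes into the ssl.crt/ directory: sniff whether a file is DER or PEM, wrap DER in PEM armour, strip the armour again, and give the file the .crt extension the steps above rely on. SAMPLE_DER is a constructed ASN.1 blob with only the outer shape of a certificate, not a real one; the function names and the .crt renaming convention are my assumptions.

```python
import base64
import re
import ssl
from typing import Tuple

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed stand-in for a DER certificate: a bare ASN.1 SEQUENCE (tag 0x30)
# holding an INTEGER and an OCTET STRING. It is NOT a real X.509 certificate;
# it only has the outer shape that detect_encoding() looks for.
SAMPLE_DER = b"\x30\x0d\x02\x01\x01\x04\x08example!"


def detect_encoding(data: bytes) -> str:
    """Return 'PEM' or 'DER' from the first bytes of a certificate file.

    PEM is ASCII armour starting with a BEGIN line; a DER-encoded certificate
    starts with the ASN.1 SEQUENCE tag 0x30.
    """
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    raise ValueError("neither PEM armour nor a DER SEQUENCE")


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour: base64 body, 64 characters per line,
    BEGIN/END lines. This is the layout openssl x509 -outform PEM writes."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the armour and decode the base64 body. Only a CERTIFICATE block is
    accepted, so a private key pasted in by mistake is rejected."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def matches_stdlib(der: bytes) -> bool:
    """Cross-check our armouring against the ssl module's own converter."""
    return der_to_pem(der) == ssl.DER_cert_to_PEM_cert(der)


def ensure_pem_crt(filename: str, data: bytes) -> Tuple[str, str]:
    """Return (new_filename, pem_text) for a CA file destined for ssl.crt/:
    convert DER to PEM if needed and give the file the .crt extension."""
    pem = data.decode("ascii") if detect_encoding(data) == "PEM" else der_to_pem(data)
    stem = filename.rsplit(".", 1)[0] if "." in filename else filename
    return stem + ".crt", pem


if __name__ == "__main__":
    name, text = ensure_pem_crt("certname.der", SAMPLE_DER)
    print(name)
    print(text, end="")
```

One caveat on the ldap.conf step just above: TLS_REQCERT allow tells the OpenLDAP client to carry on even when the server certificate cannot be verified, which is convenient while you are getting the CA file into the right place and format, but it means the trust you have just configured is not actually enforced. TLS_REQCERT demand is the setting that makes the client drop the session on an unverifiable server certificate, so switch to it once the CA file is known good.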
  • Install MediaWiki and setup
  • Copy LdapAuthentication.php (I used version 1.1g) to extensions/includes/
  • In MediaWiki settings file LocalSettings.php add this:
 #
 ### LDAP Authentication Plugin
 #
 require_once( 'extensions/LdapAuthentication.php' );
 $wgAuth = new LdapAuthenticationPlugin();
 #
 ### Identify server
 #
 $wgLDAPDomainNames = array('mycompany.com');
 $wgLDAPServerNames = array('mycompany.com'=>'adserver',);
 $wgLDAPEncryptionType = array('mycompany.com'=>'ssl');
 $wgMinimalPasswordLength = 1;
 #
 ### Uncomment this for troubleshooting
 #
 # $wgLDAPDebug = 99;
 #
 ### Straight bind with Search Strings
 #
 $wgLDAPSearchStrings = array('mycompany.com'=>'MYCOMPANY\\USER-NAME');
 $wgLDAPSearchAttributes = array('mycompany.com'=>'sAMAccountName');
 $wgLDAPBaseDNs  = array('mycompany.com'=>'dc=mycompany,dc=com');
 #
 ### New-style group lookup, needs to be lowercase
 #
 $wgLDAPRequiredGroups = array('mycompany.com'=>array('cn=wikiusers,ou=it,ou=groups,dc=mycompany,dc=com'));
 $wgLDAPGroupUseFullDN = array('mycompany.com'=>true);
 $wgLDAPGroupObjectclass = array('mycompany.com'=>'group');
 $wgLDAPGroupAttribute = array('mycompany.com'=>'member');
 $wgLDAPGroupSearchNestedGroups = array('mycompany.com'=>true);
 $wgLDAPGroupNameAttribute = array('mycompany.com'=>'cn');
  • I also use these in my config to keep the Wiki relatively private. They have nothing to do with LDAP, but they are handy for locking down your Wiki, which is why I assume you'd want auth set up on it anyway.
 # This section defines permissions which allow only logged-in users to edit
 #
 # Deny access to Anonymous
 #
 $wgGroupPermissions['*']['createaccount']      = false;
 $wgGroupPermissions['*']['read']               = false;
 $wgGroupPermissions['*']['edit']               = false;
 $wgGroupPermissions['*']['createpage']         = false;
 $wgGroupPermissions['*']['createtalk']         = false;
 #
 # But allow Anonymous to login
 #
 $wgWhitelistRead = array ("Special:Userlogin");
 #
 # Allow logged in users to do these things
 #
 $wgGroupPermissions['user']['move']            = true;
 $wgGroupPermissions['user']['read']            = true;
 $wgGroupPermissions['user']['edit']            = true;
 $wgGroupPermissions['user']['createpage']      = true;
 $wgGroupPermissions['user']['createtalk']      = true;
 $wgGroupPermissions['user']['upload']          = true;
 $wgGroupPermissions['user']['reupload']        = true;
 $wgGroupPermissions['user']['reupload-shared'] = true;
 $wgGroupPermissions['user']['minoredit']       = true;
 #
 # Allow automated accounts to do these things
 #
 $wgGroupPermissions['autoconfirmed']['autoconfirmed'] = true;
 $wgGroupPermissions['bot']['bot']             = true;
 $wgGroupPermissions['bot']['autoconfirmed']   = true;
 #
 # Allow logged in sysops to do these things
 #
 $wgGroupPermissions['sysop']['block']           = true;
 $wgGroupPermissions['sysop']['createaccount']   = true;
 $wgGroupPermissions['sysop']['delete']          = true;
 $wgGroupPermissions['sysop']['deletedhistory']  = true;
 $wgGroupPermissions['sysop']['editinterface']   = true;
 $wgGroupPermissions['sysop']['import']          = true;
 $wgGroupPermissions['sysop']['importupload']    = true;
 $wgGroupPermissions['sysop']['move']            = true;
 $wgGroupPermissions['sysop']['patrol']          = true;
 $wgGroupPermissions['sysop']['protect']         = true;
 $wgGroupPermissions['sysop']['rollback']        = true;
 $wgGroupPermissions['sysop']['upload']          = true;
 $wgGroupPermissions['sysop']['reupload']        = true;
 $wgGroupPermissions['sysop']['reupload-shared'] = true;
 $wgGroupPermissions['sysop']['unwatchedpages']  = true;
 $wgGroupPermissions['sysop']['autoconfirmed']   = true;
 $wgGroupPermissions['bureaucrat']['userrights'] = true;
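The group lookup settings in the LocalSettings.php block above ($wgLDAPSearchAttributes, $wgLDAPRequiredGroups written as a lowercase full DN, $wgLDAPGroupAttribute = 'member', $wgLDAPGroupSearchNestedGroups) and the notes about lowercase DNs and nested groups all combine into one access decision. The following is an added example, mine and not the plugin's code, that works through that decision in Python against a constructed in-memory directory standing in for a live AD search: it builds the sAMAccountName filter with RFC 4515 escaping, normalises DNs so the lowercase required-group DN matches what AD returns, and walks member attributes through nested groups with a guard against group cycles. SAMPLE_GROUPS, SAMPLE_USERS and every function name are my assumptions.

```python
import re
from typing import Dict, List

# Constructed sample directory (not real AD data): group DN -> member DNs,
# mirroring the page's WikiUsers group under OU=IT,OU=Groups. Helpdesk is a
# nested group inside WikiUsers and also lists WikiUsers as a member, so the
# membership walk has to cope with a cycle.
SAMPLE_GROUPS: Dict[str, List[str]] = {
    "CN=WikiUsers,OU=IT,OU=Groups,DC=mycompany,DC=com": [
        "CN=Example\\, Jamie,OU=Staff,DC=mycompany,DC=com",
        "CN=Helpdesk,OU=IT,OU=Groups,DC=mycompany,DC=com",
    ],
    "CN=Helpdesk,OU=IT,OU=Groups,DC=mycompany,DC=com": [
        "CN=Example\\, Alex,OU=Staff,DC=mycompany,DC=com",
        "CN=WikiUsers,OU=IT,OU=Groups,DC=mycompany,DC=com",
    ],
}

# Constructed sAMAccountName -> DN map, standing in for the result of the
# (sAMAccountName=...) search the plugin runs with $wgLDAPSearchAttributes.
# One entry is deliberately lowercase to show that case must not matter.
SAMPLE_USERS: Dict[str, str] = {
    "jexample": "cn=example\\, jamie,ou=staff,dc=mycompany,dc=com",
    "aexample": "CN=Example\\, Alex,OU=Staff,DC=mycompany,DC=com",
    "outsider": "CN=Out Sider,OU=Contractors,DC=mycompany,DC=com",
}

# The required group exactly as the page writes it: full DN, lowercase.
REQUIRED_GROUP = "cn=wikiusers,ou=it,ou=groups,dc=mycompany,dc=com"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515), so a
    login name containing '*', '(', ')' or '\\' is matched literally instead
    of changing the shape of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def user_search_filter(username: str, attribute: str = "sAMAccountName") -> str:
    """Build the lookup filter for a login name; attribute is what
    $wgLDAPSearchAttributes names."""
    return "(%s=%s)" % (attribute, escape_filter_value(username))


def normalise_dn(dn: str) -> str:
    """Canonical form for comparing AD DNs: split on unescaped commas, trim
    spaces around each RDN, lowercase. Comparing full DNs is what
    $wgLDAPGroupUseFullDN = true asks for."""
    parts = re.split(r"(?<!\\),", dn)
    return ",".join(p.strip() for p in parts).lower()


def is_member(groups: Dict[str, List[str]], user_dn: str, group_dn: str,
              nested: bool = True) -> bool:
    """Walk the group's member attribute ($wgLDAPGroupAttribute). With
    nested=True ($wgLDAPGroupSearchNestedGroups) follow member groups too,
    remembering visited groups so a cycle terminates."""
    table = {normalise_dn(g): [normalise_dn(m) for m in ms] for g, ms in groups.items()}
    target = normalise_dn(user_dn)
    seen = set()
    todo = [normalise_dn(group_dn)]
    while todo:
        g = todo.pop()
        if g in seen:
            continue
        seen.add(g)
        for m in table.get(g, []):
            if m == target:
                return True
            if nested and m in table:
                todo.append(m)
    return False


def wiki_access_allowed(username: str, nested: bool = True) -> bool:
    """The whole decision for one login: resolve the name to a DN, then
    require membership of REQUIRED_GROUP."""
    # A live setup would send user_search_filter(username) to the server;
    # here the constructed map stands in for that search result.
    dn = SAMPLE_USERS.get(username)
    if dn is None:
        return False
    return is_member(SAMPLE_GROUPS, dn, REQUIRED_GROUP, nested)


if __name__ == "__main__":
    for name in ("jexample", "aexample", "outsider"):
        print(user_search_filter(name), "->", wiki_access_allowed(name))
```

The escaping in user_search_filter is the part worth keeping in mind when the search value comes straight from the login form: without it a name such as "*" would turn the filter into a wildcard match rather than an exact lookup. The cycle guard in is_member is what makes nested group searching safe to turn on in a directory where groups can contain each other.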

I hope someone finds this useful.

I can be contacted at jamie (at) superjamie (dot) net, if you have any suggestions for improving this page.