MediaWiki LDAP Authentication
MediaWiki is a free web-based application that allows you to run your own Wikipedia styled site. A wiki is usually open to all so groups may collaborate within a project freely. Sometimes an enterprise needs it's wiki locked down to authenticated users only hence the need for an authentication mechanism such as LDAP.
LDAP is the Lightweight Directory Access Protocol and in this example we will be using Windows Server's Active Directory Database to authenticate valid users. The scope of this post only covers how to implement LDAP into an already installed and running MediaWiki with Ubuntu Server 10.10.
First we'll navigate to the MediaWiki directory. The actual location may vary so please keep that in mind.
cd /var/lib/mediawiki
Next we'll edit LocalSettings.php with your favorite text editor.
sudo vi LocalSettings.php
Add the following lines adjusted to fit your domain.
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
#### Uncomment this line to see debug messages:
#$wgLDAPDebug = 10;
$wgDebugLogGroups["ldap"] = "/tmp/ldap.log" ;
$wgLDAPDomainNames = array('your_domain.com' );
$wgLDAPServerNames = array('your_domain.com' => 'hostname.your_domain.com' );
$wgLDAPEncryptionType = array('your_domain.com' => 'ssl' );
$wgLDAPUseSSL = array('your_domain.com' => true );
$wgLDAPBaseDNs = array('your_domain.com' => 'dc=your_domain,dc=com' );
$wgLDAPSearchAttributes = array('your_domain.com' => 'sAMAccountName' );
$wgLDAPUseLocal = true;
$wgMinimalPasswordLength = 1;
$wgLDAPProxyAgent = array("your_domain.com" => "CN=LDAP Lookup,CN=Users,DC=your_domain,DC=com" );
$wgLDAPProxyAgentPassword = array("your_domain.com" => "supersecretpassword" );
$wgLDAPUpdateLDAP = array("your_domain.com" => false );
$wgLDAPAddLDAPUsers = array("your_domain.com" => false );
#$wgLDAPRetrievePrefs = array("your_domain.com" => true );
$wgLDAPPPreferences = array("your_domain.com" => true );
$wgLDAPGroupUseFullDN = array("your_domain.com" => true );
$wgLDAPGroupObjectclass = array( "your_domain.com" => "group" );
$wgLDAPGroupAttribute = array( "your_domain.com" => "member" );
$wgLDAPGroupMemberOfAttribute = array( "your_domain.com" => "memberof" );
$wgLDAPGroupSearchNestedGroups = array( "your_domain.com" => true );
$wgLDAPGroupNameAttribute = array( "your_domain.com" => "cn" );
$wgLDAPUseLDAPGroups = array( "your_domain.com" => true );
#$wgLDAPGroupsUseMemberOf = array( "your_domain.com" => true );
#### restrict to logged in users only
#$wgGroupPermissions['*']['edit'] = false;
#$wgGroupPermissions['user']['edit'] = false;
#$wgGroupPermissions['Domain users']['edit'] = true;
#$wgGroupPermissions['*']['read'] = false;
#$wgGroupPermissions['user']['read'] = true;
#$wgGroupPermissions['Domain users']['read'] = true;
#$wgGroupPermissions['*']['createaccount'] = false;
$wgWhitelistRead = array( "Special:Userlogout", "Special:Userlogin" );
# This section defines permissions which allow only logged-in users to edit
#
# Deny access to Anonymous
#
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createpage'] = false;
$wgGroupPermissions['*']['createtalk'] = false;
#
# Allow logged in users to do these things
#
$wgGroupPermissions['user']['move'] = true;
$wgGroupPermissions['user']['read'] = true;
$wgGroupPermissions['user']['edit'] = true;
$wgGroupPermissions['user']['createpage'] = true;
$wgGroupPermissions['user']['createtalk'] = true;
$wgGroupPermissions['user']['upload'] = true;
$wgGroupPermissions['user']['reupload'] = true;
$wgGroupPermissions['user']['reupload-shared'] = true;
$wgGroupPermissions['user']['minoredit'] = true;
#
# Allow automated accounts to do these things
#
$wgGroupPermissions['autoconfirmed']['autoconfirmed'] = true;
$wgGroupPermissions['bot']['bot'] = true;
$wgGroupPermissions['bot']['autoconfirmed'] = true;
#
# Allow logged in sysops to do these things
#
$wgGroupPermissions['sysop']['block'] = true;
$wgGroupPermissions['sysop']['createaccount'] = true;
$wgGroupPermissions['sysop']['delete'] = true;
$wgGroupPermissions['sysop']['deletedhistory'] = true;
$wgGroupPermissions['sysop']['editinterface'] = true;
$wgGroupPermissions['sysop']['import'] = true;
$wgGroupPermissions['sysop']['importupload'] = true;
$wgGroupPermissions['sysop']['move'] = true;
$wgGroupPermissions['sysop']['patrol'] = true;
$wgGroupPermissions['sysop']['protect'] = true;
$wgGroupPermissions['sysop']['rollback'] = true;
$wgGroupPermissions['sysop']['upload'] = true;
$wgGroupPermissions['sysop']['reupload'] = true;
$wgGroupPermissions['sysop']['reupload-shared'] = true;
$wgGroupPermissions['sysop']['unwatchedpages'] = true;
$wgGroupPermissions['sysop']['autoconfirmed'] = true;
$wgGroupPermissions['bureaucrat']['userrights'] = true;
require_once( "$IP/extensions/ParserFunctions/ParserFunctions.php" );
Next we'll navigate to the extensions directory and install the necessary extensions.
cd /var/lib/mediawiki/extensions
We'll create two folders.
sudo mkdir LdapAuthentication
sudo mkdir ParserFunctions
Now we'll download the extensions.
cd LdapAuthentication
wget http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_15_1/extensions/LdapAuthentication/LdapAuthentication.php
wget http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_15_1/extensions/LdapAuthentication/LdapAutoAuthentication.php
Change directories and finish downloading the extensions.
cd ../ParserFunctions
wget http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_15_1/extensions/ParserFunctions/Expr.php
wget http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_15_1/extensions/ParserFunctions/ParserFunctions.i18n.magic.php
wget http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_15_1/extensions/ParserFunctions/ParserFunctions.i18n.php
wget http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_15_1/extensions/ParserFunctions/ParserFunctions.php
wget http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_15_1/extensions/ParserFunctions/SprintfDateCompat.php
wget http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_15_1/extensions/ParserFunctions/exprTests.txt
wget http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_15_1/extensions/ParserFunctions/funcsParserTests.txt
wget http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_15_1/extensions/ParserFunctions/testExpr.php
Now we edit the 'ldap.conf'
.cd /etc/ldap
sudo vi ldap.conf
Add the following line.
TLS_REQCERT never
Now we add the LDAPProxyAgent user in Active Directory. In this case we named the user 'LDAP Lookup' and gave it the password of 'supersecretpassword'. 'LDAP Lookup' should be a member of the Domain Users. Browse to your wiki install and you should be prompted to login. Enter a valid domain user account and now you are logged in.