Using LDAPAuthentication.php with AD on IIS

I had a request for more information about integrating MediaWiki and AD. 

Actually there’s not a lot to it if you are using MediaWiki 1.5.x. You need to get hold of the LDAPAuthentication.php script, drop it in your includes folder, and then define a set of variables in LocalSettings.php. It really is that simple.

Get LDAPAuthentication.php from here. Just right-click on Version 1.0c and Save As…. I wouldn’t bother reading the rest of that page.

For information on configuration check out these examples.

The one gotcha I had is that we use the sAMAccountName attribute and I wanted to restrict access to an AD group. If you want to do both of these then you must define:

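// Array keys are the domain name; PHP keys are case-sensitive, so use the same key in both arrays.
$wgLDAPSearchAttributes = array( "domain"=>"sAMAccountName" );
$wgLDAPBaseDNs = array( "domain"=>"dc=domain,dc=com" );
// Only members of this AD group may log in.
$wgLDAPGroupDN = "cn=groupname,ou=groups,dc=domain,dc=com";
// Account the plugin binds as to search the directory. Its password sits in clear text
// in LocalSettings.php (blanked here), so use a low-privilege, read-only account.
$wgLDAPProxyAgent = "cn=proxy,ou=adminstration,dc=groups,dc=domain,dc=com";
$wgLDAPProxyAgentPassword = "";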

Then you probably want to do things like turning off edit rights for unauthenticated users etc., which you do using the $wgGroupPermissions array. These groups are not associated with the AD groups. I don’t think it is possible to integrate right through to AD at this level. AD integration is merely sign-on permissions.
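A LocalSettings.php fragment for the permission lock-down described above, as an added example that is not part of the original post. It assumes the goal is a wiki that only signed-in AD users can change; the read restriction at the end is an optional assumption for a fully private wiki.

```php
<?php
// Added example for LocalSettings.php; adjust to your own policy.
// MediaWiki's built-in groups are unrelated to AD groups:
//   '*'    = every visitor, including anonymous ones
//   'user' = any logged-in account, which is where users admitted by the
//            AD group check end up after signing on.

// Shipped defaults leave the wiki open to anonymous visitors:
//   $wgGroupPermissions['*']['edit']          = true;
//   $wgGroupPermissions['*']['createaccount'] = true;
//   $wgGroupPermissions['*']['read']          = true;

// Anonymous visitors can no longer edit pages.
$wgGroupPermissions['*']['edit'] = false;

// No self-registration of local wiki accounts from the login form,
// so sign-on stays tied to the directory check.
$wgGroupPermissions['*']['createaccount'] = false;

// Logged-in users keep edit rights (this is the default, stated explicitly).
$wgGroupPermissions['user']['edit'] = true;

// Optional, assuming the wiki should be private: anonymous visitors
// cannot read anything except the login page itself.
$wgGroupPermissions['*']['read'] = false;
$wgWhitelistRead = array( 'Special:Userlogin' );
```

After applying it, test a first-time login with an AD account that has no row in the wiki's user table yet, to confirm the plugin can still create the local account.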

 


4 responses to “Using LDAPAuthentication.php with AD on IIS”

  1. Hi,

    I’m going through a similar install of MediaWiki 1.5.8, IIS6 etc. Quick question about the LDAP php you used. Do you still have to authenticate to the wiki or does it do passthrough authentication for you, i.e. no logon box?

  2. No, you still have to log on. I’ve been toying with the idea of trying to do SSO. There are sites that talk about doing that with Apache. I’m guessing that it will be very similar under IIS, but I haven’t had the time to try. I have blogged about that idea here >> https://myity.wordpress.com/2006/01/12/playing-with-mediawiki/

  3. I have it under IIS. Read the playing-with-mediawiki comments

  4. I got this working, but first time a user logs in (the user exists in LDAP, but not in the mediawiki user table), I get

    Fatal error: Call to a member function on a non-object in /opt/mediawiki/includes/SpecialUserlogin.php on line 314

    Next time that person logs in, it works.
    I’ve verified this by removing the user from user table in mediawiki, and the error comes up again.

    Has anyone else had this problem?

    I’ve read some of the code, but can’t say I get everything! 🙂

    /Thomas
