How to configure Mediawiki to authenticate against Active Directory on CentOS


This assumes you’ve got a working install of MediaWiki already and just need to tie it into Active Directory.

1. Make sure php-ldap is installed, and restart Apache (httpd) afterwards so the running PHP actually loads the module

yum install php-ldap.x86_64

2. Tell the OpenLDAP client library on CentOS (which php-ldap uses under the hood) how to treat your domain controller’s certificate. The edit below sets TLS_REQCERT to never, which makes StartTLS succeed no matter what certificate the DC presents (self-signed, expired, wrong host name). That is convenient in a lab, but it also means anyone who can get between the wiki and the DC can present their own certificate and read every password the wiki sends. We all trust our own domain controllers, but that is not the same as trusting the network in between: for production, export your AD CA certificate, point TLS_CACERT at it and leave TLS_REQCERT at its default of demand.

vim /etc/openldap/ldap.conf

# -------- Make the following edits --------

 TLS_REQCERT     never

# -------- Save and close the file --------

3. Download and extract the latest LDAPAuthentication extension into your ‘mediawiki/extensions’ directory. I’m going to assume you’ve named the extension directory ‘ldapauthentication’ for the remainder of this documentation.

4. Edit your ‘LocalSettings.php’, found in the root of your MediaWiki directory, and add the following, substituting your own domain’s information for the placeholder values. Make sure you consistently use the same value for “<YOURDOMAINNAME>” at the start of each “array (” line. Most Active Directory domains do not allow anonymous searches, so you will normally also need a read-only bind account in $wgLDAPProxyAgent and $wgLDAPProxyAgentPassword; see the comment thread below for the form those settings take.

vim LocalSettings.php

# -------- Make the following edits --------
require_once( "$IP/extensions/ldapauthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array( "<YOURDOMAINNAME>" );

$wgLDAPServerNames = array( "<YOURDOMAINNAME>" => "<DOMAIN CONTROLLER FQDN>" );
# I recommend using a Global Catalog server for this. Use the host name that
# appears on the DC's certificate, not an IP address, if you verify certificates.

# The extension replaces USER-NAME with the login name; AD accepts DOMAIN\user.
$wgLDAPSearchStrings = array( "<YOURDOMAINNAME>" => "<YOURDOMAINNAME>\\USER-NAME" );
# "tls" means StartTLS on the plain LDAP port (389); "ssl" would be LDAPS on 636.
$wgLDAPEncryptionType = array( "<YOURDOMAINNAME>" => "tls" );
# No fallback to MediaWiki's own password table: every login is checked by AD.
$wgLDAPUseLocal = false;
# Only relaxes MediaWiki's local length check; the AD password policy still applies.
$wgMinimalPasswordLength = 1;

$wgLDAPBaseDNs = array( "<YOURDOMAINNAME>" => "dc=<YOURDOMAIN>,dc=<SOMEPLACE>,dc=<COM>" );
# Example: If your domain is mydomain.internet.ca then you want to put in "dc=mydomain,dc=internet,dc=ca".

# Look accounts up by their pre-Windows 2000 login name.
$wgLDAPSearchAttributes = array( "<YOURDOMAINNAME>" => "sAMAccountName" );
$wgLDAPRetrievePrefs = array( "<YOURDOMAINNAME>" => "true" );

$wgLDAPPreferences = array('<YOURDOMAINNAME>' => array( 'email' => 'mail','realname' => 'displayname'));
# This will automatically map the user's e-mail address and full name from Active Directory to their account in MediaWiki

# Most domains do not allow anonymous searches, so you will usually also need a
# read-only bind account in $wgLDAPProxyAgent / $wgLDAPProxyAgentPassword
# (see the comment thread below).

# Debugging only: $wgShowExceptionDetails shows stack traces and file system
# paths to every visitor. Set both back to their defaults once logins work.
$wgLDAPDebug = 3; //for debugging LDAP
$wgShowExceptionDetails = true; //for debugging MediaWiki

# -------- Save and close the file --------

That should be it! If it’s not working, check your log files: the Apache error log on the wiki server and the MediaWiki debug log, which is where the extension’s $wgLDAPDebug output goes. Test with a plain AD account first; a “wrong password” message for a password you know is correct can mean the TLS step or the bind account is the problem, not the password.
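Before you hunt through MediaWiki’s logs, it is worth proving the LDAP side on its own. The following script is an added example, not code from the original post or from the LDAPAuthentication extension. With plain php-ldap it walks through what the extension does with the LocalSettings.php values above: StartTLS to the DC with the certificate verified against your AD CA (rather than TLS_REQCERT never), a bind as a read-only proxy account, a search by sAMAccountName under the base DN, a bind as the user, and a read of the mail and displayName attributes that $wgLDAPPreferences maps. The host name, DNs, CA file path and environment variable names are assumptions; replace them with your own. It needs php-ldap from PHP 7.1 or later for the TLS option constants.

```php
<?php
// ad-preflight.php: added example, not code from the original post or from the
// LDAPAuthentication extension. It performs, with plain php-ldap, the same steps
// the extension performs with the LocalSettings.php values above, so you can
// prove the DC, TLS, bind account and user lookup work before debugging MediaWiki.
// Host name, DNs, CA file path and environment variable names are assumptions.
// Needs php-ldap from PHP 7.1 or later.

$server  = 'dc01.mydomain.internet.ca';                 // $wgLDAPServerNames value
$baseDn  = 'dc=mydomain,dc=internet,dc=ca';             // $wgLDAPBaseDNs value
$proxyDn = 'cn=wiki-ldap,ou=Service Accounts,dc=mydomain,dc=internet,dc=ca'; // $wgLDAPProxyAgent
$caFile  = '/etc/openldap/certs/ad-ca.pem';             // exported AD CA certificate (PEM)

$user    = $argv[1] ?? '';
$proxyPw = getenv('WIKI_LDAP_PROXY_PW') ?: '';
$userPw  = getenv('WIKI_LDAP_TEST_PW') ?: '';

// AD treats a bind with an empty password as an anonymous bind, which "succeeds".
// Refuse to run with empty secrets so the test cannot pass for the wrong reason.
if ($user === '' || $proxyPw === '' || $userPw === '') {
    fwrite(STDERR, "usage: WIKI_LDAP_PROXY_PW=... WIKI_LDAP_TEST_PW=... php ad-preflight.php <sAMAccountName>\n");
    exit(2);
}

// Verify the DC certificate against your AD CA instead of TLS_REQCERT never.
// These are global libldap options and must be set before ldap_connect().
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

$ldap = ldap_connect("ldap://{$server}:389");   // "tls" in the extension = StartTLS on 389
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);  // AD hands out referrals; chasing them breaks searches

if (!@ldap_start_tls($ldap)) {
    fail($ldap, 'StartTLS failed: DC unreachable on 389, StartTLS not offered, or certificate not trusted');
}

// Step 1: bind as the read-only proxy account ($wgLDAPProxyAgent).
if (!@ldap_bind($ldap, $proxyDn, $proxyPw)) {
    fail($ldap, "proxy-agent bind as {$proxyDn} failed");
}

// Step 2: find the user by sAMAccountName ($wgLDAPSearchAttributes). Escape the
// login name so a crafted user name cannot alter the filter.
$filter = '(&(objectClass=user)(sAMAccountName=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . '))';
$result = ldap_search($ldap, $baseDn, $filter, ['mail', 'displayName']);
if ($result === false) {
    fail($ldap, "search under {$baseDn} failed");
}
$entries = ldap_get_entries($ldap, $result);
if ($entries['count'] !== 1) {
    fail($ldap, "expected exactly one entry for {$user}, found {$entries['count']}");
}
$userDn = $entries[0]['dn'];

// Step 3: bind as the user with the supplied password; this is the actual login check.
if (!@ldap_bind($ldap, $userDn, $userPw)) {
    fail($ldap, "bind as {$userDn} failed: wrong password, locked/expired account, or TLS problem");
}

// Step 4: the attributes $wgLDAPPreferences maps into the wiki account
// (ldap_get_entries() lower-cases attribute names).
printf("OK: %s\n  email:    %s\n  realname: %s\n",
    $userDn,
    $entries[0]['mail'][0] ?? '(none)',
    $entries[0]['displayname'][0] ?? '(none)');
ldap_unbind($ldap);
exit(0);

function fail($ldap, string $msg): void
{
    // LDAP_OPT_DIAGNOSTIC_MESSAGE carries AD's extended error text, whose "data"
    // code (e.g. 52e = bad password, 775 = locked out, 532 = password expired)
    // tells you far more than the generic "Invalid credentials".
    $diag = '';
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    fwrite(STDERR, sprintf("FAIL: %s [%d: %s]%s\n",
        $msg, ldap_errno($ldap), ldap_error($ldap), $diag ? " - {$diag}" : ''));
    exit(1);
}
```

Run it on the wiki server itself, as the same user Apache runs as, so it sees the same /etc/openldap/ldap.conf and network path the extension does. Where it fails tells you where to look: StartTLS points at the firewall, the DC or the certificate; the proxy bind at the service account; the user bind, with AD’s data code in the diagnostic message, at the password or the account’s state. Once this passes with certificate verification on, the wiki can run with TLS_REQCERT left at demand as well.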

 


23 thoughts on “How to configure Mediawiki to authenticate against Active Directory on CentOS”

  1. You saved my day with this. Let me just add one thing from my experience.

    Initially, I used a MySQL account for login. After following your guide, I needed to deal with two more things:

    1) echo -e "TLS_REQCERT\tnever" >> /etc/openldap/ldap.conf
    This was to remove the “incorrect password” false alarm when trying to log into MediaWiki

    2) php /var/www/html/mediawiki/maintenance/update.php

    This was to get rid of the “PHP Notice:  Uncommitted DB writes (transaction from DatabaseBase::query (LCStore_DB::get))” error message which caused the error message in browser (something like “internal error, check the source code”)

    All the best,

    Ivan

    Reply
  2. Hi Eric

    I'm following your sample but I get this error:

    Unable to start TLS: Can't contact LDAP server in /var/www/html/mediawiki/extensions/LdapAuthentication/LdapAuthentication.php on line 622

    I have also enabled debug but don't get a file?

    $wgLDAPDebug = 3; //for debugging LDAP
    $wgShowExceptionDetails = true; //for debugging MediaWiki
    $wgDebugLogGroups['ldap'] = '/tmp/debug.log';

    What am I doing wrong?

    Reply
    • Based on that error I’d guess you are unable to connect to your LDAP server from the server you are running Mediawiki on. That or your LDAP server isn’t listening for SSL connections.

      Reply
      • I changed it to “Clear” but then I get nothing.

        and I don't get this debug log at all

        $wgLDAPDebug = 3;
        $wgDebugLogGroups['ldap'] = '/var/www/html/mw/log/debug.log';

        error_reporting( -1 );
        ini_set( 'display_errors', 1 );

        Reply
  3. Hi,

    I would like to know if it is possible to integrate this plugin for Secure LDAP?

    We are running secure LDAP so I am not sure if it will work with that or not? Can you please confirm. Thank you in advance.

    Kind Regards

    Umair

    Reply
  4. In the MediaWiki login page I got a new field named DomainName
    But I can't log in with LDAP users

    Reply
  5. What about authentication? In my previous version of MediaWiki, I had to add a $wgLDAPProxyAgent and $wgLDAPProxyAgentPassword

    Reply
    • You’re right. In any other AD/LDAP deployment I’ve ever done I’ve needed some kind of bind account to actually connect to AD. Not sure why that’s missing from my post here.

      If it follows common practice and based on their documentation (https://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Examples) you’ll need to also specify the following:

      $wgLDAPProxyAgent = array(
          'openldap_example_com' => 'cn=readonly,dc=example,dc=com',
      );
      $wgLDAPProxyAgentPassword = array(
          'openldap_example_com' => '*****',
      );

      The AD account you use for binding should be unique and only needs to be a ‘Domain User’. No other special privileges.

      Reply
  6. Hello

    My MediaWiki version is 1.16.4; does this document still work?

    I did all the configuration you wrote but I still get wrong password.

    Reply
    • I honestly don’t know. We’ve abandoned MediaWiki at work. With passwords you might try, for testing, dropping any symbols and special characters and only be alpha/num.

      Also test the domain account by logging into any domain workstation.

      Reply
      • Thanks Eric,
        I don't have access to create an account without symbols in the password.
        I am sure that my password works; it is my own account.

        Thanks

        Reply
  7. Hello, do you have any idea, how to restrict access to my Wiki only for members of specific AD group please? Now all AD users are able to log in.
    Thanks in advance ;)

    Reply
      • Hello Eric, I have found a solution; the following should be part of ldap.json ;)
        "authorization": {
          "rules": {
            "groups": {
              "required": ["CN=,OU=,DC=,DC="]
            }
          }
        },

        Reply
