How to configure Mediawiki to authenticate against Active Directory on CentOS


This assumes you’ve got a working install of MediaWiki already and just need to tie it into Active Directory.

1. Make sure php-ldap is installed

2. Configure OpenLDAP on CentOS to ignore your domain controller’s certificate validity. We all trust our own domain controllers, don’t we?

3. Download and extract the latest LDAPAuthentication extension into your ‘mediawiki/extensions’ directory. I’m going to assume you’ve named the extension directory ‘ldapauthentication’ for the remainder of this documentation.

4. Edit your ‘LocalSettings.php’, found in the root of your MediaWiki directory, and add the following, substituting your own domain’s values. Make sure you consistently use the same value for “<YOURDOMAINNAME>” at the start of each “array (” line.
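As an added example (not the post’s own configuration), here is a LocalSettings.php fragment wiring the LdapAuthentication extension to Active Directory. The domain key EXAMPLE, the domain controller hostnames, the base DN, the bind account and the group DN are placeholders to replace with your own values.

```php
<?php
// Added example, not from the original post. Load the extension from the
// directory name assumed in step 3 and make it the authentication plugin.
require_once( "$IP/extensions/ldapauthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();

// The key of every array below must be the same string; it is the
// "<YOURDOMAINNAME>" the post refers to and is what users see as DomainName.
$wgLDAPDomainNames = array( 'EXAMPLE' );

// Space-separated list of domain controllers (placeholder hostnames).
$wgLDAPServerNames = array( 'EXAMPLE' => 'dc1.example.local dc2.example.local' );

// 'ssl' = LDAPS on 636. 'tls' (STARTTLS on 389) and 'clear' are the other
// accepted values; with 'clear' passwords cross the network unencrypted.
$wgLDAPEncryptionType = array( 'EXAMPLE' => 'ssl' );

// Look users up by sAMAccountName under the domain base DN (placeholder DN).
$wgLDAPSearchAttributes = array( 'EXAMPLE' => 'sAMAccountName' );
$wgLDAPBaseDNs = array( 'EXAMPLE' => 'dc=example,dc=local' );

// Read-only bind account used to perform the lookup before the user's own
// bind (see the comment thread below). A plain Domain User is sufficient.
$wgLDAPProxyAgent = array(
    'EXAMPLE' => 'cn=mw-ldap-bind,ou=Service Accounts,dc=example,dc=local',
);
$wgLDAPProxyAgentPassword = array( 'EXAMPLE' => 'CHANGE_ME' );

// Optional: only members of one AD group may log in (placeholder group DN).
$wgLDAPRequireGroups = array(
    'EXAMPLE' => array( 'cn=wiki-users,ou=Groups,dc=example,dc=local' ),
);
$wgLDAPGroupUseFullDN   = array( 'EXAMPLE' => true );
$wgLDAPGroupObjectclass = array( 'EXAMPLE' => 'group' );
$wgLDAPGroupAttribute   = array( 'EXAMPLE' => 'member' );
$wgLDAPGroupNameAttribute = array( 'EXAMPLE' => 'cn' );

// Disable the local MediaWiki password database so AD is the only source.
$wgLDAPUseLocal = false;
$wgLDAPLowerCaseUsername = array( 'EXAMPLE' => true );

// Raise to 3 and set $wgDebugLogGroups['ldap'] to a file the web server can
// write while troubleshooting; keep at 0 in production.
$wgLDAPDebug = 0;
```

The log path given to $wgDebugLogGroups['ldap'] must be writable by the web server user, otherwise no debug file appears even with $wgLDAPDebug set.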

That should be it! If it’s not working check your log files.



14 thoughts on “How to configure Mediawiki to authenticate against Active Directory on CentOS”

  1. You saved my day with this. Let me just add one thing from my experience.

    Initially, I used a MySQL account for login. After following your guide, I needed to deal with two more things:

    1) echo -e "TLS_REQCERT\tnever" >> /etc/openldap/ldap.conf
    This was to remove the “incorrect password” false alarm when trying to log into MediaWiki.

    2) php /var/www/html/mediawiki/maintenance/update.php

    This was to get rid of the “PHP Notice:  Uncommitted DB writes (transaction from DatabaseBase::query (LCStore_DB::get))” error message which caused the error message in browser (something like “internal error, check the source code”)

    All the best,

    Ivan

  2. Hi Eric

    I’m following your sample but I get this error:

    Unable to start TLS: Can't contact LDAP server in /var/www/html/mediawiki/extensions/LdapAuthentication/LdapAuthentication.php on line 622

    I have also enabled debug but don’t get a file?

    $wgLDAPDebug = 3; //for debugging LDAP
    $wgShowExceptionDetails = true; //for debugging MediaWiki
    $wgDebugLogGroups['ldap'] = '/tmp/debug.log';

    What am I doing wrong?


    • Based on that error I’d guess you are unable to connect to your LDAP server from the server you are running Mediawiki on. That or your LDAP server isn’t listening for SSL connections.

      • I changed it to “Clear” but then I get nothing.

        And I don’t get this debug log at all:

        $wgLDAPDebug = 3;
        $wgDebugLogGroups['ldap'] = '/var/www/html/mw/log/debug.log';

        error_reporting( -1 );
        ini_set( 'display_errors', 1 );

  3. Hi,

    I would like to know if it is possible to integrate this plugin for Secure LDAP?

    We are running secure LDAP so I am not sure if it will work with that or not? Can you please confirm. Thank you in advance.

    Kind Regards

    Umair

  4. In the MediaWiki login page I got a new field named DomainName,
    but I can’t log in with LDAP users.

  5. What about authentication? In my previous version of MediaWiki, I had to add a $wgLDAPProxyAgent and $wgLDAPProxyAgentPassword.

    • You’re right. In any other AD/LDAP deployment I’ve ever done I’ve needed some kind of bind account to actually connect to AD. Not sure why that’s missing from my post here.

      If it follows common practice and based on their documentation (https://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Examples) you’ll need to also specify the following:

      $wgLDAPProxyAgent = array(
      'openldap_example_com' => 'cn=readonly,dc=example,dc=com',
      );
      $wgLDAPProxyAgentPassword = array(
      'openldap_example_com' => '*****',
      );

      The AD account you use for binding should be unique and only needs to be a ‘Domain User’. No other special privileges.
