How to configure Mediawiki to authenticate against Active Directory on CentOS


This assumes you’ve got a working install of MediaWiki already and just need to tie it into Active Directory.

1. Make sure php-ldap is installed

yum install php-ldap.x86_64

2. Configure the OpenLDAP client on CentOS to ignore your domain controller's certificate validity. We all trust our own domain controllers, don't we? Be aware that this setting turns off certificate verification for every LDAP client on the box, so a host that can sit between the wiki and the domain controller could intercept the credentials being checked; the stricter alternative is to leave TLS_REQCERT at its default of demand and point TLS_CACERT at the CA certificate that issued your domain controller's certificate.

vim /etc/openldap/ldap.conf

# -------- Make the following edits --------

 TLS_REQCERT     never

# -------- Save and close the file --------

3. Download and extract the latest LDAPAuthentication extension into your ‘mediawiki/extensions’ directory. I’m going to assume you’ve named the extension directory ‘ldapauthentication’ for the remainder of this documentation.

4. Edit your ‘LocalSettings.php’, found in the root of your MediaWiki directory, and add the following, substituting the values for your own domain's information. Make sure you consistently use the same value for “<YOURDOMAINNAME>” at the start of each “array (” line.

vim LocalSettings.php

# -------- Make the following edits --------
require_once( "$IP/extensions/ldapauthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array( "<YOURDOMAINNAME>" );

$wgLDAPServerNames = array( "<YOURDOMAINNAME>" => "<DOMAIN CONTROLLER FQDN>" );
# I recommend using a Global Catalog server for this.

$wgLDAPSearchStrings = array( "<YOURDOMAINNAME>" => "<YOURDOMAINNAME>\\USER-NAME" );
$wgLDAPEncryptionType = array( "<YOURDOMAINNAME>" => "tls" );
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;

$wgLDAPBaseDNs = array( "<YOURDOMAINNAME>" => "dc=<YOURDOMAIN>,dc=<SOMEPLACE>,dc=<COM>" );
# Example: If your domain is mydomain.internet.ca then you want to put in "dc=mydomain,dc=internet,dc=ca".

$wgLDAPSearchAttributes = array( "<YOURDOMAINNAME>" => "sAMAccountName" );
$wgLDAPRetrievePrefs = array( "<YOURDOMAINNAME>" => "true" );

$wgLDAPPreferences = array( "<YOURDOMAINNAME>" => array( 'email' => 'mail', 'realname' => 'displayname' ) );
# This will automatically map the user's e-mail address and full name from Active Directory to their account in MediaWiki

$wgLDAPDebug = 3; //for debugging LDAP
$wgShowExceptionDetails = true; //for debugging MediaWiki

# -------- Save and close the file --------
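Before reloading the wiki it is worth proving the same settings from the command line. The script below is an added example, not part of the original post or of the LDAPAuthentication extension: it does the STARTTLS bind with the "DOMAIN\USER-NAME" identity, the sAMAccountName lookup and the mail/displayName fetch that the configuration above relies on. The script name, the argument order and the LDAP_TEST_PASSWORD variable are my own choices, and ldap_escape() assumes PHP 5.6 or later.

```php
<?php
// Pre-flight check for the LDAP settings used in LocalSettings.php (added example).
// Usage: php ldap-check.php <dc-fqdn> <DOMAIN> <base-dn> <username>
// The password comes from the LDAP_TEST_PASSWORD environment variable so it does
// not land in shell history. Every value here is a placeholder supplied by the caller.
if ( $argc < 5 ) {
    fwrite( STDERR, "usage: php ldap-check.php <dc-fqdn> <DOMAIN> <base-dn> <username>\n" );
    exit( 2 );
}
list( , $server, $domain, $baseDn, $user ) = $argv;
$password = getenv( 'LDAP_TEST_PASSWORD' );
if ( $password === false || $password === '' ) {
    fwrite( STDERR, "set LDAP_TEST_PASSWORD in the environment\n" );
    exit( 2 );
}

// Same transport as $wgLDAPEncryptionType = "tls": plain port 389, then STARTTLS.
$ds = ldap_connect( $server, 389 );
ldap_set_option( $ds, LDAP_OPT_PROTOCOL_VERSION, 3 );
ldap_set_option( $ds, LDAP_OPT_REFERRALS, 0 );   // AD hands out referrals that break searches
if ( !ldap_start_tls( $ds ) ) {
    fwrite( STDERR, "STARTTLS failed: " . ldap_error( $ds ) . "\n" );
    exit( 1 );
}

// Same bind identity as $wgLDAPSearchStrings: "DOMAIN\\USER-NAME".
if ( !@ldap_bind( $ds, "$domain\\$user", $password ) ) {
    fwrite( STDERR, "bind failed: " . ldap_error( $ds ) . "\n" );
    exit( 1 );
}

// Same lookup as $wgLDAPSearchAttributes = "sAMAccountName", fetching the two
// attributes that $wgLDAPPreferences maps onto e-mail and real name.
$filter  = '(sAMAccountName=' . ldap_escape( $user, '', LDAP_ESCAPE_FILTER ) . ')';
$res     = ldap_search( $ds, $baseDn, $filter, array( 'mail', 'displayName' ) );
$entries = ldap_get_entries( $ds, $res );   // attribute names come back lower-cased
ldap_unbind( $ds );

if ( $entries['count'] !== 1 ) {
    fwrite( STDERR, "expected exactly one match for $user under $baseDn, got {$entries['count']}\n" );
    exit( 1 );
}
$e = $entries[0];
printf( "OK: bound as %s\\%s\n", $domain, $user );
printf( "  mail        = %s\n", isset( $e['mail'][0] ) ? $e['mail'][0] : '(unset)' );
printf( "  displayName = %s\n", isset( $e['displayname'][0] ) ? $e['displayname'][0] : '(unset)' );
```

A bind or STARTTLS failure here points at ldap.conf, DNS or the account; a count other than 1 points at the base DN or the search attribute.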

That should be it! If it’s not working, check your log files.
