
I have MediaWiki set up on a Fedora machine and am attempting to get it working with our AD credentials. It is successfully connecting to our AD server and you can log into MediaWiki fine with them. However, now I am trying to restrict it so that only our IT department users can log on. I can't seem to get the setup correct though; the relevant section of my LocalSettings file is below:

require_once("/directo/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array("MYDOMAIN");
$wgLDAPServerNames = array("MYDOMAIN" => "DOMAINIP");
# bind string; USER-NAME is replaced by the name typed at login
$wgLDAPSearchStrings = array("MYDOMAIN" => "MYDOMAIN\\USER-NAME");
$wgLDAPEncryptionType = array("MYDOMAIN" => "ssl");

# one base DN per domain, comma-separated inside a single string
$wgLDAPBaseDNs = array("MYDOMAIN" => "dc=MYDOMAIN,dc=com");
$wgLDAPSearchAttributes = array("MYDOMAIN" => "sAMAccountName");
$wgLDAPRetrievePrefs = array("MYDOMAIN" => true);
$wgLDAPPreferences = array("MYDOMAIN" => array('email' => 'mail', 'realname' => 'displayname'));
$wgLDAPDebug = 3;
$wgLDAPExceptionDetails = true;

# takes the DN of a group object (matched against the groups the user belongs to), not an OU
$wgLDAPRequiredGroups = array("MYDOMAIN" => array("OU=Users,OU=IT,OU=Admin,DC=MYDOMAIN,DC=com"));

If I remove that last line about required groups I can log in fine. Our setup in AD for folders is as follows from top to bottom: MYDOMAIN -> Admin -> IT -> Users -> John Doe. But like I said, if I implement that last line no one can log in to our MediaWiki.

justin
  • do you want that only members of that group can use the wiki? So not logged in users should not even be able to read the wiki? – natxo asenjo Sep 07 '16 at 15:17
  • @natxoasenjo Yeah, we want the wiki to be closed so that only those that belong to IT can access/read the wiki. – justin Sep 07 '16 at 20:07
  • If you are using 1.27 note that authentication has been [completely rewritten](https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_27/RELEASE-NOTES-1.27;6045afb69f773a4e2ddce72a203c2d1fca7d1e1b$138) and that [did not work out so well](https://github.com/wikimedia/mediawiki-extensions-LdapAuthentication/commit/b9d994b85c25d57c94d0b962dda7b6982f585ef9) for LdapAuthentication. – Tgr Sep 08 '16 at 06:23
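$wgLDAPRequiredGroups is compared against the DNs of the group objects an account is a member of; an organizational unit is a container in the directory tree, not a group, so an OU DN can never match. The following diagnostic script is an added example, not code from the question or from the LdapAuthentication extension. It binds to AD with a user's own credentials, looks the account up by sAMAccountName and reports whether an intended required-group DN is among that account's memberships. The server name dc01.mydomain.com, the base DN DC=MYDOMAIN,DC=com and the group CN=IT Wiki Users,OU=Groups,DC=MYDOMAIN,DC=com are assumed placeholders.

```php
<?php
// check_ad_group.php: standalone diagnostic, NOT part of the LdapAuthentication extension.
// Usage: php check_ad_group.php <username> <password>
// The four values below are assumed placeholders; substitute your own.
$server  = 'ldaps://dc01.mydomain.com';                     // assumed DC; ldaps:// = LDAP over TLS on 636
$domain  = 'MYDOMAIN';                                      // NetBIOS name used for DOMAIN\user binds
$baseDn  = 'DC=MYDOMAIN,DC=com';                            // one string, comma-separated
$groupDn = 'CN=IT Wiki Users,OU=Groups,DC=MYDOMAIN,DC=com'; // assumed group object (CN=...), not an OU

if ($argc < 3) {
    fwrite(STDERR, "usage: php check_ad_group.php <username> <password>\n");
    exit(2);
}
list(, $user, $password) = $argv;

$ldap = ldap_connect($server);
if ($ldap === false) {
    fwrite(STDERR, "ldap_connect: malformed server URI\n");
    exit(1);
}
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
// AD returns referrals for other naming contexts; chasing them makes searches fail.
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

// Bind as the user, the same way a "MYDOMAIN\\USER-NAME" search string makes the extension bind.
if (!@ldap_bind($ldap, $domain . '\\' . $user, $password)) {
    fwrite(STDERR, "bind failed: " . ldap_error($ldap) . "\n");
    exit(1);
}

// Locate the account. The username is escaped so it cannot alter the filter.
$filter = '(&(objectClass=user)(sAMAccountName=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . '))';
$result = ldap_search($ldap, $baseDn, $filter, array('distinguishedName', 'memberOf'));
if ($result === false) {
    // A wrong base DN shows up here as "No such object".
    fwrite(STDERR, "search failed: " . ldap_error($ldap) . "\n");
    exit(1);
}
$entries = ldap_get_entries($ldap, $result);   // attribute names come back lower-cased
if ($entries['count'] !== 1) {
    fwrite(STDERR, "expected exactly one account, found {$entries['count']}\n");
    exit(1);
}
$entry = $entries[0];
echo "user DN: " . $entry['distinguishedname'][0] . "\n";

// memberOf holds the DNs of the groups the account is a DIRECT member of. It omits the
// primary group (usually Domain Users) and groups reached only through nesting.
$groups = array();
if (isset($entry['memberof'])) {
    for ($i = 0; $i < $entry['memberof']['count']; $i++) {
        $groups[] = $entry['memberof'][$i];
    }
}
echo "direct group memberships:\n";
foreach ($groups as $g) {
    echo "  $g\n";
}

// DNs are compared case-insensitively; an OU DN will never appear in this list.
$isMember = in_array(strtolower($groupDn), array_map('strtolower', $groups), true);
echo ($isMember ? "OK: member of " : "DENIED: not a member of ") . $groupDn . "\n";
exit($isMember ? 0 : 3);
```

Run it from the wiki host with a normal IT user's credentials: the printed memberOf list is what a required-group value has to match. For ldaps:// to work, the OpenLDAP library on the web server must trust the domain controller's certificate (TLS_CACERT in /etc/openldap/ldap.conf on Fedora); a failed bind with a certificate error points there rather than at the credentials.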

1 Answer


As stated in the comment, the wiki should only be accessed (read/written) by a group.

The way we have solved this is using a combination of Apache basic authentication first. So in the vhost of the wiki you set a Directory directive:

    <Directory /srv/apacheprod/html/mediawiki >
    AllowOverride All
    AuthBasicProvider ldap
    AuthType Basic
    # Apache 2.2 directive; it was removed in 2.4, where an unknown directive stops httpd from starting
    AuthzLDAPAuthoritative off
    AuthName "Wiki Operations"

    # global catalog port over plain ldap:// (NONE = no encryption): the user's password reaches the DC
    # unencrypted on the bind; use ldaps:// on 3269 once the web server trusts the DC certificate
    AuthLDAPUrl "ldap://domain.local:3268/DC=DOMAIN,DC=LOCAL?sAMAccountName?sub?(objectClass=*)" NONE

    # bind as wiki user
    AuthLDAPBindDN "cn=wiki,ou=service_accounts,dc=domain,dc=local"
    AuthLDAPBindPassword pwd

    # members of these groups may log in
    # do not use inverted commas in the group distinguished name or it won't work!
    require ldap-group CN=ICT - Operations,OU=Security Groepen,DC=domain,DC=local
    require ldap-group CN=ICT - devs,ou=security groepen,DC=domain,DC=local

    </Directory>

This protects the wiki from users not belonging to those groups, but we also want that, once logged in, the users already have a MediaWiki account. That's the next step, using the LDAP authentication extension for MediaWiki.

So download the extension and modify your LocalSettings.php. Ours looks like this:

##### LdapAuth plugin #####

## load the library
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
require_once( "$IP/extensions/LdapAuthentication/LdapAutoAuthentication.php" );

## create an object
$wgAuth = new LdapAuthenticationPlugin();

# we are using AD, so define it here
$wgLDAPDomainNames = array(
    "AD",
);

# ldap servers for AD
$wgLDAPServerNames = array(
    "AD" => "dc01.domain.local dc02.domain.local dc03.domain.local"
);

# "clear" means plain LDAP on 389: the proxy agent password and every user lookup
# cross the network unencrypted. Prefer "tls" (STARTTLS) or "ssl" once the web
# server trusts the domain controllers' certificate.
$wgLDAPEncryptionType = array(
    "AD" => "clear"
);

$wgLDAPProxyAgent = array(
    "AD" => "CN=mediawiki,OU=Service_accounts,DC=domain,DC=local"
);

$wgLDAPProxyAgentPassword = array(
    "AD" => "pwd"
);

$wgLDAPBaseDNs = array(
    "AD" => "dc=domain,dc=local"
);

$wgLDAPSearchAttributes = array(
    "AD" => "sAMAccountName",
);

//Option for allowing the retrieval of user preferences from LDAP.
//Only pulls a small amount of info currently.
//Default: false
//DEPRECATED in 1.2a
$wgLDAPRetrievePrefs = array(
    "AD"=>false
);

//Option for pulling specific preferences. Available options
//are "email", "realname", "nickname", "language"
//Ensure all attribute names given are in lower case.
//Default: none; disabled
//Available in 1.2a
$wgLDAPPreferences = array(
    "AD"=>array( "email"=>"mail","realname"=>"displayname","nickname"=>"cn","language"=>"preferredlanguage")
);

# REMOTE_USER is set by the Apache layer above; strip a Kerberos-style @REALM suffix.
# Guard the lookup so an unauthenticated request does not raise a PHP notice.
$wgLDAPAutoAuthUsername = preg_replace( '/@.*/', '', isset( $_SERVER["REMOTE_USER"] ) ? $_SERVER["REMOTE_USER"] : '' );

$wgLDAPAutoAuthDomain = "AD" ;

# debugging this extension, uncomment if needed
#$wgLDAPDebug = 1;
#$wgDebugLogGroups['ldap'] = '/srv/apacheprod/html/mediawiki/tmp/ldap_debug.log';

AutoAuthSetup();

With these settings we achieve what you intend to do.

natxo asenjo
  • Thanks for the help. However, when I set mine up this way I get an endless loop of a pop-up saying "Authentication Required https://myurl requires you to log in", but when I log in it just comes back up and the page never loads, no matter how many times I log in. If I exit out of the pop-up I get a 401 Unauthorized page. – justin Sep 09 '16 at 19:01
  • So the basic auth part is not working, it seems (otherwise you would not get the 401). Take a look at your web server logs. – natxo asenjo Sep 09 '16 at 21:31
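The answer's setup hands whatever Apache put in REMOTE_USER straight to the extension, and relies on the Apache rules alone to keep anonymous visitors out. The fragment below is an added example for LocalSettings.php, not code from the answer or from the LdapAuthentication extension: it derives the auto-login name from REMOTE_USER while rejecting empty values, names from another realm and characters MediaWiki would not accept, and it closes anonymous reading inside MediaWiki as a second layer. The realm DOMAIN.LOCAL and the NetBIOS name DOMAIN are assumed placeholders, and the function name wikiAutoAuthUsername is made up for this example.

```php
<?php
// Added example for LocalSettings.php (drop the opening tag when pasting: the file
// already has one). Replaces the $wgLDAPAutoAuthUsername ... AutoAuthSetup() lines.
// "DOMAIN.LOCAL" and "DOMAIN" are assumed placeholders.

/**
 * Map the web server's REMOTE_USER to the sAMAccountName the LDAP lookup expects.
 * Accepts "jdoe", "jdoe@DOMAIN.LOCAL" (UPN/Kerberos style) and "DOMAIN\jdoe".
 * Returns null for an empty value, a foreign realm, or a name MediaWiki would reject,
 * so that the caller fails closed and no auto-login happens.
 */
function wikiAutoAuthUsername( $remoteUser, $realm, $netbios ) {
    if ( !is_string( $remoteUser ) || $remoteUser === '' ) {
        return null; // the front door authenticated nobody
    }
    $name = $remoteUser;
    $at = strrpos( $name, '@' );
    if ( $at !== false ) {
        if ( strcasecmp( substr( $name, $at + 1 ), $realm ) !== 0 ) {
            return null; // account from another realm or forest
        }
        $name = substr( $name, 0, $at );
    } elseif ( strpos( $name, '\\' ) !== false ) {
        list( $dom, $name ) = explode( '\\', $name, 2 );
        if ( strcasecmp( $dom, $netbios ) !== 0 ) {
            return null;
        }
    }
    // Conservative sAMAccountName shape. "@" and ":" are invalid in MediaWiki
    // usernames by default ($wgInvalidUsernameCharacters); the rest is this example's policy.
    if ( !preg_match( '/^[A-Za-z0-9][A-Za-z0-9._ -]{0,63}$/', $name ) ) {
        return null;
    }
    return $name;
}

$autoUser = wikiAutoAuthUsername(
    isset( $_SERVER['REMOTE_USER'] ) ? $_SERVER['REMOTE_USER'] : '',
    'DOMAIN.LOCAL',
    'DOMAIN'
);

if ( $autoUser !== null ) {
    $wgLDAPAutoAuthUsername = $autoUser;
    $wgLDAPAutoAuthDomain = "AD";
    AutoAuthSetup();
}

// Second layer, independent of the Apache rules: anonymous visitors can neither read
// nor edit nor create accounts, so a gap in the web server configuration does not
// expose the wiki. The login page stays reachable.
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgWhitelistRead = array( 'Special:UserLogin' );
```

With this in place the 401 loop described in the comments above still has to be fixed on the Apache side, but a request that slips through without REMOTE_USER now lands on the MediaWiki login page instead of being silently auto-logged in as an empty username or shown the wiki anonymously.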