
Scalable Enterprise IT Services

MediaWiki OpenLDAP Authentication


                                                        Patrick Ni
                                                        RedAnt IT Support Inc.
                                                        November, 2009


              How to configure mediawiki to authenticate 
                          against OpenLDAP
					   

					   
Status of this memo
    
    Operating system:        Debian Lenny 
    mediawiki:               1.12.0-2
    mediawiki-extension:     1.4

	
Abstract

    This document shares my experiences; hopefully it helps make 
    mediawiki LDAP authentication work at your site.

	
1. Background

1.1 Whenever you do a search, add, update, or delete operation, LDAP
   is very clearly aware of who you are, what you are doing, what you
   can do and what you cannot do.
	
   "Who you are" is the authentication process, done through the bind
   operation. If you do not bind as anyone, that is an anonymous bind.
	
   What you can and cannot do is the authorization process. 
	
   For example, 

       access to attrs=userPassword,shadowLastChange
       by anonymous auth
       by * none

   means that an anonymous user can use the "userPassword" attribute to
   authenticate (bind), and everyone else has no access to it.
	
   Note: the owner of the DN entry and the rootdn can always write and
   update the entry; you do not have to specify their privileges.
	 
1.2 The "Who am I?" operation of RFC 4532 can help you understand this 
   concept. On Linux, the command is "ldapwhoami". 
	
1.3 $wgLDAPDomainNames is a mediawiki thing, not an LDAP thing.  Here 
   "Domain Name" has nothing to do with DNS (RFC 1034 and RFC 1035). 
   The term "realm", as used in Kerberos, is perhaps more appropriate.
	
   The actual effect of $wgLDAPDomainNames is an HTML drop-down list on
   the login form.  It is designed for collaboration use by a big 
   organization. For example, some users might come from 
   ou=lab,dc=redant,dc=ca, others from ou=corporate,dc=redant,dc=ca, 
   where the "ou=lab" container is likely managed by the R&D department 
   and "ou=corporate" is likely managed by the corporate IT department. 
   In this case, one can create two realms or domains, i.e., 
   $wgLDAPDomainNames = array('lab', 'corporate').

   (Screenshot: RedAntWiki LDAP login screen with domain RedAnt)
   
1.4 $wgLDAPDisableAutoCreate: do not set it to 'true'. If you do, you 
   will not be able to log in, whether or not your login ID already 
   exists in the backend MySQL database. You can see the login process 
   logic in SpecialUserlogin.php and User.php in 
   /var/lib/mediawiki/includes.


2. Configuration

   There are two ways to configure mediawiki LDAP authentication, 
   "bind" or "auth". Please note: 'USER-NAME' is literal, do not 
   change it.

2.1 Direct login, in other words, non-anonymous bind

       $wgAuth = new LdapAuthenticationPlugin();
       $wgLDAPDomainNames = array('RedAnt');
       $wgLDAPServerNames = array('RedAnt' => 'ldap.redant.ca');
       $wgLDAPEncryptionType = array('RedAnt' => 'clear');
       $wgLDAPSearchStrings = array('RedAnt' => 'uid=USER-NAME,ou=Accounts,dc=redant,dc=ca');

2.2 Anonymous bind, then "auth" against the "userPassword" attribute

       $wgAuth = new LdapAuthenticationPlugin();
       $wgLDAPDomainNames = array('RedAnt');
       $wgLDAPServerNames = array('RedAnt' => 'ldap.redant.ca');
       $wgLDAPBaseDNs = array('RedAnt' => 'dc=redant,dc=ca');
       $wgLDAPGroupBaseDNs = array('RedAnt' => 'ou=Group,dc=redant,dc=ca');
       $wgLDAPUserBaseDNs = array('RedAnt' => 'ou=Accounts,dc=redant,dc=ca');
       $wgLDAPEncryptionType = array('RedAnt' => 'clear');
       $wgLDAPSearchAttributes = array('RedAnt' => 'uid');


Author's Address

    Patrick Ni
    RedAnt IT Support Inc.
    Phone: 778 988 3178
    E-mail: Patrick.Ni@RedAnt.ca
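The two login modes of sections 2.1 and 2.2, and the first-match ACL evaluation of section 1.1, as an added Python example (not code from the memo or from the LdapAuthentication extension). The RedAnt DNs are the constructed values from the memo; the USER-NAME substitution is escaped per RFC 4514 and the search filter per RFC 4515, so a typed login name cannot change the bind DN or the filter.

```python
# Added example, not from the memo or the LdapAuthentication extension.
# Assumed: the constructed RedAnt realm settings from sections 2.1 and 2.2.
SEARCH_STRING = 'uid=USER-NAME,ou=Accounts,dc=redant,dc=ca'  # 2.1 $wgLDAPSearchStrings
USER_BASE_DN = 'ou=Accounts,dc=redant,dc=ca'                  # 2.2 $wgLDAPUserBaseDNs
SEARCH_ATTRIBUTE = 'uid'                                      # 2.2 $wgLDAPSearchAttributes

def escape_dn_value(value):
    """Escape an RDN attribute value per RFC 4514 so the login name
    stays a single value and cannot add RDNs to the bind DN."""
    out = ''.join('\\00' if c == '\x00' else ('\\' + c if c in ',+"\\<>;' else c)
                  for c in value)
    if value[:1] in ('#', ' '):                  # leading '#' or space
        out = '\\' + out
    if len(value) > 1 and value.endswith(' '):   # trailing space
        out = out[:-1] + '\\ '
    return out

def escape_filter_value(value):
    """Escape a search filter assertion value per RFC 4515."""
    table = {'\\': '\\5c', '*': '\\2a', '(': '\\28', ')': '\\29', '\x00': '\\00'}
    return ''.join(table.get(c, c) for c in value)

def direct_bind_dn(username):
    """Section 2.1: USER-NAME is replaced in the template and the plugin
    binds as that DN with the password the user typed."""
    return SEARCH_STRING.replace('USER-NAME', escape_dn_value(username))

def user_search(username):
    """Section 2.2: after an anonymous bind the plugin searches the user
    base with this filter; the DN of the entry found is then bound."""
    return USER_BASE_DN, '(%s=%s)' % (SEARCH_ATTRIBUTE, escape_filter_value(username))

# Section 1.1: slapd walks the "by" clauses in order and stops at the first
# whose <who> matches; the level granted there must cover the level wanted.
USERPASSWORD_ACL = [('anonymous', 'auth'), ('*', 'none')]
LEVELS = ['none', 'disclose', 'auth', 'compare', 'search', 'read', 'write', 'manage']

def acl_allows(who, wanted, clauses=USERPASSWORD_ACL):
    """who is 'anonymous' or a bound DN; wanted is an access level name."""
    for subject, granted in clauses:
        if subject in ('*', who):
            return LEVELS.index(granted) >= LEVELS.index(wanted)
    return False

if __name__ == '__main__':
    print(direct_bind_dn('pni,ou=Admins'))   # the comma stays inside the uid value
    print(user_search('p*'))                 # the wildcard is neutralised
    print(acl_allows('anonymous', 'auth'), acl_allows('anonymous', 'read'))
```

Both memo configurations set $wgLDAPEncryptionType to 'clear', so the password used in either bind crosses the network unencrypted.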