Author Topic: [Howto] Mediawiki with LDAP authentication  (Read 15578 times)

G2LOQ

  • Zen Apprentice
  • *
  • Posts: 12
  • Karma: +1/-0
    • View Profile
[Howto] Mediawiki with LDAP authentication
« on: April 15, 2011, 11:28:56 am »
Hi,


This quick howto will help you restrict access to your MediaWiki to known Zentyal users.

In this sample, the user must be a member of either Zentyal Group1 or Group2 (cf. $wgLDAPRequiredGroups).

First, you need to install the mediawiki-extensions:
Code:
sudo aptitude install mediawiki-extensions
Edit: Enable the module with:
Code:
$ mwenext LdapAuthentication.php
Append the following code to /etc/mediawiki/LocalSettings.php and replace every "dc=domain,dc=lan" with your Base DN:
Code:
#######################
# LDAP Authentication #
#######################
$wgAuth = new LdapAuthenticationPlugin();

//The names of one or more domains you wish to use
$wgLDAPDomainNames = array("zentyal");

//The fully qualified name of one or more servers per domain you wish to use.
$wgLDAPServerNames = array("zentyal"=>"localhost");

//The type of encryption you would like to use when connecting to the LDAP server.
//Available options are "tls", "ssl", and "clear"
//Default: tls
$wgLDAPEncryptionType = array("zentyal"=>"clear");

//Base DNs. Group and User base DNs will be used if available; if they are not defined, the search
//will default to $wgLDAPBaseDNs
$wgLDAPBaseDNs = array("zentyal"=>"dc=domain,dc=lan");

//The search string to be used for straight binds to the directory; USER-NAME will be
//replaced by the username of the user logging in.
$wgLDAPSearchStrings = array("zentyal"=>"uid=USER-NAME,ou=Users,dc=domain,dc=lan");

//Munge the case of the username to lowercase when doing searches in groups
//Default: false
$wgLDAPLowerCaseUsername = array("zentyal"=>true);

//The objectclass of the groups we want to search for
$wgLDAPGroupObjectclass = array("zentyal"=>"eboxGroup");

//The attribute used for group members
$wgLDAPGroupAttribute = array("zentyal"=>"memberUid");

//The naming attribute of the group
$wgLDAPGroupNameAttribute = array("zentyal"=>"cn");

//An array of the groups the user is required to be a member of.
$wgLDAPRequiredGroups = array(
    "zentyal"=>array(
        "cn=Group1,ou=Groups,dc=domain,dc=lan",
        "cn=Group2,ou=Groups,dc=domain,dc=lan")
  );

//Option for getting debug output from the plugin. 1-3 available. 1 will show
//non-sensitive info, 2 will show possibly sensitive user info, 3+ will show
//sensitive system info. Setting this on a live public site is probably a bad
//idea.
//Default: 0
$wgLDAPDebug = 0;
$wgDebugLogGroups["ldap"] = "/tmp/mediawiki-debug.log" ;

//Don't automatically create an account for a user if the account exists in LDAP
//but not in MediaWiki.
//Default: false.
$wgLDAPDisableAutoCreate = array("zentyal"=>false);

# Disable reading by anonymous users
$wgGroupPermissions['*']['read']            = false;
$wgGroupPermissions['*']['createaccount']   = false;
$wgGroupPermissions['*']['edit']            = false;
$wgGroupPermissions['*']['createpage']      = false;
$wgGroupPermissions['*']['createtalk']      = false;

# But allow them to access the login page or else there will be no way to log in!
# NOTE: You also need to provide access here to the .css and .js files that the
# allowed pages attempt to load; otherwise, users will get errors on the page
# when they attempt to load it (IE will complain about the errors;
# FF will show them in its error console)
# (You also might want to add access to "Main Page", "Wikipedia:Help", etc.)
$wgWhitelistRead = array ("Special:Userlogin", "MediaWiki:Common.css", "MediaWiki:Common.js", "MediaWiki:Monobook.css", "MediaWiki:Monobook.js", "-", "Main Page");

That's all.
« Last Edit: May 03, 2011, 08:27:02 pm by G2LOQ »
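
A consistency check for the settings in the howto above, as an added example that is not part of the original post or of the LdapAuthentication extension: it flags DNs left outside the configured Base DN (the replacement step the howto asks for), a "clear" bind to a non-local server, and level 2+ debug output written under /tmp. The sample config, dc=example,dc=org, ldap.example.org and the `audit` helper are constructed for illustration, and a single LDAP domain is assumed.

```python
import re

# Constructed sample (not from the thread): only $wgLDAPBaseDNs was changed to
# the real Base DN; dc=example,dc=org and ldap.example.org are placeholders.
SAMPLE = r'''
//will default to $wgLDAPBaseDNs
$wgLDAPServerNames = array("zentyal"=>"ldap.example.org");
$wgLDAPEncryptionType = array("zentyal"=>"clear");
$wgLDAPBaseDNs = array("zentyal"=>"dc=example,dc=org");
$wgLDAPSearchStrings = array("zentyal"=>"uid=USER-NAME,ou=Users,dc=domain,dc=lan");
$wgLDAPRequiredGroups = array(
    "zentyal"=>array(
        "cn=Group1,ou=Groups,dc=example,dc=org",
        "cn=Group2,ou=Groups,dc=domain,dc=lan")
  );
$wgLDAPDebug = 2;
$wgDebugLogGroups["ldap"] = "/tmp/mediawiki-debug.log" ;
'''

def strings(php, name):
    """Double-quoted literals on the right-hand side of `$name ... = ...;`."""
    m = re.search(r'\$' + name + r'\b[^=;]*=(.*?);', php, re.S)
    return re.findall(r'"([^"]*)"', m.group(1)) if m else []

def audit(php):
    """Return (code, detail) findings for a single-domain LDAP config."""
    php = re.sub(r'(?m)^\s*(//|#).*$', '', php)      # drop full-line comments
    norm = lambda dn: re.sub(r'\s*,\s*', ',', dn.strip().lower())
    findings = []
    base = [norm(s) for s in strings(php, 'wgLDAPBaseDNs') if '=' in s]
    for name in ('wgLDAPSearchStrings', 'wgLDAPRequiredGroups'):
        for dn in (s for s in strings(php, name) if '=' in s):
            if not any(norm(dn).endswith(',' + b) for b in base):
                findings.append(('dn-outside-base', f'{name}: {dn}'))
    servers = strings(php, 'wgLDAPServerNames')[1::2]  # values of "domain"=>"host"
    if 'clear' in strings(php, 'wgLDAPEncryptionType') and any(
            h not in ('localhost', '127.0.0.1', '::1') for h in servers):
        findings.append(('cleartext-remote-bind', ', '.join(servers)))
    level = re.search(r'\$wgLDAPDebug\s*=\s*(\d+)', php)
    logs = strings(php, 'wgDebugLogGroups')
    if level and int(level.group(1)) >= 2 and any(p.startswith('/tmp/') for p in logs):
        findings.append(('sensitive-debug-log-in-tmp', logs[0]))
    return findings

if __name__ == '__main__':
    for finding in audit(SAMPLE):
        print(finding)
```

With the howto's own values (localhost, debug level 0, one Base DN used throughout) the check returns no findings.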

mordor

  • Zen Apprentice
  • *
  • Posts: 3
  • Karma: +0/-0
    • View Profile
Re: [Howto] Mediawiki with LDAP authentication
« Reply #1 on: April 21, 2011, 05:21:53 pm »
Hi @G2LOQ,

I've added this code at the end of LocalSettings.php (in my Zentyal it is in /var/www/wiki/) but it seems that it does not work properly.

I know that this is a very quick howto, but I have some questions based on this code 'cause I've tried many things but I'm lost... ;)


1.- About array("zentyal"=>....) lines: Do I have to change the "zentyal" word to my PDC ebox domain name?

2.- I tried to change to my Base DN and mediawiki does not work at all: As you typed, I've changed all "dc=domain,dc=lan" to my Base DN dc=server,dc=testdomain,dc=com as shown on Zentyal's admin webpage.

I need to solve these doubts...

Thanks in advance  ;)


G2LOQ

Re: [Howto] Mediawiki with LDAP authentication
« Reply #2 on: April 21, 2011, 06:15:28 pm »
Hi mordor,


First of all, be sure to have the LDAP Authentication Plugin loaded in Mediawiki. Check the special page http://.../index.php/Special:Version. You should see the LDAP module indicated below Installed extensions.

If not, do:
Code:
$ mwenext LdapAuthentication.php
This will enable the LDAP Authentication Plugin. That's something I forgot in my too quick howto...  :-\

@+

G2LOQ

Re: [Howto] Mediawiki with LDAP authentication
« Reply #3 on: May 03, 2011, 08:26:38 pm »
Another small error in the howto:

$wgLDAPDisableAutoCreate must be set to false

Code:
//Don't automatically create an account for a user if the account exists in LDAP
//but not in MediaWiki.
//Default: false.
$wgLDAPDisableAutoCreate = array("zentyal"=>false);

mordor

Re: [Howto] Mediawiki with LDAP authentication
« Reply #4 on: October 26, 2011, 04:45:41 pm »
IT WORKS!! I don't know how... but it works!!! hehehe

Now, another tricky question...
Could I combine LDAP user authentication & the local wiki database using the combo box shown?

The main reason is to be able to use the WikiSysop user...

Kind regards & Thanks!!
« Last Edit: October 26, 2011, 05:23:07 pm by mordor »