Comments for Ryan Lane's Blog http://ryandlane.com/blog Wed, 25 Aug 2010 16:09:57 +0000 hourly 1 http://wordpress.org/?v=3.0.1 Comment on Using the LDAP Authentication Plugin for MediaWiki – The Basics (Part 1) by Ryan Lane http://feedproxy.google.com/~r/CommentsForRyanLanesBlog/~3/3BjkOuA3bfM/ Ryan Lane Wed, 25 Aug 2010 16:09:57 +0000 http://ryandlane.com/wprdl/?p=41#comment-1978 It is used for automatic authentication. It does what you are looking for, but you'll need to read the docs to set it up. It is used for automatic authentication. It does what you are looking for, but you’ll need to read the docs to set it up.

]]> http://ryandlane.com/blog/2009/03/23/using-the-ldap-authentication-plugin-for-mediawiki-the-basics-part-1/comment-page-1/#comment-1978 Comment on Using the LDAP Authentication Plugin for MediaWiki – The Basics (Part 1) by Ryan Lane http://feedproxy.google.com/~r/CommentsForRyanLanesBlog/~3/XzXOi0iLuCI/ Ryan Lane Wed, 25 Aug 2010 16:09:04 +0000 http://ryandlane.com/wprdl/?p=41#comment-1977 Yes, this is possible using Kerberos. See the following documentation: http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Kerberos_Configuration_Examples Yes, this is possible using Kerberos. See the following documentation:

http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Kerberos_Configuration_Examples

]]> http://ryandlane.com/blog/2009/03/23/using-the-ldap-authentication-plugin-for-mediawiki-the-basics-part-1/comment-page-1/#comment-1977 Comment on Using the LDAP Authentication Plugin for MediaWiki – The Basics (Part 1) by dvn http://feedproxy.google.com/~r/CommentsForRyanLanesBlog/~3/ckBgfv3kLP4/ dvn Wed, 25 Aug 2010 13:55:51 +0000 http://ryandlane.com/wprdl/?p=41#comment-1976 by the way what does LdapAutoAuthentication.php file is for? by the way what does LdapAutoAuthentication.php file is for?

]]> http://ryandlane.com/blog/2009/03/23/using-the-ldap-authentication-plugin-for-mediawiki-the-basics-part-1/comment-page-1/#comment-1976 Comment on Using the LDAP Authentication Plugin for MediaWiki – The Basics (Part 1) by dvn http://feedproxy.google.com/~r/CommentsForRyanLanesBlog/~3/wn3rHTKUon8/ dvn Wed, 25 Aug 2010 13:53:26 +0000 http://ryandlane.com/wprdl/?p=41#comment-1975 Setup my wiki using LDAP followed this instruction worked perfectly. I like to know if it is posible using this ldapauthentication, can i set up so that the user will be logged-in automatically when he or she launch my wiki site? Thank you Setup my wiki using LDAP followed this instruction worked perfectly. I like to know if it is posible using this ldapauthentication, can i set up so that the user will be logged-in automatically when he or she launch my wiki site?
Thank you

]]> http://ryandlane.com/blog/2009/03/23/using-the-ldap-authentication-plugin-for-mediawiki-the-basics-part-1/comment-page-1/#comment-1975 Comment on Using the LDAP Authentication Plugin for MediaWiki – The Basics (Part 3) by Ryan Lane http://feedproxy.google.com/~r/CommentsForRyanLanesBlog/~3/De2e2zL9M9o/ Ryan Lane Thu, 19 Aug 2010 03:45:30 +0000 http://ryandlane.com/wprdl/?p=148#comment-1973 No worries. Glad to hear it is working for you ;). No worries. Glad to hear it is working for you ;).

]]> http://ryandlane.com/blog/2009/07/09/using-the-ldap-authentication-plugin-for-mediawiki-%e2%80%93-the-basics-part-3/comment-page-1/#comment-1973 Comment on Using the LDAP Authentication Plugin for MediaWiki – The Basics (Part 3) by JimS http://feedproxy.google.com/~r/CommentsForRyanLanesBlog/~3/KxHQN4B44zY/ JimS Wed, 18 Aug 2010 13:43:30 +0000 http://ryandlane.com/wprdl/?p=148#comment-1972 Thanks for pointing out my typo Ryan. Its working ok now. I feel like an idiot and sorry for wasting your time. I owe you a beer. No, two beers. Good beer too, not that lite stuff, and in pints like good beer was meant to be served. Thanks for pointing out my typo Ryan. Its working ok now. I feel like an idiot and sorry for wasting your time. I owe you a beer. No, two beers. Good beer too, not that lite stuff, and in pints like good beer was meant to be served.

]]> http://ryandlane.com/blog/2009/07/09/using-the-ldap-authentication-plugin-for-mediawiki-%e2%80%93-the-basics-part-3/comment-page-1/#comment-1972 Comment on Using the LDAP Authentication Plugin for MediaWiki – The Basics (Part 3) by Ryan Lane http://feedproxy.google.com/~r/CommentsForRyanLanesBlog/~3/4_U34IXYzgM/ Ryan Lane Tue, 17 Aug 2010 21:01:32 +0000 http://ryandlane.com/wprdl/?p=148#comment-1970 Notice in the output that it is searching for your cn in the member=field: Search string: (&(member=Me)(objectclass=group)) It should be searching for your DN; your configuration is slightly off... Change: $wgLDAPUseFullDN to: $wgLDAPGroupUseFullDN Notice in the output that it is searching for your cn in the member=field:

Search string: (&(member=Me)(objectclass=group))

It should be searching for your DN; your configuration is slightly off…

Change: $wgLDAPUseFullDN to: $wgLDAPGroupUseFullDN

]]> http://ryandlane.com/blog/2009/07/09/using-the-ldap-authentication-plugin-for-mediawiki-%e2%80%93-the-basics-part-3/comment-page-1/#comment-1970 Comment on Using the LDAP Authentication Plugin for MediaWiki – The Basics (Part 3) by JimS http://feedproxy.google.com/~r/CommentsForRyanLanesBlog/~3/uZgFKuT6RSY/ JimS Tue, 17 Aug 2010 19:08:52 +0000 http://ryandlane.com/wprdl/?p=148#comment-1969 The segfault made me realize I may have a bad extension installation. I'm running Mediawiki 1.16.0 with php 5.2.10 and mysql 5.0.84 on centos5. I had installed version 1.2c of the extension. Not sure where I got that from. I replaced it with 1.2b(alpha) from the download site and I no longer get a segfault and it appears that nested groups are being searched, but no groups are found. MemberOf is off. Here is the configuration and log. Thanks for looking into this, I seriously appreciate it. require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" ); $wgAuth = new LdapAuthenticationPlugin(); $wgLDAPDomainNames = array( "domain" ); $wgLDAPServerNames = array( "domain" => "dc1.foo.bar dc2.foo.bar" ); $wgLDAPEncryptionType = array( "domain" => "ssl" ); $wgMinimalPasswordLength = 1; # LDAP Straight bind with search strings $wgLDAPSearchStrings = array( "domain" => "USER-NAME@foo.bar" ); $wgLDAPSearchAttributes = array( "domain" => "sAMAccountName" ); $wgLDAPBaseDNs = array( domain=> "dc=foo,dc=bar" ); # Group lookup $wgLDAPRequiredGroups = array( "domain" => array( "CN=GROUP-ALL,OU=Distribution Lists,OU=branch,OU=domain,OU= AD,DC=foo,DC=bar" ) ); $wgLDAPUseFullDN = array( "domain" => true ); #$wgLDAPGroupsUseMemberOf = array( "domain" => true ); $wgLDAPLowerCaseUsername = array( "domain" => true ); $wgLDAPGroupUseRetrievedUsername = array( "domain" => true ); $wgLDAPGroupObjectclass = array( "domain" => "group" ); $wgLDAPGroupAttribute = array( "domain" => "member" ); $wgLDAPGroupNameAttribute = array( "domain" => "cn" ); $wgLDAPGroupSearchNestedGroups = array( "domain" => true ); $wgLDAPRetrievePrefs = array( domain=> true ); $wgLDAPPreferences = array( "domain" => array( "email"=>"mail","realname"=>"displayname","nickname"=>"displayname" ) ); $wgLDAPDebug = 4; $wgDebugLogGroups["ldap"] = "/home/me/wiki/ldapdebug.log"; Entering validDomain User is using a valid domain. Setting domain as: domain Entering getCanonicalName Username isn't empty. Munged username: Me Entering authenticate Entering Connect Using SSL Using servers: ldaps://dc1.foo.bar ldaps://dc2.foo.bar Connected successfully Lowercasing the username: Me Entering getSearchString Doing a straight bind userdn is: me@foo.bar Binding as the user Bound successfully Entering getUserDN Created a regular filter: (sAMAccountName=Me) Entering getBaseDN basedn is not set for this type of entry, trying to get the default basedn. Entering getBaseDN basedn is dc=foo,dc=bar Using base: dc=foo,dc=bar Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined. Pulled the user's DN: CN=me,OU=Users,OU=branch,OU=domain,OU=AD,DC=foo,DC=bar Entering getGroups Retrieving LDAP group membership Searching for the groups Entering searchGroups Entering getBaseDN basedn is not set for this type of entry, trying to get the default basedn. Entering getBaseDN basedn is dc=foo,dc=bar Search string: (&(member=Me)(objectclass=group)) Returned groups: Entering searchNestedGroups No more groups to search. Got the following nested groups: Entering checkGroups Checking for (new style) group membership Required groups: cn=group-all,ou=distribution lists,ou=branch,ou=domain,ou=ad,dc=foo,dc=bar Couldn't find the user in any groups. Entering strict. Returning true in strict(). Entering allowPasswordChange Entering modifyUITemplate The segfault made me realize I may have a bad extension installation. I’m running Mediawiki 1.16.0 with php 5.2.10 and mysql 5.0.84 on centos5. I had installed version 1.2c of the extension. Not sure where I got that from. I replaced it with 1.2b(alpha) from the download site and I no longer get a segfault and it appears that nested groups are being searched, but no groups are found. MemberOf is off. Here is the configuration and log. Thanks for looking into this, I seriously appreciate it.

require_once( “$IP/extensions/LdapAuthentication/LdapAuthentication.php” );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( “domain” );
$wgLDAPServerNames = array( “domain” => “dc1.foo.bar dc2.foo.bar” );
$wgLDAPEncryptionType = array( “domain” => “ssl” );
$wgMinimalPasswordLength = 1;
# LDAP Straight bind with search strings
$wgLDAPSearchStrings = array( “domain” => “USER-NAME@foo.bar” );
$wgLDAPSearchAttributes = array( “domain” => “sAMAccountName” );
$wgLDAPBaseDNs = array( domain=> “dc=foo,dc=bar” );
# Group lookup
$wgLDAPRequiredGroups = array( “domain” => array( “CN=GROUP-ALL,OU=Distribution Lists,OU=branch,OU=domain,OU=
AD,DC=foo,DC=bar” ) );
$wgLDAPUseFullDN = array( “domain” => true );
#$wgLDAPGroupsUseMemberOf = array( “domain” => true );
$wgLDAPLowerCaseUsername = array( “domain” => true );
$wgLDAPGroupUseRetrievedUsername = array( “domain” => true );
$wgLDAPGroupObjectclass = array( “domain” => “group” );
$wgLDAPGroupAttribute = array( “domain” => “member” );
$wgLDAPGroupNameAttribute = array( “domain” => “cn” );
$wgLDAPGroupSearchNestedGroups = array( “domain” => true );
$wgLDAPRetrievePrefs = array( domain=> true );
$wgLDAPPreferences = array( “domain” => array( “email”=>”mail”,”realname”=>”displayname”,”nickname”=>”displayname” ) );
$wgLDAPDebug = 4;
$wgDebugLogGroups["ldap"] = “/home/me/wiki/ldapdebug.log”;

Entering validDomain
User is using a valid domain.
Setting domain as: domain
Entering getCanonicalName
Username isn’t empty.
Munged username: Me
Entering authenticate

Entering Connect
Using SSL
Using servers: ldaps://dc1.foo.bar ldaps://dc2.foo.bar
Connected successfully
Lowercasing the username: Me
Entering getSearchString
Doing a straight bind
userdn is: me@foo.bar

Binding as the user
Bound successfully
Entering getUserDN
Created a regular filter: (sAMAccountName=Me)
Entering getBaseDN
basedn is not set for this type of entry, trying to get the default basedn.
Entering getBaseDN
basedn is dc=foo,dc=bar
Using base: dc=foo,dc=bar
Fetched username is not a string (check your hook code…). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
Pulled the user’s DN: CN=me,OU=Users,OU=branch,OU=domain,OU=AD,DC=foo,DC=bar
Entering getGroups
Retrieving LDAP group membership
Searching for the groups
Entering searchGroups
Entering getBaseDN
basedn is not set for this type of entry, trying to get the default basedn.
Entering getBaseDN
basedn is dc=foo,dc=bar
Search string: (&(member=Me)(objectclass=group))
Returned groups:
Entering searchNestedGroups
No more groups to search.
Got the following nested groups:
Entering checkGroups
Checking for (new style) group membership
Required groups: cn=group-all,ou=distribution lists,ou=branch,ou=domain,ou=ad,dc=foo,dc=bar
Couldn’t find the user in any groups.
Entering strict.
Returning true in strict().
Entering allowPasswordChange
Entering modifyUITemplate

]]> http://ryandlane.com/blog/2009/07/09/using-the-ldap-authentication-plugin-for-mediawiki-%e2%80%93-the-basics-part-3/comment-page-1/#comment-1969 Comment on Using the LDAP Authentication Plugin for MediaWiki – The Basics (Part 3) by JimS http://feedproxy.google.com/~r/CommentsForRyanLanesBlog/~3/f-KgPk60zKI/ JimS Tue, 17 Aug 2010 17:40:51 +0000 http://ryandlane.com/wprdl/?p=148#comment-1968 I also found out that according to the httpd log there was a Segmemtation Fault. I also found out that according to the httpd log there was a Segmemtation Fault.

]]> http://ryandlane.com/blog/2009/07/09/using-the-ldap-authentication-plugin-for-mediawiki-%e2%80%93-the-basics-part-3/comment-page-1/#comment-1968 Comment on Using the LDAP Authentication Plugin for MediaWiki – The Basics (Part 3) by JimS http://feedproxy.google.com/~r/CommentsForRyanLanesBlog/~3/Cao3jrKdT_g/ JimS Tue, 17 Aug 2010 14:45:26 +0000 http://ryandlane.com/wprdl/?p=148#comment-1967 I commented out both lines from LocalSettings.php as you suggested. I then tried to login and on my browser got a "Page is unavailable" message after attempting to login. The ldap log (below) seems to show it stopping right before searching for group memberships. I added back the wgLDAPLowerCaseUsername but it made no difference. Getting rid of wgLDAPGroupsUseMemberOf seems to break any searching of groups. LDAP log: Entering validDomain User is not using a valid domain. Setting domain as: invaliddomain Entering allowPasswordChange Entering modifyUITemplate Entering validDomain User is using a valid domain. Setting domain as: domain Entering getCanonicalName Username isn't empty. Munged username: Me Entering authenticate Entering Connect Using SSL Using servers: ldaps://domaindc.foo.bar Connected successfully Entering getSearchString Doing a straight bind userdn is: domain\Me Binding as the user Bound successfully Entering getUserDN Created a regular filter: (sAMAccountName=Me) Entering getBaseDN basedn is not set for this type of entry, trying to get the default basedn. Entering getBaseDN basedn is dc=foo,dc=bar Using base: dc=foo,dc=bar Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined. Pulled the user's DN: CN=me,OU=Users,OU=branch,OU=domain,OU=AD,DC=foo,DC=bar Entering getGroups Retrieving LDAP group membership Searching for the groups Entering searchGroups Entering getBaseDN basedn is not set for this type of entry, trying to get the default basedn. Entering getBaseDN basedn is dc=foo,dc=bar User Filter: (&(distinguishedName=Me)(objectclass=user)) I commented out both lines from LocalSettings.php as you suggested. I then tried to login and on my browser got a “Page is unavailable” message after attempting to login. The ldap log (below) seems to show it stopping right before searching for group memberships. I added back the wgLDAPLowerCaseUsername but it made no difference. Getting rid of wgLDAPGroupsUseMemberOf seems to break any searching of groups.

LDAP log:

Entering validDomain
User is not using a valid domain.
Setting domain as: invaliddomain
Entering allowPasswordChange
Entering modifyUITemplate
Entering validDomain
User is using a valid domain.
Setting domain as: domain
Entering getCanonicalName
Username isn’t empty.
Munged username: Me
Entering authenticate

Entering Connect
Using SSL
Using servers: ldaps://domaindc.foo.bar
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: domain\Me

Binding as the user
Bound successfully
Entering getUserDN
Created a regular filter: (sAMAccountName=Me)
Entering getBaseDN
basedn is not set for this type of entry, trying to get the default basedn.
Entering getBaseDN
basedn is dc=foo,dc=bar
Using base: dc=foo,dc=bar
Fetched username is not a string (check your hook code…). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
Pulled the user’s DN: CN=me,OU=Users,OU=branch,OU=domain,OU=AD,DC=foo,DC=bar
Entering getGroups
Retrieving LDAP group membership
Searching for the groups
Entering searchGroups
Entering getBaseDN
basedn is not set for this type of entry, trying to get the default basedn.
Entering getBaseDN
basedn is dc=foo,dc=bar
User Filter: (&(distinguishedName=Me)(objectclass=user))

]]> http://ryandlane.com/blog/2009/07/09/using-the-ldap-authentication-plugin-for-mediawiki-%e2%80%93-the-basics-part-3/comment-page-1/#comment-1967