mediawiki on debian etch with AD LDAP Authentication

Installing MediaWiki on Debian Etch against Windows Server 2003 R2 Active Directory

A braindump:

  1. Installed the ‘mediawiki’ and ‘php5-ldap’ packages.
  2. Hit ‘http://hostname/mediawiki’ and ran through the configuration
  3. mv /var/lib/mediawiki1.7/config/LocalSettings.php /var/lib/mediawiki1.7/config/
  4. Added the latest LdapAuthentication.php extension to /var/lib/mediawiki1.7/config/extensions
  5. Edited the LocalSettings.php to add:

    # Additions for LDAP Auth
    require_once 'extensions/LdapAuthentication.php';

    $wgAuth = new LdapAuthenticationPlugin();

    $wgLDAPDomainNames = array(
    'AD'
    );

    $wgLDAPServerNames = array(
    'AD' => 'dc01.example.com'
    );

    $wgLDAPSearchStrings = array(
    'AD' => 'uid=USER-NAME,dc=corp,dc=example,dc=com'
    );

    $wgLDAPEncryptionType = array(
    'AD' => 'clear'
    );

    $wgLDAPProxyAgent = array(
    'AD' => 'CN=LDAP User,CN=Users,DC=corp,DC=example,DC=com'
    );

    $wgLDAPProxyAgentPassword = array(
    'AD' => 'password'
    );

    $wgMinimalPasswordLength = 1;

    # Prevent new user registrations except by sysops
    $wgGroupPermissions['*']['createaccount'] = false;

    Trying to log in just gave me a blank white page and no LDAP traffic on the DC. I had seen talk of configuring ssl via openldap so I wasn’t sure I had all the right packages since I lacked /etc/openldap.

  6. I installed the ‘libldap-2.3-0’ package which notably said ‘Replacing files in old package libldap2 …’ but with no change.
  7. I restarted apache2 and then on login I got an invalid password error and saw LDAP traffic.
  8. I noticed in the traffic that it was logging in as ‘uid=Username,dc=corp,dc=example,dc=com’
  9. In the changelog for 1.7f there is “Added function in for changing usernames to lowercase to fix: Extension Talk:LDAP_Authentication Username_modified_.28capital_letter.29.2C_authentication_fails (only works in versions 1.6+)” (Link was broken, added spaces). So I added ‘$wgLDAPGroupLowerCaseUsername = true;’ to LocalSettings.php. This made no difference.
  10. I tried ‘$wgLDAPLowerCaseUsername = true;’ which made no difference.
  11. I realized that it was trying to bind to ‘uid=user,dc=corp,dc=example,dc=com’ and went back to take out the SearchString entry and replaced it with:

    $wgLDAPSearchAttributes = array(
    'AD' => 'sAMAccountName'
    );

  12. I tried both SAMAccountName and uid; both showed “No Such Objects” errors in the LDAP query (seen in the Wireshark traffic dump).
  13. Parsing through the source for LdapAuthentication.php I found the $wgLDAPDebug variable. It’s compared against a debugVal integer, so I set ‘$wgLDAPDebug = 10;’ and got a bunch of text output printed on the login page when I tried to log in.
  14. Looking at the source between ‘Connected successfully’ and ‘Entering getSearchString’ I should have been seeing ‘Lowercasing the username: $username’, but I wasn’t.
  15. I stared at the LdapAuthentication.php code for a while and figured out I need this instead:

    $wgLDAPLowerCaseUsername = array(
    'AD' => true
    );

  16. Finally thinking about the whole references mess, I looked for BaseDN settings in the code and added this:

    $wgLDAPBaseDNs = array(
    'AD' => 'dc=corp,dc=example,dc=com'
    );

  17. And that worked. So I flipped ‘clear’ to ‘ssl’, and all login attempts started giving me a download for an empty index.php file.
  18. I went to my CA server, grabbed the CA’s cert in DER format
  19. Ran ‘openssl x509 -inform der -in myca.cer -out myca.pem -outform pem’, put this in /etc/ssl/certs
  20. Then I added the following to /etc/ldap/ldap.conf, despite many warnings that openssl/php didn’t read this (I <3 Debian though):

    TLS_REQCERT never
    TLS_CACERT /etc/ssl/certs/myca.pem
    TLS_CACERTDIR /etc/ssl/certs

  21. Then logins started timing out, with this sort of trash in the apache2 error.log:

    apache2: cyrus.c:468: ldap_int_sasl_open: Assertion `lc->lconn_sasl_ctx == ((void *)0)' failed.
    [Wed Aug 13 12:00:05 2008] [notice] child pid 6139 exit signal Aborted (6)

  22. I remembered that /etc/ssl/certs had lots of certificates in it, so I commented out the last line, and then everything worked!
  23. After you log in, you’ll get settings populated for your user in the ‘user’ table. You’ll want to grab your UID (likely 1) and run the SQL command:
    INSERT INTO `user_groups` ( `ug_user` , `ug_group` ) VALUES ( '1', 'sysop');
    You may need to add a prefix to user_groups if you set your DB up that way.
  24. I used this to basically get rid of the extra URL stuff.
  25. You’ll have no help pages; use this technique to change all of your help links to point at the mediawiki help links.
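The two things that went wrong in the ssl steps above (a TLS_CACERTDIR pointing at a crowded /etc/ssl/certs, and a CA cert that had to be converted from DER to PEM first) are easy to catch before restarting apache2. The following is an added example, not code from the post, that lints an ldap.conf fragment for those settings and checks that the CA file is PEM; the sample config and PEM body are constructed, and flagging TLS_REQCERT never is an addition because that setting disables server certificate checking.

```python
import re

# Constructed sample of the ldap.conf fragment from step 20, with the
# TLS_CACERTDIR line that preceded the cyrus.c assertion still in place.
SAMPLE_LDAP_CONF = """\
# constructed sample, not a real host's config
TLS_REQCERT never
TLS_CACERT /etc/ssl/certs/myca.pem
TLS_CACERTDIR /etc/ssl/certs
"""

# Constructed placeholder for the output of step 19's openssl conversion.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              "MIIB...placeholder...\n"
              "-----END CERTIFICATE-----\n")


def parse_ldap_conf(text):
    """Return active (non-comment) options as {OPTION: value}; later lines win."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def lint_ldap_conf(text):
    """List findings for the settings that bit the author plus the one that weakens TLS."""
    opts = parse_ldap_conf(text)
    findings = []
    if "TLS_CACERTDIR" in opts:
        findings.append("TLS_CACERTDIR set: a crowded /etc/ssl/certs preceded the "
                        "ldap_int_sasl_open assertion; rely on TLS_CACERT alone")
    if opts.get("TLS_REQCERT", "").lower() == "never":
        findings.append("TLS_REQCERT never: the DC's certificate is not verified; "
                        "switch to 'demand' once TLS_CACERT is working")
    if "TLS_CACERT" not in opts:
        findings.append("TLS_CACERT missing: supply the AD CA certificate in PEM form")
    return findings


def looks_like_pem(data):
    """True when the CA file is PEM; a raw DER export from the CA server is not."""
    return bool(re.search(r"-----BEGIN CERTIFICATE-----.*-----END CERTIFICATE-----",
                          data, re.S))
```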
