Active Directory Authentication in MediaWiki

This is a bit random, but since it took me an embarrassing number of attempts to get this to work I thought I’d post a quick how-to on getting MediaWiki to authenticate to Microsoft Active Directory.

First you’ll need to grab the LDAP Authentication extension for MediaWiki. Place the unzipped LdapAuthentication folder in your MediaWiki installation’s extensions directory.

Next, you'll need to enable the LDAP extension for PHP in your php.ini file. If you're running PHP in *SAPI mode, make sure to restart the web server when you're done; if you're running FastCGI, just kill all the php processes instead.

```ini
;extension=php_interbase.dll
extension=php_ldap.dll
;extension=php_mbstring.dll
;extension=php_ming.dll
```

You'll need to know your AD domain name and at least one AD server name. You can use [nslookup](http://stackoverflow.com/questions/749268/how-can-i-find-out-which-server-hosts-ldap-on-my-windows-domain) to find that out. Now head to the LocalSettings.php configuration file in your main MediaWiki directory and add a section like so:

```php
/* Grab the extension and create a new object. */
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();

/* Pick a name for your domain
(it can be anything, and you can have more than one). */
$wgLDAPDomainNames = array( 'mydomain' );

/* Give it a list of AD servers. Note it won't do tree parsing, so you need
the actual server name(s). */
$wgLDAPServerNames = array( 'mydomain' => 'server1 server2' );

/* Give it a search string. You'll need your actual domain name here.
Leave USER-NAME alone - it's a placeholder the extension fills in. */
$wgLDAPSearchStrings = array( 'mydomain' => 'domain\\USER-NAME' );

/* Encryption type. 'clear' worked for me, but if it doesn't, try 'ssl'. */
$wgLDAPEncryptionType = array( 'mydomain' => 'clear' );

/* The first setting here allows you to also use MediaWiki logins. The dev docs
say this could cause problems, but I haven't run into any. Set it to false if you
don't already have MediaWiki logins to support.
The second setting is really only necessary if you set the first one to true. It
won't allow local users to log in as domain users (domain passwords are not stored
by MediaWiki). */
$wgLDAPUseLocal = true;
$wgMinimalPasswordLength = 1;
```

Finally, if you only want logged-in users to be able to edit, drop this in there too:

```php
/* Allow only logged-in users to edit. */
$wgGroupPermissions['*']['edit'] = false;
```
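To check the server list and search string before wiring them into MediaWiki, here is an added standalone PHP script (not part of the configuration above or of the LdapAuthentication extension) that performs the same simple bind the extension will. Server names, the domain and the test account are placeholders; it binds over ldaps:// (the 'ssl' setting), because with 'clear' the same bind carries the password over the network unencrypted.

```php
<?php
// Added example: reproduce the bind the LdapAuthentication extension performs,
// using the same server list and search string as LocalSettings.php.
// The server names, domain and account below are placeholders.

$servers      = ['server1', 'server2'];       // mirrors $wgLDAPServerNames
$searchString = 'domain\\USER-NAME';          // mirrors $wgLDAPSearchStrings
$username     = 'testuser';                   // an ordinary AD account
$password     = getenv('AD_TEST_PASSWORD');   // keep the password out of the script

if ($password === false || $password === '') {
    fwrite(STDERR, "Set AD_TEST_PASSWORD in the environment first.\n");
    exit(1);
}

// The extension substitutes the login name for USER-NAME; do the same here.
$bindName = str_replace('USER-NAME', $username, $searchString);

foreach ($servers as $server) {
    // ldaps:// on 636 corresponds to $wgLDAPEncryptionType = 'ssl'.
    $conn = ldap_connect("ldaps://$server:636");
    if ($conn === false) {
        echo "$server: could not initialise an LDAP handle\n";
        continue;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);      // AD referrals break simple binds
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5); // don't hang on a dead server

    if (@ldap_bind($conn, $bindName, $password)) {
        echo "$server: bind as $bindName succeeded\n";
        ldap_unbind($conn);
        exit(0);
    }
    // Typical causes: wrong DOMAIN\user string, a server certificate the
    // client does not trust, or port 636 blocked between web server and DC.
    echo "$server: bind failed: " . ldap_error($conn) . "\n";
    ldap_unbind($conn);
}
exit(1);
```

Run it from the same host as the web server so it exercises the same network path and trust store PHP will use.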

Hopefully that will save somebody some swearing. YMMV.