Difference between revisions of "Using eDirectory to control access to MediaWiki"

From MicroFocusInternationalWiki
(Detailed explanation of localSettings.PHP)
(Detailed explanation of localSettings.PHP)
Line 65: Line 65:
 
  $wgLDAPUseSSL = true;
 
  $wgLDAPUseSSL = true;
 
*Turn on or off SSL.  
 
*Turn on or off SSL.  
** You really Should use SSL Only turn off for testing
+
** You really Should use SSL - Only turn off for testing
 
  $wgLDAPUseLocal = false;
 
  $wgLDAPUseLocal = false;
 
*This allows users to also login with a users name and password that is valid in MediaWiki itself (I.E. The admin user name and password created during the installation of MediaWiki)
 
*This allows users to also login with a users name and password that is valid in MediaWiki itself (I.E. The admin user name and password created during the installation of MediaWiki)
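Review bot: the changed sub-bullet under $wgLDAPUseSSL still capitalises "Should" mid-sentence and still gives no reason for the advice. Suggest "You really should use SSL; only turn it off for testing", followed by the reason: without SSL the user's password travels from the wiki server to the directory unencrypted.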

Revision as of 16:18, 17 March 2006

This page is part of the MediaWiki knowledge set.

The goal of this page is to configure MediaWiki to use eDirectory for user authentication. I will also explain how to configure authentication based on group membership.

Prerequisites

Before we begin I am going to assume that you have the following configured:

  • MediaWiki 1.5+ configured and running on a server (I'm working on another wiki right now that will detail the steps needed to get MediaWiki running on SLES 9)
  • eDirectory installed and configured (I'm using eDirectory 8.8)

Here is how my servers are configured, for reference:

  • eDirectory Server has a DNS name of edir.wikidemo.org
  • wiki server has a DNS name of wiki.wikidemo.org
  • eDirectory configuration
    • users are in ou=users,o=novell
    • created a group called wiki in the users OU

Installation

Download the latest version of the MediaWiki LDAP module from http://meta.wikimedia.org/wiki/LDAP

The module is called LDAP_Authentication and is saved into your MediaWiki directory.

I'm running on SLES, so my directory is /srv/www/htdocs/wiki

Configuration

The LDAP_Authentication module receives parameters from your LocalSettings.php that tell it how it should be configured and behave. LocalSettings.php is the file that controls all configuration for MediaWiki. To add the parameters needed for LDAP_Authentication to work, you just need to append them to the end of the existing LocalSettings.php in your wiki directory.

Simple User Based Authentication

In simple user-based authentication, any user that has a valid username and password in eDirectory will be authenticated to the wiki.

Here are my updates to my LocalSettings.php:

require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "wikidemo" );
$wgLDAPServerNames = array( "wikidemo"=>"edir.wikidemo.org"  );
$wgLDAPSearchStrings = array( "wikidemo"=>"cn=USER-NAME,ou=users,o=novell" );
$wgLDAPUseSSL = true;
$wgLDAPUseLocal = false;
$wgLDAPAddLDAPUsers = false;
$wgLDAPUpdateLDAP = false;
$wgLDAPMailPassword = false;
$wgLDAPRetrievePrefs = false;
$wgMinimalPasswordLength = 1;


Detailed explanation of LocalSettings.php

require_once( 'LdapAuthentication.php' );
  • Tells MediaWiki to load the LdapAuthentication.php module
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "wikidemo" );
  • Sets the LDAPDomainName variable to wikidemo
  • This name 'wikidemo' will appear on my Wiki Login page as the 'System Name'
$wgLDAPServerNames = array( "wikidemo"=>"edir.wikidemo.org"  );
  • Tells MediaWiki how to access my LDAP server. This address of edir.wikidemo.org works because I have a DNS entry or a hosts entry that points this address to the actual IP address of my eDirectory server
$wgLDAPSearchStrings = array( "wikidemo"=>"cn=USER-NAME,ou=users,o=novell" );
  • The user context that will be searched for users. I can add additional contexts if I wish by just placing a space (' ') between the contexts
    • $wgLDAPSearchStrings = array( "wikidemo"=>"cn=USER-NAME,ou=users,o=novell cn=USER-NAME,ou=otherusers,o=novell" );
$wgLDAPUseSSL = true;
  • Turn on or off SSL.
    • You really should use SSL; only turn it off for testing
$wgLDAPUseLocal = false;
  • When set to true, this allows users to also log in with a user name and password that is valid in MediaWiki itself (i.e. the admin user name and password created during the installation of MediaWiki)
$wgLDAPAddLDAPUsers = false;
  • Disables the ability for MediaWiki to create new users via LDAP
$wgLDAPUpdateLDAP = false;
  • Disables the ability for MediaWiki to update users (passwords) via LDAP
$wgLDAPMailPassword = false;
  • Disables the ability for MediaWiki to email the user's LDAP password to them
$wgLDAPRetrievePrefs = false;
  • Disables the ability for MediaWiki to retrieve LDAP preferences
$wgMinimalPasswordLength = 1;
  • Before MediaWiki will even try and authenticate to eDirectory it will make sure the user entered a password that is at least 'x' characters
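
Two of the settings above decide what is actually sent to eDirectory: the USER-NAME search strings and $wgMinimalPasswordLength. The following Python is an added example, not code from LdapAuthentication.php; the function names are hypothetical, and it assumes the space-separated context format described above. It shows the user name being escaped before it is placed in the DN and an empty password being refused before any bind is attempted.

```python
# Added illustration (not LdapAuthentication.php code): how a search string
# such as "cn=USER-NAME,ou=users,o=novell" becomes the DNs used for a bind.

MIN_PASSWORD_LENGTH = 1  # mirrors $wgMinimalPasswordLength on this page


def escape_dn_value(value: str) -> str:
    """Escape a string for use as an RDN attribute value (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def bind_candidates(search_strings: str, username: str, password: str) -> list[str]:
    """Return the DNs to try a simple bind with, or raise ValueError.

    Assumption taken from the page: several contexts are separated by a space.
    """
    if not username.strip():
        raise ValueError("empty user name")
    # An empty password turns a simple bind into an "unauthenticated bind"
    # (RFC 4513, section 5.1.2), which some servers accept as success,
    # so the request is refused before it reaches the network.
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError("password shorter than minimum length")
    safe = escape_dn_value(username)
    return [tpl.replace("USER-NAME", safe) for tpl in search_strings.split()]


if __name__ == "__main__":
    # Constructed sample input using the contexts from this page.
    contexts = "cn=USER-NAME,ou=users,o=novell cn=USER-NAME,ou=otherusers,o=novell"
    print(bind_candidates(contexts, "jsmith", "s3cret"))
    # A user name containing DN metacharacters stays inside the cn value.
    print(bind_candidates(contexts, "x,ou=admins", "s3cret"))
```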

Group Based Authentication

In group-based authentication, a user must have a valid username and password in the specified eDirectory tree and be a member of a specified group.

  • In this example the group is wiki.users.novell

Here are my updates to my LocalSettings.php:

$wgLDAPGroupDN = "cn=wiki,ou=users,o=novell";