Mediawiki Active Directory Authentication

[Image: The World before the Deluge, captioned 'Dinosaurs fighting']

Installing the LDAP_Authentication extension to get Active Directory authentication into MediaWiki was a nightmare.

Installing LDAP_Authentication Extension

cd into the wiki’s extensions directory.

Clone the extension's git master:

git clone https://gerrit.wikimedia.org/r/p/mediawiki/extensions/LdapAuthentication.git

MySQL Configuration

Normally you need to run the update.php script after installing an extension. With this extension, however, update.php errors out.

Reading the source shows that all its update step does is create one new database table, so just paste the .sql file from the extension's directory into a mysql console:

-- /*_*/ is MediaWiki's table-prefix placeholder and /*$wgDBTableOptions*/ its
-- table-options placeholder. Pasted straight into mysql they are ordinary
-- comments, so the table is created as plain ldap_domains. If $wgDBprefix is
-- set in LocalSettings.php, prepend that prefix to ldap_domains by hand.
CREATE TABLE /*_*/ldap_domains (
        -- ID for domain
        domain_id int not null primary key auto_increment,

        -- domain itself
        domain varchar(255) binary not null,

        -- User to which this domain belongs
        user_id int not null

) /*$wgDBTableOptions*/;

CREATE INDEX /*i*/user_id on /*_*/ldap_domains (user_id);

Extension Configuration

As with everything OpenLDAP-oriented that gets adapted to work with AD, configuration was a major PITA.

Open up LocalSettings.php and paste in the following:

/* Grab the extension and create a new object. */
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();

/* Pick a name for your domain
   (it can be anything, and you can have more than one). */
$wgLDAPDomainNames = array( 'xxx.edu' );

/* Give it a list of AD servers. Note it won't do tree parsing, so you need
   the actual server name(s). */
$wgLDAPServerNames = array( 'xxx.edu' => 'xxx.xxx.edu' );

/* Give it a search string. You'll need your actual domain name here.
   Leave USER-NAME alone - it's a placeholder. The key must match the name
   used in $wgLDAPDomainNames; for AD the user@domain form (the UPN) lets
   the plugin bind directly as the user. */
$wgLDAPSearchStrings = array(
  'xxx.edu' => 'USER-NAME@xxx.edu',
  'exampleNonADDomain' => 'CN=USER-NAME,CN=Users,DC=xxx,DC=edu'
);

$wgLDAPSearchAttributes = array(
  'xxx.edu' => 'sAMAccountName'
);

$wgLDAPBaseDNs = array(
  'xxx.edu' => 'CN=users,DC=xxx,DC=edu'
);

/* Encryption type. 'clear' worked for me, but if it doesn't, try 'ssl'.
   'clear' is plain LDAP on port 389: every user's password crosses the
   network unencrypted at bind time. 'tls' (STARTTLS on 389) or 'ssl'
   (LDAPS on 636) keeps it off the wire, provided the web server trusts
   the domain controller's certificate chain. */
$wgLDAPEncryptionType = array( 'xxx.edu' => 'clear' );

/* Still allow wiki-local accounts alongside AD ones. */
$wgLDAPUseLocal = true;
$wgMinimalPasswordLength = 1;

/* The 'exampleNonADDomain' entries are left from the extension's sample
   config for a non-AD directory and are inert here, since that name is not
   in $wgLDAPDomainNames. The AD domain binds with the user's own UPN via
   the search string, so a proxy (service) account is only needed for
   directories that must be searched before the user can be bound. */
$wgLDAPProxyAgent = array(
  'exampleNonADDomain' => 'CN=srv_account,OU=Service Accounts,DC=xxx,DC=edu'
);

$wgLDAPProxyAgentPassword = array(
  'exampleNonADDomain' => 'xxxxpass'
);
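Before blaming the extension, it helps to confirm the server name, base DN and search attribute with the same bind-then-lookup sequence the plugin performs. The script below is an added example for that, not part of the original post or of the LdapAuthentication extension; it assumes the same xxx.edu placeholders, takes the username as its first argument and the password from the LDAP_TEST_PW environment variable, and uses STARTTLS rather than the 'clear' setting above.

```php
<?php
// Stand-alone check of the LocalSettings.php values, run on the web server:
//   LDAP_TEST_PW='...' php ldap_check.php jsmith
// Hypothetical values mirroring the xxx.edu placeholders used above.
$server     = 'xxx.xxx.edu';             // $wgLDAPServerNames['xxx.edu']
$domain     = 'xxx.edu';                 // entry in $wgLDAPDomainNames
$baseDn     = 'CN=Users,DC=xxx,DC=edu';  // $wgLDAPBaseDNs['xxx.edu']
$searchAttr = 'sAMAccountName';          // $wgLDAPSearchAttributes['xxx.edu']
$useTls     = true;                      // equivalent of $wgLDAPEncryptionType 'tls'

$user = $argv[1] ?? null;
$pass = getenv('LDAP_TEST_PW');
if ($user === null || $pass === false || $pass === '') {
    fwrite(STDERR, "usage: LDAP_TEST_PW=<password> php ldap_check.php <username>\n");
    exit(2);
}

$conn = ldap_connect("ldap://$server");
// AD speaks LDAPv3 and returns referrals that the client cannot usefully
// chase; leaving them on is a classic source of "operations error" failures.
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
if ($useTls && !ldap_start_tls($conn)) {
    fwrite(STDERR, "STARTTLS failed: " . ldap_error($conn) . "\n");
    exit(1);
}

// Step 1: bind as the user with the UPN that 'USER-NAME@xxx.edu' in
// $wgLDAPSearchStrings expands to. A wrong password or wrong domain fails here.
$upn = "$user@$domain";
if (!@ldap_bind($conn, $upn, $pass)) {
    fwrite(STDERR, "bind as $upn failed: " . ldap_error($conn) . "\n");
    exit(1);
}
echo "bind as $upn OK\n";

// Step 2: look the account up under the base DN by sAMAccountName. The
// username is escaped so it cannot change the shape of the filter.
$filter  = sprintf('(%s=%s)', $searchAttr, ldap_escape($user, '', LDAP_ESCAPE_FILTER));
$res     = ldap_search($conn, $baseDn, $filter, ['distinguishedName', 'mail']);
$entries = $res ? ldap_get_entries($conn, $res) : false;
if ($entries === false || $entries['count'] === 0) {
    // A successful bind but no entry usually means the base DN is wrong.
    fwrite(STDERR, "no entry for $filter under $baseDn: " . ldap_error($conn) . "\n");
    exit(1);
}
echo "found: " . $entries[0]['dn'] . "\n";
ldap_unbind($conn);
```

A bind failure points at the server name, domain or password; a bind that succeeds followed by an empty search points at the base DN or search attribute.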