Talk:Using eDirectory to control access to MediaWiki
From CoolSolutionsWiki
Problems
MediaWiki 1.10
Problem with autocreated users
I had a problem with automatically creating users that existed in the LDAP directory (Novell eDirectory in my case), but not in the MediaWiki DB. The following was occurring:
- If user exists in directory (LDAP)
    - If user exists in MediaWiki DB
        - If user had a password set in MediaWiki DB
            - If user entered correct LDAP password
                - User authenticated
            - Else (user entered incorrect LDAP password or correct MediaWiki DB password)
                - Wrong password text displayed; user not authenticated
            - End if (user entered correct LDAP password)
        - Else (user exists in LDAP and MediaWiki DB, but with empty password in MediaWiki DB)
            - Wrong password text displayed; user not authenticated
        - End if (user had a password set in MediaWiki DB)
    - Else (user exists in LDAP, but not MediaWiki DB)
        - User was created in MediaWiki DB with empty password. Authentication would then follow, with the result according to the flow above: Wrong password text displayed; user not authenticated
    - End if (user exists in MediaWiki DB)
- Else (user doesn't exist in LDAP)
    - User doesn't exist text displayed; user not authenticated
This was caused by some conflicting checks that were done in the MediaWiki code. I made 2 changes to correct this.
In includes/SpecialUserlogin.php, line 367:
if (!$u->checkPassword( $this->mPassword )) {
changed to:
if (!$u->checkPassword( $this->mPassword ) && !($wgAuth->authenticate( $u->getName(), $this->mPassword ))) {
In extensions/LdapAuthentication.php, line 604:
if ($updateLDAP || $mailPassword ) {
changed to:
if ($updateLDAP == false || $mailPassword == false) {
This last change changes the logic from what I believe was intended, but it works for me. After this, everything works as it should (LDAP user is locally created with empty password, and is able to authenticate using only the LDAP password).
Versions used:
- MediaWiki 1.10
- PHP 5.1.2
- Apache 2.2.0
- MySQL 5.0.18
- LdapAuthentication 1.1d
- SLES 10
- Novell eDirectory 8.7.3.9
MediaWiki 1.9
When attempting to add more than one context, MediaWiki no longer functions. Remove the second context and everything works fine.
$wgLDAPSearchStrings = array( "wikidemo"=>"cn=USER-NAME,ou=users,o=novell", "cn=USER-NAME,ou=users,o=novell" );
- SLES 10
- eDirectory 8.7.3.7
- MediaWiki: 1.9.3
- PHP: 5.1.2 (apache2handler)
- MySQL: 5.0.18
One thing I found that worked.
$wgLDAPDomainNames = array(
"wikidemo-1",
"wikidemo-2",
"wikidemo-3"
);
$wgLDAPServerNames = array(
"wikidemo-1"=>"edir.wikidemo.org",
"wikidemo-2"=>"edir.wikidemo.org",
"wikidemo-3"=>"edir.wikidemo.org"
);
$wgLDAPSearchStrings = array(
"wikidemo-1"=>"cn=USER-NAME,ou=users-1,o=novell",
"wikidemo-2"=>"cn=USER-NAME,ou=users-2,o=novell",
"wikidemo-3"=>"cn=USER-NAME,ou=users-3,o=novell"
);
This adds the three options to the drop-down menu at the login page.
Not as convenient as just searching all three, but it seems to work.
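A consistency check for the configuration shape used above, added here as an example and not part of this talk page or of the LdapAuthentication extension: every name in $wgLDAPDomainNames needs its own key in $wgLDAPServerNames and $wgLDAPSearchStrings, and a key typed twice in a PHP array silently keeps only the last value. It reads a LocalSettings.php fragment (the sample below is constructed) with regular expressions, so it only handles the flat string arrays these settings use.

```python
import re

# Constructed LocalSettings.php fragment modelled on the post above, with two planted
# defects: wgLDAPServerNames lacks "wikidemo-3", and wgLDAPSearchStrings repeats the
# key "wikidemo-2", so PHP would silently keep only the last of those two values.
SAMPLE_CONFIG = r'''
$wgLDAPDomainNames = array( "wikidemo-1", "wikidemo-2", "wikidemo-3" );
$wgLDAPServerNames = array(
    "wikidemo-1"=>"edir.wikidemo.org",
    "wikidemo-2"=>"edir.wikidemo.org"
);
$wgLDAPSearchStrings = array(
    "wikidemo-1"=>"cn=USER-NAME,ou=users-1,o=novell",
    "wikidemo-2"=>"cn=USER-NAME,ou=users-2,o=novell",
    "wikidemo-2"=>"cn=USER-NAME,ou=users-3,o=novell"
);
'''

# Flat string arrays only; nested array(...) values are not expected in these settings.
ARRAY_RE = re.compile(r'\$(wgLDAP\w+)\s*=\s*array\s*\((.*?)\)\s*;', re.S)
PAIR_RE = re.compile(r'"([^"]*)"\s*=>\s*"([^"]*)"')
STRING_RE = re.compile(r'"([^"]*)"')

def parse_php_arrays(text):
    """Map each $wgLDAP... assignment to (keys in source order, dict of last values)."""
    arrays = {}
    for name, body in ARRAY_RE.findall(text):
        pairs = PAIR_RE.findall(body)
        if pairs:  # associative array: "key"=>"value"
            arrays[name] = ([k for k, _ in pairs], dict(pairs))
        else:      # plain list such as $wgLDAPDomainNames: each value is its own key
            values = STRING_RE.findall(body)
            arrays[name] = (values, {v: v for v in values})
    return arrays

def check_ldap_config(text):
    """Return a list of findings; an empty list means the three arrays agree."""
    arrays = parse_php_arrays(text)
    findings = []
    domains = arrays.get('wgLDAPDomainNames', ([], {}))[0]
    for var in ('wgLDAPServerNames', 'wgLDAPSearchStrings'):
        keys, mapping = arrays.get(var, ([], {}))
        for key in sorted(set(keys)):
            if keys.count(key) > 1:  # duplicate key: PHP keeps only the last value
                findings.append(f'{var}: key "{key}" repeated {keys.count(key)} times')
        for domain in domains:  # every login-page domain needs a server and a search string
            if domain not in mapping:
                findings.append(f'{var}: no entry for domain "{domain}"')
    return findings
```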
I'm following these instructions, but my environment is slightly different:
- MediaWiki 1.90
- SLES 10
- eDirectory 8.7.3.9
It looks like the login actually does an LDAP lookup (because I can get a wrong password), but I get:
Internal error
There was either an external authentication database error or you are not allowed to update your external account.
Backtrace:
#0 /srv/www/htdocs/techiwiki/includes/SpecialUserlogin.php(311): User->setPassword('xxxxxxxx')
#1 /srv/www/htdocs/techiwiki/includes/SpecialUserlogin.php(352): LoginForm->initUser(Object(User))
#2 /srv/www/htdocs/techiwiki/includes/SpecialUserlogin.php(407): LoginForm->authenticateUserData()
#3 /srv/www/htdocs/techiwiki/includes/SpecialUserlogin.php(103): LoginForm->processLogin()
#4 /srv/www/htdocs/techiwiki/includes/SpecialUserlogin.php(19): LoginForm->execute()
#5 /srv/www/htdocs/techiwiki/includes/SpecialPage.php(625): wfSpecialUserlogin(NULL, Object(SpecialPage))
#6 /srv/www/htdocs/techiwiki/includes/SpecialPage.php(431): SpecialPage->execute(NULL)
#7 /srv/www/htdocs/techiwiki/includes/Wiki.php(182): SpecialPage::executePath(Object(Title))
#8 /srv/www/htdocs/techiwiki/includes/Wiki.php(47): MediaWiki->initializeSpecialCases(Object(Title), Object(OutputPage), Object(WebRequest))
#9 /srv/www/htdocs/techiwiki/index.php(48): MediaWiki->initialize(Object(Title), Object(OutputPage), Object(User), Object(WebRequest))
#10 {main}
Any clues where to look?
Terry Booth 07:57, 31 January 2007 (MST)
Fixed!
Solution is actually posted in Meta wiki
Edit the LdapAuthentication.php script:
- change $user->setPassword( ); to $user->mPassword = ;
- change return false; to return true; in the else if path in the setPassword() function.
Both required. http://meta.wikimedia.org/wiki/LDAP_Authentication_Configuration_Examples#SSL_Configuration_with_MediaWiki_1.9
Terry Booth
