Here's what I'm working with:
Windows Server 2008 R2 (AD environment)
IIS 7.5
OpenLDAP (for the CA certificate handling)
Mediawiki 1.17
PHP 5.3.8
MySQL 5.1.50
LDAPAuthentication v.1.2h
Everything is working fine, except I'm unable to figure out how to go about having domain users automatically authenticate to Mediawiki using my current setup. Is there anything special that I should do when using IIS, since all documentation I've seen heavily favors Apache? Thanks.
-Chris
Nevermind. I seem to have gotten auto-authentication working with IIS. If anyone is interested, I'll post what I did later.
Here's what I did to get my setup working...
##LDAP Authentication Plugin
require_once( "$IP/extensions/LdapAuthentication/LdapAutoAuthentication.php" );
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgLDAPDomainNames = array("DOMAIN");
$wgLDAPGroupBaseDNs = array("DOMAIN"=>"ou=groups,dc=domain,dc=org");
$wgLDAPAutoAuthDomain = "DOMAIN";
$wgLDAPGroupUseFullDN = array( "DOMAIN"=>true );
$wgLDAPServerNames = array("DOMAIN"=>"vw2k8-adfsmo2.domain.org");
$wgLDAPSearchStrings = array( "DOMAIN" => "DOMAIN\USER-NAME" );
$wgLDAPSearchAttributes = array("DOMAIN"=>"sAMAccountName");
$wgLDAPBaseDNs = array("DOMAIN"=>"dc=domain,dc=org");
$wgLDAPEncryptionType = array( "DOMAIN" => "ssl" );
$wgMinimalPasswordLength = 1;
#Configure LDAP Group settings
$wgLDAPUseLDAPGroups = array( "DOMAIN"=>true );
$wgLDAPGroupObjectclass = array( "DOMAIN"=>"group" );
$wgLDAPGroupAttribute = array( "DOMAIN"=>"member" );
$wgLDAPGroupNameAttribute = array( "DOMAIN"=>"cn" );
#Restrict anonymous users
$wgGroupPermissions['*' ]['createaccount'] = false;
$wgGroupPermissions['*' ]['read'] = false;
$wgGroupPermissions['*' ]['edit'] = false;
#Remove the domain portion of the displayed username. Example: "DOMAIN\username" to "username"
list($dom,$userid) = split('[\]',$_SERVER['REMOTE_USER']);
$wgLDAPAutoAuthUsername = $userid;
AutoAuthSetup();
Note: Absent from the config are $wgLDAPProxyAgent and $wgLDAPProxyAgentPassword. You will probably need these. I didn't for some reason, so I omitted them.
Helpful link: http://technet.microsoft.com/en-us/library/cc754628(WS.10).aspx
Important Quote from TechNet: The default setting for Windows authentication is Negotiate. This setting means that the client can select the appropriate security support provider. To force NTLM authentication, you must change the value of the <Provider> element under the <windowsAuthentication> element in the ApplicationHost.config file.
I changed my ApplicationHost.config file to look like this:
<windowsAuthentication enabled="false">
<providers>
<add value="NTLM" />
<!-- <add value="Negotiate" /> -->
</providers>
</windowsAuthentication>
Read the following link for requesting an SSL certificate for IIS: http://support.microsoft.com/kb/299875
Helpful link: http://www.ashleyknowles.net/2011/07/iis-php-and-ldaps-with-active-directory/
C:\OpenLDAP\sysconf\ldap.conf
#ldap.conf contains the following TLS_REQCERT never TLS_CACERT C:\openldap\sysconf\webcert.crt
Okay. That's all I can think of at the moment. If I feel I missed anything, I'll update this post.
Thank you very much for this! I do have one question if you don't mind, in the line "$wgLDAPSearchStrings = array( "DOMAIN" => "DOMAIN\USER-NAME" );" what does "USER-NAME" represent?
USER-NAME should be left unchanged This acts as a placeholder variable in the program
Thanks for your code. May I ask if this will work with Apache too? I am also trying to implement SSO with mediawiki.
What's the expected behaviour of ldap auto authentication? Does the user do not need to login?
Meaning that once they go to example.com/wiki , they will be auto redirected to the main page with their windows credentials without logging in?
Thanks for your assistance! I really appreciated it.