Talk:LDAP Authentication

This is an archived version of this page, as edited by 128.160.138.129 (talk) at 23:24, 15 February 2006 (Problems with ldap and new users). It may differ significantly from the current version.


15:15, 17 January 2006 (UTC) - Update to below, I found it as an attachment on the bug...

14:35, 17 January 2006 (UTC) - I cannot find the LdapAuthentication.php code anywhere? Am I being blind or has someone removed the code/link? I want to authenticate 1.55 against an AD server. These pages seem rather mixed up; I think they could do with some cleaning up/re-organising. Thanks - Nick Answer: See http://bugzilla.wikipedia.org/show_bug.cgi?id=814


Hello guys!

Seems to be a very interesting mod of mediawiki.

  • Just installed 1.5rc4 - works fine.
  • Copy'n pasted your script to includes/LdapAuthentication.php

What now?

I tried to copy and paste what you said into LocalSettings.php but do not really know what to do now. I would like MediaWiki to authenticate against a Windows 2003 Active Directory...

But I just get "No such user" and

 Warning: Cannot modify header information - headers already sent by (output started at /data/wiki-edv/includes/LdapAuthentication.php:552) in   /data/wiki-edv/includes/OutputPage.php on line 455

 Warning: Cannot modify header information - headers already sent by (output started at /data/wiki-edv/includes/LdapAuthentication.php:552) in /data/wiki-edv/includes/OutputPage.php on line 456

at the beginning (login-page) and

 Warning: Cannot modify header information - headers already sent by (output started at /data/wiki-edv/includes/LdapAuthentication.php:552) in /data/wiki-edv/includes/OutputPage.php on line 359

 Warning: Cannot modify header information - headers already sent by (output started at /data/wiki-edv/includes/LdapAuthentication.php:552) in /data/wiki-edv/includes/OutputPage.php on line 387

 Warning: Cannot modify header information - headers already sent by (output started at /data/wiki-edv/includes/LdapAuthentication.php:552) in /data/wiki-edv/includes/OutputPage.php on line 388

at the end (login-page)

Any ideas? Could you give me a sample of what to paste within LocalSettings.php?

Regards, Martin aka onestone

Wow. Those are weird errors. I don't have echo or print statements anywhere in my code, and line 552 is the last line of the patch. This may be a bad install (of the patch). Might want to try again. The new examples should help.
--Ryan Lane
This error message usually means that you are trying to send headers in php using header() or some other php command in an extension even though the headers have already been sent by OutputPage. If you have any other extensions installed that modify headers make sure they turn off OutputPage by calling $wgOut->disable() before they send their headers.

Hi! Need help :) I must create a wiki that runs on an IIS Windows web server. But it gets the users from our Active Directory server. I don't understand this, really.

Can anyone help me? I need it.

Contact me please @ Brockmeyer.S@atlas.de or ICQ 177440248.

LG Sascha Brockmeyer

I don't know if this patch has been tested using IIS. It may or may not work. However, if the patch itself works, you should be able to follow the examples provided for AD. All you'll need to know is your server's dns name pretty much.
--Ryan Lane


Can we get working patches for 1.4.0? Both of the patches on that bug seem to be saved as some unspecified binary format. Can you re-post them as text/plain?

Don.

They are actually tar.gz files (run the Unix file command on the downloaded files to get file type information).
Ed
Yes, they are tar.gz files. Since some core code modification is required, I included a tar set of diffs, I thought this would be easier. I will be working on a new set of patches for 1.4 to bring it up to version .8
Ryan Lane
Found out just a bit late. I noted in the bug about use of the 'patch' identifier when download isn't really a patch file. Why not just supply a single .diff?
Any idea if/when this code will make its way into mediawiki proper?
Don.
Sorry, I'm not actually very familiar with making patches. I always merge my code by hand. I believe that Brion is looking over my code for addition to 1.5, so soon enough you shouldn't have to worry about it anymore (you'll just drop LdapAuthentication.php into includes).
Ryan Lane

Quick question: Where the heck is the actual file! I have been poking around for half an hour and can't find any such file! ARGH!!!!! - Abdon

The files are in the bugzilla, at the following link: [1]
This is at the very top of this article.
Ryan Lane

Couple of Questions:

  1. I just want to verify that I can have a clean wiki install, set up ldap authentication, and when a user first goes to the wiki, they'll be asked for their ldap credentials, and if they authenticate, they will be added as a wiki user.
  2. Can the ldap code handle nested ldap group searches? e.g. in a large organisation where an ldap entry may contain groups (which may contain groups) etc it may require nested/recursive searching. I sure hope so...

Thanks in advance JR

  1. Yes, this is the default behavior.
  2. The code doesn't support search by groups at all, only by users. The newest version supports filtered LDAP searches though. I may add support for groups in the future.
    1. Good news, another user submitted a patch for this, it is in the bugzilla!
      Ryan Lane

'Bug or bad installation?'

Call to a member function on a non-object

First

We've applied the patch on a fresh installation of the wiki. We're authenticating against a Novell eDirectory (LDAP).

When a user tries to log in, the following message appears:

Fatal error: Call to a member function on a non-object in /srv/www/htdocs/wiki-test/includes/SpecialUserlogin.php
on line 291

When I click on the "back" button in my browser and try again to authenticate, it works fine. Any hints where to look further?

This seems like a strange bug. I don't even modify code around this area. Did you manually add the patch in? Like I say above, I'm not terribly familiar with making patches. It'll go a lot easier if you patch by hand (it's pretty small).
Ryan Lane
It came up sometimes when playing around with Wiki and patch. It's coming up right now. Freshly installed 1.4.0 with your patch 8.14. Using the patch-command there was no error.
I just installed 1.5.0 today (Oct 13, 2005) and the LdapAuthentication.php 1.0+, I got the same error message except the line number is 314 (no patching occurred, I just dropped in the LdapAuthentication.php file). I also did the back button thing and it started working. Weird.
--Alex
We are also facing the same problem. But, we have changed "$u =& $this->initUser($u);" to just "$this->initUser($u);" in includes/SpecialUserlogin.php and it is working fine now.
-- Rahul Upakare and Cyril Chacko
Strange thing is, I just tested this on a brand new install (mediawiki 1.5.2, RHEL4, Sun Directory Server 5.2, Ldap Authentication plugin 1.0b), and I don't seem to have this problem. I don't see how doing this change fixes the problem. What environment are you using, and what line number is the bug reporting for you?
--Ryan Lane
We are on a Suse Linux 9 Enterprise Server, we are using mediawiki 1.5.2, LdapAuthentication.php version 1.0c, php version is 4.3.4 and Zend engine 1.3.0.
The function initUser takes the address of the User object. So, any change in the User variables in the function will be reflected in the original object.
The error was on line number 314, but this change was made on line no 301 of the SpecialUserlogin.php file. The funny part is this error occurs after the user is added to the database and just before logging in. It seemed as if the call in line 301 was somehow breaking the object.
--Rahul Upakare and Cyril Chacko
We get the same problem sometimes. Let me explain: we've installed LdapAuthentication.php (1.0c) with MediaWiki 1.5.2 on several servers (dev, proof of concept, and so on), but we don't have the bug on all of them. We have noticed the bug occurs when the profile is being created (i.e. the profile is recorded in the DB) and only on the RHAS 3.0 platform (i.e. PHP 4.3.2 (apache2filter), MySQL 3.23.58). Just do a refresh and it's OK. The directory is an Oracle Internet Directory.
-- Marc DeXeT

Similar problems

I am getting similar problems

  Warning: Missing argument 1 for inituser() in \wiki\includes\LdapAuthentication.php on line 482
  Fatal error: Call to a member function on a non-object in wiki\includes\LdapAuthentication.php on line 489

I have installed a fresh version of Media Wiki 1.5 and LDAP Authentication 1.0. I wish there were more of an explanation on the different variables that need to be added to LocalSettings.php. I am not sure what exactly it is asking for. Could someone please give some clear instructions on how to use this? Please!

Authentication via SSL doesn't seem to work

Second


Authentication via SSL doesn't seem to work. The answer is: "bad password". Any hints?

THX KNEBB

Authentication with SSL should work with no problems. Does the system you are running this from trust the certificate on the LDAP server? If not, SSL will fail. There are a couple of settings in "ldap.conf" that you can set to ignore the fact that you don't trust the certificate (this bypasses a security measure, but it is still more secure than not using SSL). One is "tls_checkpeer no", the other is "TLSREQCERT never". Check "man ldap.conf" to be sure those are right.
Ryan Lane
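The two settings above switch certificate verification off, which means any machine that can sit between the web server and the directory can present its own certificate and read every bind password. An added configuration example (not from the thread or the plugin) for the corrected alternative on a Unix web server, where PHP's ldap extension goes through the OpenLDAP client library and therefore honours /etc/openldap/ldap.conf (Debian: /etc/ldap/ldap.conf). The option names libldap actually reads are TLS_REQCERT and TLS_CACERT; tls_checkpeer is the pam_ldap/nss_ldap spelling. The CA file path is an assumption.

```conf
# /etc/openldap/ldap.conf  (added example; the CA file path is an assumption)

# Diagnostic only: accept any certificate, including one presented by a
# machine sitting between the web server and the directory. Use it to
# confirm that certificate trust is the problem, then remove it.
#TLS_REQCERT never

# Corrected: trust the CA that issued the directory server's certificate
# (for AD with the built-in certificate server, export that CA's
# certificate in PEM form) and insist on a valid chain.
TLS_CACERT  /etc/openldap/cacerts/ldap-ca.pem
TLS_REQCERT demand
```

Check it from the web server before touching the wiki: ldapsearch -H ldaps://your.ldap.server/ -x -b "" -s base should return the root DSE without a certificate error. Two things that still fail with the right CA in place: the name used in $wgLDAPServerNames must match the name in the server certificate, and a self-signed server certificate (as opposed to one issued by a CA) has to be put in TLS_CACERT itself.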
Ok, also my fault. As written above, we're playing around with eDirectory. There SSL is enabled, but on our OpenLDAP it isn't, so it couldn't work. I'll try to test it only with eDirectory.

Wiki+LDAP on an OES

Another question

I've installed the wiki on the new Novell OpenEnterpriseServer (OES). It's an SuSE Linux Enterprise Server 9 with Novell components.

I installed my wiki (1.4.0) and could log in as WikiSysop. Good.

Now I applied the LDAP patches (for testing not on eDir and no SSL). When I try to log in I get a blank page after clicking the login button and can't edit any pages. It doesn't matter if I try to log in with an existing or non-existing user or the wrong or right password. Even if the password is empty, there's feedback.

Any hints why I can't log in? The URL is: path_to_wiki/index.php?title=Spezial:Userlogin&action=submit&returnto=Hauptseite (Hauptseite means Main page)

THX KNEBB

I had a similar problem with a blank page while I was hacking LdapAuthentication.php a bit and screwed something up. After replacing it with the original, the blank page problem was fixed. Getting it to authenticate against eDirectory was much more fun, though.
--Bone

password min length limit curiosity

It's over my head, but the authors may be interested in this user's findings:

-- Sy / (talk) 12:30, 15 September 2005 (UTC)

Ah, good to know. I'm probably not checking the password limit when creating users. This will have to be an outstanding bug for a while. I'm currently evacuated from New Orleans, and have no ability to work on the patch.
-- Ryan Lane
This bug is unfortunately in the core code, and not in my plugin. I have submitted a bug (and a patch correcting the problem) into the bugzilla at: http://bugzilla.wikipedia.org/show_bug.cgi?id=4081
--Ryan Lane

Installation instructions

Can anyone provide a simple README that would describe how to apply these LDAP patches? They're not patching cleanly for me, and I'm not enough of a guru to figure out what's going wrong. --Tim

For version 1.5, you don't need to patch, you just need to drop "LdapAuthentication.php" into the "includes" directory. The rest of the patch has been merged into the core code. If you are using version 1.4, you'll need to merge the patch. Unfortunately, I do not have a version that will merge cleanly with the newest version of 1.4, so you'll have to merge it by hand using an editor. I am no longer supporting 1.4, only focusing my attention on 1.5.
-- Ryan Lane

$wgLDAPSearchStrings vs $wgLDAPSearchAttributes

Why do we need both the $wgLDAPSearchStrings and $wgLDAPSearchAttributes? Seems like we only really need one of them.

I have made a few updates to just use $wgLDAPSearchAttributes, and be able to use a search for binding rather than an exact bind with $wgLDAPSearchStrings. I updated the getUserDN() to find the proper userdn, then use that userdn to bind and authenticate in authenticate().

function getUserDN( $ldapconn, $username ) {
    global $wgLDAPProxyAgent, $wgLDAPProxyAgentPassword;
    global $wgLDAPSearchAttributes, $wgLDAPBaseDNs;

    if ( isset( $wgLDAPProxyAgent ) ) {
        // Search as the proxy agent, below the ___domain's search string
        $bind = @ldap_bind( $ldapconn, $wgLDAPProxyAgent, $wgLDAPProxyAgentPassword );
        $searchString = $this->getSearchString( $username );
    } else {
        // Anonymous search below the ___domain's base DN
        $bind = @ldap_bind( $ldapconn );
        $searchString = $wgLDAPBaseDNs[$_SESSION['wsDomain']];
    }
    if ( !$bind ) {
        return;
    }

    // Escape the login name before splicing it into the filter (RFC 4515);
    // otherwise a name such as "*" turns the lookup into a wildcard search.
    // Backslash must be replaced first, since the other replacements add one.
    $escaped = str_replace(
        array( '\\', '*', '(', ')', "\x00" ),
        array( '\5c', '\2a', '\28', '\29', '\00' ),
        $username );
    $filter = "(" . $wgLDAPSearchAttributes[$_SESSION['wsDomain']] . "=" . $escaped . ")";

    // we need to do a subtree search for the entry
    $entry = @ldap_search( $ldapconn, $searchString, $filter );
    if ( !$entry ) {
        return;
    }
    $info = @ldap_get_entries( $ldapconn, $entry );
    // Only bind when the search matched exactly one entry; binding as
    // $info[0] of an ambiguous result means binding as whichever entry
    // the server listed first.
    if ( !$info || $info["count"] != 1 ) {
        return;
    }
    return $info[0]["dn"];
}


Any thoughts on just having one search criteria instead of two? or am I missing something.

- Chris Chan, cchan@spikesource.com

Not everyone searches for users, and binds with the found user. Some people need to do direct binds, or prefer to do direct binds. In this case, the script only requires $wgLDAPSearchStrings and not $wgLDAPSearchAttributes. To search for a user, you either have to allow anonymous searches, or you have to use a proxyagent. Many people (including myself) authenticate against the directory using straight binds. Maybe my logic is screwed up. I'll review this a little more and get back to you.
--Ryan Lane
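What the search-then-bind path needs beyond the getUserDN() sketch above, as an added Python example (not code from the thread, the patch or the plugin, and independent of MediaWiki): escaping the login name before it is spliced into the search filter, per RFC 4515, and refusing to bind unless the search matched exactly one entry. The attribute names, the login names and the entry list fed to it are constructed for the demo.

```python
"""Search-then-bind helpers: escaped filter construction and unique-match check.

Added example, not the LdapAuthentication plugin's code. The filter the
thread builds by concatenation, "(" . attribute . "=" . username . ")",
is reproduced in build_user_filter_unsafe() only to show the difference.
"""

# RFC 4515 section 3: characters with special meaning inside a filter
# assertion value, written as a backslash followed by two hex digits.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(attribute: str, username: str, extra_filter: str = "") -> str:
    """Build the lookup filter for a login name.

    attribute    the name the account is looked up by, e.g. "uid" or
                 "sAMAccountName" (what $wgLDAPSearchAttributes holds)
    extra_filter an optional additional clause ANDed with the name match,
                 e.g. a group or access-flag test such as "(wikiAccess=TRUE)"
    """
    name_match = "(%s=%s)" % (attribute, escape_filter_value(username))
    if extra_filter:
        return "(&%s%s)" % (name_match, extra_filter)
    return name_match


def build_user_filter_unsafe(attribute: str, username: str) -> str:
    """The plain concatenation from the thread, kept for comparison only."""
    return "(" + attribute + "=" + username + ")"


def select_unique_dn(entries: list) -> str:
    """Return the DN to bind as, or raise if the search was ambiguous.

    `entries` is the list of matched entries (each a dict with a "dn" key).
    Taking entries[0] blindly, as the sketch above does, would bind as
    whichever entry the server happened to list first.
    """
    dns = [entry["dn"] for entry in entries]
    if len(dns) != 1:
        raise LookupError("expected exactly one match, got %d" % len(dns))
    return dns[0]


if __name__ == "__main__":
    # Constructed inputs: ordinary login names and one made of a filter wildcard.
    print(build_user_filter("uid", "jschroed"))
    print(build_user_filter("sAMAccountName", "KatK", "(memberOf=cn=IT,dc=office,dc=air,dc=com)"))
    print(build_user_filter_unsafe("uid", "*"))   # wildcard: matches every entry
    print(build_user_filter("uid", "*"))          # literal asterisk in the name
    print(select_unique_dn([{"dn": "uid=jschroed,ou=CVG,o=Comair"}]))
```

The same escaping applies to any other value taken from the login form and used in a filter (the ___domain name selected in the login box included); the unique-match check is what the later "supplied argument is not a valid ldap result resource" style of failure turns into once @ldap_search returning false is handled before ldap_get_entries is called.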

Applying Patch fails on 1.5.0_rc4-r1

I'm trying to apply your patch to mediawiki 1.5.0_rc4-r1 but all diff files seem to fail:

turtle includes # patch -p3 -b <AuthPlugin.diff
patching file AuthPlugin.php
Hunk #1 FAILED at 65.
Hunk #2 FAILED at 133.
Hunk #3 FAILED at 210.
3 out of 3 hunks FAILED -- saving rejects to file AuthPlugin.php.rej

Are there any changes not considered for this Version of mediawiki?

--Have a look a couple of questions up - you don't need to patch 1.5, just drop ldapauthentication.php in your includes dir

Authenticating against Windows 2000 AD

I'm playing around with authentication against a W2K AD with these settings (tried lots of variations already). But I keep getting "Password wrong or missing".

For testing I use a user:

distinguishedName = "dn=Kyle Katarn,OU=Test,dc=ams,dc=com"
samAccountName = "KatK"

require_once( "includes/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgUseLDAP = true;
$wgLDAPDomainNames = array( "AMS" );
$wgLDAPServerNames = array( "AMS"=>"$fqdnOfDC" );
$wgLDAPSearchStrings = array( "AMS"=>"AMS\\$wpName" );
$wgLDAPUseSSL = false; 
$wgLDAPUseLocal = false; 
//$wgLDAPAddLDAPUsers = false; 
//$wgLDAPUpdateLDAP = false;  
//$wgLDAPWriterDN = "uid=priviledgedUser,ou=people,dc=LDAP,dc=example,dc=com"; 
//$wgLDAPWriterPassword = "{SHA}KqYKj/f81HPTIeAUav2eJt85UUc=";
//$wgLDAPProxyAgent =  "";
//$wgLDAPProxyAgentPassword = ""; 
// if you cannot do direct binds based upon $wgLDAPSearchStrings, then you'll need these two
//$wgLDAPSearchAttributes = array( "AMS"=>"AMS\\$wpName" );
//$wgLDAPBaseDNs = array( "AMS"=>"dc=ams,dc=com" );
//This requires $wgLDAPWriterDN and $wgLDAPWriterPassword to be set!
//$wgLDAPMailPassword = true;
$wgLDAPRetrievePrefs = false;

Neither logging in with "KatK" nor "Kyle Katarn" works. The LDAP server connection is opened, but the authentication in the wiki fails.

LDAP itself works fine:

ldapsearch -s sub -x -b "dc=ams,dc=com" -D "AMS\KatK" -h 172.21.0.100 -p 389 -W

This works perfectly!

By default, AD will not let you authenticate users over LDAP. Only over LDAPS. So you'll need to either tell AD not to require signed communications, or you'll need to install an SSL certificate. You can also install the certificate server software that comes with AD, which will install a self signed certificate. Make sure that the client trusts the CA (in this case it'll be your AD server).
--Ryan Lane

Tracking down the Problem

I did some debugging and what i found out is: In my LocalSettings.php I've added

$wgLDAPSearchStrings = array( "AMS"=>"AMS\$wpName" );

But after doing some debug output I see that the $wpName variable is not set (it's empty) So in includes/LdapAuthentication.php when it comes to bind to the LDAP server

includes/LdapAuthentication.php
...
$bind = @ldap_bind($ldapconn, $userdn, $password)

The $userdn variable only contains "AMS\"

So I only need to get the $wpName from the login dialog, then it would work. (I tried it with hardcoded strings)

Ohhhhhhhhh.... Ok. I see what the problem is now then. You should be using:
$wgLDAPSearchStrings = array ( "AMS"=>"AMS\USER-NAME" );
This is how the patch is set to work. In LocalSettings.php $wpName doesn't exist, so it is substituting the variable with "AMS\"
--Ryan Lane
--Reinhard Brandstädter
I've figured this out and added an example to the documentation but someone removed it again. I think many more people run into the same problem because in my opinion Active Directory is not well documented. Can you add the example again?
I agree that other people may find this useful. The example wasn't removed, just moved. It is now on the examples page I created recently.
--Ryan Lane
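How the USER-NAME substitution Ryan describes works, as an added Python example (not the plugin's code, and not tied to MediaWiki). The templates, login names and configuration values in it are constructed. Beyond the substitution itself it adds two checks the exchange shows are worth having: the template must still contain the placeholder (PHP has already turned "AMS\\$wpName" into "AMS\" by the time the plugin sees it), and the login name is limited to plain account-name characters so it cannot carry a comma, backslash or "@" that would move the bind to a different entry.

```python
"""Direct bind: substitute the login name into a $wgLDAPSearchStrings template.

Added example, not the LdapAuthentication plugin's code. The plugin replaces
the literal token USER-NAME in the ___domain's search string with the name typed
into the login form and binds with the result, whether the template is a DN
("cn=USER-NAME,ou=CVG,o=Comair"), an NT-style name ("AMS\\USER-NAME") or a
UPN ("USER-NAME@uscomp.local").
"""
import re

PLACEHOLDER = "USER-NAME"

# Conservative allowlist for the substituted name. A name containing ',',
# '+', '"', '\\', '<', '>', ';', '#' or '=' would need RFC 4514 escaping in
# the DN form and has no representation in the DOMAIN\\name and name@realm
# forms, so such names are rejected rather than escaped. Assumption: the
# directories in question use account names that fit this pattern.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def bind_name(template: str, username: str) -> str:
    """Return the name to hand to ldap_bind() for this login, or raise ValueError."""
    if PLACEHOLDER not in template:
        raise ValueError("search string %r has no %s placeholder" % (template, PLACEHOLDER))
    if not _SAFE_NAME.match(username):
        raise ValueError("login name %r is not a plain account name" % username)
    return template.replace(PLACEHOLDER, username)


def check_search_strings(search_strings: dict) -> dict:
    """Validate a $wgLDAPSearchStrings-style mapping of ___domain -> template.

    Returns {___domain: problem} for every template that can never produce a
    per-user bind name; an empty dict means all templates carry the placeholder.
    """
    problems = {}
    for ___domain, template in search_strings.items():
        if PLACEHOLDER not in template:
            problems[___domain] = (
                "no %s placeholder: every login would bind as %r" % (PLACEHOLDER, template)
            )
    return problems


if __name__ == "__main__":
    # Constructed settings: one template per form, plus the broken one that
    # PHP produces from "AMS\\$wpName" inside double quotes.
    settings = {
        "comair.com": "cn=USER-NAME,ou=CVG,o=Comair",
        "USCOMP": "USER-NAME@uscomp.local",
        "AMS": "AMS\\",
    }
    print(check_search_strings(settings))
    print(bind_name(settings["comair.com"], "jschroed"))
    print(bind_name("AMS\\USER-NAME", "KatK"))
```

A template check like check_search_strings() run once at startup is cheaper than the debugging Reinhard had to do: a template without the placeholder fails for every user with the same "password wrong" message, which is indistinguishable from a bad password or an untrusted certificate.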

LdapAuthentication.php really being read?

  • I'm using Windows 2003 and IIS.
  • PHP installed fine.
    • After installation I was sure to uncomment the include php_ldap.dll line in php.ini
  • MySQL installed fine.
  • MediaWiki installed fine.

To install LDAP Authentication I went to your bugs page, and copied then pasted the source from LdapAuthentication.php 1.0a into includes/LdapAuthentication.php

I then tried entering virtually every ldap for Active Directory configuration I could find into LocalSettings.php. None of them work. None of them spit out any errors apart from the usual "There is no user by the name 'usernameIenter'" Wiki error.

If I change the include path to LdapAuthentication.php PHP complains it can't find the file, so I know it works. If I add a print statement at the top of LdapAuthentication I get the print and a ton of expected "headers already sent" errors. So I know it's actually being read. However it's like NONE of the functions inside the file are actually being used by the wiki.

I even tried using some of the GUI tips and they don't have any effect.

Example: I added the two lines that are supposed to remove the send email button and create account options from the login screen into modifyUITemplate.

$template->set( 'create', false );
$template->set( 'useemail', false );

They don't have any effect what-so-ever. Here's the entire function so you can be sure I'm adding them correctly.

function modifyUITemplate( &$template ) {
   global $wgLDAPDomainNames, $wgLDAPUseLocal;
   $template->set( 'usedomain', true );
   $template->set( 'create', false );
   $template->set( 'useemail', false );
   $tempDomArr = $wgLDAPDomainNames;
   if ( $wgLDAPUseLocal ) {
      array_push( $tempDomArr, 'local' );
   }
   $template->set( 'domainnames', $tempDomArr );
}


What is going on here? I'm at a total loss. Pointing in any direction here would be great.

Have you checked the permissions on LdapAuthentication.php?
Have you had a look at the examples page? What does your LocalSettings.php look like?
Unfortunately, this patch really hasn't been tested much using IIS. I'd imagine it should work fine, but I can't promise that.
--Ryan Lane



In reply to Ryan:

I've used and applied all examples for active directory authentication and it simply doesn't fly. What I mean by it seems as if nothing is being read is that even though I have the create and useemail set as false I still see this as my login screen: http://img181.imageshack.us/my.php?image=ldapnoeffect7ii.gif

For testing purposes I just gave full control to IUSR over the entire MediaWiki directory. It makes no difference. Here are my relevant settings in LocalSettings.php. Note: This is .local instead of .com or .net to ensure this ___domain never goes public. That is the actual extension and works fine for everything Active Directory, but could that be part of the issue here?

<?php

#
##
###
####Ldapauthentication mod START

require_once( "includes/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "USCOMP" );
$wgLDAPServerNames = array( "USCOMP"=>"server1.uscomp.local" );
$wgLDAPSearchStrings = array( "USCOMP"=>"USER-NAME@uscomp.local" );
$wgLDAPUseSSL = false; //not recommended but OK for testing
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;
$wgLDAPRetrievePrefs = false;

####Ldapauthentication mod STOP
###
##
#

# This file was automatically generated by the MediaWiki installer.
... the rest of the file below


Any ideas here?


Ok, a bit more information here. I was getting concerned if PHP was even using LDAP correctly on IIS so I found and tested this set of tools: http://adldap.sourceforge.net/download.php

The examples work great. It is able to search out a user and reply with their full name, what group they're a part of, and correctly identify virtually every aspect of their active directory settings.

So it seems like everything is walking and talking together nicely. One of the variables they asked for in their script was a specific 'bind' user. Apparently Windows Server 2003 doesn't support clear text passwords or anonymous searching. Are either of these being applied in your script using the settings I have above? It doesn't appear so, but I guess you could be using the username/pass supplied to try and search AD instead if having a user specified in the source.

Ryan, I'm going to go ahead and send you an e-mail so we can be in more direct contact. I would love to have this work out for my situation, and I hope to help you advance your script however I can. If you can work with me a bit to get this done at the very least I can create a complete HowTo for anybody looking to start from the very beginning. A complete rundown of installing iis/php/mysql/mediawiki/ and finally ldapauthentication on Server 2003. I just have to get mine working first ;)

Quick note to any other AD guys that try to use their script to test everything out. A line of their code is typo'd until the next version, so be sure you read https://sourceforge.net/forum/forum.php?thread_id=1370601&forum_id=358759 before scratching your head on why the correct group for your user is listed, and yet the user is said not to be part of that very same group when it's actually tested.

Either/Or?

Great patch, Thanks!

My understanding, please correct me if I'm wrong is that you can either authenticate against an entire directory tree, or against a group. Is that right?

Is there a way to get more granularity? Can I specify individual USER-NAMES that are allowed to authenticate? Or individual USER-NAMES in addition to a group? Or more than one group?


--mark

Well, if you want to get fancy with the search filter, I'm sure you can limit to individual users. It would probably be better to use the role or group feature though. Multiple roles/groups is not supported for now. I may add that in later though (and hopefully support for nested groups/roles).
--Ryan Lane

Thanks, Ryan - not sure what you mean by "roles"

I have a situation where there is a support group and student workers who use the same wiki for IT group documentation. The students are not a part of the support group, and shouldn't be. Creating another group with both support and the student workers isn't a good solution as many in the support group have hit the 16 group limit in UNIX already.

Currently using apache + mod_auth_ldap via .htaccess to restrict the wiki directory to the individual users, but then they have to log into the wiki itself as well. Be nice to have one login instead of two.

No love (Solved)

I am very new to PHP AND LDAP so I wouldn't be surprised if this is a result of my incompetence, but I cannot get LDAP authentication to work whatsoever. I installed MediaWiki 1.5 and got it up and running. I then put LdapAuthentication.php into my includes directory. Next I put the following at the bottom of LocalSettings.php before the ?>

require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "comair.com" );
$wgLDAPServerNames = array( "exampleNonADDomain"=>"ldap.comair.com"  );
$wgLDAPSearchStrings = array( "exampleNonADDomain"=>"cn=USER-NAME,ou=CVG,o=Comair"  );
$wgLDAPUseSSL = false;
$wgLDAPUseLocal = false;
$wgLDAPAddLDAPUsers = false;
$wgLDAPUpdateLDAP = false;
$wgLDAPMailPassword = false;
$wgLDAPRetrievePrefs = false;
$wgMinimalPasswordLength = 1;

For the life of me, I cannot get it to authenticate. Every time I try, I get the wrong password error and am kind of baffled. To add a user in our portal software, this is the LDAP notation we use: cn=username,ou=CVG,o=Comair

Any ideas on what I can do to further troubleshoot? The Apache error_log doesn't show a thing and I can't just turn up the verbosity like I can with Tomcat. By the way, i installed mediawiki 1.5 stable on SUSE Enterprise Linux 9. I made sure that php4-ldap is installed.

Change the following:
$wgLDAPServerNames = array( "exampleNonADDomain"=>"ldap.comair.com" );
$wgLDAPSearchStrings = array( "exampleNonADDomain"=>"cn=USER-NAME,ou=CVG,o=Comair" );
to:
$wgLDAPServerNames = array( "comair.com"=>"ldap.comair.com" );
$wgLDAPSearchStrings = array( "comair.com"=>"cn=USER-NAME,ou=CVG,o=Comair" );
You may also want to change "comair.com" to just "comair".
Also, Are your user's entries in "ou=CVG,o=Comair"?
-- Ryan Lane

I'm not really sure what the "___domain" is. This is not Active Directory, so I don't really understand why I need a "___domain". The users I want are all in ou=CVG,o=Comair. In our portal software, adding cn=jschroed,ou=CVG,o=Comair will give me access to that page. Can the ___domain be any name whatsoever, or does it actually matter? I'll try this out tomorrow and let you know.

Worked like a charm, Thanks! So you know, changing comair.com to comair would not allow me to authenticate, but keeping it comair.com works.

Whether you use AD or not, you always have a ___domain. In the case of non-AD ldap, generally people refer to the basedn as the ___domain, so for instance, you are using o=Comair, so your ___domain would be comair. It doesn't really matter what you call the ___domain however, in this patch you can call the ___domain "sonofcthulu" as long as you used that ___domain name everywhere else in LocalSettings.php.
-- Ryan Lane


AD groups in wiki

Hi folks hi Ryan Lane,

Hey Ryan, you did a really good job with the LDAP Authentication. But I have a question about importing AD groups into the wiki (table usergroups). Is it possible to import all groups (cn), ou and dc, so they can be selected from Spezial:Userrights? And is it possible to restrict access to articles for people who are not in

cn=IT, dc=office, dc=air, dc=com

for example.

I posted an answer to this question in the bugzilla, but I guess this is really a better place for the answer. Currently, this is not possible. It is possible to write code for this functionality, but it wouldn't be easy, and it would cause a LDAP hit every time someone accessed the wiki. I'm interested in this functionality myself, and will look into it, but I'm really busy right now, and don't have reliable internet access at home. If someone else wants to look into getting this working, I'd be happy to accept a patch.
-- Ryan Lane

The sample Group Based Restrictions is not working for me. Error:

Warning: ldap_get_entries(): supplied argument is not a valid ldap result resource in /var/www/html/dewiki/includes/LdapAuthentication.php on line 567 

thx

Bernhard Schuller

Unfortunately, I didn't write the group access restrictions, so it is hard for me to troubleshoot this part for you. I can try though. I'd need to see your setup in LocalSettings.php (with sensitive information edited of course).
-- Ryan Lane

Any more verbose instructions?

Hello,

I'm attempting to try out the LDAP and the files are supposedly at bugzilla.wikipedia.org but all I see there is a chunk of code. No sign of the ldapauthentication.php file I'm seeking. Any help appreciated.

Ummm.... The plugin is listed as an attachment. If you click on the link, it'll open the code up in your browser. You need to right click and do "Save as...". Otherwise, I think the instructions for this patch are pretty good at this point.
-- Ryan Lane

Username modified (capital letter), authentication fails

I've installed the patch in the includes folder. I get the appropriate login form. However I get a password wrong or missing error. I'm pretty sure I'm using the right password, I use it for a number of other web applications linked to the same LDAP server.

In the file LdapAuthentication.php I looked at a number of things.

In function connect() I echoed $ldapconn. A resource ID showed up, so I assume there is a connection to the LDAP server. I also removed the @ from before ldap_connect( $servers ); No errors there.

Then I moved on to function authenticate() I added an echo statement right after $bind=@ldap_bind($ldapconn, $userdn, $password); echo "*1*".$ldapconn."*2*".$userdn."*3*".$password; This shows me that the connection resource is still available, and the login ($userdn) and password are available to the script.

Now that I look carefully, I see that my username has been modified somewhere in the process. The first letter is turned into a capital letter. I assume this is why authentication fails on my LDAP.

The 'damage' is done before the username is passed to this function: getSearchString($username). I'm guessing the change occurs before the LdapAuthentication.php script is called. I'll keep on looking, but any help would be greatly appreciated.

Hanne 13:16, 23 December 2005 (UTC)

I find it strange that your directory really cares what case your username is in... Isn't it standard for LDAP to be case insensitive for usernames? You shouldn't be getting failed authentication.
-- Ryan Lane
The fix for this is documented. For now you'll have to modify the core code. I've looked at the latest version of AuthenticationPlugin.php in CVS, and it offers a solution. So in the future my plugin will handle this problem.
-- Ryan Lane

Cannot Login

I have posted this mail to the wikitech-l@wikipedia.org. But got Ryan's instruction to post it here.

I have just started hacking mediawiki. I am trying to apply the LDAP authentication plugin to mediawiki-1.5.2 in a FC-4. I'm using openldap-2.2.23-5. I have read the documentation at : http://meta.wikimedia.org/wiki/LDAP_Authentication and downloaded the plugin from :http://bugzilla.wikipedia.org/attachment.cgi?id=1042&action=view

I have dropped the above file in /includes and changed LocalSettings.php accordingly. Luckily everything seems to be working fine. But everything crashed when I tried group based authentication in MediaWiki. I have added a group entry to the LDAP server, restarted it and then included the configuration parameters for group based authentication. Now my LocalSettings.php looks like this:

 require_once( 'LdapAuthentication.php' );
 $wgAuth = new LdapAuthenticationPlugin();
 $wgLDAPDomainNames = array( "libregeek" );
 $wgLDAPServerNames = array( "libregeek"=>"localhost" );
 $wgLDAPSearchStrings = array( "libregeek"=>"uid=USER-NAME,ou=People,dc=libregeek,dc=net" );
 $wgLDAPUseSSL = false;
 $wgLDAPUseLocal = false;
 $wgLDAPAddLDAPUsers = false;
 $wgLDAPUpdateLDAP = false;
 $wgLDAPMailPassword = false;
 $wgLDAPRetrievePrefs = false;
 $wgMinimalPasswordLength = 1;
 
 $wgLDAPGroupDN = "cn=itpeople,ou=Groups,dc=libregeek,dc=net";
 $wgLDAPProxyAgent = "cn=root,dc=libregeek,dc=net";
 $wgLDAPProxyAgentPassword = "secret"; //this should work with hashes btw
 $wgLDAPBaseDNs = array("libregeek"=>"dc=libregeek,dc=net");
 $wgLDAPSearchAttributes = array("libregeek"=>"(uid=USER-NAME)(wikiAccess=TRUE)");

With this configuration I can't log in. It simply says "The password you entered is incorrect (or missing). Please try again." Are there any missing configuration items? I just tried to print the global variables corresponding to proxies in LdapAuthentication.php and it gives nothing. One more thing: I didn't get the correct idea of Proxy. Is it like the "Manager" account who has read permission to all the directory entries?

What may have gone wrong?
Please help.
Regards

Manilal

You are using both proxy style binding and straight binds at the same time. This is a clash in configuration options. Remove everything after $wgLDAPGroupDN.
-- Ryan Lane

Blank Screen

By --203.99.211.41 12:19, 13 January 2006 (UTC)

Hi, I have developed a site using MediaWiki in a Windows environment, and it's working nicely.

Now I am trying to use LDAP authentication. I have read the documentation at http://meta.wikimedia.org/wiki/LDAP_Authentication and downloaded the plugin from http://bugzilla.wikipedia.org/attachment.cgi?id=1042&action=view

I have dropped the above file in /includes and changed Localsettings.php accordingly, but after clicking the log in button I am getting a blank page.

pls help me

It is possible that your php windows install doesn't have LDAP enabled (as it isn't enabled by default on windows installs). Look through directions on how to do this on php.net. It may be just as easy as uncommenting the module in your php.ini, or you may have to install the DLLs, and then uncomment the module in php.ini. If you are getting a blank screen, it is because of php errors (any other problems would result in the wiki telling you that you are giving it a bad password).
The next issue you are sure to run into is using SSL. Unfortunately, I haven't been successful in helping anyone troubleshoot that problem on windows systems, as I don't know how to test it on windows systems (I always use ldapsearch on linux/unix systems, and mess with the ldap.conf until I've figured out the problem, but these don't come with windows...).
-- Ryan Lane

Hi! I too am getting a blank screen. I can cope with the LDAP not being configured correctly just yet, so I have $wgLDAPUseLocal = true; in my LocalSettings.php. Unfortunately, even logging in locally gets me a blank screen at the login page <___domain>/wiki/index.php?title=Special:Userlogin&action=submitlogin . Is this still likely to be caused by LDAP not being a part of PHP regardless of the lack of usage of the include? --Barthax 16:54, 15 February 2006 (UTC)

Are you trying to log in with an already created user, or does the user not exist yet? If the user doesn't exist, the wiki will try to create the user. When it tries to create the user, it'll check with the authentication plugin to see if the user exists, and if it does not, it will try to authenticate. This isn't a bug per se. If you are using local, you should be creating an account before you try to log in.
Even if the user does exist, it looks like it still tries to hit the LDAP server first. This looks like a bug. The authenticate method in the ldap plugin should be returning false if the ___domain is local, otherwise it'll try to hit the LDAP server first. This is what is causing the problem. This is only causing a blank page because PHP doesn't have LDAP support, but this is a bug either way (although a fairly benign one). I'll fix it as soon as I can (and make sure my changes won't cause a security problem).
-- Ryan Lane
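The two bind styles Ryan contrasts in his answer to Manilal above, the first-letter capitalisation Hanne ran into, and the order of checks Ryan describes for the local ___domain, worked through as an added example in Python. This is not the plugin's code or anything from this page: the FakeLdap class, the DIRECTORY tree, the constants standing in for the $wgLDAP* settings, and every DN, password and filter value are constructed for illustration. It shows the straight bind (template DN, no search) next to the proxy-agent search-then-bind, why a capitalised username still matches under LDAP's case-insensitive matching, and why the local ___domain must return before any directory call is made.

```python
import re

# Constructed sample directory laid out like the dc=libregeek,dc=net tree in Manilal's post.
# Keys are DNs, values map attribute -> list of values. Clear-text passwords are a toy-only shortcut.
DIRECTORY = {
    "cn=root,dc=libregeek,dc=net": {"userPassword": ["secret"]},
    "uid=manilal,ou=People,dc=libregeek,dc=net": {
        "uid": ["manilal"], "userPassword": ["pw-1"], "wikiAccess": ["TRUE"]},
    "uid=hanne,ou=People,dc=libregeek,dc=net": {
        "uid": ["hanne"], "userPassword": ["pw-2"]},
}

# Constants standing in for the $wgLDAP* settings in the post (values are constructed).
STRAIGHT_BIND_TEMPLATE = "uid=USER-NAME,ou=People,dc=libregeek,dc=net"  # cf. $wgLDAPSearchStrings
PROXY_DN, PROXY_PASSWORD = "cn=root,dc=libregeek,dc=net", "secret"      # cf. $wgLDAPProxyAgent(+Password)
BASE_DN = "dc=libregeek,dc=net"                                          # cf. $wgLDAPBaseDNs
SEARCH_FILTER = "(&(uid=USER-NAME)(wikiAccess=TRUE))"                    # cf. $wgLDAPSearchAttributes, as one AND filter


def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into a search filter, so a name such as
    'x)(uid=*' cannot rewrite the filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def escape_dn_value(value):
    """RFC 4514 escaping for a value placed into an RDN of a DN template (a DN is not a filter)."""
    out = re.sub(r'([,+"\\<>;])', r"\\\1", value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


class FakeLdap:
    """Stand-in for an LDAP connection: bind() plus a tiny subset of search(). Constructed here."""

    def __init__(self, directory):
        self.directory = directory
        self.bound_as = None
        self.binds = 0
        self.searches = 0

    def _entry(self, dn):
        # DNs and attributes such as uid use caseIgnoreMatch, so compare case-insensitively.
        for key, attrs in self.directory.items():
            if key.lower() == dn.lower():
                return attrs
        return None

    def bind(self, dn, password):
        self.binds += 1
        entry = self._entry(dn)
        ok = entry is not None and password in entry.get("userPassword", [])
        self.bound_as = dn if ok else None
        return ok

    def search(self, base_dn, filt):
        """Subtree search; the filter is (attr=value) or an AND of such terms, (&(a=b)(c=d))."""
        if self.bound_as is None:
            raise PermissionError("this toy directory refuses anonymous searches")
        self.searches += 1
        terms = re.findall(r"\(([^()=]+)=([^()]*)\)", filt)
        return [dn for dn, attrs in self.directory.items()
                if dn.lower().endswith(base_dn.lower())
                and all(any(v.lower() == want.lower() for v in attrs.get(attr, []))
                        for attr, want in terms)]


def straight_bind(conn, username, password):
    """Straight bind: derive the DN from the template and bind as it. No proxy agent, no search."""
    if not password:
        # RFC 4513: a DN with an empty password is an *unauthenticated* bind, which many servers
        # accept as anonymous, so it has to be rejected here or every user would "log in".
        return False
    return conn.bind(STRAIGHT_BIND_TEMPLATE.replace("USER-NAME", escape_dn_value(username)), password)


def proxy_search_bind(conn, username, password):
    """Proxy style: bind as the agent, search for exactly one entry, then rebind as that DN."""
    if not password:
        return False
    if not conn.bind(PROXY_DN, PROXY_PASSWORD):
        return False
    hits = conn.search(BASE_DN, SEARCH_FILTER.replace("USER-NAME", escape_filter_value(username)))
    if len(hits) != 1:  # none: unknown user; several: ambiguous, refuse rather than guess
        return False
    return conn.bind(hits[0], password)


def authenticate(conn, ___domain, username, password, method=proxy_search_bind):
    """Plugin-style entry point: the local ___domain is answered without touching the directory,
    so the wiki falls back to its own password table (the ordering Ryan describes above)."""
    if ___domain == "local":
        return False
    return method(conn, username, password)


if __name__ == "__main__":
    conn = FakeLdap(DIRECTORY)
    # MediaWiki capitalises the first letter; caseIgnoreMatch makes that irrelevant to both styles.
    print("straight Manilal:", straight_bind(conn, "Manilal", "pw-1"))
    print("proxy    Manilal:", proxy_search_bind(conn, "Manilal", "pw-1"))
    print("proxy    hanne (no wikiAccess):", proxy_search_bind(conn, "hanne", "pw-2"))
    print("local ___domain, directory untouched:", authenticate(conn, "local", "manilal", "pw-1"))
```

A configuration mixes the two styles when it sets both a DN template and a proxy agent plus base DN, which is the clash Ryan points out; a plugin has to pick one path per ___domain. The empty-password check and the two escape helpers are the parts that most often go missing in hand-rolled LDAP logins.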

Active Directory Authentication w/ Nested Groups

--Justin Grote 20:39, 29 January 2006 (UTC)
Hi Ryan, great job with this module. I was able to get the Active Directory group-based authentication modifications working (eventually). I do have a customer however who is interested in both nested group support and per-___domain group restrictions. I've already sketched out how to do this with the module and it's very possible while only adding 2+n (n for the level of recursion of the nested groups) LDAP queries. I just wanted to check if you were already working on this before I get started. Thanks.

Nope, not working on it currently. I haven't had much time lately. I'd love to get a patch for this (please send it in unified diff format).
-- Ryan Lane
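Nested group resolution with a per-___domain group restriction, of the kind Justin describes, as an added example in Python. It is not the plugin's code and not Justin's patch: the GROUPS tree (Active Directory style member attributes, with a deliberate cycle), the REQUIRED_GROUP table and all DNs are constructed for illustration. The walk is breadth-first over member attributes, keeps a visited set so a cycle cannot loop it, bounds the depth so a pathological tree cannot stall every login, and counts queries so the cost of each nesting level is visible.

```python
# Constructed sample Active Directory groups: group DN -> values of its "member" attribute.
# Platform points back to Engineering on purpose so the walk has a cycle to survive.
GROUPS = {
    "CN=WikiUsers,OU=Groups,DC=example,DC=test": [
        "CN=Engineering,OU=Groups,DC=example,DC=test",
        "CN=alice,OU=Users,DC=example,DC=test"],
    "CN=Engineering,OU=Groups,DC=example,DC=test": [
        "CN=Platform,OU=Groups,DC=example,DC=test",
        "CN=bob,OU=Users,DC=example,DC=test"],
    "CN=Platform,OU=Groups,DC=example,DC=test": [
        "CN=Engineering,OU=Groups,DC=example,DC=test",
        "CN=carol,OU=Users,DC=example,DC=test"],
    "CN=Contractors,OU=Groups,DC=example,DC=test": [
        "CN=dave,OU=Users,DC=example,DC=test"],
}

# Per-___domain restriction (constructed): each wiki ___domain names the one group its users must be in.
REQUIRED_GROUP = {
    "example": "CN=WikiUsers,OU=Groups,DC=example,DC=test",
    "partners": "CN=Contractors,OU=Groups,DC=example,DC=test",
}


class FakeDirectory:
    """Stand-in for the directory: one members() call models one LDAP query for a group's members."""

    def __init__(self, groups):
        # DNs compare case-insensitively, so key the toy store by lower-cased DN.
        self.groups = {dn.lower(): members for dn, members in groups.items()}
        self.queries = 0

    def members(self, group_dn):
        self.queries += 1
        return self.groups.get(group_dn.lower(), [])

    def is_group(self, dn):
        # Toy shortcut: real code would read objectClass or rely on the group OU's naming.
        return dn.lower() in self.groups


def in_group(directory, user_dn, group_dn, max_depth=10):
    """True if user_dn is a direct or nested member of group_dn.

    Breadth-first over member attributes; 'seen' defeats cycles (A contains B contains A), and
    max_depth bounds the number of queries a single login can cost."""
    user = user_dn.lower()
    seen, frontier = set(), [group_dn.lower()]
    for _ in range(max_depth):
        next_frontier = []
        for group in frontier:
            if group in seen:
                continue
            seen.add(group)
            for member in directory.members(group):
                if member.lower() == user:
                    return True
                if directory.is_group(member) and member.lower() not in seen:
                    next_frontier.append(member.lower())
        if not next_frontier:
            return False          # whole tree walked, user not found
        frontier = next_frontier
    return False                  # depth bound hit: fail closed rather than guess


def authorize(directory, ___domain, user_dn):
    """Per-___domain check: a ___domain with no configured group admits nobody (fail closed)."""
    group = REQUIRED_GROUP.get(___domain)
    return group is not None and in_group(directory, user_dn, group)


if __name__ == "__main__":
    d = FakeDirectory(GROUPS)
    print("carol via two nesting levels:", in_group(d, "CN=carol,OU=Users,DC=example,DC=test",
                                                   REQUIRED_GROUP["example"]), "queries:", d.queries)
    print("dave in example ___domain:", authorize(FakeDirectory(GROUPS), "example",
                                              "CN=dave,OU=Users,DC=example,DC=test"))
```

One query per group visited is the cost model here, so a user found at nesting level n costs n+1 member reads on top of the bind and the user lookup. On Active Directory the matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) lets the server resolve the whole chain in a single search, which trades the client-side walk for a heavier query on the ___domain controller.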

Problem with preferences from LDAP

Hello all! Need some help :-) I have set up LDAP authentication from OpenLDAP. Authentication works well, but preferences pulling doesn't work :-( Of course, I have all necessary attributes in LDAP and $wgLDAPRetrievePrefs is set to true. I use $wgLDAPProxyAgent, because I need to auth users from several OUs. Maybe the problem is related to ProxyAgent schema use?

-- Sergey Sholokh

Hmmm... It doesn't look like using a proxyagent would cause this problem as the plugin pulls preferences after it binds as the user. After the plugin binds as the user, it pulls the user's entry, and gets the associated preferences. What part of preferences pulling doesn't work? Does it not update the user's preferences? Do you get a php error? In function "authenticate", in the if statement "if ($wgLDAPRetrievePrefs) {", after the information is pulled, try echoing out some of the values. Does it echo anything when you log in? Try a "print_r($info)", is the plugin accessing the array correctly? I'll need to make sure this is still working with the newest version of the wiki, but looking at the code, I couldn't see why it wouldn't be working.
-- Ryan Lane
Update. I tested this using a proxy search, and it is working for me.
-- Ryan Lane