
Wikimedia – Active Directory Group membership

July 12th, 2012

WikiMedia Active Directory Group membership as a log in permission requirement

After setting up wikimedia with LDAP support, one of the requested tasks was to have access control over who is allowed to do what in the system.

Exploring the web brought me to the available option of requiring a user who attempts to log in to be a member of an Active Directory security group, which in my case I created just for the wiki users.

There are two (and more) options, but I found these two handy:

1. Require members to be part of an Active Directory security group in order to be able to log in.

2. Members who are part of a specific group, let's say "Wiki Prohibited Users", cannot log in at all.

I picked the first one, as I wanted a central location and view of who I'm allowing to see my organisation's wikimedia content.

Navigate to your wiki directory, edit your LocalSettings.php file and add the required settings:

$wgLDAPGroupUseFullDN = array( "yourdomain" => true );
$wgLDAPBaseDNs = array( "yourdomain" => "dc=your,dc=domain,dc=com" );
$wgLDAPSearchAttributes = array( "yourdomain" => "sAMAccountName" );
$wgLDAPUseLDAPGroups = array( "yourdomain" => true );
$wgLDAPGroupObjectclass = array( "yourdomain" => "group" );
$wgLDAPGroupAttribute = array( "yourdomain" => "member" );
$wgLDAPGroupNameAttribute = array( "yourdomain" => "cn" );
$wgLDAPRequiredGroups = array( "yourdomain" => array( "cn=My Domain Wiki Users,ou=yourOU,OU=yourOU,dc=your,dc=your domain,dc=com" ) );
$wgLDAPGroupsUseMemberOf = array( "yourdomain" => true );
$wgGroupPermissions['My Domain Wiki Users']['edit'] = true;
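To make it clear what the settings above actually decide, here is an added example (my own illustration, not code from the post or from the LdapAuthentication extension) of the login decision they express: option 1 as a list of required groups, option 2 as a list of prohibited groups, evaluated against the memberOf attribute that $wgLDAPGroupsUseMemberOf reads. The directory, user names and group DNs are constructed placeholders so the script runs offline, and DNs are compared in a normalised form because Active Directory treats them case-insensitively (the required-group DN in the post mixes "ou=" and "OU=").

```python
"""Added example (not part of the original post): the access decision the
LdapAuthentication settings express, modelled over a constructed in-memory
directory so it runs offline. Group DNs, user names and attributes below are
invented placeholders."""
from typing import Dict, List, Optional, Sequence

# Constructed directory: user DN -> attributes, as an AD search would return them.
# 'memberof' is what $wgLDAPGroupsUseMemberOf reads on the user object.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=Alice,OU=Staff,DC=example,DC=com": {
        "samaccountname": ["alice"],
        "memberof": ["cn=Wiki Users,ou=Groups,dc=example,dc=com"],
    },
    "CN=Bob,OU=Staff,DC=example,DC=com": {
        "samaccountname": ["bob"],
        "memberof": [
            "CN=Wiki Users,OU=Groups,DC=example,DC=com",
            "CN=Wiki Prohibited Users,OU=Groups,DC=example,DC=com",
        ],
    },
    "CN=Carol,OU=Staff,DC=example,DC=com": {
        "samaccountname": ["carol"],
        "memberof": ["CN=Domain Users,CN=Users,DC=example,DC=com"],
    },
}


def normalise_dn(dn: str) -> str:
    """AD matches DNs case-insensitively and ignores whitespace around the
    separators, so compare a canonical form rather than the raw string."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def find_user(sam_account_name: str) -> Optional[Dict[str, List[str]]]:
    """Model of the lookup $wgLDAPSearchAttributes = 'sAMAccountName' performs."""
    for attrs in DIRECTORY.values():
        if sam_account_name.lower() in (v.lower() for v in attrs["samaccountname"]):
            return attrs
    return None


def may_log_in(sam_account_name: str,
               required_groups: Sequence[str],
               excluded_groups: Sequence[str] = ()) -> bool:
    """Option 1 is required_groups (the user must be in at least one of them);
    option 2 is excluded_groups (membership in any of them denies login).
    In this model exclusion wins over inclusion and an unknown user is denied."""
    attrs = find_user(sam_account_name)
    if attrs is None:
        return False
    groups = {normalise_dn(g) for g in attrs.get("memberof", [])}
    if any(normalise_dn(g) in groups for g in excluded_groups):
        return False
    if required_groups and not any(normalise_dn(g) in groups for g in required_groups):
        return False
    return True


# Constructed equivalents of $wgLDAPRequiredGroups and a "prohibited" group.
REQUIRED = ["cn=Wiki Users,ou=Groups,dc=example,dc=com"]
PROHIBITED = ["cn=Wiki Prohibited Users,ou=Groups,dc=example,dc=com"]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "mallory"):
        verdict = "allowed" if may_log_in(user, REQUIRED, PROHIBITED) else "denied"
        print(f"{user}: {verdict}")
```

Running it shows alice allowed, bob denied (prohibited group wins even though he is also in the required group), carol denied (not in the required group) and mallory denied (not found at all). The same normalisation is worth applying when you compare the DN you typed into $wgLDAPRequiredGroups with what the directory actually returns.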

Restart the httpd daemon so it re-reads the modified settings:

/etc/init.d/httpd restart

Add a test user to the Active Directory security group made for the wiki to check integrity and the ability to log in. At this point it should be working (assuming you already have LDAP authentication working with your domain controller).

* Note: for troubleshooting, check the wiki logs for any errors (if enabled).


Wikimedia – LDAP integrated

July 11th, 2012

Had to set up an internal wikimedia page, and I wanted it to be LDAP based so I wouldn't have to create new users for each and every person.

This is how I got mine done:

Operating System: Red Hat 6 Update 3

Database: SQLite (MySQL/PostgreSQL are optional as well)

WikiMedia Version: 1.19.1

Extracted Directory: /var/www/wiki

Additional Requirements: LdapAuthenticationPlugin, php-ldap package, Domain Controller Certificate

After installing SQLite, Wikimedia and PHP, the wiki must have a stored certificate file from a domain controller in order to be LDAP integrated.

NOTICE: once it is LDAP based you will ONLY be able to log in with Active Directory credentials.

There are 2 methods to obtain a certificate:

  1. Export the certificate from a CA server, copy it to the wiki server via WinSCP, and convert it to .pem.
  2. Query a CA server / DC server for the certificate, and copy the output to a file.

Method 1:

To convert an exported certificate, type:

openssl x509 -inform der -in certificatefile.cer -out certificatefile.pem

  1. Store the converted file at /etc/pki/tls/certs.
  2. Edit /etc/openldap/ldap.conf and change the TLS_CACERT & TLS_CACERTFILE entries to the converted file name.

Method 2:

Querying a server for its certificate:

  1. openssl s_client -connect my.domain.com:636
  2. Copy everything between and including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- to a filename.cer and place it at /etc/pki/tls/certs.
  3. Edit /etc/openldap/ldap.conf and change the TLS_CACERT & TLS_CACERTFILE entries.
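Step 2 of Method 2 is a manual copy and paste, and a block that lost a line or picked up a stray character only shows up later as a failed LDAP bind. As an added example (my own, not from the post), here is a small script that does that step and checks the result before the file goes under /etc/pki/tls/certs. The s_client transcript embedded in it is constructed, and its certificate body is a placeholder rather than a real certificate; the host name is invented.

```python
"""Added example (not part of the original post): pull the server certificate
out of `openssl s_client -connect host:636` output, as step 2 of Method 2 does
by hand, and sanity-check it before it is stored as the CA file.
The transcript below is constructed; its certificate body is a placeholder."""
import base64
import binascii
import re
from typing import List

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed sample of what s_client prints (noise before and after the block).
SAMPLE_S_CLIENT_OUTPUT = """CONNECTED(00000003)
depth=0 CN = dcserver.example.com
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=dcserver.example.com
   i:/CN=Example Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBAQIDAQABMA0GCSqGSIb3DQEBCwUAMA8xDTALBgNVBAMMBHRlc3Qw
HhcNMjQwMTAxMDAwMDAwWhcNMjUwMTAxMDAwMDAwWjAPMQ0wCwYDVQQD
DAR0ZXN0
-----END CERTIFICATE-----
subject=/CN=dcserver.example.com
issuer=/CN=Example Root CA
---
No client certificate CA names sent
"""


def extract_pem_blocks(text: str) -> List[str]:
    """Return every complete certificate block, markers included, exactly as
    the instructions say to copy: from BEGIN through END and nothing else."""
    pattern = re.compile(re.escape(BEGIN) + r"\n(.*?)\n" + re.escape(END), re.S)
    return [BEGIN + "\n" + body + "\n" + END + "\n" for body in pattern.findall(text)]


def pem_body_is_valid_base64(pem: str) -> bool:
    """A copy that lost a line or gained a stray character will not decode;
    catch that here rather than in the LDAP log later."""
    body = "".join(pem.strip().splitlines()[1:-1])
    try:
        base64.b64decode(body, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def save_ca_cert(text: str, path: str) -> str:
    """Write the first certificate in the transcript to `path` (the file named
    by TLS_CACERT in /etc/openldap/ldap.conf) and return the PEM written."""
    blocks = extract_pem_blocks(text)
    if not blocks:
        raise ValueError("no certificate block found in s_client output")
    if not pem_body_is_valid_base64(blocks[0]):
        raise ValueError("certificate body is not valid base64; re-copy the block")
    with open(path, "w", encoding="ascii") as fh:
        fh.write(blocks[0])
    return blocks[0]


if __name__ == "__main__":
    # Usage: openssl s_client -connect my.domain.com:636 < /dev/null | python3 this_script.py
    import sys
    transcript = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_S_CLIENT_OUTPUT
    print(save_ca_cert(transcript, "dc-ca.pem"))
```

Note that s_client prints the certificate the server presented, which for a domain controller is usually its own certificate, not the CA's; the file still works for TLS_CACERT because OpenLDAP will trust whatever is in it, but the clean option is Method 1 with the CA certificate exported from the CA server.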

Enable troubleshooting logs and add LDAP module entries:

  1. mkdir -p /var/log/wiki
  2. touch /var/log/wiki/wiki.log
  3. chown apache:apache /var/log/wiki/wiki.log
  4. chmod 644 /var/log/wiki/wiki.log


Wikimedia and LDAP Authentication

Download LdapAuthenticationPlugin from here and store the files at /var/www/wiki/extensions/LdapAuthentication

Edit the file /var/www/wiki/LocalSettings.php and append the following lines at the end:

require_once( "/var/www/wiki/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "example" );
$wgLDAPServerNames = array( "example" => "DCServer.example.com" );
$wgLDAPSearchStrings = array( "example" => "USER-NAME@EXAMPLE" );
$wgLDAPEncryptionType = array( "example" => "ssl" );
$wgLDAPDebug = 3;
$wgDebugLogGroups["ldap"] = "/var/log/wiki/wiki.log";
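Both this block and the group-membership block in the other post are settings you paste into LocalSettings.php, and the usual way they break is a copy-paste defect rather than an LDAP problem: typographic quotes picked up from a web page, an unclosed quote, a misspelled setting name, or a domain key that was never declared in $wgLDAPDomainNames. As an added example (my own, not part of either post and not code from the extension), here is a lint pass that catches those before you restart httpd. The sample configuration it checks is constructed with those mistakes deliberately in it; the list of known settings is the one used on this page plus $wgLDAPExcludedGroups, the extension's name for the "prohibited group" option.

```python
"""Added example (not part of either post): a lint pass over the $wgLDAP...
lines appended to LocalSettings.php. The sample block is constructed."""
import difflib
import re
from typing import List, Set, Tuple

# Setting names used on this page, plus $wgLDAPExcludedGroups (the extension's
# "prohibited group" option). Extend as needed for settings you actually use.
KNOWN_SETTINGS = {
    "wgLDAPDomainNames", "wgLDAPServerNames", "wgLDAPSearchStrings",
    "wgLDAPEncryptionType", "wgLDAPDebug", "wgLDAPGroupUseFullDN",
    "wgLDAPBaseDNs", "wgLDAPSearchAttributes", "wgLDAPUseLDAPGroups",
    "wgLDAPGroupObjectclass", "wgLDAPGroupAttribute",
    "wgLDAPGroupNameAttribute", "wgLDAPRequiredGroups",
    "wgLDAPExcludedGroups", "wgLDAPGroupsUseMemberOf",
}
SMART_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}

SETTING_RE = re.compile(r"^\s*\$(wg\w+)\s*(\[[^\]]*\])?\s*=")
DOMAIN_KEY_RE = re.compile(r"""['"]([^'"]+)['"]\s*=>""")
QUOTED_RE = re.compile(r"""['"]([^'"]*)['"]""")


def lint_ldap_settings(php: str) -> List[str]:
    """Return human-readable findings, each prefixed with its 1-based line number."""
    findings: List[str] = []
    declared_domains: Set[str] = set()
    used_domains: List[Tuple[int, str]] = []
    debug_level = 0
    has_log_group = False

    for lineno, raw in enumerate(php.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("//", "#", "<?php")):
            continue
        bad = sorted({c for c in line if c in SMART_QUOTES})
        if bad:
            findings.append(f"line {lineno}: typographic quote(s) {''.join(bad)} - PHP will not parse these")
            line = "".join(SMART_QUOTES.get(c, c) for c in line)
        # Simple parity check; an apostrophe inside a double-quoted value would
        # trip it, which is rare in these settings.
        if line.count("'") % 2 or line.count('"') % 2:
            findings.append(f"line {lineno}: unbalanced quotes")
            continue
        m = SETTING_RE.match(line)
        if not m:
            continue
        name, subscript = m.group(1), m.group(2)
        if name.startswith("wgLDAP") and name not in KNOWN_SETTINGS:
            hint = difflib.get_close_matches(name, KNOWN_SETTINGS, n=1, cutoff=0.8)
            suggestion = f" (did you mean ${hint[0]}?)" if hint else ""
            findings.append(f"line {lineno}: unknown setting ${name}{suggestion}")
            continue
        if name == "wgLDAPDomainNames":
            declared_domains.update(QUOTED_RE.findall(line.split("=", 1)[1]))
        elif name == "wgLDAPDebug":
            digits = re.search(r"=\s*(\d+)", line)
            debug_level = int(digits.group(1)) if digits else 0
        elif name == "wgDebugLogGroups" and subscript and "ldap" in subscript:
            has_log_group = True
        elif name in KNOWN_SETTINGS:
            used_domains.extend((lineno, d) for d in DOMAIN_KEY_RE.findall(line))

    for lineno, domain in used_domains:
        if domain not in declared_domains:
            findings.append(f"line {lineno}: domain '{domain}' is not listed in $wgLDAPDomainNames")
    if debug_level > 0 and not has_log_group:
        findings.append("$wgLDAPDebug is set but $wgDebugLogGroups['ldap'] is not: debug output has nowhere to go")
    return findings


# Constructed sample with one defect of each kind.
SAMPLE = '''$wgLDAPDomainNames = array( "example" );
$wgLDAPServerNames = array( "example" => "dcserver.example.com" );
$wgLDAPEncryptionType = array( "example" => "ssl" );
$wgLDAPGroupAtrribute = array( "example" => "member" );
$wgLDAPRequiredGroups = array( \u201cexample\u201d => array("cn=Wiki Users,ou=Groups,dc=example,dc=com") );
$wgLDAPBaseDNs = array( 'exmaple' => 'dc=example,dc=com' );
$wgGroupPermissions['Wiki Users]['edit'] = true;
$wgLDAPDebug = 3;
'''

if __name__ == "__main__":
    for finding in lint_ldap_settings(SAMPLE):
        print(finding)
```

Run it against your own file with the LDAP lines pasted into SAMPLE, or feed it the file's contents; an empty result means the block is at least syntactically sane and consistent, and any remaining failure is genuinely on the LDAP side, which is where the wiki.log enabled above comes in. Remember to set $wgLDAPDebug back down once login works, since verbose authentication logs are not something to leave growing on a shared web server.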

Restart the apache daemon to check integrity:

/etc/init.d/httpd restart

Logging in with your Active Directory credentials should be possible by now. If it isn't, troubleshoot with the log we enabled:

tail -f /var/log/wiki/wiki.log

This shows any errors in real time while you try to authenticate with your AD credentials.
