Cool Solution - Setting up MediaWiki with LDAP authentication

From Univention Wiki

Revision as of 13:08, 20 April 2016 by Rehberg (talk | contribs)

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the steps shown in the article are covered by Univention Support. For questions about your support coverage, contact your contact person at Univention before implementing any of the steps shown.

Also regard the legal notes at Terms of Service.


This article describes the installation and setup of MediaWiki 1.26.2 in UCS 4.1.

Prerequisites

Install needed packages:

univention-install php5 php5-ldap mysql-server mysql-client php5-mysql

Download MediaWiki and extract it to the webserver directory:

cd /var/www
wget https://releases.wikimedia.org/mediawiki/1.26/mediawiki-1.26.2.tar.gz
tar -xf mediawiki-1.26.2.tar.gz
mv mediawiki-1.26.2 <MEDIAWIKI FOLDER>

Hint: Change <MEDIAWIKI FOLDER> to a name of your choice

Setting up a database

Create the MySQL database and a corresponding user for MediaWiki. On UCS the MySQL root password is stored in /etc/mysql.secret. Passing it with -p on the command line makes it visible in the process list for the duration of the command, so do this only on a host without untrusted local users, or use a bare -p and enter the password at the prompt:

mysql -uroot -p$(cat /etc/mysql.secret)

create user '<DATABASE USER>'@'localhost' identified by '<DATABASE USER PASSWORD>';

create database <DATABASE NAME>;

grant all on <DATABASE NAME>.* to '<DATABASE USER>'@'localhost';

quit

Installing MediaWiki

Now install MediaWiki itself. Open the following address in your browser, replacing <FQDN or IP> with the FQDN or IP address of your server. The FQDN can be obtained with

hostname -f

<FQDN or IP>/<MEDIAWIKI FOLDER>/mw-config/index.php


Pick the language for the actual wiki and for the installation process, click Continue.


MediaWiki now performs environmental checks. If it finds any issues, they are listed on this page. If everything is fine, the page displays the text The environment has been checked. You can install MediaWiki. In that case click Continue, otherwise address the issues and reload the page.

The next page asks for the database credentials created in the steps above. Provide the database host, database name, table prefix (optional), database user name and password, then click Continue.

Now you have to tell MediaWiki what kind of database shall be created. We recommend applying the default values:

Option Value
Storage engine InnoDB
Database character set Binary

If you want to extract text from the MySQL database later (for example the page content that feeds the search index), choose UTF-8 instead: with the binary character set that data is stored as binary blobs and is not directly usable by other applications. Click Continue.


On the following page give your wiki a name and create an admin user. Fill in all required fields and choose whether the wizard should ask further questions (user permissions, the wiki's license, extensions, the wiki's logo, available skins, file upload configuration) or just install the wiki with the defaults, then click Continue.


If you chose to apply further configuration settings provide the wizard with them now and click Continue. If not continue with the next step.


Start the installation by clicking Continue.


The next page reports what has been done and whether all operations succeeded. Click Continue.

The installation is finished. MediaWiki now prompts you to download LocalSettings.php. Download the file immediately: it is generated only once and is gone as soon as the installation is completed. Copy LocalSettings.php to MediaWiki's directory, /var/www/<MEDIAWIKI FOLDER> in this article. The file contains the database password, so restrict it to root and the webserver user (chown root:www-data, chmod 640).

After having copied the file, click on enter your wiki.

You can also restart the whole installation by clicking on the link Restart installation on the right.

Setting up LDAP authentication

The most recent version of the LDAP authentication plugin can be found in the MediaWiki wiki.

You can download snapshots of the extension for various versions including 1.26 here.

Extract the archive to MediaWiki's folder:

tar -xzf LdapAuthentication-REL1_26-70ab129.tar.gz -C /var/www/<MEDIAWIKI FOLDER>/extensions

Hint: Change <MEDIAWIKI FOLDER> to the folder you installed MediaWiki in.

To set up the plugin as authentication provider, append a basic configuration to LocalSettings.php. This configuration connects to the LDAP master on port 389 and upgrades the connection with StartTLS (encryption type tls). The alternative setting ssl uses ldaps:// on port 636 instead and is shown further below; do not use clear, which would send the bind passwords unencrypted. The StartTLS handshake only succeeds if the LDAP client library on the host trusts the certificate of the LDAP master; on a UCS system /etc/ldap/ldap.conf is set up by the domain join and its TLS_CACERT entry points to the UCS CA certificate.

Hint: Replace <BIND USER DN> and <BIND USER PASSWORD> in the following code section with the credentials MediaWiki should bind to LDAP with. Use a dedicated, unprivileged account for this (read access to the user and group containers is all the plugin needs). The password is stored in clear text in LocalSettings.php, which is one more reason why that file must not be world-readable.

echo "require_once \"\$IP/extensions/LdapAuthentication/LdapAuthentication.php\";
\$wgAuth = new LdapAuthenticationPlugin();

\$wgLDAPDomainNames = array(
  '$(dnsdomainname)'
);
\$wgLDAPServerNames = array(
  '$(dnsdomainname)' => '$(ucr get ldap/master)'
);
# Only allow LDAP users
\$wgLDAPUseLocal = false;

\$wgLDAPEncryptionType = array(
  \"$(dnsdomainname)\"=>\"tls\"
);
# User to bind as
\$wgLDAPProxyAgent =  array(
  '$(dnsdomainname)' => '<BIND USER DN>'
);
\$wgLDAPProxyAgentPassword = array(
  '$(dnsdomainname)' => '<BIND USER PASSWORD>'
);

\$wgLDAPBaseDNs = array(
  '$(dnsdomainname)' => '$(ucr get ldap/base)'
);
\$wgLDAPUserBaseDNs= array(
  '$(dnsdomainname)' => 'cn=users,$(ucr get ldap/base)'
);
# groups live under cn=groups in UCS, not under cn=users
\$wgLDAPGroupBaseDNs= array(
  '$(dnsdomainname)' => 'cn=groups,$(ucr get ldap/base)'
);

\$wgLDAPSearchAttributes = array(
  '$(dnsdomainname)' => 'uid'
);

\$wgLDAPGroupObjectclass = array(
  \"$(dnsdomainname)\"=>\"univentionGroup\"
);
# attribute defining a group
\$wgLDAPGroupNameAttribute = array(
  \"$(dnsdomainname)\" => \"cn\"
);

\$wgLDAPGroupAttribute = array(
  \"$(dnsdomainname)\" => \"uniqueMember\"
);

\$wgLDAPGroupUseFullDN = array(
  \"$(dnsdomainname)\" => true
);

\$wgLDAPLowerCaseUsername = array(
  \"$(dnsdomainname)\" => true
);

\$wgLDAPGroupsUseMemberOf = array(
  \"$(dnsdomainname)\" => false
);" >> /var/www/<MEDIAWIKI FOLDER>/LocalSettings.php

Hint: Change <MEDIAWIKI FOLDER> to the folder you installed MediaWiki in

Run the following command once to create the database table the extension needs, before testing the login:

php /var/www/<MEDIAWIKI FOLDER>/maintenance/update.php

Further LDAP settings

If you want MediaWiki to deny access to users who are not members of one or more specific groups, execute the following command and replace <GROUP DN> with the full DN of the desired group (for a UCS group this is cn=<group name>,cn=groups,<LDAP base>):

echo "\$wgLDAPRequiredGroups = array(
  \"$(dnsdomainname)\"=>array(
    \"<GROUP DN>\"
  )
);" >> /var/www/<MEDIAWIKI FOLDER>/LocalSettings.php
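The following pre-flight check is an added example for this article; it is neither part of the Univention page nor of the LdapAuthentication extension. It runs, from the UCS shell, the same bind and the same two searches (user by uid under cn=users, groups of type univentionGroup whose uniqueMember holds the user's full DN under cn=groups) that the configuration above and the required-groups setting make the plugin perform, so a wrong bind DN, a missing CA trust or a user outside the expected container shows up before the first login attempt. It also refuses to continue if LocalSettings.php is readable by other local users. The file name ldap-preflight.sh, the BIND_DN environment variable and the password file path are assumptions for the usage example; the script reads the bind password from a file so it never appears in the process list or the shell history.

```shell
#!/bin/bash
# Added example for the Univention MediaWiki article, not code from the page
# or from the LdapAuthentication extension. Assumptions are marked inline.

# Escape a value for use inside an LDAP search filter (RFC 4515), so that a
# user name such as "a*b(c)" cannot change the meaning of the filter.
ldap_escape_filter() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The user lookup the plugin performs with $wgLDAPSearchAttributes = 'uid'.
user_filter() {
    printf '(uid=%s)' "$(ldap_escape_filter "$1")"
}

# The group lookup implied by $wgLDAPGroupObjectclass = univentionGroup,
# $wgLDAPGroupAttribute = uniqueMember and $wgLDAPGroupUseFullDN = true:
# all groups whose uniqueMember attribute contains the user's full DN.
group_filter() {
    printf '(&(objectClass=univentionGroup)(uniqueMember=%s))' "$(ldap_escape_filter "$1")"
}

# Refuse a LocalSettings.php that other local users can read: it holds the
# database password and the LDAP proxy agent password in clear text.
localsettings_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        400|440|600|640) return 0 ;;
        *) echo "insecure mode $mode on $1" >&2; return 1 ;;
    esac
}

# Bind and search the way the plugin does: StartTLS on port 389 (-ZZ fails
# hard if the TLS upgrade is refused), simple bind as the proxy agent, password
# taken from a file (-y). Arguments: LDAP host, base DN, bind DN, password
# file, uid to look up. Prints the user's DN and the DNs of its groups.
ldap_probe() {
    host=$1 base=$2 binddn=$3 passfile=$4 uid=$5
    userdn=$(ldapsearch -LLL -o ldif-wrap=no -ZZ -x -H "ldap://$host" -D "$binddn" -y "$passfile" \
        -b "cn=users,$base" "$(user_filter "$uid")" dn | sed -n 's/^dn: //p')
    [ -n "$userdn" ] || { echo "no user with uid=$uid under cn=users,$base" >&2; return 1; }
    echo "user DN: $userdn"
    echo "groups:"
    ldapsearch -LLL -o ldif-wrap=no -ZZ -x -H "ldap://$host" -D "$binddn" -y "$passfile" \
        -b "cn=groups,$base" "$(group_filter "$userdn")" dn | sed -n 's/^dn: //p'
}

# Stand-alone use on the UCS host (assumed file name and variable):
#   BIND_DN='<BIND USER DN>' bash ldap-preflight.sh probe jdoe /root/mw-bind.pw \
#       /var/www/<MEDIAWIKI FOLDER>/LocalSettings.php
# ldap/master and ldap/base come from UCR, exactly as in the echo command above.
if [ "${1:-}" = probe ]; then
    localsettings_mode_ok "$4" || exit 1
    ldap_probe "$(ucr get ldap/master)" "$(ucr get ldap/base)" "${BIND_DN:?set BIND_DN}" "$3" "$2"
fi
```

If the probe lists the user but none of its groups, check that the group DN you put into $wgLDAPRequiredGroups really lies under cn=groups and that the account is a uniqueMember of it; if the first ldapsearch already fails with a TLS error, fix the CA trust in /etc/ldap/ldap.conf before touching the MediaWiki configuration.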

If you prefer LDAP over SSL (ldaps:// on port 636) to StartTLS on port 389, edit LocalSettings.php. Open the file:

vim /var/www/<MEDIAWIKI FOLDER>/LocalSettings.php

Search for the LDAPEncryptionType variable:

/LDAPEncryption 
<Enter>

Vim should find this section:

$wgLDAPEncryptionType = array(
  "<your domain name>"=> "tls"
);

Change tls to ssl; both settings encrypt the connection, only the port and the way the TLS session is established differ:

$wgLDAPEncryptionType = array(
  "<your domain name>"=> "ssl"
);

To enable MediaWiki and LDAP debug logging to /var/log/mediawiki/mw-debug.log, first create the directory and the log file with restrictive permissions (the log will contain user names and DNs from the LDAP traffic):

mkdir /var/log/mediawiki/
touch /var/log/mediawiki/mw-debug.log
chown www-data:www-data /var/log/mediawiki/*
chmod -R 640 /var/log/mediawiki/*

Then append the logging settings to LocalSettings.php:

echo "\$wgDebugLogFile = \"/var/log/mediawiki/mw-debug.log\";

\$wgLDAPDebug = 4;
\$wgDebugLogGroups = array(
  'ldap' => '/var/log/mediawiki/mw-debug.log',
);" >> /var/www/<MEDIAWIKI FOLDER>/LocalSettings.php

Hint: $wgLDAPDebug sets the log level of the LDAP extension. 4 is rather verbose but a good choice while setting up the connection. Lower the value or remove the logging lines again once the login works: the debug log grows quickly and exposes details about your directory.

Add MediaWiki to web services

ucr set \
ucs/web/overview/entries/service/mediawiki/description="MediaWiki" \
ucs/web/overview/entries/service/mediawiki/icon="/<MEDIAWIKI FOLDER>/resources/assets/mediawiki.png" \
ucs/web/overview/entries/service/mediawiki/label/de="MediaWiki" \
ucs/web/overview/entries/service/mediawiki/label="MediaWiki" \
ucs/web/overview/entries/service/mediawiki/link="/<MEDIAWIKI FOLDER>"