Sunday, September 9, 2007

MediaWiki+Ldap

Recently I started implementing a wiki for my company, specifically for the HR department. They expressed the need for a system that would let them edit pages seamlessly, upload PDFs containing sensitive information that is visible only to certain groups, run on an internal server, and authenticate against MS Active Directory.

I installed the latest MediaWiki release and selected Paul Gu's MediaWiki skin, which is a rewrite of the default Monobook skin. Thanks Paul.

Next I installed the LDAP Authentication extension for MediaWiki. It was a bit of a pain to configure the first time, but it came together after reading the extension's wiki a few times and trying out different settings; the debugging option also helps in pinning down the problem.

All the settings go in LocalSettings.php, which makes them convenient to edit.

#Beginning of LDAP settings======================================
require_once( "includes/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "exampleDomain" );
$wgLDAPServerNames = array( "exampleDomain"=>"IPofADserver" );
$wgLDAPSearchStrings = array("exampleDomain"=>"exampleDomain\\USER-NAME" );
#Anything other than "ssl" or "tls" here means the bind sends the user's password to the DC in clear text
$wgLDAPEncryptionType = array( "exampleDomain"=>"false" );
#$wgLDAPUseLocal = true; //allow use of local user DB
#$wgMinimalPasswordLength = 1; //only matters for local (non-LDAP) accounts
$wgLDAPRetrievePrefs = array( "exampleDomain"=>"true" );
#$wgLDAPUpdateLDAP = array( "exampleDomain"=>"false" ); //stop MediaWiki from writing changes back to LDAP
#$wgLDAPAddLDAPUsers = array("exampleDomain"=>"false"); //stop MediaWiki from creating users in LDAP

$wgLDAPDebug=3; //verbose; turn this down once logins work

#DNs in $wgLDAPRequiredGroups must be lowercase, as search result attribute values are...
$wgLDAPBaseDNs = array( "exampleDomain"=>"dc=otn,dc=local" );
$wgLDAPSearchAttributes = array( "exampleDomain"=>"sAMAccountName" );

#Allow two groups to log in: tech team and HR
#The key must be the same domain name used in $wgLDAPDomainNames, otherwise the group check is never applied
$wgLDAPRequiredGroups = array(
"exampleDomain"=>array("cn=technical_team,ou=global security groups,ou=otn,dc=otn,dc=local",
"cn=hr_team,ou=global security groups,ou=otn,dc=otn,dc=local"
) );

$wgLDAPGroupUseFullDN = array( "exampleDomain"=>true );
$wgLDAPGroupObjectclass = array( "exampleDomain"=>"group" );
$wgLDAPGroupAttribute = array( "exampleDomain"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "exampleDomain"=>true );
//Pull LDAP groups a user is in, and update local wiki security group.
$wgLDAPUseLDAPGroups = array( "exampleDomain"=>"true");
$wgLDAPGroupNameAttribute = array( "exampleDomain"=>"cn" );

$wgShowExceptionDetails = true;

After that, grant specific access to certain groups:

#Restrict access to non logged in users========================
#Restrict edit to logged in users
$wgGroupPermissions['*']['edit']=false;

$wgGroupPermissions['user']['read'] = false;
$wgGroupPermissions['user']['edit'] = false;
$wgGroupPermissions['user']['createpage'] = false;
$wgGroupPermissions['user']['createtalk'] = false;
$wgGroupPermissions['user']['upload'] = false;
$wgGroupPermissions['user']['userrights'] = false;

$wgGroupPermissions['technical_team']['read'] = true;
$wgGroupPermissions['technical_team']['edit'] = true;
$wgGroupPermissions['technical_team']['createpage'] = true;
$wgGroupPermissions['technical_team']['createtalk'] = true;
$wgGroupPermissions['technical_team']['upload'] = true;
$wgGroupPermissions['technical_team']['userrights'] = true;

$wgGroupPermissions['hr_team']['read'] = true;
$wgGroupPermissions['hr_team']['edit'] = true;
$wgGroupPermissions['hr_team']['createpage'] = true;
$wgGroupPermissions['hr_team']['createtalk'] = true;
$wgGroupPermissions['hr_team']['upload'] = true;

#Prevent new registrations from anonymous users (Sysops can still create accounts)
$wgGroupPermissions['*']['createaccount'] = false;

#Define the pages unauthenticated users can see. This is crucial. Otherwise, there's
#no way for people to log in
$wgWhitelistRead = array( "Main Page", "Special:Userlogout", "Special:Userlogin", "-", "MediaWiki:Monobook.css" );
$wgGroupPermissions['*']['read']= false;
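
To sanity-check the matrix above before rolling it out, here is an added example (not code from the original post or from MediaWiki itself) that models how MediaWiki combines $wgGroupPermissions across a user's groups. The group names and whitelist are the ones from the config above; the rule it assumes (a right granted by any group wins, a false entry never revokes it) is stated in the code as an assumption.

```php
<?php
// Added example, not code from the original post: a small stand-alone model of
// how MediaWiki combines $wgGroupPermissions, used to check the matrix above
// before deploying it. Assumption: a right is granted if ANY of the user's
// groups sets it to true; a false entry does not revoke it (this matches
// how MediaWiki evaluates group rights, but it is a model, not the core code).

$wgGroupPermissions = [
    '*'              => ['read' => false, 'edit' => false, 'createaccount' => false],
    'user'           => ['read' => false, 'edit' => false, 'upload' => false, 'userrights' => false],
    'technical_team' => ['read' => true, 'edit' => true, 'upload' => true, 'userrights' => true],
    'hr_team'        => ['read' => true, 'edit' => true, 'upload' => true],
];
$wgWhitelistRead = ['Main Page', 'Special:Userlogout', 'Special:Userlogin', '-', 'MediaWiki:Monobook.css'];

/** Union of every right that any of the user's groups grants. */
function effectiveRights(array $perms, array $groups): array {
    $rights = [];
    foreach ($groups as $g) {
        foreach ($perms[$g] ?? [] as $right => $granted) {
            if ($granted) { $rights[$right] = true; }
        }
    }
    return array_keys($rights);
}

/** A page is readable with the 'read' right, or when it is on the whitelist. */
function canRead(array $perms, array $whitelist, array $groups, string $title): bool {
    return in_array('read', effectiveRights($perms, $groups), true)
        || in_array($title, $whitelist, true);
}

function expect(bool $ok, string $what): void {
    echo ($ok ? 'PASS ' : 'FAIL ') . $what . PHP_EOL;
}

// Anonymous visitors are only in '*'; an LDAP user is in '*', 'user' and the
// wiki groups the extension creates from the AD group cn values.
$anon = ['*'];
$hr   = ['*', 'user', 'hr_team'];
$tech = ['*', 'user', 'technical_team'];
$typo = ['*', 'user', 'HR_Team'];   // cn spelling/case that matches no key

expect(canRead($wgGroupPermissions, $wgWhitelistRead, $anon, 'Special:Userlogin'), 'anon can reach login page');
expect(!canRead($wgGroupPermissions, $wgWhitelistRead, $anon, 'Salary bands'), 'anon cannot read HR page');
expect(!in_array('userrights', effectiveRights($wgGroupPermissions, $hr), true), 'hr_team cannot change rights');
expect(in_array('userrights', effectiveRights($wgGroupPermissions, $tech), true), 'technical_team can change rights');
expect(!canRead($wgGroupPermissions, $wgWhitelistRead, $typo, 'Salary bands'), 'unmapped AD group gets no read');
```

The last check is the one worth keeping: a user whose AD group name does not match a $wgGroupPermissions key falls back to the 'user' rights, which this config sets to false, so a mapping mistake fails closed rather than open.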


Many companies are running their intranet on wiki technology, and it gives non-technical people a short learning curve for creating and editing pages.
For the new group of BSD students taking DPS909: you will learn a lot about wikis, and it's a valuable resource to have.