About me
E-Mail: <andre DOT somplatzki AT westermann DOT de>
MoinMoin on Windows 2003 (IIS6) with NTLM / Active Directory
install the ldap package for Python from http://python-ldap.sourceforge.net/download.shtml (Windows builds: http://www.agescibs.org/mauro/)
Edit the properties of your virtual directory: Directory Security -> Authentication and access control -> uncheck all options except "Integrated Windows authentication"
edit your MoinMoin config (wikiconfig.py):
# Authentication ----------------------------------------------------
auth = [auth.http, auth.ldap_login, auth.moin_cookie]

import ldap
ldap_uri = 'ldap://your_active_directory_server.example.de' # ldap / active directory server URI

# we can either use some fixed user and password for binding to LDAP
ldap_binddn = 'your_active_directory_query_user@example.de'
ldap_bindpw = 'secret'

# or we can use the username and password we got from the user:
#ldap_binddn = '%(username)s@example.de' # DN we use for first bind
#ldap_bindpw = '%(password)s' # password we use for first bind

ldap_base = 'ou=Users,DC=example,DC=de' # base DN we use for searching
ldap_scope = ldap.SCOPE_SUBTREE # scope of the search we do
ldap_name_attribute = 'sAMAccountName' # ldap attribute we get the user name from
ldap_email_attribute = 'mail' # ldap attribute we get the email address from
ldap_coding = 'utf-8' # coding used for ldap queries and result values
ldap_timeout = 10 # how long we wait for the ldap server [s]
ldap_verbose = False # if True, put lots of LDAP debug info into the log

ldap_given_attribute = 'givenName'
ldap_surname_attribute = 'sn'

cookie_lifetime = 1 # 1 hour after last access ldap login is required again

ldap_http_autologin = True # get username from user_obj; no password required

user_autocreate = True
Patch auth.py in yourwiki_installation\Lib\site-packages\MoinMoin\. Add these lines after "verbose = cfg.ldap_verbose" in the function "ldap_login(request, **kw)":
Modify the code of the second LDAP query (add one line and indent the following three):
try:
    if not cfg.ldap_http_autologin or password is not None: # we don't know password on autologin
        if verbose: request.log("LDAP: DN found is %s, trying to bind with pw" % dn)
        l.simple_bind_s(dn, password.encode(coding))
        if verbose: request.log("LDAP: Bound with dn %s (username: %s)" % (dn, username))

    email = ldap_dict.get(cfg.ldap_email_attribute, [''])[0]
Now authentication is done by
- getting the username from ENV['REMOTE_USER'] (set by IIS after NTLM authentication) and auto-creating the user if it does not exist yet
- getting additional data like first name and email address from Active Directory (on login/logout)
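To make the effect of the one added line visible, here is an added example (not code from the page or from MoinMoin) that models the patched ldap_login() flow against a fake in-memory directory: with autologin on and no password, only the query account binds and the user's identity rests on what IIS put into REMOTE_USER; otherwise the user's own password is verified by a second bind. FakeLdap, CFG and the sample users are constructed assumptions.

```python
# Added example, not MoinMoin's code: models the patched ldap_login() flow
# against a fake directory. FakeLdap, CFG and the users are constructed.
class FakeLdap:
    """Stand-in for a python-ldap connection; records every bind it sees."""
    def __init__(self, directory, passwords):
        self.directory = directory    # dn -> {attribute: [values]}
        self.passwords = passwords    # dn -> password
        self.binds = []               # DNs bound so far, in order
    def simple_bind_s(self, dn, password):
        self.binds.append(dn)
        if self.passwords.get(dn) != password:
            raise PermissionError("invalid credentials for %s" % dn)
    def search_s(self, name_attr, username):
        return [(dn, a) for dn, a in self.directory.items()
                if a.get(name_attr) == [username]]

CFG = {"ldap_http_autologin": True, "ldap_bindpw": "secret",
       "ldap_binddn": "cn=query,ou=Users,dc=example,dc=de",
       "ldap_name_attribute": "sAMAccountName", "ldap_email_attribute": "mail",
       "ldap_given_attribute": "givenName", "ldap_surname_attribute": "sn"}
DIRECTORY = {
    "cn=query,ou=Users,dc=example,dc=de": {"sAMAccountName": ["query"]},
    "cn=Jane Doe,ou=Users,dc=example,dc=de": {"sAMAccountName": ["jdoe"],
        "mail": ["jdoe@example.de"], "givenName": ["Jane"], "sn": ["Doe"]},
}
PASSWORDS = {"cn=query,ou=Users,dc=example,dc=de": "secret",
             "cn=Jane Doe,ou=Users,dc=example,dc=de": "hunter2"}

def ldap_login(cfg, conn, remote_user=None, username=None, password=None):
    """Return (username, email, givenName, sn) or None, like the patched hook."""
    if cfg["ldap_http_autologin"] and remote_user:
        username = remote_user            # REMOTE_USER set by IIS (NTLM)
    if not username:
        return None
    try:
        conn.simple_bind_s(cfg["ldap_binddn"], cfg["ldap_bindpw"])  # first bind
        hits = conn.search_s(cfg["ldap_name_attribute"], username)
        if len(hits) != 1:
            return None
        dn, attrs = hits[0]
        # the line added on this page: with autologin and no password there is
        # no bind as the user; otherwise the user's password is verified
        if not cfg["ldap_http_autologin"] or password is not None:
            conn.simple_bind_s(dn, password)
    except PermissionError:
        return None
    first = lambda key: attrs.get(cfg[key], [""])[0]
    return (username, first("ldap_email_attribute"),
            first("ldap_given_attribute"), first("ldap_surname_attribute"))
```

The recorded binds show the trust boundary: on the autologin path the only credential checked is the query account's, so the IIS setting that rejects anonymous requests is what actually authenticates the user.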
To improve
- query AD on the first request (it is currently only done on logout) and use the cookie to remember the result; of course you can delete the lines, but then an LDAP query runs on every page request!
- authenticate by NTLM username but use FirstnameSurname as the MoinMoin username
Hints
- If you run AD on Windows Server 2003 and you have to query the AD from the root DN (e.g. ldap_base = "DC=example,DC=de"), add the following line in auth.py in ldap_login after the first "try":
ldap.set_option(ldap.OPT_REFERRALS, 0)
- To see debug information from ldap_login on IIS, set ldap_verbose = True (in wikiconfig.py) and add this line to auth.py in ldap_login:
print "Content-Type: text/html;charset=utf-8\n"
Please post your improvements or comments on this page or send me an email!
Comments
LDAP on Moin 1.6.3, W2K3/IIS6
Hello Andre, I could not manage to get your solution running on Moin 1.6.3, W2K3/IIS6. When I edit my wikiconfig.py like
from MoinMoin.auth.ldap_login import ldap_login
from MoinMoin.auth import moin_login, moin_session
from MoinMoin.auth import http
auth = [http, ldap_login, moin_session]
I get the following error:
Traceback (most recent call last):
  File "D:\FileServer\IT\wiki\cytowiki\moin.cgi", line 48, in
    run(Config)
  File "c:\programme\python25\lib\site-packages\MoinMoin\server\server_cgi.py", line 59, in run
    request = request_cgi.Request(properties=config.properties)
  File "c:\programme\python25\lib\site-packages\MoinMoin\request\request_cgi.py", line 29, in __init__
    self.fail(err)
  File "c:\programme\python25\lib\site-packages\MoinMoin\request\__init__.py", line 1419, in fail
    failure.handle(self, err)
  File "c:\programme\python25\lib\site-packages\MoinMoin\failure.py", line 153, in handle
    raise err
TypeError: 'module' object is not callable
Could you tell me what I did wrong? -- Cheers, Reinhard.
Use this:
from MoinMoin.auth.http import http
I edited as described, now I get
CGI-Fehler Die angegebene CGI-Anwendung hat keinen vollständigen Satz von HTTP-Headern zurückgegeben.
Meaning like: CGI error: The CGI application did not return a complete set of HTTP headers.
Update: I disabled LDAP logging (ldap_verbose = False), and ... the CGI error is gone -- but authentication is not working and, of course, harder to track. Any idea why logging produces the CGI error? -- Thanks in advance!
I guess it writes to stderr (or even stdout?) and your web server dislikes that. Maybe try logging to a log file. 1.7 will have much better logging configurability, btw.
Update: Obviously the problem was in the LDAP config; somehow I managed to succeed. Nevertheless, logging still raises the CGI error. Please drop a line if you see a way to track the problem -- Cheers, Reinhard.