Difference between revisions of "MediaWiki/Auth"

m (adds explicit NOTOC since it's being generated despite HeaderTabs config in LocalSettings and default value (subpage problem?))
(basic config info for LDAP extension)
__NOTOC__
 
Starting with MediaWiki 1.27, there are new authentication and session management frameworks in core.<ref>https://lists.wikimedia.org/pipermail/wikitech-l/2016-May/085725.html</ref><ref>[[mw:Manual:SessionManager and AuthManager]]</ref>
 
= New School =
 
If you're running at least [[MediaWiki]] 1.27<ref name="wikireport">Check your version, and more, for free at https://freephile.org/wikireport</ref>, you can take advantage of Cindy Cicalese's [[mw:Extension:PluggableAuth|Extension:PluggableAuth]] and [[mw:Extension:OpenID_Connect|Extension:OpenID_Connect]]. Using these extensions, you can let people log in to your wiki with their Google account, or with other '''Single Sign-On''' setups.
 
= Old School =
 
If you're running an older version<ref name="wikireport"></ref> of [[MediaWiki]] (<1.27), you probably can't run the (unmaintained) [[mw:Extension:OpenID]]. As a workaround, you could switch over to LDAP-based auth. Or, just upgrade already!
 
 
 
Google deprecated its support for OpenID 2.0. They now implement "[[wp:OpenID Connect|OpenID Connect]]" (official site: http://openid.net/connect/). Unfortunately, Evan Prodromou's MediaWiki [[mw:Extension:OpenID|Extension:OpenID]] is written for OpenID 2.0, so wikis that used Google as an Identity/Auth provider must now switch to LDAP or other means. Fortunately, there isn't too much work to do if you have an [[LDAP]] server in place.
 
<headertabs/>
 
{{References}}
 
 
[[Category:Wiki]]
 

Revision as of 17:06, 14 May 2015

Google deprecated its support for OpenID 2.0. They now implement "OpenID Connect" (official site: http://openid.net/connect/). Unfortunately, Evan Prodromou's MediaWiki Extension:OpenID is written for OpenID 2.0, so wikis that used Google as an Identity/Auth provider must now switch to LDAP or other means. Fortunately, there isn't too much work to do if you have an LDAP server in place.

In LocalSettings.php

  1. set $wgOpenIDLoginOnly = false; (so we can log in with a wiki account)
     The OpenID extension creates Special:OpenIDLogin as a substitute/replacement for Special:Login. Once we set $wgOpenIDLoginOnly to false, we can access Special:Login again.
  2. Disable or delete the 'include' for the OpenID extension
  3. modify the $wgWhitelistRead list
  4. remove all the options related to the OpenID extension
  5. include the LDAP extension
  6. run update.php
  7. add all the LDAP extension configurations

General

  1. ensure that you have php-ldap (sudo yum -y install php-ldap or sudo apt-get install php-ldap)
  2. test your login and view the log file
  3. promote your LDAP user:
     grundlett@wiki:/var/www/html/wiki/maintenance$ php createAndPromote.php --force --bureaucrat --sysop Grundlett
  4. find and edit the interface messages for login
  5. find and edit the Help: content for login

Note

You can see the list of existing users at Special:ListUsers

Configuration

Here's a sample configuration for an Active Directory LDAP server:

$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array('example');
//$wgLDAPServerNames = array('example' => 'ad.example.net');
$wgLDAPServerNames = array('example' => '192.168.0.67 192.168.0.68');
$wgLDAPEncryptionType          = array( 'example' =>"clear" ); // default: tls. "clear" sends every bind (user and proxy-agent passwords) to the LDAP server unencrypted; keep the tls default outside a test setup
$wgLDAPGroupUseFullDN          = array( 'example'=>true );
$wgLDAPGroupObjectclass        = array( 'example'=>"group" );
$wgLDAPGroupAttribute          = array( 'example'=>"member" );
$wgLDAPGroupSearchNestedGroups = array( 'example'=>true );
$wgLDAPGroupNameAttribute      = array( 'example'=>"cn" );
$wgLDAPBaseDNs = array( 'example'=>"dc=ad,dc=example,dc=net" );
$wgLDAPActiveDirectory         = array( 'example'=>true );
# using AD-style straight binds (DOMAIN\\USER-NAME or USER-NAME@DOMAIN),
# you'll need one more option to make this work correctly:
$wgLDAPSearchAttributes        = array( 'example'=>"sAMAccountName" );
$wgLDAPPreferences = array( 'example' => array( 'email' => 'mail','realname' => 'cn','nickname' => 'samaccountname'));
$wgLDAPProxyAgent =  array( 'example' => "cn=wikiservice,ou=Service,ou=Accounts,dc=ad,dc=example,dc=net");
$wgLDAPProxyAgentPassword = array('example'=> 'SomeLongRandomPassword');
# add in a debug log file
$wgLDAPDebug = 3; // default is 0, highest is 3
$wgDebugLogGroups['ldap'] = '/tmp/wiki-ldap-debug.log';

// This hook is called by the LdapAuthentication plugin. It is a configuration hook. Here we
// are specifying what attribute we want to use for a username in the wiki.
// Note that this hook is NOT called on a straight bind.
// The hook calls the function defined below.
$wgHooks['SetUsernameAttributeFromLDAP'][] = 'SetUsernameAttribute';
// This function allows you to get the username from LDAP however you need to do it.
// This is the username MediaWiki will use.
function SetUsernameAttribute(&$LDAPUsername, $info) {
        $LDAPUsername = $info[0]['samaccountname'][0];
        return true;
}
// Allow the use of the local database as well as the LDAP database.
// Mostly for transitional purposes. Unless you *really* know what you are doing,
// don't use this option. It will likely cause you annoying problems, and
// it will cause me annoying support headaches.
// Warning: Using this option will allow MediaWiki to leak LDAP passwords into
// its local database. It's highly recommended that this setting not be used for
// anything other than transitional purposes.
// Default: false
$wgLDAPUseLocal = false;
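As an added example (not code from this page or from the LdapAuthentication extension), here is a small Python lint that reads a LocalSettings.php fragment and flags the settings the sample above and its own comments warn about: cleartext LDAP, debug logging to /tmp, $wgLDAPUseLocal, and Active Directory straight binds without $wgLDAPSearchAttributes. The config fragment it runs on is constructed from the page's sample; the setting names are the extension's, the finding codes are this example's own.

```python
"""Lint LdapAuthentication settings in a LocalSettings.php fragment.

Added example, not from the original page: flags the weak settings the
page's own comments warn about (cleartext LDAP, debug log, $wgLDAPUseLocal,
AD straight binds without a search attribute).
"""
import re

# Constructed sample: the page's Active Directory config, reduced to the
# lines the lint reads (the 'example' domain key is the page's).
WEAK_CONFIG = r'''
$wgLDAPEncryptionType          = array( 'example' =>"clear" ); // default: tls
$wgLDAPActiveDirectory         = array( 'example'=>true );
$wgLDAPSearchAttributes        = array( 'example'=>"sAMAccountName" );
$wgLDAPDebug = 3; // default is 0, highest is 3
$wgDebugLogGroups['ldap'] = '/tmp/wiki-ldap-debug.log';
$wgLDAPUseLocal = false;
'''

# Same fragment with the two findings it produces fixed (constructed).
HARDENED_CONFIG = (WEAK_CONFIG.replace('"clear"', '"tls"')
                   .replace("$wgLDAPDebug = 3", "$wgLDAPDebug = 0"))

# One assignment per line, as in the page's sample: "$wgName[...] = value;"
ASSIGN_RE = re.compile(r"^\s*(\$wg\w+(?:\[[^\]]*\])?)\s*=\s*(.*?)\s*;", re.M)

def parse_settings(text):
    """Map each $wgXxx assignment to its raw right-hand side (text after ';' ignored)."""
    return {m.group(1): m.group(2) for m in ASSIGN_RE.finditer(text)}

def lint_ldap_settings(text):
    """Return [(code, message)] for the weak settings the page discusses."""
    s = parse_settings(text)
    findings = []
    if re.search(r"""["']clear["']""", s.get("$wgLDAPEncryptionType", "")):
        findings.append(("clear-encryption",
            "binds send user and proxy-agent passwords unencrypted; keep the tls default"))
    if s.get("$wgLDAPDebug", "0") != "0" and "/tmp/" in s.get("$wgDebugLogGroups['ldap']", ""):
        findings.append(("debug-log",
            "LDAP debug logging is on and writes to the shared /tmp directory; enable only while troubleshooting"))
    if s.get("$wgLDAPUseLocal", "false").lower() == "true":
        findings.append(("use-local",
            "$wgLDAPUseLocal lets MediaWiki store LDAP passwords in its local database"))
    if "true" in s.get("$wgLDAPActiveDirectory", "") and "$wgLDAPSearchAttributes" not in s:
        findings.append(("ad-search-attr",
            "Active Directory straight binds need $wgLDAPSearchAttributes (e.g. sAMAccountName)"))
    return findings

if __name__ == "__main__":
    for code, msg in lint_ldap_settings(WEAK_CONFIG):
        print(f"{code}: {msg}")
```

Running it against the page's sample reports the cleartext encryption and the /tmp debug log; the hardened variant reports nothing.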