Difference between revisions of "MediaWiki/Auth"
Latest revision as of 15:30, 1 December 2016
Starting with MediaWiki 1.27, there are new authentication and session management frameworks in core.[1][2]
New School
If you're running at least MediaWiki 1.27[3], you can take advantage of Cindy Cicalese's Extension:PluggableAuth and Extension:OpenID_Connect. Using these extensions, you can have people log in to your wiki using their Google account, as well as other Single Sign-On setups.
If you're running an older version[3] of MediaWiki (<1.27), you probably can't run the (unmaintained) mw:Extension:OpenID. As a workaround, you could switch over to an LDAP-based auth. Or, just upgrade already!
Google deprecated its support for OpenID 2.0. They now implement "OpenID Connect" (official site: http://openid.net/connect/). Unfortunately, Evan Prodromou's MediaWiki Extension:OpenID extension is written for OpenID 2.0, so wikis that used Google as an Identity/Auth provider must now switch to LDAP or other means. Fortunately, there isn't too much work to do if you have an LDAP server in place.
In LocalSettings.php
- set $wgOpenIDLoginOnly = false; (so we can log in with a wiki account). The OpenID extension creates Special:OpenIDLogin as a substitute/replacement for Special:Login. Once we set $wgOpenIDLoginOnly to false, we can access Special:Login again.
- disable or delete the 'include' for the OpenID extension
- modify the $wgWhitelistRead list
- remove all the options related to the OpenID extension
- include the LDAP extension
- run update.php
- add all the LDAP extension configurations
General
- ensure that you have php-ldap (sudo yum -y install php-ldap or sudo apt-get install php-ldap)
- test your login and view the log file
- promote your LDAP user:
grundlett@wiki:/var/www/html/wiki/maintenance$ php createAndPromote.php --force --bureaucrat --sysop Grundlett
- find and edit the interface messages for login
- find and edit the Help: content for login
Note
You can see the list of existing users at Special:ListUsers
Configuration
Here's a sample configuration for an Active Directory LDAP server:
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array('example');
//$wgLDAPServerNames = array('example' => 'ad.example.net');
$wgLDAPServerNames = array('example' => '192.168.0.67 192.168.0.68');
$wgLDAPEncryptionType = array( 'example' =>"clear" ); // default: tls. "clear" sends the proxy agent and user bind credentials unencrypted; keep tls (or ssl) unless the link to the AD server is otherwise protected
$wgLDAPGroupUseFullDN = array( 'example'=>true );
$wgLDAPGroupObjectclass = array( 'example'=>"group" );
$wgLDAPGroupAttribute = array( 'example'=>"member" );
$wgLDAPGroupSearchNestedGroups = array( 'example'=>true );
$wgLDAPGroupNameAttribute = array( 'example'=>"cn" );
$wgLDAPBaseDNs = array( 'example'=>"dc=ad,dc=example,dc=net" );
$wgLDAPActiveDirectory = array( 'example'=>true );
# using AD-style straight binds (DOMAIN\\USER-NAME or USER-NAME@DOMAIN),
# you'll need one more option to make this work correctly:
$wgLDAPSearchAttributes = array( 'example'=>"sAMAccountName" );
$wgLDAPPreferences = array( 'example' => array( 'email' => 'mail','realname' => 'cn','nickname' => 'samaccountname'));
$wgLDAPProxyAgent = array( 'example' => "cn=wikiservice,ou=Service,ou=Accounts,dc=ad,dc=example,dc=net");
$wgLDAPProxyAgentPassword = array('example'=> 'SomeLongRandomPassword');
# add in a debug log file
$wgLDAPDebug = 3; // default is 0, highest is 3
$wgDebugLogGroups['ldap'] = '/tmp/wiki-ldap-debug.log';
// This hook is called by the LdapAuthentication plugin. It is a configuration hook. Here we
// are specifying what attribute we want to use for a username in the wiki.
// Note that this hook is NOT called on a straight bind.
// The hook calls the function defined below.
$wgHooks['SetUsernameAttributeFromLDAP'][] = 'SetUsernameAttribute';
// This function allows you to get the username from LDAP however you need to do it.
// This is the username MediaWiki will use.
function SetUsernameAttribute(&$LDAPUsername, $info) {
$LDAPUsername = $info[0]['samaccountname'][0];
return true;
}
// Allow the use of the local database as well as the LDAP database.
// Mostly for transitional purposes. Unless you *really* know what you are doing,
// don't use this option. It will likely cause you annoying problems, and
// it will cause me annoying support headaches.
// Warning: Using this option will allow MediaWiki to leak LDAP passwords into
// its local database. It's highly recommended that this setting not be used for
// anything other than transitional purposes.
// Default: false
$wgLDAPUseLocal = false;
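As an added preflight check for the steps above (ensure php-ldap, test the login, proxy agent bind) and for the sample configuration, the following script is not part of this wiki page, MediaWiki or the LDAP extension. It takes the sample configuration's server, base DN, proxy agent and search attribute values, confirms php-ldap is loaded, binds as the proxy agent on each server, and shows which wiki username the SetUsernameAttribute hook would derive for a test user. The script name, the LDAP_PROXY_PASSWORD environment variable and the test user argument are assumptions.

```php
<?php
// Added preflight check for the LDAP switch-over (not part of the wiki page,
// MediaWiki or the LDAP extension). Values mirror the sample configuration
// above; the script name, LDAP_PROXY_PASSWORD and the test user are assumptions.
$servers    = ['192.168.0.67', '192.168.0.68'];   // $wgLDAPServerNames['example']
$baseDn     = 'dc=ad,dc=example,dc=net';          // $wgLDAPBaseDNs['example']
$proxyDn    = 'cn=wikiservice,ou=Service,ou=Accounts,dc=ad,dc=example,dc=net';
$searchAttr = 'sAMAccountName';                   // $wgLDAPSearchAttributes['example']
$useTls     = true;   // the sample sets "clear"; tls is the extension default
$testUser   = isset($argv[1]) ? $argv[1] : 'Grundlett';
$password   = getenv('LDAP_PROXY_PASSWORD') ?: '';

if (!extension_loaded('ldap')) {
    fwrite(STDERR, "php-ldap is not loaded; install it first (see General above)\n");
    exit(1);
}
if ($password === '') {
    fwrite(STDERR, "set LDAP_PROXY_PASSWORD to the proxy agent password\n");
    exit(1);
}

foreach ($servers as $host) {
    $ds = ldap_connect("ldap://$host");
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);  // AD returns referrals; chasing them breaks searches
    if ($useTls && !@ldap_start_tls($ds)) {
        echo "$host: STARTTLS failed: " . ldap_error($ds) . "\n";
        continue;
    }
    if (!@ldap_bind($ds, $proxyDn, $password)) {
        echo "$host: proxy agent bind failed: " . ldap_error($ds) . "\n";
        continue;
    }
    // Same lookup the extension performs: find the user by sAMAccountName.
    $filter = "($searchAttr=" . ldap_escape($testUser, '', LDAP_ESCAPE_FILTER) . ")";
    $sr     = ldap_search($ds, $baseDn, $filter, ['samaccountname', 'mail', 'cn']);
    $info   = ldap_get_entries($ds, $sr);
    if ($info['count'] === 0) {
        echo "$host: bind OK, but $testUser was not found under $baseDn\n";
    } else {
        // This is what the SetUsernameAttribute hook above returns as the wiki username.
        echo "$host: bind OK, wiki username would be " . $info[0]['samaccountname'][0] . "\n";
    }
    ldap_unbind($ds);
}
```

Run it from the wiki host before enabling the extension, so a bind or search failure shows up here rather than in the debug log after a failed login.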
References
1. https://lists.wikimedia.org/pipermail/wikitech-l/2016-May/085725.html
2. mw:Manual:SessionManager and AuthManager
3. Check your version, and more, for free at https://freephile.org/wikireport