Open main menu

MediaWiki/Auth

< MediaWiki
Revision as of 15:27, 1 December 2016 by Freephile (talk | contribs) (introductory reference and manual pages)

Starting with MediaWiki 1.27, there are new authentication and session management frameworks in core[1][2]

If you're running at least MediaWiki 1.27[3], you can take advantage of Cindy Cicalese's Extension:PluggableAuth and Extension:OpenID_Connect. Using these extensions, you can have people login to your wiki using their Google account; and other Single Sign-On setups.

If you're running an older version[3] of MediaWiki (<1.27) you probably can't run the (unmaintained) mw:Extension:OpenID. As a workaround, you could switch over to an LDAP based auth. Or, just upgrade already!

Google deprecated it's support for OpenID 2.0 support. They now implement "OpenID Connect" (official site: http://openid.net/connect/) Unfortunately, Evan Prodromou's MediaWiki Extension:OpenID extension is written for OpenID 2.0 So, to wiki's that used Google as an Identity/Auth provider must now switch to LDAP or other means. Fortunately, there isn't too much work to do if you have an LDAP server in place.

In LocalSettings.php

  1. set $wgOpenIDLoginOnly = false; (so we can login with a wiki account)
  1. The OpenID extension creates Special:OpenIDLogin as a substitute/replacement for Special:Login. Once we set $wgOpenIDLoginOnly to false, we can access the Special:Login again.
  1. Disable or delete the 'include' for the OpenID extension
  2. modify the $wgWhitelistRead list
  1. remove all the options related to the OpenID extension
  2. include the LDAP extension
  3. run update.php
  1. add all the LDAP extension configurations

General

  1. ensure that you have php-ldap (sudo yum -y install php-ldap or sudo apt-get install php-ldap)
  1. test your login and view the log file
  2. promote your LDAP user grundlett@wiki:/var/www/html/wiki/maintenance$ php createAndPromote.php --force --bureaucrat --sysop Grundlett
  1. find and edit the interface messages for login
  2. find and edit the Help: content for login

Note

You can see the list of existing users at Special:ListUsers

Configuration

Here's a sample configuration for an Active Directory LDAP server

$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array('example');
//$wgLDAPServerNames = array('example' => 'ad.example.net');
$wgLDAPServerNames = array('example' => '192.168.0.67 192.168.0.68');
$wgLDAPEncryptionType          = array( 'example' =>"clear" ); // default: tls
$wgLDAPGroupUseFullDN          = array( 'example'=>true );
$wgLDAPGroupObjectclass        = array( 'example'=>"group" );
$wgLDAPGroupAttribute          = array( 'example'=>"member" );
$wgLDAPGroupSearchNestedGroups = array( 'example'=>true );
$wgLDAPGroupNameAttribute      = array( 'example'=>"cn" );
$wgLDAPBaseDNs = array( 'example'=>"dc=ad,dc=example,dc=net" );
$wgLDAPActiveDirectory         = array( 'example'=>true );
# using AD-style straight binds (DOMAIN\\USER-NAME or USER-NAME@DOMAIN),
# you'll need one more option to make this work correctly:
$wgLDAPSearchAttributes        = array( 'example'=>"sAMAccountName" );
$wgLDAPPreferences = array( 'example' => array( 'email' => 'mail','realname' => 'cn','nickname' => 'samaccountname'));
$wgLDAPProxyAgent =  array( 'example' => "cn=wikiservice,ou=Service,ou=Accounts,dc=ad,dc=example,dc=net");
$wgLDAPProxyAgentPassword = array('example'=> 'SomeLongRandomPassword');
# add in a debug log file
$wgLDAPDebug = 3; // default is 0, highest is 3
$wgDebugLogGroups['ldap'] = '/tmp/wiki-ldap-debug.log';

// This hook is called by the LdapAuthentication plugin. It is a configuration hook. Here we
// are specifying what attibute we want to use for a username in the wiki.
// Note that this hook is NOT called on a straight bind.
// The hook calls the function defined below.
$wgHooks['SetUsernameAttributeFromLDAP'][] = 'SetUsernameAttribute';
// This function allows you to get the username from LDAP however you need to do it.
// This is the username MediaWiki will use.
function SetUsernameAttribute(&$LDAPUsername, $info) {
        $LDAPUsername = $info[0]['samaccountname'][0];
        return true;
}
// Allow the use of the local database as well as the LDAP database.
// Mostly for transitional purposes. Unless you *really* know what you are doing,
// don't use this option. It will likely cause you annoying problems, and
// it will cause me annoying support headaches.
// Warning: Using this option will allow MediaWiki to leak LDAP passwords into
// its local database. It's highly recommended that this setting not be used for
// anything other than transitional purposes.
// Default: false
$wgLDAPUseLocal = false;

References