MediaWiki/Auth

From Freephile Wiki

Starting with MediaWiki 1.27, there are new authentication and session management frameworks in core[1][2].

If you're running at least MediaWiki 1.27[3], you can take advantage of Cindy Cicalese's Extension:PluggableAuth and Extension:OpenID_Connect. Using these extensions, you can let people log in to your wiki with their Google account, and set up other Single Sign-On arrangements.

If you're running an older version[3] of MediaWiki (<1.27), you probably can't keep relying on the (unmaintained) mw:Extension:OpenID. As a workaround, you could switch over to LDAP-based auth. Or just upgrade already!

Google deprecated its support for OpenID 2.0. They now implement "OpenID Connect" (official site: http://openid.net/connect/). Unfortunately, Evan Prodromou's MediaWiki Extension:OpenID is written for OpenID 2.0, so wikis that used Google as an identity/auth provider must now switch to LDAP or other means. Fortunately, there isn't too much work to do if you already have an LDAP server in place.

In LocalSettings.php

  1. Set $wgOpenIDLoginOnly = false; so that we can log in with a wiki account again. The OpenID extension creates Special:OpenIDLogin as a replacement for Special:Login; once $wgOpenIDLoginOnly is false, Special:Login is reachable again.
  2. Disable or delete the include for the OpenID extension.
  3. Modify the $wgWhitelistRead list (drop the OpenID login page you had whitelisted for anonymous readers).
  4. Remove all the remaining options related to the OpenID extension.
  5. Include the LDAP extension.
  6. Run update.php (the LDAP extension has its own schema update).
  7. Add all the LDAP extension configuration (see the sample configuration below).

General

  1. Ensure that you have php-ldap (sudo yum -y install php-ldap or sudo apt-get install php-ldap), then restart the web server or PHP-FPM so the module is actually loaded.
  2. Test your login and view the log file.
  3. Promote your LDAP user from the maintenance directory, e.g.
     php createAndPromote.php --force --bureaucrat --sysop Grundlett
     (--force grants the rights to the already existing account instead of failing because it exists).
  4. Find and edit the interface messages for login.
  5. Find and edit the Help: content for login.
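Before switching the wiki over, it pays to prove from the shell that PHP can reach the directory the way the extension will: STARTTLS, a bind as the service account, a search by sAMAccountName, and optionally a bind as the user. The script below is an added example, not code from this wiki page or from the LdapAuthentication extension. The server name, base DN, service account DN and the secret file path are assumptions (placeholders); ldap_escape needs PHP 5.6 or later.

```php
<?php
// preflight-ldap.php: added stand-alone check, not part of the wiki page or of
// the LdapAuthentication extension. Server, base DN, service account DN and the
// secret file path below are assumptions; replace them with your own values.
$server     = 'ad.example.net';
$baseDn     = 'dc=ad,dc=example,dc=net';
$agentDn    = 'cn=wikiservice,ou=Service,ou=Accounts,dc=ad,dc=example,dc=net';
$secretFile = '/etc/mediawiki/ldap-agent.secret';
$login = isset( $argv[1] ) ? $argv[1] : 'jsmith';   // sAMAccountName to look up

if ( !function_exists( 'ldap_connect' ) ) {
    fwrite( STDERR, "php-ldap is not installed or not enabled for the CLI\n" );
    exit( 2 );
}
if ( !is_readable( $secretFile ) ) {
    fwrite( STDERR, "cannot read $secretFile\n" );
    exit( 2 );
}
$agentPw = rtrim( file_get_contents( $secretFile ), "\r\n" );

$ds = ldap_connect( "ldap://$server" );
ldap_set_option( $ds, LDAP_OPT_PROTOCOL_VERSION, 3 );
ldap_set_option( $ds, LDAP_OPT_REFERRALS, 0 );   // AD referrals otherwise break searches
if ( !ldap_start_tls( $ds ) ) {                   // never send passwords in the clear
    fwrite( STDERR, "STARTTLS failed: " . ldap_error( $ds ) . "\n" );
    exit( 1 );
}
if ( !ldap_bind( $ds, $agentDn, $agentPw ) ) {
    fwrite( STDERR, "service account bind failed: " . ldap_error( $ds ) . "\n" );
    exit( 1 );
}

// Escape the value before it goes into the filter; an unescaped login such as
// "*)(objectClass=*" would otherwise rewrite the query.
$filter = '(&(objectClass=user)(sAMAccountName='
    . ldap_escape( $login, '', LDAP_ESCAPE_FILTER ) . '))';
$sr = ldap_search( $ds, $baseDn, $filter, array( 'sAMAccountName', 'mail', 'cn', 'memberOf' ) );
if ( $sr === false ) {
    fwrite( STDERR, "search failed: " . ldap_error( $ds ) . "\n" );
    exit( 1 );
}
$entries = ldap_get_entries( $ds, $sr );
if ( $entries['count'] !== 1 ) {
    fwrite( STDERR, "expected exactly one match for $login, got {$entries['count']}\n" );
    exit( 1 );
}
$e = $entries[0];   // attribute names come back lower-cased
echo "dn:     {$e['dn']}\n";
echo "user:   {$e['samaccountname'][0]}\n";
echo "mail:   " . ( isset( $e['mail'][0] ) ? $e['mail'][0] : '(none)' ) . "\n";
echo "groups: " . ( isset( $e['memberof']['count'] ) ? $e['memberof']['count'] : 0 ) . "\n";

// Optionally prove the user's own credentials work, the way the extension will.
// Never bind with an empty password: AD treats that as an anonymous bind and
// reports success, which is exactly how password-less logins slip through.
$userPw = getenv( 'LDAP_TEST_PASSWORD' );
if ( $userPw !== false && $userPw !== '' ) {
    echo "user bind: " . ( ldap_bind( $ds, $e['dn'], $userPw ) ? 'ok' : ldap_error( $ds ) ) . "\n";
}
ldap_unbind( $ds );
```

Run it as `php preflight-ldap.php jsmith`, and `LDAP_TEST_PASSWORD='...' php preflight-ldap.php jsmith` to exercise the user bind as well. If STARTTLS fails here, the wiki will fail the same way with $wgLDAPEncryptionType set to "tls"; fix the domain controller certificate (or point at a hostname that matches it) rather than falling back to "clear".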

Note

You can see the list of existing users at Special:ListUsers

Configuration

Here's a sample configuration for an Active Directory LDAP server.

$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( 'example' );
//$wgLDAPServerNames = array( 'example' => 'ad.example.net' );
$wgLDAPServerNames = array( 'example' => '192.168.0.67 192.168.0.68' );
// WARNING: "clear" sends every user's password, and the proxy agent's password,
// over the network unencrypted. The default, "tls", is the safe choice; it needs
// the hostname form of $wgLDAPServerNames above so the server certificate can be
// verified against the name.
$wgLDAPEncryptionType          = array( 'example' => "clear" ); // default: tls
$wgLDAPGroupUseFullDN          = array( 'example' => true );
$wgLDAPGroupObjectclass        = array( 'example' => "group" );
$wgLDAPGroupAttribute          = array( 'example' => "member" );
$wgLDAPGroupSearchNestedGroups = array( 'example' => true );
$wgLDAPGroupNameAttribute      = array( 'example' => "cn" );
$wgLDAPBaseDNs                 = array( 'example' => "dc=ad,dc=example,dc=net" );
$wgLDAPActiveDirectory         = array( 'example' => true );
# using AD-style straight binds (DOMAIN\\USER-NAME or USER-NAME@DOMAIN),
# you'll need one more option to make this work correctly:
$wgLDAPSearchAttributes        = array( 'example' => "sAMAccountName" );
$wgLDAPPreferences = array( 'example' => array( 'email' => 'mail', 'realname' => 'cn', 'nickname' => 'samaccountname' ) );
# The proxy agent only needs read access to the user and group entries. Its
# password lives in this file, so keep LocalSettings.php unreadable to other
# users on the host.
$wgLDAPProxyAgent = array( 'example' => "cn=wikiservice,ou=Service,ou=Accounts,dc=ad,dc=example,dc=net" );
$wgLDAPProxyAgentPassword = array( 'example' => 'SomeLongRandomPassword' );
# add in a debug log file (turn this off again once login works: the log
# records usernames, DNs and search filters, and /tmp is world-readable)
$wgLDAPDebug = 3; // default is 0, highest is 3
$wgDebugLogGroups['ldap'] = '/tmp/wiki-ldap-debug.log';

// This hook is called by the LdapAuthentication plugin. It is a configuration hook. Here we
// are specifying what attribute we want to use for a username in the wiki.
// Note that this hook is NOT called on a straight bind.
// The hook calls the function defined below.
$wgHooks['SetUsernameAttributeFromLDAP'][] = 'SetUsernameAttribute';
// This function allows you to get the username from LDAP however you need to do it.
// This is the username MediaWiki will use. $info is the ldap_get_entries() result
// for the matched user, so attribute names are lower-cased.
function SetUsernameAttribute( &$LDAPUsername, $info ) {
        $LDAPUsername = $info[0]['samaccountname'][0];
        return true;
}
// Allow the use of the local database as well as the LDAP database.
// Mostly for transitional purposes. Unless you *really* know what you are doing,
// don't use this option. It will likely cause you annoying problems, and
// it will cause me annoying support headaches.
// Warning: Using this option will allow MediaWiki to leak LDAP passwords into
// its local database. It's highly recommended that this setting not be used for
// anything other than transitional purposes.
// Default: false
$wgLDAPUseLocal = false;
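Putting the LocalSettings.php steps and the sample above together, here is a tightened version of the same fragment with the weak settings noted next to their replacements. It is an added example, not this wiki's own configuration or the LdapAuthentication project's documentation. It assumes the extension is installed under $IP/extensions/LdapAuthentication, that the domain controllers are reachable as ad1.example.net and ad2.example.net with certificates issued for those names, that the service account password sits in /etc/mediawiki/ldap-agent.secret (readable only by the web server user), that a log directory /var/log/mediawiki exists with the same restriction, and that an AD group cn=wiki-users exists; all of those names are placeholders.

```php
<?php
// Added example of a hardened LDAP block for LocalSettings.php; not the wiki's
// own sample. Hostnames, file paths and the group DN are assumptions.

// 1. Load the extension (the OpenID include and all $wgOpenID* settings are gone).
require_once "$IP/extensions/LdapAuthentication/LdapAuthentication.php";
$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array( 'example' );

// Weak (sample above): '192.168.0.67 192.168.0.68' with "clear".
// Hardened: DNS names that match the DCs' certificates, and STARTTLS ("tls";
// use "ssl" for LDAPS on 636) so no password crosses the wire in the clear.
$wgLDAPServerNames    = array( 'example' => 'ad1.example.net ad2.example.net' );
$wgLDAPEncryptionType = array( 'example' => 'tls' );

$wgLDAPBaseDNs          = array( 'example' => 'dc=ad,dc=example,dc=net' );
$wgLDAPActiveDirectory  = array( 'example' => true );
$wgLDAPSearchAttributes = array( 'example' => 'sAMAccountName' );
$wgLDAPPreferences = array( 'example' => array(
    'email' => 'mail', 'realname' => 'cn', 'nickname' => 'samaccountname' ) );

// Group mapping as in the sample, plus an allow-list: only members of one AD
// group (nested membership included) may log in at all.
$wgLDAPGroupUseFullDN          = array( 'example' => true );
$wgLDAPGroupObjectclass        = array( 'example' => 'group' );
$wgLDAPGroupAttribute          = array( 'example' => 'member' );
$wgLDAPGroupSearchNestedGroups = array( 'example' => true );
$wgLDAPGroupNameAttribute      = array( 'example' => 'cn' );
$wgLDAPRequiredGroups = array( 'example' => array(
    'cn=wiki-users,ou=Groups,dc=ad,dc=example,dc=net' ) );   // assumed group DN

// Weak: password literal inside LocalSettings.php.
// Hardened: read-only service account whose secret is in a root-owned file that
// only the web server user can read; fail closed if it is missing.
$wgLDAPProxyAgent = array( 'example' =>
    'cn=wikiservice,ou=Service,ou=Accounts,dc=ad,dc=example,dc=net' );
$ldapSecretFile = '/etc/mediawiki/ldap-agent.secret';   // assumed path
if ( !is_readable( $ldapSecretFile ) ) {
    throw new RuntimeException( "LDAP service account secret $ldapSecretFile is not readable" );
}
$wgLDAPProxyAgentPassword = array( 'example' => rtrim( file_get_contents( $ldapSecretFile ), "\r\n" ) );
unset( $ldapSecretFile );

// Weak: $wgLDAPDebug = 3 logging to world-readable /tmp and never switched off.
// Hardened: off by default; when needed, log where only the web server user can
// read and set it back to 0 afterwards.
$wgLDAPDebug = 0;
$wgDebugLogGroups['ldap'] = '/var/log/mediawiki/ldap.log';   // assumed path

// No local (database) passwords: every login must be answered by AD, and nobody
// can register a wiki-only account that bypasses it. On MediaWiki 1.27+ the
// autocreateaccount right still lets AuthManager create the wiki account on a
// user's first successful LDAP login.
$wgLDAPUseLocal = false;
$wgGroupPermissions['*']['createaccount']     = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;

// Take the username from the attribute AD returns, not from what was typed,
// and leave it untouched if the entry does not carry the attribute.
$wgHooks['SetUsernameAttributeFromLDAP'][] = 'SetUsernameAttribute';
function SetUsernameAttribute( &$LDAPUsername, $info ) {
    if ( isset( $info[0]['samaccountname'][0] ) ) {
        $LDAPUsername = $info[0]['samaccountname'][0];
    }
    return true;
}
```

The throw on a missing secret file is deliberate: a wiki that cannot bind as its service account should refuse to start rather than silently accept logins it cannot verify. Keep the secret file and LocalSettings.php out of the web root and readable only by the account PHP runs as.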

References