Using eDirectory to control access to MediaWiki

From MicroFocusInternationalWiki

This page shows how to configure MediaWiki to use eDirectory for user authentication, and how to configure authentication based on eDirectory group membership.

This page is part of the MediaWiki knowledge set.

Prerequisites

This document assumes that you have the following configured:

  • MediaWiki 1.6+ configured and running on SUSE Linux Enterprise Server 9
  • Novell eDirectory 8.8 installed and configured
    • Other versions may work, but were not tested by the authors
      • Also works with 8.7.3.8
  • MediaWiki's LDAP Authentication plugin 1.e+

Sample Server Configuration

The authors used the following settings for this document. You may choose to use different names:

  • DNS of eDirectory server: edir.wikidemo.org
  • DNS of Wiki server: wiki.wikidemo.org
  • eDirectory configuration
    • User container: ou=users,o=novell
    • eDirectory group for wiki users: wikigroup

Installation

Download the latest version of LDAP Authentication for MediaWiki

Configuration

Overview

The LDAP Authentication module gets its settings from LocalSettings.php, which controls all configuration for MediaWiki.

To add the parameters the LDAP Authentication module needs, append them to the end of the existing LocalSettings.php in your wiki directory.

Container-based User Access

The LDAP Authentication module allows MediaWiki to use containers as natural groups within eDirectory.

  • You can assign specific eDirectory containers as authentication contexts for the wiki. Any valid username+password within those containers can then authenticate to the wiki.
  • You can make login contextless or contextful.
    • Contextful requires the user to specify containers, such as cn=myuseraccount,ou=users,o=wikidemo
      • Assigning access at a high-level container enables users in all subcontainers to authenticate to the wiki.
      • Be careful: Using high-level containers in a distributed system will cause LDAP to walk the eDirectory tree.
    • Contextless allows users to use simple, common names, such as myuseraccount
      • Users really appreciate contextless login.
      • Be careful: Contextless login in a distributed system will cause LDAP to walk the eDirectory tree.

Changes to LocalSettings.php for Contextful Login

To enable simple user-based authentication, append the following to your LocalSettings.php file:

require_once( 'extensions/LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "{Wiki Identity variable}" );
$wgLDAPServerNames = array( "{Wiki Identity variable}"=>"{IP or DNS of eDirectory server}" );
$wgLDAPSearchStrings = array( "{Wiki Identity variable}"=>"cn=USER-NAME,{LDAP name of eDirectory container}" );
#$wgLDAPSearchAttributes = array( "{Wiki Identity variable}"=>"uid" );
$wgLDAPEncryptionType = array( "{Wiki Identity variable}"=>"ssl" );
$wgMinimalPasswordLength = 1;

Example for Contextful Login

Here is how the authors' LocalSettings.php looks:

require_once( 'extensions/LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "wikidemo" );
$wgLDAPServerNames = array( "wikidemo"=>"edir.wikidemo.org"  );
$wgLDAPSearchStrings = array( "wikidemo"=>"cn=USER-NAME,ou=users,o=novell" );
#$wgLDAPSearchAttributes = array( "wikidemo"=>"uid" );
$wgLDAPEncryptionType = array( "wikidemo"=>"ssl" );
$wgMinimalPasswordLength = 1;

Changes to LocalSettings.php for Contextless Login

To enable simple user-based authentication, append the following to your LocalSettings.php file:

require_once( 'extensions/LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "{Wiki Identity variable}" );
$wgLDAPServerNames = array( "{Wiki Identity variable}"=>"{IP or DNS of eDirectory server}" );
#$wgLDAPSearchStrings = array( "{Wiki Identity variable}"=>"cn=USER-NAME,{LDAP name of eDirectory container}" );
$wgLDAPSearchAttributes = array( "{Wiki Identity variable}"=>"uid" );
$wgLDAPEncryptionType = array( "{Wiki Identity variable}"=>"ssl" );
$wgMinimalPasswordLength = 1;

Example for Contextless Login

Here is how the authors' LocalSettings.php looks:

require_once( 'extensions/LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "wikidemo" );
$wgLDAPServerNames = array( "wikidemo"=>"edir.wikidemo.org" );
#$wgLDAPSearchStrings = array( "wikidemo"=>"cn=USER-NAME,ou=users,o=novell" );
$wgLDAPSearchAttributes = array( "wikidemo"=>"uid" );
$wgLDAPEncryptionType = array( "wikidemo"=>"ssl" );
$wgMinimalPasswordLength = 1;

Details on Additions to LocalSettings.php

require_once( 'extensions/LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();

Tells MediaWiki to load the LdapAuthentication.php module and use it as the authentication plugin.

$wgLDAPDomainNames = array( "wikidemo" );

Sets the LDAPDomainName variable to "wikidemo". The name "wikidemo" will appear on the wiki's login page in the 'Your domain' field.

$wgLDAPServerNames = array( "wikidemo"=>"edir.wikidemo.org"  );

Tells MediaWiki where to find the LDAP server. If you use a DNS name, make sure that the server can resolve the name to the right IP address for the eDirectory server.

$wgLDAPSearchStrings = array( "wikidemo"=>"cn=USER-NAME,ou=users,o=novell" );

This determines the context in which to search for users. Additional contexts can be added by putting a single space between each context. Example:

  • $wgLDAPSearchStrings = array( "wikidemo"=>"cn=USER-NAME,ou=users,o=novell cn=USER-NAME,ou=otherusers,o=novell" );

There is no need to change cn=USER-NAME. If uid is used as your naming attribute, it can be specified using the next value, $wgLDAPSearchAttributes.

$wgLDAPSearchAttributes = array( "wikidemo"=>"uid" );

This sets the wiki to use contextless login. If your accounts do not have uid set and all accounts have unique cn values, $wgLDAPSearchAttributes can be changed to:

$wgLDAPSearchAttributes = array( "wikidemo"=>"cn" );
  • Note: Experience shows that using 'uid' creates the needed user id for new users in the wiki database when leveraging LDAP for authentication of these (new) users. When using 'cn', the needed id is not created on the fly in the local wiki database.
  • Note: If you enable this, you must disable $wgLDAPSearchStrings = array( "wikidemo"=>"cn=USER-NAME,ou=users,o=novell" );

$wgLDAPEncryptionType = array( "wikidemo"=>"ssl" );

Turns on SSL. SSL or TLS should only be turned off for testing/troubleshooting. Available options are "ssl", "tls" and "clear"; the default is "tls".

$wgLDAPUseLocal = false;

This allows users to also log in with a user name and password that is valid in MediaWiki's own identity store. The admin user name and password created during the installation of MediaWiki are in this store, so changing this to true can provide a backdoor into the wiki in case of a directory outage. false is the default, so defining this isn't truly needed.

$wgLDAPAddLDAPUsers = array( "wikidemo"=>"false" );

Disables the ability for MediaWiki to create new users via LDAP; false is the default, so defining this isn't truly needed.

  • Many wikis leave this on to make it easy to register and start collaborating.
  • Most network administrators with due levels of paranoia think this is insane.

$wgLDAPUpdateLDAP = array( "wikidemo"=>"false" );

Disables the ability for MediaWiki to update existing users (passwords) via LDAP; false is the default, so defining this isn't truly needed. Since MediaWiki does not have policy enforcement for strong passwords, this option is important to eDirectory administrators.

$wgLDAPMailPassword = array( "wikidemo"=>"false" );

Disables the ability for MediaWiki to email a temporary password to users; false is the default, so defining this isn't truly needed.

$wgLDAPRetrievePrefs = array( "wikidemo"=>"false" );

Disables the ability for MediaWiki to retrieve LDAP preferences; false is the default, so defining this isn't truly needed.

$wgMinimalPasswordLength = 1;

Before MediaWiki will even try to authenticate to eDirectory, it makes sure the user entered a password that is at least 'x' characters long.

  • This can help reduce bogus directory authentication attempts coming from your wiki.
  • This absolutely should be a minimum of 1, unless you want anyone to be able to log into your wiki.
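A small configuration check, added here as an example and not part of this page or of the LDAP Authentication plugin: it parses the $wgLDAP… assignments out of a constructed LocalSettings.php fragment and flags the combinations the settings above warn against (both search settings active for one domain, clear-text LDAP, $wgLDAPUseLocal set to true, $wgMinimalPasswordLength below 1, user creation or password updates via LDAP enabled). The sample fragment and the finding codes are the example's own.

```python
import re

# Constructed LocalSettings.php fragment (not the page's own file) with four
# deliberate mistakes: both search settings active, clear-text LDAP, local
# fallback enabled and no password-length floor.
SAMPLE = r'''
$wgLDAPDomainNames = array( "wikidemo" );
$wgLDAPServerNames = array( "wikidemo"=>"edir.wikidemo.org" );
$wgLDAPSearchStrings = array( "wikidemo"=>"cn=USER-NAME,ou=users,o=novell" );
$wgLDAPSearchAttributes = array( "wikidemo"=>"uid" );
$wgLDAPEncryptionType = array( "wikidemo"=>"clear" );
$wgLDAPUseLocal = true;
$wgMinimalPasswordLength = 0;
'''

ASSIGN = re.compile(r'^\s*(\$wg\w+)\s*=\s*(.+?)\s*;\s*$')
PAIR = re.compile(r'"([^"]*)"\s*=>\s*"([^"]*)"')

def parse_settings(text):
    """Map each $wg variable to its value: per-domain arrays become dicts,
    plain arrays lists, scalars strings. A '#'-commented line is skipped."""
    settings = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        name, raw = m.groups()
        pairs = PAIR.findall(raw)
        strings = re.findall(r'"([^"]*)"', raw)
        settings[name] = dict(pairs) if pairs else (strings or raw)
    return settings

def lint(text):
    """Return (domain, code) findings for the settings the page warns about."""
    s = parse_settings(text)
    found = []
    for dom in s.get('$wgLDAPDomainNames', []):
        if dom in s.get('$wgLDAPSearchStrings', {}) and \
           dom in s.get('$wgLDAPSearchAttributes', {}):
            found.append((dom, 'both-search-settings'))  # one must be disabled
        if s.get('$wgLDAPEncryptionType', {}).get(dom) == 'clear':
            found.append((dom, 'clear-text-ldap'))  # only for troubleshooting
        for var in ('$wgLDAPAddLDAPUsers', '$wgLDAPUpdateLDAP'):
            if s.get(var, {}).get(dom) == 'true':
                found.append((dom, var + '-enabled'))
    if s.get('$wgLDAPUseLocal') == 'true':
        found.append(('*', 'local-fallback-enabled'))  # backdoor during an outage
    if int(s.get('$wgMinimalPasswordLength', 0)) < 1:
        found.append(('*', 'password-length-below-1'))
    return found
```

Running lint() over your own LocalSettings.php text before enabling the plugin catches the contextless/contextful mix-up that otherwise only shows up as failed logins.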

Group-based Authentication

Group-based authentication restricts access to just the users who are members of a specific group.

Group-based authentication works for either contextful or contextless login.

  • If you use contextful login, you must specify all containers that your users may exist in. (The login simply looks at the user object's "uniquemember" attribute.)

To enable group-based authentication for an eDirectory group called "wikigroup" (DN=.wikigroup.users.novell), add the following line to LocalSettings.php:

$wgLDAPGroupDN = "cn=wikigroup,ou=users,o=novell";

The authors could not get more than one group to work. If you do, please update this page.

See: new-style group login restriction. The method shown above uses the deprecated style of group login restriction.

See Also