Extension:IIS REMOTE USER AD-LDAP
| IIS REMOTE_USER AD-LDAP | Release status: beta |
|---|---|
| Implementation | User identity |
| Description | Logs users in via REMOTE_USER and gets attributes from AD LDAP. |
| Author(s) | Björn Andersen |
| Last version | 0.1 |
| MediaWiki | 1.10 |
| License | No license specified |
| Download | Download Version 0.1 |
What can this extension do?
This auth plugin is based on Rusty's Extension:AutomaticREMOTE_USER, but optimized for Microsoft IIS (6) environments with Active Directory. It automatically logs users in from the REMOTE_USER server variable that IIS sets after it has authenticated the request. It then fetches the user's real name and e-mail address from Active Directory via LDAP. Because IIS only populates REMOTE_USER on sites where anonymous access is disabled and every request is authenticated, the plugin is most useful in intranet and extranet environments. It supports multiple domain controllers per domain (for failover) and multiple domains.
Installation
- Configure IIS to perform the authentication: disable anonymous access for the wiki, so that every request reaches PHP with REMOTE_USER set by IIS.
- Copy Auth_remoteuser_iis.php into your extensions directory.
- Make the changes to LocalSettings.php described in the next section.
Changes to LocalSettings.php
You also need to set some parameters in LocalSettings.php. One drawback: because the user's password is never passed on to PHP, you have to configure a dedicated domain user plus password for the LDAP bind. Keeping a password in plaintext in a config file is not nice, but this design leaves no better option, so set up a special account with no rights except those required for read-only LDAP queries, and make sure LocalSettings.php is not readable by other accounts on the web server. The concept and syntax are borrowed from the LDAP auth plugin (Extension:LDAP_Authentication).
Here is the full setup with two domains and two LDAP servers per domain. DOM1 and DOM2 are the short domain names; dom1.de and dom2.com are the corresponding full DNS domain names. Server names within a domain are separated by spaces and tried in order; the bind user and its password are separated by a single space. If $wgLDAPServerNames is not set, this extension should not do any LDAP lookups and behaves like Extension:AutomaticREMOTE_USER.
```php
# Remote_User Auth with MS AD LDAP enhancements
require_once("$IP/extensions/Auth_remoteuser_iis.php");
$wgLDAPDomainNames = array( "DOM1", "DOM2" );
# Space-separated list of domain controllers per domain, tried in order (failover)
$wgLDAPServerNames = array( "DOM1" => "adserver1.dom1.de adserver2.dom1.de",
                            "DOM2" => "msadserver1.dom2.com msadserver2.dom2.com" );
# Read-only bind account per domain, as "user@domain password"
$wgLDAPBindUsers   = array( "DOM1" => "ldaptecuser1@dom1.de password",
                            "DOM2" => "ldaptecuser1@dom2.com password" );
$wgLDAPBaseDNs     = array( "DOM1" => "DC=dom1,DC=de",
                            "DOM2" => "DC=dom2,DC=com" );
$wgLDAPDebug = 0;
$wgAuth = new Auth_remoteuser();
```
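To make the flow behind this configuration concrete, here is an added example (written for this page, not code from the extension itself) of how REMOTE_USER can be turned into an AD lookup with failover across the configured servers. The function names parseRemoteUser, buildUserFilter and lookupAdUser are hypothetical. It assumes IIS presents REMOTE_USER in the form DOMAIN\user, that the domain controllers accept STARTTLS on port 389 (otherwise the read-only bind password crosses the network in clear), and that PHP has the ldap extension with ldap_escape(), which exists since PHP 5.6; the attributes sAMAccountName, displayName and mail are standard Active Directory attributes.

```php
<?php
// Added example, not the extension's own code. Uses the LocalSettings.php arrays
// shown above ($wgLDAPDomainNames, $wgLDAPServerNames, $wgLDAPBindUsers, $wgLDAPBaseDNs).
// Assumption: IIS sets REMOTE_USER as "DOMAIN\user" (Windows integrated authentication).

// Split REMOTE_USER into the short domain name and the account name.
// Returns null when the variable is missing, malformed, or names a domain that
// is not configured. A null result must mean "no automatic login", never a guess.
function parseRemoteUser($remoteUser, array $domainNames) {
    if (!is_string($remoteUser) || $remoteUser === '') {
        return null;
    }
    $parts = explode('\\', $remoteUser, 2);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return null;
    }
    $domain = strtoupper($parts[0]);
    if (!in_array($domain, array_map('strtoupper', $domainNames), true)) {
        return null;
    }
    return array('domain' => $domain, 'user' => $parts[1]);
}

// Build the AD search filter. ldap_escape() keeps an account name such as
// "jdoe)(memberOf=*" from changing the meaning of the query (LDAP injection).
function buildUserFilter($account) {
    $escaped = ldap_escape($account, '', LDAP_ESCAPE_FILTER);
    return '(&(objectClass=user)(sAMAccountName=' . $escaped . '))';
}

// Look up real name and e-mail for one account, trying each configured domain
// controller in turn. Returns array('realname' => ..., 'email' => ...), or null
// when the account is unknown or no server could be reached.
function lookupAdUser($domain, $account, array $serverNames, array $bindUsers, array $baseDNs) {
    if (!isset($serverNames[$domain], $bindUsers[$domain], $baseDNs[$domain])) {
        return null;
    }
    // Config syntax from above: "user@domain password", split on the first space.
    $bind = explode(' ', $bindUsers[$domain], 2);
    if (count($bind) !== 2) {
        return null;
    }
    list($bindDn, $bindPw) = $bind;
    $filter = buildUserFilter($account);

    foreach (preg_split('/\s+/', trim($serverNames[$domain])) as $host) {
        $ds = ldap_connect('ldap://' . $host);
        if ($ds === false) {
            continue;
        }
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);        // do not chase AD referrals
        ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 3);  // fail over quickly
        // Assumption: STARTTLS is available; without it the bind password is sent in clear.
        if (!@ldap_start_tls($ds) || !@ldap_bind($ds, $bindDn, $bindPw)) {
            ldap_close($ds);
            continue;   // controller down or bind refused: try the next one
        }
        $res = @ldap_search($ds, $baseDNs[$domain], $filter, array('displayName', 'mail'), 0, 1);
        if ($res === false) {
            ldap_close($ds);
            continue;
        }
        $entries = ldap_get_entries($ds, $res);   // attribute keys come back lowercased
        ldap_close($ds);
        if ($entries['count'] !== 1) {
            return null;   // a reachable server gave a definitive "not found"
        }
        $e = $entries[0];
        return array(
            'realname' => isset($e['displayname'][0]) ? $e['displayname'][0] : '',
            'email'    => isset($e['mail'][0]) ? $e['mail'][0] : '',
        );
    }
    return null;   // every configured server failed
}

// Glue, roughly where an auth plugin would run it on each request:
$identity = parseRemoteUser(isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : null, $wgLDAPDomainNames);
$adInfo = null;
if ($identity !== null && isset($wgLDAPServerNames)) {
    $adInfo = lookupAdUser($identity['domain'], $identity['user'], $wgLDAPServerNames, $wgLDAPBindUsers, $wgLDAPBaseDNs);
}
```

Two points matter for security here: an empty or unknown-domain REMOTE_USER results in no login rather than a fallback, and the account name only ever enters the LDAP filter through ldap_escape(). A server that cannot be reached causes failover to the next one, but a server that answers "no such account" ends the search, so a name cannot be retried against another controller until one happens to match.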
To Do
Please feel free to test and improve this extension. There are surely many things that won't work in non-standard environments yet. As J. Kimmel pointed out, there might still be a typecast issue in this implementation, but I haven't seen it yet in our environments. Here is my first wishlist for improvements. I'm new to MediaWiki extensions, so maybe these are very simple to do. Feel free to contribute.
- Find a way to suppress the logout button (without changing the skin)
- Find a way to have the real name displayed instead of the REMOTE_USER (without changing the skin)
- Port more functionality from Extension:LDAP_Authentication, such as the "group based restrictions"
- Get more information from the AD to use in MediaWiki
- Fix the typecast issue
- ...
