Extension talk:AutomaticREMOTE USER
If you have errors, please check m:User talk:Otheus/Auto Login via REMOTE USER for a potential solution.
Mediawiki 1.9.3 would not automatically create users until I changed setPassword() and allowPasswordChange() to return true.
Sciurus 18:20, 27 April 2007 (UTC)
Random blank page
This extension works perfectly with the 1.15.1 version. However, I randomly get a blank page when accessing the wiki. It happens only when this particular extension is enabled. Does anyone know how to fix that? Thanks!
$_SERVER['REDIRECT_REMOTE_USER']
Seemed to work under 1.12pre, once I added near the top of Auth_remoteuser.php:
if (!isset($_SERVER['REMOTE_USER'])) $_SERVER['REMOTE_USER'] = $_SERVER['REDIRECT_REMOTE_USER'];
Jlerner 00:55, 11 December 2007 (UTC)
How does the extension know who to login?
I like this program and think it could be used very well with my website. We have a PHPBB forum and a localized login script for that on our site. What I would like is for users who log in using the localized form to automatically be logged into PHPBB AND the wiki. However, I am confused as to where the user's login info fits into all of this. Any help will be appreciated. Thanks :P
Auto login locally?
Hi, I want to implement a Wiki internally at the company I work for and an auto-login function would be very welcome. We're using WinXP machines on DNS and would like a way to automatically pass across Windows credentials of users, retrieving any details needed from AD. Is this possible and if so how would I go about doing it? Bear in mind that it is not public facing so convenience can come before security here.
- You're looking for "Single Signon" functionality. If your web server can provide this - then this extension will use the authentication info from the server to log you into the wiki. This extension would be part of your solution... but there may be other options available.
- Although I am using my own extension, this might be helpful. I am using LDAP to fill in the Real Name and Mail fields. Still, if I want users to authenticate against NTLM (SSPI) I either have to save their password as their wiki password, to fill the user prefs, or I need to have a dummy query user for calling LDAP. I am still not sure which solution is better. Passwords may change and a global user is a potential security risk.
- This extension can be used in conjunction with Windows Authentication on IIS to allow a user accessing the wiki from IE on a domain local machine to be automatically authenticated with the wiki. VibroAxe 10:33, 10 December 2009 (UTC)
Apache, Windows and mod_auth_sspi
If you are using this extension with Apache on Windows, and are using mod_auth_sspi to populate REMOTE_USER, make sure that you use 1.0.3 of the module and not 1.0.4. The later version strips POSTed information.
I confirm: with the 1.0.4 version of the mod_auth_sspi module I had a blank page when I made a preview. With the 1.0.3 version, all is OK.
Cached Pages showing wrong user name
I had to turn off the server side cache to make this work properly with 1.9.3. Otherwise the user name shown at the top of the screen would sometimes be correct, and sometimes show the previous user's name, if the previous user had accessed the given page. This doesn't happen with normal user logout/login, so I assume it is to do with the AutomaticREMOTE_USER logout/login cycle. When I try to edit a page showing the wrong user name (and the previous user hasn't tried to edit it also), the correct user name shows on the edit page. Disabling the cache probably isn't the best solution. Any clues?
login problems with wrong REMOTE_USER
The plugin doesn't work on our system (IIS 6, Win2k3 AD, MW 1.13.2). It changed REMOTE_USER from foo_bar\username to foo bar\username. After removing foo_bar\ from username by substr($_SERVER['REMOTE_USER'],10) it works fine for us.
SunAM Authentication and authorization
I'm using the extension with Mediawiki 1.15.1 and Apache 2.2.11 with SunAM authentication.
Problems with name normalization and patch
For Mediawiki 0.13 (and above, I presume), I found I needed to do the following to allow users with underscores in their name to log in:
--- remoteuser.php.orig 2009-09-14 11:41:25.000000000 -0400
+++ remoteuser.php 2009-09-14 11:39:21.000000000 -0400
@@ -229,7 +229,8 @@
return false;
return isset($_SERVER['REMOTE_USER']) &&
- (strtolower($username) == strtolower($_SERVER['REMOTE_USER']));
+ (strtolower($username) ==
+ strtolower(User::getCanonicalName($_SERVER['REMOTE_USER'])));
}
/**
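Review bot: In the added comparison, User::getCanonicalName() returns false when REMOTE_USER is not a valid MediaWiki user name, and strtolower(false) is the empty string, so the result should be checked before it is compared: assign it to a variable and return false when it is false. Only the REMOTE_USER side is canonicalized; $username is compared as passed in, which is correct only if the caller has already canonicalized it, so either canonicalize both sides or add a comment stating that assumption.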
Implementation?
How exactly is this extension used? Are there examples?
Gotcha: WikiSysop login
If you created a WikiSysop account during Mediawiki installation, you won't be able to use that account unless it authenticates with whatever mechanism you're using to set REMOTE_USER. Keep that in mind.
OK with LDAP for me
Just because the notice on the main page is so scary... I got this going under Apache 2.2 on CentOS with the mod_authnz_ldap extension with no particular problems. The only note would be that I didn't need to worry about REMOTE_USER in my case, it was all set up already.
Active Directory SSO
Has anyone managed to get this extension working with an Active Directory SSO configuration? Specifically, retrieving HTTP headers, and automatically creating users.
I've tried setting allowPasswordChange and setPassword to true, but auto account creation doesn't seem to work.
--Enterprise user 21:15, 20 December 2010 (UTC)
- Never mind, resolved the problem.
- I just replaced the phrase 'REMOTE_USER' in Auth_remoteuser.php with 'HTTP_USERNAME'. User account is automatically generated now.
- --Enterprise user 22:02, 20 December 2010 (UTC)
E-mail address as User Name
Does anyone know if using an e-mail address as a MediaWiki username is problematic? The e-mail address follows the following convention:
first.lastname@domain.com
--Enterprise user 22:04, 20 December 2010 (UTC)
Active Directory integration with Apache & Groups support
I've made some modifications to this extension that, along with a bit of configuration on the Apache server, allow AD users to log in with full group information copied over to the auto-created MediaWiki account. Setup instructions are in the header comments of the file below. (Sorry for the full paste instead of a diff, but I haven't had any luck applying diffs to copy/paste code from wiki pages.)
<?php
// vim:sw=2:softtabstop=2:textwidth=80
//
// This program is free software: you can redistribute it and/or modify it
// under the terms of the GNU General Public License as published by the Free
// Software Foundation, either version 2 of the License, or (at your option)
// any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
// FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
// more details.
//
// You should have received a copy of the GNU General Public License along with
// this program. If not, see <http://www.gnu.org/licenses/>.
//
// Copyright 2006 Otheus Shelling
// Copyright 2007 Rusty Burchfield
// Copyright 2009 James Kinsman
// Copyright 2010 Daniel Thomas
// Copyright 2010 Ian Ward Comfort
// Copyright 2011 Zachary Bedell <zac at the bedells dot org>
//
// In 2009, the copyright holders determined that the original publishing of this code
// under GPLv3 was legally and logistically in error, and re-licensed it under GPLv2.
//
// See http://www.mediawiki.org/wiki/Extension:AutomaticREMOTE_USER
//
// Adapted by Rusty to be compatible with version 1.9 of MediaWiki
// Optional settings from Emmanuel Dreyfus
// Adapted by VibroAxe (James Kinsman) to be compatible with version 1.16 of MediaWiki
// Adapted by VibroAxe (James Kinsman) to allow domain substitution for Integrated Windows Authentication
// Adapted by drt24 (Daniel Thomas) to add the optional $wgAuthRemoteuserMailDomain and remove hardcoding
// of permissions for anonymous users.
// Adapted by Ian Ward Comfort to detect mismatches between the session user and REMOTE_USER
// Adapted by Zachary Bedell to replicate LDAP groups from webserver environment variables.
//
// Add these lines to your LocalSettings.php
//
// /* Optional settings */
// $wgAuthRemoteuserAuthz = true; /* Your own authorization test */
// $wgAuthRemoteuserName = $_SERVER["AUTHENTICATE_CN"]; /* User's name */
// $wgAuthRemoteuserMail = $_SERVER["AUTHENTICATE_MAIL"]; /* User's Mail */
// $wgAuthRemoteuserNotify = false; /* Do not send mail notifications */
// $wgAuthRemoteuserDomain = "NETBIOSDOMAIN"; /* Remove NETBIOSDOMAIN\ from the beginning or @NETBIOSDOMAIN at the end of a IWA username */
// /* User's mail domain to append to the user name to make their email address */
// $wgAuthRemoteuserMailDomain = "example.com";
//
// // Setup replication of LDAP groups from the webserver (requires server configuration -- see below)
// $wgAuthRemoteuserGroups = $_SERVER['AUTHENTICATE_MEMBEROF']; // Web server environment variable containing list of LDAP groups
// $wgAuthRemoteuserGroupRegex = '/CN=([^,]+),[^;]*;?/'; // Regular expression to extract simple group names from LDAP DN's
// $wgAuthRemoteuserOverwriteLocalGroups = true; // to remove existing groups from wm database when they're removed from AD.
//
// // Don't let anonymous people do things...
// $wgGroupPermissions['*']['createaccount'] = false;
// $wgGroupPermissions['*']['read'] = false;
// $wgGroupPermissions['*']['edit'] = false;
//
// /* This is required for Auth_remoteuser operation */
// require_once('extensions/Auth_remoteuser.php');
// $wgAuth = new Auth_remoteuser();
//
// The constructor of Auth_remoteuser registers a hook to do the automatic
// login. Storing the Auth_remoteuser object in $wgAuth tells mediawiki to use
// that object as the AuthPlugin. This way the login attempts by the hook will
// be handled by us.
//
// You probably want to edit the initUser function to set the users real name
// and email address properly for your configuration.
//
//
// LDAP Group Replication Support
//
// This extension can optionally extract LDAP groups from an environment variable provided by your web server. This will
// usually require some degree of server-level configuration and has currently only been tested on Apache against Active Directory.
//
// $wgAuthRemoteuserGroups specifies the list of groups, usually extracted from a $_SERVER[] scope variable. Format of this
// string is relatively flexible and can be dealt with using a regular expression.
//
// $wgAuthRemoteuserGroupRegex is an optional regular expression which extracts simple group names from full
// Distinguished Names provided by LDAP. The regex should contain one grouping expression (parenthesis) which should match the
// simple name of the group as will be used in MediaWiki's database. There are some potential problems with this approach in
// that it assumes your group simple names are equivalent to some portion of the DN. This may not be the case; but this may also
// not be a problem so long as the identifiers are unique and meaningful enough to exist in MediaWiki's database.
// These extracted simple names will only be used in the MW database, and the association back to LDAP will always
// be done by the full DN (assuming that's what your server puts in this field to begin with).
//
// It's also possible that a server might just put simple names into this wgAuthRemoteuserGroups field OR that you
// might write some code to populate wgAuthRemoteuserGroups with a more intelligent algorithm. If wgAuthRemoteuserGroups
// contains a comma separated list of simple names, then you can omit the regex completely.
//
// If the regex is omitted, the following behavior is used: If the contents of wgAuthRemoteuserGroups include any semicolons,
// it is assumed to be a list of LDAP DN's. The strings are split on the semicolons, trimmed, and used as-is (IE full DN's
// for group names). If no semicolons are present, then the string is split on commas and treated as is.
//
// wgAuthRemoteuserOverwriteLocalGroups controls whether existing groups will be REMOVED from the MW database if they're
// not found in LDAP. This can be handy to allow removing people from groups via AD, but it makes it impossible to store
// any group information locally to MW that differs from AD.
//
// Apache Configuration:
//
// Assuming using Apache and Active Directory, the following Apache configuration should allow group replication:
//
// <Directory /path/to/mediawiki> # Could do "<Location /mediawiki>" instead
//   AuthBasicProvider ldap
//   AuthUserFile /dev/null
//   AuthName "HTTP Auth Realm Name"
//   AuthLDAPBindDN "user-who-can-search-ldap@my.domain.com"
//   AuthLDAPBindPassword userspassword
//   AuthLDAPURL ldaps://ldap-server:636/DC=my,DC=domain,DC=com?sAMAccountName,displayName,givenName,sn,mail,memberOf?sub?(objectClass=user)
//   # The extra attributes (displayName...memberOf) after sAMAccountName tell Apache to populate environment
//   # variables with the contents of those LDAP attributes. That lets this extension access those values without
//   # requiring additional LDAP queries.
//   AuthLDAPGroupAttribute member
//   AuthLDAPGroupAttributeIsDN on
//   AuthType Basic
//
//   Require valid-user
//
//   # Optionally require all MediaWiki users to be present in some LDAP group or be denied completely:
//   Require ldap-group CN=WikiUsers,OU=Groups,DC=my,DC=domain,DC=com
//
//   # Optionally force SSL to protect AD passwords:
//   RewriteEngine On
//   RewriteCond %{HTTPS} off
//   RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=permanent,L]
// </Directory>
//
// The following LocalSettings.php configuration coupled with the above should work against ActiveDirectory:
// $wgAuthRemoteuserGroups = $_SERVER['AUTHENTICATE_MEMBEROF'];
// $wgAuthRemoteuserGroupRegex = '/CN=([^,]+),[^;]*;?/'; // Uses the CN portion of the DN as the simple name
// $wgAuthRemoteuserOverwriteLocalGroups = true;
//
// Assuming you had an LDAP group like the following for wiki administrators:
//   CN=WikiAdmins,OU=Groups,DC=my,DC=domain,DC=com
// The regex would result in any members of that group in AD being added to a MediaWiki group named 'WikiAdmins' on login.
// You then might want to include something like the following in your LocalSettings.php to grant them admin rights:
//
// $wgAddGroups['WikiAdmins'] = true;
// $permsSysop = array(
//   'block', 'createaccount', 'editinterface', 'editusercss', 'edituserjs', 'importupload',
//   'move-rootuserpages', 'proxyunbannable', 'ipblock-exempt', 'blockemail', 'apihighlimits',
//   'noratelimit', 'versiondetail', 'mergehistory', 'userrights', 'siteadmin',
//   'delete', 'bigdelete', 'undelete', 'import', 'move', 'move-subpages', 'patrol', 'autopatrol',
//   'protect', 'rollback', 'trackback', 'reupload', 'reupload-shared', 'movefile', 'editprotected',
//   'deletedhistory', 'deletedtext', 'upload', 'reupload-own', 'unwatchedpages', 'upload_by_url',
//   'browsearchive', 'edit', 'createpage', 'createtalk', 'minoredit',
//   'autoconfirmed', 'emailconfirmed'
// );
// foreach($permsSysop as $perm) {
//   $wgGroupPermissions['WikiAdmins'][$perm] = true;
// }
//
// You can also assign different combinations of rights to (for example) a WikiEditors group.
//

//Extension credits that show up on Special:Version
$wgExtensionCredits['other'][] = array(
  'name' => 'AutomaticREMOTE USER',
  'version' => '1.1.3',
  'author' => array('Otheus Shelling', 'Rusty Burchfield', 'James Kinsman', 'Daniel Thomas', 'Ian Ward Comfort', "Zachary Bedell"),
  'url' => 'http://www.mediawiki.org/wiki/Extension:AutomaticREMOTE_USER',
  'description' => 'Automatically logs users using the REMOTE_USER environment variable.',
);

//We must allow zero length passwords. This extension does not work in MW 1.16 without this.
$wgMinimalPasswordLength = 0;

// The Auth_remoteuser class is an AuthPlugin so make sure we have this
// included.
require_once('AuthPlugin.php');

/**
 * This hook is registered by the Auth_remoteuser constructor. It will be
 * called on every page load. It serves the function of automatically logging
 * in the user. The Auth_remoteuser class is an AuthPlugin and handles the
 * actual authentication, user creation, etc.
 *
 * Details:
 * 1. Check to see if the user has a session and is not anonymous. If this is
 *    true, check whether REMOTE_USER matches the session user. If so, we can
 *    just return; otherwise we must logout the session user and login as the
 *    REMOTE_USER.
 * 2. If the user doesn't have a session, we create a login form with our own
 *    fake request and ask the form to authenticate the user. If the user does
 *    not exist authenticateUserData will attempt to create one. The login form
 *    uses our Auth_remoteuser class as an AuthPlugin.
 *
 * Note: If cookies are disabled, an infinite loop /might/ occur?
 */
function Auth_remote_user_hook() {
  global $wgUser;
  global $wgRequest;
  global $_REQUEST;
  global $wgAuthRemoteuserDomain;

  // For a few special pages, don't do anything.
  $title = $wgRequest->getVal('title');
  if (($title == Title::makeName(NS_SPECIAL, 'UserLogout')) ||
      ($title == Title::makeName(NS_SPECIAL, 'UserLogin'))) {
    return;
  }

  //Process the username if required
  if (!isset($_SERVER['REMOTE_USER'])) {
    return;
  }
  if (isset($wgAuthRemoteuserDomain) && strlen($wgAuthRemoteuserDomain)) {
    $username = str_replace("$wgAuthRemoteuserDomain\\", "", $_SERVER['REMOTE_USER']);
    $username = str_replace("@$wgAuthRemoteuserDomain", "", $username);
  } else {
    $username = $_SERVER['REMOTE_USER'];
  }

  // Check for valid session
  $user = User::newFromSession();
  if (!$user->isAnon()) {
    if ($user->getName() == Auth_remoteuser::getCanonicalName($username)) {
      return; // Correct user is already logged in.
    } else {
      $user->doLogout(); // Logout mismatched user.
    }
  }

  // Copied from includes/SpecialUserlogin.php
  if (!isset($wgCommandLineMode) && !isset($_COOKIE[session_name()])) {
    wfSetupSession();
  }

  // If the login form returns NEED_TOKEN try once more with the right token
  $tryagain = false;
  $trycount = 0;
  $token = '';
  do {
    $tryagain = false;
    // Submit a fake login form to authenticate the user.
    $params = new FauxRequest(array(
      'wpName' => $username,
      'wpPassword' => '',
      'wpDomain' => '',
      'wpLoginToken' => $token,
      'wpRemember' => ''
    ));

    // Authenticate user data will automatically create new users.
    $loginForm = new LoginForm($params);
    $result = $loginForm->authenticateUserData();
    switch ($result) {
      case LoginForm::SUCCESS:
        $wgUser->setOption('rememberpassword', 1);
        $wgUser->setCookies();
        break;
      case LoginForm::NEED_TOKEN:
        $token = $loginForm->getLoginToken();
        $tryagain = ($trycount == 0);
        break;
      case LoginForm::WRONG_TOKEN:
        $errormessage = 'WrongToken';
        break;
      case LoginForm::NO_NAME:
        $errormessage = 'NoName';
        break;
      case LoginForm::ILLEGAL:
        $errormessage = 'Illegal';
        break;
      case LoginForm::WRONG_PLUGIN_PASS:
        $errormessage = 'WrongPluginPass';
        break;
      case LoginForm::NOT_EXISTS:
        $errormessage = 'NotExists';
        break;
      case LoginForm::WRONG_PASS:
        $errormessage = 'WrongPass';
        break;
      case LoginForm::EMPTY_PASS:
        $errormessage = 'EmptyPass';
        break;
      default:
        $errormessage = 'Unknown';
        break;
    }
    if ($result != LoginForm::SUCCESS && $result != LoginForm::NEED_TOKEN) {
      error_log('Unexpected REMOTE_USER authentication failure. Login Error was:' . $errormessage);
    }
    $trycount++;
  } while ($tryagain);

  return;
}

class Auth_remoteuser extends AuthPlugin {

  function Auth_remoteuser() {
    // Register our hook function. This hook will be executed on every page
    // load. Its purpose is to automatically log the user in, if necessary.
    if (isset($_SERVER['REMOTE_USER']) && strlen($_SERVER['REMOTE_USER'])) {
      global $wgExtensionFunctions;
      if (!isset($wgExtensionFunctions)) {
        $wgExtensionFunctions = array();
      } else if (!is_array($wgExtensionFunctions)) {
        $wgExtensionFunctions = array( $wgExtensionFunctions );
      }
      array_push($wgExtensionFunctions, 'Auth_remote_user_hook');
    }
    return;
  }

  /**
   * Disallow password change.
   *
   * @return bool
   */
  function allowPasswordChange() {
    return false;
  }

  /**
   * This should not be called because we do not allow password change. Always
   * fail by returning false.
   *
   * @param $user User object.
   * @param $password String: password.
   * @return bool
   * @public
   */
  function setPassword($user, $password) {
    return false;
  }

  /**
   * We don't support this but we have to return true for preferences to save.
   *
   * @param $user User object.
   * @return bool
   * @public
   */
  function updateExternalDB($user) {
    return true;
  }

  /**
   * We can't create external accounts so return false.
   *
   * @return bool
   * @public
   */
  function canCreateAccounts() {
    return false;
  }

  /**
   * We don't support adding users to whatever service provides REMOTE_USER, so
   * fail by always returning false.
   *
   * @param User $user
   * @param string $password
   * @return bool
   * @public
   */
  function addUser($user, $password) {
    return false;
  }

  /**
   * Pretend all users exist. This is checked by authenticateUserData to
   * determine if a user exists in our 'db'. By returning true we tell it that
   * it can create a local wiki user automatically.
   *
   * @param $username String: username.
   * @return bool
   * @public
   */
  function userExists($username) {
    return true;
  }

  /**
   * Check whether the given name matches REMOTE_USER.
   * The name will be normalized to MediaWiki's requirements, so
   * lower it and the REMOTE_USER before checking.
   *
   * @param $username String: username.
   * @param $password String: user password.
   * @return bool
   * @public
   */
  function authenticate($username, $password) {
    global $_SERVER;
    global $wgAuthRemoteuserAuthz;
    global $wgAuthRemoteuserDomain;

    if (isset($wgAuthRemoteuserAuthz) && $wgAuthRemoteuserAuthz != true)
      return false;

    if (!isset($_SERVER['REMOTE_USER'])) {
      return false;
    }
    if (isset($wgAuthRemoteuserDomain) && strlen($wgAuthRemoteuserDomain) > 0) {
      $usertest = str_replace("$wgAuthRemoteuserDomain\\", "", $_SERVER['REMOTE_USER']);
      $usertest = str_replace("@$wgAuthRemoteuserDomain", "", $usertest);
    } else {
      $usertest = $_SERVER['REMOTE_USER'];
    }

    return (strtolower($username) == strtolower($usertest));
  }

  /**
   * Check to see if the specific domain is a valid domain.
   *
   * @param $domain String: authentication domain.
   * @return bool
   * @public
   */
  function validDomain($domain) {
    return true;
  }

  /**
   * When a user logs in, optionally fill in preferences and such.
   * For instance, you might pull the email address or real name from the
   * external user database.
   *
   * The User object is passed by reference so it can be modified; don't
   * forget the & on your function declaration.
   *
   * @param User $user
   * @public
   */
  function updateUser(&$user) {
    global $_SERVER;
    global $wgAuthRemoteuserName;
    global $wgAuthRemoteuserMail;
    global $wgAuthRemoteuserMailDomain;
    global $wgAuthRemoteuserNotify;
    global $wgAuthRemoteuserDomain;
    global $wgAuthRemoteuserGroups; // = $_SERVER['AUTHENTICATE_MEMBEROF'];
    global $wgAuthRemoteuserGroupRegex; // = '/CN=([^,]+),[^;]*;?/';
    global $wgAuthRemoteuserOverwriteLocalGroups; // true to remove existing groups from wm database

    // Account name used to build a default e-mail address below.
    $username = $user->getName();

    if (isset($wgAuthRemoteuserName))
      $user->setRealName($wgAuthRemoteuserName);
    else
      $user->setRealName('');

    if (isset($wgAuthRemoteuserMail))
      $user->setEmail($wgAuthRemoteuserMail);
    elseif (isset($wgAuthRemoteuserMailDomain))
      $user->setEmail($username . '@' . $wgAuthRemoteuserMailDomain);
    else
      $user->setEmail($username . "@example.com");

    $user->mEmailAuthenticated = wfTimestampNow();
    $user->setToken();

    //turn on e-mail notifications
    if (isset($wgAuthRemoteuserNotify) && $wgAuthRemoteuserNotify) {
      $user->setOption('enotifwatchlistpages', 1);
      $user->setOption('enotifusertalkpages', 1);
      $user->setOption('enotifminoredits', 1);
      $user->setOption('enotifrevealaddr', 1);
    }

    // See if we want groups
    if (isset($wgAuthRemoteuserGroups)) {
      if (isset($wgAuthRemoteuserGroupRegex)) {
        // We've got a regex to split on
        preg_match_all($wgAuthRemoteuserGroupRegex, $wgAuthRemoteuserGroups, $groupMatches);
        if (count($groupMatches) == 2 && count($groupMatches[1]) > 0) {
          $groupMatches = $groupMatches[1];
        } else {
          // Didn't find any groups at all. Should we log an error or just ignore?
          $groupMatches = array();
        }
      } else {
        /* No regex, so let's be a bit tricky. If the string contains semicolons, it's
         * probably a list of DN's from LDAP, so we should split on that and give the full DN's.
         * If not, let's assume it's just a comma separated list and run with it.
         * And if it's not either of those, you'd better set a regex...
         */
        if (FALSE === strstr($wgAuthRemoteuserGroups, ';')) {
          // No semi's
          $groupMatches = explode(',', $wgAuthRemoteuserGroups);
        } else {
          $groupMatches = explode(';', $wgAuthRemoteuserGroups);
        }
        // Trim each entry, as described in the header comments.
        $groupMatches = array_map('trim', $groupMatches);
      }

      // Remove existing groups that user is no longer in (if so configured.)
      if ($wgAuthRemoteuserOverwriteLocalGroups) {
        $curGroups = $user->getGroups();
        foreach ($curGroups as $group) {
          if (FALSE === in_array($group, $groupMatches)) {
            // No longer in this group, so remove it.
            $user->removeGroup($group);
          }
        }
      }

      // Add in any new groups that aren't already present.
      $curGroups = $user->getGroups();
      foreach ($groupMatches as $group) {
        if (FALSE === in_array($group, $curGroups)) {
          $user->addGroup($group);
        }
      }
    }

    $user->saveSettings();
    return true;
  }

  /**
   * Return true because the wiki should create a new local account
   * automatically when asked to login a user who doesn't exist locally but
   * does in the external auth database.
   *
   * @return bool
   * @public
   */
  function autoCreate() {
    return true;
  }

  /**
   * Return true to prevent logins that don't authenticate here from being
   * checked against the local database's password fields.
   *
   * @return bool
   * @public
   */
  function strict() {
    return false;
  }

  /**
   * When creating a user account, optionally fill in preferences and such.
   * For instance, you might pull the email address or real name from the
   * external user database.
   *
   * @param $user User object.
   * @public
   */
  function initUser(&$user) {
    global $_SERVER;
    global $wgAuthRemoteuserDomain;

    if (isset($wgAuthRemoteuserDomain) && strlen($wgAuthRemoteuserDomain)) {
      $username = str_replace("$wgAuthRemoteuserDomain\\", "", $_SERVER['REMOTE_USER']);
      $username = str_replace("@$wgAuthRemoteuserDomain", "", $username);
    } else {
      $username = $_SERVER['REMOTE_USER'];
    }

    $user->setName($this->getCanonicalName($username));
    $user->saveSettings(); // Do we need to call this?

    $this->updateUser($user);
  }

  /**
   * Modify options in the login template. This shouldn't be very important
   * because no one should really be bothering with the login page.
   *
   * @param $template UserLoginTemplate object.
   * @public
   */
  function modifyUITemplate(&$template) {
    //disable the mail new password box
    $template->set('useemail', false);
    //disable 'remember me' box
    $template->set('remember', false);
    $template->set('create', false);
    $template->set('domain', false);
    $template->set('usedomain', false);
  }

  /**
   * Normalize user names to the MediaWiki standard to prevent duplicate
   * accounts.
   *
   * @param $username String: username.
   * @return string
   * @public
   */
  function getCanonicalName($username) {
    // lowercase the username
    $username = strtolower($username);
    // uppercase first letter to make MediaWiki happy
    $username = ucfirst($username);
    return $username;
  }
}
?>
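The header comments of the file above note that the CN-extracting regex assumes group simple names are unique. The following is an added example, not part of the posted extension, that runs that regex over a constructed memberOf string and compares it with mapping full DNs through an explicit list. The function names, the sample DNs and the lowercase string comparison of DNs are assumptions made for illustration.

```php
<?php
// Added example, not the extension's code. All DNs below are constructed.

// Regex from the post: captures the first CN= component of each DN.
$regex = '/CN=([^,]+),[^;]*;?/';

// Constructed memberOf value for a user who is NOT in the administrators
// group under OU=Groups, but is in another group that shares its CN.
$memberOf = 'CN=WikiAdmins,OU=Sandbox,DC=my,DC=domain,DC=com; '
          . 'CN=Staff,OU=Groups,DC=my,DC=domain,DC=com';

/** Group names as the posted regex extracts them (first CN of each DN). */
function groupsByRegex($regex, $memberOf) {
    preg_match_all($regex, $memberOf, $m);
    return isset($m[1]) ? array_values(array_unique($m[1])) : array();
}

/**
 * Hypothetical alternative: only DNs listed in $dnToGroup produce a wiki
 * group. Keys are lowercase DNs; this assumes the web server emits each DN
 * in one consistent textual form apart from letter case.
 */
function groupsByDnMap(array $dnToGroup, $memberOf) {
    $groups = array();
    foreach (explode(';', $memberOf) as $dn) {
        $key = strtolower(trim($dn));
        if ($key !== '' && isset($dnToGroup[$key])) {
            $groups[$dnToGroup[$key]] = true;
        }
    }
    return array_keys($groups);
}

// The one DN that is meant to confer the 'WikiAdmins' wiki group.
$dnToGroup = array(
    'cn=wikiadmins,ou=groups,dc=my,dc=domain,dc=com' => 'WikiAdmins',
);

$byRegex = groupsByRegex($regex, $memberOf);
$byMap   = groupsByDnMap($dnToGroup, $memberOf);

echo 'regex : ', ($byRegex ? implode(', ', $byRegex) : '(none)'), "\n";
echo 'DN map: ', ($byMap ? implode(', ', $byMap) : '(none)'), "\n";
```

With the regex, any directory group whose CN is WikiAdmins yields the wiki group that LocalSettings.php grants rights to, whichever OU it sits in; the DN map grants it only for the listed DN.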
Wiki Admin
When enabling this extension, the Wiki Admin account, which exists out of my LDAP authentication environment, cannot be accessed due to the absence of a login form. Is there a method by which I can access this account while the extension is active? --Enterprise user 19:51, 24 January 2011 (UTC)
- Facing the same problem, I enabled the extension, had my account auto-created, and then disabled it. Then I logged in as sysop, granted my newly-created account Bureaucrat and sysop permissions, and re-enabled the extension. Would this work for you as well? Ethan1701 17:11, 30 January 2011 (UTC)
- Don't see why that wouldn't work; thanks! The only issue I see with this solution is that modifications made by me to the Wiki won't appear with the username Admin; I suppose I could live with that. --Enterprise user 17:38, 31 January 2011 (UTC)
Full name (AUTHENTICATE_CN) not getting populated
I installed this extension without a hitch. Works well. However, it's not populating the Real Name field for the user. The segment of code that's meant to do it, as best I can tell, is
if (isset($wgAuthRemoteuserName))
$user->setRealName($wgAuthRemoteuserName);
else
$user->setRealName('');
Though I can confirm that $_SERVER["AUTHENTICATE_CN"] does in fact have a value, it's not being passed through. Might the fact it's in Hebrew affect things?
Is there any way I can remove the user in order to modify and test the code? Ethan1701 17:17, 30 January 2011 (UTC)
- How do you find out if the $_SERVER["AUTHENTICATE_CN"] variable is being populated? It's not in my phpinfo(). I'm using IIS7 as my web server; is there any way to configure it to populate the variable?
- Thanks for any help - Boozelclark 07:00, 20 May 2011 (UTC)
Problem with the Extension
When enabling this extension I get the following ErrorMessage:
Fatal error: Cannot make non static method AuthPlugin::getCanonicalName() static in class Auth_remoteuser in /var/www/wiki/extensions/Auth_remoteuser/Auth_remoteuser.php on line 202
What can I do to make it work? --Bayano 14:48, 23 March 2011 (UTC)
Require Once issue
The LocalSettings.php require line is out of date and should be updated to this:
require_once($IP . '/extensions/Auth_remoteuser/Auth_remoteuser.php');
--16:48, 6 April 2011 (UTC)
Unable to modify username
This extension worked beautifully right out of the box. Thank you. I'm now trying to modify the automatically generated usernames. Right now, usernames are defaulting to name@domain.com. (I've noticed that the extension tries to strip out the @domain.com, but it's not working.) Having the domain in there creates a few problems, so I'm trying to truncate the username to "name". I've tried:
$username = strstr( $username, '@', true);
in both the Auth_remote_user_hook and initUser functions, but it did nothing. If I log out and visit another page, it logs me back in as name@domain. Any suggestions? MatthewBurton 21:48, 1 July 2011 (UTC)
- Fixed. I hadn't changed my $wgAuthRemoteuserDomain value from NETBIOSDOMAIN (line 80). Once I replaced that with my own domain, everything worked perfectly. MatthewBurton 21:29, 6 July 2011 (UTC)
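The domain stripping discussed in this thread, and in "login problems with wrong REMOTE_USER" above, relies on case-sensitive str_replace() calls that match the domain string anywhere in REMOTE_USER. The following added example, which is not the extension's code, shows an anchored, case-insensitive variant that also rejects names from any other domain. The function name normalizeRemoteUser(), the domain CORP and the sample values are hypothetical.

```php
<?php
// Added example, not the extension's code. Domain and inputs are constructed.

/**
 * Turn a REMOTE_USER value into a bare account name, or return null when the
 * value does not belong to the expected domain.
 */
function normalizeRemoteUser($remoteUser, $domain) {
    $name   = trim($remoteUser);
    $prefix = $domain . '\\';
    $suffix = '@' . $domain;

    if (strncasecmp($name, $prefix, strlen($prefix)) === 0) {
        // DOMAIN\user: matched at the start only, ignoring letter case.
        $name = (string) substr($name, strlen($prefix));
    } elseif (strlen($name) > strlen($suffix)
        && strcasecmp(substr($name, -strlen($suffix)), $suffix) === 0) {
        // user@DOMAIN: matched at the end only, ignoring letter case.
        $name = (string) substr($name, 0, -strlen($suffix));
    }

    // A name that still carries a domain separator came from another realm
    // (or is malformed); do not map it onto a local account.
    if ($name === '' || strpbrk($name, '\\@') !== false) {
        return null;
    }

    // Same shape as the posted getCanonicalName(), plus the
    // underscore-to-space rule MediaWiki applies to user names.
    return ucfirst(strtolower(str_replace('_', ' ', $name)));
}

// Constructed inputs covering the cases raised on this page.
$samples = array(
    'CORP\\jdoe',            // NetBIOS-style prefix
    'corp\\JDoe',            // same account, different letter case
    'jdoe@CORP',             // suffix form
    'j_doe@corp',            // underscore in the account name
    'OTHER\\jdoe',           // different domain
    'jdoe@corp.example.org', // domain string is only a prefix of the realm
    '',                      // empty value
);

foreach ($samples as $value) {
    $result = normalizeRemoteUser($value, 'CORP');
    printf("%-26s => %s\n", var_export($value, true),
        $result === null ? 'rejected' : $result);
}
```

Running the same function in the login hook, in authenticate() and in initUser() keeps all three in agreement about which wiki account a given REMOTE_USER maps to.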
Solved: $wgAuthRemoteuserName and $wgAuthRemoteuserMail inappropriately set:
Line 71 sets the variable during a ternary check even if $_SERVER["AUTHENTICATE_CN"] is NOT set:
$wgAuthRemoteuserName = isset( $_SERVER["AUTHENTICATE_CN"] ) ? $_SERVER["AUTHENTICATE_CN"] : '';
The ternary check should set $wgAuthRemoteuserName to 'null' when $_SERVER["AUTHENTICATE_CN"] is not set:
$wgAuthRemoteuserName = isset( $_SERVER["AUTHENTICATE_CN"] ) ? $_SERVER["AUTHENTICATE_CN"] : null;
Otherwise, the later check in initUser line 374 succeeds where it should fail:
if ( isset( $wgAuthRemoteuserName ) ) {
$user->setRealName( $wgAuthRemoteuserName );
} else {
$user->setRealName( '' );
}
This is also true of $wgAuthRemoteuserMail check. --Secmanz 02:43, 8 October 2011 (UTC)
Error messages as of MediaWiki 1.18
Date: 8 January 2012
The following errors turn up in the Apache log file after installing MediaWiki 1.18.0 although everything works fine:
PHP Strict Standards: Declaration of Auth_remoteuser::modifyUITemplate() should be compatible with that of AuthPlugin::modifyUITemplate() in /volume1/web/w/extensions/Auth_remoteuser/Auth_remoteuser.php on line 202, referer: https://MyServer/MyWikiPage
PHP Strict Standards: Declaration of Auth_remoteuser::addUser() should be compatible with that of AuthPlugin::addUser() in /volume1/web/w/extensions/Auth_remoteuser/Auth_remoteuser.php on line 202, referer: https://MyServer/MyWikiPage
PHP Strict Standards: Declaration of Auth_remoteuser::initUser() should be compatible with that of AuthPlugin::initUser() in /volume1/web/w/extensions/Auth_remoteuser/Auth_remoteuser.php on line 202, referer: https://MyServer/MyWikiPage
I use the following versions:
MediaWiki 1.18.0 (r108167)
PHP 5.3.3 (apache2handler)
MySQL 5.1.49
AutomaticREMOTE USER 1.1.4 (r108355)