Extension:Auth remoteuser

The Auth remoteuser extension automatically logs in users if they are already authenticated by an arbitrary remote source. The extension maps the given remote user name to an existing user name in the local wiki database (or creates it first if it has the permissions to do so). The external source takes full responsibility for authenticating that user.

This allows integration with the web server's built-in authentication system (for example via the  environment variable, which is set through HTTP-Auth, LDAP, CAS, PAM, etc.) or any other type of external authentication (SSL client auth, user accounts provided by different forum software, etc.).

Configuration
Take account of MediaWiki's global permissions for account creation ( or  ) inside your. At least one of them must be  for anonymous users to let this extension create accounts for users as of yet unknown to the wiki database. If you set this to, then automatic login works only for users who have a wiki account already.


 * Examples



Parameters
Add some of the following global variables to your  to adjust the extension's behaviour to your specific needs. Default values for each global are marked with the " " comment in the examples section.

Legacy parameters
You can still use all legacy parameters from versions prior, but their usage is deprecated in favour of the new parameters:

Provided hooks
When you need to process your remote user name before it can be used as an identifier into the wiki user list, for example to strip the realm of a Kerberos principal from the end, replace invalid characters, or blacklist some names, use the hook  provided by this extension. Have a look at MediaWiki's hook documentation on how to register additional functions to this hook. It provides the remote user name as first parameter, by reference, to the hook function. If the function returns, the remote user name will be ignored for automatic login. (See parameters,   or   for predefined filters which utilize this hook.)
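
The hook usage described above, as an added example that is not part of the original page or of the extension's code: a filter that strips the realm only when it is the expected one and refuses every other name. The hook name `AuthRemoteuserFilterUserName` and the `false` return value are assumptions about the extension, since the page text does not show them; `exampleFilterPrincipal()`, the deny list and the sample principals are hypothetical.

```php
<?php
// Added example for LocalSettings.php; not the extension's own code.
// Assumed: the hook name and "return false" semantics (elided on this page);
// exampleFilterPrincipal() and the deny list are hypothetical.

/**
 * Map "user@REALM" to a local name, or return null to refuse the login.
 * Only the expected realm is accepted, so a principal from another trusted
 * realm cannot collapse onto an existing local account of the same name.
 */
function exampleFilterPrincipal( string $principal, string $realm, array $denied ): ?string {
	// Exactly one "@", a conservative character set, no trailing newline (/D).
	if ( !preg_match( '/^([A-Za-z0-9._-]{1,64})@([A-Za-z0-9.-]+)$/D', $principal, $m ) ) {
		return null;
	}
	// Kerberos realm names are case-sensitive, so compare exactly.
	if ( $m[2] !== $realm ) {
		return null;
	}
	// Refuse names that must never be logged in automatically.
	if ( in_array( strtolower( $m[1] ), $denied, true ) ) {
		return null;
	}
	return $m[1];
}

// Realm taken from the ktpass command on this page.
$wgHooks['AuthRemoteuserFilterUserName'][] = static function ( &$username ) {
	$local = exampleFilterPrincipal(
		(string)$username,
		'CORP.DS.COMPANY.NET',
		[ 'administrator', 'guest', 'krbtgt' ]
	);
	if ( $local === null ) {
		return false; // remote name is ignored: no automatic login
	}
	$username = $local; // by reference: this is the name the wiki looks up
	return true;
};

// Constructed sample principals; runs only stand-alone from the CLI.
if ( PHP_SAPI === 'cli' && !defined( 'MEDIAWIKI' ) ) {
	$samples = [ 'alice@CORP.DS.COMPANY.NET', 'alice@OTHER.EXAMPLE', 'Guest@CORP.DS.COMPANY.NET', 'bob' ];
	foreach ( $samples as $p ) {
		$r = exampleFilterPrincipal( $p, 'CORP.DS.COMPANY.NET', [ 'guest' ] );
		printf( "%-28s => %s\n", $p, var_export( $r, true ) );
	}
}
```

Run stand-alone with the PHP CLI, only the first sample maps to a local name; the foreign realm, the denied name and the bare name without a realm all yield NULL.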

Configuring different remote sources

 * Setup  environment variable

This environment variable can be set by many different authentication systems and the configuration of these is heavily dependent on which one you are using. You can always use  to check the contents of   and to troubleshoot your setup. What follows are examples of different webserver environments and how to put a username into this environment variable.

Apache
Consult the Apache documentation for details. You can use,  ,  ,  ,   or any other authentication module that utilizes. Once you have verified that the  environment variable is being set to the proper username, continue with installation/configuration of the extension. Some examples:
 * For simple HTTP authentication add this :
 * The  environment variable is evaluated by the extension by default, so the following code is all you need in your  :
 * Setup HTTP SPNEGO with Vintella/Quest Authentication Services for your heterogeneous network, using :
 * Now the  environment variable contains the full principal name, so remove the realm from the username inside your   with:

Kerberos SSO AD
Prerequisites:


 * 1) mod_auth_kerb
 * 2) mod_auth_ldap
 * 3) mod_authnz_ldap

To install & enable them in Devuan:



Configure Kerberos in the OS (long story short):
 * 1) Join to AD domain:
      realm join corp.ds.company.net -U domain_user_with_rights_to_join --computer-ou="use dsquery computer in windows cmd domain joined machine to get the value" --verbose
 * 2) Generate keytab on Windows AD server cmd:
      ktpass -princ HTTP/en.mediawiki.company.net@CORP.DS.COMPANY.NET -mapuser mediawiki_windows_domain_user@CORP.DS.COMPANY.NET -pass mediawiki_windows_domain_user_secret_password -crypto all -ptype KRB5_NT_PRINCIPAL -out C:\Temp\en-mediawiki.keytab
      setspn -A HTTP/en.mediawiki.company.net@CORP.DS.COMPANY.NET mediawiki_windows_domain_user@CORP.DS.COMPANY.NET

Apache conf file:



It is required to use LDAP authorization together with Kerberos SSO if you want to get user information (email, real name) from AD.

The info from LDAP must be published to AUTHORIZE_ environment variables, so make sure you use those, not AUTHENTICATE_, in LocalSettings.php.

Using ldap-group did not publish environment variables for me, using ldap-attribute did (a bug in Apache?).

IIS
Depending on your version of Internet Information Services (IIS) Manager, your navigation may be slightly different. The instructions below are specified for a corporate server running IIS v7.5 on Windows Server 2008 R2 Enterprise. (Trust me, I wanted Linux and Apache but IT won't allow it)

To enable simple authentication navigate to the following paths.
 * 1) IIS
 * 2) (Server Name) > Sites > Default Web Site
 * 3) From "Features View", double-click "Authentication"
 * 4) Disable - "Anonymous Authentication"
 * 5) Enable - "Windows Authentication"  (HTTP 401 Challenge)

Known issues
This extension is managed as a project on Phabricator. There you can see a list of all known and still open issues. If there is no open task related to the problem/error you've encountered, then have a look at how to report errors.

Howto debug
Read the MediaWiki manual on debugging or take the following as a start:
 * 1) Enable logging by setting the  inside your   to a file to which your webserver has write access.
 * 2) Request your MediaWiki installation like you did when the error occurred. This extension logs all its output to the  channel into your log file.
 * 3) Inspect the log file and search for all lines starting with.
 * 4) Decide if you can fix the error by yourself or if it is related to how this extension works. If so, then have a look at how to report errors.

Report errors
Assemble relevant debugging information (relevant in the sense that others can reproduce the error) and:
 * Either read MediaWiki's howto on reporting bugs, or
 * create a new task on this extension's Phabricator project (if you have a Phabricator account), or
 * write an email to members of the Phabricator project, or
 * use this extension's talk page.

Contribute
You're welcome to enhance this extension. Read How_to_become_a_MediaWiki_hacker, grab one of the open issues from the Phabricator project (or create a new task) and upload your patch to this extension's Gerrit project. There you can also see:
 * a list of current extension maintainers with write access (if you have a Gerrit account),
 * a list of uploaded patch sets.

Feature requests
Just use the same workflow as with error reporting.