Extension:Plexcel

=Plexcel MediaWiki Plugin=

Note: This Plugin requires a commercial PHP extension that does not run on Windows at this time. Please review the Requirements section carefully.

The Plexcel MediaWiki Plugin seamlessly adds Active Directory authentication to MediaWiki. This plugin has the following features.


 * Active Directory Single Sign-On (SSO)
 * User Information Populated from Active Directory
 * Explicit Login with Username and Password
 * Windows Group Based Access Control Lists (ACLs)
 * Automatic Directory Location
 * No setup on Windows side required
 * Superior Security of Kerberos
 * Internationalization (I18N)

Authentication
The Plexcel MediaWiki Plugin can authenticate clients against Active Directory using Single Sign-On (SSO) or by explicit login using the standard login form.

The default behavior is to authenticate clients using SSO. Users will not need to repeatedly enter their username and password. Just visiting the site will trigger the browser to automatically authenticate the client and pass the user's information to the web server.

Alternatively, they may also use the standard login form. If the client does not support SSO (e.g. because they are not logged into the domain), authentication will fall back to the login form.

Windows Group Based Access Control List (ACL)
Restrict access to your Wiki to specific Windows groups. The full range of Windows group name forms may be used. These access checks are also very fast. Once the group names in the Wiki ACL have been resolved, no communication with the domain is required for subsequent requests.

NOTICE: Prior to version 2.6.0, this plugin used a 'page_acls' array that tried to restrict access to individual pages. That functionality has been replaced with a single 'wiki_acl' that restricts access to the entire Wiki. It was brought to our attention that, due to design limitations, it is currently not possible to safely implement content specific access controls in MediaWiki. If you are using one of these old versions of the plugin, please update to properly protect your Wiki content.

Automatic Directory Location
Plexcel will automatically locate AD servers. No configuration of the Plexcel module is necessary. If you have multiple AD servers, Plexcel will load balance between them (unless DNS is configured to do otherwise).

Easy Installation
Plexcel comes with an easy-to-use installer that will locate your AD server, create the necessary HTTP service account and set its password. After restarting Apache, just copy the PlexcelAuth directory into the MediaWiki extensions directory and add two lines to LocalSettings.php. No modifications on the Windows side are necessary. Installation takes only a few minutes.

=Installation=

Requirements
The following requirements must be satisfied for the Plexcel MediaWiki extension to work.
 * MediaWiki 1.9.3 or newer (older versions should work but they have not been tested)
 * The Plexcel PHP extension version 2.5.0 or later, also from IOPLEX Software. Plexcel has the following requirements:
 * Linux or FreeBSD on i386 or x86_64
 * PHP 4, 5.0, 5.1 or 5.2
 * Browsers that support Kerberos SSO (e.g. Internet Explorer)
 * Operator must have sufficient AD privileges to create the HTTP service account
 * Web server must have valid entries in DNS
 * Apache must support SSL if the login form is to be properly protected
 * Apache must run in a UTF-8 locale to support internationalized text
 * Time and date differences on all machines must be nominal (usually within 5 minutes)

For detailed Plexcel requirements and installation instructions please see the Plexcel Operator's Manual on the IOPLEX Software Support page.

Install Prerequisites
Install Apache (with SSL if you want the login form to be protected), PHP and any other prerequisites for MediaWiki. These packages should be installable from your package manager (e.g. yum on Red Hat Linux, apt-get on Ubuntu, /usr/ports on FreeBSD, etc).

Install Plexcel. See the Plexcel Operator's Manual for details.

Install MediaWiki.

Install the Extension
Download the plexcel-mediawiki-2.6.0.tar.gz file. Unpack the file and copy the PlexcelAuth directory into the MediaWiki extensions directory. This procedure is illustrated by the example command dialog below:

$ wget http://www.ioplex.com/d/plexcel-mediawiki-2.6.0.tar.gz
$ tar -xvzf plexcel-mediawiki-2.6.0.tar.gz
$ cp -a plexcel-mediawiki-2.6.0/PlexcelAuth mediawiki-1.9.3/extensions

Modifying LocalSettings.php
To activate the Plexcel MediaWiki plugin, add the following to the end of the MediaWiki LocalSettings.php file:

require_once('extensions/PlexcelAuth/PlexcelAuth.php');
$wgAuth = new PlexcelAuth;
$wgAuth->wiki_acl['Domain Users'] = true;

The plugin should now be fully functional. Try visiting a page with a suitable Kerberos-enabled browser. The user should be logged in automatically. Try clicking “log out” and manually entering alternative credentials. Then log out again and click on any page to resume SSO behavior. If any of this does not work, verify that the Plexcel examples still work and review the Plexcel Operator's Manual if they do not. If the Plexcel examples do not work, the MediaWiki plugin will not work.

Why doesn't the login form work?
If you have not set up SSL for Apache, the login form will not work by default. Either set up SSL for Apache or use the disable_encrypted_login option as shown below.

$wgAuth = new PlexcelAuth(NULL, array('disable_encrypted_login' => TRUE));

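Note that this option only affects the login form, whose username and password are then sent without SSL protection. It has no impact on SSO - Kerberos always encrypts sensitive data.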

Group Based Access Control
To restrict access to your Wiki to members of specific Windows groups, add those groups to the wiki_acl array in your LocalSettings.php, as in the following simple example:

require_once('extensions/PlexcelAuth/PlexcelAuth.php');
$wgAuth = new PlexcelAuth;
$wgAuth->wiki_acl['Domain Admins'] = true;

The above example restricts access to the Wiki to only users in the Domain Admins group. See the Plexcel MediaWiki Plugin Manual for detailed instructions regarding access controls.
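
The following is an added example, not part of the plugin or its documentation: a shell check that audits LocalSettings.php for the settings discussed on this page, namely the pre-2.6.0 page_acls array from the NOTICE above, the disable_encrypted_login option, and the groups listed in wiki_acl. The function name, the sample file and the shape of the page_acls line are assumptions; only the identifiers themselves come from the page.

```sh
#!/bin/sh
# Added example (not IOPLEX code): audit a LocalSettings.php for the Plexcel
# settings discussed on this page. Prints one finding per line.
audit_plexcel_settings() {
    # Ignore whole-line PHP comments so commented-out settings are not reported.
    active=$(grep -v -E '^[[:space:]]*(//|#)' "$1" || true)

    # Pre-2.6.0 per-page ACLs: replaced by wiki_acl, so flag any leftover use.
    if printf '%s\n' "$active" | grep -q 'page_acls'; then
        echo "WARN page_acls: replaced by wiki_acl in 2.6.0, update the plugin"
    fi

    # Option that lets the login form work without SSL.
    if printf '%s\n' "$active" | grep -E -i -q \
        "disable_encrypted_login['\"]?[[:space:]]*=>[[:space:]]*(true|1)"; then
        echo "WARN disable_encrypted_login: login form works without SSL"
    fi

    # List every group granted access so the ACL can be reviewed.
    acl_groups=$(printf '%s\n' "$active" | sed -n \
        "s/.*wiki_acl\[['\"]\([^'\"]*\)['\"]][[:space:]]*=[[:space:]]*[Tt][Rr][Uu][Ee].*/\1/p")
    if [ -n "$acl_groups" ]; then
        printf '%s\n' "$acl_groups" | sed 's/^/INFO wiki_acl group: /'
    else
        echo "INFO wiki_acl: no group entries found"
    fi
}

# Constructed sample configuration (not from a real site). The page_acls line
# is a hypothetical shape; only the identifier itself comes from the page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<?php
require_once('extensions/PlexcelAuth/PlexcelAuth.php');
$wgAuth = new PlexcelAuth(NULL, array('disable_encrypted_login' => TRUE));
// $wgAuth->wiki_acl['Domain Users'] = true;
$wgAuth->wiki_acl['Domain Admins'] = true;
$wgAuth->page_acls['Main Page'] = array('Domain Admins');
EOF

audit_plexcel_settings "$sample"
rm -f "$sample"
```

Run it against the live file with `audit_plexcel_settings /path/to/LocalSettings.php`; commented-out lines are skipped, so only settings that are actually in effect are reported.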