Extension:Windows NTLM LDAP Auto Auth

Introduction
Having seen the functionality of MediaWiki I wanted to use the system as a way of document control within our IT department. We wanted to have the authentication and group security controlled by our Active Directory domain. After experimenting with the auth plugins written by others I found that none of them suited our way of working, so I decided to write our own, and this is the result.

Feature set
This auth plugin is based on Rusty Burchfield's Extension:AutomaticREMOTE_USER and Ryan Lane's Ldap.


 * Allow Windows Active Directory domain verification of the IIS authenticated user.
 * Creates internal WIKI accounts and imports LDAP fields. (mail,firstname,surname)
 * Connects to Windows Global Catalog to allow support for multiple domains / forests.
 * Permission / Security control of which LDAP groups can access the WIKI.
 * Permission / Security mapping of LDAP groups to internal wiki groups.
 * Nested group support.
 * Automatic creation of internal WIKI groups, and user membership.
 * Removal of Login / Logout access & buttons.
 * No anonymous access.

Permission mapping may also require Extension:Group_Based_Access_Control to provide granular access to pages within the WIKI.

Please note that access control cannot be 100% effective within the WIKI; please see Security_issues_with_authorization_extensions.

Tested on

 * MediaWIKI 1.13.0rc2
 * PHP 5.2.6 (isapi)
 * MySQL 5.0.67-community-nt
 * IIS 5.1

Installation

 * Configure IIS to do the Authentication (disable anonymous access).
 * Copy WinNTLMLDAPAutoAuth.php into your extensions directory.
 * Edit the settings within WinNTLMLDAPAutoAuth.php to suit your Windows environment.
 * Add the following lines to your LocalSettings.php

LocalSettings additional configuration settings
The following additions are required to lock down the WIKI to prevent basic security issues.

In this configuration the four groups within AD are mapped to sysop, bureaucrat, user and wiki restricted. Below is the config to:


 * Disable anonymous access.
 * Standard users can only read.
 * Bureaucrats can edit.
 * Remove the login / logout buttons.
 * Prevent anyone from creating accounts, as the extension uses Windows Active Directory exclusively.
 * Users are by default not 'autoconfirmed' users.
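As an added example (not the page's own LocalSettings.php excerpt, which is not reproduced here), a LocalSettings.php fragment that implements the six points above using stock MediaWiki settings of the 1.13 era. The helper name hideLoginLinks, the autoconfirm thresholds, and the assumption that WinNTLMLDAPAutoAuth.php sets up $wgAuth itself are mine, not the page's.

```php
<?php
// Added example lock-down for LocalSettings.php; values marked "assumed" are not from the page.
require_once( "$IP/extensions/WinNTLMLDAPAutoAuth.php" );
// Assumed: the extension file configures $wgAuth itself (as AutomaticREMOTE_USER does);
// check WinNTLMLDAPAutoAuth.php rather than instantiating a class here.

// 1. No anonymous access. IIS already rejects unauthenticated requests, but the wiki
//    must not serve anything to the '*' group either (defence in depth).
$wgGroupPermissions['*']['read']          = false;
$wgGroupPermissions['*']['edit']          = false;
$wgGroupPermissions['*']['createaccount'] = false;

// 2. Standard users can only read. Rights are cumulative across groups, so revoke
//    editing on 'user' and re-grant it only on the groups that should have it.
$wgGroupPermissions['user']['read']       = true;
$wgGroupPermissions['user']['edit']       = false;
$wgGroupPermissions['user']['createpage'] = false;
$wgGroupPermissions['user']['createtalk'] = false;
$wgGroupPermissions['user']['upload']     = false;
$wgGroupPermissions['user']['move']       = false;

// 3. Bureaucrats (and sysops) can edit.
$wgGroupPermissions['bureaucrat']['edit']       = true;
$wgGroupPermissions['bureaucrat']['createpage'] = true;
$wgGroupPermissions['bureaucrat']['createtalk'] = true;
$wgGroupPermissions['sysop']['edit']            = true;

// 4. Nobody creates accounts through the wiki: accounts exist only for AD users
//    the extension provisions on first visit.
$wgGroupPermissions['user']['createaccount']  = false;
$wgGroupPermissions['sysop']['createaccount'] = false;

// 5. Users are not 'autoconfirmed' by default. Assumed thresholds: account age and
//    edit count a user must reach before MediaWiki promotes them implicitly.
$wgAutoConfirmAge   = 7 * 86400;
$wgAutoConfirmCount = 10;

// 6. Remove the login / logout buttons: with IIS + NTLM there is nothing to log in
//    or out of at the wiki level, and a visible logout link only confuses users.
$wgShowIPinHeader = false;
$wgHooks['PersonalUrls'][] = 'hideLoginLinks';   // hypothetical helper name
function hideLoginLinks( &$personal_urls, &$title ) {
    unset( $personal_urls['login'], $personal_urls['anonlogin'], $personal_urls['logout'] );
    return true;  // let other PersonalUrls hooks run
}
```

Because MediaWiki group rights are cumulative, any right left true on 'user' is inherited by every mapped AD group; after changing this file, check Special:ListGroupRights as an AD user from each mapped group to confirm the effective rights match the mapping above.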

Other recommendations
Whilst developing this auth plugin we also looked at changing the skin to suit a more professional environment. We came across the GuMax skin, which with a few tweaks to the colours suited our internal look and feel.

Visit Paul Gu's wiki at

Questions
Hi, I cannot find how to email questions to the author of this page, so I directly ask my questions on this page ... sorry for that.

I first installed MediaWiki on a Windows 2k3 server ... it took me 1 whole day. After that, I tried to configure this plugin but it doesn't seem to work :

Question (zamoth) : it is said above that PHP Isapi module is used ...
I just installed the component while installing php, but did not configure anything. I don't know if this is enough, or if there is anything to do.

Answer (crushKing) :
Yes you need to set the php to work via Isapi and add to the php the ldap extension (I added also mysql for my sql server). After setting php to use the isapi you need to set the mediawiki virtual folder to use the isapi filter (direct it to \php5isapi.dll), this is as far as those settings go.

What I done (zamoth) :
I just reinstalled php, and told it to use ISAPI instead of CGI. I edited php.ini and made the following changes :
 * fixed path, as said in MediaWiki installation (upload_tmp_dir="C:\PHP\uploadtemp" & session.save_path="C:\PHP\sessiondata")
 * Installed : php_ldap + php_mcrypt + php_mhash + php_mysql + php_openssl (all are in php.ini at the bottom)
I hope this is the correct installation.

Question (zamoth) : I don't know how to fill this line
Can you help me with it ?

Answer (crushKing) :
I also looked into this parameter and from what I understood this is a php internal parameter so you don't need to change it.

Question (zamoth) : I keep on having on my log
I don't know if the previous question has something to do with this message. I did fill in all the information needed : my config :

Answer (crushKing) :
You need to add the domain name before the user \ it works for me (also there is a spot in the extension itself where you need to insert your server name).

Question (zamoth) : IIS auth asking pop up before getting to my Wiki page
I'm logged on my computer, and the first time I connect to my wiki, I always get a Windows authentication pop up window ... this is a strictly IIS logon window. Is there any way to activate a full SSO ?

Answer (crushKing) :
This is the tricky part which confused me for some time and this is the solution which will also make it all work (if you followed the steps)

you should add :

this is all the 3 parts together IN THE RIGHT ORDER (and not as explained).

What I done (zamoth) :
The above text is quite confusing ... what to change and what to leave.

If I understand ... The WinNTLMLDAPAutoAuth.php should be left as it is, as said by Martin Siddall ... and all the rest should be inserted in LocalSettings.php. Instructions are not really clear.

Answers written by CrushKing
Well, I'm not the extension writer, but I'm trying to make it work as well, so I'll tell you what I found so far. I'm not a PHP pro either; I just started to work on it about a week ago.