Extension:LDAP Authentication/Kerberos Configuration Examples

The LdapAuthentication plugin 1.2+ supports generic web server authentication in MediaWiki 1.6+; this allows for Kerberos authentication. For those in a transitional period, the plugin supports a mixture of web server and password authentication if needed. This article describes a few different ways to configure Apache, and a few different ways to configure the plugin.

If you do not need LDAP support, and only need Kerberos support, this is not the plugin for you; please see the See also section instead.

Parts of this plugin are based upon the work of the SSL Authentication plugin and the Shibboleth Authentication plugin. Links to those plugins are in the See also section.

General setup
The Apache setup will require mod_auth_kerb. The wiki setup will require that you use a proxy agent and proxy agent password (anonymous searching is also supported). You cannot rely on the user's credentials, as the user never actually binds to the LDAP server; the web server only passes the authenticated principal name to the wiki.

Knowledge of how to use and configure Kerberos and how to obtain a keytab is out of the scope of this document and is considered a prerequisite. Only directives that are mod_auth_kerb specific will be discussed. For detailed mod_auth_kerb documentation, see the mod_auth_kerb site.

Apache setup
We will discuss two ways of configuring Apache for Kerberos login. The first protects the entire wiki; the second protects only a single page, so that password login remains available for everyone else.

These configurations assume that the mod_auth_kerb module is being loaded elsewhere.

Apache configuration for Kerberos protecting the entire wiki
The following can be configured at the global or virtualhost level:

 SSLRequireSSL
 AuthType Kerberos
 AuthName "Kerberos Login"
 KrbMethodNegotiate On
 KrbMethodK5Passwd Off
 KrbAuthRealms EXAMPLE.COM
 Krb5KeyTab /etc/httpd/conf/keytab
 require valid-user

Apache setup for allowing Kerberos login without protecting an entire wiki
The following setup will only log a user in automatically when the user visits a wiki article called "Kerberos Login". The directives must be placed inside a container (for example a Location block) that matches only that article's URL, so that REMOTE_USER is set for that page and no other; every other page falls through to the plugin's normal password login. This lets you mix password authentication domains and a Kerberos authentication domain.

 # Match only the "Kerberos Login" article. The path below assumes the
 # default /index.php/Title URL layout; adjust it to your wiki's URLs.
 <Location "/index.php/Kerberos_Login">
 SSLRequireSSL
 AuthType Kerberos
 AuthName "Kerberos Login"
 KrbMethodNegotiate On
 KrbMethodK5Passwd Off
 KrbAuthRealms EXAMPLE.COM
 Krb5KeyTab /etc/httpd/conf/keytab
 require valid-user
 </Location>

General MediaWiki configuration
The following example uses Active Directory.

require_once( "$IP/extensions/LdapAutoAuthentication.php" );
require_once( "$IP/extensions/LdapAuthentication.php" );

$wgLDAPDomainNames = array( "exampleADDomain" );
$wgLDAPServerNames = array( "exampleADDomain" => "example.adserver.com" );

$wgLDAPAutoAuthDomain = "exampleADDomain";

$wgLDAPProxyAgent = array( "exampleADDomain" => "CN=proxy agent,OU=Domain_Users,DC=example,DC=com" );
$wgLDAPProxyAgentPassword = array( "exampleADDomain" => "password" );
$wgLDAPBaseDNs = array( "exampleADDomain" => "DC=example,DC=com" );

$wgLDAPSearchAttributes = array( "exampleADDomain" => "samaccountname" );

// REMOTE_USER will be in the form username@EXAMPLE.COM; if we
// just chop off @EXAMPLE.COM, we have the username. You can change
// this as needed.
$wgLDAPAutoAuthUsername = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"] );

// After we set all configuration options, we want to set up the Auto Auth plugin.
// This will create an instance of LdapAuthentication as $wgAuth.
AutoAuthSetup();

Advanced MediaWiki configuration
The following will set up three domains: one domain pointing to OpenLDAP, another pointing to Active Directory, and a third using Kerberos authentication pointing to the same Active Directory.

The OpenLDAP domain will use straight binds (the user's own credentials), and the Active Directory domains will use proxy authentication.

This configuration assumes we are only Kerberos protecting a single page, like the last Apache configuration above.

require_once( "$IP/extensions/LdapAutoAuthentication.php" );
require_once( "$IP/extensions/LdapAuthentication.php" );

$wgLDAPDomainNames = array( "exampleOLDomain", "exampleADDomain", "exampleADDomain-kerberos" );
$wgLDAPServerNames = array(
	"exampleOLDomain" => "example.olserver.com",
	"exampleADDomain" => "example.adserver.com",
	"exampleADDomain-kerberos" => "example.adserver.com"
);

// The OpenLDAP domain binds as the user directly; USER-NAME is replaced by the login name.
$wgLDAPSearchStrings = array( "exampleOLDomain" => "uid=USER-NAME,ou=people,dc=example,dc=oldomain,dc=com" );

$wgLDAPAutoAuthDomain = "exampleADDomain-kerberos";

// The two Active Directory domains search via a proxy agent.
$wgLDAPProxyAgent = array(
	"exampleADDomain" => "CN=proxy agent,OU=Domain_Users,DC=example,DC=addomain,DC=com",
	"exampleADDomain-kerberos" => "CN=proxy agent,OU=Domain_Users,DC=example,DC=addomain,DC=com"
);
$wgLDAPProxyAgentPassword = array(
	"exampleADDomain" => "password",
	"exampleADDomain-kerberos" => "password"
);
$wgLDAPBaseDNs = array(
	"exampleADDomain" => "DC=example,DC=addomain,DC=com",
	"exampleADDomain-kerberos" => "DC=example,DC=addomain,DC=com"
);

$wgLDAPSearchAttributes = array(
	"exampleADDomain" => "samaccountname",
	"exampleADDomain-kerberos" => "samaccountname"
);

// REMOTE_USER will be in the form username@EXAMPLE.COM; if we
// just chop off @EXAMPLE.COM, we have the username. You can change
// this as needed.
$wgLDAPAutoAuthUsername = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"] );

// After we set all configuration options, we want to set up the Auto Auth plugin.
// This will create an instance of LdapAuthentication as $wgAuth.
AutoAuthSetup();
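Both configurations above derive the wiki username by chopping everything after "@" off REMOTE_USER. That is fine while mod_auth_kerb accepts exactly one realm, but as soon as KrbAuthRealms lists several realms, or a cross-realm trust is in place, "alice@EXAMPLE.COM" and "alice@PARTNER.COM" would collapse onto the same wiki account. The following is an added example, not code from the extension or its documentation, of a stricter replacement for that line: it only auto-authenticates principals from an allow-listed realm and restricts the username to the characters a sAMAccountName-style login is expected to contain. The function name and the allow-list value are assumptions; the behaviour on a rejected principal (not setting $wgLDAPAutoAuthUsername so the plugin shows its normal login form) is an assumption about the plugin as well.

```php
<?php
// Added example for LocalSettings.php (not part of the LdapAuthentication plugin).
// Function name and the realm allow-list below are assumptions for illustration.

/**
 * Return the bare username if $remoteUser has the form "user@REALM" and REALM
 * is one of $allowedRealms; return null for anything else (no realm, empty
 * user, more than one "@", unexpected realm, or unexpected characters).
 */
function ldapKerberosUsername( $remoteUser, array $allowedRealms ) {
	if ( !is_string( $remoteUser ) || $remoteUser === '' ) {
		return null;
	}
	$parts = explode( '@', $remoteUser );
	if ( count( $parts ) !== 2 || $parts[0] === '' ) {
		return null;
	}
	list( $user, $realm ) = $parts;
	// Kerberos realm names are case-sensitive (conventionally upper case), so
	// compare exactly rather than case-insensitively.
	if ( !in_array( $realm, $allowedRealms, true ) ) {
		return null;
	}
	// Conservative allow-list for the login name: letters, digits, dot,
	// underscore and hyphen. Anything else (including LDAP filter
	// metacharacters such as '*', '(', ')' and '\') is rejected outright.
	if ( !preg_match( '/^[A-Za-z0-9._-]+$/', $user ) ) {
		return null;
	}
	// sAMAccountName lookups in Active Directory are case-insensitive, so
	// normalise to one spelling to get exactly one wiki account per principal.
	return strtolower( $user );
}

// Replacement for the preg_replace() line in the configurations above.
$kerberosUser = ldapKerberosUsername(
	isset( $_SERVER['REMOTE_USER'] ) ? $_SERVER['REMOTE_USER'] : null,
	array( 'EXAMPLE.COM' ) // the realm(s) you actually trust; assumed value
);
if ( $kerberosUser === null ) {
	// Not a principal we trust: do not auto-authenticate. Assumption: with
	// $wgLDAPAutoAuthUsername unset the plugin falls back to the password form.
	unset( $wgLDAPAutoAuthUsername );
} else {
	$wgLDAPAutoAuthUsername = $kerberosUser;
}
```

If you would rather have Apache do the realm handling, mod_auth_kerb's KrbLocalUserMapping directive strips the realm for principals of the local realm only; principals from other realms then still arrive with their "@REALM" suffix, which the plain preg_replace() line in the configurations above would silently discard, so a check like the one here remains useful either way.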

Configuration steps for article based Kerberos login

 1) Create an article called "Kerberos Login".
 2) Give it the content "#REDIRECT [[Main Page]]" so that a visitor is sent on after the web server has logged them in.
 3) Protect the article, so that the redirect target cannot be edited by ordinary users.
 4) Edit loginprompt in Special:Allmessages and add a link to the article, for example:
    [[Kerberos Login|Click here to use your Single Sign On credentials.]]