Extension:LDAP Authentication/Smartcard Configuration Examples

The LdapAuthentication extension 1.1+ supports smartcard (SSL client) authentication in MediaWiki 1.6+. For those in a transitional period, the plugin supports a mixture of smartcard and password authentication if needed. This article will describe a few different ways to configure Apache, and a few different ways to configure the extension.

If you do not need LDAP support, and only need Smartcard/SSL authentication support, this is not the extension for you; please see the SSL Authentication extension.

Parts of this extension are based upon the work of the SSL Authentication extension and the Shibboleth Authentication extension.

What the extension does
The LDAP Authentication extension will do the following steps when using smartcard login:


 * 1) Apache verifies the smartcard is signed by a trusted CA, and pulls information from the card
 * 2) The LDAP extension gets the information about the card from Apache
 * 3) The LDAP extension then takes information from the card and searches the LDAP directory for the user, using proxy or anonymous credentials
 * 4) The LDAP extension gets the user entry, and uses an attribute from the entry to use as a MediaWiki username
 * 5) The extension then either pulls the user from the database and logs him/her in, or creates the user

When searching for the user, it is possible to add extra search string/attributes to ensure the user isn't disabled, or has any roles/attributes you require for the user to be logged in. It is also possible to check for group membership.

After the user is authenticated, it is possible to pull preference and other user/group information from LDAP. All features supported by password authentication should work for smartcard authentication.

General configuration
The Apache configuration will require mod_ssl or mod_nss. The LDAP extension configuration will require that you use a proxyagent and proxyagent password (anonymous searching is also supported). You cannot rely on user's credentials as the user never actually binds to the LDAP server.

For smartcard authentication to work at all, Apache must be setup to trust certain Certificate Authorities (CAs) for client authentication using the "SSLCACertificateFile" and "SSLCARevocationFile" directives. This may be a limiting factor if you are in a hosted environment as this can only be defined at the server or VirtualHost level.

Knowledge of how to setup https using mod_ssl/mod_nss is out of the scope of this document, and will be considered a prerequisite. Only directives that are smartcard specific will be discussed.

Apache configuration
In the below two Apache configurations, when a user accesses your wiki, they will automatically be logged in. With these configurations, you cannot mix password and smartcard authentication. The user will be required to have a smartcard.

Apache configuration for smartcard-protecting the entire server or virtual host
If your mod_ssl configuration is at the global or virtual host level, add the following directives after your other mod_ssl directives:

SSLVerifyClient require SSLVerifyDepth 1

SSLRequireSSL SSLCACertificateFile /path/to/CA.crt SSLCARevocationFile /path/to/CRLs.crl

Apache configuration for smartcard-protecting a wiki by directory
This will be *very* slow, as Apache will check the user's smartcard every time the user accesses any page below this location/directory. The following can be placed at the global, or virtual host level:

SSLCACertificateFile /path/to/CA.crt SSLCARevocationFile /path/to/CRLs.crl

 Options None AllowOverride None Order allow,deny Allow from all SSLRequireSSL SSLVerifyClient require SSLVerifyDepth 1 

Apache configuration for allowing smartcard login without protecting an entire server, virtual host or wiki
The following configuration will only log a user in automatically when a user visits a wiki article called "Smartcard Login". This allows you to mix password authentication domains and a smartcard authentication domain, or allows you to allow smart card login to a specific wiki without the overhead of the Location/Directory approach above.

SSLCACertificateFile /path/to/CA.crt SSLCARevocationFile /path/to/CRLs.crl

 SSLRequireSSL SSLVerifyClient require SSLVerifyDepth 10 

Basic LDAP extension configuration
The following example uses Active Directory.

Advanced LDAP extension configuration
The following will configure three domains: one domain pointing to openldap, another pointing to Active Directory, and a third using smartcard authentication pointing to the same Active directory.

The openldap domain will use straight binds, and the Active Directory domain will use proxy authentication.

This configuration requires SSLVerifyClient to be set in a location directive (the third apache setup above).

Configuration steps for article based smartcard login

 * 1) Create an article called "Smartcard Login"
 * 2) Add " #REDIRECT Main Page "
 * 3) Protect the article
 * 4) Edit loginprompt in Special:Allmessages and add:
 * Click here to log in with your smartcard.