Extension:LDAP Authentication/Kerberos Configuration Examples

The LdapAuthentication extension 1.2+ supports generic web server authentication in MediaWiki 1.6+; this allows for Kerberos authentication. For those in a transitional period, the extension supports a mixture of web server and password authentication if needed. This article will describe a few different ways to configure Apache, and a few different ways to configure the extension.

If you do not need LDAP support, and only need Kerberos support, this is not the extension for you; please see the HttpAuth extension. Note that the HttpAuth extension only does generic web server authentication; Kerberos specific configuration is up to you.

Parts of this extension are based upon the work of the SSL Authentication extension and the Shibboleth Authentication extension.

General configuration
The Apache setup requires mod_auth_kerb. The wiki setup requires a proxy agent and proxy agent password (anonymous searching is also supported). You cannot rely on the users' own credentials, because the user never binds to the LDAP server: Apache validates the Kerberos ticket and hands the extension nothing but the principal name in REMOTE_USER, so the directory lookup has to be done with the proxy agent's credentials.

Knowledge of how to use and configure Kerberos, and of how to obtain a keytab for the HTTP service principal, is out of the scope of this document and is treated as a prerequisite. Only directives that are specific to mod_auth_kerb are discussed. For detailed mod_auth_kerb documentation, see the mod_auth_kerb site.

Apache configuration
We will discuss two ways of configuring Apache for Kerberos login. The first is to protect the entire wiki, the second is to only protect a single page so that we can still allow password login.

These configurations assume that the mod_auth_kerb module is being loaded elsewhere.

Apache configuration for Kerberos protecting the entire wiki
The following can be configured at the global or virtual host level. SSLRequireSSL keeps the Negotiate token and the resulting MediaWiki session cookie off plaintext HTTP, and KrbMethodK5Passwd Off disables the Basic-auth password fallback, so user passwords never reach the web server. The keytab should be readable only by the user Apache runs as.

 SSLRequireSSL
 AuthType Kerberos
 AuthName "Kerberos Login"
 KrbMethodNegotiate On
 KrbMethodK5Passwd Off
 KrbAuthRealms EXAMPLE.COM
 Krb5KeyTab /etc/httpd/conf/keytab
 require valid-user

Apache configuration for allowing Kerberos login without protecting an entire wiki
The following configuration will only log a user in automatically when the user visits a wiki article called "Kerberos Login"; every other page stays reachable without a ticket, so the normal password login keeps working. This lets you mix password authentication domains with a Kerberos authentication domain. The directives are the same as above but are scoped to that one article with a Location block; the path must match the URL of the article on your wiki, which depends on $wgArticlePath and $wgScriptPath, so the /index.php/Kerberos_Login shown here is only an example.

 <Location /index.php/Kerberos_Login>
   SSLRequireSSL
   AuthType Kerberos
   AuthName "Kerberos Login"
   KrbMethodNegotiate On
   KrbMethodK5Passwd Off
   KrbAuthRealms EXAMPLE.COM
   Krb5KeyTab /etc/httpd/conf/keytab
   require valid-user
 </Location>

Basic LDAP extension configuration
The following example uses Active Directory.

 require_once( "$IP/extensions/LdapAutoAuthentication.php" );
 require_once( "$IP/extensions/LdapAuthentication.php" );

 $wgLDAPDomainNames = array( "exampleADDomain" );
 $wgLDAPServerNames = array( "exampleADDomain" => "example.adserver.com" );

 $wgLDAPAutoAuthDomain = "exampleADDomain";

 // The proxy agent does the directory lookups; the user never binds.
 $wgLDAPProxyAgent = array( "exampleADDomain" => "CN=proxy agent,OU=Domain_Users,DC=example,DC=com" );
 $wgLDAPProxyAgentPassword = array( "exampleADDomain" => "password" );
 $wgLDAPBaseDNs = array( "exampleADDomain" => "DC=example,DC=com" );

 $wgLDAPSearchAttributes = array( "exampleADDomain" => "samaccountname" );

 // REMOTE_USER will be in the form username@EXAMPLE.COM; if we
 // just chop off @EXAMPLE.COM, we have the username. You can change
 // this as needed.
 $wgLDAPAutoAuthUsername = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"] );

 // After all configuration options are set, tell the extension to enable
 // auto-authentication. This creates an instance of LdapAuthentication as $wgAuth.
 AutoAuthSetup();

Advanced LDAP extension configuration
The following will configure three domains: one domain pointing to OpenLDAP, another pointing to Active Directory, and a third using Kerberos authentication pointing to the same Active Directory.

The OpenLDAP domain will use straight binds, and the Active Directory domain will use proxy authentication.

This configuration assumes we are only Kerberos protecting a single page, like the last Apache configuration above.

 require_once( "$IP/extensions/LdapAutoAuthentication.php" );
 require_once( "$IP/extensions/LdapAuthentication.php" );

 $wgLDAPDomainNames = array( "exampleOLDomain", "exampleADDomain", "exampleADDomain-kerberos" );
 $wgLDAPServerNames = array(
 	"exampleOLDomain" => "example.olserver.com",
 	"exampleADDomain" => "example.adserver.com",
 	"exampleADDomain-kerberos" => "example.adserver.com"
 );

 // The OpenLDAP domain binds directly as the user (USER-NAME is substituted by the extension).
 $wgLDAPSearchStrings = array( "exampleOLDomain" => "uid=USER-NAME,ou=people,dc=example,dc=oldomain,dc=com" );

 $wgLDAPAutoAuthDomain = "exampleADDomain-kerberos";

 // Both Active Directory domains use the proxy agent for lookups.
 $wgLDAPProxyAgent = array(
 	"exampleADDomain" => "CN=proxy agent,OU=Domain_Users,DC=example,DC=addomain,DC=com",
 	"exampleADDomain-kerberos" => "CN=proxy agent,OU=Domain_Users,DC=example,DC=addomain,DC=com"
 );
 $wgLDAPProxyAgentPassword = array(
 	"exampleADDomain" => "password",
 	"exampleADDomain-kerberos" => "password"
 );
 $wgLDAPBaseDNs = array(
 	"exampleADDomain" => "DC=example,DC=addomain,DC=com",
 	"exampleADDomain-kerberos" => "DC=example,DC=addomain,DC=com"
 );

 $wgLDAPSearchAttributes = array(
 	"exampleADDomain" => "samaccountname",
 	"exampleADDomain-kerberos" => "samaccountname"
 );

 // REMOTE_USER will be in the form username@EXAMPLE.COM; if we
 // just chop off @EXAMPLE.COM, we have the username. You can change
 // this as needed. Only the Kerberos-protected article sets REMOTE_USER,
 // so guard the lookup to avoid an undefined-index notice elsewhere.
 $wgLDAPAutoAuthUsername = isset( $_SERVER["REMOTE_USER"] )
 	? preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"] )
 	: '';

 // After all configuration options are set, tell the extension to enable
 // auto-authentication. This creates an instance of LdapAuthentication as $wgAuth.
 AutoAuthSetup();
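The REMOTE_USER handling in both the basic and the advanced configuration above strips everything after the first @. That silently accepts a principal from any realm Apache ends up trusting (for instance through a cross-realm trust at the KDC), so bob@OTHER.REALM would be logged in as the local "bob", and it does no checking of the value that is then fed into the sAMAccountName search. The following is an added example, not code from the extension or from this page, of a stricter helper that can replace that line in LocalSettings.php; the function name ldapKerberosUsername, the allowed-realm list and the sample requests are made up for the example.

```php
<?php
// Added example (not part of the LdapAuthentication extension): derive the
// wiki username from REMOTE_USER with the checks the one-line preg_replace in
// the configuration above does not make. Returns '' when no auto-login should
// happen, which is the same value the original line yields on a page that is
// not Kerberos-protected, so password login is unaffected there.

/**
 * @param array    $server        The $_SERVER array (or a constructed copy).
 * @param string[] $allowedRealms Kerberos realms whose principals may log in.
 * @return string  Bare username, or '' if this request must not auto-login.
 */
function ldapKerberosUsername( array $server, array $allowedRealms ) {
	// Only the Kerberos-protected article sets REMOTE_USER (mixed setup).
	if ( !isset( $server['REMOTE_USER'] ) || $server['REMOTE_USER'] === '' ) {
		return '';
	}
	// Auto-login is only trustworthy over TLS. SSLRequireSSL enforces this in
	// Apache; failing closed here as well covers a misplaced directive.
	if ( empty( $server['HTTPS'] ) || $server['HTTPS'] === 'off' ) {
		return '';
	}
	// Expect exactly one user@REALM; anything else (no realm, a '/' instance
	// component, whitespace) is rejected rather than guessed at.
	if ( !preg_match( '/^([^@\/\s]+)@([A-Za-z0-9.\-]+)$/', $server['REMOTE_USER'], $m ) ) {
		return '';
	}
	list( , $user, $realm ) = $m;
	// Kerberos realms are case-sensitive; compare exactly against the allowlist
	// instead of chopping off whatever realm happens to be present.
	if ( !in_array( $realm, $allowedRealms, true ) ) {
		return '';
	}
	// Allow only characters that belong in a sAMAccountName lookup, so LDAP
	// filter metacharacters can never reach the proxy-agent search (belt and
	// braces on top of whatever escaping the extension does itself).
	if ( !preg_match( '/^[A-Za-z0-9._\-]+$/', $user ) ) {
		return '';
	}
	return $user;
}

// Constructed sample requests for a quick self-check: run "php thisfile.php".
$samples = array(
	array( 'HTTPS' => 'on',  'REMOTE_USER' => 'alice@EXAMPLE.COM' ),            // 'alice'
	array( 'HTTPS' => 'on',  'REMOTE_USER' => 'bob@OTHER.EXAMPLE.NET' ),        // ''  (foreign realm)
	array( 'HTTPS' => 'on',  'REMOTE_USER' => 'eve*)(objectClass=*@EXAMPLE.COM' ), // '' (filter metacharacters)
	array( 'HTTPS' => 'on' ),                                                    // ''  (no REMOTE_USER)
	array( 'HTTPS' => 'off', 'REMOTE_USER' => 'alice@EXAMPLE.COM' ),            // ''  (not over TLS)
);
foreach ( $samples as $s ) {
	var_export( ldapKerberosUsername( $s, array( 'EXAMPLE.COM' ) ) );
	echo "\n";
}
```

With the helper defined in LocalSettings.php, `$wgLDAPAutoAuthUsername = ldapKerberosUsername( $_SERVER, array( 'EXAMPLE.COM' ) );` replaces the preg_replace line and AutoAuthSetup() is still called afterwards exactly as above. The realm allowlist is the real security decision: it should contain only the realms whose accounts are supposed to map onto wiki accounts in $wgLDAPAutoAuthDomain.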

Configuration steps for article based Kerberos login

 * 1) Create an article called "Kerberos Login".
 * 2) Give it the content "#REDIRECT [[Main Page]]", so that users land on the main page once they have been logged in.
 * 3) Protect the article so that only administrators can edit it; anyone who can edit it can change where single-sign-on users are sent.
 * 4) Edit loginprompt in Special:Allmessages and add a link to the article, for example "[[Kerberos Login|Click here to use your Single Sign On credentials.]]".