Extension:IIS REMOTE USER AD-LDAP

What can this extension do?
This auth plugin is based on Rusty's Extension:AutomaticREMOTE_USER, but optimized for Microsoft IIS (6) environments with active directory configuration. It automatically logs users in using the IIS REMOTE_USER environment variable. Then it gets the user's real name and email via LDAP from MS active directory. It is prepared for multiple active directory domain controller (for failover) and also multiple domains.

Installation

 * Configure IIS to do the Authentication (disable anonymous access).
 * Copy Auth_remoteuser_iis.php in your extension dir.
 * Make the necessary changes to the LocalSettings.php

Changes to LocalSettings.php
Of course you also need to set some parameters in the local settings. One drawback is, due to the fact that the password for the user isn't passed on to PHP, you'll have to configure a domain user plus password to authenticate against LDAP. It is not nice to have passwords in plaintext in configfiles, but I can't think of a better way to do it. So I recommend to set up a special user with no rights except the ones required to execure readonly LDAP queries. The concept and syntax is borrowed from the LDAP auth plugin.

Here is the big setup with 2 different domains and 2 LDAP servers per domain. DOM1 and DOM2 are your simple domain names with the full domain names dom1.de and dom2.com. If $wgLDAPServerNames is not set, this extension should not do any LDAP stuff and behave like Extension:AutomaticREMOTE_USER.

To Do
Please feel free to test and improve this extension. I'm sure there are many things that won't work in non-standard environment jet. Here is my first wishlist. I'm new to Mediawiki extensions, so maybe these are very simple to do.


 * Find a way to suppress the logout button (without changing the skin)
 * Find a way to have the real name displayed instead of the REMOTE_USER (without changing the skin)
 * Port more functionality from Extension:LDAP_Authentication like the "Group based restrictions"