Extension:AuthDrupal

Overview
Signin integration for MediaWiki as slave of Drupal.

Reported to work using Drupal 4.7.x and 5.x, MediaWiki 1.9, 1.10.

This code supports single signin for users of a Drupal site and a MediaWiki site. It is set up so that users sign in to the Drupal site, and as a result they automatically become logged in to the wiki.

The code replaces the wiki's own log in/register/logout links with links to the drupal front page to to force users to go through Drupal. (See below.)

User entries are still created in the wiki's user table and are kept up to date on each login with email and real name.

The login integration works as follows: when the user signs in to Drupal, an extra cookie is created containing their identity. When the user visits the wiki, the wiki extension sees the cookie, extracts the username, and logs the user in. When the user logs out of the Drupal site, both the special cookie and any of the wiki's session cookies are removed so the user is also signed out of the wiki.

'''If you use this code and get it to work, please let me know. If you had to make changes other than database settings, please let me know that, too. Thanks!'''

Credits

 * This implementation started with the code written by TazzyTazzy (Mitch Schwenk)  available at: DCCwiki.


 * The code has changed a fair bit from the original. Modifications by Maarten van Dantzich.


 * Support for separate databases is based on Auth_phpBB.


 * For the rewrite, I looked at (and borrowed code from):
 * Auth_Shibboleth (ShibAuth) http://shibboleth.internet2.edu, /Shibboleth_Authentication
 * LdapAuthentication.php by Ryan Lane  LDAP_Authentication


 * Testing with Drupal 5.1 by Paul Coghlan


 * Testing with Drupal 5.1 and MediaWiki 1.10.1 by Michael Joseph

Bugs

 * Login/Logout links are modified based on the existence of the DRXtrArgs cookie, should instead be based on the actual user login status. To do this, the two login_link/logout_link hook functions should be combined, and inside the hook check for the cookie and/or $wgUser->getId != 0. Thinkling 21:08, 1 April 2007 (UTC)


 * Should not keep the cookie domain setting in two places. It's currently in LocalSettings.php and in Mediawiki.module.


 * Currently there's logout code in both Mediawiki.module and in AuthDrupal.php. The code is now the same, need to test if doing it in both places is truly redundant.


 * Passwords are currently not copied into the MW database. If you use this extension and then decide the run the wiki as a standalone app with its own login system, you'll have to have passwords reset/emailed for everyone. When MW 1.10 ships, should change code to use $wgUser->setInternalPassword


 * It's been reported that creating a new account in Drupal may log you in to the Drupal site, but does not call the hook function that sets the cookie necessary to log in to Mediawiki. If someone can confirm this and/or suggest a fix, please leave a note on the discussion page.


 * Users are matched based on usernames only. If you rename a user on the Drupal site, they will not be connected with their existing login in Mediawiki. If you delete a user and create a new one by the same name, Mediawiki will connect the new user with the old account of that name on the wiki side.

Missing Features

 * I have code implemented to disable editing of Real name and Email address in My Preferences but haven't gotten the patch in shape to be released yet.


 * No support for user groups yet. (I'd be very interested in patches that bring Drupal roles across.)


 * Does NOT handle someone changing their username on the Drupal end. That user will be regarded as a new user by the wiki next time they sign in.


 * Should replace the "You have to log in to edit pages" message from code; the right way to do this would be to create a file with localizable messages and load those into the message cache, as e.g. Extension:Linksearch does.


 * When user clicks over to the Drupal page to log in, there's no mechanism to bring them back to the wiki page they came from. If anyone has tips on how to implement this, please leave a note on the talk page.

Comments or Feedback?
If you have comments, questions, or improvements, please drop me a note via the discussion page, or email me via my user page.

Files
Please download the necessary files from

Instructions
If you are reading this in an INSTALL.txt file, then these instructions are for the version of the files you have.

The latest version of these instructions and of the code can be found at.

phpinfo; you should find "--with-mcrypt" and/or an mcrypt section. If you don't find it, see section below on mcrypt.
 * Check whether PHP on your server supports mcrypt. Look at the output of

sudo apt-get install php5-mcrypt
 * On recent Ubuntu releases installing mcrypt is as easy as:

wiki/extensions/AuthDrupal/
 * download the AuthDrupal files and save or unpack them into

(look for $key = )
 * edit the key string in crypto.php to be something unique to your site

drupal/modules (yes, you want crypto.php in both places).
 * put Mediawiki.module, Mediawiki.info, and a copy of crypto.php into

file. Change the database settings to match your setup. Change the cookie domain name to the domain under which your Drupal and wiki are hosted. If drupal and mediawiki use the same database, just set $wgAuthDrupal_UseExtDatabase = false and ignore most of the _MySQL_ settings.
 * Add code in AddToLocalSettings.php to the end of your wiki/LocalSettings.php

what you have set in LocalSettings.php. If you have multiple wikis sharing the same Drupal login, create a block of settings for each wiki. If you only have one wiki, delete the second example settings.
 * Edit the settings at the top of Mediawiki.module so that each item matches

user clicks the Edit tab, do the following:
 * To get rid of the "You must log in to edit pages" notice when a non-logged-in

** Go to the article called "MediaWiki:Whitelistedittext". ** The edit box should be preloaded with this text: "You have to $1 to edit    pages." ** Change this to the following (replace the url with whatever you've set for    $wgAuthDrupal_LoginURL):

You have to log in to edit pages.


 * go into Drupal admin pages and enable the Mediawiki module

Things should work at this point. If behavior is funny at first, delete the cookies for your domain, and try it again with a fresh start.

Optional parts:

/wiki/index.php?title=Special:Userlogin&type=signup (TODO: document how to turn off account creation)
 * you may want to ensure that account creation is blocked. Try going to

that does not stop a savvy user from going to Special:Userlogin directly. You may want to edit .htaccess to redirect that URL. There are instructions for this at the bottom of this page: 
 * even though the extension can change the login/logout link to point to Drupal,

Replacing mcrypt
AuthDrupal uses the mcrypt encryption package to make sure that the communication between Drupal and Mediawiki can't trivially be forged. (If it could be forged, anyone could make up a cookie and log in to the wiki as anyone else.)

If you don't have mcrypt installed, GNUpg may be a replacement? I haven't chased after this yet, would be interested to hear.

Controlling behavior
These are global variables you CAN set in LocalSettings.php to control how AuthDrupal behaves:

Edits to LocalSettings.php
Please see the file AddToLocalSettings.php in the tarball for code to add to your LocalSettings.php.

Edits for Drupal 5.3 and MediaWiki 1.11
To auto Authenticate into MW from drupal 5.3, I had to add 2 lines of code to AuthDrupal.php:

Find  and add   to the bottom line in the function. Add the same line to

And possibly also to

Change History

 * 0.4: Added support to allow multiple wikis sharing the same Drupal login front page; user is always logged in to all at the same time and logged out from all at the same time. Thinkling 23:12, 29 July 2007 (UTC)


 * 0.3.2: Fix for MW 1.10.1 and some code reformatting.


 * IP address check removed. Code used to check that user's IP address has remained the same between login to Drupal and visit to the wiki. This meant e.g. if you moved to another wifi network with your laptop, the authentication would fail such that the login/logout links at the op were in an inconsistent state. Thinkling 21:11, 1 April 2007 (UTC)