Extension:Windows NTLM LDAP Auto Auth

Introduction
Having seen the functionallity of Media WIKI I wanted to use the system as a way of document control within our IT department. We wanted to have the authentication and group security controlled by our Active Directory domain. After messing with the auth plugin's written by others I found that none of them suited our way of working so I decided to write our own, and this is the result.

Feature set
This auth plugin is based on Rusty Burchfield's Extension:AutomaticREMOTE_USER and Ryan Lane's Ldap.


 * Allow Windows Active Directory domain verification of the IIS authenticated user.
 * Creates internal WIKI accounts and imports LDAP fields. (mail,firstname,surname)
 * Connects to Windows Global Catalog to allow support for multiple domains / forests.
 * Permission / Security control of which LDAP groups can access the WIKI.
 * Permission / Security mapping of LDAP groups to internal wiki groups.
 * Nested group support.
 * Automatic creation of internal WIKI groups, and user membership.
 * Removal of Login / Logout access & buttons.
 * No anonymous access.

Permission mapping may also require Extension:Group_Based_Access_Control to provide granular access to pages within the WIKI.

Please note that access control cannot be 100% effective within the WIKI please see Security_issues_with_authorization_extensions

Tested on

 * MediaWIKI 1.13.0rc2
 * PHP 5.2.6 (isapi)
 * MySQL 5.0.67-community-nt
 * IIS 5.1

Installation

 * Install Php using isapi feature (CGI not needed)
 * Configure IIS to use php5isapi.dll for .php extentions
 * Configure IIS to do the Authentication (disable anonymous access).
 * Edit settings within LocalSettings.php to suit your windows environment.
 * Add the following lines to your LocalSettings.php
 * Copy WinNTLMLDAPAutoAuth.php in your extension dir.

Add this if you want to disable anonymous access OPTIONAL
The following additions are required to lock down the WIKI to prevent basic security issues.

In this configuration the four groups within AD are mapped to sysop, bureaucrat, user and wiki restricted. Below is the config to :-


 * Disable anonymous access.
 * Standard users can only read.
 * Bureaucrats can edit.
 * Remove the login / logout buttons.
 * Prevent anyone from creating accounts as extension uses Windows Active Directory exclusively.
 * Users are by default not 'autoconfirmed' users.

Make a new file in extensions/WinNTLMLDAPAutoAuth.php
Just paste in the following lines

1.16 Installation notes

 * Replace /includes/specials/SpecialUserLogin.php with the file from Mediawiki 1.15.2 (see Honza's note on the Talk/Discussion page)
 * As the extension does not use passwords, you must set $wgMinimalPasswordLength = 0; in LocalSettings.php

Other recommendations
Whilst developing this auth plugin we also looked at changing the skin to suit a more professional environment. We came across the GuMax Skin which with a few tweaks to the colors then suited our internal look and feel.

Visit Paul Gu's wiki at

Question (zamoth) : it is said above that PHP Isapi module is used ...
I just installed the component while installing php, but did not configure anything. I don't know if this is enough, or if there is anything to do.

Answer (crushKing) : it is said above that PHP Isapi module is used ...
Yes you need to set the php to work via Isapi and add to the php the ldap extension (I added also mysql for my sql server) After setting php to use the isapi you need to set the mediawiki virtual folder to use the isapi filter (direct it to \php5isapi.dll), this is as far as those settings go.

What I Did (zamoth)
I just re installed php, and told it to use ISAPI instead of CGI. I edited php.ini and made the following changes : - fixed path, as said in MediaWiki installation, (upload_tmp_dir="C:\PHP\uploadtemp" & session.save_path="C:\PHP\sessiondata") - Installed : php_ldap + php_mcrypt + php_mhash + php_mysql + php_openssl (all are in php.ini at the bottom) I hope this is the correct installation - I copied php.ini to my %windir% directory ... else it was not working

Answer (zamoth) : this is the original ldap search request :
$filter = "(&(|(mail=" . $NTLMusername . "*)(anr=" . $NTLMusername . "))(mailnickname=*)(objectCategory=person)(objectClass=user))"; The search query is kind of awekward. I changed it by using sAMAccountName, wich is more accurate ... It has also the benefit of having only one answer in an Active Directory architecture $filter = "(&(sAMAccountName=". $NTLMusername. ")(objectCategory=person)(objectClass=user))";

Question (zamoth) : unsing media Wiki 1.14 + this plugin only ... I have groups problems

 * Groups don't get updated ... if I change AD rights, wikimedia do not update rights
 * groups:permissions does not work anymore. I get a Enter a user name but it does not work afterwards ...

Note (zamoth)
I do not experience these problemes anymore ... and I have done noting !!?!!

Minor bug fix
you should change the line: header("Location: http://" . $_SERVER['SERVER_NAME'] . "/index.php?title=Main_Page"); to: header("Location: http://" . $_SERVER['SERVER_NAME'] . $_SERVER['PHP_SELF']);

this path was invalid in my configuration. this should, and does in mine, go back to whatever the default home page is in whatever folder its in.

Question (nim278) : Usernames without domain
I need to set this up so that the domain does not pass through to the username. Any suggestions how I could modify the code so that the user in the wiki is "username" rather than "DOMAIN\username"?

67.97.209.36 20:04, 4 June 2009 (UTC)

Answer (tomv564)
You will need to make the following changes to WinNTLMLDAPAutoAuth.php: $pos = strpos($temp, '\\'); $username = substr($temp, $pos); You can remove line 426: $pos = strpos($username, chr(92)) - 1; And use 0 for $pos on the following lines: for ($i = 0; $i < (strlen($username) - 1); $i++) { if ($i <= 0) { $username[$i] = strtoupper($username[$i]); } else { $username[$i] = strtolower($username[$i]); } }
 * In the hook, before a FauxRequest is created for the LoginForm (line 63) you will want to remove the domain from $username - something like:
 * The extension's getCanonicalName function (line 391) reformats the $username once again to title case (eg. FLastname -> Flastname).

Question (nvr8981) : All users considered a Restricted User
I have configured the LDAP settings just as the directions have asked, however the site does not pick up the AD rights of any of the groups. They are all considered Restricted Users. Anyone have any ideas?