Extension:Windows NTLM LDAP Auto Auth

Introduction
Having seen the functionality of MediaWiki, I wanted to use it for document control within our IT department, with authentication and group security controlled by our Active Directory domain. After experimenting with the auth plugins written by others, I found that none of them suited our way of working, so I decided to write our own; this extension is the result.

Feature set
This auth plugin is based on Rusty Burchfield's Extension:AutomaticREMOTE_USER and Ryan Lane's LDAP authentication extension.


 * Allows Windows Active Directory domain verification of the IIS-authenticated user.
 * Creates internal wiki accounts and imports LDAP fields (mail, firstname, surname).
 * Connects to the Windows Global Catalog to support multiple domains / forests.
 * Permission / security control of which LDAP groups can access the wiki.
 * Permission / security mapping of LDAP groups to internal wiki groups.
 * Nested group support.
 * Automatic creation of internal wiki groups and user membership.
 * Removal of login / logout access and buttons.
 * No anonymous access.
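The nested group support and the LDAP-group-to-wiki-group mapping in the list above involve two pieces of logic worth seeing spelled out: a cycle-safe walk over AD group nesting, and a mapping step that refuses users who land in no mapped group. The block below is an added example written for this page, not the extension's own code. The DNs, the `memberOf` data and the group-to-wiki-group mapping are all constructed, and `restricted` is a hypothetical name for the "wiki restricted" group.

```php
<?php
// Added example, not the extension's own code: cycle-safe resolution of nested
// Active Directory group membership, followed by mapping the resolved AD groups
// onto wiki groups. All DNs below are constructed sample data.

// Stand-in for the 'memberOf' attribute as returned by a Global Catalog lookup:
// each entry (user or group) lists the groups it is a direct member of. Nesting
// is therefore a graph that can contain cycles, which a naive recursion would
// follow forever. jsmith reaches Wiki-Users only via IT-Helpdesk -> IT-Staff.
$memberOf = array(
    'CN=jsmith,OU=Users,DC=example,DC=local' => array(
        'CN=IT-Helpdesk,OU=Groups,DC=example,DC=local',
    ),
    'CN=IT-Helpdesk,OU=Groups,DC=example,DC=local' => array(
        'CN=IT-Staff,OU=Groups,DC=example,DC=local',
    ),
    'CN=IT-Staff,OU=Groups,DC=example,DC=local' => array(
        'CN=Wiki-Users,OU=Groups,DC=example,DC=local',
        'cn=it-helpdesk,ou=groups,dc=example,dc=local', // deliberate cycle, odd case
    ),
);

// Hypothetical AD group -> wiki group mapping; 'restricted' is a made-up name
// for the "wiki restricted" group mentioned on this page.
$groupMap = array(
    'CN=Wiki-Admins,OU=Groups,DC=example,DC=local'     => 'sysop',
    'CN=Wiki-Editors,OU=Groups,DC=example,DC=local'    => 'bureaucrat',
    'CN=Wiki-Users,OU=Groups,DC=example,DC=local'      => 'user',
    'CN=Wiki-Restricted,OU=Groups,DC=example,DC=local' => 'restricted',
);

// Breadth-first walk over memberOf. DNs are compared case-insensitively, and a
// 'seen' set guards against cycles (A member of B, B member of A is legal in AD).
function resolveNestedGroups( $dn, $memberOf ) {
    $byKey = array();
    foreach ( $memberOf as $entry => $parents ) {
        $byKey[strtolower( $entry )] = $parents;
    }
    $seen  = array();
    $queue = array( $dn );
    while ( count( $queue ) > 0 ) {
        $current = strtolower( array_shift( $queue ) );
        if ( !isset( $byKey[$current] ) ) {
            continue;
        }
        foreach ( $byKey[$current] as $parent ) {
            $key = strtolower( $parent );
            if ( isset( $seen[$key] ) ) {
                continue;
            }
            $seen[$key] = $parent;
            $queue[]    = $parent;
        }
    }
    return array_values( $seen );
}

// Map resolved AD groups to wiki groups. Returns an empty array when the user
// is in no mapped group; the caller must treat that as "no access" rather than
// falling through to a default group.
function mapToWikiGroups( $adGroups, $groupMap ) {
    $mapByKey = array();
    foreach ( $groupMap as $adDn => $wikiGroup ) {
        $mapByKey[strtolower( $adDn )] = $wikiGroup;
    }
    $wikiGroups = array();
    foreach ( $adGroups as $adDn ) {
        $key = strtolower( $adDn );
        if ( isset( $mapByKey[$key] ) ) {
            $wikiGroups[$mapByKey[$key]] = true;
        }
    }
    return array_keys( $wikiGroups );
}

$userDn     = 'CN=jsmith,OU=Users,DC=example,DC=local';
$adGroups   = resolveNestedGroups( $userDn, $memberOf );
$wikiGroups = mapToWikiGroups( $adGroups, $groupMap );
if ( count( $wikiGroups ) === 0 ) {
    // Not in any mapped AD group: refuse, and do not auto-create a wiki account.
    exit( "Access denied for $userDn\n" );
}
echo "$userDn -> " . implode( ', ', $wikiGroups ) . "\n";
```

Two practitioner notes. First, the deny branch matters: an auto-auth plugin that creates a wiki account for every IIS-authenticated user and only then consults the group map silently grants domain-wide read access, so the membership check has to run before account creation. Second, walking `memberOf` client-side costs one lookup per level of nesting; domain controllers from Windows Server 2003 SP2 onwards also support the `LDAP_MATCHING_RULE_IN_CHAIN` matching rule (OID `1.2.840.113556.1.4.1941`), which lets a single filter such as `(member:1.2.840.113556.1.4.1941:=<userDN>)` ask the server for transitive membership directly.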

Permission mapping may also require Extension:Group_Based_Access_Control to provide granular access to pages within the wiki.

Please note that access control cannot be 100% effective within the wiki: page content can still leak through features such as search, transclusion and export. See Security_issues_with_authorization_extensions before relying on it for anything sensitive.

Tested on

 * MediaWIKI 1.13.0rc2
 * PHP 5.2.6 (isapi)
 * MySQL 5.0.67-community-nt
 * IIS 5.1

Installation

 * Configure IIS to perform the authentication: enable Integrated Windows Authentication and disable anonymous access, so that the user name the extension trusts is always one IIS has authenticated.
 * Copy WinNTLMLDAPAutoAuth.php into your extensions directory.
 * Edit the settings within WinNTLMLDAPAutoAuth.php to suit your Windows environment.
 * Add the following lines to your LocalSettings.php

LocalSettings additional configuration settings
The following additions are required to lock down the wiki and prevent basic security issues.

In this configuration, four AD groups are mapped to the wiki groups sysop, bureaucrat, user and "wiki restricted". The configuration below:


 * Disables anonymous access.
 * Lets standard users only read.
 * Lets bureaucrats edit.
 * Removes the login / logout buttons.
 * Prevents anyone from creating accounts, since the extension uses Windows Active Directory exclusively.
 * Does not make users 'autoconfirmed' by default.
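The LocalSettings.php fragment below is an added example of how the six points above can be expressed with standard MediaWiki settings; it is not the configuration from the original page. It assumes the extension file has already been loaded and has set `$wgAuth` as the extension's own instructions describe, so only the lock-down part is shown. The group name `restricted` is a hypothetical name for the "wiki restricted" group, and `fnRemoveLoginLinks` is a helper written for this example.

```php
<?php
// Added example, not the configuration from the original page. Assumes the
// extension has been loaded and $wgAuth set per its own instructions; only
// the lock-down settings are shown. 'restricted' is a hypothetical group name.

// 1. No anonymous access. '*' applies to every visitor, logged in or not, so
//    the explicit grants for 'user' below are what authenticated users get.
$wgGroupPermissions['*']['read']          = false;
$wgGroupPermissions['*']['edit']          = false;
$wgGroupPermissions['*']['createaccount'] = false;

// 2. Standard users can only read.
$wgGroupPermissions['user']['read']       = true;
$wgGroupPermissions['user']['edit']       = false;
$wgGroupPermissions['user']['createpage'] = false;
$wgGroupPermissions['user']['createtalk'] = false;
$wgGroupPermissions['user']['upload']     = false;
$wgGroupPermissions['user']['move']       = false;

// 3. Bureaucrats can edit. Group rights are unioned per user, so a bureaucrat
//    (who is also in 'user') gets edit even though 'user' alone does not.
$wgGroupPermissions['bureaucrat']['edit']       = true;
$wgGroupPermissions['bureaucrat']['createpage'] = true;
$wgGroupPermissions['bureaucrat']['createtalk'] = true;

// 4. The "wiki restricted" group can read and nothing else. Restricting it to
//    particular pages is Extension:Group_Based_Access_Control's job, not this.
$wgGroupPermissions['restricted']['read'] = true;
$wgGroupPermissions['restricted']['edit'] = false;

// 5. Nobody creates accounts inside the wiki: accounts come from AD only.
//    sysop has createaccount by default, so it has to be switched off too.
$wgGroupPermissions['user']['createaccount']       = false;
$wgGroupPermissions['bureaucrat']['createaccount'] = false;
$wgGroupPermissions['sysop']['createaccount']      = false;

// 6. Users are never promoted to the implicit 'autoconfirmed' group: require
//    an account age and edit count that cannot be reached in practice.
$wgAutoConfirmAge   = 60 * 60 * 24 * 365 * 100;
$wgAutoConfirmCount = PHP_INT_MAX;

// 7. Remove the login / logout links. IIS performs the authentication and the
//    plugin logs the IIS-authenticated user in automatically, so the links
//    have no useful function. PHP 5.2 has no closures, hence a named function.
function fnRemoveLoginLinks( &$personal_urls, &$title ) {
    unset( $personal_urls['login'] );
    unset( $personal_urls['anonlogin'] );
    unset( $personal_urls['logout'] );
    return true;
}
$wgHooks['PersonalUrls'][] = 'fnRemoveLoginLinks';
```

Two checks are worth doing after applying this. Special:ListGroupRights shows the effective rights per group, which is the quickest way to confirm that `user` has lost edit and that no group kept createaccount. And an unauthenticated request to the site (for example from a machine outside the domain) should be answered by IIS with a 401, not with wiki content: if it is not, anonymous access is still enabled in IIS and the wiki-side `read` restriction is the only thing standing between the intranet and the pages.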

Other recommendations
Whilst developing this auth plugin we also looked at changing the skin to suit a more professional environment. We came across the GuMax skin, which with a few tweaks to the colours suited our internal look and feel.

Visit Paul Gu's wiki at

Questions
Hi, I cannot find how to email questions to the author of this page, so I am asking directly on this page ... sorry for that.

I first installed MediaWiki on Windows 2k3 ... it took me one whole day. After that, I tried to configure this plugin, but it doesn't seem to work:

 * Question 1 : it is said above that the PHP ISAPI module is used ...

I just installed the component while installing PHP, but did not configure anything. I don't know if this is enough, or if there is anything else to do.

 * Question 2 : I don't know how to fill in this line

Can you help me with it ?

 * Question 3 : I keep on having this in my log

I don't know if question 2 has something to do with this message. I did fill in all the information needed : my config :

 * Question 4 : the IIS auth pop-up appears before getting to my wiki page

I'm logged on to my computer, and the first time I connect to my wiki, I always get a Windows authentication pop-up window ... this is strictly the IIS logon window. Is there any way to activate full SSO ?