Extension:Windows NTLM LDAP Auto Auth

Introduction
Having seen the fucntionallity of Media WIKI I wanted to use the system as a way of document control within our IT department. We wanted to have the authentication and group security controlled by our Active Directory domain. After messing with the auth plugin's written by others I found that none of them suited our way of working so I decided to write our own, and this is the result.

Feature set
This auth plugin is based on Rusty Burchfield's Extension:AutomaticREMOTE_USER and Ryan Lane's Ldap.


 * Allow Windows Active Directory domain verification of the IIS authenticated user.
 * Creates internal WIKI accounts and imports LDAP fields. (mail,firstname,surname)
 * Connects to Windows Global Catalog to allow support for multiple domains / forests.
 * Permission / Security control of which LDAP groups can access the WIKI.
 * Permission / Security mapping of LDAP groups to internal wiki groups.
 * Nested group support.
 * Automatic creation of internal WIKI groups, and user membership.
 * Removal of Login / Logout access & buttons.
 * No anonymous access.

Permission mapping may also require Extension:Group_Based_Access_Control to provide granular access to pages within the WIKI.

Please note that access control cannot be 100% effective within the WIKI please see Security_issues_with_authorization_extensions

Tested on

 * MediaWIKI 1.13.0rc2
 * PHP 5.2.6 (isapi)
 * MySQL 5.0.67-community-nt
 * IIS 5.1

Installation

 * Configure IIS to do the Authentication (disable anonymous access).
 * Copy WinNTLMLDAPAutoAuth.php in your extension dir.
 * Edit settings within WinNTLMLDAPAutoAuth.php to suit your windows environment.
 * Add the following lines to your LocalSettings.php

LocalSettings additional configuration settings
The following additions are required to lock down the WIKI to prevent basic security issues.

In this configuration the four groups within AD are mapped to sysop, bureaucrat, user and wiki restricted. Below is the config to :-


 * Disable anonymous access.
 * Standard users can only read.
 * Bureaucrats can edit.
 * Remove the login / logout buttons.
 * Prevent anyone from creating accounts as we use Windows AD exclusivly.
 * Users are by default not 'autoconfirmed' users.

Other recommendations
Whilst developing this auth plugin we also looked at changing the skin to suit a more professional enbvironment. We came across the GuMax Skin which with a few tweaks to the colors then suited our internal look and feel.

Visit Paul Gu's wiki at