Extension talk:SSL authentication

Support for MW 1.16.0!
I just downloaded and tested this one with MediaWiki 1.16.0 - and it seems as if absolutely nothing is happening. I added the variables + the function call at the front of my LocalSettings.php - and a short debug output gives me all variables right. So I think there has to be an error in SSLAuthPlugin.php - but there is neither an error message nor a login or visual function of this plugin? What is going wrong? I figured it out... there are some changes in AuthPlugin etc... I will publish it once I've proved that it works well.

--Veraldi Fri Jan 14 23:19:53 CET 2011
 * I am afraid to upgrade to 1.16.x because actually I am using version 1.15.x and all my logins are based on X.509 user authentication. Is SSLAuthPlugin now working with 1.16.x versions?


 * --Pb.marty 12:54, 20 October 2011 (UTC)
 * I just upgraded a Mandriva box up to 2010.2 (=> apache = 2.2.15; mysql = 5.1.58; php = 5.3.6) and then untarred MediaWiki 1.17.0 and then copy/pasted SSLAuth 1.1.4 (for MW 1.15) and it works out-of-the-box! (Just be careful when creating the SSLAuth.php file in the extension directory: it should of course be apache-readable... I had a strict umask hanging around and I wondered for minutes why the hell this white-screen-of-death before I realized the perms problem ;)

SSL Auth and MediaWiki 1.10.0 - new version
Tested with 1.10.0 and works OK but I haven't done many tests (simple usage, auto-login, etc.). Probably won't work with 1.7 and 1.8 (<1.10). Previous error: Original exception: exception 'MWException' with message 'Unstub loop detected on call of $wgUser->getOption from StubUserLang::_newObject (when user did not exist in database) has been fixed.

```php
<?php
/**
 * Version 1.0.2 (Works out of box with MW 1.7.1 and up)
 *
 * Authentication Plugin for Apache2 mod_ssl
 * Derived from AuthPlugin.php and
 * http://meta.wikimedia.org/wiki/Shibboleth_Authentication
 *
 * Much of the commenting comes straight from AuthPlugin.php
 *
 * Portions Copyright 2006 Martin Johnson
 * Portions Copyright 2006, 2007 Regents of the University of California
 * Portions Copyright 2007 Steven Langenaken
 * Released under the GNU General Public License
 *
 * Changes between 1.0.2 and 1.0.1:
 * = Merge changes from Shibboleth Authentication: (By DJC)
 * == More 1.9 compatibility fixes and less ugly code
 *
 * Changes between 1.0.1 and 1.0:
 * = Merge changes from Shibboleth Authentication: (By DJC)
 * == Compatible with MW 1.9+ again (By DJC)
 * == Minor fix in loginform handling (By Steven Langenaken)
 *
 * Documentation at http://www.mediawiki.org/wiki/Extension:SSL_authentication
 */

require_once('AuthPlugin.php');

class SSLAuthPlugin extends AuthPlugin {
    /**
     * See AuthPlugin.php for specific information
     */
    function userExists( $username ) {
        return true;
    }

    /**
     * See AuthPlugin.php for specific information
     */
    function authenticate( $username, $password ) {
        global $ssl_UN;

        if($username == $ssl_UN)
            return true;
        else
            return false;
    }

    /**
     * See AuthPlugin.php for specific information
     */
    function modifyUITemplate( &$template ) {
        $template->set( 'usedomain', false );
    }

    /**
     * See AuthPlugin.php for specific information
     */
    function setDomain( $domain ) {
        $this->domain = $domain;
    }

    /**
     * See AuthPlugin.php for specific information
     */
    function validDomain( $domain ) {
        return true;
    }

    /**
     * See AuthPlugin.php for specific information
     */
    function updateUser( &$user ) {
        global $ssl_map_info;
        global $ssl_email;
        global $ssl_RN;

        //Map extra info or not?
        if($ssl_map_info) {
            //If Email, set info in MW
            if($ssl_email)
                $user->setEmail($ssl_email);
            //If realName, set info in MW
            if($ssl_RN)
                $user->setRealName($ssl_RN);
        }

        // KK - MediaWiki 1.10.0
        $user->setInternalPassword(mt_rand() . mt_rand());
        return true;
    }

    /**
     * See AuthPlugin.php for specific information
     */
    function autoCreate() {
        return true;
    }

    /**
     * See AuthPlugin.php for specific information
     */
    function allowPasswordChange() {
        return false;
    }

    /**
     * See AuthPlugin.php for specific information
     */
    function setPassword( $password ) {
        return false;
    }

    /**
     * See AuthPlugin.php for specific information
     */
    function updateExternalDB( $user ) {
        //Not really, but wiki thinks we did...
        return true;
    }

    /**
     * See AuthPlugin.php for specific information
     */
    function canCreateAccounts() {
        return false;
    }

    /**
     * See AuthPlugin.php for specific information
     */
    function addUser( $user, $password ) {
        return false;
    }

    /**
     * See AuthPlugin.php for specific information
     */
    function strict() {
        return false;
    }

    /**
     * See AuthPlugin.php for specific information
     */
    function initUser( &$user ) {
        //Update MW with new user information
        $this->updateUser($user);
    }

    /**
     * See AuthPlugin.php for specific information
     */
    function getCanonicalName( $username ) {
        return $username;
    }
}

/**
 * End of AuthPlugin Code, beginning of hook code and auth functions
 */

/**
 * Some extension information init
 */
$wgExtensionFunctions[] = 'SSLAuthSetup';
$wgExtensionCredits['other'][] = array(
    'name' => 'SSLAuth',
    'version' => '1.0.2',
    'author' => 'Martin Johnson',
    'description' => 'Automagic login with certificates using Apache2 mod_ssl clientside',
    'url' => 'http://www.mediawiki.org/wiki/Extension:SSL_authentication'
);

/**
 * Setup extensionfunctions
 */
function SSLAuthSetup() {
    global $ssl_UN;
    global $wgHooks;
    global $wgAuth;

    if($ssl_UN != null) {
        $wgHooks['AutoAuthenticate'][] = 'SSLAuth'; /* Hook for magical authN */
        $wgHooks['PersonalUrls'][] = 'NoLogout'; /* Disallow logout link */
        $wgAuth = new SSLAuthPlugin();
    }
    /**
     * Hooks looks funny in Special:Version
     * Written twice. Whats wrong with this code?
     */
}

/* No logout link in MW */
function NoLogout(&$personal_urls, $title) {
    $personal_urls['logout'] = null;
}

/* Tries to be magical about when to log in users and when not to. */
function SSLAuth(&$user) {
    global $ssl_UN;
    global $wgUser;
    global $wgContLang;
    global $wgHooks;

    //Temporarily kill The AutoAuth Hook to prevent recursion
    foreach ($wgHooks['AutoAuthenticate'] as $key => $value) {
        if($value == 'SSLAuth')
            $wgHooks['AutoAuthenticate'][$key] = 'BringBackAA';
    }

    //Give us a user, see if we're around
    //$tmpuser = User::LoadFromSession(); // MediaWiki < 1.10
    $tmpuser = User::newFromSession(); // MediaWiki 1.10.0 and up

    //They already with us? If so, quit this function.
    if($tmpuser->isLoggedIn()) {
        BringBackAA();
        return;
    }

    //Is the user already in the database?
    $tmpuser = User::newFromName($ssl_UN);

    //If exists, log them in
    if($tmpuser->getID()) {
        $wgUser = &$tmpuser;
        $user = &$tmpuser;
        $user->setupSession(); // Session before cookies!
        $user->setCookies();
        return;
    }

    //Place the hook back (Not strictly necessarily MW Ver >= 1.9)
    BringBackAA();

    //Okay, kick this up a notch then...
    $user = &$tmpuser;
    $user->setName($ssl_UN); // Set users name - Dont use ucfirst...

    /*
     * Some magic that Shibboleth Authentication does and I just copy
     */
    require_once('SpecialUserlogin.php');

    //This section contains a silly hack for MW
    global $wgLang;
    global $wgContLang;
    global $wgRequest;
    $wgLangUnset = false;
    if(!isset($wgLang)) {
        $wgLang = $wgContLang;
        $wgLangUnset = true;
    }

    //Temporarily kill The AutoAuth Hook to prevent recursion
    foreach ($wgHooks['AutoAuthenticate'] as $key => $value) {
        if($value == 'SSLAuth')
            $wgHooks['AutoAuthenticate'][$key] = 'BringBackAA';
    }

    //This creates our form that'll do black magic
    $lf = new LoginForm($wgRequest);

    //Place the hook back (Not strictly necessarily MW Ver >= 1.9)
    BringBackAA();

    //And now we clean up our hack
    if($wgLangUnset == true) {
        unset($wgLang);
        unset($wgLangUnset);
    }

    //Now we _do_ the black magic
    $lf->mRemember = false;
    $lf->initUser($user);

    //Finish it off
    $user->saveSettings();
    $user->setupSession();
    $user->setCookies();
}

/* Puts the auto-auth hook back into the hooks array */
function BringBackAA() {
    global $wgHooks;

    foreach ($wgHooks['AutoAuthenticate'] as $key => $value) {
        if($value == 'BringBackAA')
            $wgHooks['AutoAuthenticate'][$key] = 'SSLAuth';
    }
}

?>
```

Krzysztof Kozlowski --217.153.130.210 13:04, 12 June 2007 (UTC)
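
The posted `authenticate()` accepts any name equal to `$ssl_UN`, so that global should only ever be filled in for a certificate that Apache actually verified. An added example (not part of the extension or of the post above) of deriving it from the mod_ssl environment variables; `sslauth_identity()` is a hypothetical helper, and using the CN as login name and the Email field as address is an assumption.

```php
<?php
// Added example, not part of the posted plugin. sslauth_identity() is a
// hypothetical helper; taking the login name from the CN and the address
// from the Email field of the subject DN is an assumption.

function sslauth_identity( array $server ) {
    // mod_ssl sets SSL_CLIENT_VERIFY to NONE, SUCCESS, GENEROUS or
    // FAILED:reason. Only SUCCESS means the chain verified; with
    // "SSLVerifyClient optional_no_ca" the DN fields can be filled in
    // for a certificate that did not verify.
    if ( !isset( $server['SSL_CLIENT_VERIFY'] )
        || $server['SSL_CLIENT_VERIFY'] !== 'SUCCESS' ) {
        return null;
    }
    $cn = isset( $server['SSL_CLIENT_S_DN_CN'] )
        ? trim( $server['SSL_CLIENT_S_DN_CN'] ) : '';
    // Conservative check (assumption): non-empty, no control characters,
    // none of the characters MediaWiki refuses in page titles, no "/".
    if ( $cn === '' || preg_match( '/[\x00-\x1f\x7f#<>\[\]|{}\/]/', $cn ) ) {
        return null;
    }
    $email = isset( $server['SSL_CLIENT_S_DN_Email'] )
        ? $server['SSL_CLIENT_S_DN_Email'] : '';
    if ( filter_var( $email, FILTER_VALIDATE_EMAIL ) === false ) {
        $email = null; // keep the login, drop an unusable address
    }
    return array( 'UN' => $cn, 'RN' => $cn, 'email' => $email );
}

// In LocalSettings.php the call would be sslauth_identity( $_SERVER ).
// Constructed sample requests, used here instead of live traffic:
$samples = array(
    'verified' => array(
        'SSL_CLIENT_VERIFY' => 'SUCCESS',
        'SSL_CLIENT_S_DN_CN' => 'Jane Doe',
        'SSL_CLIENT_S_DN_Email' => 'jane@example.org' ),
    'no certificate' => array( 'SSL_CLIENT_VERIFY' => 'NONE' ),
    'unverified' => array(
        'SSL_CLIENT_VERIFY' => 'FAILED:certificate has expired',
        'SSL_CLIENT_S_DN_CN' => 'Jane Doe' ),
);
foreach ( $samples as $label => $server ) {
    $id = sslauth_identity( $server );
    // The posted SSLAuthSetup() installs its hooks only when $ssl_UN is
    // not null, so a null here leaves the ordinary login form in place.
    $ssl_UN = $id === null ? null : $id['UN'];
    echo $label, ': ',
        $ssl_UN === null ? 'no SSL login' : "SSL login as $ssl_UN", "\n";
}
```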

Problems with national characters in CN
Hi, your extension works, but only when users don't have national characters in CN (although login is email...). Can you help me with it? (from 217.74.68.2)
 * I used to have that problem in earlier versions of MediaWiki (1.7.x) but now that I have upgraded to 1.10.0, Swedish national characters work fine. Take a look at my LocalSettings.php in http://www.mediawiki.org/w/index.php?title=Extension:SSL_authentication&oldid=99654 to see how I solved it then. MaJoh 09:19, 7 July 2007 (UTC)

Error with mediawiki 1.11.0
Hi, I got an error with 1.11.0:

MediaWiki internal error. Original exception: exception 'MWException' with message 'Detected bug in an extension! Hook SSLAuth failed to return a value; should return true to continue hook processing or false to abort.' in /var/www/mediawiki-1.11.0/includes/Hooks.php:133 Stack trace: Exception caught inside exception handler: exception 'MWException' with message 'Detected bug in an extension! Hook SSLAuth failed to return a value; should return true to continue hook processing or false to abort.' in var/www/mediawiki-1.11.0/includes/Hooks.php:133 Stack trace:
#0 /var/www/mediawiki-1.11.0/includes/StubObject.php(131): wfRunHooks('AutoAuthenticat...', Array)
#1 /var/www/mediawiki-1.11.0/includes/StubObject.php(57): StubUser->_newObject
#2 /var/www/mediawiki-1.11.0/includes/StubObject.php(31): StubObject->_unstub('isAllowed', 5)
#3 /var/www/mediawiki-1.11.0/includes/StubObject.php(122): StubObject->_call('isAllowed', Array)
#4 [internal function]: StubUser->__call('isAllowed', Array)
#5 /var/www/mediawiki-1.11.0/includes/Title.php(1269): StubUser->isAllowed('read')
#6 /var/www/mediawiki-1.11.0/includes/Wiki.php(133): Title->userCanRead
#7 /var/www/mediawiki-1.11.0/includes/Wiki.php(43): MediaWiki->preliminaryChecks(Object(Title), Object(StubObject), Object(WebRequest))
#8 /var/www/mediawiki-1.11.0/index.php(89): MediaWiki->initialize(Object(Title), Object(StubObject), Object(StubUser), Object(WebRequest))
#9 {main}
#0 /var/www/mediawiki-1.11.0/includes/StubObject.php(131): wfRunHooks('AutoAuthenticat...', Array)
#1 /var/www/mediawiki-1.11.0/includes/StubObject.php(57): StubUser->_newObject
#2 /var/www/mediawiki-1.11.0/includes/StubObject.php(31): StubObject->_unstub('getOption', 5)
#3 /var/www/mediawiki-1.11.0/includes/StubObject.php(122): StubObject->_call('getOption', Array)
#4 [internal function]: StubUser->__call('getOption', Array)
#5 /var/www/mediawiki-1.11.0/includes/StubObject.php(92): StubUser->getOption('language')
#6 /var/www/mediawiki-1.11.0/includes/StubObject.php(57): StubUserLang->_newObject
#7 /var/www/mediawiki-1.11.0/includes/StubObject.php(31): StubObject->_unstub('getCode', 5)
#8 /var/www/mediawiki-1.11.0/includes/StubObject.php(87): StubObject->_call('getCode', Array)
#9 [internal function]: StubUserLang->__call('getCode', Array)
#10 /var/www/mediawiki-1.11.0/includes/MessageCache.php(434): StubUserLang->getCode
#11 /var/www/mediawiki-1.11.0/includes/GlobalFunctions.php(467): MessageCache->get('internalerror', true, false)
#12 /var/www/mediawiki-1.11.0/includes/GlobalFunctions.php(421): wfMsgGetKey('internalerror', true, false, true)
#13 /var/www/mediawiki-1.11.0/includes/GlobalFunctions.php(326): wfMsgReal('internalerror', Array, true)
#14 /var/www/mediawiki-1.11.0/includes/Exception.php(57): wfMsg('internalerror')
#15 /var/www/mediawiki-1.11.0/includes/Exception.php(125): MWException->getPageTitle
#16 /var/www/mediawiki-1.11.0/includes/Exception.php(88): MWException->htmlHeader
#17 /var/www/mediawiki-1.11.0/includes/Exception.php(111): MWException->reportHTML
#18 /var/www/mediawiki-1.11.0/includes/Exception.php(191): MWException->report
#19 /var/www/mediawiki-1.11.0/includes/Exception.php(225): wfReportException(Object(MWException))
#20 [internal function]: wfExceptionHandler(Object(MWException))
#21 {main}

Thanks for your job!

--Ju


 * As a quick-and-dirty fix, add return values to every hook: "return true;" for NoLogout, SSLAuth and BringBackAA, and change the "return;" in the middle of SSLAuth to a "return false;". Results may vary, since I have no idea how any of this actually works - I chose the return values arbitrarily, and I also don't know if SSLAuthSetup needs a return value. But this seems to work for me. --Meeg

MediaWiki 1.13.0
Does this extension work with MediaWiki 1.13.0? I've added all the strings as needed, but it doesn't authorize me. Can someone help?

Looks like the AutoAuthenticate hook has been replaced in 1.13.

--131.225.80.148 19:15, 8 September 2008 (UTC)

Does anyone have this working? The experimental version below does not work for my stock Ubuntu install. --September 1, 2009

Experimental version for MW 1.13
I made an experimental version of the extension for MW 1.13, based on the latest version of the Shibboleth authentication extension. If you'd like to try it, grab it from the git repo here:

http://github.com/dhess/sslauthplugin/tree/master

Please note that I'm not an experienced MediaWiki extension author, so this version may have bugs or security flaws. So far, anyway, "it works for me."

Please contact me (see my GitHub page) if you have any problems with it or discover any bugs. --Dhess 06:55, 16 September 2008 (UTC)

SSL Authentication extension available for Mediawiki 1.14.0 ?
Hi everyone,

I would like to know if this extension is available for MediaWiki 1.14.0? The description page says nothing about that; maybe it was forgotten? My configuration is:
 * Mediawiki 1.14.0
 * PHP 5.2.6 (apache2handler)
 * MySQL 5.0.67

Will this be functional if I use the version for MW 1.13.x? Thanks a lot, Enes

How to have both SSL and ordinary logins?
Hello --

Thanks to the developers for creating such a fantastic extension. I am running a wiki at a university where I'd like to automatically allow everyone in the university to view the wiki and make anonymous edits without having to register. But I'd also like to allow specific people who are not part of the university (and therefore don't have SSL certificates) to make edits and view if they have a user name.

Does anyone know a way to do this? I know @johnp mentioned something, but I wasn't sure I understood it or if the advice was applicable.

Thanks in advance, Dc321 22:05, 9 September 2011 (UTC)

Underscores in usernames
I am running MW 1.11.2 and the plugin version for that rev. I am having a problem with users that have an underscore in their username. They get various errors when they attempt to log in. Evidently, this is a common issue with any external auth module for MW. Here's what happens when they attempt to log in. I realize I probably just need to undo the automatic changing of the underscore to a space - somewhere, but where exactly?

Initial entry:

Detected bug in an extension! Hook SSLAuth failed to return a value; should return true to continue hook processing or false to abort.

Backtrace:


#0 /var/www/sfsintranet/includes/StubObject.php(131): wfRunHooks('AutoAuthenticat...', Array)
#1 /var/www/sfsintranet/includes/StubObject.php(57): StubUser->_newObject
#2 /var/www/sfsintranet/includes/StubObject.php(31): StubObject->_unstub('isAllowed', 5)
#3 /var/www/sfsintranet/includes/StubObject.php(122): StubObject->_call('isAllowed', Array)
#4 [internal function]: StubUser->__call('isAllowed', Array)
#5 /var/www/sfsintranet/includes/Title.php(1269): StubUser->isAllowed('read')
#6 /var/www/sfsintranet/includes/Wiki.php(133): Title->userCanRead
#7 /var/www/sfsintranet/includes/Wiki.php(43): MediaWiki->preliminaryChecks(Object(Title), Object(OutputPage), Object(WebRequest))
#8 /var/www/sfsintranet/index.php(89): MediaWiki->initialize(Object(Title), Object(OutputPage), Object(User), Object(WebRequest))
#9 {main}

Subsequent entry attempts:

A database query syntax error has occurred. This may indicate a bug in the software. The last attempted database query was: (SQL query hidden) from within function "User::addToDatabase". MySQL returned error "1062: Duplicate entry 'Mj_p' for key 2 (localhost)".

hiding logout button slightly broken with MW-1.19
I've just installed mediawiki-1.19.0beta1 and added the 1.19 version of SSLAuthPlugin.php. End result: working well except that the logout button has been replaced with "AMPlt;0AMPgt;" (I replaced the ampersands with AMP as I don't know what would happen to them in this editor).

Must be a slight bug in something? Also, MW still asks to confirm the email address - can the code also take that into account? i.e. a cert with an email address should be treated as validated?

Thanks - this was VERY easy to get up and running!

Jason

--Paran7 (talk) 21:52, 23 March 2012 (UTC)
 * The logout link problem exists with 1.18 as well. The problem is that the logout url is set to null rather than being removed. The following patch fixed the problem for me:


 * Would be great if somebody else could test this. If it works then I guess I should just change the code in the main article.

how to map USER_PRINCIPAL_NAME under X509_EXTENSION with AD - UserPrincipalName attribute
I am able to implement this extension. After that, I need to map USER_PRINCIPAL_NAME to AD UserPrincipalName to get more data back from Active Directory. Do you have some example code I could reference?