Extension:Windows NTLM LDAP Auto Auth

Introduction
Having seen the functionality of MediaWiki I wanted to use the system as a way of document control within our IT department. We wanted the authentication and group security to be controlled by our Active Directory domain. After experimenting with the auth plugins written by others I found that none of them suited our way of working, so I decided to write our own; this is the result.

Feature set
This auth plugin is based on Rusty Burchfield's Extension:AutomaticREMOTE_USER and Ryan Lane's Ldap.


 * Allow Windows Active Directory domain verification of the IIS authenticated user.
 * Creates internal WIKI accounts and imports LDAP fields (mail, firstname, surname).
 * Connects to Windows Global Catalog to allow support for multiple domains / forests.
 * Permission / Security control of which LDAP groups can access the WIKI.
 * Permission / Security mapping of LDAP groups to internal wiki groups.
 * Nested group support.
 * Automatic creation of internal WIKI groups, and user membership.
 * Removal of Login / Logout access & buttons.
 * No anonymous access.

Permission mapping may also require Extension:Group_Based_Access_Control to provide granular access to pages within the WIKI.

Please note that access control cannot be 100% effective within the WIKI; please see Security_issues_with_authorization_extensions.

Tested on

 * MediaWiki 1.13.0rc2
 * PHP 5.2.6 (isapi)
 * MySQL 5.0.67-community-nt
 * IIS 5.1

Installation

 * Configure IIS to do the Authentication (disable anonymous access).
 * Copy WinNTLMLDAPAutoAuth.php in your extension dir.
 * Edit settings within WinNTLMLDAPAutoAuth.php to suit your windows environment.
 * Add the following lines to your LocalSettings.php

LocalSettings additional configuration settings
The following additions are required to lock down the WIKI to prevent basic security issues.

In this configuration the four groups within AD are mapped to sysop, bureaucrat, user and wiki restricted. The configuration below is intended to:


 * Disable anonymous access.
 * Standard users can only read.
 * Bureaucrats can edit.
 * Remove the login / logout buttons.
 * Prevent anyone from creating accounts, as the extension uses Windows Active Directory exclusively.
 * Users are by default not 'autoconfirmed' users.
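An added example (not the extension's own code, and not the configuration the original page shipped) of a LocalSettings.php fragment that implements the lock-down points listed above; the extension include path and the autoconfirm thresholds are assumptions:

```php
# Assumed: the extension file was copied into the extensions directory (see
# Installation) and is loaded from LocalSettings.php like this.
require_once( "$IP/extensions/WinNTLMLDAPAutoAuth.php" );

# Disable anonymous access: anonymous users may neither read nor edit, and
# nobody can create a wiki-side account (Active Directory is the only source).
$wgGroupPermissions['*']['read']          = false;
$wgGroupPermissions['*']['edit']          = false;
$wgGroupPermissions['*']['createpage']    = false;
$wgGroupPermissions['*']['createtalk']    = false;
$wgGroupPermissions['*']['createaccount'] = false;

# Standard users (the AD group mapped to 'user') can only read.
$wgGroupPermissions['user']['edit']       = false;
$wgGroupPermissions['user']['createpage'] = false;
$wgGroupPermissions['user']['createtalk'] = false;
$wgGroupPermissions['user']['move']       = false;
$wgGroupPermissions['user']['upload']     = false;

# Bureaucrats (the AD group mapped to 'bureaucrat') can edit.
$wgGroupPermissions['bureaucrat']['edit']       = true;
$wgGroupPermissions['bureaucrat']['createpage'] = true;
$wgGroupPermissions['bureaucrat']['createtalk'] = true;

# Not even sysops or bureaucrats may create accounts through the wiki.
$wgGroupPermissions['sysop']['createaccount']      = false;
$wgGroupPermissions['bureaucrat']['createaccount'] = false;

# Users are not 'autoconfirmed' by default: with the MediaWiki defaults
# (age 0, count 0) every account is autoconfirmed immediately. The 30-day
# age and 10-edit count below are assumed values; pick what suits your site.
$wgAutoConfirmAge   = 30 * 86400;
$wgAutoConfirmCount = 10;

# Remove the login / logout links from the personal toolbar. The extension
# already does this itself; this hook is a fallback in case a skin bypasses it.
$wgHooks['PersonalUrls'][] = 'wfRemoveLoginLogoutLinks';
function wfRemoveLoginLogoutLinks( &$personal_urls, &$title ) {
    unset( $personal_urls['login'] );
    unset( $personal_urls['anonlogin'] );
    unset( $personal_urls['logout'] );
    return true;
}
```

Setting a permission to false only removes a grant from that group; a user who is also in a group that still grants the right keeps it, so check the effective rights of each mapped group on Special:ListGroupRights after applying this.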

Other recommendations
Whilst developing this auth plugin we also looked at changing the skin to suit a more professional environment. We came across the GuMax skin which, with a few tweaks to the colours, suited our internal look and feel.

Visit Paul Gu's wiki at

Questions
Hi, I cannot find how to email questions to the author of this page, so I am asking directly on this page ... sorry for that.

I first installed MediaWiki on Windows 2k3 ... it took me one whole day. After that, I tried to configure this plugin but it doesn't seem to work:

Question 1 : it is said above that the PHP ISAPI module is used ...
I just installed the component while installing PHP, but did not configure anything. I don't know if this is enough, or if there is anything else to do.

Question 2 : I don't know how to fill this line
Can you help me with it?

Question 3 : I keep on having on my log
I don't know if question 2 has something to do with this message. I did fill in all the information needed: my config:

Question 4 : IIS auth pop-up before getting to my Wiki page
I'm logged on to my computer, and the first time I connect to my wiki I always get a Windows authentication pop-up window ... this is strictly an IIS logon window. Is there any way to activate full SSO?

Answers
Well, I'm not the extension writer but I'm trying to make it work as well, so I'll tell you what I found so far. I'm not a PHP pro either; I just started to work on it about a week ago.

Question 1 : it is said above that the PHP ISAPI module is used ...
Yes, you need to set PHP to work via ISAPI and add the LDAP extension to PHP (I also added MySQL for my SQL server). After setting PHP to use ISAPI you need to set the MediaWiki virtual folder to use the ISAPI filter (direct it to \php5isapi.dll); this is as far as those settings go.

Question 2 : I don't know how to fill this line
I also looked into this parameter, and from what I understood this is a PHP internal parameter, so you don't need to change it.

Question 3 : I keep on having on my log
You need to add the domain name before the user \ ; it works for me (also there is a spot in the extension itself where you need to insert your server name).

Question 4 : IIS auth pop-up before getting to my Wiki page
This is the tricky part; I haven't found a way to make the SSO work yet.

And I'll add a question of my own:

Question 5 : After the user has been authenticated
After the user has been authenticated and directed to the right group, the user still doesn't have any permissions.

If anyone has a solution to this (especially questions 4 and 5) please post it here or email me at: crushking+mediawiki@gmail.com

Thanks in advance to anyone who can help, CrushKing.