Extension:LDAP Authentication/Kerberos Configuration Examples
About - Requirements - Examples - Configuration Options - Changelog - Roadmap - Suggestions - User provided info - FAQ - Support
Group and Preferences Examples - Generic LDAP Examples - Active Directory Examples - Smartcard Examples - Kerberos Examples
 Release status: stable |
|
|---|---|
| Implementation | User identity |
| Description | Provides LDAP authentication, and some authorization functionality for MediaWiki |
| Author(s) | Ryan Lane (Ryan lanetalk) |
| Latest version | 2.1.0 (2018-10-11) |
| Compatibility policy | master |
| MediaWiki | 1.19-1.26 |
| Database changes | Yes |
| License | GNU General Public License 2.0 or later |
| Download | |
| Translate the LDAP Authentication extension if it is available at translatewiki.net | |
| Check usage and version matrix. | |
| Issues | Open tasks · Report a bug |
The LdapAuthentication extension 1.2+ supports generic web server authentication in MediaWiki 1.6+; this allows for Kerberos authentication. For those in a transitional period, the extension supports a mixture of web server and password authentication if needed. This article will describe a few different ways to configure Apache, and a few different ways to configure the extension.
If you do not need LDAP support, and only need Kerberos support, this is not the extension for you; please see the HttpAuth extension. Note that the HttpAuth extension only does generic web server authentication; Kerberos specific configuration is up to you.
Parts of this extension are based upon the work of the SSL Authentication extension and the Shibboleth Authentication extension.
General configuration[edit]
The Apache setup will require mod_auth_kerb. The wiki setup will require that you use a proxyagent and proxyagent password (anonymous searching is also supported). You cannot rely on user's credentials as the user never actually binds to the LDAP server.
Knowledge of how to use/configure Kerberos and how to receive a keytab are out of the scope of this document, and will be considered a prerequisite. Only directives that are mod_auth_kerb specific will be discussed. For detailed mod_auth_kerb documentation, see the mod_auth_kerb site.
Apache configuration[edit]
We will discuss two ways of configuring Apache for Kerberos login. The first is to protect the entire wiki, the second is to only protect a single page so that we can still allow password login.
These configurations assume that the mod_auth_kerb module is being loaded elsewhere.
Apache configuration for Kerberos protecting the entire wiki[edit]
The following can be configured at the global or virtual host level:
<Location /wiki> SSLRequireSSL AuthType Kerberos AuthName "Kerberos Login" KrbMethodNegotiate On KrbMethodK5Passwd Off KrbLocalUserMapping On #Implemented in 5.4, strips @REALM from username KrbAuthRealms EXAMPLE.COM Krb5KeyTab /etc/httpd/conf/keytab require valid-user </Location>
Apache configuration for allowing Kerberos login without protecting an entire wiki[edit]
The following configuration will only log a user in automatically when a user visits a wiki article called "Kerberos Login". This can allow you to mix password authentication domains and a Kerberos authentication domain.
<Location /wiki/index.php/Kerberos_Login> SSLRequireSSL AuthType Kerberos AuthName "Kerberos Login" KrbMethodNegotiate On KrbMethodK5Passwd Off KrbLocalUserMapping On #Implemented in 5.4, strips @REALM from username KrbAuthRealms EXAMPLE.COM Krb5KeyTab /etc/httpd/conf/keytab require valid-user </Location>
Basic LDAP extension configuration[edit]
The following example uses Active Directory.
require_once( "$IP/extensions/LdapAuthentication/LdapAutoAuthentication.php" );
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgLDAPDomainNames = array("exampleADDomain");
$wgLDAPServerNames = array("exampleADDomain"=>"example.adserver.com");
$wgLDAPAutoAuthDomain = "exampleADDomain";
$wgLDAPProxyAgent = array("exampleADDomain"=>"CN=proxy agent,OU=Domain_Users,DC=example,DC=com");
$wgLDAPProxyAgentPassword = array("exampleADDomain"=>"password");
$wgLDAPBaseDNs = array("exampleADDomain"=>"DC=example,DC=com");
$wgLDAPSearchAttributes = array("exampleADDomain"=>"samaccountname");
// REMOTE_USER will be in the form username@EXAMPLE.COM, if we
// just chop off @EXAMPLE.COM, we have the username. You can change
// this as needed.
// I've added if condition because of Apache logging: PHP Notice: Undefined index: REMOTE_USER in /var/www/mediawiki
//$wgLDAPAutoAuthUsername = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"] );
// If you are using mod_auth_kerb 5.4, use KrbLocalUserMapping instead of this.
if (isset($_SERVER["REMOTE_USER"])) $wgLDAPAutoAuthUsername = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"]);
// After we set all configuration options, we want to tell the extension to enable auto-authentication.
// This will create an instance of LdapAuthentication as $wgAuth.
AutoAuthSetup();
Advanced LDAP extension configuration[edit]
The following will configure three domains: one domain pointing to OpenLDAP, another pointing to Active Directory, and a third using Kerberos authentication pointing to the same Active directory.
The OpenLDAP domain will use straight binds, and the Active Directory domain will use proxy authentication.
This configuration assumes we are only Kerberos protecting a single page, like the last Apache configuration above.
require_once( "$IP/extensions/LdapAuthentication/LdapAutoAuthentication.php" );
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgLDAPDomainNames = array("exampleOLDomain","exampleADDomain", "exampleADDomain-kerberos");
$wgLDAPServerNames = array("exampleOLDomain"=>"example.olserver.com", "exampleADDomain"=>"example.adserver.com", "exampleADDomain-kerberos"=>"example.adserver.com");
$wgLDAPSearchStrings = array("exampleOLDomain"=>"uid=USER-NAME,ou=people,dc=example,dc=oldomain,dc=com");
$wgLDAPAutoAuthDomain = "exampleADDomain-kerberos";
$wgLDAPProxyAgent = array("exampleADDomain"=>"CN=proxy agent,OU=Domain_Users,DC=example,DC=addomain,DC=com", "exampleADDomain-kerberos"=>"CN=proxy agent,OU=Domain_Users,DC=example,DC=addomain,DC=com");
$wgLDAPProxyAgentPassword = array("exampleADDomain"=>"password", "exampleADDomain-kerberos"=>"password");
$wgLDAPBaseDNs = array("exampleADDomain"=>"DC=example,DC=addomain,DC=com", "exampleADDomain-kerberos"=>"DC=example,DC=addomain,DC=com");
$wgLDAPSearchAttributes = array("exampleADDomain"=>"samaccountname", "exampleADDomain-kerberos"=>"samaccountname");
// REMOTE_USER will be in the form username@EXAMPLE.COM, if we
// just chop off @EXAMPLE.COM, we have the username. You can change
// this as needed.
// If you are using mod_auth_kerb 5.4, use KrbLocalUserMapping instead of this.
$wgLDAPAutoAuthUsername = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"] );
// After we set all configuration options, we want to tell the extension to enable auto-authentication.
// This will create an instance of LdapAuthentication as $wgAuth.
AutoAuthSetup();
Configuration steps for article based Kerberos login[edit]
- Create an article called "Kerberos Login"
- Add "#REDIRECT [[Main Page]]"
- Protect the article
- Edit loginprompt in Special:Allmessages and add:
- [[Kerberos Login|Click here to use your Single Sign On credentials.]]
- GPL licensed extensions
- Stable extensions
- Extensions without an image
- User identity extensions
- Extensions in Wikimedia version control
- BlockIpComplete extensions
- UnblockUserComplete extensions
- LoadExtensionSchemaUpdates extensions
- UserSaveSettings extensions
- UserLoggedIn extensions
- LocalUserCreated extensions
- All extensions
