Extension:LDAP Authentication/Kerberos Configuration Examples

**MediaWiki extensions manual**
LDAP Authentication; Release status: unmaintained
Implementation	User identity
Description	Provides LDAP authentication, and some authorization functionality for MediaWiki
Author(s)	Ryan Lane (Ryan lanetalk)
Latest version	2.1.0 (2018-10-11)
Compatibility policy	Snapshots releases along with MediaWiki. Master is not backward compatible.
MediaWiki	1.19-1.26
Database changes	Yes
License	GNU General Public License 2.0 or later
Download	Download extension ; Git [?]: Download Git master; browse repository (GitHub); commit history; repository contributors (GitHub); code review;
	Parameters $wgAutoAuthUsername; $wgGroupsUseMemberOf; $wgDomainNames; $wgEncryptionType; $wgSearchAttributes; $wgGroupUseFullDN; $wgPort; $wgWriterPassword; $wgUserBaseDNs; $wgGroupBaseDNs; $wgUseLDAPGroups; $wgAutoAuthDomain; $wgWriteLocation; $wgProxyAgentPassword; $wgUseLocal; $wgLockPasswordPolicy; $wgLockOnBlock; $wgLocallyManagedGroups; $wgAddLDAPUsers; $wgProxyAgent; $wgServerNames; $wgPasswordHash; $wgAuthAttribute; $wgGroupSearchNestedGroups; $wgExcludedGroups; $wgGroupNameAttribute; $wgRequiredGroups; $wgBaseDNs; $wgGroupAttribute; $wgOptions; $wgGroupsPrevail; $wgDisableAutoCreate; $wgGroupObjectclass; $wgLowerCaseUsername; $wgUpdateLDAP; $wgDebug; $wgMailPassword; $wgSearchStrings; $wgPreferences; $wgActiveDirectory; $wgGroupUseRetrievedUsername; $wgGroupSearchPosixPrimaryGroup; $wgWriterDN;
	Hooks used BlockIpComplete; LoadExtensionSchemaUpdates; UnblockUserComplete;
	Hooks provided ChainAuth; LDAPSetCreationValues; LDAPRetrySetCreationValues; LDAPUpdateUser; SetUsernameAttributeFromLDAP;
	Check usage and version matrix.
Issues	Open tasks · Report a bug

About - Requirements - Examples - Configuration Options - Changelog - Roadmap - Suggestions - User provided info - FAQ - Support

Group and Preferences Examples - Generic LDAP Examples - Active Directory Examples - Smartcard Examples - Kerberos Examples

Warning: The extension has not been fully updated for MediaWiki 1.27+ (AuthManager); LdapAutoAuthentication will not work with that version. See gerrit:286705 for details.

The LdapAuthentication extension 1.2+ supports generic web server authentication in MediaWiki 1.6+; this allows for Kerberos authentication. For those in a transitional period, the extension supports a mixture of web server and password authentication if needed. This article will describe a few different ways to configure Apache, and a few different ways to configure the extension.

If you do not need LDAP support, and only need Kerberos support, this is not the extension for you.

Parts of this extension are based upon the work of the SSL Authentication extension and the Shibboleth Authentication extension.

General configuration[edit]

The Apache setup will require mod_auth_kerb. The wiki setup will require that you use a proxyagent and proxyagent password (anonymous searching is also supported). You cannot rely on user's credentials as the user never actually binds to the LDAP server.

Knowledge of how to use/configure Kerberos and how to receive a keytab are out of the scope of this document, and will be considered a prerequisite. Only directives that are mod_auth_kerb specific will be discussed. For detailed mod_auth_kerb documentation, see the mod_auth_kerb site.

Apache configuration[edit]

We will discuss two ways of configuring Apache for Kerberos login. The first is to protect the entire wiki, the second is to only protect a single page so that we can still allow password login.

These configurations assume that the mod_auth_kerb module is being loaded elsewhere.

Apache configuration for Kerberos protecting the entire wiki[edit]

The following can be configured at the global or virtual host level:

<Location /wiki>
  SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbLocalUserMapping On #Implemented in 5.4, strips @REALM from username
  KrbAuthRealms EXAMPLE.COM
  Krb5KeyTab /etc/httpd/conf/keytab
  require valid-user
</Location>

Apache configuration for allowing Kerberos login without protecting an entire wiki[edit]

The following configuration will only log a user in automatically when a user visits a wiki article called "Kerberos Login". This can allow you to mix password authentication domains and a Kerberos authentication domain.

<Location /wiki/index.php/Kerberos_Login>
  SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbLocalUserMapping On #Implemented in 5.4, strips @REALM from username
  KrbAuthRealms EXAMPLE.COM
  Krb5KeyTab /etc/httpd/conf/keytab
  require valid-user
</Location>

Basic LDAP extension configuration[edit]

The following example uses Active Directory.

require_once( "$IP/extensions/LdapAuthentication/LdapAutoAuthentication.php" );
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );

$wgLDAPDomainNames = array("exampleADDomain");
$wgLDAPServerNames = array("exampleADDomain"=>"example.adserver.com");

$wgLDAPAutoAuthDomain = "exampleADDomain";

$wgLDAPProxyAgent = array("exampleADDomain"=>"CN=proxy agent,OU=Domain_Users,DC=example,DC=com");
$wgLDAPProxyAgentPassword = array("exampleADDomain"=>"password");
$wgLDAPBaseDNs = array("exampleADDomain"=>"DC=example,DC=com");

$wgLDAPSearchAttributes = array("exampleADDomain"=>"samaccountname");

// REMOTE_USER will be in the form username@EXAMPLE.COM, if we
// just chop off @EXAMPLE.COM, we have the username. You can change
// this as needed.
// I've added if condition because of Apache logging: PHP Notice:  Undefined index: REMOTE_USER in /var/www/mediawiki
//$wgLDAPAutoAuthUsername = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"] );
// If you are using mod_auth_kerb 5.4, use KrbLocalUserMapping instead of this.
if (isset($_SERVER["REMOTE_USER"])) $wgLDAPAutoAuthUsername = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"]);

// After we set all configuration options, we want to tell the extension to enable auto-authentication.
// This will create an instance of LdapAuthentication as $wgAuth.
AutoAuthSetup();

Advanced LDAP extension configuration[edit]

The following will configure three domains: one domain pointing to OpenLDAP, another pointing to Active Directory, and a third using Kerberos authentication pointing to the same Active directory.

The OpenLDAP domain will use straight binds, and the Active Directory domain will use proxy authentication.

This configuration assumes we are only Kerberos protecting a single page, like the last Apache configuration above.

require_once( "$IP/extensions/LdapAuthentication/LdapAutoAuthentication.php" );
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );

$wgLDAPDomainNames = array("exampleOLDomain","exampleADDomain", "exampleADDomain-kerberos");
$wgLDAPServerNames = array("exampleOLDomain"=>"example.olserver.com", "exampleADDomain"=>"example.adserver.com", "exampleADDomain-kerberos"=>"example.adserver.com");

$wgLDAPSearchStrings = array("exampleOLDomain"=>"uid=USER-NAME,ou=people,dc=example,dc=oldomain,dc=com");

$wgLDAPAutoAuthDomain = "exampleADDomain-kerberos";

$wgLDAPProxyAgent = array("exampleADDomain"=>"CN=proxy agent,OU=Domain_Users,DC=example,DC=addomain,DC=com", "exampleADDomain-kerberos"=>"CN=proxy agent,OU=Domain_Users,DC=example,DC=addomain,DC=com");
$wgLDAPProxyAgentPassword = array("exampleADDomain"=>"password", "exampleADDomain-kerberos"=>"password");
$wgLDAPBaseDNs = array("exampleADDomain"=>"DC=example,DC=addomain,DC=com", "exampleADDomain-kerberos"=>"DC=example,DC=addomain,DC=com");

$wgLDAPSearchAttributes = array("exampleADDomain"=>"samaccountname", "exampleADDomain-kerberos"=>"samaccountname");

// REMOTE_USER will be in the form username@EXAMPLE.COM, if we
// just chop off @EXAMPLE.COM, we have the username. You can change
// this as needed. 
// If you are using mod_auth_kerb 5.4, use KrbLocalUserMapping instead of this.
$wgLDAPAutoAuthUsername = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"] );

// After we set all configuration options, we want to tell the extension to enable auto-authentication.
// This will create an instance of LdapAuthentication as $wgAuth.
AutoAuthSetup();

Configuration steps for article based Kerberos login[edit]

Create an article called "Kerberos Login"
1. Add "#REDIRECT [[Main Page]]"
2. Protect the article
Edit loginprompt in Special:Allmessages and add:
[[Kerberos Login|Click here to use your Single Sign On credentials.]]

LDAP Authentication Release status: unmaintained
Implementation	User identity
Description	Provides LDAP authentication, and some authorization functionality for MediaWiki
Author(s)	Ryan Lane (Ryan lane^talk)
Latest version	2.1.0 (2018-10-11)
Compatibility policy	Snapshots releases along with MediaWiki. Master is not backward compatible.
MediaWiki	1.19-1.26
Database changes	Yes
License	GNU General Public License 2.0 or later
Download	Download extension Git ^[?]: Download Git master browse repository (GitHub) commit history repository contributors (GitHub) code review
Parameters $wgAutoAuthUsername $wgGroupsUseMemberOf $wgDomainNames $wgEncryptionType $wgSearchAttributes $wgGroupUseFullDN $wgPort $wgWriterPassword $wgUserBaseDNs $wgGroupBaseDNs $wgUseLDAPGroups $wgAutoAuthDomain $wgWriteLocation $wgProxyAgentPassword $wgUseLocal $wgLockPasswordPolicy $wgLockOnBlock $wgLocallyManagedGroups $wgAddLDAPUsers $wgProxyAgent $wgServerNames $wgPasswordHash $wgAuthAttribute $wgGroupSearchNestedGroups $wgExcludedGroups $wgGroupNameAttribute $wgRequiredGroups $wgBaseDNs $wgGroupAttribute $wgOptions $wgGroupsPrevail $wgDisableAutoCreate $wgGroupObjectclass $wgLowerCaseUsername $wgUpdateLDAP $wgDebug $wgMailPassword $wgSearchStrings $wgPreferences $wgActiveDirectory $wgGroupUseRetrievedUsername $wgGroupSearchPosixPrimaryGroup $wgWriterDN
Hooks used BlockIpComplete LoadExtensionSchemaUpdates UnblockUserComplete
Hooks provided ChainAuth LDAPSetCreationValues LDAPRetrySetCreationValues LDAPUpdateUser SetUsernameAttributeFromLDAP
Check usage and version matrix.
Issues	Open tasks · Report a bug