Extension:LDAP Authentication/Kerberos Configuration Examples

MediaWiki extensions manual: LDAP Authentication
Release status: stable
Implementation: User identity
Description: Provides LDAP authentication, and some authorization functionality for MediaWiki
Author(s): Ryan Lane (Ryan lanetalk)
Latest version: 2.1.0 (2014-03-28)
Compatibility policy: master
MediaWiki: 1.19+
Database changes: Yes
License: GNU General Public License 2.0 or later
Hooks used: LoadExtensionSchemaUpdates

The LdapAuthentication extension 1.2+ supports generic web server authentication in MediaWiki 1.6+, which allows Kerberos authentication: Apache authenticates the user and the extension trusts the username Apache passes in REMOTE_USER. For those in a transitional period, the extension supports a mixture of web server and password authentication if needed. This article describes a few different ways to configure Apache, and a few different ways to configure the extension.

If you do not need LDAP support, and only need Kerberos support, this is not the extension for you; please see the HttpAuth extension. Note that the HttpAuth extension only does generic web server authentication; Kerberos specific configuration is up to you.

Parts of this extension are based upon the work of the SSL Authentication extension and the Shibboleth Authentication extension.

General configuration

The Apache setup requires mod_auth_kerb. The wiki setup requires a proxy agent and proxy agent password (anonymous searching is also supported). You cannot rely on the user's credentials: with Kerberos the wiki never sees the user's password and the user never binds to the LDAP server, so the extension has to look up the user's attributes as the proxy agent (or anonymously).

Knowledge of how to use and configure Kerberos and how to obtain a keytab is out of the scope of this document and is considered a prerequisite. Only directives that are mod_auth_kerb specific are discussed. For detailed mod_auth_kerb documentation, see the mod_auth_kerb site.

Apache configuration

We will discuss two ways of configuring Apache for Kerberos login. The first is to protect the entire wiki, the second is to only protect a single page so that we can still allow password login.

These configurations assume that the mod_auth_kerb module is being loaded elsewhere.

Apache configuration for Kerberos protecting the entire wiki

The following can be configured at the global or virtual host level. SSLRequireSSL needs mod_ssl and refuses plain-HTTP requests, so the Negotiate token and the wiki session cookie never travel in the clear. KrbMethodK5Passwd Off disables the Basic-auth fallback; with it on, a client that cannot do Negotiate would be prompted for, and would transmit, the user's Kerberos password. KrbLocalUserMapping strips @REALM from the username, which collapses user@A and user@B onto the same local user, so only list realms in KrbAuthRealms whose users you are willing to treat as the same account. Apache does not accept comments on the same line as a directive, so the explanatory comment is on its own line:

<Location /wiki>
  SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  # KrbLocalUserMapping was implemented in mod_auth_kerb 5.4; it strips @REALM from the username
  KrbLocalUserMapping On
  KrbAuthRealms EXAMPLE.COM
  Krb5KeyTab /etc/httpd/conf/keytab
  require valid-user
</Location>

Apache configuration for allowing Kerberos login without protecting an entire wiki

The following configuration only logs a user in automatically when the user visits a wiki article called "Kerberos Login". This lets you mix password authentication domains with a Kerberos authentication domain. Location matches the request path by prefix, so the path must be the one $wgArticlePath actually produces for that article (/wiki/index.php/Kerberos_Login with the default article path); requests for the same article through a different URL form will not trigger the Kerberos exchange. As above, the comment has to sit on its own line:

<Location /wiki/index.php/Kerberos_Login>
  SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  # KrbLocalUserMapping was implemented in mod_auth_kerb 5.4; it strips @REALM from the username
  KrbLocalUserMapping On
  KrbAuthRealms EXAMPLE.COM
  Krb5KeyTab /etc/httpd/conf/keytab
  require valid-user
</Location>

Basic LDAP extension configuration

The following example uses Active Directory.

require_once( "$IP/extensions/LdapAuthentication/LdapAutoAuthentication.php" );
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );

$wgLDAPDomainNames = array("exampleADDomain");
$wgLDAPServerNames = array("exampleADDomain"=>"example.adserver.com");

$wgLDAPAutoAuthDomain = "exampleADDomain";

$wgLDAPProxyAgent = array("exampleADDomain"=>"CN=proxy agent,OU=Domain_Users,DC=example,DC=com");
$wgLDAPProxyAgentPassword = array("exampleADDomain"=>"password");
$wgLDAPBaseDNs = array("exampleADDomain"=>"DC=example,DC=com");

$wgLDAPSearchAttributes = array("exampleADDomain"=>"samaccountname");

// REMOTE_USER will be in the form username@EXAMPLE.COM; chopping off
// @EXAMPLE.COM leaves the username. Change this as needed.
// If you are using mod_auth_kerb 5.4, use KrbLocalUserMapping instead,
// in which case REMOTE_USER already holds the bare username and the
// replacement below is a harmless no-op.
// Guard the lookup: REMOTE_USER is unset for requests Apache did not
// authenticate, and reading it unconditionally makes PHP log
// "PHP Notice: Undefined index: REMOTE_USER" for every such request.
if ( isset( $_SERVER["REMOTE_USER"] ) ) {
	$wgLDAPAutoAuthUsername = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"] );
}

// After we set all configuration options, we want to tell the extension to enable auto-authentication.
// This will create an instance of LdapAuthentication as $wgAuth.
AutoAuthSetup();

Advanced LDAP extension configuration

The following configures three domains: one domain pointing to OpenLDAP, another pointing to Active Directory, and a third using Kerberos authentication pointing to the same Active Directory.

The OpenLDAP domain will use straight binds, and the Active Directory domain will use proxy authentication.

This configuration assumes we are only Kerberos protecting a single page, like the last Apache configuration above.

require_once( "$IP/extensions/LdapAuthentication/LdapAutoAuthentication.php" );
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );

$wgLDAPDomainNames = array("exampleOLDomain","exampleADDomain", "exampleADDomain-kerberos");
$wgLDAPServerNames = array("exampleOLDomain"=>"example.olserver.com", "exampleADDomain"=>"example.adserver.com", "exampleADDomain-kerberos"=>"example.adserver.com");

$wgLDAPSearchStrings = array("exampleOLDomain"=>"uid=USER-NAME,ou=people,dc=example,dc=oldomain,dc=com");

$wgLDAPAutoAuthDomain = "exampleADDomain-kerberos";

$wgLDAPProxyAgent = array("exampleADDomain"=>"CN=proxy agent,OU=Domain_Users,DC=example,DC=addomain,DC=com", "exampleADDomain-kerberos"=>"CN=proxy agent,OU=Domain_Users,DC=example,DC=addomain,DC=com");
$wgLDAPProxyAgentPassword = array("exampleADDomain"=>"password", "exampleADDomain-kerberos"=>"password");
$wgLDAPBaseDNs = array("exampleADDomain"=>"DC=example,DC=addomain,DC=com", "exampleADDomain-kerberos"=>"DC=example,DC=addomain,DC=com");

$wgLDAPSearchAttributes = array("exampleADDomain"=>"samaccountname", "exampleADDomain-kerberos"=>"samaccountname");

// REMOTE_USER will be in the form username@EXAMPLE.COM; chopping off
// @EXAMPLE.COM leaves the username. Change this as needed.
// If you are using mod_auth_kerb 5.4, use KrbLocalUserMapping instead,
// in which case the replacement below is a harmless no-op.
// Only a single page is Kerberos protected here, so REMOTE_USER is absent
// on nearly every request; reading it without the guard logs
// "PHP Notice: Undefined index: REMOTE_USER" each time.
if ( isset( $_SERVER["REMOTE_USER"] ) ) {
	$wgLDAPAutoAuthUsername = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"] );
}

// After we set all configuration options, we want to tell the extension to enable auto-authentication.
// This will create an instance of LdapAuthentication as $wgAuth.
AutoAuthSetup();
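Both the basic and the advanced configuration above derive the wiki username by deleting everything after the first "@" in REMOTE_USER. That accepts any realm the KDC trust chain will vouch for and passes whatever is left straight into the extension's LDAP lookup. The following is an added example, not code from the LdapAuthentication extension or the original page, of a stricter mapping for LocalSettings.php: it checks the realm against an explicit allow-list (whether or not mod_auth_kerb enforces KrbAuthRealms for the Negotiate method, checking again here costs nothing), restricts the local part to the characters expected in a sAMAccountName, and refuses to set $wgLDAPAutoAuthUsername for anything else. The helper name kerberosPrincipalToUsername() and the realm list are this example's own assumptions.

```php
<?php
// Added example (not part of the LdapAuthentication extension or the page
// above). Assumed names: kerberosPrincipalToUsername() and the realm list
// passed to it are this example's own.

/**
 * Map "user@REALM" (or a bare "user" when KrbLocalUserMapping is On) to a
 * wiki username. Returns null when Apache did not authenticate the request,
 * when the realm is not one we trust, or when the local part contains
 * characters we do not want to hand to an LDAP search filter.
 */
function kerberosPrincipalToUsername( $remoteUser, array $allowedRealms ) {
	if ( $remoteUser === null || $remoteUser === '' ) {
		return null; // unauthenticated request: REMOTE_USER not set by Apache
	}

	$parts = explode( '@', $remoteUser, 2 );
	$local = $parts[0];
	$realm = isset( $parts[1] ) ? $parts[1] : null;

	// Kerberos realm names are case-sensitive and conventionally upper case;
	// compare strictly so EXAMPLE.COM and example.com are not merged.
	if ( $realm !== null && !in_array( $realm, $allowedRealms, true ) ) {
		return null; // principal from a realm we do not map to local accounts
	}

	// Accept only the characters expected in an AD sAMAccountName. Filter
	// metacharacters such as '(', ')', '*', '\' and NUL are rejected here
	// rather than relied upon to be escaped further down the stack.
	if ( !preg_match( '/^[A-Za-z0-9._-]{1,64}$/', $local ) ) {
		return null;
	}

	return $local;
}

// Same isset() guard as in the configurations above: REMOTE_USER is unset
// for every request Apache did not authenticate.
$remoteUser = isset( $_SERVER['REMOTE_USER'] ) ? $_SERVER['REMOTE_USER'] : null;
$username = kerberosPrincipalToUsername( $remoteUser, array( 'EXAMPLE.COM' ) );

if ( $username !== null ) {
	$wgLDAPAutoAuthUsername = $username;
} elseif ( $remoteUser !== null ) {
	// Authenticated by Apache, but by a principal we refuse to map. Log it
	// so the rejection is visible, and leave $wgLDAPAutoAuthUsername unset
	// so the extension neither logs in nor auto-creates an account for it.
	error_log( 'LdapAuthentication: refusing to map Kerberos principal ' . $remoteUser );
}

// Then, as in the configurations above, call AutoAuthSetup() after all
// $wgLDAP* options have been set.
```

Place this where the preg_replace line sits in the configurations above, before the AutoAuthSetup() call. With KrbLocalUserMapping On the realm has already been stripped by Apache, so the realm check is skipped and only the character check applies; if you prefer the realm to be verified in PHP, leave KrbLocalUserMapping Off and let this function do the stripping.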

Configuration steps for article based Kerberos login

  1. Create an article called "Kerberos Login"
    1. Add "#REDIRECT [[Main Page]]"
    2. Protect the article, so that only administrators can change the page every single sign-on user is sent through
  2. Edit the loginprompt system message (the page MediaWiki:Loginprompt, listed in Special:AllMessages) and add:
    [[Kerberos Login|Click here to use your Single Sign On credentials.]]