Release status: stable
Implementation: User identity, User rights
Description: Provides Active Directory SPNEGO Single Sign-On (SSO) and explicit Kerberos 5 logon using the conventional login form. Users allowed to authenticate with the site may be restricted to specific Windows groups. Windows groups may be mapped to MW groups. Local accounts will be created automatically, populated and updated as necessary when the user authenticates a new session.
Latest version: 3.2.1 (2008-10-1)
MediaWiki: 1.11.1 (at least)
License: No license specified
Download: IOPLEX Software Downloads
Plexcel MediaWiki Plugin
Note: The Plexcel product has been discontinued
Note: This Plugin requires the Plexcel PHP extension from IOPLEX Software (free for 25 users, $250 for 500 users, $500 for unlimited users) which does not run on the Windows platform at this time. Please review the Requirements section carefully.
The Plexcel MediaWiki Plugin seamlessly adds Active Directory authentication and authorization to MediaWiki. This plugin has the following features.
- Active Directory SPNEGO Single Sign-On (SSO)
- User Information Populated from Active Directory
- Configurable Username Canonicalization
- Explicit Login with Username and Password
- Windows Group Based Access Control List (ACL)
- Windows to MW Group Mapping
- Automatic Directory Location
- No setup on Windows side required
- Superior Security of Kerberos
- Internationalization (I18N)
The Plexcel MediaWiki Plugin can authenticate clients against Active Directory using SPNEGO Single Sign-On (SSO) or by explicit Kerberos 5 login using the standard login form.
The default behavior is to authenticate clients using SSO. Users will not need to repeatedly enter their username and password. Just visiting the site will trigger the browser to automatically authenticate the client and pass the user's information to the web server (provided the browser options have been changed to trust the target site).
Alternatively, they may also use the standard login form. If the client does not support SSO (e.g. because the user is not logged into the domain), authentication falls back to the login form.
Windows Group Based Authentication Control and Windows Group Mapping
The Plexcel MediaWiki Plugin employs an authentication ACL that can be used to restrict who can authenticate with MediaWiki to specific Windows groups. The plugin also allows mapping Windows groups into MediaWiki groups (e.g. users in ACME\Wiki Bureaucrats will automatically be added to the MediaWiki bureaucrat group). These features allow operators to push wiki access controls into AD and leverage existing IT infrastructure.
The full range of Windows group name forms may be used (no awkward LDAP DN strings).
It is worth noting that Plexcel's Windows group name access checks are very fast. Once the group names in $wgAuth->authAcl and $wgAuth->groupMap have been resolved and cached in shared memory, no communication with the domain controller is required for subsequent requests until Apache is restarted. The user's group SIDs are extracted from their Kerberos ticket and compared with the cached SIDs.
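The following PHP script is an added illustration of the SID-comparison model described above; it is not the plugin's own code. The shared-memory cache is stood in for by a plain array, the domain SID and group RIDs (other than the well-known Domain Users RID 513) are constructed, and the use of a false ACL value as a deny entry and the "an explicit deny wins" ordering are assumptions made for the illustration; the plugin's exact deny syntax and evaluation order are documented in the Plexcel manual, not on this page.

```php
<?php
// Illustrative model of group-SID based ACL evaluation and group mapping.
// Added example, NOT the Plexcel plugin's code; see the assumptions above.

// Constructed stand-in for the shared-memory cache that maps the Windows
// group names written in $wgAuth->authAcl / $wgAuth->groupMap to their SIDs.
// The domain SID is invented; 513 is the well-known Domain Users RID.
$resolvedSids = array(
    'EXAMPLE\\Domain Users'     => 'S-1-5-21-1000-2000-3000-513',
    'EXAMPLE\\Wiki Bureaucrats' => 'S-1-5-21-1000-2000-3000-1105',
    'EXAMPLE\\Contractors'      => 'S-1-5-21-1000-2000-3000-1106',
);

// ACL in the shape the page shows (group name => true). A false value is
// used here to model a deny entry (assumption for this illustration).
$authAcl = array(
    'EXAMPLE\\Domain Users' => true,
    'EXAMPLE\\Contractors'  => false,
);

// Windows group => MediaWiki group, as in $wgAuth->groupMap.
$groupMap = array(
    'EXAMPLE\\Wiki Bureaucrats' => 'bureaucrats',
);

/**
 * Decide whether a user may authenticate using only the SIDs carried in
 * their Kerberos ticket and the pre-resolved SIDs of the ACL entries.
 * No directory lookup happens here; that is the point of the cached design.
 */
function evaluateAcl(array $acl, array $resolved, array $userSids) {
    $userSet = array_flip($userSids);  // SID => index, for cheap membership tests
    $allowed = false;
    foreach ($acl as $groupName => $allow) {
        if (!isset($resolved[$groupName])) {
            // An unresolvable group name never matches a user; fail closed.
            continue;
        }
        if (isset($userSet[$resolved[$groupName]])) {
            if (!$allow) {
                return false;   // assumption: an explicit deny wins outright
            }
            $allowed = true;
        }
    }
    return $allowed;
}

/** Return the MediaWiki groups the user's Windows group SIDs map to. */
function mapGroups(array $map, array $resolved, array $userSids) {
    $userSet = array_flip($userSids);
    $mwGroups = array();
    foreach ($map as $groupName => $mwGroup) {
        if (isset($resolved[$groupName]) && isset($userSet[$resolved[$groupName]])) {
            $mwGroups[] = $mwGroup;
        }
    }
    return $mwGroups;
}

// Constructed group SID lists, as they would be taken from two users' tickets.
$alice = array('S-1-5-21-1000-2000-3000-513', 'S-1-5-21-1000-2000-3000-1105');
$bob   = array('S-1-5-21-1000-2000-3000-513', 'S-1-5-21-1000-2000-3000-1106');

echo "alice allowed: "; var_dump(evaluateAcl($authAcl, $resolvedSids, $alice));
echo "alice MW groups: "; print_r(mapGroups($groupMap, $resolvedSids, $alice));
echo "bob allowed: ";   var_dump(evaluateAcl($authAcl, $resolvedSids, $bob));
echo "bob MW groups: ";   print_r(mapGroups($groupMap, $resolvedSids, $bob));
```

Run it with `php` from the command line. The two design points worth noting are that the check is a pure set comparison against SIDs already in memory, so a domain controller outage after the names have been resolved does not block logins, and that a group name which failed to resolve is skipped rather than treated as matching, so a typo in the ACL can only lock people out, never let extra people in.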
NOTICE: Previous versions of this plugin used different forms of ACLs that were either unsafe or did not work very well. We are confident that the model we are using now is optimal. Please upgrade to the 3.x version of this plugin.
Please read the Plexcel MediaWiki Plugin Manual for a complete description of this plugin. It describes many other features such as:
- How to specify how usernames should be canonicalized (e.g. ACME\abaker or Abaker@acme.net or Abaker)
- How to deny by Windows group (as opposed to allow)
- How the ACL evaluation is performed exactly
- How to create an "Access Denied" page that explains to users that Windows group based access control is in effect
- How $wgGroupPermission interacts with $wgAuth->authAcl
- How to migrate existing accounts
- How to bypass authentication for certain targets (e.g. *.js files)
- How to disable SSO and use only the login form
The following requirements must be satisfied for the Plexcel MediaWiki extension to work.
- MediaWiki 1.11.1 or newer (older versions should work but they have not been tested recently)
- The Plexcel PHP extension version 2.5.0 or later, also from IOPLEX Software. Plexcel has the following requirements:
  - Linux or FreeBSD on i386 or x86_64
  - PHP 5
  - Browsers that support Kerberos SSO (e.g. Internet Explorer, Firefox, ...)
  - Installer must have sufficient AD privileges to create the HTTP service account
  - Web server must have valid entries in DNS
  - For an SSL protected login form, Apache must support SSL
  - Apache must run in a UTF-8 locale to support internationalized text
  - Time and date differences on all machines must be minimal (usually within 5 minutes)
For detailed Plexcel requirements and installation instructions please see the Plexcel Operator's Manual on the IOPLEX Software Support page.
Install Apache (with SSL if you want the login form to be protected), PHP and any other prerequisites for MediaWiki. These packages should be installable from your package manager (e.g. yum on Red Hat Linux, apt-get on Ubuntu, /usr/ports on FreeBSD, etc).
Install Plexcel. See the Plexcel Operator's Manual for details.
Install the Extension
Download the plexcel-mediawiki-3.2.1.tar.gz file. Unpack the file and copy the PlexcelAuth directory into the MediaWiki extensions directory. This procedure is illustrated by the example command dialog below:
$ wget http://www.ioplex.com/d/plexcel-mediawiki-3.2.1.tar.gz
$ tar -xvzf plexcel-mediawiki-3.2.1.tar.gz
$ cp -a plexcel-mediawiki-3.2.1/PlexcelAuth mediawiki-1.11.1/extensions
To activate the Plexcel MediaWiki plugin, add the following to the end of the MediaWiki LocalSettings.php file:
require_once('extensions/PlexcelAuth/PlexcelAuth.php');
$wgAuth = new PlexcelAuth(NULL, array('disable_encrypted_login' => TRUE));
$wgAuth->authAcl['EXAMPLE\\Domain Users'] = true;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgAuth->groupMap = array(
    'EXAMPLE\\Wiki Bureaucrats' => 'bureaucrats',
);
This configuration will only allow users in the EXAMPLE\Domain Users Windows group to authenticate and edit pages. Note that you will of course need to substitute your domain in place of EXAMPLE and you may wish to enter a different group entirely (e.g. 'ACME\\Wiki Users'). Beware that builtin groups like 'BUILTIN\Users' will not work. This configuration also allows anyone in the EXAMPLE\Wiki Bureaucrats Windows group to perform bureaucrats group operations such as User rights management.
Although this is a minimal example configuration, the plugin should now be fully functional. Try visiting a page with a suitable Kerberos-enabled browser. The user should automatically be logged in. Try clicking “log out” and manually entering alternative credentials. Then log out again and click on any page to resume SSO behavior.
If any of this does not work, verify that the Plexcel examples still work and review the Plexcel Operator's Manual if they do not. If the Plexcel examples do not work, the MediaWiki plugin will not work.
Securing the Login Form
If you have enabled and configured SSL for Apache properly you can set the 'disable_encrypted_login' option to FALSE (or not set it at all; false is the default value). With SSL enabled, the $wgAuth setting should look like the following:
$wgAuth = new PlexcelAuth();
Note that this setting has no impact on SSO: Kerberos tokens sent between the client and web server are always encrypted.