Extension:SSLClientAuth

MediaWiki extensions manual
SSLClientAuth
Release status: experimental
Implementation: User identity
Description: Replaces password authentication with authentication based on client SSL certificates.
Author(s): WGH
Latest version: 1.0
MediaWiki: 1.25.2
Database changes: No
License: BSD 3-clause "Modified" License
Hooks used: UserLoadFromSession, PersonalUrls, UserLogout

The SSLClientAuth extension replaces password authentication with authentication based on client SSL certificates.

Conceptually it is the same as the SSL authentication extension, but it has been written for a modern (1.25) MediaWiki version and uses far fewer hacks.

The first time a user opens the wiki with a valid client certificate, a new account is created automatically, named after the certificate's Common Name. Account registration should probably be disabled, as no user can log in without a certificate anyway.

It has only been tested with nginx with PHP running in FastCGI mode, but it should be easy to add support for other servers, too.

Installation

  • Enable client certificate validation in nginx:
    • ssl_client_certificate <path to .ca file>;
    • ssl_verify_client <on|optional>;
    • fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;
  • Download and place the file(s) in a directory called SSLClientAuth in your extensions/ folder.
  • Add the following code at the bottom of your LocalSettings.php:
    wfLoadExtension( 'SSLClientAuth' );
  • Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.
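
The account name comes from the Common Name in the subject DN that nginx passes as SSL_CLIENT_S_DN. The following is an added example, not the extension's own code (the function name commonNameFromDn is hypothetical): one way a PHP script could extract that name, accepting both the RFC 2253 form that $ssl_client_s_dn holds since nginx 1.11.6 and the older slash-separated form, and refusing to name an account when the DN is empty or ambiguous.

```php
<?php
// Added illustration; not SSLClientAuth's code. Function name is hypothetical.

/**
 * Derive an account name from the subject DN in SSL_CLIENT_S_DN.
 * Accepts RFC 2253 form ("CN=Alice,O=Example,C=US") and the older
 * slash form ("/C=US/O=Example/CN=Alice").
 * Returns null (no login) unless exactly one plain CN is present.
 */
function commonNameFromDn( ?string $dn ): ?string {
	if ( $dn === null || $dn === '' ) {
		// With "ssl_verify_client optional" a request without a certificate
		// still reaches PHP, and the DN is empty.
		return null;
	}
	if ( $dn[0] === '/' ) {
		$parts = explode( '/', substr( $dn, 1 ) );
	} else {
		// Split only on unescaped "," or "+", so an escaped comma inside
		// another attribute's value is never read as the start of a CN.
		$parts = preg_split( '/(?<!\\\\)[,+]/', $dn );
	}
	$names = [];
	foreach ( $parts as $part ) {
		if ( preg_match( '/^\s*CN=(.*)$/i', $part, $m ) ) {
			$names[] = trim( $m[1] );
		}
	}
	if ( count( $names ) !== 1 ) {
		return null; // no CN, or several: refuse rather than pick one
	}
	// Fail closed on escapes and control characters instead of decoding them.
	if ( $names[0] === '' || preg_match( '/[\\\\\x00-\x1f\x7f]/', $names[0] ) ) {
		return null;
	}
	return $names[0];
}

// Constructed sample DNs, not captured from a real deployment.
$samples = [
	'CN=Alice,O=Example,C=US',
	'/C=US/O=Example/CN=Alice',
	'O=Example\, CN=Dept,C=US',   // escaped comma inside O; no CN attribute
	'CN=Alice,CN=Bob,O=Example',  // two CNs: ambiguous
	'',                           // no certificate presented
];
foreach ( $samples as $dn ) {
	printf( "%-32s => %s\n", var_export( $dn, true ), var_export( commonNameFromDn( $dn ), true ) );
}
```

The slash-separated form cannot represent a "/" inside a value unambiguously, so the RFC 2253 form is the safer input where the nginx version provides it.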

To users running MediaWiki 1.24 or earlier:

The instructions above describe the new way of installing this extension using wfLoadExtension(). If you need to install this extension on MediaWiki 1.24 or earlier, then instead of wfLoadExtension( 'SSLClientAuth' ); you need to use:

require_once "$IP/extensions/SSLClientAuth/SSLClientAuth.php";