Extension:SSLClientAuth
 | This extension is currently not actively maintained! Although it may still work, any bug reports or feature requests will more than likely be ignored. |
 Release status: unmaintained |
|
|---|---|
| Implementation | User identity |
| Description | Replaces password authentication with the one based on client SSL certificates. |
| Author(s) | (WGHtalk) |
| Latest version | 1.0 |
| MediaWiki | 1.25.2 |
| Database changes | No |
| License | BSD 3-clause "Modified" License |
| Download | GitHub: Note: |
The SSLClientAuth extension replaces password authentication with the one based on client SSL certificates.
Conceptually it's the same as SSL authentication extension, but it has been written for modern (1.25) MediaWiki version and uses much less hacks.
The first time user tries to open the wiki with a valid client certificate, a new account with name specified in certificate's Common Name is created automatically. Account registration should probably be disabled, as no user can log in without a certificate anyway.
It has only been tested with nginx with PHP running in FastCGI mode, but it should be easy to add support for other servers, too.
Installation[edit]
- Enable client certificate validation on nginx:
ssl_client_certificate <path to .ca file>ssl_verify_client <on|optional>fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn
- Download and place the file(s) in a directory called
SSLClientAuthin yourextensions/folder. - Add the following code at the bottom of your
LocalSettings.php:wfLoadExtension( 'SSLClientAuth' );
Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.
To users running MediaWiki 1.24 or earlier:
The instructions above describe the new way of installing this extension using wfLoadExtension().
If you need to install this extension on these earlier versions (MediaWiki 1.24 and earlier), instead of wfLoadExtension( 'SSLClientAuth' );, you need to use:
require_once "$IP/extensions/SSLClientAuth/SSLClientAuth.php";