Topic on Extension talk:PluggableAuth

New user help (PluggableAuth + PluggableSSO + Active Directory)

Revansx (talkcontribs)

Hello,

I am setting up a new MW 1.29 application on a secure RHEL7+Apache2+PHP5.6+MariaDB5.5 host running in an Active Directory enterprise environment. All client browsers that will access the wiki have user session attributes in the header authenticated by the domain. When users visit the MW site, I would like MW to automatically log in the users (and create new users as needed) from the authentication information in the browser session header. I am told by my enterprise security admins that the session header data is compatible with SiteMinder (i.e. SM_SDOMAIN, etc.).

[Q1] Will I need anything beyond PluggableAuth and PluggableSSO? (like say Mod_auth_ker?)

[Q2] Will I need to configure either of these for my domain or should it just work?

So far I have successfully installed PluggableAuth and PluggableSSO and added the following to LocalSettings.php:

$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalLogin = true;
$wgPluggableAuth_EnableLocalProperties = false;
$wgPluggableAuth_Class = "PluggableSSO";
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'PluggableSSO' );

but it does not work as straightforwardly as hoped.

I have set $wgShowDebug = true; in my LocalSettings.php and can see all of the session data and trace info, but I don't know how to interpret it as well as I'd like.

[Q3] My local login no longer works either. Is this to be expected?

Any advice from the authentication gurus is greatly appreciated :-)

Thanks in advance,

-Rich

Revansx (talkcontribs)

From the debug data, here is what I think is the interesting/telling part:

  • QuickTemplate::__construct was called with no Config instance passed to it
  • [authentication] Primary login with PluggableAuthPrimaryAuthenticationProvider succeeded
  • [authentication] Primary login with PluggableAuthPrimaryAuthenticationProvider succeeded, but returned no user
Revansx (talkcontribs)

[SOLVED] I wound up using the extension “Auth_remoteuser”:

https://www.mediawiki.org/wiki/Extension:Auth_remoteuser

using something like this:

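wfLoadExtension( 'Auth_remoteuser' );
// Block manual account creation, but let the extension create accounts automatically.
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
// Take the user name from the session header set by the server.
$wgAuthRemoteuserUserName = $_SERVER["HTTP_MYCOMPANYUID"];
// Fill the e-mail address and real name from the session headers as well.
$wgAuthRemoteuserUserPrefsForced = [
    'email' => $_SERVER["HTTP_MYCOMPANYEMAIL"],
    'realname' => $_SERVER["HTTP_CN"]
];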

This denies users the ability to manually create accounts, but allows the extension to do so upon first visit when the session variables are set by the server. Sorry to trouble everyone here with what is probably a very simple goal, but maybe it will help another user like me. In the meantime, I would still be interested in how this might be implemented using the PluggableAuth and PluggableSSO extensions, but I'm in no hurry to switch now.

Thank you, all.

-Rich
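
As an added example (not part of the post above or of the Auth_remoteuser project), the $_SERVER assignments in that configuration can be replaced by a variant that validates the header values first and fails closed when the user ID is missing or malformed. The function name and the validation patterns are assumptions, and the headers are trustworthy only when the SSO layer (SiteMinder here) sets them itself on every request and discards client-supplied copies.

```php
<?php
// Added example: LocalSettings.php fragment, written for PHP 5.6 as in the thread.
// ssoIdentityFromHeaders() and its patterns are hypothetical; adapt to local policy.

/**
 * Return the identity asserted in the SSO headers, or null when the user ID
 * is missing or malformed (fail closed: no auto-login, no account creation).
 */
function ssoIdentityFromHeaders( array $server ) {
	$get = function ( $key ) use ( $server ) {
		return isset( $server[$key] ) && is_string( $server[$key] )
			? trim( $server[$key] ) : '';
	};
	$uid = $get( 'HTTP_MYCOMPANYUID' );
	$email = $get( 'HTTP_MYCOMPANYEMAIL' );
	$realname = $get( 'HTTP_CN' );

	// Assumed ID policy: 1-64 letters, digits, dot, dash or underscore. A value
	// merged from a repeated header ("a, b") fails this check as well.
	if ( !preg_match( '/^[A-Za-z0-9._-]{1,64}$/D', $uid ) ) {
		return null;
	}
	// Profile fields are optional: drop a bad value instead of refusing login.
	if ( filter_var( $email, FILTER_VALIDATE_EMAIL ) === false ) {
		$email = '';
	}
	if ( strlen( $realname ) > 128 || preg_match( '/[\x00-\x1F\x7F<>]/', $realname ) ) {
		$realname = '';
	}
	return [ 'uid' => $uid, 'email' => $email, 'realname' => $realname ];
}

$identity = ssoIdentityFromHeaders( $_SERVER );

// Empty string when validation fails. Assumption to verify on the installed
// version: Auth_remoteuser skips auto-login for an empty name.
$wgAuthRemoteuserUserName = $identity ? $identity['uid'] : '';

// Force only the fields that validated; array_filter() drops empty strings.
$wgAuthRemoteuserUserPrefsForced = $identity
	? array_filter( [ 'email' => $identity['email'], 'realname' => $identity['realname'] ] )
	: [];
```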

Packetboxer (talkcontribs)

Are you able to confirm how you set up AD with MediaWiki? Are all 3 extensions (PluggableAuth, PluggableSSO, and Auth_remoteuser) required to successfully integrate AD? I haven't had any success with PluggableAuth/PluggableSSO on their own. Although admittedly I feel I'm missing something somewhere that allows me to enter the Domain Controller details (i.e. server name, and domain admin to confirm users with AD).

Crismagnabosco (talkcontribs)

Hello @Packetboxer, did you solve this problem yet? If yes, how have you done it? Are you using PluggableSSO, Auth_remoteuser or both? I have the same trouble and I don't know which is the better one to choose.

Thanks

Revansx (talkcontribs)

Does your server enforce immutable sessions from an external identity provider? (Mine does. It uses CA SiteMinder.) This means that if a user is able to visit my wiki at all, it is guaranteed that they will have a session cookie that I can trust that has properties that Auth_remoteuser can read to identify them. In this scenario I don't need PluggableSSO. I think you only need PluggableSSO if the wiki is expected to query an Active Directory or a remote LDAP server. For me that query has already been done at an external site enforced by SiteMinder.
