Topic on Project:Support desk

Require NTLM/Form based authentication setup for MediaWiki 1.30.0

Anu8791 (talkcontribs)

Hi,

Please find below the software/products we are running within our Red Hat Linux 7 cluster server.

Product     Version
MediaWiki   1.30.0
PHP         7.1.8 (apache2handler)
MySQL       5.6.40
ICU         50.1.2

Currently, we have a Kerberos/LDAP setup within our WIKI server (RHEL7) to achieve SSO (Single Sign-On).

Now we require our WIKI to be accessed over the Internet.

For that, we are having issues with authentication from the AD server to our WIKI server (RHEL7), and we get the error 401 "Authorization Required" while accessing the WIKI over the internet.

Now the infrastructure team wonders if the WIKI can be set up with either NTLM or form-based authentication.

Please let us know if the WIKI supports either NTLM or form-based authentication.

We look forward to your help; it will be greatly appreciated.

Thanking you in advance!

Osnard (talkcontribs)

You can use Extension:Auth_remoteuser to have an implicit login if you have mod_auth_kerb (or something similar) set up on your server.

If you want certain IP ranges not to be logged in implicitly, but by using a local wiki account, you can configure this within the Apache configuration (Deny/Allow rules or by using a different vHost).

If you don't want to manage the accounts in the wiki locally, but have FBA against LDAP/AD, you can have a look at LDAPAuthentication (which also requires Extension:PluggableAuth and LDAPProvider).

Anu8791 (talkcontribs)

Thanks for your prompt comments!

Since we are AD users, we are using Extension:LDAPAuthentication with a Kerberos setup using mod_auth_kerb, and SSO is working fine within our network.

Now, we need to make the WIKI available on the internet, and as per our infrastructure AD team, we need to use NTLM / form-based / basic authentication.

Hence, I want to know if MediaWiki 1.30.0 supports all these methodologies to establish SSO.

Osnard (talkcontribs)

I am not aware of an HTTP Basic Auth extension. Yet it should be doable. The AuthManager component for MediaWiki is quite powerful.

I assume you are using Extension:LDAP Authentication by Ryan Lane, not LDAPAuthentication (by MWStack). As far as I know, with this extension a login with a local user account (one that only exists in the Wiki database) is not possible. But FBA against the LDAP/AD backend is possible. An external user would need to have credentials in your LDAP/AD. Instead of being logged in implicitly, he would need to use the standard Special:Login page.

You will have to add an exception in your mod_auth_kerb configuration, so external users can access the wiki. Also a little configuration switch in LocalSettings.php might be required, so that AutoAuthSetup is not being called for external users.

Anu8791 (talkcontribs)

Yes, you are correct! We are using Extension:LDAP Authentication by Ryan Lane.

Actually, if we enable SSO we wouldn't get the Login/Logout option visible in the WIKI status bar.

But if SSO is disabled at the server level, then we are able to see the manual login page, which has the option to choose the DOMAIN.

If we select Domain=Local, then we are able to log in to the WIKI locally, i.e. we can log in to the WIKI without interacting with the LDAP/AD server.

Else, if we choose Domain=Corporate, then the user credentials will be authenticated by the LDAP/AD server.

Gerdesj (talkcontribs)

Please be aware that NTLM is a less secure protocol than Kerberos. "Forms Based" is simply a way of entering a username/password. It sounds as though your infrastructure team are suggesting something like MS TMG's proxy which is awful, old and no longer supported by MS.

If your clients are all AD users and their PCs are all domain joined, then Kerberos can work - even across the internet. See Intranet (I wrote it). Have a look at this: Intranet/Intranet Reference Build Ubuntu, specifically the Apache config. The require sections can be pretty sophisticated.
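An added example, not from this thread or from the pages it links to, of the separate-vHost approach Osnard mentioned and the Apache require sections Gerdesj points to: internal clients get Kerberos only, while the load balancer's backend vHost carries no HTTP authentication so the wiki shows its own login form. Hostnames, realm, address ranges and paths are assumptions.

```apache
# Added example (not from this thread). Assumed names: realm CORP.EXAMPLE.COM,
# internal range 10.0.0.0/8, load balancer at 10.1.2.3, Apache 2.4 + mod_auth_kerb.

# vHost 1: reached directly by domain-joined clients inside the corporate network.
# Negotiate (Kerberos) only: the browser never shows a password prompt and no
# password crosses the wire. No exception is needed here because external
# users never reach this vHost.
<VirtualHost *:443>
    ServerName wiki.corp.example.com
    DocumentRoot /var/www/mediawiki
    # TLS directives assumed to be configured elsewhere.
    <Directory /var/www/mediawiki>
        AuthType Kerberos
        AuthName "Corporate Wiki"
        KrbAuthRealms CORP.EXAMPLE.COM
        KrbServiceName HTTP
        Krb5Keytab /etc/httpd/conf/http.keytab
        KrbMethodNegotiate On
        # Never fall back to Basic auth: that would send AD passwords to the server.
        KrbMethodK5Passwd Off
        # REMOTE_USER becomes "jdoe" rather than "jdoe@CORP.EXAMPLE.COM".
        KrbLocalUserMapping On
        # The implicit-login vHost serves internal addresses only, and even
        # those must still present a valid ticket.
        <RequireAll>
            Require ip 10.0.0.0/8
            Require valid-user
        </RequireAll>
    </Directory>
</VirtualHost>

# vHost 2: the backend the load balancer forwards Internet traffic to.
# No HTTP authentication at all, so REMOTE_USER stays unset: a LocalSettings.php
# switch that calls AutoAuthSetup() only when REMOTE_USER is set does nothing,
# and external users get the normal Special:UserLogin form (LDAP/AD password).
<VirtualHost *:443>
    ServerName wiki.example.com
    DocumentRoot /var/www/mediawiki
    <Directory /var/www/mediawiki>
        # Accept only the load balancer as the client on this vHost.
        Require ip 10.1.2.3
    </Directory>
</VirtualHost>
```

Pair this with the LocalSettings.php switch Osnard describes: call AutoAuthSetup() only when $_SERVER['REMOTE_USER'] is set, so a request through the second vHost can never trigger an implicit login.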

Anu8791 (talkcontribs)

Thanks for the Information!

With our current requirement (to make the WIKI available over the internet), we are interacting with a load balancer server that exists within the corporate network.

As per our infrastructure team, the LB server does not support the Kerberos authentication approach anymore.

Hence, they suggested implementing "Forms Based/Basic" authentication & authorization for the WIKI to enable the SSO feature.

Also, I want to confirm that all our clients are AD users accessing the WIKI over various platforms like Windows/Linux.

So, I would like to establish a multi-authentication setup for internal and external traffic (i.e. Forms Based/Basic auth would work in parallel with Kerberos auth). Hence "Forms Based/Basic" authentication & authorization for external users (internet-based users), and Kerberos would work for internal users. So, how would we achieve SSO after the auth setup/implementation?
