Mediawiki ipa

From Asenjo
Jump to: navigation, search


Configure our mediawiki installation for Single Sing On (SSO) when logged in a IPA kerberos/ldap domain.


In my case, the IPA domain is IPA.ASENJO.NX. The server containing the kerberos kdc, ldap directory and DNS server is kdc.ipa.asenjo.nx.

In my case, the webserver is running apache2 with virtual hosting. The virtual host is called mediawiki.ipa.asenjo.nx, which is a CNAME to webserver01.ipa.asenjo.nx. The DocumentRoot of the mediawiki installation is /var/www/html/mediawiki.

You can find about apache2 virtual hosting here.

The webserver does not necessarily have to be joined to the IPA domain but this guide assumes it is. Besides, why would you not want to use your centralized authentication/authorazation store? So go ahead and join the webserver to the IPA domain :-) (see joining clients to IPA domain

Get the LDAP authentication extension for mediawiki

You can download it from mediawikiwiki:Extension:LDAP_Authentication ; on the right side of the page you can find download link to 'donwload snapshot': mediawikiwiki:Special:ExtensionDistributor/LdapAuthentication.

I have tested this with the latest stable version at this moment: 1.18.x. When you click on continue, a tarball will be downloaded to your computer.

Follow the instructions on the next page to copy and extract the tarball to the right place in the webserver where mediawiki is installed. So copy the tarball to the webserver with scp and unpack it in the right place:

tar -xzf LdapAuthentication-MW1.18-90286.tar.gz -C /var/www/html/mediawiki/extensions

This will create a directory LDAPAuthentication inside the directory 'extensions' with four files:

[admin@webserver01 extensions]$ pwd
[admin@webserver01 extensions]$ ls -l LdapAuthentication
total 84
-rw-r--r--. 1 2010 2013  9221 Nov 14  2011 LdapAuthentication.i18n.php
-rw-r--r--. 1 2010 2013 62268 Nov 14  2011 LdapAuthentication.php
-rw-r--r--. 1 2010 2013  2892 Nov 14  2011 LdapAutoAuthentication.php
-rw-r--r--. 1 2010 2013   256 Nov 14  2011 README

Configure mediawiki to use LDAP authentication

These instructions are from [here ] and [here].

WARNING!!! Create first a local mediawiki user with the same loginname/password as one of your IPA domain users. I have used the admin user. Make that user sysop of the mediawiki installation. Otherwise you may not be able to login locally to your mediawiki installation after the changes we are going to make now. Do not panic either, because simple disabling the extension will reallow the local logins.

First we will enable the extension. Edit the LocalSettings.php file on the root of the mediawiki installation and add this line:

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );

The we define the ldap domain we want to use, bind to the directory etc. I have only binded with clear text authentication. This is not safe. Instructions on safer methods (TLS) are on the extension pages but I have not tested those yet.

I have added a user mediawikiuser to my IPA domain. Use an existing user in your environment.

Add this to the LocalSettings.php file:

$wgAuth = new LdapAuthenticationPlugin();

# Domain name
$wgLDAPDomainNames = array(

$wgLDAPServerNames = array( "IPA" => "kdc.ipa.asenjo.nx" );

$wgLDAPSearchStrings = array(
    "IPA" => "uid=USER-NAME,cn=users,cn=accounts,dc=ipa,dc=asenjo,dc=nx"

$wgLDAPEncryptionType = array(
    "IPA" => "clear"

// user and password for proxy agent. Use unprivileged user!!!
$wgLDAPProxyAgent = array(
$wgLDAPProxyAgentPassword = array(

With these changes we will be able to go to our mediawiki site and login with our IPA credentials. This is nice, but it can nicer.

Populate mediawiki user info from our IPA directory

We already have info (name, surname, maybe e-mail info) in our directory, so why not use it?

Edit LocalSettings.php:

//Option for allowing the retreival of user preferences from LDAP.
//Only pulls a small amount of info currently.
//Default: false
//DEPRECATED in 1.2a
$wgLDAPRetrievePrefs = array(

//Option for pulling specific preferences. Available options
//are "email", "realname", "nickname", "language"
//Ensure all attribute names given are in lower case.
//Default: none; disabled
//Available in 1.2a
$wgLDAPPreferences = array(
  "IPA"=>array( "email"=>"mail","realname"=>"displayname","nickname"=>"cn","language"=>"preferredlanguage")

When we login our mediawiki installation, we will see that those fields are populated already (except the preferred language one, I could not see the attribute in the ldap tree but I have not looked very deep either).

Enable SSO

What we have achieved is absolutely better that what we had, but we are already logged in the IPA domain, why log in again to the wiki?


To do this we need to use the [mod_auth_kerb]. Using yum we can install it easily:

# yum install mod_auth_kerb [enter]

Once installed, modify your virtual host configuration to use it. I have installed mediawiki on the root of the virtual host documentroot, so I enable it there. In this snippet, if you do not have a valid ticket you cannot view the site. If that is not what you want, change the krbMethodK5Passord parameter from 'off' to 'on' and you will be prompted for a password:

    # kerberos settings sso
    <Location / >
    AuthType Kerberos
    AuthName "Kerberos login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    KrbLocalUserMapping On # strip @REALM from username
    KrbServiceName HTTP
    KrbAuthRealms IPA.ASENJO.NX
    Krb5KeyTab /etc/httpd/conf.d/webserver01.keytab
    KrbSaveCredentials on
    Require valid-user


Do not reload apache just yet! We need to get a keytab and place it in /etc/httpd/conf.d.

service principal

In order for apache to allow clients with a valid kerberos ticket to log on, we need to create a service principal and export a keytab for it.

$ ipa-getkeytab -p HTTP/webserver01.ipa.asenjo.nx -s kdc.ipa.asenjo.nx -k webserver01.keytab

Place the keytab in the right place, in this case /etc/httpd/conf.d/webserver01.keytab.

The keytab must be only available to the webserver user. Verify the permissions and the keytab:

ls -lZ /etc/httpd/conf.d/webserver01.keytab
-rw-------. apache apache unconfined_u:object_r:httpd_config_t:s0 /etc/httpd/conf.d/webserver01.keytab

# klist -k /etc/httpd/conf.d/webserver01.keytab
Keytab name: WRFILE:/etc/httpd/conf.d/webserver01.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX
   1 HTTP/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX
   1 HTTP/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX
   1 HTTP/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX

For more information about service principals and IPA, consult the [docs]

Modify LocalSettings.php

We need to add another extension requirement:

require_once( "$IP/extensions/LdapAuthentication/LdapAutoAuthentication.php" );

and then tell mediawiki that the IPA domain may autologin:

$wgLDAPAutoAuthDomain = "IPA";

$wgLDAPAutoAuthUsername = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"] );


Reload apache

First test if there are no typos:

# apachectl -t [enter]
httpd: Could not reliably determine the server's fully qualified domain name, using webserver01.ipa.asenjo.nx for ServerName
Syntax OK

# apachectl graceful [enter]

I see I have not configured the ServerName directive yet :-), but for the rest the syntax is OK, so this should work.

Configure the web browser


see the [docs]


start chrome with the --auth-server-whitelist swith:

google-chrome --auth-server-whitelist="*.ipa.asenjo.nx" [enter]

That's it. Provided you have a valid kerberos ticket, point your browser to http://mediawiki.ipa.asenjo.nx and it should just work. You will be logged in mediawiki with your IPA user account.