Difference between revisions of "Mediawiki ipa"
Latest revision as of 23:03, 28 August 2015
Goal
Configure our mediawiki installation for Single Sign On (SSO) when logged in to an IPA kerberos/ldap domain.
Requirements
- We need (at least) a working ipa domain. See the instructions on how to install one: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/ ; the instructions are the same for Fedora or other RHEL derivatives.
In my case, the IPA domain is IPA.ASENJO.NX. The server containing the kerberos kdc, ldap directory and DNS server is kdc.ipa.asenjo.nx.
- a webserver with a basic mediawiki application installed and configured. See the mediawikiwiki:installation guide.
In my case, the webserver is running apache2 with virtual hosting. The virtual host is called mediawiki.ipa.asenjo.nx, which is a CNAME to webserver01.ipa.asenjo.nx. The DocumentRoot of the mediawiki installation is /var/www/html/mediawiki.
You can find out about apache2 virtual hosting here.
The webserver does not necessarily have to be joined to the IPA domain, but this guide assumes it is. Besides, why would you not want to use your centralized authentication/authorization store? So go ahead and join the webserver to the IPA domain :-) (see joining clients to IPA domain).
Get the LDAP authentication extension for mediawiki
You can download it from mediawikiwiki:Extension:LDAP_Authentication ; on the right side of the page you can find the download link 'download snapshot': mediawikiwiki:Special:ExtensionDistributor/LdapAuthentication.
I have tested this with the latest stable version at this moment: 1.18.x. When you click on continue, a tarball will be downloaded to your computer.
Follow the instructions on the next page to copy and extract the tarball to the right place in the webserver where mediawiki is installed. So copy the tarball to the webserver with scp and unpack it in the right place:
<pre>
tar -xzf LdapAuthentication-MW1.18-90286.tar.gz -C /var/www/html/mediawiki/extensions
</pre>
This will create a directory LdapAuthentication inside the directory 'extensions' with four files:
<pre>
[admin@webserver01 extensions]$ pwd
/var/www/html/mediawiki/extensions
[admin@webserver01 extensions]$ ls -l LdapAuthentication
total 84
-rw-r--r--. 1 2010 2013  9221 Nov 14  2011 LdapAuthentication.i18n.php
-rw-r--r--. 1 2010 2013 62268 Nov 14  2011 LdapAuthentication.php
-rw-r--r--. 1 2010 2013  2892 Nov 14  2011 LdapAutoAuthentication.php
-rw-r--r--. 1 2010 2013   256 Nov 14  2011 README
</pre>
Configure mediawiki to use LDAP authentication
These instructions are from [here ] and [here].
WARNING!!! First create a local mediawiki user with the same login name/password as one of your IPA domain users. I have used the admin user. Make that user sysop of the mediawiki installation. Otherwise you may not be able to log in locally to your mediawiki installation after the changes we are going to make now. Do not panic either, because simply disabling the extension will re-allow the local logins.
First we will enable the extension. Edit the LocalSettings.php file on the root of the mediawiki installation and add this line:
<pre>
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
</pre>
Then we define the ldap domain we want to use, bind to the directory, etc. I have only bound with clear text authentication. This is not safe. Instructions on safer methods (TLS) are on the extension pages but I have not tested those yet.
I have added a user mediawikiuser to my IPA domain. Use an existing user in your environment.
Add this to the LocalSettings.php file:
<pre>
$wgAuth = new LdapAuthenticationPlugin();

# Domain name
$wgLDAPDomainNames = array( "IPA", );
$wgLDAPServerNames = array( "IPA" => "kdc.ipa.asenjo.nx" );
$wgLDAPSearchStrings = array( "IPA" => "uid=USER-NAME,cn=users,cn=accounts,dc=ipa,dc=asenjo,dc=nx" );
$wgLDAPEncryptionType = array( "IPA" => "clear" );

// user and password for proxy agent. Use unprivileged user!!!
$wgLDAPProxyAgent = array( "IPA"=>"uid=mediawikiuser,cn=users,cn=accounts,dc=ipa,dc=asenjo,dc=nx" );
$wgLDAPProxyAgentPassword = array( "IPA"=>"mediawikiuserpassword" );
</pre>
With these changes we will be able to go to our mediawiki site and log in with our IPA credentials. This is nice, but it can be nicer.
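The same bind settings with the clear-text bind replaced by LDAP over TLS, as an added example that is not part of the original page and was not tested by its author. It assumes the wiki host is IPA-enrolled (so the IPA CA certificate is in /etc/ipa/ca.crt) and that the OpenLDAP client used by PHP trusts that CA through a TLS_CACERT line in /etc/openldap/ldap.conf.

```php
<?php
// Added example: LocalSettings.php bind settings for the IPA domain,
// using STARTTLS instead of the clear-text bind shown above.
// Assumption: the host is IPA-enrolled, so the IPA CA lives in
// /etc/ipa/ca.crt and /etc/openldap/ldap.conf carries
//     TLS_CACERT /etc/ipa/ca.crt
// Without a trusted CA the TLS handshake fails and every login is refused,
// which is the safe failure mode (no silent fallback to clear text).
$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array( "IPA" );
$wgLDAPServerNames = array( "IPA" => "kdc.ipa.asenjo.nx" );
$wgLDAPSearchStrings = array(
    "IPA" => "uid=USER-NAME,cn=users,cn=accounts,dc=ipa,dc=asenjo,dc=nx"
);

// Extension values: "clear" (no encryption, what the page uses),
// "tls" (STARTTLS on the normal LDAP port) or "ssl" (LDAPS).
$wgLDAPEncryptionType = array( "IPA" => "tls" );

// The proxy agent only needs to read user entries; keep it unprivileged
// and keep LocalSettings.php readable by the web server user only.
$wgLDAPProxyAgent = array(
    "IPA" => "uid=mediawikiuser,cn=users,cn=accounts,dc=ipa,dc=asenjo,dc=nx"
);
// Placeholder: the real proxy agent password goes here.
$wgLDAPProxyAgentPassword = array( "IPA" => "CHANGEME-proxy-agent-password" );
```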
Populate mediawiki user info from our IPA directory
We already have info (name, surname, maybe e-mail info) in our directory, so why not use it?
Edit LocalSettings.php:
<pre>
//Option for allowing the retrieval of user preferences from LDAP.
//Only pulls a small amount of info currently.
//Default: false
//DEPRECATED in 1.2a
$wgLDAPRetrievePrefs = array( "IPA"=>true );

//Option for pulling specific preferences. Available options
//are "email", "realname", "nickname", "language"
//Ensure all attribute names given are in lower case.
//Default: none; disabled
//Available in 1.2a
$wgLDAPPreferences = array( "IPA"=>array( "email"=>"mail","realname"=>"displayname","nickname"=>"cn","language"=>"preferredlanguage") );
</pre>
When we log in to our mediawiki installation, we will see that those fields are populated already (except the preferred language one; I could not see the attribute in the ldap tree, but I have not looked very deep either).
Enable SSO
What we have achieved is absolutely better than what we had, but we are already logged in to the IPA domain, so why log in again to the wiki?
mod_auth_kerb
To do this we need to use the [mod_auth_kerb]. Using yum we can install it easily:
<pre>
# yum install mod_auth_kerb [enter]
</pre>
Once installed, modify your virtual host configuration to use it. I have installed mediawiki on the root of the virtual host DocumentRoot, so I enable it there. In this snippet, if you do not have a valid ticket you cannot view the site. If that is not what you want, change the KrbMethodK5Passwd parameter from 'off' to 'on' and you will be prompted for a password:
<pre>
# kerberos settings sso
<Location / >
    AuthType Kerberos
    AuthName "Kerberos login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    # strip @REALM from username
    KrbLocalUserMapping On
    KrbServiceName HTTP
    KrbAuthRealms IPA.ASENJO.NX
    Krb5KeyTab /etc/httpd/conf.d/webserver01.keytab
    KrbSaveCredentials on
    Require valid-user
</Location>
</pre>
Do not reload apache just yet! We need to get a keytab and place it in /etc/httpd/conf.d.
service principal
In order for apache to allow clients with a valid kerberos ticket to log on, we need to create a service principal and export a keytab for it.
<pre>
$ ipa-getkeytab -p HTTP/webserver01.ipa.asenjo.nx -s kdc.ipa.asenjo.nx -k webserver01.keytab
</pre>
Place the keytab in the right place, in this case /etc/httpd/conf.d/webserver01.keytab.
The keytab must be available only to the webserver user. Verify the permissions and the keytab:
<pre>
ls -lZ /etc/httpd/conf.d/webserver01.keytab
-rw-------. apache apache unconfined_u:object_r:httpd_config_t:s0 /etc/httpd/conf.d/webserver01.keytab
# klist -k /etc/httpd/conf.d/webserver01.keytab
Keytab name: WRFILE:/etc/httpd/conf.d/webserver01.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX
   1 HTTP/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX
   1 HTTP/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX
   1 HTTP/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX
</pre>
For more information about service principals and IPA, consult the [docs]
Modify LocalSettings.php
We need to add another extension requirement:
<pre>
require_once( "$IP/extensions/LdapAuthentication/LdapAutoAuthentication.php" );
</pre>
and then tell mediawiki that the IPA domain may autologin:
<pre>
$wgLDAPAutoAuthDomain = "IPA";
$wgLDAPAutoAuthUsername = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"] );
AutoAuthSetup();
</pre>
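A stricter form of the auto-login lines above, as an added example that is not the page's or the extension's own code. Rather than stripping everything after "@", it accepts only a principal from the expected realm and only a name shaped like a FreeIPA uid, and skips auto-login otherwise so the normal login form is shown; the helper name ipaAutoAuthUsername and the uid pattern are assumptions.

```php
<?php
// Added example: validate REMOTE_USER before handing it to LdapAutoAuthentication.
// REMOTE_USER is trustworthy only because mod_auth_kerb sets it after a
// successful Negotiate exchange; this helper just makes sure the value is in
// the shape we expect before it becomes a wiki account name.
function ipaAutoAuthUsername( $remoteUser, $realm = 'IPA.ASENJO.NX' ) {
    if ( !is_string( $remoteUser ) || $remoteUser === '' ) {
        return null; // nothing authenticated: do not auto-login
    }
    // With "KrbLocalUserMapping On" Apache already gives "alice";
    // with it off the value is "alice@IPA.ASENJO.NX". Handle both.
    $parts = explode( '@', $remoteUser, 2 );
    if ( count( $parts ) === 2 && $parts[1] !== $realm ) {
        return null; // Kerberos realm names are case-sensitive; foreign realm: refuse
    }
    // Assumed uid pattern: letters, digits, "_", "." and "-" only.
    if ( !preg_match( '/^[A-Za-z0-9_.-]+$/', $parts[0] ) ) {
        return null;
    }
    return $parts[0];
}

$wgLDAPAutoAuthDomain = "IPA";
$ipaUser = ipaAutoAuthUsername(
    isset( $_SERVER['REMOTE_USER'] ) ? $_SERVER['REMOTE_USER'] : null
);
if ( $ipaUser !== null ) {
    $wgLDAPAutoAuthUsername = $ipaUser;
    AutoAuthSetup();
}
// Examples (constructed): "alice" -> "alice"; "alice@IPA.ASENJO.NX" -> "alice";
// "alice@OTHER.REALM" -> null; "" -> null.
```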
Reload apache
First test if there are no typos:
<pre>
# apachectl -t [enter]
httpd: Could not reliably determine the server's fully qualified domain name, using webserver01.ipa.asenjo.nx for ServerName
Syntax OK
# apachectl graceful [enter]
</pre>
I see I have not configured the ServerName directive yet :-), but for the rest the syntax is OK, so this should work.
Configure the web browser
Firefox
see the [docs]
Chrome
start chrome with the --auth-server-whitelist switch:
<pre>
google-chrome --auth-server-whitelist="*.ipa.asenjo.nx" [enter]
</pre>
That's it. Provided you have a valid kerberos ticket, point your browser to http://mediawiki.ipa.asenjo.nx and it should just work. You will be logged in to mediawiki with your IPA user account.