Mediawiki ipa

From Asenjo
Revision as of 09:35, 8 June 2012 by Natxo (Talk | contribs)


Goal

Configure our mediawiki installation for Single Sign On (SSO) when logged in to an IPA kerberos/ldap domain.


Requirements

In my case, the IPA domain is IPA.ASENJO.NX. The server containing the kerberos kdc, ldap directory and DNS server is kdc.ipa.asenjo.nx.

In my case, the webserver is running apache2 with virtual hosting. The virtual host is called mediawiki.ipa.asenjo.nx, which is a CNAME to webserver01.ipa.asenjo.nx. The DocumentRoot of the mediawiki installation is /var/www/html/mediawiki.

You can find out about apache2 virtual hosting here.

The webserver does not necessarily have to be joined to the IPA domain, but this guide assumes it is. Besides, why would you not want to use your centralized authentication/authorization store? So go ahead and join the webserver to the IPA domain :-) (see joining clients to IPA domain).

Get the LDAP authentication extension for mediawiki

You can download it from mediawikiwiki:Extension:LDAP_Authentication ; on the right side of the page you can find the 'download snapshot' link: mediawikiwiki:Special:ExtensionDistributor/LdapAuthentication.

I have tested this with the latest stable version at this moment: 1.18.x. When you click on continue, a tarball will be downloaded to your computer.

Follow the instructions on the next page to copy and extract the tarball to the right place on the webserver where mediawiki is installed: copy the tarball to the webserver with scp and unpack it into the extensions directory:

tar -xzf LdapAuthentication-MW1.18-90286.tar.gz -C /var/www/html/mediawiki/extensions

This will create a directory LdapAuthentication inside the directory 'extensions' with four files:

[admin@webserver01 extensions]$ pwd
/var/www/html/mediawiki/extensions
[admin@webserver01 extensions]$ ls -l LdapAuthentication
total 84
-rw-r--r--. 1 2010 2013  9221 Nov 14  2011 LdapAuthentication.i18n.php
-rw-r--r--. 1 2010 2013 62268 Nov 14  2011 LdapAuthentication.php
-rw-r--r--. 1 2010 2013  2892 Nov 14  2011 LdapAutoAuthentication.php
-rw-r--r--. 1 2010 2013   256 Nov 14  2011 README

Configure mediawiki to use LDAP authentication

These instructions are from [here] and [here].

WARNING!!! First create a local mediawiki user with the same login name/password as one of your IPA domain users, and make that user a sysop of the mediawiki installation. Otherwise you may not be able to log in locally to your mediawiki installation after the changes we are about to make. Do not panic either, because simply disabling the extension will allow local logins again.

First we will enable the extension. Edit the LocalSettings.php file on the root of the mediawiki installation and add this line:

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );

Then we define the ldap domain we want to use, bind to the directory, etc. I have only bound with clear text authentication. This is not safe. Instructions on safer methods (TLS) are on the extension pages, but I have not tested those yet.

I have added a user mediawikiuser to my IPA domain. Use an existing user in your environment.

Add this to the LocalSettings.php file:

$wgAuth = new LdapAuthenticationPlugin();

# Domain name
$wgLDAPDomainNames = array(
    "IPA",
);

$wgLDAPServerNames = array( "IPA" => "kdc.ipa.asenjo.nx" );

$wgLDAPSearchStrings = array(
    "IPA" => "uid=USER-NAME,cn=users,cn=accounts,dc=ipa,dc=asenjo,dc=nx"
);

$wgLDAPEncryptionType = array(
    "IPA" => "clear"
);

// user and password for proxy agent. Use unprivileged user!!!
$wgLDAPProxyAgent = array(
  "IPA"=>"uid=mediawikiuser,cn=users,cn=accounts,dc=ipa,dc=asenjo,dc=nx"
);
$wgLDAPProxyAgentPassword = array(
  "IPA"=>"mediawikiuserpassword"
);
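The "clear" setting above means the extension does simple binds without TLS, so the proxy agent's password and every user's password cross the network unencrypted on each login. As an added example (not from the original page or the extension's own documentation), here is the same LocalSettings.php fragment with the weak setting next to a STARTTLS setting. The extension accepts "clear", "tls" (STARTTLS on the normal LDAP port) and "ssl" (ldaps) for $wgLDAPEncryptionType; the CA certificate path and ldap.conf location are assumptions for a RHEL/Fedora-style IPA-enrolled client.

```php
<?php
// Added example: LocalSettings.php fragment with the weak setting beside the
// hardened one. Not from the original page or the extension's own docs.

// --- WEAK (what the page uses): simple binds in clear text -----------------
// $wgLDAPEncryptionType = array( "IPA" => "clear" );

// --- HARDENED: STARTTLS on the standard LDAP port before any bind ----------
$wgLDAPEncryptionType = array( "IPA" => "tls" );   // "ssl" would use ldaps:// instead

// The server name must match the certificate the KDC presents; a bare IP or
// an alias that is not in the certificate fails verification.
$wgLDAPServerNames = array( "IPA" => "kdc.ipa.asenjo.nx" );

// PHP's ldap extension uses the system LDAP client library, which must trust
// the IPA CA. Assumption: on an enrolled client the CA certificate is
// /etc/ipa/ca.crt and the client config is /etc/openldap/ldap.conf, where
//     TLS_CACERT /etc/ipa/ca.crt
// points the library at it.

// Domain names, search strings, proxy agent DN and password stay exactly as
// in the page; only the encryption type changes.
```

Before switching the setting, confirm that the web server's own LDAP client can complete STARTTLS against the KDC; if the CA is not trusted, every login will fail rather than silently fall back to clear text.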

With these changes we will be able to go to our mediawiki site and log in with our IPA credentials. This is nice, but it can be nicer.

Populate mediawiki user info from our IPA directory

We already have info (name, surname, maybe e-mail info) in our directory, so why not use it?

Edit LocalSettings.php:

//Option for allowing the retrieval of user preferences from LDAP.
//Only pulls a small amount of info currently.
//Default: false
//DEPRECATED in 1.2a
$wgLDAPRetrievePrefs = array(
  "IPA"=>true
  );

//Option for pulling specific preferences. Available options
//are "email", "realname", "nickname", "language"
//Ensure all attribute names given are in lower case.
//Default: none; disabled
//Available in 1.2a
$wgLDAPPreferences = array(
  "IPA"=>array( "email"=>"mail","realname"=>"displayname","nickname"=>"cn","language"=>"preferredlanguage")
  );

When we log in to our mediawiki installation, we will see that those fields are already populated (except the preferred language one: I could not see that attribute in the ldap tree, but I have not looked very deep either).
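To see which of the mapped attributes a user's entry actually carries (the preferred language question above), here is an added command-line check written against PHP's ldap extension (php-ldap, PHP 5.6 or later for ldap_escape). It is not part of the page, the LdapAuthentication extension or MediaWiki. It reuses the page's server, base DN, proxy agent DN and the $wgLDAPPreferences mapping, binds over STARTTLS (the "tls" setting rather than "clear"), and reports which attribute in the mapping is missing on the entry. The script name and the LDAP_PW environment variable for the agent password are assumptions.

```php
<?php
// check_ldap_prefs.php -- added example, not part of the wiki page, the
// LdapAuthentication extension or MediaWiki. Requires PHP's ldap extension.
// Usage: LDAP_PW='<proxy agent password>' php check_ldap_prefs.php <uid>

// Connection details taken from the page's LocalSettings.php fragment.
$server  = 'ldap://kdc.ipa.asenjo.nx';
$base    = 'cn=users,cn=accounts,dc=ipa,dc=asenjo,dc=nx';
$agent   = 'uid=mediawikiuser,' . $base;
$agentPw = getenv('LDAP_PW');          // assumption: password via environment, not argv

// Same mapping as $wgLDAPPreferences["IPA"] on the page (attribute names lower case).
$prefs = array(
    'email'    => 'mail',
    'realname' => 'displayname',
    'nickname' => 'cn',
    'language' => 'preferredlanguage',
);

if ($argc < 2 || $agentPw === false) {
    fwrite(STDERR, "usage: LDAP_PW='...' php check_ldap_prefs.php <uid>\n");
    exit(2);
}
$uid = $argv[1];

$ds = ldap_connect($server);
if ($ds === false) {
    fwrite(STDERR, "bad LDAP URI: $server\n");
    exit(1);
}
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

// STARTTLS before the bind so the agent password never crosses the network in
// clear; this is what $wgLDAPEncryptionType "tls" does and "clear" skips.
if (!ldap_start_tls($ds)) {
    fwrite(STDERR, "STARTTLS failed: " . ldap_error($ds) . " (is the IPA CA trusted?)\n");
    exit(1);
}
if (!ldap_bind($ds, $agent, $agentPw)) {
    fwrite(STDERR, "bind as $agent failed: " . ldap_error($ds) . "\n");
    exit(1);
}

// Escape the uid so a crafted argument cannot change the filter's meaning.
$filter = '(uid=' . ldap_escape($uid, '', LDAP_ESCAPE_FILTER) . ')';
$result = ldap_search($ds, $base, $filter, array_values($prefs));
if ($result === false) {
    fwrite(STDERR, "search failed: " . ldap_error($ds) . "\n");
    exit(1);
}
$entries = ldap_get_entries($ds, $result);
if ($entries['count'] !== 1) {
    fwrite(STDERR, "expected exactly one entry for uid=$uid, got {$entries['count']}\n");
    exit(1);
}

// ldap_get_entries() keys attributes in lower case, matching the mapping above.
$entry   = $entries[0];
$missing = 0;
foreach ($prefs as $pref => $attr) {
    if (isset($entry[$attr]) && $entry[$attr]['count'] > 0) {
        printf("%-9s <- %-17s = %s\n", $pref, $attr, $entry[$attr][0]);
    } else {
        printf("%-9s <- %-17s   (not present on this entry)\n", $pref, $attr);
        $missing++;
    }
}
ldap_unbind($ds);
exit($missing === 0 ? 0 : 3);
```

Run it on the web server as the same proxy agent the wiki uses, so the result reflects what MediaWiki itself can read: an attribute reported as not present is either absent from that entry or not readable by the agent, and the corresponding preference will stay empty after login. The non-zero exit code when something is missing makes the check usable from a deployment script.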