Mediawiki ipa

From Asenjo


Goal

Configure our mediawiki installation for Single Sign-On (SSO) when logged in to an IPA Kerberos/LDAP domain.


Requirements

In my case, the IPA domain is IPA.ASENJO.NX. The server containing the kerberos kdc, ldap directory and DNS server is kdc.ipa.asenjo.nx.

In my case, the webserver is running apache2 with virtual hosting. The virtual host is called mediawiki.ipa.asenjo.nx, which is a CNAME to webserver01.ipa.asenjo.nx. The DocumentRoot of the mediawiki installation is /var/www/html/mediawiki.

You can find about apache2 virtual hosting here.

The webserver does not necessarily have to be joined to the IPA domain, but this guide assumes it is. Besides, why would you not want to use your centralized authentication/authorization store? So go ahead and join the webserver to the IPA domain :-) (see joining clients to IPA domain).

Get the LDAP authentication extension for mediawiki

You can download it from mediawikiwiki:Extension:LDAP_Authentication ; on the right side of the page you can find the download link 'download snapshot': mediawikiwiki:Special:ExtensionDistributor/LdapAuthentication.

I have tested this with the latest stable version at this moment: 1.18.x. When you click on continue, a tarball will be downloaded to your computer.

Follow the instructions on the next page to copy and extract the tarball to the right place in the webserver where mediawiki is installed. So copy the tarball to the webserver with scp and unpack it in the right place:

tar -xzf LdapAuthentication-MW1.18-90286.tar.gz -C /var/www/html/mediawiki/extensions

This will create a directory LdapAuthentication inside the directory 'extensions' with four files (the numeric owner/group come from the tarball, so chown them to match the rest of your installation):

[admin@webserver01 extensions]$ pwd
/var/www/html/mediawiki/extensions
[admin@webserver01 extensions]$ ls -l LdapAuthentication
total 84
-rw-r--r--. 1 2010 2013  9221 Nov 14  2011 LdapAuthentication.i18n.php
-rw-r--r--. 1 2010 2013 62268 Nov 14  2011 LdapAuthentication.php
-rw-r--r--. 1 2010 2013  2892 Nov 14  2011 LdapAutoAuthentication.php
-rw-r--r--. 1 2010 2013   256 Nov 14  2011 README

Configure mediawiki to use LDAP authentication

These instructions are from [here] and [here].

WARNING!!! First create a local mediawiki user with the same login name/password as one of your IPA domain users. I have used the admin user. Make that user a sysop of the mediawiki installation. Otherwise you may not be able to log in to your mediawiki installation after the changes we are going to make now. Do not panic either, because simply disabling the extension will re-allow local logins.

First we will enable the extension. Edit the LocalSettings.php file in the root of the mediawiki installation and add this line:

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );

Then we define the LDAP domain we want to use, how to bind to the directory, and so on. I have only bound with clear-text authentication. This is not safe: with "clear", the proxy agent's password and every password a user types into the wiki login form cross the network to the KDC host unencrypted. The extension also accepts "tls" (STARTTLS on port 389) and "ssl" (LDAPS on port 636) as $wgLDAPEncryptionType; an IPA server supports both, and on an enrolled client the IPA CA certificate is in /etc/ipa/ca.crt (ipa-client-install normally points /etc/openldap/ldap.conf at it, which is what PHP's LDAP client uses). Instructions on the TLS methods are on the extension pages but I have not tested those yet.

I have added a user mediawikiuser to my IPA domain. Use an existing user in your environment.

Add this to the LocalSettings.php file:

$wgAuth = new LdapAuthenticationPlugin();

# Domain name
$wgLDAPDomainNames = array(
    "IPA",
);

$wgLDAPServerNames = array( "IPA" => "kdc.ipa.asenjo.nx" );

$wgLDAPSearchStrings = array(
    "IPA" => "uid=USER-NAME,cn=users,cn=accounts,dc=ipa,dc=asenjo,dc=nx"
);

$wgLDAPEncryptionType = array(
    "IPA" => "clear"
);

// user and password for proxy agent. Use unprivileged user!!!
$wgLDAPProxyAgent = array(
  "IPA"=>"uid=mediawikiuser,cn=users,cn=accounts,dc=ipa,dc=asenjo,dc=nx"
);
$wgLDAPProxyAgentPassword = array(
  "IPA"=>"mediawikiuserpassword"
);

With these changes we can go to our mediawiki site and log in with our IPA credentials. Note that LocalSettings.php now contains the proxy agent's password: keep the file readable only by root and the web server user (for example mode 0640, owned by root with group apache) and make sure it is never served to browsers. This is nice, but it can be nicer.

Populate mediawiki user info from our IPA directory

We already have info (name, surname, maybe e-mail info) in our directory, so why not use it?

Edit LocalSettings.php:

//Option for allowing the retreival of user preferences from LDAP.
//Only pulls a small amount of info currently.
//Default: false
//DEPRECATED in 1.2a
$wgLDAPRetrievePrefs = array(
  "IPA"=>true
  );

//Option for pulling specific preferences. Available options
//are "email", "realname", "nickname", "language"
//Ensure all attribute names given are in lower case.
//Default: none; disabled
//Available in 1.2a
$wgLDAPPreferences = array(
  "IPA"=>array( "email"=>"mail","realname"=>"displayname","nickname"=>"cn","language"=>"preferredlanguage")
  );

When we log in to our mediawiki installation, we will see that those fields are populated already (except the preferred language one: I could not see the attribute in the ldap tree but I have not looked very deep either). IPA users are inetOrgPerson objects, so the schema does allow preferredLanguage, but IPA does not fill it in by default; set it on the user entry yourself if you want the wiki language to follow the directory.

Enable SSO

What we have achieved is definitely better than what we had, but we are already logged in to the IPA domain, so why log in again to the wiki?

mod_auth_kerb

To do this we need the mod_auth_kerb Apache module. Using yum we can install it easily:

# yum install mod_auth_kerb [enter]

Once installed, modify your virtual host configuration to use it. I have installed mediawiki in the root of the virtual host DocumentRoot, so I enable it there. With this snippet, if you do not have a valid ticket you cannot view the site at all. If that is not what you want, change KrbMethodK5Passwd from 'off' to 'on' and you will be prompted for a password; that fallback is HTTP Basic authentication, so the password itself travels to the server and the virtual host must then be served over HTTPS. KrbSaveCredentials only matters if Apache has to hold delegated client tickets for a backend; MediaWiki does not need it and it can be left off. Note that httpd does not accept a comment at the end of a directive line, so comments go on their own line:

    # kerberos settings sso
    <Location />
    AuthType Kerberos
    AuthName "Kerberos login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    # strip @REALM from the username that reaches PHP as REMOTE_USER
    KrbLocalUserMapping on
    KrbServiceName HTTP
    KrbAuthRealms IPA.ASENJO.NX
    Krb5KeyTab /etc/httpd/conf.d/webserver01.keytab
    KrbSaveCredentials on
    Require valid-user
    </Location>

Do not reload apache just yet! We need to get a keytab and place it in /etc/httpd/conf.d.

service principal

In order for apache to accept clients with a valid kerberos ticket, we need a service principal for the web server and a keytab exported for it. The HTTP/webserver01.ipa.asenjo.nx service must already exist in IPA (ipa service-add creates it, run with an admin ticket); once it does, export its keys:

$ ipa-getkeytab -p HTTP/webserver01.ipa.asenjo.nx -s kdc.ipa.asenjo.nx -k webserver01.keytab

Place the keytab in the right place, in this case /etc/httpd/conf.d/webserver01.keytab.

The keytab must be only available to the webserver user. Verify the permissions and the keytab:

ls -lZ /etc/httpd/conf.d/webserver01.keytab
-rw-------. apache apache unconfined_u:object_r:httpd_config_t:s0 /etc/httpd/conf.d/webserver01.keytab

# klist -k /etc/httpd/conf.d/webserver01.keytab
Keytab name: WRFILE:/etc/httpd/conf.d/webserver01.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX
   1 HTTP/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX
   1 HTTP/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX
   1 HTTP/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX
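To verify the three things set up above before relying on them (that the proxy agent can bind over TLS instead of "clear", which attributes behind $wgLDAPPreferences IPA actually populates, and that the keytab has the right permissions, principal and key version), here is a small pre-flight script. It is an added example and not part of this page or of the LdapAuthentication extension. The hostnames, base DN, keytab path and principal default to the ones used in this guide; the environment variable names, the "check" mode, the messages and the sample klist output embedded for the offline self-test are my own assumptions and constructed data.

```shell
#!/bin/sh
# sso_preflight.sh: pre-flight checks for the LDAP and Kerberos settings used in
# this guide. Added example, not part of the page or of the extension.
# Defaults are the names from this guide; override them via environment
# variables (the variable names themselves are an assumption of this script).
KDC=${KDC:-kdc.ipa.asenjo.nx}
BASEDN=${BASEDN:-cn=users,cn=accounts,dc=ipa,dc=asenjo,dc=nx}
PROXY_DN=${PROXY_DN:-uid=mediawikiuser,$BASEDN}
KEYTAB=${KEYTAB:-/etc/httpd/conf.d/webserver01.keytab}
PRINC=${PRINC:-HTTP/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX}
WEBUSER=${WEBUSER:-apache}

# ldap_user_attrs USER: bind as the proxy agent over STARTTLS (-ZZ aborts if TLS
# cannot be negotiated) and print the attributes $wgLDAPPreferences maps, so you
# see which ones IPA really populates. -W prompts for the proxy agent password
# instead of taking it on the command line (use -y FILE for unattended runs).
ldap_user_attrs() {
    ldapsearch -LLL -ZZ -H "ldap://$KDC" -D "$PROXY_DN" -W -b "$BASEDN" \
        "(uid=$1)" uid mail displayName cn preferredLanguage
}

# keytab_perms_ok FILE USER: FILE exists, is owned by USER, and is 0600 or 0400.
keytab_perms_ok() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%U' "$1")" = "$2" ] || return 1
    case "$(stat -c '%a' "$1")" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# keytab_has_principal PRINCIPAL: reads 'klist -k' output on stdin and succeeds
# if PRINCIPAL is listed (exact match on the second column, any KVNO).
keytab_has_principal() {
    awk -v p="$1" '$2 == p { found = 1 } END { exit !found }'
}

# keytab_kvno PRINCIPAL: reads 'klist -k' output on stdin and prints the highest
# KVNO stored for PRINCIPAL (0 if it is absent).
keytab_kvno() {
    awk -v p="$1" '$2 == p && $1 + 0 > max { max = $1 + 0 } END { print max + 0 }'
}

# kdc_kvno: reads 'kvno PRINCIPAL' output ("HTTP/host@REALM: kvno = N") on stdin
# and prints N, the key version the KDC issues tickets for right now.
kdc_kvno() {
    sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Constructed sample of 'klist -k' output, shaped like the listing in this guide,
# used to exercise the parsers offline.
SAMPLE_KLIST='Keytab name: WRFILE:/etc/httpd/conf.d/webserver01.keytab
KVNO Principal
---- --------------------------------------------
   1 HTTP/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX
   1 HTTP/webserver01.ipa.asenjo.nx@IPA.ASENJO.NX'

# Usage: sh sso_preflight.sh check [ipa-user]
# Run on the webserver as root while holding an admin TGT (kinit), so kvno can
# query the KDC. Without "check" only the functions above are defined.
if [ "${1:-}" = "check" ]; then
    user=${2:-admin}
    if out=$(ldap_user_attrs "$user") && printf '%s\n' "$out" | grep -q "^uid: $user\$"; then
        echo "ok: STARTTLS bind as $PROXY_DN; attributes for $user:"
        printf '%s\n' "$out"
    else
        echo "FAIL: STARTTLS bind or lookup of uid=$user failed; fix this before moving off \"clear\""
    fi
    if keytab_perms_ok "$KEYTAB" "$WEBUSER"; then
        echo "ok: $KEYTAB is 0600 and owned by $WEBUSER"
    else
        echo "FAIL: $KEYTAB must exist, be mode 0600 and be owned by $WEBUSER"
    fi
    if klist -k "$KEYTAB" | keytab_has_principal "$PRINC"; then
        echo "ok: $PRINC is in the keytab"
    else
        echo "FAIL: $PRINC is not in $KEYTAB"
    fi
    kt=$(klist -k "$KEYTAB" | keytab_kvno "$PRINC")
    now=$(kvno "$PRINC" 2>/dev/null | kdc_kvno)
    if [ -n "$now" ] && [ "$kt" = "$now" ]; then
        echo "ok: keytab KVNO $kt matches the KDC"
    else
        echo "FAIL: keytab KVNO '$kt' vs KDC KVNO '$now' (a repeated ipa-getkeytab rekeys the principal)"
    fi
fi
```

Run it on the webserver as root after a kinit as admin: sh sso_preflight.sh check admin. The KVNO comparison is there because every run of ipa-getkeytab generates fresh keys for the principal and bumps its version number, so a keytab exported earlier silently stops working; export once and copy the file. The principal check uses the CNAME target on purpose: browsers normally resolve mediawiki.ipa.asenjo.nx to webserver01.ipa.asenjo.nx before asking the KDC for HTTP/webserver01.ipa.asenjo.nx, which is why that is the name in the keytab. A client that does not canonicalize would ask for HTTP/mediawiki.ipa.asenjo.nx instead, and you would then need that principal and its keys in the keytab as well.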

For more information about service principals and IPA, consult the [docs]

Modify LocalSettings.php

We need to add another extension requirement:

require_once( "$IP/extensions/LdapAuthentication/LdapAutoAuthentication.php" );

and then tell mediawiki that the IPA domain may autologin. The username comes from REMOTE_USER, which only mod_auth_kerb can set because the whole virtual host sits under the Kerberos <Location>; with KrbLocalUserMapping on the @REALM part is already stripped, so the preg_replace is just a safety net. The isset() guard avoids an undefined-index notice when there is no REMOTE_USER, for example when maintenance scripts are run from the shell:

$wgLDAPAutoAuthDomain = "IPA";

# strip @REALM if it is still there; without REMOTE_USER there is nobody to auto-login
$wgLDAPAutoAuthUsername = isset( $_SERVER["REMOTE_USER"] )
    ? preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"] )
    : null;

AutoAuthSetup();

Reload apache

First test if there are no typos:

# apachectl -t [enter]
httpd: Could not reliably determine the server's fully qualified domain name, using webserver01.ipa.asenjo.nx for ServerName
Syntax OK

# apachectl graceful [enter]

I see I have not configured the ServerName directive yet :-), but for the rest the syntax is OK, so this should work.

Configure the web browser

Firefox

see the [docs]

Chrome

start chrome with the --auth-server-whitelist switch (recent Chrome versions call it --auth-server-allowlist, and it can also be set through enterprise policy):

google-chrome --auth-server-whitelist="*.ipa.asenjo.nx" [enter]

That's it. Provided you have a valid kerberos ticket, point your browser to http://mediawiki.ipa.asenjo.nx and it should just work: you will be logged in to mediawiki with your IPA user account. One caveat before using this for real: the wiki here is served over plain http. The Negotiate token is not a reusable password, but the MediaWiki session cookie (and the password itself, if you turned KrbMethodK5Passwd on) then crosses the network in the clear, so put the virtual host behind HTTPS.