
Single Sign-on to MediaWiki 1.13 using Active Directory and REMOTE_USER

I was tasked with providing a wiki application for the use of the sales team here at Ping Identity. For the sake of a mature solution, we chose to use MediaWiki, which is the open-source PHP application that runs Wikipedia.

MediaWiki is built to support the same editing system that Wikipedia is founded upon: namely, to let anyone create or edit content, and do so via a self-created account or anonymously (with the IP tracked). Now Ping Identity, as a single sign-on and identity management software vendor, is all about easy identity management. Besides the fact that most of our users from sales would balk at having to create yet another user account, I would be breaking faith with the company if I didn't allow automatic provisioning (i.e., the automatic creation of new accounts if they've been authorized by our AD server). So, after getting MediaWiki installed, I went off to search the blogosphere for single sign-on solutions to make our Apache web server authenticate against our Active Directory service, then have people automatically recognized and provisioned as necessary by our wiki.

The first place I started was to configure our Apache server to protect our wiki site with a basic authentication challenge which would be checked against an LDAP (or Active Directory) service. The solution I found was to take a little inspiration from the work Sander Marechal did to get an AD server to integrate with Subversion. I won't repeat all of the details, but in essence you 1) make sure that you have the LDAP modules installed and configured properly, and 2) have the correct directives in your Apache configuration files, like so:


        AuthBasicProvider ldap
        AuthType Basic
        AuthzLDAPAuthoritative off
        AuthName "Wikis"
        AuthLDAPURL "ldap://your.ad.server.com:389/DC=your,DC=ad,DC=server,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
        AuthLDAPBindDN "CN=apache,CN=Users,DC=your,DC=ad,DC=server,DC=com"
        AuthLDAPBindPassword somepass

        require valid-user

Pay careful attention to the AuthLDAPURL and AuthLDAPBindDN directives; chances are that you'll need to put very specific information in those lines. Check Sander's blog entry for detailed directions. You may also need to make sure that your firewall has the correct ports open so that your web server can talk to the AD server.

So if you have Apache talking to your AD server correctly, and letting valid users into the site, you next have to get MediaWiki to automatically read the username from the webserver, log the person in, and create an account if necessary.

After playing around with some scripts I found on the web, I finally found the solution on the MediaWiki site, in an article on an automatic remote user extension. Just save the file from that page as /includes/Auth_remoteuser.php, and place the following two lines in your LocalSettings.php file:


require_once('extensions/Auth_remoteuser.php');
$wgAuth = new Auth_remoteuser();

Then I was all set. Our users log into the site with their corporate password, and the wiki recognizes them immediately. No separate login or account creation required.
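To show what the wiki actually does with the identity Apache verified, here is an added example (not the post's code and not the Auth_remoteuser extension itself) of the mapping step such a plugin performs: it reads REMOTE_USER, which Apache sets only after the LDAP challenge succeeded, strips the domain or realm that AD may attach, and normalizes the result into a MediaWiki account name, or returns null so the visitor stays anonymous. The function name, the "DOMAIN\user" and "user@realm" input forms and the rejected-character list are assumptions.

```php
<?php
// Added example, not code from the post or the Auth_remoteuser extension.
// Maps the REMOTE_USER that Apache set after a successful LDAP/AD challenge
// to a MediaWiki account name; null means "treat the visitor as anonymous".
function remoteUserToWikiName(array $server): ?string
{
    // REMOTE_USER is absent when Apache did not authenticate the request
    // (no "require valid-user" on that path), so never map it to a default
    // account: an unauthenticated hit must stay anonymous.
    if (empty($server['REMOTE_USER'])) {
        return null;
    }
    $name = $server['REMOTE_USER'];

    // AD may hand over "DOMAIN\jsmith" or "jsmith@corp.example.com"
    // (assumed forms); keep only the sAMAccountName part.
    if (($pos = strrpos($name, '\\')) !== false) {
        $name = substr($name, $pos + 1);
    }
    if (($pos = strpos($name, '@')) !== false) {
        $name = substr($name, 0, $pos);
    }

    // MediaWiki stores user names first-letter capitalised, with spaces
    // instead of underscores.
    $name = str_replace('_', ' ', trim($name));
    if ($name === '') {
        return null;
    }
    $name = ucfirst($name);

    // Refuse characters MediaWiki does not allow in user names, so an odd
    // directory entry cannot become a malformed user page title.
    if (preg_match('/[#<>\[\]|{}\/@]/', $name)) {
        return null;
    }
    return $name;
}

// Constructed inputs for a quick self-check: run with `php thisfile.php`.
$cases = [
    ['REMOTE_USER' => 'CORP\\jsmith'],
    ['REMOTE_USER' => 'jsmith@corp.example.com'],
    ['REMOTE_USER' => 'j_smith'],
    [],                              // Apache did not authenticate at all
    ['REMOTE_USER' => 'weird|name'], // disallowed character
];
foreach ($cases as $s) {
    var_dump(remoteUserToWikiName($s));
}
```

If a user shows up as anonymous, checking the value of $_SERVER['REMOTE_USER'] on the wiki's own path (phpinfo() or a one-line test page) is the quickest way to tell whether Apache or the plugin is at fault.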

Comments (6)

I have looked at the script.

Thanks for this article.
It was just what I was looking for.

Congrats.

Tom, does this overwrite/inactivate the following settings?

$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = false;

I've implemented your single login method, and now the wiki doesn't require users to be logged in to edit/view.

Thanks a bunch for any help you can provide! :)

@ninermac: I don't think that the single sign-on configuration would overwrite configuration settings like the ones you describe. But there's one mistake in your thinking: the users who hit the wiki are logged in. It just happens automatically after they respond to basic auth, instead of through an HTML form.

Hi, I'm trying to use this in a similar setup: I have a wiki installed in an Apache-protected directory, I log in against an Active Directory, all OK (REMOTE_USER is my username, etc.), but the wiki doesn't create the account and I'm not logged in. I'm an anonymous user...

I did the same as your post says.

Hi, LDAP authentication works, but MediaWiki isn't using the username I entered.
