Dawning.ca

Quick Recipe for MediaWiki with AD logins - Wed, Feb 2, 2011

Here’s a quick recipe for getting a server up with MediaWiki running and having Active Directory Logins working with it… I’ll warn you, there are other ways of doing this. I find this to satisfy my needs, but if you manage to cause the world to implode, I won’t be held responsible.

Step 1: Set up your server

I created an Ubuntu 10.10 server VM for this; use whatever if you have some sort of issue against doing the same as me.

Step 2: Get Centrify Going

My friend told me about “Centrify” the other day. It’s a package you can install to help make Active Directory Logins simple. To install it, you have to first uncomment the partner repos in /etc/apt/sources.list - then install it via “apt-get install centrifydc”.

To activate Centrify, run “adjoin -w AD-NAME”. If you need more options, use “adjoin --help” to learn more.

Reboot your machine and confirm you can login with your credentials in Active Directory.

Step 3: Install & Configure MediaWiki

Go through the regular fun of setting up MediaWiki, so install Apache2, php5 and whatever database you like.

Once you’ve got the base install of MediaWiki going, add the following lines to your LocalSettings.php:

```php
# Load the plugin and make it the wiki's authentication backend
require_once("./extensions/PwAuthPlugin.php");
$wgAuth = new PwAuthPlugin();

# Anonymous users ('*'): read-only, no account creation
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['read'] = true;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createpage'] = false;
$wgGroupPermissions['*']['createtalk'] = false;

$wgShowIPinHeader = false; # For non-logged in users
```

Then, dump the following file to ./extensions/PwAuthPlugin.php

```php
		// [The listing begins mid-file: everything before this point is missing from the page.]
		$template->set('usedomain', false );
		$template->set('useemail', false);	// Disable the mail new password box.
		$template->set('create', false);	// Remove option to create new accounts from the wiki.
	}

	/**
	 * Check to see if the specific domain is a valid domain.
	 *
	 * @param string $domain
	 * @return bool
	 * @access public
	 */
	function validDomain( $domain ) {
		# We ignore domains, so erm, yes?
		return true;
	}

	/**
	 * When a user logs in, optionally fill in preferences and such.
	 * For instance, you might pull the email address or real name from the
	 * external user database.
	 *
	 * The User object is passed by reference so it can be modified; don't
	 * forget the & on your function declaration.
	 *
	 * @param User $user
	 * @access public
	 */
	function updateUser( &$user ) {
		global $pwauth_email_domain;

		// Lookup information about user
		$username = strtolower( $user->getName() );
		$account = posix_getpwnam( $username );
		// explode() instead of split(), which is deprecated as of PHP 5.3
		$gecos = explode( ',', $account['gecos'] );

		// Set users real name
		$user->setRealName( $gecos[0] );

		// Set email if domain is configured
		if (!empty( $pwauth_email_domain ) ) {
			// Set the email address
			$user->setEmail( $username.'@'.$pwauth_email_domain );
			// We set the email address, therefore it is valid
			$user->confirmEmail();
		}

		// For security, scramble the password to ensure the user can
		// only login using system password.
		// This set the password to a 15 byte random string.
		$pass = '';
		for($i=0; $i<15;++$i) $pass .= chr(mt_rand(0,255));
		//$user->setPassword($pass); //Removed by James for those using Centrify, will cause ugliness

		return true;
	}

	/**
	 * Return true if the wiki should create a new local account automatically
	 * when asked to login a user who doesn't exist locally but does in the
	 * external auth database.
	 *
	 * If you don't automatically create accounts, you must still create
	 * accounts in some way. It's not possible to authenticate without
	 * a local account.
	 *
	 * This is just a question, and shouldn't perform any actions.
	 *
	 * @return bool
	 * @access public
	 */
	function autoCreate() {
		return true;
	}

	/**
	 * Can users change their passwords?
	 *
	 * @return bool
	 */
	function allowPasswordChange() {
		# We can't change users system passwords
		return false;
	}

	/**
	 * Set the given password in the authentication database.
	 * Return true if successful.
	 *
	 * @param string $password
	 * @return bool
	 * @access public
	 */
	function setPassword( $password ) {
		# We can't change users system passwords
		return false;
	}

	/**
	 * Update user information in the external authentication database.
	 * Return true if successful.
	 *
	 * @param User $user
	 * @return bool
	 * @access public
	 */
	function updateExternalDB( $user ) {
		# We can't change users details
		return false;
	}

	/**
	 * Check to see if external accounts can be created.
	 * Return true if external accounts can be created.
	 * @return bool
	 * @access public
	 */
	function canCreateAccounts() {
		# We can't create accounts
		return false;
	}

	/**
	 * Add a user to the external authentication database.
	 * Return true if successful.
	 *
	 * @param User $user
	 * @param string $password
	 * @return bool
	 * @access public
	 */
	function addUser( $user, $password ) {
		# We can't create accounts
		return false;
	}

	/**
	 * Return true to prevent logins that don't authenticate here from being
	 * checked against the local database's password fields.
	 *
	 * This is just a question, and shouldn't perform any actions.
	 *
	 * @return bool
	 * @access public
	 */
	function strict() {
		# Only allow authentication from system database
		return true;
	}

	/**
	 * When creating a user account, optionally fill in preferences and such.
	 * For instance, you might pull the email address or real name from the
	 * external user database.
	 *
	 * The User object is passed by reference so it can be modified; don't
	 * forget the & on your function declaration.
	 *
	 * @param User $user
	 * @access public
	 */
	function initUser(&$user) {
		# We do everything in updateUser
	}
}

/**
 * Some extension information init
 */
$wgExtensionCredits['other'][] = array(
	'name' => 'PWAuthPlugin',
	'version' => '1.0',
	'author' => 'Nicholas Humfrey',
	'description' => 'Automagic login with system accounts, using pwauth',
	'url' => 'http://www.mediawiki.org/wiki/Extension:PwAuthPlugin'
);
?>
```

Basically all of that plugin is from here. But I found I had to disable saving of passwords in the function “updateUser()” in order for this to work with Centrify in my environment.
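Because `autoCreate()` returns true, every directory account that can log in gets a wiki account, so the anonymous-group lockdown in LocalSettings.php is what keeps everyone else read-only. The script below is an added example, not part of the original post or the plugin: it lints a LocalSettings.php on stdin for the Step 3 settings and flags the typical copy-paste damage (curly quotes, a lost `*`). The function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint LocalSettings.php (on stdin) for the Step 3 lockdown.
# Function names and sample data are constructed for illustration.
check_wiki_lockdown() {
    q="['\"]"; problems=0        # $q matches either ASCII quote character
    # Drop whole-line comments so a commented-out setting does not count.
    active=$(sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*\/\//d')
    for perm in createaccount edit createpage createtalk; do
        re="\\\$wgGroupPermissions\[$q\*$q\]\[$q$perm$q\][[:space:]]*=[[:space:]]*false"
        if ! printf '%s\n' "$active" | grep -Eq "$re"; then
            echo "FAIL: anonymous group '*' is not denied '$perm'"
            problems=$((problems + 1))
        fi
    done
    re='\$wgAuth[[:space:]]*=[[:space:]]*new[[:space:]]+PwAuthPlugin'
    if ! printf '%s\n' "$active" | grep -Eq "$re"; then
        echo "FAIL: \$wgAuth is not a PwAuthPlugin instance"
        problems=$((problems + 1))
    fi
    # Typographic quotes or an empty group name mean a mangled paste: PHP
    # will not apply such a line to the '*' (anonymous) group.
    if printf '%s\n' "$active" | grep -Fq -e '‘' -e '’' -e "wgGroupPermissions['']"; then
        echo "FAIL: curly quotes or empty group name in settings"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ] && echo "OK: anonymous users read-only, PwAuthPlugin set"
    return "$problems"
}
sample_mangled() {   # constructed: a paste that lost the '*' and ASCII quotes
cat <<'EOF'
require_once("./extensions/PwAuthPlugin.php"); $wgAuth = new PwAuthPlugin();
$wgGroupPermissions[’’][‘edit’] = false;
$wgGroupPermissions['*']['createtalk'] = false;
EOF
}
sample_correct() {   # constructed: the settings as intended
cat <<'EOF'
$wgAuth = new PwAuthPlugin();
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createpage'] = false;
$wgGroupPermissions['*']['createtalk'] = false;
EOF
}
sample_mangled | check_wiki_lockdown || echo "-> fix LocalSettings.php first"
```

Against a real install, run `check_wiki_lockdown < LocalSettings.php` from the wiki root; the return code is the number of failed checks.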

Step 4: Send me Beer

Now that you’re happily up and running with AD auths in MediaWiki send me a beer via Paypal:
