MediaWiki

Presentation

MediaWiki is a wiki software, used by the well known Wikipedia.

Several extensions allows one to configure SSO on MediaWiki:

We will explain how to use Automatic REMOTE_USER extension.

Installation

The extension is presented here: http://www.mediawiki.org/wiki/Extension:AutomaticREMOTE_USER

You can download the code here: https://www.mediawiki.org/wiki/Special:ExtensionDistributor/Auth_remoteuser

You have to install Auth_remoteuser in the extensions/ directory of your MediaWiki installation:

cp -a Auth_remoteuser/ extensions/

Configuration

MediWiki local configuration

Then edit MediaWiki local settings

vi LocalSettings.php
require_once "$IP/extensions/Auth_remoteuser/Auth_remoteuser.php";
$wgAuth = new Auth_remoteuser();

Add then extension configuration, for example:

$wgAuthRemoteuserAuthz = true; /* Your own authorization test */
$wgAuthRemoteuserName = $_SERVER["HTTP_AUTH_CN"]; /* User's name */
$wgAuthRemoteuserMail = $_SERVER["HTTP_AUTH_MAIL"]; /* User's Mail */
$wgAuthRemoteuserNotify = false; /* Do not send mail notifications */
//$wgAuthRemoteuserDomain = "NETBIOSDOMAIN"; /* Remove NETBIOSDOMAIN\ from the beginning or @NETBIOSDOMAIN at the end of a IWA username */
/* User's mail domain to append to the user name to make their email address */
//$wgAuthRemoteuserMailDomain = "example.com";
 
// see http://www.mediawiki.org/wiki/Manual:Hooks/SpecialPage_initList
// and http://www.mediawiki.org/w/Manual:Special_pages
// and http://lists.wikimedia.org/pipermail/mediawiki-l/2009-June/031231.html
// disable login and logout functions for all users
function LessSpecialPages(&$list) {
    unset( $list['Userlogout'] );
    unset( $list['Userlogin'] );
    return true;
}
$wgHooks['SpecialPage_initList'][]='LessSpecialPages';
 
// http://www.mediawiki.org/wiki/Extension:Windows_NTLM_LDAP_Auto_Auth
// remove login and logout buttons for all users
function StripLogin(&$personal_urls, &$wgTitle) {
    unset( $personal_urls["login"] );
    unset( $personal_urls["logout"] );
    unset( $personal_urls['anonlogin'] );
    return true;
}
$wgHooks['PersonalUrls'][] = 'StripLogin';
In last version of Auth_remoteuser and Mediawiki, empty passwords are not authorized, so you may need to patch the extension code if you get the error: “Unexpected REMOTE_USER authentication failure. Login Error was:EmptyPass”.

If necessary, use the code below to patch the extension:

sed -i "s/'wpPassword' => ''/'wpPassword' => 'none'/" extensions/Auth_remoteuser/Auth_remoteuser.body.php
In last version of Auth_remoteuser and Mediawiki, auto-provisioning requires REMOTE_USER to match the normalized mediawiki username (for example: john_doe → john doe), so you may need to patch the extension code if you get the error: “Unexpected REMOTE_USER authentication failure. Login Error was:WrongPluginPass”

You can use the code below for normalizing logins containing “_” in the extension:

sed -i '/$usertest = $this->getRemoteUsername();/a\                $usertest = str_replace( "_"," ", $usertest );' extensions/Auth_remoteuser/Auth_remoteuser.body.php

MediaWiki virtual host

Configure MediaWiki virtual host like other protected virtual host.

If you are protecting MediaWiki with LL::NG as reverse proxy, convert header into REMOTE_USER environment variable.
  • For Apache:
<VirtualHost *:80>
       ServerName mediawiki.example.com
 
       PerlHeaderParserHandler Lemonldap::NG::Handler
 
       ...
 
</VirtualHost>
  • For Nginx:
server {
  listen 80;
  server_name mediawiki.example.com;
  root /path/to/application;
  # Internal authentication request
  location = /lmauth {
    internal;
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
    # Drop post datas
    fastcgi_pass_request_body  off;
    fastcgi_param CONTENT_LENGTH "";
    # Keep original hostname
    fastcgi_param HOST $http_host;
    # Keep original request (LLNG server will received /llauth)
    fastcgi_param X_ORIGINAL_URI  $request_uri;
  } 
 
  # Client requests
  location / {
    auth_request /lmauth;
    auth_request_set $lmremote_user $upstream_http_lm_remote_user;
    auth_request_set $lmlocation $upstream_http_location;
    error_page 401 $lmlocation;
    try_files $uri $uri/ =404;
 
    ...
 
    include /etc/lemonldap-ng/nginx-lua-headers.conf;
  }
  location / {
    try_files $uri $uri/ =404;
  }
}

MediaWiki virtual host in Manager

Go to the Manager and create a new virtual host for MediaWiki.

Just configure the access rules. You can also add a rule for logout:

Userlogout => logout_sso

You can create these two headers to fill user name and mail (see extension configuration):

Auth-Cn => $cn
Auth-Mail => $mail

If using LL::NG as reverse proxy, configure also the Auth-User header,