MediaWiki

Presentation

MediaWiki is the wiki software used by the well-known Wikipedia.

Several extensions allow SSO to be configured in MediaWiki:

We will explain how to use the Automatic REMOTE_USER extension.

Installation

The extension is presented here: http://www.mediawiki.org/wiki/Extension:AutomaticREMOTE_USER

You can download the code here: https://www.mediawiki.org/wiki/Special:ExtensionDistributor/Auth_remoteuser

You have to install Auth_remoteuser in the extensions/ directory of your MediaWiki installation:

cp -a Auth_remoteuser/ extensions/

Configuration

MediaWiki local configuration

Then edit the MediaWiki local settings:

vi LocalSettings.php
require_once "$IP/extensions/Auth_remoteuser/Auth_remoteuser.php";
$wgAuth = new Auth_remoteuser();

Then add the extension configuration, for example:

$wgAuthRemoteuserAuthz = true; /* Your own authorization test */
$wgAuthRemoteuserName = $_SERVER["HTTP_AUTH_CN"]; /* User's name */
$wgAuthRemoteuserMail = $_SERVER["HTTP_AUTH_MAIL"]; /* User's Mail */
$wgAuthRemoteuserNotify = false; /* Do not send mail notifications */
//$wgAuthRemoteuserDomain = "NETBIOSDOMAIN"; /* Remove NETBIOSDOMAIN\ from the beginning or @NETBIOSDOMAIN at the end of an IWA username */
/* User's mail domain to append to the user name to make their email address */
//$wgAuthRemoteuserMailDomain = "example.com";
 
// see http://www.mediawiki.org/wiki/Manual:Hooks/SpecialPage_initList
// and http://www.mediawiki.org/w/Manual:Special_pages
// and http://lists.wikimedia.org/pipermail/mediawiki-l/2009-June/031231.html
// disable login and logout functions for all users
function LessSpecialPages(&$list) {
    unset( $list['Userlogout'] );
    unset( $list['Userlogin'] );
    return true;
}
$wgHooks['SpecialPage_initList'][]='LessSpecialPages';
 
// http://www.mediawiki.org/wiki/Extension:Windows_NTLM_LDAP_Auto_Auth
// remove login and logout buttons for all users
function StripLogin(&$personal_urls, &$wgTitle) {
    unset( $personal_urls["login"] );
    unset( $personal_urls["logout"] );
    unset( $personal_urls['anonlogin'] );
    return true;
}
$wgHooks['PersonalUrls'][] = 'StripLogin';
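
The authorization test hinted at by the comment on $wgAuthRemoteuserAuthz, as an added example that is not part of the original page or of the extension: it fills the three settings from the Auth-Cn and Auth-Mail headers and refuses authorization when no usable name is received. The helper name llngIdentity() and the sample values are assumptions made for the illustration.

```php
<?php
// Added example, not from the Auth_remoteuser extension.
// llngIdentity() is a hypothetical helper; the sample values are constructed.

/**
 * Build the Auth_remoteuser settings from the request headers.
 * Authorization is refused unless a usable name was received.
 */
function llngIdentity( array $server ) {
    $name = isset( $server['HTTP_AUTH_CN'] ) ? trim( $server['HTTP_AUTH_CN'] ) : '';
    $mail = isset( $server['HTTP_AUTH_MAIL'] ) ? trim( $server['HTTP_AUTH_MAIL'] ) : '';

    // Reject an empty name or one carrying control characters (CR, LF, NUL).
    $nameOk = $name !== '' && !preg_match( '/[\x00-\x1f\x7f]/', $name );
    // Keep the mail only if it is a single syntactically valid address.
    $mailOk = filter_var( $mail, FILTER_VALIDATE_EMAIL ) !== false;

    return array(
        'authz' => $nameOk,
        'name'  => $nameOk ? $name : '',
        'mail'  => $mailOk ? $mail : '',
    );
}

// In LocalSettings.php these replace the direct $_SERVER reads, whose keys
// are undefined for CLI maintenance scripts and for requests without headers.
$id = llngIdentity( $_SERVER );
$wgAuthRemoteuserAuthz = $id['authz'];
$wgAuthRemoteuserName  = $id['name'];
$wgAuthRemoteuserMail  = $id['mail'];

// Stand-alone demonstration (php this-file.php); skipped inside MediaWiki.
if ( PHP_SAPI === 'cli' && !defined( 'MEDIAWIKI' ) ) {
    $samples = array(
        'valid'   => array( 'HTTP_AUTH_CN' => 'John Doe',
                            'HTTP_AUTH_MAIL' => 'john.doe@example.com' ),
        'missing' => array(),
        'crlf'    => array( 'HTTP_AUTH_CN' => "John\r\nDoe",
                            'HTTP_AUTH_MAIL' => 'not-an-address' ),
    );
    foreach ( $samples as $label => $server ) {
        echo $label, ': ', json_encode( llngIdentity( $server ) ), "\n";
    }
}
```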

In the latest version of Auth_remoteuser and MediaWiki, empty passwords are not allowed, so you may need to patch the extension code if you get the error: “Unexpected REMOTE_USER authentication failure. Login Error was:EmptyPass”.

If necessary, use the code below to patch the extension:

sed -i "s/'wpPassword' => ''/'wpPassword' => 'none'/" extensions/Auth_remoteuser/Auth_remoteuser.body.php

In the latest version of Auth_remoteuser and MediaWiki, auto-provisioning requires REMOTE_USER to match the normalized MediaWiki username (for example: john_doe → john doe), so you may need to patch the extension code if you get the error: “Unexpected REMOTE_USER authentication failure. Login Error was:WrongPluginPass”.

You can use the code below for normalizing logins containing “_” in the extension:

sed -i '/$usertest = $this->getRemoteUsername();/a\                $usertest = str_replace( "_"," ", $usertest );' extensions/Auth_remoteuser/Auth_remoteuser.body.php

MediaWiki virtual host in the Manager

Configure the MediaWiki virtual host like any other protected virtual host.

<VirtualHost *:80>
       ServerName mediawiki.example.com
 
       PerlHeaderParserHandler Lemonldap::NG::Handler
 
       ...
 
</VirtualHost>

If MediaWiki is protected by an LL::NG reverse proxy, convert the header into the REMOTE_USER environment variable.

MediaWiki virtual host in the Manager

Go to the Manager and create a new virtual host for MediaWiki.

Simply configure the access rule. You can also add a rule for logout:

Userlogout => logout_sso

You can create these two headers to fill in the user's name and mail (see extension configuration):

Auth-Cn => $cn
Auth-Mail => $mail

If using LL::NG as reverse proxy, configure also the Auth-User header,