King's picture

I recently installed Turnkey MediaWiki and have been happy with what I have.

Now I want to restrict access to the MediaWiki site using my company's LDAP server. I cannot find any documentation on how to accomplish this. I am not fluent with Linux but can follow directions.

I assume I am looking for an Apache feature that blocks access for all or certain URLs but am not even sure if that is the way to do it.

This server is only running MediaWiki on a Virtual Machine so I don't care if anything else might also be login restricted.

By the way, how do I find out what version of Ubuntu I installed with this Turnkey MediaWiki?

Jeremy Davis's picture

But it should be possible. OTTOMH I would assume that you would be looking for a MediaWiki LDAP module to install and then set up MediaWiki to only allow viewing by logged in users (don't recall how this is done, but IIRC then it is possible).

OTOH if you have it installed locally and don't have any ports forwarded to the outside world then it should only be viewable by LAN users by default anyway.

Assuming you installed TKL v11.x then it is based on Ubuntu 10.04/Lucid

King's picture

OK. What I was hoping for is someone that has done it giving me a step by step.  I am not sure whether this would be a MediaWiki function or an Apache one.  I suppose either could be used.

I need to have more protection than behind the firewall and I want to use the common credentials that LDAP will offer me.  

Anyone else have any experience with LDAP with Apache or MediaWiki?

King

Dave's picture

Like you say, there are two places you can configure LDAP. The key difference is whether you want unauthenticated users to be able to read the content, or if you want all accesses to be authenticated. If you only want edits to be authenticated, then configure the LDAP plugin in MediaWiki. I did this first, there was a lot of documentation on it.

 I need all access to be authenticated. Here is how I did it:

1. Enable authnz_ldap and ldap:  

a2enmod authnz_ldap

a2enmod ldap

2. Then I configured the authnz_ldap plugin by creating a file  /etc/apache2/conf.d/LDAP.conf

<Location />
   AuthName "MediaWiki"

   AuthType Basic
   AuthBasicProvider ldap
   AuthLDAPUrl ldap://ldap.example.com/dc=example,dc=com?uid,mail,cn

   Require ldap-user larry curly moe
</Location>


Things to note in this file:

  • AuthName is the title of the HTTP-Basic Auth Popup.
  • ldap.example.com is the hostname of your server. We use a load balancer, but you can specify multiples here by separating them with spaces.
  • dc=example,dc=com is the baseDN of your search
  • uid,mail,cn are the attributes to search on (first one, uid) and to return. This way email and Common Name are pulled from LDAP.
  • The Require line tells the plugin to only authorize larry, curly and moe as users, denying all other users.

Now when you log in, there will be headers sent for REMOTE_USER, AUTHENTICATE_CN, and AUTHENTICATE_MAIL; we just have to get MediaWiki to use and trust those values.

3. Install the auth_remoteuser plugin for MediaWiki.

4. Configure the plugin by editing /etc/mediawiki/extensions.php and adding the following lines:

require_once("$IP/extensions/Auth_remoteuser/Auth_remoteuser.php");
$wgAuth = new Auth_remoteuser();

$wgAuthRemoteuserAuthz = true; /* Your own authorization test */
$wgAuthRemoteuserName = $_SERVER["AUTHENTICATE_CN"]; /* User's name */
$wgAuthRemoteuserMail = $_SERVER["AUTHENTICATE_MAIL"]; /* User's Mail */
$wgAuthRemoteuserNotify = false; /* Do not send mail notifications */
// Don't let anonymous people do things...
$wgGroupPermissions['*']['createaccount']   = false;
$wgGroupPermissions['*']['read']            = false;
$wgGroupPermissions['*']['edit']            = false;


That should be all you need to do. That configuration should work as is.

Hope that helps,

Dave


King's picture

Thanks, Dave.  I did configure Apache to use LDAP but it cannot connect to the server successfully.  I have put in a request for help from our LDAP gurus.

I am still a bit confused between what is a literal value to be left as is and what is a variable value that I must fill in. For example with AuthName "MediaWiki". Is that to be left as is or filled in with my server name or ... .

The next problem I have encountered is that I cannot find any auth_remoteuser plugin for MediaWiki.  ??

Am I reading this too literally?

 

Thanks for any further help,

King


Dave's picture

You may need to authenticate to LDAP before you can do a search (especially Active Directory). If so, look up AuthLDAPBindDN and AuthLDAPBindPassword in the documentation below.

This is the documentation for the AuthNZ_LDAP module in Apache.

     http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html

All of the variables are on the left and values on the right, like so:

      AuthName "King's Awesome Wiki"

or

      AuthName "EvilCo Wiki"

 

Here is the URL to the AutomaticREMOTE_USER plugin:

     http://www.mediawiki.org/wiki/Extension:AutomaticREMOTE_USER

 

Dave
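An added example, not part of Dave's posts: his LDAP.conf from step 2 extended with the bind settings he mentions above, plus encrypted transport on both legs (browser to Apache, Apache to the directory). The CA file path, the bind DN and the password are placeholders, and SSLRequireSSL assumes mod_ssl is enabled and the wiki is served over HTTPS.

```apache
# /etc/apache2/conf.d/LDAP.conf
# Added example; host name, DNs, CA path and password are placeholders.

# Server-level directive (must sit outside <Location>): the CA that signed
# the LDAP server's certificate, so mod_ldap can verify the ldaps:// peer.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/example-ldap-ca.pem

<Location />
   AuthName "MediaWiki"
   AuthType Basic
   AuthBasicProvider ldap

   # ldaps:// instead of ldap://, so neither the service account's password
   # nor each user's password crosses the network to the directory in clear text.
   AuthLDAPUrl ldaps://ldap.example.com/dc=example,dc=com?uid,mail,cn

   # Service account used for the search step when the directory refuses
   # anonymous searches (the Active Directory case mentioned above).
   # Give this account read-only access to the attributes listed in the URL.
   AuthLDAPBindDN "cn=wiki-bind,ou=services,dc=example,dc=com"
   AuthLDAPBindPassword "REPLACE_WITH_BIND_PASSWORD"

   # HTTP Basic sends the user's password, base64-encoded only, with every
   # request. Refuse any request that did not arrive over HTTPS.
   SSLRequireSSL

   Require ldap-user larry curly moe
</Location>
```

The file now contains a password, so make it readable by root only; Apache reads its configuration as root at startup.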


King's picture

Dave: I got it all working now.  When I try to access the website, Apache asks for a signin and when successful it brings up the MediaWiki home page having passed my login to MediaWiki.  Very slick.

Thank you for the step by step guidance that I needed. I did have to Bind to LDAP and my basic trouble was not having the correct URL for our LDAP service. Once I got those things established it worked as advertised.

I only included the first two lines of the additions to the extensions.php file.  I will try those other features later. The defaults seem to be OK for me for now.

Thanks again,

King
