King - Sat, 2011/09/24 - 00:26
I recently installed Turnkey MediaWiki and have been happy with what I have.
Now I want to restrict access to the MediaWiki site using my company's LDAP server. I cannot find any documentation on how to accomplish this. I am not fluent with Linux but can follow directions.
I assume I am looking for an Apache feature that blocks access for all or certain URLs but am not even sure if that is the way to do it.
This server is only running MediaWiki on a Virtual Machine so I don't care if anything else might also be login restricted.
By the way, how do I find out what version of Ubuntu I installed with this Turnkey MediaWiki?
Not sure about LDAP
But it should be possible. OTTOMH I would assume that you would be looking for a MediaWiki LDAP module to install and then set up MediaWiki to only allow viewing by logged in users (don't recall how this is done, but IIRC then it is possible).
OTOH if you have it installed locally and don't have any ports forwarded to the outside world then it should only be viewable by LAN users by default anyway.
Assuming you installed TKL v11.x then it is based on Ubuntu 10.04/Lucid
Re: Not sure about LDAP
OK. What I was hoping for is someone that has done it giving me a step by step. I am not sure whether this would be a MediaWiki function or an Apache one. I suppose either could be used.
I need to have more protection than behind the firewall and I want to use the common credentials that LDAP will offer me.
Anyone else have any experience with LDAP with Apache or MediaWiki?
King
LDAP Authenticate all Requests
Like you say, there are two places you can configure LDAP. The key difference is whether you want unauthenticated users to be able to read the content, or if you want all accesses to be authenticated. If you only want edits to be authenticated, then configure the LDAP plugin in MediaWiki. I did this first; there was a lot of documentation on it.
I need all access to be authenticated. Here is how I did it:
1. Enable authnz_ldap and ldap:
2. Then I configured the authnz_ldap plugin by creating a file /etc/apache2/conf.d/LDAP.conf
Things to note in this file:
Now when you log in, there will be headers sent for REMOTE_USER, AUTHENTICATE_CN, and AUTHENTICATE_MAIL; we just have to get MediaWiki to use and trust those values.
3. Install the auth_remoteuser plugin for MediaWiki.
4. Configure the plugin by editing /etc/mediawiki/extensions.php and adding the following lines:
That should be all you need to do. That configuration should work as is.
Hope that helps,
Dave
Re: LDAP Authenticate all Requests
Thanks, Dave. I did configure Apache to use LDAP but it cannot connect to the server successfully. I have put in a request for help from our LDAP gurus.
I am still a bit confused between what is a literal value to be left as is and what is a variable value that I must fill in. For example with AuthName "MediaWiki". Is that to be left as is or filled in with my server name or ... .
The next problem I have encountered is that I cannot find any auth_remoteuser plugin for MediaWiki. ??
Am I reading this too literally?
Thanks for any further help,
King
You may need to authenticate
You may need to authenticate to LDAP before you can do a search (especially Active Directory). If so, look up AuthLDAPBindDN and AuthLDAPBindPassword in the documentation below.
This is the documentation for the AuthNZ_LDAP module in Apache.
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html
All of the variables are on the left and values on the right, like so:
AuthName "King's Awesome Wiki"
or
AuthName "EvilCo Wiki"
Here is the URL to the AutomaticREMOTE_USER plugin:
http://www.mediawiki.org/wiki/Extension:AutomaticREMOTE_USER
Dave
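An Apache 2.2 configuration of the kind described in steps 1 and 2 of the earlier post, with the bind directives mentioned in this reply. This is an added example, not the file Dave posted; the host name, DNs, CA path and password are constructed placeholders, and it assumes mod_ssl is enabled and the directory offers LDAPS.

```apache
# Added example for /etc/apache2/conf.d/LDAP.conf (Apache 2.2, as on Ubuntu 10.04).
# Enable the modules first:  a2enmod authnz_ldap ldap
# All host names, DNs, paths and the password below are constructed placeholders.
# This file holds a bind password: keep it readable by root only.

# Verify the directory server's certificate for ldaps:// connections.
# These two directives are only valid at server-config level, not inside <Location>.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/example-ldap-ca.pem
LDAPVerifyServerCert On

<Location />
    # Basic auth sends the password (base64, not encrypted) on every request,
    # so refuse plain HTTP for the protected area. Requires mod_ssl.
    SSLRequireSSL

    AuthType Basic
    # Free text shown in the browser's login prompt; any label works.
    AuthName "EvilCo Wiki"
    AuthBasicProvider ldap
    # Do not fall through to other authorization modules if LDAP says no.
    AuthzLDAPAuthoritative on

    # Format: scheme://host:port/basedn?attributes?scope?filter
    # The first attribute (uid) is matched against the login name; cn and mail
    # are exported as AUTHENTICATE_CN and AUTHENTICATE_MAIL.
    # ldaps:// keeps user and bind credentials encrypted between Apache and LDAP.
    AuthLDAPURL "ldaps://ldap.example.com:636/ou=People,dc=example,dc=com?uid,cn,mail?sub?(objectClass=person)"

    # Needed when the directory refuses anonymous searches (e.g. Active Directory).
    # Use a dedicated account that can only search, not an administrator.
    AuthLDAPBindDN "cn=wiki-bind,ou=Service Accounts,dc=example,dc=com"
    AuthLDAPBindPassword "REPLACE_WITH_BIND_PASSWORD"

    # Any user who authenticates successfully against the directory may enter.
    Require valid-user
</Location>
```

Because the MediaWiki side trusts whatever REMOTE_USER Apache sets, the `<Location />` block has to cover every URL that reaches the wiki; a virtual host or alias that serves it without this block bypasses the login.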
Re: You may need to authenticate
Dave: I got it all working now. When I try to access the website, Apache asks for a signin and when successful it brings up the MediaWiki home page having passed my login to MediaWiki. Very slick.
Thank you for the step by step guidance that I needed. I did have to Bind to LDAP and my basic trouble was not having the correct URL for our LDAP service. Once I got those things established it worked as advertised.
I only included the first two lines of the additions to the extensions.php file. I will try those other features later. The defaults seem to be OK for me for now.
Thanks again,
King