Is it possible to use MediaWiki with Kerberos?
Yes, the LDAP plugin has support for this:
http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Kerberos_Configuration_Examples
However, if you don't want to use LDAP, you can still stick with the HTTP_AUTH plugin; it may just need to be slightly modified.
I am currently using the MediaWiki HTTP_AUTH plugin and authenticating via Apache (which uses mod_auth_kerb as its backend). This works fine passing a password, which is checked against the Kerberos server because Apache authenticates and PHP provides the userID via $_SERVER[PHP_AUTH_USER]. This is then used by HTTP_AUTH.
The problem arises if you do a kinit and use your Kerberos ticket to authenticate with Apache. For some reason, although authentication is successful, PHP does not put the userID into $_SERVER[PHP_AUTH_USER]. Therefore HTTP_AUTH does not get the userID and log you in.
As far as I can tell, it puts the user into $_SERVER["REMOTE_USER"]. Notice that the username will be in the form "<username>@<DOMAIN>.<TLD>". MediaWiki can't handle this format. I handle this in the LDAP plugin by turning this into a configuration option that is populated in LocalSettings.php:
$wgLDAPAutoAuthUsername = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"] );
I use $wgLDAPAutoAuthUsername everywhere else.
So, I guess the questions are:
- Why doesn't $_SERVER[PHP_AUTH_USER] get populated (I understand it's something to do with different HTTP headers being used between password auth (which is just BASIC auth) and ticket negotiation)?
- Is there a way that PHP can detect if Apache has carried out a successful Kerberos authentication?
If you are requiring Kerberos authentication, you can be assured that the authentication was successful if the user got to the protected resource.
- Is there another/better way to make MediaWiki play with Kerberos? I understand there's a not terribly free as in Freedom PHP extension that allows PHP to play with Kerberos, but I'd like to steer clear of it.
See the LDAP plugin; just remember that you'll also have to configure LDAP (which can be a PITA depending on your environment).
V/r,
Ryan Lane
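As an added example (not code from the thread or from the LDAP extension), the REMOTE_USER handling described above, written to check the realm before discarding it: a blind preg_replace('/@.*/', '', ...) maps "alice@OTHER.REALM" and "alice@EXAMPLE.COM" to the same local account. It assumes mod_auth_kerb sets $_SERVER['REMOTE_USER'] to "user@REALM" and $_SERVER['AUTH_TYPE'] to "Negotiate" for ticket-based logins; EXAMPLE.COM is a placeholder realm.

```php
<?php
// Added example: derive a local username from the Kerberos principal that
// mod_auth_kerb places in REMOTE_USER, only when the realm is one we trust.
// Assumptions: REMOTE_USER is "user@REALM" and AUTH_TYPE is "Negotiate"
// for ticket-based (SPNEGO) logins.

/**
 * Returns the bare username, or null if the request was not authenticated
 * by Kerberos against one of $trustedRealms.
 */
function kerberosLocalUsername(array $server, array $trustedRealms): ?string
{
    $principal = $server['REMOTE_USER'] ?? '';
    $authType  = $server['AUTH_TYPE'] ?? '';

    // Only trust the principal when Apache reports a Negotiate login.
    if (strcasecmp($authType, 'Negotiate') !== 0 || $principal === '') {
        return null;
    }

    // A principal has exactly one '@' separating user part and realm.
    $parts = explode('@', $principal);
    if (count($parts) !== 2) {
        return null;
    }
    [$user, $realm] = $parts;

    // Realm names are case-sensitive in Kerberos; compare strictly.
    if (!in_array($realm, $trustedRealms, true)) {
        return null;
    }

    // Conservative character set for the local account name (assumption:
    // user parts at this site are plain ASCII); anything else is rejected.
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $user)) {
        return null;
    }
    return $user;
}

// Usage in LocalSettings.php, in place of the bare preg_replace line.
// The variable is left unset when the check fails, so no guessed name
// is passed on to the extension.
$name = kerberosLocalUsername($_SERVER, ['EXAMPLE.COM']);
if ($name !== null) {
    $wgLDAPAutoAuthUsername = $name;
}
```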