Thanks Jamie. From quickly looking at it I *think* AuthPlugin is designed to operate through the normal logon process. I'm bypassing that and transparently authenticating against NTLM (for Intranet users - Internet users will be prompted for a domain username and password).
If anyone's planning on using the code below I just found out that it breaks the preferences screen. The way to fix that is to set cookies by adding:

    //set cookies with this info to make life easier for us in the future
    global $wgCookieExpiration, $wgCookiePath, $wgCookieDomain, $wgDBname;
    $exp = time() + $wgCookieExpiration;
    setcookie( $wgDBname.'UserID', $row['user_id'], $exp, $wgCookiePath, $wgCookieDomain );
    setcookie( $wgDBname.'UserName', $row['user_name'], $exp, $wgCookiePath, $wgCookieDomain );
    setcookie( $wgDBname.'Token', $row['user_token'], $exp, $wgCookiePath, $wgCookieDomain );

immediately underneath:

    //set the variables we need to transparently authenticate
    $sId = $row['user_id'];
    $_SESSION['wsUserID'] = $row['user_id'];
    $_SESSION['wsUserName'] = $row['user_name'];
    $_SESSION['wsToken'] = $row['user_token'];
Cheers,
al.

-----Original Message-----
From: Jamie Bliss [mailto:astronouth7303@gmail.com]
Sent: Wednesday, 30 March 2005 12:01 p.m.
To: MediaWiki announcements and site admin list
Subject: Re: [Mediawiki-l] NTLM authentication for MediaWiki
Check AuthPlugin.php, as that may let you do it.
On Wed, 30 Mar 2005 11:57:43 +1200, Alistair Johnson JohnsonA@rembrandt.co.nz wrote:
Based on a post from David Cameron (19 Feb 2005) I've hacked up the following modification to loadFromSession (in User.php) which allows authentication against our NTLM database (based on the variable AUTH_USER passed from IIS).
I'm trying to avoid hacking the code for 1.4 so if you know a way to achieve this without modifying User.php (or another core file) then feedback would be most appreciated.
Cheers,
al.
/**
 * Read data from session
 * @static
 */
function loadFromSession() {
    global $wgMemc, $wgDBname;
    if ( isset( $_SESSION['wsUserID'] ) ) {
        if ( 0 != $_SESSION['wsUserID'] ) {
            $sId = $_SESSION['wsUserID'];
        } else {
            return new User();
        }
    } else if ( isset( $_COOKIE["{$wgDBname}UserID"] ) ) {
        $sId = IntVal( $_COOKIE["{$wgDBname}UserID"] );
        $_SESSION['wsUserID'] = $sId;
    } else if ( isset($_SERVER["AUTH_USER"])) {
        //Rembrandt modification to allow logon via authentication information
        //passed from IIS
        global $wgUser;
        global $wgDeferredUpdateList;

        //get the username
        $temp = explode('DOMAINNAME', $_SERVER["AUTH_USER"]); //remove the domain name from AUTH_USER
        $name = $temp[1];

        //pull in the usernames and passwords we'll need for the database lookup
        global $wgDBprefix;
        global $wgDBuser;
        global $wgDBpassword;
        global $wgDBserver;
        global $wgDBname;

        //we'll use PHP's MYSQL module to access the mediawiki database as it's Q&D
        mysql_connect($wgDBserver,$wgDBuser,$wgDBpassword);
        @mysql_select_db($wgDBname) or die( "Unable to select user database for NTLM authentication");
        //escape the name before it is placed inside the quoted SQL string
        $query="SELECT * FROM " . $wgDBprefix . "user WHERE LOWER(user_name) = '" . mysql_real_escape_string(strtolower($name)) . "'";
        $result = mysql_query($query);
        $row = mysql_fetch_array($result, MYSQL_ASSOC);
        mysql_close();

        //no wiki account matches the IIS user: stay anonymous
        if ( !$row ) {
            return new User();
        }

        //set the variables we need to transparently authenticate
        $sId = $row['user_id'];
        $_SESSION['wsUserID'] = $row['user_id'];
        $_SESSION['wsUserName'] = $row['user_name'];
        $_SESSION['wsToken'] = $row['user_token'];
    } else {
        return new User();
    }
    if ( isset( $_SESSION['wsUserName'] ) ) {
        $sName = $_SESSION['wsUserName'];
    } else if ( isset( $_COOKIE["{$wgDBname}UserName"] ) ) {
        $sName = $_COOKIE["{$wgDBname}UserName"];
        $_SESSION['wsUserName'] = $sName;
    } else {
        return new User();
    }

    $passwordCorrect = FALSE;
    $user = $wgMemc->get( $key = "$wgDBname:user:id:$sId" );
    if($makenew = !$user) {
        wfDebug( "User::loadFromSession() unable to load from memcached\n" );
        $user = new User();
        $user->mId = $sId;
        $user->loadFromDatabase();
    } else {
        wfDebug( "User::loadFromSession() got from cache!\n" );
    }

    if ( isset( $_SESSION['wsToken'] ) ) {
        $passwordCorrect = $_SESSION['wsToken'] == $user->mToken;
    } else if ( isset( $_COOKIE["{$wgDBname}Token"] ) ) {
        $passwordCorrect = $user->mToken == $_COOKIE["{$wgDBname}Token"];
    } else {
        return new User(); # Can't log in from session
    }

    if ( ( strtolower($sName) == strtolower($user->mName) ) && $passwordCorrect ) {
        //modified to allow for case differences between mediawiki and NTLM usernames
        if($makenew) {
            if($wgMemc->set( $key, $user )) {
                wfDebug( "User::loadFromSession() successfully saved user\n" );
            } else {
                wfDebug( "User::loadFromSession() unable to save to memcached\n" );
            }
        }
        $user->spreadBlock();
        return $user;
    }
    return new User(); # Can't log in from session
}
MediaWiki-l mailing list MediaWiki-l@Wikimedia.org http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
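The AUTH_USER lookup from the message above, as an added example that is not part of the thread or of MediaWiki: it accepts only a well-formed DOMAIN\user value from the one expected domain and looks the account up with a bound parameter. EXPECTED_DOMAIN, parseAuthUser(), findWikiUser(), the mw_ prefix and the in-memory SQLite table are assumptions made for illustration; all sample rows and AUTH_USER values are constructed.

```php
<?php
// Added example, not code from the thread. The domain name, table prefix and
// sample data below are constructed for illustration.
const EXPECTED_DOMAIN = 'EXAMPLE';

/** Split "DOMAIN\user" as passed by IIS; return the account name or null. */
function parseAuthUser(string $authUser): ?string {
    // Exactly one backslash, a conservative character set on each side,
    // and \z so a trailing newline cannot slip through.
    if (!preg_match('/^([A-Za-z0-9.-]{1,15})\\\\([A-Za-z0-9._\' -]{1,64})\z/', $authUser, $m)) {
        return null;
    }
    // Accept only the domain this wiki is meant to trust.
    if (strcasecmp($m[1], EXPECTED_DOMAIN) !== 0) {
        return null;
    }
    return $m[2];
}

/** Look the account up with a bound parameter; null when no row matches. */
function findWikiUser(PDO $db, string $prefix, string $name): ?array {
    // $prefix comes from site configuration, never from the request.
    $stmt = $db->prepare(
        "SELECT user_id, user_name, user_token FROM {$prefix}user WHERE LOWER(user_name) = LOWER(?)"
    );
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed data: in-memory SQLite standing in for the MediaWiki database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE mw_user (user_id INTEGER, user_name TEXT, user_token TEXT)");
$db->exec("INSERT INTO mw_user VALUES (7, 'Alice', 'constructed-token-1')");
$db->exec("INSERT INTO mw_user VALUES (8, 'O''Brien', 'constructed-token-2')");

// Constructed AUTH_USER values: known user, wrong domain, a name containing
// a quote, a domain user with no wiki account, and a value with no domain.
$samples = ['EXAMPLE\\alice', 'OTHER\\alice', 'EXAMPLE\\o\'brien', 'EXAMPLE\\bob', 'alice'];
foreach ($samples as $authUser) {
    $name = parseAuthUser($authUser);
    $row  = $name === null ? null : findWikiUser($db, 'mw_', $name);
    // Only a non-null row may populate wsUserID / wsUserName / wsToken.
    printf("%-18s => %s\n", $authUser, $row ? "user_id {$row['user_id']}" : 'anonymous');
}
```

Only the first and third samples resolve to an account; the other three fall back to an anonymous user before any session variable is set.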
I think that the Auth plugin system still uses the user table because of MediaWiki options, user references, etc. But you can set it up so that a user is automagically added to the users table if they authenticate. Try it, it's worth a shot.
On Wed, 30 Mar 2005 14:28:43 +1200, Alistair Johnson JohnsonA@rembrandt.co.nz wrote:
Thanks Jamie. From quickly looking at it I *think* AuthPlugin is designed to operate through the normal logon process. I'm bypassing that and transparently authenticating against NTLM (for Intranet users - Internet users will be prompted for a domain username and password).
--
http://endeavour.zapto.org/astro73/
Thank you to JosephM for inviting me to Gmail! Has lots of invites.