Hi Mediawiki folks,
I am trying to set up authentication for our existing wiki against an external database. I currently do this successfully for my subversion database using Apache's mod_auth_pam module. For our wiki, I would like to use a similar approach. I tried to use http://www.mediawiki.org/wiki/Extension:HttpAuth. Does this make sense?
I am using MediaWiki 1.14.0 PHP 5.2.6-1+lenny3 (apache2handler) MySQL 5.0.51a-24+lenny1
I downloaded the HttpAuth module, added the following lines to LocalSettings.php:
    session_start();
    if ((!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['REMOTE_USER'])) || $_COOKIE['fpwiki_en_UserID']) {
        require_once("$IP/extensions/HttpAuthPlugin.php");
        $wgAuth = new HttpAuthPlugin();
        $wgHooks['UserLoadFromSession'][] = array($wgAuth,'autoAuthenticate');
    }
I then added the following lines to http.conf:
    <Location /w/Special:UserLogin>
        AuthType "basic"
        AuthName "wiki"
        AuthPAM_Enabled on
        AuthPAM_FallThrough Off
        SSLRequireSSL
        Require valid-user
    </Location>
The result is that when users visit Special:UserLogin, they get a pop-up screen and must authenticate using PAM. They can then see the Special:UserLogin screen and must login again (which isn't compared to our external database). This isn't quite what I wanted. I am new to Apache and web administration. Does anyone have any advice?
Thank you.
Regards, Melissa Soriano
>     session_start();
>     if ((!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['REMOTE_USER'])) || $_COOKIE['fpwiki_en_UserID']) {
>         require_once("$IP/extensions/HttpAuthPlugin.php");
>         $wgAuth = new HttpAuthPlugin();
>         $wgHooks['UserLoadFromSession'][] = array($wgAuth,'autoAuthenticate');
>     }
This looks kind of strange. That if line is saying "if the user is authenticated by the web server, or the user has a cookie set, enable the plugin". I think that $_COOKIE['fpwiki_en_UserID'] part is wrong. The cookies assigned by your wiki wouldn't likely be 'fpwiki_en_UserID'; Try:
$_COOKIE[$wgDBserver . "UserID"]
Which, I think, is the default way MediaWiki sets cookies.
That said, I really don't even understand the point of the if statement or the session_start() line. Why isn't the plugin doing this stuff for you?
> I then added the following lines to http.conf:
>     <Location /w/Special:UserLogin>
>         AuthType "basic"
>         AuthName "wiki"
>         AuthPAM_Enabled on
>         AuthPAM_FallThrough Off
>         SSLRequireSSL
>         Require valid-user
>     </Location>
This looks fine.
> The result is that when users visit Special:UserLogin, they get a pop-up screen and must authenticate using PAM. They can then see the Special:UserLogin screen and must login again (which isn't compared to our external database). This isn't quite what I wanted. I am new to Apache and web administration. Does anyone have any advice?
I'm very much betting it's that cookie line...
V/r,
Ryan Lane
Hi Ryan,
Thanks for your response! You were right. I changed my if statement in LocalSettings.php to:
    session_start();
    if ((!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['REMOTE_USER'])) || $_COOKIE[$wgDBserver . "UserID"]) {
        require_once("$IP/extensions/HttpAuthPlugin.php");
        $wgAuth = new HttpAuthPlugin();
        $wgHooks['UserLoadFromSession'][] = array($wgAuth,'autoAuthenticate');
    }
using $_COOKIE[$wgDBserver . "UserID"] rather than $_COOKIE['fpwiki_en_UserID'] as you suggested.
This is working much better now. I enabled pretty URLs using $wgUsePathInfo = true; I removed the "Create an Account or Login" link in the top right-hand corner of every page by editing Monobook.php as described in the FAQ. As I showed in my previous e-mail, Special:UserLogin is protected by SSL and PAM. This authentication is working great.
I have one small problem now. When a user visits Special:UserLogin, the user sees a pop-up screen and is prompted for a username and password, which is validated against the external database. If this validation is successful, the user is logged in, and can see this in the top-right hand corner of the page. However, the user then sees the Special:UserLogin page, which makes it seem as if the user needs to login AGAIN, which is not the case. Do you have any advice? I am thinking that my two main options are 1) to replace the text and layout of Special:UserLogin with something else (like "Welcome") or 2) redirect to the Main Page. There is some code on http://www.mediawiki.org/wiki/Extension:HttpAuth under "Allowing Anonymous Browsing" describing how to handle this redirecting but I haven't been able to get it to work yet.
Thank you again for your time and help!
Regards, Melissa Soriano
> I have one small problem now. When a user visits Special:UserLogin, the user sees a pop-up screen and is prompted for a username and password, which is validated against the external database. If this validation is successful, the user is logged in, and can see this in the top-right hand corner of the page. However, the user then sees the Special:UserLogin page, which makes it seem as if the user needs to login AGAIN, which is not the case. Do you have any advice? I am thinking that my two main options are 1) to replace the text and layout of Special:UserLogin with something else (like "Welcome") or 2) redirect to the Main Page. There is some code on http://www.mediawiki.org/wiki/Extension:HttpAuth under "Allowing Anonymous Browsing" describing how to handle this redirecting but I haven't been able to get it to work yet.
I'd recommend redirecting. You should be able to do this in Apache by changing:
    <Location /w/Special:UserLogin>
        AuthType "basic"
        AuthName "wiki"
        AuthPAM_Enabled on
        AuthPAM_FallThrough Off
        SSLRequireSSL
        Require valid-user
    </Location>
To:
    <Location /w/Special:UserLogin>
        AuthType "basic"
        AuthName "wiki"
        AuthPAM_Enabled on
        AuthPAM_FallThrough Off
        SSLRequireSSL
        Require valid-user
        Redirect /w/Special:UserLogin https://<servername>/wiki/Main_Page
    </Location>
V/r,
Ryan Lane
Dear Ryan,
Thanks for your help. I tried redirecting by adding "Redirect /w/Special:UserLogin https://<servername>/wiki/Main_Page" to http.conf. The pop-up box came up, I typed in my name and password, and was redirected to the Main Page, but I don't seem to be logged in. I don't see the usual logged-in icons on the top right and I don't see the option to edit pages.
Any advice?
Thanks again, Melissa
-----Original Message-----
From: mediawiki-l-bounces@lists.wikimedia.org [mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of Lane, Ryan
Sent: Tuesday, May 12, 2009 6:40 AM
To: MediaWiki announcements and site admin list
Subject: Re: [Mediawiki-l] Authentication
> I have one small problem now. When a user visits Special:UserLogin, the user sees a pop-up screen and is prompted for a username and password, which is validated against the external database. If this validation is successful, the user is logged in, and can see this in the top-right hand corner of the page. However, the user then sees the Special:UserLogin page, which makes it seem as if the user needs to login AGAIN, which is not the case. Do you have any advice? I am thinking that my two main options are 1) to replace the text and layout of Special:UserLogin with something else (like "Welcome") or 2) redirect to the Main Page. There is some code on http://www.mediawiki.org/wiki/Extension:HttpAuth under "Allowing Anonymous Browsing" describing how to handle this redirecting but I haven't been able to get it to work yet.
I'd recommend redirecting. You should be able to do this in Apache by changing:
    <Location /w/Special:UserLogin>
        AuthType "basic"
        AuthName "wiki"
        AuthPAM_Enabled on
        AuthPAM_FallThrough Off
        SSLRequireSSL
        Require valid-user
    </Location>
To:
    <Location /w/Special:UserLogin>
        AuthType "basic"
        AuthName "wiki"
        AuthPAM_Enabled on
        AuthPAM_FallThrough Off
        SSLRequireSSL
        Require valid-user
        Redirect /w/Special:UserLogin https://<servername>/wiki/Main_Page
    </Location>
V/r,
Ryan Lane
> Thanks for your help. I tried redirecting by adding "Redirect /w/Special:UserLogin https://<servername>/wiki/Main_Page" to http.conf. The pop-up box came up, I typed in my name and password, and was redirected to the Main Page, but I don't seem to be logged in. I don't see the usual logged-in icons on the top right and I don't see the option to edit pages.
> Any advice?
After thinking about this, the redirect is occurring before hitting MediaWiki, and as such, the authentication plugin isn't logging the user in. After the redirect occurs, the user is on a page that doesn't require authentication, so Apache isn't sending the "REMOTE_USER" variable to PHP...
I'm assuming you want the login link to work, which is why you are doing the Location directive on /w/Special:UserLogin. So, what you can do is the following:
    Redirect /w/Special:UserLogin https://<servername>/wiki/HttpAuthRedirect
    <Location /wiki/HttpAuthRedirect>
        AuthType "basic"
        AuthName "wiki"
        AuthPAM_Enabled on
        AuthPAM_FallThrough Off
        SSLRequireSSL
        Require valid-user
    </Location>
Then protect and edit HttpAuthRedirect, and put the following line into the page:
#REDIRECT [[Main Page]]
Your users will get two redirects when they log in, but it should work.
V/r,
Ryan Lane
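Added example, not part of the original thread and not Apache or MediaWiki code: a small Python model of the request flow explained above, showing why the Redirect inside the protected Location never logged anyone in while the HttpAuthRedirect page does. The function names, the user "alice" and the bare "UserID" cookie key are assumptions made for illustration.

```python
# Toy model of the request flow in this thread; not Apache or MediaWiki code.
LOGIN = "/w/Special:UserLogin"

def apache(path, creds, protected, redirects):
    """One request as Apache sees it: challenge, redirect, or hand off to PHP."""
    if path in protected and creds is None:
        return ("challenge", None)             # 401, browser shows the pop-up
    if path in redirects:
        return ("redirect", redirects[path])   # answered by Apache, PHP never runs
    # REMOTE_USER is only set when the requested path itself required auth
    return ("php", creds if path in protected else None)

def mediawiki(path, remote_user, cookies, wiki_redirects):
    """LocalSettings.php gate plus the plugin's auto-login (simplified)."""
    plugin_loaded = remote_user is not None or "UserID" in cookies
    if plugin_loaded and remote_user is not None:
        cookies["UserID"] = remote_user        # constructed stand-in for the wiki session
    return wiki_redirects.get(path)            # page holding #REDIRECT, if any

def login_flow(protected, redirects, wiki_redirects, user="alice"):
    """Follow a click on the login link; return (logged-in user, trace)."""
    cookies, path, trace = {}, LOGIN, []
    for _ in range(10):                        # guard against redirect loops
        kind, detail = apache(path, None, protected, redirects)
        if kind == "challenge":                # user answers the pop-up, browser retries
            trace.append(f"401+auth {path}")
            kind, detail = apache(path, user, protected, redirects)
        if kind == "redirect":
            trace.append(f"apache-redirect {path} -> {detail}")
            path = detail
            continue
        trace.append(f"php {path} REMOTE_USER={detail}")
        path = mediawiki(path, detail, cookies, wiki_redirects)
        if path is None:
            break
    return cookies.get("UserID"), trace

# Redirect placed inside the protected <Location>: auth succeeds, PHP never sees it.
first_attempt = login_flow({LOGIN}, {LOGIN: "/wiki/Main_Page"}, {})
# Server-level Redirect to a protected wiki page that itself redirects.
final_setup = login_flow({"/wiki/HttpAuthRedirect"},
                         {LOGIN: "/wiki/HttpAuthRedirect"},
                         {"/wiki/HttpAuthRedirect": "/wiki/Main_Page"})

if __name__ == "__main__":
    for name, (who, trace) in (("first attempt", first_attempt), ("final setup", final_setup)):
        print(name, "-> logged in as", who, *trace, sep="\n  ")
```

In the trace for the final setup, the only request that carries REMOTE_USER is the one for the protected HttpAuthRedirect page; the later Main Page request relies on the cookie branch of the LocalSettings.php condition.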
Thanks for your advice, Ryan! This worked great for my needs.
Regards, Melissa