I'm setting up a wiki family, one wiki per (spoken) language: en.mywiki.com, fr.mywiki.com, de.wiki.com, etc. When somebody logs into the English wiki (for example), I want them also logged into the Spanish, French, and German (etc) wikis. So a single visit to any login page is enough.
What's the best way to make this work?
FYI, we're using the LDAPauthentication extension with Active Directory. I've tried Plexcel (a single sign-on system for Active Directory) which I thought would solve our problems, but it couldn't support our fairly strange Active Directory setup.
I looked at $wgSharedDB but it still requires a separate login per wiki.
Anybody tried http://www.mediawiki.org/wiki/Extension:Windows_NTLM_LDAP_Auto_Auth?
Any other ideas?
Thanks, DanB
Two ideas:
1. Use the Kerberos support in the LDAP plugin for this.
2. Use a web SSO solution, like OpenSSO (or the new fork OpenAM), Siteminder, CrowdAuth, etc.
The Kerberos support in the LDAP plugin is fairly easy to configure. See:
http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Kerberos_Configuration_Examples
If you have a mixed environment, and not all of your systems are configured for Kerberos, a web SSO solution may be better.
Let me know if you have any issues.
Respectfully,
Ryan Lane
Ryan Lane suggested:
- Use the Kerberos support in the LDAP plugin for this.
Thanks Ryan. We previously tried a Kerberos auth solution for MediaWiki (Plexcel) but due to a quirk in our setup, it could not work for us. The quirk is that our userPrincipalName (foo.com) does not equal our AD domain (foo.net), an equivalence assumed at some level (Kerberos or Plexcel). Additionally the Kerberos library did not support a principal type of KRB5_NT_ENTERPRISE_PRINCIPAL, which is Windows-specific. At least this is how it was explained to me. I will take a look at your article.
Thanks, DanB
On Wed, May 26, 2010 at 7:08 PM, Daniel Barrett <danb@vistaprint.com> wrote:
> Ryan Lane suggested:
> - Use the Kerberos support in the LDAP plugin for this.
>
> Thanks Ryan. We previously tried a Kerberos auth solution for MediaWiki (Plexcel) but due to a quirk in our setup, it could not work for us. The quirk is that our userPrincipalName (foo.com) does not equal our AD domain (foo.net), an equivalence assumed at some level (Kerberos or Plexcel). Additionally the Kerberos library did not support a principal type of KRB5_NT_ENTERPRISE_PRINCIPAL, which is Windows-specific. At least this is how it was explained to me. I will take a look at your article.
If your web server supports it, the LDAP plugin will as well. My support is based on web server authentication, and uses mod_auth_kerb as an example. You can munge the $_SERVER["REMOTE_USER"] however needed to get the username, and can match it against any LDAP attribute you wish. The LDAP plugin is far more flexible than the Plexcel one.
Respectfully,
Ryan Lane
mediawiki-l@lists.wikimedia.org
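
Added example, not part of the original thread and not code from the LDAP Authentication extension: one way to do the `$_SERVER["REMOTE_USER"]` munging described in the last reply, accepting only principals from an expected Kerberos realm instead of stripping everything after the `@`. The realm `FOO.NET` follows the placeholder domain used in the thread; the function name, the username pattern and the sample values are assumptions.

```php
<?php
// Added example: map the principal set by web-server Kerberos auth
// (e.g. mod_auth_kerb) to the bare name that is matched against LDAP.
// Assumptions: realm FOO.NET, function name, username pattern.

const TRUSTED_REALMS = ['FOO.NET'];   // assumed: realms whose principals are accepted

/**
 * Return the bare account name for "user@REALM", or null when the value
 * is missing, malformed, or comes from a realm that is not trusted.
 */
function usernameFromRemoteUser(?string $remoteUser): ?string
{
    if ($remoteUser === null || $remoteUser === '') {
        return null;                   // web server did not authenticate anyone
    }
    // Split on the LAST "@" so a name that itself contains "@" is rejected
    // by the pattern below instead of being silently truncated.
    $at = strrpos($remoteUser, '@');
    if ($at === false) {
        return null;                   // no realm present: refuse rather than guess
    }
    $name  = substr($remoteUser, 0, $at);
    $realm = strtoupper(substr($remoteUser, $at + 1));
    if (!in_array($realm, TRUSTED_REALMS, true)) {
        return null;                   // e.g. a principal from a cross-realm trust
    }
    // Conservative character set: keeps LDAP filter metacharacters
    // such as ( ) * \ out of the value used in the directory search.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $name)) {
        return null;
    }
    return $name;
}

// Constructed sample values, not taken from a real server.
$samples = ['danb@FOO.NET', 'danb@OTHER.EXAMPLE', 'danb', 'dan*@FOO.NET'];
foreach ($samples as $s) {
    var_export(usernameFromRemoteUser($s));
    echo "  <= $s\n";
}
// In LocalSettings.php a non-null result would be assigned to
// $wgLDAPAutoAuthUsername in place of a blind preg_replace('/@.*/', ...).
```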