So the SSO hack we've been using on RHEL 3 and 4 (busted in RHEL 5!) to authenticate off of our AD infrastructure is to tell RHEL that the AD stuff is a Kerberos KDC. Works pretty well - all I need to do is a useradd on the person's AD login and it's maintenance free from there as far as I'm concerned, plus I control just which AD users can get in.

Anyone doing something like this with MW 1.10? I see http://www.mediawiki.org/wiki/Extension:LDAP_Authentication and that might do it, but I wasn't the one that came up with the scheme we use and don't know enough about AD and Kerberos to be able to do any necessary hacking.

I realize that I couldn't control who had an account (like having to do a useradd on RHEL), but I can probably do something similar via a group in AD.
The LDAP plugin doesn't (currently) do Kerberos authentication. Users will have to log in to your wiki using their AD username/password. CAC/Smartcard authentication is currently supported though.

I'm planning on adding http authentication support to the plugin soon. This support would allow you to use any apache module (including Kerberos) to do authentication, and then use LDAP for authorization and group/user information synchronization.

You can control access in a number of ways: roles, LDAP groups, mediawiki groups, attributes, OUs, etc. You just need to be crafty as to how you configure the plugin. I'll readily admit that the configuration examples are lacking in this area...
V/r,
Ryan Lane
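The reply above says access can be gated on an LDAP group; as an added example (mine, not code from the thread or from the extension's own documentation), here is a LocalSettings.php fragment for Extension:LDAP_Authentication that points MediaWiki at an AD domain and admits only members of one AD group, which replaces the "useradd on RHEL" gate from the original post. Hostnames, DNs, the group name and the domain label are constructed placeholders, and the setting names are assumed from the extension's documented configuration variables, so check them against the plugin version you install.

```php
<?php
// Added example: LocalSettings.php fragment for Extension:LDAP_Authentication
// against Active Directory. All names below are constructed placeholders.
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();

// One AD domain, two domain controllers, TLS so AD passwords never cross the wire in clear.
$wgLDAPDomainNames    = array( 'EXAMPLE' );
$wgLDAPServerNames    = array( 'EXAMPLE' => 'dc1.example.corp dc2.example.corp' );
$wgLDAPEncryptionType = array( 'EXAMPLE' => 'ssl' );
$wgLDAPBaseDNs        = array( 'EXAMPLE' => 'dc=example,dc=corp' );

// Authentication: bind as the user with the AD UPN form of the login name.
// USER-NAME is the placeholder the plugin substitutes with what the user typed.
$wgLDAPSearchStrings    = array( 'EXAMPLE' => 'USER-NAME@example.corp' );
// Attribute used to locate the user's DN after bind (needed for the group check).
$wgLDAPSearchAttributes = array( 'EXAMPLE' => 'sAMAccountName' );
$wgLDAPLowerCaseUsername = array( 'EXAMPLE' => true );

// Authorization: only members of this AD group may log in. AD stores group
// membership as full member DNs in the 'member' attribute of objectclass 'group'.
$wgLDAPRequiredGroups = array(
    'EXAMPLE' => array( 'cn=wiki-users,ou=Groups,dc=example,dc=corp' )
);
$wgLDAPGroupUseFullDN     = array( 'EXAMPLE' => true );
$wgLDAPGroupObjectclass   = array( 'EXAMPLE' => 'group' );
$wgLDAPGroupAttribute     = array( 'EXAMPLE' => 'member' );
$wgLDAPGroupNameAttribute = array( 'EXAMPLE' => 'cn' );

// AD is the only authenticator: no local wiki passwords, no self-registration.
$wgLDAPUseLocal = false;
$wgGroupPermissions['*']['createaccount'] = false;
```

Removing a user from the AD group then locks them out of the wiki on their next login, which is the group-based equivalent of deleting the RHEL account.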