Folks,
Is it possible to use MediaWiki with Kerberos?
I am currently using the MediaWiki HTTP_AUTH plugin and authenticating via Apache (which uses mod_auth_kerb as its backend). This works fine passing a password, which is checked against the Kerberos server because Apache authenticates and PHP provides the userID via $_SERVER[PHP_AUTH_USER]. This is then used by HTTP_AUTH.
The problem arises if you do a kinit and use your Kerberos ticket to authenticate with Apache. For some reason, although authentication is successful, PHP does not put the userID into $_SERVER[PHP_AUTH_USER]. Therefore HTTP_AUTH does not get the userID and log you in.
So, I guess the questions are:
1) Why doesn't $_SERVER[PHP_AUTH_USER] get populated (I understand it's something to do with different HTTP headers being used between password auth (which is just BASIC auth) and ticket negotiation)?
2) Is there a way that PHP can detect if Apache has carried out a successful Kerberos authentication?
3) Is there another/better way to make MediaWiki play with Kerberos? I understand there's a not terribly free as in Freedom PHP extension that allows PHP to play with Kerberos, but I'd like to steer clear of it.
Mike.
> Is it possible to use MediaWiki with Kerberos?
Yes, the LDAP plugin has support for this:
http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Kerberos_Configuration_Examples
However, if you don't want to use LDAP, you can still stick with the HTTP_AUTH plugin; it may just need to be slightly modified.
> I am currently using the MediaWiki HTTP_AUTH plugin and authenticating via Apache (which uses mod_auth_kerb as its backend). This works fine passing a password, which is checked against the Kerberos server because Apache authenticates and PHP provides the userID via $_SERVER[PHP_AUTH_USER]. This is then used by HTTP_AUTH.
> The problem arises if you do a kinit and use your Kerberos ticket to authenticate with Apache. For some reason, although authentication is successful, PHP does not put the userID into $_SERVER[PHP_AUTH_USER]. Therefore HTTP_AUTH does not get the userID and log you in.
As far as I can tell, it puts the user into $_SERVER["REMOTE_USER"]. Notice that the username will be in the form "<username>@<DOMAIN>.<TLD>". MediaWiki can't handle this format. I handle this in the LDAP plugin by turning this into a configuration option that is populated in LocalSettings.php:
$wgLDAPAutoAuthUsername = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"] );
I use $wgLDAPAutoAuthUsername everywhere else.
> So, I guess the questions are:
> - Why doesn't $_SERVER[PHP_AUTH_USER] get populated (I understand it's something to do with different HTTP headers being used between password auth (which is just BASIC auth) and ticket negotiation)?
> - Is there a way that PHP can detect if Apache has carried out a successful Kerberos authentication?
If you are requiring Kerberos authentication, you can be assured that the authentication was successful if the user got to the protected resource.
> - Is there another/better way to make MediaWiki play with Kerberos? I understand there's a not terribly free as in Freedom PHP extension that allows PHP to play with Kerberos, but I'd like to steer clear of it.
See the LDAP plugin; just remember that you'll also have to configure LDAP (which can be a PITA depending on your environment).
V/r,
Ryan Lane
mediawiki-l@lists.wikimedia.org
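Added example (not code from either poster or from the LDAP extension): a helper that derives a MediaWiki-usable username from what mod_auth_kerb leaves in $_SERVER on both the Basic and the Negotiate path, and that checks the realm against an allow-list instead of blindly stripping everything after the "@" as the one-liner above does. The function name, the $allowedRealms parameter and the sample requests are assumptions constructed for this example.

```php
<?php
// Added example, not from the thread. Derive a wiki username from the
// variables Apache/mod_auth_kerb hands to PHP, for both the Basic (password)
// path and the Negotiate (ticket) path. Function name and $allowedRealms are
// assumptions for this example.

function kerberosWikiUsername(array $server, array $allowedRealms): ?string
{
    // Basic auth: PHP fills PHP_AUTH_USER itself. Negotiate: only REMOTE_USER
    // is set, so prefer it and fall back to PHP_AUTH_USER.
    $principal = $server['REMOTE_USER'] ?? $server['PHP_AUTH_USER'] ?? null;
    if ($principal === null || $principal === '') {
        return null; // Apache did not authenticate anyone; do not log in
    }

    // Split "user@REALM" at the last "@"; a bare "user" has no realm part.
    $at    = strrpos($principal, '@');
    $user  = $at === false ? $principal : substr($principal, 0, $at);
    $realm = $at === false ? null : substr($principal, $at + 1);

    // Two realms may both contain an "alice"; dropping the realm would merge
    // them into one wiki account. Accept only realms this wiki trusts.
    if ($realm !== null && !in_array($realm, $allowedRealms, true)) {
        return null;
    }

    // Reject service/instance principals such as "host/web.example.com".
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $user)) {
        return null;
    }

    // MediaWiki canonicalises usernames with an uppercase first letter.
    return ucfirst($user);
}

// Constructed sample requests (not captured from a real server).
$samples = [
    ['REMOTE_USER' => 'mike@EXAMPLE.COM'],                 // ticket path
    ['PHP_AUTH_USER' => 'mike', 'REMOTE_USER' => 'mike'],  // Basic path
    ['REMOTE_USER' => 'mike@OTHER.ORG'],                   // untrusted realm
    ['REMOTE_USER' => 'host/web.example.com@EXAMPLE.COM'], // service principal
    [],                                                    // unauthenticated
];
foreach ($samples as $s) {
    var_dump(kerberosWikiUsername($s, ['EXAMPLE.COM']));
}
```

The first two samples yield "Mike"; the remaining three yield NULL, which a LocalSettings.php hook should treat as "not logged in" rather than falling through to a default account.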