Is it possible to use MediaWiki with Kerberos?
Yes, the LDAP plugin has support for this:
http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Kerberos_Configuration_Examples
However, if you don't want to use LDAP, you can still stick with the
HTTP_AUTH plugin; it may just need to be slightly modified.
I am currently using the MediaWiki HTTP_AUTH plugin and authenticating
via Apache (which uses mod_auth_kerb as its backend). This works fine
passing a password, which is checked against the Kerberos server because
Apache authenticates and PHP provides the userID via
$_SERVER[PHP_AUTH_USER]. This is then used by HTTP_AUTH.
The problem arises if you do a kinit and use your kerberos ticket to
authenticate with Apache. For some reason, although authentication is
successful PHP does not put the userID into $_SERVER[PHP_AUTH_USER].
Therefore HTTP_AUTH does not get the userID and log you in.
As far as I can tell, it puts the user into $_SERVER["REMOTE_USER"].
Notice that the username will be in the form "<username>@<DOMAIN>.<TLD>".
MediaWiki can't handle this format.
I handle this in the LDAP plugin by turning this into a configuration
option that is populated in LocalSettings.php:
$wgLDAPAutoAuthUsername = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"] );
I use $wgLDAPAutoAuthUsername everywhere else.
So, I guess the questions are:
1) Why doesn't $_SERVER[PHP_AUTH_USER] get populated (I understand it's
something to do with different HTTP headers being used between password
auth (which is just BASIC auth) and ticket negotiation)?
2) Is there a way that PHP can detect if Apache has carried out a
successful Kerberos authentication?
If you are requiring Kerberos authentication, you can be assured that
the authentication was successful if the user got to the protected
resource.
3) Is there another/better way to make MediaWiki play with Kerberos? I
understand there's a not terribly free as in Freedom PHP extension that
allows PHP to play with Kerberos but I'd like to steer clear of it.
See the LDAP plugin; just remember that you'll also have to configure
LDAP (which can be a PITA depending on your environment).
V/r,
Ryan Lane
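The realm-stripping one-liner above is the whole trick, but a practitioner wiring it into LocalSettings.php usually wants two more things: a single place that handles both Apache paths (Basic password auth, where PHP fills PHP_AUTH_USER because it parses the Authorization header itself, and Negotiate ticket auth, where PHP never parses the GSSAPI token and only Apache's REMOTE_USER carries the principal), and a check that the realm being stripped is one you actually trust, so that a principal from another realm is not silently mapped onto a local wiki account with the same short name. The following PHP is an added example, not code from the thread or from the LDAP extension; the function name, the $allowedRealms list and the sample $_SERVER arrays are assumptions.

```php
<?php
// Added example (not part of the original thread or the LDAP plugin):
// derive a MediaWiki-safe username from what Apache exposes after
// mod_auth_kerb authentication. Function name and realm list are assumed.

/**
 * Return the bare username for MediaWiki, or null if the web server
 * provided nothing usable (or nothing from a trusted realm).
 *
 * @param array    $server        normally $_SERVER
 * @param string[] $allowedRealms realms accepted in "user@REALM" principals
 */
function kerberosWikiUsername(array $server, array $allowedRealms): ?string
{
    if (!empty($server['PHP_AUTH_USER'])) {
        // Basic auth: the password was checked by mod_auth_kerb, and PHP
        // parsed the "Authorization: Basic" header into PHP_AUTH_USER.
        $principal = $server['PHP_AUTH_USER'];
    } elseif (!empty($server['REMOTE_USER'])) {
        // Negotiate auth (kinit + ticket): PHP does not parse the GSSAPI
        // token, so only Apache's REMOTE_USER carries the principal.
        $principal = $server['REMOTE_USER'];
    } else {
        return null;            // Apache did not authenticate anyone
    }

    // Split "user@REALM"; a principal without a realm is kept as-is.
    $at = strrpos($principal, '@');
    if ($at === false) {
        $user = $principal;
    } else {
        $user  = substr($principal, 0, $at);
        $realm = strtoupper(substr($principal, $at + 1));
        // Stripping the realm blindly would let "alice@OTHER.ORG" log in
        // as local user "alice"; only accept realms you trust.
        if (!in_array($realm, $allowedRealms, true)) {
            return null;
        }
    }

    // Refuse anything empty or still containing '@', which MediaWiki
    // does not accept in user names, rather than mangling it silently.
    if ($user === '' || strpos($user, '@') !== false) {
        return null;
    }
    return $user;
}

// Constructed sample $_SERVER arrays for the three cases (assumption:
// EXAMPLE.COM is the realm this wiki trusts).
$allowedRealms = ['EXAMPLE.COM'];
$basicAuth     = ['PHP_AUTH_USER' => 'alice'];
$negotiateAuth = ['REMOTE_USER'   => 'alice@EXAMPLE.COM'];
$foreignRealm  = ['REMOTE_USER'   => 'alice@OTHER.ORG'];

foreach ([$basicAuth, $negotiateAuth, $foreignRealm] as $sample) {
    var_dump(kerberosWikiUsername($sample, $allowedRealms));
}

// In LocalSettings.php the same call replaces the bare preg_replace():
// $wgLDAPAutoAuthUsername = kerberosWikiUsername($_SERVER, ['EXAMPLE.COM']);
```

The realm check is deliberately done in PHP even though mod_auth_kerb can restrict accepted realms itself (its KrbAuthRealms directive); keeping the check next to the code that drops the realm means a later change to the Apache configuration cannot quietly turn the strip into an account-mapping problem.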