Hi Daniel,
If you're running MW on Linux or FreeBSD the Plexcel MediaWiki Plugin
is the most advanced plugin for integration with Active Directory. But
it does not provide everything to the degree you are looking for. More
comments inlined below.
On 8/31/07, Daniel Barrett <danb(a)vistaprint.com> wrote:
> I'm looking for advice on the best authentication & access control setup
> for a "private" MediaWiki installation in the following environment:
> * Completely read-protected unless you are logged in (as in
> http://23rdworld.com/2007/03/30/how-to-make-your-mediawiki-private/)
> * Usernames and passwords are stored in ActiveDirectory (we're
> using the LDAPAuthentication extension)
Plexcel does SSO and explicit login using Kerberos which at this point
is as good as it gets for ease of use and security.
> * Logins are restricted to a particular group (e.g., an NT
> security group within ActiveDirectory, which LDAPAuthentication.php
> supports)
With respect to group based access control Plexcel's MediaWiki Plugin
has two significant advantages over LDAPAuthentication.php.
1. Plexcel's group access checks are very fast. Once the group names
used within the page_acls array are cached in shared memory, access
checks do not require communication with the server.
2. Group names can be in the full range of forms like
'IBK\International Banking' or just 'International Banking' or may be
specific individuals like 'abaker(a)example.com'. Coupled with the fact
that our ACLs mimic the semantics of Windows ACLs, this model is a
little easier to work with than using full DNs.
> * Easily add and remove access control for individual guests (who
> are also in ActiveDirectory, but not in the required NT security group)
The Plexcel MediaWiki Plugin uses a page_acls array in
LocalSettings.conf that can include individual users. For example, a
somewhat elaborate example might look like:
$wgAuth->page_acls['*'] = array(
    'http_sso_www1' => 'DENY',
    'abaker(a)example.com' => 'DENY',
    'Temps' => 'DENY',
    'IBK\International Banking',
    'eBank Wiki Maintenance',
);
The first entry is for the HTTP service account used by anonymous
users which is to say anonymous users are denied access. The
individual 'abaker(a)example.com' and anyone in the group 'Temps' are
also denied access. Users in either of the two remaining groups are
granted access. Otherwise they are denied access. The point is that
even though 'abaker(a)example.com' may also be in 'IBK\International
Banking', they will be denied access which I believe is the effect
you're looking for.
> * Guests can be read-only or read/write
Currently we do not have read vs. write controls associated with our
ACLs but once the user logs in once a MW account will automatically be
created which I believe you can add or remove to or from MW groups and
use as the basis for blocking edits.
> * FYI, this is on a corporate intranet that is firewalled from the
> world
>
> If we use ActiveDirectory for access control, this provides login
> security, but we can't revoke access instantly (since the user can
> select "Remember my login on this computer" ...or is there a way to
> destroy another user's session?). We also cannot control read-only vs.
> read-write access at this level, I think.
Plexcel uses Kerberos which authenticates every request. However, if
the user is logged into their workstation while the account is
disabled, I think they can still access resources on the network until
their Kerberos ticket needs to be renewed. So I'm not sure how you're
going to satisfy this feature.
> This is solved if we also use MediaWiki user rights for access control;
> but then to add a new user, you need to add them to the NT security
> group AND bestow the appropriate MediaWiki user rights. It would be
> cleaner to maintain permissions in just one place. (This is my favorite
> approach at the moment, however.)
>
> A third possibility is to forget the NT security group and just allow
> everyone in ActiveDirectory to log in, but use MediaWiki access control
> after login. This works but you get the weird state of "successfully
> logged in, but cannot read anything," which is confusing for users and
> probably will generate customer support calls.
When the Plexcel MediaWiki Plugin denies access to a user because of
an entry in the page_acls array, they are directed to a page
PlexcelAccessDenied. On that page you put whatever instructions to the
user that you feel appropriate like "You do not have permission to
access this content. This may be because you have been removed from a
required group. Please contact support at ...".
> We are not considering the "100% MediaWiki" approach (use MediaWiki
> authentication, not ActiveDirectory), nor the HTTP auth approach
> (.htaccess), because we want to keep passwords in sync with
> ActiveDirectory. Nor do we want to control access by particular PCs or
> IP addresses (e.g., by firewall rules) as it's too hard to maintain.
>
> Are there any other possibilities I've missed?
Plexcel MediaWiki, Dan. It's still a little new but we have quite a few
large organizations using it now and bug reports are becoming few and
far between. Check it out.
http://www.ioplex.com/mediawiki_plugin.html
Mike
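As an added illustration that is not Plexcel's own code, the PHP below models the deny-first evaluation Mike describes for the page_acls array: a 'DENY' entry naming the user or any of their groups wins, a bare entry grants, and everything else is denied. The function name aclAllows, the group memberships and the sample users other than abaker are constructed for the example.

```php
<?php
// Model of the page_acls semantics described in the message above.
// This is an added example, not the plugin's implementation.
// Keyed entries with value 'DENY' reject; bare (unkeyed) entries grant.
$page_acls = array(
    'http_sso_www1'        => 'DENY',  // HTTP service account = anonymous users
    'abaker(a)example.com' => 'DENY',  // one named individual
    'Temps'                => 'DENY',  // everyone in this group
    'IBK\International Banking',       // members of this group are granted
    'eBank Wiki Maintenance',          // members of this group are granted
);

/**
 * Decide whether $principal (a user name) holding $groups may access
 * pages covered by $acl. Returns true for allow, false for deny.
 * A DENY entry takes precedence even when the user is also in an
 * allowed group, which is the effect the message describes for abaker.
 */
function aclAllows(array $acl, $principal, array $groups) {
    // Every name that could match an ACL entry: the user plus their groups.
    $names = array_merge(array($principal), $groups);

    // Pass 1: any DENY entry naming the user or one of their groups rejects.
    foreach ($acl as $key => $value) {
        if (is_string($key) && $value === 'DENY' && in_array($key, $names, true)) {
            return false;
        }
    }
    // Pass 2: a bare entry (integer key) naming the user or a group grants.
    foreach ($acl as $key => $value) {
        if (is_int($key) && in_array($value, $names, true)) {
            return true;
        }
    }
    // Default: no allow entry matched, so access is denied.
    return false;
}

// Constructed sample principals (hypothetical memberships):
// abaker is in an allowed group but is denied by name.
var_dump(aclAllows($page_acls, 'abaker(a)example.com', array('IBK\International Banking')));
// A maintainer who is also a Temp is denied because the group DENY wins.
var_dump(aclAllows($page_acls, 'cjones(a)example.com', array('Temps', 'eBank Wiki Maintenance')));
// An ordinary member of an allowed group is granted.
var_dump(aclAllows($page_acls, 'dlee(a)example.com', array('IBK\International Banking')));
// Anonymous requests arrive as the HTTP service account and are denied.
var_dump(aclAllows($page_acls, 'http_sso_www1', array()));
```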