The best option here is: https://www.mediawiki.org/wiki/Extension:LDAP_Authentication
I'm not sure why you think LDAP is a wart on Windows. Active Directory is just LDAP with Kerberos.
Anyway, the LDAP Authentication extension has examples of how to do auto-auth using kerberos. You still need LDAP for things like group membership, username conversion, and other integrations.
- Ryan
On Tue, Feb 9, 2016 at 9:20 AM, François St-Arnaud <fstarnaud@logisphere.ca> wrote:
Hello,
To enable Single Sign-On to a MediaWiki hosted on IIS in a Windows Domain, the best MediaWiki extension I could find was NTLMActiveDirectory. https://www.mediawiki.org/wiki/Extension:NTLMActiveDirectory
However, I had two peeves with this extension:
- Its name; I'm not doing NTLM, but Negotiate and Kerberos; and
- Its use of LDAP; feels too much like a wart on Windows!
See, I'm sitting on an IIS box on a Windows domain with Integrated Windows Authentication enabled. By the time the MW extension gets hit, IIS has already authenticated the user, so why not just leverage that instead?
I therefore used NTLMActiveDirectory as a starting point, but threw out all the LDAP stuff and replaced it with a simple Web call to an IIS-hosted handler to get the AD group membership for the already authenticated user. Of NTLMActiveDirectory, I kept the AD / MW group mapping configuration required for authorization.
Personally, I find this solution much simpler and intuitive for AD integration when hosting MW on a Windows/IIS box.
Does this make sense to others in the community? Do others feel there was a need for a better AD integration extension? Would others in the community benefit from such an extension?
If so, I would be happy to share my work, following instructions found here: https://www.mediawiki.org/wiki/Writing_an_extension_for_deployment
Regards,
François
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
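The design François describes (let IIS do the authentication, convert the Windows identity to a wiki username, fetch AD group membership from an IIS-hosted handler, and map AD groups to MediaWiki groups with the configuration kept from NTLMActiveDirectory) can be sketched as a few plain PHP functions. This is an added example, not code from NTLMActiveDirectory, from the LDAP Authentication extension, or from the post's author; the handler URL and its JSON response shape, the group names, and the `$wgAdGroupMap` setting are all assumptions made for illustration.

```php
<?php
// Added example, not the extension code discussed in the thread. It shows the
// three pieces the post describes: trust the identity IIS already
// authenticated, turn it into a MediaWiki username, and map AD groups
// (fetched from an assumed IIS-hosted handler) onto wiki groups.

// Assumed AD group -> MediaWiki group mapping (the configuration the post
// says it kept from NTLMActiveDirectory). Group names are constructed.
$wgAdGroupMap = [
    'CORP\\Wiki-Admins'  => [ 'sysop', 'bureaucrat' ],
    'CORP\\Wiki-Editors' => [ 'editor' ],
];

/**
 * Return the identity only when IIS itself authenticated the request.
 * A REMOTE_USER value on its own is not enough: require that AUTH_TYPE
 * names one of the Integrated Windows Authentication schemes, so a value
 * that IIS never validated is not mistaken for a completed login.
 */
function iwaUserFromServer( array $server ) {
    $iwaSchemes = [ 'negotiate', 'kerberos', 'ntlm' ];
    if ( empty( $server['REMOTE_USER'] ) || empty( $server['AUTH_TYPE'] ) ) {
        return null;
    }
    if ( !in_array( strtolower( $server['AUTH_TYPE'] ), $iwaSchemes, true ) ) {
        return null;
    }
    return $server['REMOTE_USER'];
}

/**
 * Convert "DOMAIN\user" or "user@REALM" into a MediaWiki username: drop the
 * domain part, reject characters MediaWiki does not allow in usernames, and
 * apply the first-letter capitalisation MediaWiki uses for page titles.
 */
function wikiUserName( $remoteUser ) {
    $bs = strrpos( $remoteUser, '\\' );
    if ( $bs !== false ) {
        $remoteUser = substr( $remoteUser, $bs + 1 );
    } elseif ( ( $at = strpos( $remoteUser, '@' ) ) !== false ) {
        $remoteUser = substr( $remoteUser, 0, $at );
    }
    $remoteUser = trim( $remoteUser );
    if ( $remoteUser === '' || preg_match( '/[#<>\[\]|{}\/@:]/', $remoteUser ) ) {
        return null;
    }
    return ucfirst( $remoteUser );
}

/**
 * Fetch the AD groups of $samAccountName from the assumed handler, which is
 * expected to answer with a JSON array of group names. Only an https URL on
 * the wiki's own host is accepted, and any transport or decoding failure
 * yields an empty list, so a broken handler grants nothing.
 */
function fetchAdGroups( $handlerUrl, $samAccountName ) {
    $parts = parse_url( $handlerUrl );
    $ownHost = $_SERVER['SERVER_NAME'] ?? '';
    if ( !$parts || ( $parts['scheme'] ?? '' ) !== 'https' || ( $parts['host'] ?? '' ) !== $ownHost ) {
        return [];
    }
    $url = $handlerUrl . '?user=' . rawurlencode( $samAccountName );
    $ctx = stream_context_create( [ 'http' => [ 'timeout' => 5 ] ] );
    $body = @file_get_contents( $url, false, $ctx );
    $groups = $body === false ? null : json_decode( $body, true );
    return is_array( $groups ) ? array_values( array_filter( $groups, 'is_string' ) ) : [];
}

/**
 * Map AD group names onto wiki groups. AD group names are case-insensitive,
 * so compare lower-cased; AD groups with no mapping are ignored.
 */
function wikiGroupsFor( array $adGroups, array $map ) {
    $lower = [];
    foreach ( $map as $adGroup => $wikiGroups ) {
        $lower[strtolower( $adGroup )] = $wikiGroups;
    }
    $result = [];
    foreach ( $adGroups as $g ) {
        $key = strtolower( $g );
        if ( isset( $lower[$key] ) ) {
            $result = array_merge( $result, $lower[$key] );
        }
    }
    $result = array_values( array_unique( $result ) );
    sort( $result );
    return $result;
}

// Walk-through on constructed input (no IIS needed): the $_SERVER entries
// below stand in for what IIS sets after a successful Negotiate handshake,
// and the group list stands in for the handler's decoded JSON response.
$server = [ 'AUTH_TYPE' => 'Negotiate', 'REMOTE_USER' => 'CORP\\jdoe' ];
$remote = iwaUserFromServer( $server );
$name   = $remote === null ? null : wikiUserName( $remote );
$groups = wikiGroupsFor( [ 'corp\\wiki-editors', 'CORP\\Domain Users' ], $wgAdGroupMap );
var_dump( $name, $groups );
```

Because the group list returned by the handler is what decides authorization in this design, the handler needs the same care as the wiki itself: it should require authentication of its caller (for instance Windows authentication on that handler, permitting only the wiki's application pool identity) and should not be reachable from outside the server, otherwise the trust IIS established for the user is replaced by trust in whoever can reach the handler.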