Hello,
To enable Single Sign-On to a MediaWiki hosted on IIS in a Windows Domain, the best MediaWiki extension I could find was NTLMActiveDirectory. https://www.mediawiki.org/wiki/Extension:NTLMActiveDirectory
However, I had two peeves with this extension: 1) Its name; I'm not doing NTLM, but Negotiate and Kerberos; and 2) Its use of LDAP; feels too much like a wart on Windows!
See, I'm sitting on an IIS box on a Windows domain with Integrated Windows Authentication enabled. By the time the MW extension gets hit, IIS has already authenticated the user, so why not just leverage that instead?
I therefore used NTLMActiveDirectory as a starting point, but threw out all the LDAP stuff and replaced it with a simple Web call to an IIS-hosted handler to get the AD group membership for the already authenticated user. Of NTLMActiveDirectory, I kept the AD / MW group mapping configuration required for authorization.
Personally, I find this solution much simpler and intuitive for AD integration when hosting MW on a Windows/IIS box.
Does this make sense to others in the community? Do others feel there was a need for a better AD integration extension? Would others in the community benefit from such an extension?
If so, I would be happy to share my work, following instructions found here: https://www.mediawiki.org/wiki/Writing_an_extension_for_deployment
Regards,
François
The best option here is: https://www.mediawiki.org/wiki/Extension:LDAP_Authentication
I'm not sure why you think LDAP is a wart on Windows. Active Directory is just LDAP with Kerberos.
Anyway, the LDAP Authentication extension has examples of how to do auto-auth using kerberos. You still need LDAP for things like group membership, username conversion, and other integrations.
- Ryan
On Tue, Feb 9, 2016 at 9:20 AM, François St-Arnaud fstarnaud@logisphere.ca wrote:
Hello,
To enable Single Sign-On to a MediaWiki hosted on IIS in a Windows Domain, the best MediaWiki extension I could find was NTLMActiveDirectory. https://www.mediawiki.org/wiki/Extension:NTLMActiveDirectory
However, I had two peeves with this extension:
- Its name; I'm not doing NTLM, but Negotiate and Kerberos; and
- Its use of LDAP; feels too much like a wart on Windows!
See, I'm sitting on an IIS box on a Windows domain with Integrated Windows Authentication enabled. By the time the MW extension gets hit, IIS has already authenticated the user, so why not just leverage that instead?
I therefore used NTLMActiveDirectory as a starting point, but threw out all the LDAP stuff and replaced it with a simple Web call to an IIS-hosted handler to get the AD group membership for the already authenticated user. Of NTLMActiveDirectory, I kept the AD / MW group mapping configuration required for authorization.
Personally, I find this solution much simpler and intuitive for AD integration when hosting MW on a Windows/IIS box.
Does this make sense to others in the community? Do others feel there was a need for a better AD integration extension? Would others in the community benefit from such an extension?
If so, I would be happy to share my work, following instructions found here: https://www.mediawiki.org/wiki/Writing_an_extension_for_deployment
Regards,
François
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Thanks, I'll take a closer look at your extension.
Well, although I understand that using LDAP against AD is supposed to work mostly seamlessly, I've had troubles trying to use it in our client's domain, mostly due to GPOs and other security constraints. For one thing, LDAP, even TLS-secured, is not authorized for authentication in the domain. Also, LDAP starts to feel like a wart -- or an overkill -- when I have to require and configure a PHP LDAP client on the Web server and send LDAP requests when I know that the web server I'm sitting on, IIS, has already authentified the user via Negotiate/Kerberos and already knows the user's AD group membership and other such information.
Hence, I feel that the approach of a simple loopback call from the extension back to a .NET ASHX web handler -- which is readily available via an API in that environment -- is more elegant. For example, to get the AD group membership of the currently logged-in user (some lines removed for clarity):
In PHP, using curl:
$curl = curl_init(); curl_setopt($curl, CURLOPT_URL, 'roles.ashx'); $result = curl_exec($curl); $wgAuth->userADGroups = Array($result);
In C#, in a roles.ashx file deployed with the extension on the IIS server:
public void ProcessRequest (HttpContext context) { context.Response.ContentType = @"text\json"; context.Response.Write("["); int i = 0; int count = Roles.GetRolesForUser().Length; foreach (var role in Roles.GetRolesForUser()) { context.Response.Write('"' + role + '"'); if (++i != count) context.Response.Write(','); } context.Response.Write(']'); context.Response.End(); }
- François
-----Original Message----- From: Wikitech-l [mailto:wikitech-l-bounces@lists.wikimedia.org] On Behalf Of Ryan Lane Sent: Tuesday, February 09, 2016 14:43 To: Wikimedia developers wikitech-l@lists.wikimedia.org Subject: Re: [Wikitech-l] Windows Single Sign-On Extension
The best option here is: https://www.mediawiki.org/wiki/Extension:LDAP_Authentication
I'm not sure why you think LDAP is a wart on Windows. Active Directory is just LDAP with Kerberos.
Anyway, the LDAP Authentication extension has examples of how to do auto-auth using kerberos. You still need LDAP for things like group membership, username conversion, and other integrations.
- Ryan
On Tue, Feb 9, 2016 at 9:20 AM, François St-Arnaud fstarnaud@logisphere.ca wrote:
Hello,
To enable Single Sign-On to a MediaWiki hosted on IIS in a Windows Domain, the best MediaWiki extension I could find was NTLMActiveDirectory. https://www.mediawiki.org/wiki/Extension:NTLMActiveDirectory
However, I had two peeves with this extension:
- Its name; I'm not doing NTLM, but Negotiate and Kerberos; and
- Its use of LDAP; feels too much like a wart on Windows!
See, I'm sitting on an IIS box on a Windows domain with Integrated Windows Authentication enabled. By the time the MW extension gets hit, IIS has already authenticated the user, so why not just leverage that instead?
I therefore used NTLMActiveDirectory as a starting point, but threw out all the LDAP stuff and replaced it with a simple Web call to an IIS-hosted handler to get the AD group membership for the already authenticated user. Of NTLMActiveDirectory, I kept the AD / MW group mapping configuration required for authorization.
Personally, I find this solution much simpler and intuitive for AD integration when hosting MW on a Windows/IIS box.
Does this make sense to others in the community? Do others feel there was a need for a better AD integration extension? Would others in the community benefit from such an extension?
If so, I would be happy to share my work, following instructions found here: https://www.mediawiki.org/wiki/Writing_an_extension_for_deployment
Regards,
François
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
If this is what you'll need, you're going to need to write a custom extension. None of the existing auth extensions do this.
On Tue, Feb 9, 2016 at 2:35 PM, François St-Arnaud fstarnaud@logisphere.ca wrote:
Thanks, I'll take a closer look at your extension.
Well, although I understand that using LDAP against AD is supposed to work mostly seamlessly, I've had troubles trying to use it in our client's domain, mostly due to GPOs and other security constraints. For one thing, LDAP, even TLS-secured, is not authorized for authentication in the domain. Also, LDAP starts to feel like a wart -- or an overkill -- when I have to require and configure a PHP LDAP client on the Web server and send LDAP requests when I know that the web server I'm sitting on, IIS, has already authentified the user via Negotiate/Kerberos and already knows the user's AD group membership and other such information.
Hence, I feel that the approach of a simple loopback call from the extension back to a .NET ASHX web handler -- which is readily available via an API in that environment -- is more elegant. For example, to get the AD group membership of the currently logged-in user (some lines removed for clarity):
In PHP, using curl:
$curl = curl_init(); curl_setopt($curl, CURLOPT_URL, 'roles.ashx'); $result = curl_exec($curl); $wgAuth->userADGroups = Array($result);
In C#, in a roles.ashx file deployed with the extension on the IIS server:
public void ProcessRequest (HttpContext context) { context.Response.ContentType = @"text\json"; context.Response.Write("["); int i = 0; int count = Roles.GetRolesForUser().Length; foreach (var role in Roles.GetRolesForUser()) { context.Response.Write('"' + role + '"'); if (++i != count) context.Response.Write(','); } context.Response.Write(']'); context.Response.End(); }
- François
-----Original Message----- From: Wikitech-l [mailto:wikitech-l-bounces@lists.wikimedia.org] On Behalf Of Ryan Lane Sent: Tuesday, February 09, 2016 14:43 To: Wikimedia developers wikitech-l@lists.wikimedia.org Subject: Re: [Wikitech-l] Windows Single Sign-On Extension
The best option here is: https://www.mediawiki.org/wiki/Extension:LDAP_Authentication
I'm not sure why you think LDAP is a wart on Windows. Active Directory is just LDAP with Kerberos.
Anyway, the LDAP Authentication extension has examples of how to do auto-auth using kerberos. You still need LDAP for things like group membership, username conversion, and other integrations.
- Ryan
On Tue, Feb 9, 2016 at 9:20 AM, François St-Arnaud < fstarnaud@logisphere.ca> wrote:
Hello,
To enable Single Sign-On to a MediaWiki hosted on IIS in a Windows Domain, the best MediaWiki extension I could find was
NTLMActiveDirectory.
https://www.mediawiki.org/wiki/Extension:NTLMActiveDirectory
However, I had two peeves with this extension:
- Its name; I'm not doing NTLM, but Negotiate and Kerberos; and
- Its use of LDAP; feels too much like a wart on Windows!
See, I'm sitting on an IIS box on a Windows domain with Integrated Windows Authentication enabled. By the time the MW extension gets hit, IIS has already authenticated the user, so why not just leverage that
instead?
I therefore used NTLMActiveDirectory as a starting point, but threw out all the LDAP stuff and replaced it with a simple Web call to an IIS-hosted handler to get the AD group membership for the already
authenticated user.
Of NTLMActiveDirectory, I kept the AD / MW group mapping configuration required for authorization.
Personally, I find this solution much simpler and intuitive for AD integration when hosting MW on a Windows/IIS box.
Does this make sense to others in the community? Do others feel there was a need for a better AD integration extension? Would others in the community benefit from such an extension?
If so, I would be happy to share my work, following instructions found here: https://www.mediawiki.org/wiki/Writing_an_extension_for_deployment
Regards,
François
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Right. As mentioned in my first post, I already have created a custom extension using this approach and NTLMActiveDirectory as a starting point. Now, I wonder if it is worth sharing with the community, if others would benefit from an LDAP-less SSO solution for MW hosted on IIS?
-----Original Message----- From: Wikitech-l [mailto:wikitech-l-bounces@lists.wikimedia.org] On Behalf Of Ryan Lane Sent: Tuesday, February 09, 2016 17:41 To: Wikimedia developers wikitech-l@lists.wikimedia.org Subject: Re: [Wikitech-l] Windows Single Sign-On Extension
If this is what you'll need, you're going to need to write a custom extension. None of the existing auth extensions do this.
On Tue, Feb 9, 2016 at 2:35 PM, François St-Arnaud fstarnaud@logisphere.ca wrote:
Thanks, I'll take a closer look at your extension.
Well, although I understand that using LDAP against AD is supposed to work mostly seamlessly, I've had troubles trying to use it in our client's domain, mostly due to GPOs and other security constraints. For one thing, LDAP, even TLS-secured, is not authorized for authentication in the domain. Also, LDAP starts to feel like a wart -- or an overkill -- when I have to require and configure a PHP LDAP client on the Web server and send LDAP requests when I know that the web server I'm sitting on, IIS, has already authentified the user via Negotiate/Kerberos and already knows the user's AD group membership and other such information.
Hence, I feel that the approach of a simple loopback call from the extension back to a .NET ASHX web handler -- which is readily available via an API in that environment -- is more elegant. For example, to get the AD group membership of the currently logged-in user (some lines removed for clarity):
In PHP, using curl:
$curl = curl_init(); curl_setopt($curl, CURLOPT_URL, 'roles.ashx'); $result = curl_exec($curl); $wgAuth->userADGroups = Array($result);
In C#, in a roles.ashx file deployed with the extension on the IIS server:
public void ProcessRequest (HttpContext context) { context.Response.ContentType = @"text\json"; context.Response.Write("["); int i = 0; int count = Roles.GetRolesForUser().Length; foreach (var role in Roles.GetRolesForUser()) { context.Response.Write('"' + role + '"'); if (++i != count) context.Response.Write(','); } context.Response.Write(']'); context.Response.End(); }
- François
-----Original Message----- From: Wikitech-l [mailto:wikitech-l-bounces@lists.wikimedia.org] On Behalf Of Ryan Lane Sent: Tuesday, February 09, 2016 14:43 To: Wikimedia developers wikitech-l@lists.wikimedia.org Subject: Re: [Wikitech-l] Windows Single Sign-On Extension
The best option here is: https://www.mediawiki.org/wiki/Extension:LDAP_Authentication
I'm not sure why you think LDAP is a wart on Windows. Active Directory is just LDAP with Kerberos.
Anyway, the LDAP Authentication extension has examples of how to do auto-auth using kerberos. You still need LDAP for things like group membership, username conversion, and other integrations.
- Ryan
On Tue, Feb 9, 2016 at 9:20 AM, François St-Arnaud < fstarnaud@logisphere.ca> wrote:
Hello,
To enable Single Sign-On to a MediaWiki hosted on IIS in a Windows Domain, the best MediaWiki extension I could find was
NTLMActiveDirectory.
https://www.mediawiki.org/wiki/Extension:NTLMActiveDirectory
However, I had two peeves with this extension:
- Its name; I'm not doing NTLM, but Negotiate and Kerberos; and
- Its use of LDAP; feels too much like a wart on Windows!
See, I'm sitting on an IIS box on a Windows domain with Integrated Windows Authentication enabled. By the time the MW extension gets hit, IIS has already authenticated the user, so why not just leverage that
instead?
I therefore used NTLMActiveDirectory as a starting point, but threw out all the LDAP stuff and replaced it with a simple Web call to an IIS-hosted handler to get the AD group membership for the already
authenticated user.
Of NTLMActiveDirectory, I kept the AD / MW group mapping configuration required for authorization.
Personally, I find this solution much simpler and intuitive for AD integration when hosting MW on a Windows/IIS box.
Does this make sense to others in the community? Do others feel there was a need for a better AD integration extension? Would others in the community benefit from such an extension?
If so, I would be happy to share my work, following instructions found here: https://www.mediawiki.org/wiki/Writing_an_extension_for_deployment
Regards,
François
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
_______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Never hurts :)
On Tue, Feb 9, 2016 at 6:06 PM, François St-Arnaud fstarnaud@logisphere.ca wrote:
Right. As mentioned in my first post, I already have created a custom extension using this approach and NTLMActiveDirectory as a starting point. Now, I wonder if it is worth sharing with the community, if others would benefit from an LDAP-less SSO solution for MW hosted on IIS?
-----Original Message----- From: Wikitech-l [mailto:wikitech-l-bounces@lists.wikimedia.org] On Behalf Of Ryan Lane Sent: Tuesday, February 09, 2016 17:41 To: Wikimedia developers wikitech-l@lists.wikimedia.org Subject: Re: [Wikitech-l] Windows Single Sign-On Extension
If this is what you'll need, you're going to need to write a custom extension. None of the existing auth extensions do this.
On Tue, Feb 9, 2016 at 2:35 PM, François St-Arnaud < fstarnaud@logisphere.ca> wrote:
Thanks, I'll take a closer look at your extension.
Well, although I understand that using LDAP against AD is supposed to work mostly seamlessly, I've had troubles trying to use it in our client's domain, mostly due to GPOs and other security constraints. For one thing, LDAP, even TLS-secured, is not authorized for
authentication in the domain.
Also, LDAP starts to feel like a wart -- or an overkill -- when I have to require and configure a PHP LDAP client on the Web server and send LDAP requests when I know that the web server I'm sitting on, IIS, has already authentified the user via Negotiate/Kerberos and already knows the user's AD group membership and other such information.
Hence, I feel that the approach of a simple loopback call from the extension back to a .NET ASHX web handler -- which is readily available via an API in that environment -- is more elegant. For example, to get the AD group membership of the currently logged-in user (some lines removed for clarity):
In PHP, using curl:
$curl = curl_init(); curl_setopt($curl, CURLOPT_URL, 'roles.ashx'); $result = curl_exec($curl); $wgAuth->userADGroups = Array($result);
In C#, in a roles.ashx file deployed with the extension on the IIS
server:
public void ProcessRequest (HttpContext context) { context.Response.ContentType = @"text\json"; context.Response.Write("["); int i = 0; int count = Roles.GetRolesForUser().Length; foreach (var role in Roles.GetRolesForUser()) { context.Response.Write('"' + role + '"'); if (++i != count) context.Response.Write(','); } context.Response.Write(']'); context.Response.End(); }
- François
-----Original Message----- From: Wikitech-l [mailto:wikitech-l-bounces@lists.wikimedia.org] On Behalf Of Ryan Lane Sent: Tuesday, February 09, 2016 14:43 To: Wikimedia developers wikitech-l@lists.wikimedia.org Subject: Re: [Wikitech-l] Windows Single Sign-On Extension
The best option here is: https://www.mediawiki.org/wiki/Extension:LDAP_Authentication
I'm not sure why you think LDAP is a wart on Windows. Active Directory is just LDAP with Kerberos.
Anyway, the LDAP Authentication extension has examples of how to do auto-auth using kerberos. You still need LDAP for things like group membership, username conversion, and other integrations.
- Ryan
On Tue, Feb 9, 2016 at 9:20 AM, François St-Arnaud < fstarnaud@logisphere.ca> wrote:
Hello,
To enable Single Sign-On to a MediaWiki hosted on IIS in a Windows Domain, the best MediaWiki extension I could find was
NTLMActiveDirectory.
https://www.mediawiki.org/wiki/Extension:NTLMActiveDirectory
However, I had two peeves with this extension:
- Its name; I'm not doing NTLM, but Negotiate and Kerberos; and
- Its use of LDAP; feels too much like a wart on Windows!
See, I'm sitting on an IIS box on a Windows domain with Integrated Windows Authentication enabled. By the time the MW extension gets hit, IIS has already authenticated the user, so why not just leverage that
instead?
I therefore used NTLMActiveDirectory as a starting point, but threw out all the LDAP stuff and replaced it with a simple Web call to an IIS-hosted handler to get the AD group membership for the already
authenticated user.
Of NTLMActiveDirectory, I kept the AD / MW group mapping configuration required for authorization.
Personally, I find this solution much simpler and intuitive for AD integration when hosting MW on a Windows/IIS box.
Does this make sense to others in the community? Do others feel there was a need for a better AD integration extension? Would others in the community benefit from such an extension?
If so, I would be happy to share my work, following instructions found here: https://www.mediawiki.org/wiki/Writing_an_extension_for_deployment
Regards,
François
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
On Tue, Feb 9, 2016 at 6:06 PM, François St-Arnaud fstarnaud@logisphere.ca wrote:
Right. As mentioned in my first post, I already have created a custom extension using this approach and NTLMActiveDirectory as a starting point. Now, I wonder if it is worth sharing with the community, if others would benefit from an LDAP-less SSO solution for MW hosted on IIS?
Note that the way authentication extensions need to be written is just about to change: https://www.mediawiki.org/wiki/User:Anomie/SessionManager_and_AuthManager
Thanks Gergo, timely information! When is this new authentication mechanism slated to make it to the baseline? Is it planned / on track for 1.27? Will (have) existing extensions be (been) adapted? Where can I see examples of adapted extensions (link to a branch in Phabricator, perhaps)?
-----Original Message----- From: Wikitech-l [mailto:wikitech-l-bounces@lists.wikimedia.org] On Behalf Of Gergo Tisza Sent: Wednesday, February 10, 2016 12:19 To: Wikimedia developers wikitech-l@lists.wikimedia.org Subject: Re: [Wikitech-l] Windows Single Sign-On Extension
On Tue, Feb 9, 2016 at 6:06 PM, François St-Arnaud fstarnaud@logisphere.ca wrote:
Right. As mentioned in my first post, I already have created a custom extension using this approach and NTLMActiveDirectory as a starting point. Now, I wonder if it is worth sharing with the community, if others would benefit from an LDAP-less SSO solution for MW hosted on IIS?
Note that the way authentication extensions need to be written is just about to change: https://www.mediawiki.org/wiki/User:Anomie/SessionManager_and_AuthManager _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
On Wed, Feb 10, 2016 at 1:11 PM, François St-Arnaud <fstarnaud@logisphere.ca
wrote:
When is this new authentication mechanism slated to make it to the baseline? Is it planned / on track for 1.27?
It's planned to happen before 1.27. Probably not long before, though.
Will (have) existing extensions be (been) adapted?
We plan to update all extensions that are deployed on the Wikimedia cluster ( https://phabricator.wikimedia.org/T110282 ), but not other affected extensions ( https://phabricator.wikimedia.org/T110291 ).
Where can I see examples of adapted extensions (link to a branch in Phabricator, perhaps)?
https://gerrit.wikimedia.org/r/#/c/251930/ is probably the one that's interesting to you.
wikitech-l@lists.wikimedia.org