We are currently using a single sign on system which sets the HTTP_AUTH variable via an Apache plugin. I have a requirement to tie this into the MediaWiki tool. Plus I need to have auto login, since the users all must be authenticated before accessing the wiki tool.
After trying unsuccessfully to use the AuthPlugin.php piece, I came up with a hack which appears to work. The hack is replacing the IP address piece with the username.
The change is in the includes/Setup.php file, by changing the $_SERVER["REMOTE_ADDR"] to $_SERVER['HTTP_AUTH']
Any reason why this won't work? On my test bed everything seems cool. Also, is there a way to do an auto login so this shows up when they first hit the initial page?
Thanks,
-Marcus
Marcus Kazmierczak wrote:
> We are currently using a single sign on system which sets the HTTP_AUTH variable via an Apache plugin. I have a requirement to tie this into the MediaWiki tool. Plus I need to have auto login, since the users all must be authenticated before accessing the wiki tool.
> After trying unsuccessfully to use the AuthPlugin.php piece, I came up with a hack which appears to work.
I'd rather you suggest necessary changes to AuthPlugin so we can support this cleanly. Adding a callback hook for authentication checks when no session is open would likely be appropriate. This would probably be called from User::loadFromSession() in place of calling the default User constructor.
> The change is in the includes/Setup.php file, by changing the $_SERVER["REMOTE_ADDR"] to $_SERVER['HTTP_AUTH']
This would simply cause an unauthenticated user's edits to be recorded with their name in place of their IP address, but without any connection to their user account.
Watchlist and preferences would not work, and on creating an account by the same name, any edits with the original name would be obscured in Special:Contributions (as would any later edits done when not explicitly logged in through the wiki). A user with sysop privileges would for instance still have to separately log in to use them, as would any user have to log in to rename pages, mark edits as minor, or if $wgWhitelistEdit is on to edit anything.
This may also cause oddities if recording of IP addresses of user edits in the recentchanges table is enabled.
Can you confirm these problems, or have you worked around them somehow?
-- brion vibber (brion @ pobox.com)
I have such a patch for loadFromSession(); see http://bugzilla.wikimedia.org/show_bug.cgi?id=1360 (Auto-login / Auto-account-creation by hostname for intranet MediaWikis). The patch code itself has not yet been uploaded but is rather short.
Brion and Marcus: let me know if you are interested. Please study the text on Bugzilla for this; then I would revisit my code and upload the patch as a diff.
Tom
Tom, that sounds like exactly what I am looking for. I'm very interested in the patch if you could make it available.
Depending on how the user/lookup table works, I could tie that to an environment variable set by Apache which stores the username.
A modification also to the AuthPlugin.php page can use that username to query a database which stores real name, e-mail address, etc...
My "table" looks like hostname|name|emailaddress
"hostname": as seen by a gethostbyaddr() command in Setup.php
"name": in UTF-8 (preferred) or ISO-8859-1, according to the coding of your wiki
"emailaddress": for the user with account name "name"
Example: MA12345|Marcus Kazmierczak|marcus@mkaz.com (one entry per line; character encoding must correspond to wiki encoding; use command "iconv -f xxxxx -t yyyyyy" if needed to convert the file once)
The IP address of the user is translated to the hostname (here: MA12345) which is for example your staff identity code in a company. Then my auto-login / auto-create logs you immediately into your account (or creates it) with account name (=wiki user account) "Marcus Kazmierczak" - if no valid cookie for the corresponding userid is detected from the session.
http://bugzilla.wikimedia.org/show_bug.cgi?id=1360 Auto-login / Auto-account-creation by hostname for intranet MediaWikis
Marcus Kazmierczak wrote:
> Depending on how the user/lookup table works, I could tie that to an environment variable set by Apache which stores the username.
> A modification also to the AuthPlugin.php page can use that username to query a database which stores real name, e-mail address, etc...
I would like to _close_ the discussion for this subject on this mailing list wikitech-l now.
Interested developers can please add their names as "CC" to the mailing list of bugzilla enhancement entry http://bugzilla.wikipedia.org/show_bug.cgi?id=1360 http://bugzilla.wikimedia.org/show_bug.cgi?id=1360 where I upload a description and a flowchart as PNG image.
Tom
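The hostname|name|emailaddress lookup described above, as an added example that is not the patch from bug 1360: it parses the table and only accepts a gethostbyaddr() result when a forward lookup of that name returns the same IP. The function names, the injectable resolver parameters, the IP addresses and the stub DNS data are assumptions made for the illustration.

```php
<?php
/** Parse "hostname|name|emailaddress" lines into [hostname => account]. */
function parseHostTable(string $text): array
{
    $table = [];
    foreach (preg_split('/\R/', $text) as $line) {
        $fields = array_map('trim', explode('|', $line));
        // Skip blank or malformed entries instead of guessing at them.
        if (count($fields) !== 3 || $fields[0] === '' || $fields[1] === '') {
            continue;
        }
        $table[strtolower($fields[0])] = ['name' => $fields[1], 'email' => $fields[2]];
    }
    return $table;
}

/**
 * Map a client IP to an account, or null when the hostname cannot be trusted.
 * The resolvers default to PHP's own and are injectable (hypothetical
 * parameters) so the demo below runs offline.
 */
function accountForIp(string $ip, array $table, ?callable $reverse = null, ?callable $forward = null): ?array
{
    $reverse = $reverse ?? 'gethostbyaddr';
    $forward = $forward ?? 'gethostbynamel';
    $host = $reverse($ip);
    // gethostbyaddr() returns the IP unchanged when no name is found.
    if (!is_string($host) || $host === $ip) {
        return null;
    }
    // Forward-confirm: the reported name must resolve back to the same IP.
    $ips = $forward($host);
    if (!is_array($ips) || !in_array($ip, $ips, true)) {
        return null;
    }
    // Match the full name as returned; do not strip a domain suffix.
    return $table[strtolower($host)] ?? null;
}

// Constructed sample table and stub DNS data.
$table = parseHostTable("MA12345|Marcus Kazmierczak|marcus@mkaz.com\nbroken line\n");
$ptr = ['10.0.0.5' => 'MA12345', '10.0.0.9' => 'MA12345'];
$a = ['MA12345' => ['10.0.0.5']];
$rev = fn(string $ip) => $ptr[$ip] ?? $ip;
$fwd = fn(string $host) => $a[$host] ?? false;

foreach (['10.0.0.5', '10.0.0.9', '10.0.0.7'] as $ip) {
    $account = accountForIp($ip, $table, $rev, $fwd);
    echo $ip, ' => ', $account['name'] ?? 'anonymous (no auto-login)', "\n";
}
```

Only the first address is logged in automatically; the second has a reverse record that the forward lookup does not confirm, and the third has no reverse record at all.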
On Wed, 2005-02-16 at 07:20 +0100, Thomas Gries wrote:
> I have such a patch for loadFromSession(); see http://bugzilla.wikimedia.org/show_bug.cgi?id=1360 (Auto-login / Auto-account-creation by hostname for intranet MediaWikis). The patch code itself has not yet been uploaded but is rather short.
> Brion and Marcus: let me know if you are interested. Please study the text on Bugzilla for this; then I would revisit my code and upload the patch as a diff.
In related news, I've just written a first working version of a patch to loadFromSession() which logs you in as the Common Name from a client certificate presented by your browser as part of the SSL handshake to a secure Apache server. Not very elegant yet, but it seems to work okay. In effect, it punts the problem of getting the user's credentials up to Apache, but for what we're doing, that makes more sense anyway.
My questions are:
1) anyone interested in the patch (with documentation on how to set up Apache to pass in the bits MW needs, etc., once I get the time to scribble some down)?
2) ought I to append it to Thomas's bug #1360 discussion, or should this go elsewhere?
Note that I'm still in the middle of tweaking this for production use, and since I only started looking at MW's code a few hours ago, I probably have some cleaning up to do before it's very presentable.
But I'm happy to toss it out with some notes anyway for comment, especially if it turns out that I'm doing something majorly wrong.
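The fallback order suggested earlier in the thread (an open session first, then an authentication callback, then the anonymous IP user), applied to the client-certificate case, as an added example that is neither the poster's patch nor MediaWiki code. It assumes Apache mod_ssl with client verification and "SSLOptions +StdEnvVars" so that SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN_CN reach PHP; the function names, the 'user' session key, the name allow-list and the sample requests are hypothetical.

```php
<?php
/** Return the certificate Common Name only if Apache verified the client cert. */
function certIdentity(array $server): ?string
{
    // mod_ssl sets SSL_CLIENT_VERIFY to NONE, SUCCESS, GENEROUS or FAILED:reason.
    if (($server['SSL_CLIENT_VERIFY'] ?? 'NONE') !== 'SUCCESS') {
        return null;
    }
    $cn = trim((string)($server['SSL_CLIENT_S_DN_CN'] ?? ''));
    // Assumed allow-list for account names: letters, digits, space, . ' -
    if ($cn === '' || strlen($cn) > 64 || !preg_match('/^[\p{L}\p{N} .\'-]+\z/u', $cn)) {
        return null;
    }
    return $cn;
}

/** Decide which user a request belongs to. */
function resolveUser(array $session, array $server): array
{
    if (!empty($session['user'])) {            // an open wiki session wins
        return ['kind' => 'session', 'name' => $session['user']];
    }
    $name = certIdentity($server);             // no session: ask the callback
    if ($name !== null) {
        return ['kind' => 'account', 'name' => $name];
    }
    // Anonymous requests stay attributed to the address, never to a claimed
    // name. HTTP_* entries in $_SERVER are filled from request headers, so
    // they are not consulted here.
    return ['kind' => 'anonymous', 'name' => $server['REMOTE_ADDR'] ?? 'unknown'];
}

// Constructed sample requests.
$requests = [
    'verified cert' => ['REMOTE_ADDR' => '10.0.0.5', 'SSL_CLIENT_VERIFY' => 'SUCCESS',
                        'SSL_CLIENT_S_DN_CN' => 'Marcus Kazmierczak'],
    'failed verify' => ['REMOTE_ADDR' => '10.0.0.6', 'SSL_CLIENT_VERIFY' => 'FAILED:expired',
                        'SSL_CLIENT_S_DN_CN' => 'Marcus Kazmierczak'],
    'header only'   => ['REMOTE_ADDR' => '10.0.0.7', 'HTTP_AUTH' => 'Marcus Kazmierczak'],
];
foreach ($requests as $label => $server) {
    $user = resolveUser([], $server);
    printf("%-14s %-10s %s\n", $label, $user['kind'], $user['name']);
}
```

Returning a distinct 'account' result, rather than overwriting the address with a name, keeps the identity tied to a real user account, which is the gap pointed out earlier in the thread for the REMOTE_ADDR replacement.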