[Mediawiki-l] NTLM authentication for MediaWiki

Alistair Johnson JohnsonA at rembrandt.co.nz
Tue Mar 29 23:57:43 UTC 2005


Based on a post from David Cameron (19 Feb 2005) I've hacked up the
following modification to loadFromSession (in User.php) which allows
authentication against our NTLM database (based on the variable AUTH_USER
passed from IIS).

I'm trying to avoid hacking the code for 1.4 so if you know a way to achieve
this without modifying User.php (or another core file) then feedback would
be most appreciated.

Cheers,

al.


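	/**
	 * Build a User from the current session, the login cookies, or — as a
	 * last resort — the AUTH_USER value IIS sets after NTLM authentication.
	 *
	 * Resolution order for the user id: $_SESSION['wsUserID'], then the
	 * "{$wgDBname}UserID" cookie, then $_SERVER['AUTH_USER'] (which seeds
	 * the session so the checks below apply to that path too). A logged-in
	 * User is returned only when the stored name matches the loaded user
	 * (case-insensitively, because NTLM and MediaWiki names differ in case)
	 * and the session/cookie token matches the user's token. Every failure
	 * path returns an anonymous User.
	 *
	 * @static
	 * @return User
	 */
	function loadFromSession() {
		global $wgMemc, $wgDBname;

		if ( isset( $_SESSION['wsUserID'] ) ) {
			if ( 0 != $_SESSION['wsUserID'] ) {
				$sId = $_SESSION['wsUserID'];
			} else {
				return new User();
			}
		} else if ( isset( $_COOKIE["{$wgDBname}UserID"] ) ) {
			$sId = IntVal( $_COOKIE["{$wgDBname}UserID"] );
			$_SESSION['wsUserID'] = $sId;
		} else if ( isset( $_SERVER['AUTH_USER'] ) ) {
			// Rembrandt modification: transparent logon from the NTLM
			// identity IIS passes in AUTH_USER. The helper fills
			// wsUserID/wsUserName/wsToken in the session and returns the id,
			// or false when the account cannot be resolved.
			$sId = User::loadFromNtlmAuthUser( $_SERVER['AUTH_USER'] );
			if ( !$sId ) {
				return new User();
			}
		} else {
			return new User();
		}

		if ( isset( $_SESSION['wsUserName'] ) ) {
			$sName = $_SESSION['wsUserName'];
		} else if ( isset( $_COOKIE["{$wgDBname}UserName"] ) ) {
			$sName = $_COOKIE["{$wgDBname}UserName"];
			$_SESSION['wsUserName'] = $sName;
		} else {
			return new User();
		}

		$key = "$wgDBname:user:id:$sId";
		$user = $wgMemc->get( $key );
		$makenew = !$user;
		if ( $makenew ) {
			wfDebug( "User::loadFromSession() unable to load from memcached\n" );
			$user = new User();
			$user->mId = $sId;
			$user->loadFromDatabase();
		} else {
			wfDebug( "User::loadFromSession() got from cache!\n" );
		}

		// Strict comparison so the token check cannot be satisfied through
		// PHP's numeric coercion of == on string operands.
		if ( isset( $_SESSION['wsToken'] ) ) {
			$tokenMatches = ( $_SESSION['wsToken'] === $user->mToken );
		} else if ( isset( $_COOKIE["{$wgDBname}Token"] ) ) {
			$tokenMatches = ( $user->mToken === $_COOKIE["{$wgDBname}Token"] );
		} else {
			return new User(); # Can't log in from session
		}

		// Case-insensitive name check: NTLM usernames and MediaWiki
		// user_name values may differ only in case.
		if ( $tokenMatches && ( strtolower( $sName ) == strtolower( $user->mName ) ) ) {
			if ( $makenew ) {
				if ( $wgMemc->set( $key, $user ) ) {
					wfDebug( "User::loadFromSession() successfully saved user\n" );
				} else {
					wfDebug( "User::loadFromSession() unable to save to memcached\n" );
				}
			}
			$user->spreadBlock();
			return $user;
		}

		return new User(); # Can't log in from session
	}

	/**
	 * Resolve an IIS AUTH_USER value to a MediaWiki account and seed the
	 * session (wsUserID, wsUserName, wsToken) from that account's row.
	 *
	 * Everything up to the 'DOMAINNAME' separator (the NTLM domain prefix)
	 * is discarded and the remainder is matched case-insensitively against
	 * user_name. A separate MySQL link is opened so that closing it cannot
	 * tear down the connection MediaWiki itself holds open.
	 *
	 * @static
	 * @param string $authUser Raw value of $_SERVER['AUTH_USER']
	 * @return mixed user_id of the matched account, or false when the name
	 *   is empty, the database is unreachable, the query fails or no account
	 *   matches
	 */
	function loadFromNtlmAuthUser( $authUser ) {
		global $wgDBprefix, $wgDBuser, $wgDBpassword, $wgDBserver, $wgDBname;

		// Strip the domain prefix. Take the last piece so a value without
		// the separator is used whole instead of reading an undefined offset.
		$parts = explode( 'DOMAINNAME', $authUser );
		$name = $parts[count( $parts ) - 1];
		if ( '' == $name ) {
			return false;
		}

		// Q&D direct MySQL access to the MediaWiki database. new_link=true
		// keeps this link distinct from MediaWiki's own connection.
		$link = mysql_connect( $wgDBserver, $wgDBuser, $wgDBpassword, true );
		if ( !$link || !mysql_select_db( $wgDBname, $link ) ) {
			wfDebug( "User::loadFromNtlmAuthUser() unable to select user database\n" );
			return false;
		}

		// AUTH_USER arrives with the request, so it is escaped rather than
		// spliced into the statement verbatim.
		$query = "SELECT user_id, user_name, user_token FROM " . $wgDBprefix . "user"
			. " WHERE LOWER(user_name) = '"
			. mysql_real_escape_string( strtolower( $name ), $link ) . "'";
		$result = mysql_query( $query, $link );
		$row = $result ? mysql_fetch_array( $result, MYSQL_ASSOC ) : false;
		mysql_close( $link );

		if ( !$row ) {
			wfDebug( "User::loadFromNtlmAuthUser() no account matches AUTH_USER\n" );
			return false;
		}

		$_SESSION['wsUserID']   = $row['user_id'];
		$_SESSION['wsUserName'] = $row['user_name'];
		$_SESSION['wsToken']    = $row['user_token'];
		return $row['user_id'];
	}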


