[Mediawiki-l] NTLM authentication for MediaWiki

Alistair Johnson JohnsonA at rembrandt.co.nz
Wed Mar 30 02:28:43 UTC 2005


Thanks Jamie. From quickly looking at it I *think* AuthPlugin is designed to
operate through the normal logon process.  I'm bypassing that and
transparently authenticating against NTLM (for Intranet users - Internet
users will be prompted for a domain username and password).

If anyone's planning on using the code below I just found out that it breaks
the preferences screen.  The way to fix that is to set cookies by adding:
 //set cookies with this info to make life easier for us in the future
 global $wgCookieExpiration, $wgCookiePath, $wgCookieDomain, $wgDBname;
 $exp = time() + $wgCookieExpiration;
 setcookie( $wgDBname.'UserID', $row['user_id'], $exp, $wgCookiePath, $wgCookieDomain );
 setcookie( $wgDBname.'UserName', $row['user_name'], $exp, $wgCookiePath, $wgCookieDomain );
 setcookie( $wgDBname.'Token', $row['user_token'], $exp, $wgCookiePath, $wgCookieDomain );

immediately underneath:
 //set the variables we need to transparently authenticate
 $sId                    = $row['user_id'];
 $_SESSION['wsUserID']   = $row['user_id'];
 $_SESSION['wsUserName'] = $row['user_name'];
 $_SESSION['wsToken']    = $row['user_token'];


Cheers,

al.
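As an added example (not code from this thread or from MediaWiki), here is a hardened form of the AUTH_USER lookup the modification above performs: it only trusts AUTH_USER when IIS reports an integrated scheme in AUTH_TYPE, splits on the backslash instead of a hard-coded domain name, restricts the logon name to safe characters, binds the query parameter, and falls back to the normal login form when no wiki account matches. It assumes PHP 7.1+ with mysqli (mysqlnd for get_result), an already-open connection, and that IIS sets AUTH_TYPE to "NTLM" or "Negotiate" for integrated authentication; $allowedDomain and the table prefix are placeholders.

```php
<?php
// Added example: hardened AUTH_USER handling for the transparent-login path.
// Assumes IIS populates AUTH_USER as "DOMAIN\username" and AUTH_TYPE as the
// scheme it used (assumption: "NTLM" or "Negotiate" for integrated auth).
// Split "DOMAIN\user"; return the bare logon name or null if it must be rejected.
function parseAuthUser(string $authUser, string $allowedDomain): ?string {
    $parts = explode('\\', $authUser, 2);
    if (count($parts) !== 2) {
        return null;                                 // no DOMAIN\ prefix: reject
    }
    list($domain, $name) = $parts;
    if (strcasecmp($domain, $allowedDomain) !== 0) {
        return null;                                 // foreign domain: never map to a wiki account
    }
    // Only characters a Windows logon name can hold; keeps SQL and cookie
    // metacharacters out even before the query is bound below.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $name)) {
        return null;
    }
    return $name;
}
// Case-insensitive lookup with a bound parameter instead of string concatenation.
function lookupWikiUser(mysqli $db, string $prefix, string $name): ?array {
    $stmt = $db->prepare("SELECT user_id, user_name, user_token FROM {$prefix}user WHERE LOWER(user_name) = ?");
    $lower = strtolower($name);
    $stmt->bind_param('s', $lower);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
// Populate the session keys loadFromSession() reads, but only when IIS really
// performed integrated authentication for this request. Returns false so the
// caller can fall back to the normal login form (the Internet-user case).
function sessionFromNtlm(mysqli $db, string $prefix, string $allowedDomain): bool {
    $authType = $_SERVER['AUTH_TYPE'] ?? '';
    if (!in_array($authType, ['NTLM', 'Negotiate'], true) || empty($_SERVER['AUTH_USER'])) {
        return false;
    }
    $name = parseAuthUser($_SERVER['AUTH_USER'], $allowedDomain);
    $row  = ($name === null) ? null : lookupWikiUser($db, $prefix, $name);
    if ($row === null) {
        return false;                                // no matching wiki account
    }
    $_SESSION['wsUserID']   = (int) $row['user_id'];
    $_SESSION['wsUserName'] = $row['user_name'];
    $_SESSION['wsToken']    = $row['user_token'];
    return true;
}
```

Setting the three session keys this way lets the unmodified remainder of loadFromSession() perform its usual token comparison, so a stale or forged AUTH_USER still cannot log in unless the stored user_token matches.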
-----Original Message-----
From: Jamie Bliss [mailto:astronouth7303 at gmail.com]
Sent: Wednesday, 30 March 2005 12:01 p.m.
To: MediaWiki announcements and site admin list
Subject: Re: [Mediawiki-l] NTLM authentication for MediaWiki


Check AuthPlugin.php, as that may let you do it.


On Wed, 30 Mar 2005 11:57:43 +1200, Alistair Johnson
<JohnsonA at rembrandt.co.nz> wrote:
> Based on a post from David Cameron (19 Feb 2005) I've hacked up the
> following modification to loadFromSession (in User.php) which allows
> authentication against our NTLM database (based on the variable AUTH_USER
> passed from IIS).
> 
> I'm trying to avoid hacking the code for 1.4 so if you know a way to achieve
> this without modifying User.php (or another core file) then feedback would
> be most appreciated.
> 
> Cheers,
> 
> al.
> 
>         /**
>          * Read data from session
>          * @static
>          */
>         function loadFromSession() {
>                 global $wgMemc, $wgDBname;
> 
>                 if ( isset( $_SESSION['wsUserID'] ) ) {
>                         if ( 0 != $_SESSION['wsUserID'] ) {
>                                 $sId = $_SESSION['wsUserID'];
>                         } else {
>                                 return new User();
>                         }
>                 } else if ( isset( $_COOKIE["{$wgDBname}UserID"] ) ) {
>                         $sId = IntVal( $_COOKIE["{$wgDBname}UserID"] );
>                         $_SESSION['wsUserID'] = $sId;
>                 } else if ( isset( $_SERVER["AUTH_USER"] ) ) {
>                         //Rembrandt modification to allow logon via authentication information
>                         //passed from IIS
>                         global $wgUser;
>                         global $wgDeferredUpdateList;
> 
>                         //get the username: remove the domain name from AUTH_USER
>                         $temp = explode('DOMAINNAME', $_SERVER["AUTH_USER"]);
>                         $name = $temp[1];
> 
>                         //pull in the usernames and passwords we'll need for the database lookup
>                         global $wgDBprefix;
>                         global $wgDBuser;
>                         global $wgDBpassword;
>                         global $wgDBserver;
> 
>                         //we'll use PHP's MySQL module to access the mediawiki database as it's Q&D
>                         mysql_connect($wgDBserver,$wgDBuser,$wgDBpassword);
>                         @mysql_select_db($wgDBname) or die( "Unable to select user database for NTLM authentication");
>                         //escape the name before it goes into the query: AUTH_USER is not a trusted SQL string
>                         $query="SELECT * FROM " . $wgDBprefix . "user WHERE LOWER(user_name) = '" . mysql_real_escape_string(strtolower($name)) . "'";
>                         $result = mysql_query($query);
>                         $row = mysql_fetch_array($result, MYSQL_ASSOC);
>                         mysql_close();
>                         if ( !$row ) {
>                                 return new User(); //no wiki account matches this NTLM user
>                         }
> 
>                         //set the variables we need to transparently authenticate
>                         $sId                    = $row['user_id'];
>                         $_SESSION['wsUserID']   = $row['user_id'];
>                         $_SESSION['wsUserName'] = $row['user_name'];
>                         $_SESSION['wsToken']    = $row['user_token'];
>                 } else {
>                         return new User();
>                 }
>                 if ( isset( $_SESSION['wsUserName'] ) ) {
>                         $sName = $_SESSION['wsUserName'];
>                 } else if ( isset( $_COOKIE["{$wgDBname}UserName"] ) ) {
>                         $sName = $_COOKIE["{$wgDBname}UserName"];
>                         $_SESSION['wsUserName'] = $sName;
>                 } else {
>                         return new User();
>                 }
> 
>                 $passwordCorrect = FALSE;
>                 $user = $wgMemc->get( $key = "$wgDBname:user:id:$sId" );
>                 if($makenew = !$user) {
>                         wfDebug( "User::loadFromSession() unable to load from memcached\n" );
>                         $user = new User();
>                         $user->mId = $sId;
>                         $user->loadFromDatabase();
>                 } else {
>                         wfDebug( "User::loadFromSession() got from cache!\n" );
>                 }
> 
>                 if ( isset( $_SESSION['wsToken'] ) ) {
>                         $passwordCorrect = $_SESSION['wsToken'] == $user->mToken;
>                 } else if ( isset( $_COOKIE["{$wgDBname}Token"] ) ) {
>                         $passwordCorrect = $user->mToken == $_COOKIE["{$wgDBname}Token"];
>                 } else {
>                         return new User(); # Can't log in from session
>                 }
> 
>                 //modified to allow for case differences between mediawiki and NTLM usernames
>                 if ( ( strtolower($sName) == strtolower($user->mName) ) && $passwordCorrect ) {
>                         if($makenew) {
>                                 if($wgMemc->set( $key, $user )) {
>                                         wfDebug( "User::loadFromSession() successfully saved user\n" );
>                                 } else {
>                                         wfDebug( "User::loadFromSession() unable to save to memcached\n" );
>                                 }
>                         }
>                         $user->spreadBlock();
>                         return $user;
>                 }
> 
>                 return new User(); # Can't log in from session
>         }


-- 
-------------------------------------------------------------------
http://endeavour.zapto.org/astro73/
Thank you to JosephM for inviting me to Gmail!
Has lots of invites.
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l at Wikimedia.org
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l