[Mediawiki-l] Re: Intranet Single Signon
Alistair Johnson
JohnsonA at rembrandt.co.nz
Wed Nov 16 20:44:43 UTC 2005
Chris, if you check archives of this list you'll see I've posted a solution
to the NTLM passthrough authentication issue a few times for MW1.4. Anyway,
our code that does this is below.
Cheers,
Al.
function loadFromSession() {
    global $wgMemc, $wgDBname;

    if ( isset( $_SESSION['wsUserID'] ) ) {
        if ( 0 != $_SESSION['wsUserID'] ) {
            $sId = $_SESSION['wsUserID'];
        } else {
            return new User();
        }
    } else if ( isset( $_COOKIE["{$wgDBname}UserID"] ) ) {
        $sId = IntVal( $_COOKIE["{$wgDBname}UserID"] );
        $_SESSION['wsUserID'] = $sId;
    } else if ( isset( $_SERVER["AUTH_USER"] ) ) {
        // Rembrandt modification to allow logon via authentication
        // information passed from IIS (AUTH_USER arrives as "DOMAIN\user")
        global $wgUser;
        global $wgDeferredUpdateList;

        // get the username; 'domainname' is a placeholder for the site's own
        // NT domain and must be replaced with the real one
        $temp = explode( 'domainname', strtolower( $_SERVER["AUTH_USER"] ) );
        // remove the domain name from AUTH_USER
        if ( !isset( $temp[1] ) || $temp[1] == "" ) {
            $name = $temp[0];
        } else {
            $name = $temp[1];
        }
        // drop the backslash that separated domain and user name
        if ( substr( $name, 0, 1 ) == "\\" ) {
            $name = substr( $name, 1 );
        }

        // pull in the usernames and passwords we'll need for the database lookup
        global $wgDBprefix;
        global $wgDBuser;
        global $wgDBpassword;
        global $wgDBserver;

        // we'll use PHP's MySQL module to access the mediawiki database
        $link = mysql_connect( $wgDBserver, $wgDBuser, $wgDBpassword );
        @mysql_select_db( $wgDBname, $link )
            or die( "Unable to select user database for NTLM authentication" );
        // the name came from a request header, so escape it before it goes
        // into the query
        $query = "SELECT * FROM " . $wgDBprefix . "user WHERE LOWER(user_name) = '"
            . mysql_real_escape_string( strtolower( $name ), $link ) . "'";
        $result = mysql_query( $query, $link );
        $row = $result ? mysql_fetch_array( $result, MYSQL_ASSOC ) : false;
        mysql_close( $link );
        // no wiki account with that name: stay anonymous rather than put an
        // empty user id into the session
        if ( !$row ) {
            return new User();
        }

        // set the variables we need to transparently authenticate
        $sId = $row['user_id'];
        $_SESSION['wsUserID'] = $row['user_id'];
        $_SESSION['wsUserName'] = $row['user_name'];
        $_SESSION['wsToken'] = $row['user_token'];

        // set cookies with this info to make life easier for us in the future
        global $wgCookieExpiration, $wgCookiePath, $wgCookieDomain;
        setcookie( $wgDBname.'UserID', $row['user_id'], 0,
            $wgCookiePath, $wgCookieDomain );
        setcookie( $wgDBname.'UserName', $row['user_name'], 0,
            $wgCookiePath, $wgCookieDomain );
        setcookie( $wgDBname.'Token', $row['user_token'], 0,
            $wgCookiePath, $wgCookieDomain );
    } else {
        return new User();
    }

    if ( isset( $_SESSION['wsUserName'] ) ) {
        $sName = $_SESSION['wsUserName'];
    } else if ( isset( $_COOKIE["{$wgDBname}UserName"] ) ) {
        $sName = $_COOKIE["{$wgDBname}UserName"];
        $_SESSION['wsUserName'] = $sName;
    } else {
        return new User();
    }

    $passwordCorrect = FALSE;
    $user = $wgMemc->get( $key = "$wgDBname:user:id:$sId" );
    if ( $makenew = !$user ) {
        wfDebug( "User::loadFromSession() unable to load from memcached\n" );
        $user = new User();
        $user->mId = $sId;
        $user->loadFromDatabase();
    } else {
        wfDebug( "User::loadFromSession() got from cache!\n" );
    }

    if ( isset( $_SESSION['wsToken'] ) ) {
        $passwordCorrect = $_SESSION['wsToken'] == $user->mToken;
    } else if ( isset( $_COOKIE["{$wgDBname}Token"] ) ) {
        $passwordCorrect = $user->mToken == $_COOKIE["{$wgDBname}Token"];
    } else {
        return new User(); # Can't log in from session
    }

    // modified to allow for case differences between mediawiki and NTLM usernames
    if ( ( strtolower( $sName ) == strtolower( $user->mName ) ) && $passwordCorrect ) {
        if ( $makenew ) {
            if ( $wgMemc->set( $key, $user ) ) {
                wfDebug( "User::loadFromSession() successfully saved user\n" );
            } else {
                wfDebug( "User::loadFromSession() unable to save to memcached\n" );
            }
        }
        $user->spreadBlock();
        return $user;
    }
    return new User(); # Can't log in from session
}
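As an added illustration (not part of Alistair's post or of MediaWiki itself), a small helper that turns the raw IIS AUTH_USER value into the lowercase name the branch above looks up, but without hard-coding the domain: it strips either a DOMAIN\ prefix or an @domain suffix and rejects anything outside an allowlist of account-name characters, so a malformed header never reaches the SQL query. The function name, the allowlist and the sample inputs are assumptions.

```php
<?php
/**
 * Added example (not from the list post): normalise an IIS AUTH_USER value
 * into a lowercase wiki user name, or return null if it cannot be trusted.
 * Handles "DOMAIN\user", "\user" (stray separator) and "user@domain" forms.
 * The allowed-character set is an assumption; tighten it to your site's rules.
 */
function ntlmWikiName( $authUser ) {
    $authUser = trim( (string)$authUser );
    if ( $authUser === '' ) {
        return null;
    }
    // DOMAIN\user: keep only the part after the last backslash
    $pos = strrpos( $authUser, '\\' );
    if ( $pos !== false ) {
        $authUser = substr( $authUser, $pos + 1 );
    }
    // user@domain (UPN form): keep only the part before the '@'
    $at = strpos( $authUser, '@' );
    if ( $at !== false ) {
        $authUser = substr( $authUser, 0, $at );
    }
    $name = strtolower( $authUser );
    // Allowlist: letters, digits, dot, underscore, hyphen. Anything else is
    // not a plausible account name, so reject it instead of escaping it.
    if ( $name === '' || !preg_match( '/^[a-z0-9._-]{1,64}$/', $name ) ) {
        return null;
    }
    return $name;
}

// Constructed sample header values covering each case the helper handles.
$samples = array(
    'CORP\\Alice',        // domain-prefixed, mixed case
    '\\bob',              // stray separator, no domain
    'carol@corp.example', // UPN form
    "dave' --",           // quote character: must not reach a query
    '',                   // empty header
);
foreach ( $samples as $s ) {
    var_export( ntlmWikiName( $s ) );
    echo "\n";
}
```

A null result should fall through to `return new User()` exactly as a missing account does, so the request is served anonymously rather than failing loudly.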
-----Original Message-----
From: Chris McIntosh [mailto:cmcintosh at gmail.com]
Sent: Thursday, 17 November 2005 7:19 a.m.
To: mediawiki-l at wikimedia.org
Subject: [Mediawiki-l] Re: Intranet Single Signon
I should add more information.
$wgIP is set to the login name of the user. So what I am doing here is
checking if that login name is already a valid user; if so, load it, else
create a new account with that name.
All that works well, as I said before only problem I have been able to find
is saving the preferences. Can't seem to get that token set right. I think
it is some sort of session issue since my code executes on each load, but I
am not sure.
Any help would be appreciated,
Thanks
Chris McIntosh
On 11/16/05, Chris McIntosh <cmcintosh at gmail.com> wrote:
>
> I am modifying the source code to allow our internal Intranet users to
> automatically log in to the wiki based on their username applied by
> apache.
> I do this by using mod_ntlm to get their NTLM credentials and then
> want to seamlessly log them in.
>
> The problem I am having is setting up the user variable (wgUser) properly.
> I have tried the following.
>
> For now I have it near the bottom of Setup.php just to test around
> line 300.
>
> if ( $wgUseRemoteUser ) {
>     if ( $userid = $wgUser->idFromName( $wgIP ) ) {
>         $wgUser->setId( $userid );
>         $wgUser->loadFromDatabase();
>     } else {
>         $wgUser = $wgUser->newFromName( $wgIP );
>         $wgUser->setId( $wgUser->getMaxId() );
>         $wgUser->addToDatabase();
>     }
>     $wgUser->setToken();
>     $wgUser->setCookies();
> }
>
> The problem with this approach is I can't change any preferences for
> this user. Everything else seems fine but if I try and change a
> setting like Underline links, the preference page won't save. I have
> tracked that down to the edit token not being set properly, but I am
> not sure how to set it. If I remove the check in SpecialPreferences
> where it calls matchEditToken then everything works fine.
>
> Any advice?
>
> Thanks
> Chris McIntosh
>
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l at Wikimedia.org
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l