[Mediawiki-l] Kerberos? (Re: Single-Login with Woltlab Burning Board (Wbb)?

Lane, Ryan Ryan.Lane at ocean.navo.navy.mil
Thu Aug 16 14:27:20 UTC 2007


> So the SSO hack we've been using on RHEL 3 and 4 (busted in RHEL 5!) to
> authenticate off of our AD infrastructure is to tell RHEL that the AD
> stuff is a Kerberos KDC.  Works pretty well - all I need to do is a
> useradd on the person's AD login; it's maintenance free from there as
> far as I'm concerned plus I control just which AD users can get in.
> 
> Anyone doing something like this with MW 1.10?  I see
> http://www.mediawiki.org/wiki/Extension:LDAP_Authentication and that
> might do it, but I wasn't the one that came up with the scheme we use
> and don't know enough about AD and Kerberos to be able to do any
> necessary hacking.
> 
> I realize that I couldn't control who had an account (like having to
> do a useradd on RHEL), but I can probably do something similar via a
> group in AD.

The LDAP plugin doesn't (currently) do Kerberos authentication. Users
will have to log in to your wiki using their AD username/password.
CAC/Smartcard authentication is currently supported though.

I'm planning on adding HTTP authentication support to the plugin soon.
This support would allow you to use any Apache module (including
Kerberos) to do authentication, and then use LDAP for authorization and
group/user information synchronization.

You can control access in a number of ways: roles, LDAP groups,
MediaWiki groups, attributes, OUs, etc. You just need to be crafty as to
how you configure the plugin. I'll readily admit that the configuration
examples are lacking in this area...

V/r,

Ryan Lane
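
The split described in this message (the web server authenticates via Kerberos, the directory decides who is allowed in) is sketched below as an added example; it is not part of the original post and is not the LDAP extension's code. It assumes the server module hands over the principal as `user@REALM` in REMOTE_USER; the realm, DNs, users and groups are constructed, and a dict stands in for the LDAP lookups.

```python
from typing import Optional, Set

TRUSTED_REALM = "EXAMPLE.MIL"  # hypothetical realm
REQUIRED_GROUP = "cn=wiki-users,ou=groups,dc=example,dc=mil"  # hypothetical group
EDITORS = "cn=editors,ou=groups,dc=example,dc=mil"  # hypothetical nested group

# Constructed stand-in for directory lookups: login -> DN, group DN -> member DNs.
USERS = {
    "jdoe": "cn=jdoe,ou=people,dc=example,dc=mil",
    "asmith": "cn=asmith,ou=people,dc=example,dc=mil",
    "guest": "cn=guest,ou=people,dc=example,dc=mil",
}
GROUPS = {
    REQUIRED_GROUP: {USERS["jdoe"], EDITORS},
    EDITORS: {USERS["asmith"], REQUIRED_GROUP},  # deliberate cycle to exercise the guard
}

def principal_to_login(remote_user: str) -> Optional[str]:
    """Map an authenticated principal to a directory login, or None if untrusted."""
    if not remote_user or remote_user.count("@") != 1:
        return None
    name, realm = remote_user.split("@")
    if realm != TRUSTED_REALM:  # Kerberos realms are case-sensitive
        return None
    if not name or "/" in name:  # reject service principals such as host/web
        return None
    return name.lower()

def is_member(dn: str, group_dn: str, seen: Optional[Set[str]] = None) -> bool:
    """Check direct or nested membership, stopping on group cycles."""
    seen = set() if seen is None else seen
    if group_dn in seen:
        return False
    seen.add(group_dn)
    members = GROUPS.get(group_dn, set())
    if dn in members:
        return True
    return any(is_member(dn, m, seen) for m in members if m in GROUPS)

def authorize(remote_user: str) -> bool:
    """Authentication already happened upstream; this only decides access."""
    login = principal_to_login(remote_user)
    dn = USERS.get(login) if login else None
    return dn is not None and is_member(dn, REQUIRED_GROUP)
```

The realm check matters because the application trusts whatever the server placed in REMOTE_USER: stripping `@REALM` without comparing it would let a same-named principal from another trusted realm map onto a local account.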
