[Mediawiki-l] A restricted wiki with ActiveDirectory - advice on ideal setup?

Daniel Barrett danb at VistaPrint.com
Fri Aug 31 13:56:51 UTC 2007


I'm looking for advice on the best authentication & access control setup
for a "private" MediaWiki installation in the following environment:

* Completely read-protected unless you are logged in (as in
  http://23rdworld.com/2007/03/30/how-to-make-your-mediawiki-private/)
* Usernames and passwords are stored in ActiveDirectory (we're
  using the LDAPAuthentication extension)
* Logins are restricted to a particular group (e.g., an NT
  security group within ActiveDirectory, which LDAPAuthentication.php
  supports)
* Easily add and remove access control for individual guests (who
  are also in ActiveDirectory, but not in the required NT security group)
* Guests can be read-only or read/write
* FYI, this is on a corporate intranet that is firewalled from the
  world

If we use ActiveDirectory for access control, this provides login
security, but we can't revoke access instantly (since the user can
select "Remember my login on this computer" ...or is there a way to
destroy another user's session?). We also cannot control read-only vs.
read-write access at this level, I think.

This is solved if we also use MediaWiki user rights for access control;
but then to add a new user, you need to add them to the NT security
group AND bestow the appropriate MediaWiki user rights. It would be
cleaner to maintain permissions in just one place.  (This is my favorite
approach at the moment, however.)

A third possibility is to forget the NT security group and just allow
everyone in ActiveDirectory to log in, but use MediaWiki access control
after login. This works but you get the weird state of "successfully
logged in, but cannot read anything," which is confusing for users and
probably will generate customer support calls.

We are not considering the "100% MediaWiki" approach (use MediaWiki
authentication, not ActiveDirectory), nor the HTTP auth approach
(.htaccess), because we want to keep passwords in sync with
ActiveDirectory.  Nor do we want to control access by particular PCs or
IP addresses (e.g., by firewall rules) as it's too hard to maintain.

Are there any other possibilities I've missed?  Any other advice?  Thank
you.

DanB
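A LocalSettings.php sketch of the second approach described above (the AD security group gates who can log in at all; MediaWiki groups decide read-only versus read/write), added here as an illustration and not code from the original post or from the extension's own documentation. The $wgGroupPermissions, $wgWhitelistRead and $wgCookieExpiration keys are MediaWiki core settings; the $wgLDAP* names are the LdapAuthentication extension's settings as I recall them and should be checked against the installed version of the extension. The domain label CORP, the host names, bind account, base DN and group DNs are placeholders.

```php
<?php
# LocalSettings.php fragment (illustration only). Placeholders: CORP, host names, DNs.

# --- 1. Authenticate against Active Directory, log in only members of one AD group ---
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames        = array( 'CORP' );
$wgLDAPServerNames        = array( 'CORP' => 'dc1.corp.example dc2.corp.example' );
$wgLDAPEncryptionType     = array( 'CORP' => 'tls' );   # do not send AD passwords in the clear
$wgLDAPSearchAttributes   = array( 'CORP' => 'sAMAccountName' );
$wgLDAPBaseDNs            = array( 'CORP' => 'dc=corp,dc=example' );
# Read-only bind account used to look the user up before binding as the user.
$wgLDAPProxyAgent         = array( 'CORP' => 'cn=wiki-bind,ou=Service Accounts,dc=corp,dc=example' );
$wgLDAPProxyAgentPassword = array( 'CORP' => 'change-me' );

# The "NT security group" from the post: anyone not in it is refused at login.
$wgLDAPRequiredGroups     = array( 'CORP' => array( 'cn=wiki-users,ou=Groups,dc=corp,dc=example' ) );
$wgLDAPGroupUseFullDN     = array( 'CORP' => true );
$wgLDAPGroupObjectclass   = array( 'CORP' => 'group' );
$wgLDAPGroupAttribute     = array( 'CORP' => 'member' );
$wgLDAPGroupNameAttribute = array( 'CORP' => 'cn' );
$wgLDAPGroupsUseMemberOf  = array( 'CORP' => true );   # AD stores memberOf on the user object

# Local accounts would bypass AD entirely, so nobody may create one in the wiki.
$wgGroupPermissions['*']['createaccount'] = false;

# --- 2. Private wiki: anonymous visitors may load only what the login form needs ---
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgWhitelistRead = array( 'Special:Userlogin', 'Special:Userlogout' );

# --- 3. Read-only vs read/write, decided by MediaWiki groups ---
# MediaWiki rights are a union over all of a user's groups, so a right granted to
# the implicit 'user' group cannot be taken away again by a "guest" group.
# Therefore: logged-in users are read-only by default, and editing is a
# separately granted right held by a local 'editor' group.
$wgGroupPermissions['user']['read']       = true;
$wgGroupPermissions['user']['edit']       = false;
$wgGroupPermissions['user']['createpage'] = false;
$wgGroupPermissions['user']['createtalk'] = false;
$wgGroupPermissions['user']['move']       = false;
$wgGroupPermissions['user']['upload']     = false;

$wgGroupPermissions['editor']['edit']       = true;
$wgGroupPermissions['editor']['createpage'] = true;
$wgGroupPermissions['editor']['createtalk'] = true;
$wgGroupPermissions['editor']['move']       = true;
$wgGroupPermissions['editor']['upload']     = true;

# Let sysops add and remove the 'editor' group through Special:Userrights.
$wgAddGroups['sysop']    = array( 'editor' );
$wgRemoveGroups['sysop'] = array( 'editor' );

# --- 4. Bound how long a "Remember my login" cookie outlives a revocation ---
# Removing someone from the AD group only bites at their next login, so a short
# remembered-session lifetime (here 1 day; core default is 30 days) limits the window.
$wgCookieExpiration = 86400;
```

With this layout a new read-only guest needs only an AD group membership; a read/write guest additionally gets the 'editor' group on Special:Userrights, and removing either membership is the corresponding revocation. Staff who should edit must also be placed in 'editor', which is the two-places-to-maintain cost the post already notes for this approach.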


