[Mediawiki-l] A restricted wiki with ActiveDirectory - advice on ideal setup?
Michael B Allen
ioplex at gmail.com
Fri Aug 31 18:53:50 UTC 2007
If you're running MW on Linux or FreeBSD the Plexcel MediaWiki Plugin
is the most advanced plugin for integration with Active Directory. But
it does not provide everything to the degree you are looking for. More
comments inlined below.
On 8/31/07, Daniel Barrett <danb at vistaprint.com> wrote:
> I'm looking for advice on the best authentication & access control setup
> for a "private" MediaWiki installation in the following environment:
> * Completely read-protected unless you are logged in (as in
> * Usernames and passwords are stored in ActiveDirectory (we're
> using the LDAPAuthentication extension)
Plexcel does SSO and explicit login using Kerberos which at this point
is as good as it gets for ease of use and security.
> * Logins are restricted to a particular group (e.g., an NT
> security group within ActiveDirectory, which LDAPAuthentication.php
With respect to group based access control Plexcel's MediaWiki Plugin
has two significant advantages over LDAPAuthentication.php.
1. Plexcel's group access checks are very fast. Once the group names
used within the page_acls array are cached in shared memory, access
checks do not require communication with the server.
2. Group names can be in the full range of forms like
'IBK\International Banking' or just 'International Banking' or may be
specific individuals like 'abaker at example.com'. Coupled with the fact
that our ACLs mimic the semantics of Windows ACLs, this model is a
little easier to work with than using full DNs.
> * Easily add and remove access control for individual guests (who
> are also in ActiveDirectory, but not in the required NT security group)
The Plexcel MediaWiki Plugin uses a page_acls array in
LocalSettings.conf that can include individual users. For example, a
somewhat elaborate example might look like:
$wgAuth->page_acls['*'] = array(
'http_sso_www1' => 'DENY',
'abaker at example.com' => 'DENY',
'Temps' => 'DENY',
'eBank Wiki Maintenance'
The first entry is for the HTTP service account used by anonymous
users which is to say anonymous users are denied access. The
individual 'abaker at example.com' and anyone in the group 'Temps' are
also denied access. Users in either of the two remaining groups are
granted access. Otherwise they are denied access. The point is that
even though 'abaker at example.com' may also be in 'IBK\International
Banking', they will be denied access which I believe is the effect
you're looking for.
> * Guests can be read-only or read/write
Currently we do not have read vs. write controls associated with our
ACLs but once the user logs in once a MW account will automatically be
created which I believe you can add or remove to or from MW groups and
use as the basis for blocking edits.
> * FYI, this is on a corporate intranet that is firewalled from the
> If we use ActiveDirectory for access control, this provides login
> security, but we can't revoke access instantly (since the user can
> select "Remember my login on this computer" ...or is there a way to
> destroy another user's session?). We also cannot control read-only vs.
> read-write access at this level, I think.
Plexcel uses Kerberos which authenticates every request. However, if
the user is logged into their workstation while the account is
disabled, I think they can still access resources on the network until
their Kerberos ticket needs to be renewed. So I'm not sure how your
going to satisfy this feature.
> This is solved if we also use MediaWiki user rights for access control;
> but then to add a new user, you need to add them to the NT security
> group AND bestow the appropriate MediaWiki user rights. It would be
> cleaner to maintain permissions in just one place. (This is my favorite
> approach at the moment, however.)
> A third possibility is to forget the NT security group and just allow
> everyone in ActiveDirectory to log in, but use MediaWiki access control
> after login. This works but you get the weird state of "successfully
> logged in, but cannot read anything," which is confusing for users and
> probably will generate customer support calls.
When the Plexcel MediaWiki Plugin denies access to a user because of
an entry in the page_acls array, they are directed to a page
PlexcelAccessDenied. On that page you put whatever instructions to the
user that you feel appropriate like "You do not have permission to
access this content. This may be because you have been removed from a
required group. Please contact support at ...".
> We are not considering the "100% MediaWiki" approach (use MediaWiki
> authentication, not ActiveDirectory), nor the HTTP auth approach
> (.htaccess), because we want to keep passwords in sync with
> ActiveDirectory. Nor do we want to control access by particular PCs or
> IP addresses (e.g., by firewall rules) as it's too hard to maintain.
> Are there any other possibilities I've missed?
Plexcel MediaWiki Dan. It's still a little new but we have quite a few
large organizations using it now and bug reports are becoming few and
far between. Check it out.
More information about the MediaWiki-l