[Mediawiki-l] NTLM Authentication

Michael B Allen ioplex at gmail.com
Tue Sep 18 22:23:07 UTC 2007


On 9/18/07, Connolly, Wayne <Wayne.Connolly at team.telstra.com> wrote:
> There is only one thing left to do to make this complete -> Automatic
> Authentication against the domain 'ACCOUNT-01' via Windows native NTLM
> authentication.
>
> Before I embark on this journey I was hoping that anyone could offer any
> tips, extension ideas or pitfalls to avoid.

Hi Wayne,

There's a PHP extension called Plexcel that does Windows authentication
and much much more. It doesn't use NTLM though. It uses Kerberos and
something called SPNEGO. This is actually what IIS is doing when you
turn on IWA. On the wire, Plexcel is just like IWA.

If you want NTLM I think there's a module for Apache that can call
Samba's Winbind daemon. But note that NTLM is not optimal for this
scenario. It requires communication with a domain controller whereas
Kerberos does not (although NTLM is still required for scenarios where
the client is not a member of the domain or a member of a domain that
has a trust with the target domain).

Anyway, I guess I'm starting to rant. In addition to the Plexcel
extension there's a little MediaWiki plugin that calls Plexcel. Check
it out:

http://www.ioplex.com/mediawiki_plugin.html

It handles SSO, explicit login using the conventional form,
automatically creates accounts in the local DB with the user's info
from AD and has ACLs to control who can access content and such.

Bear in mind that you're going to need a MediaWiki plugin so that the
user's information can be pushed into MW so that the higher level
logic does sensible things. You can't just use mod_ntlm or flip on IWA
in IIS.

Mike
-- 
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
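
The Kerberos/SPNEGO versus NTLM distinction drawn in the reply above is visible in the HTTP `Authorization` header a browser sends during IWA. As an added example (not part of the original post, and not Plexcel or MediaWiki code), this Python function reports which mechanism a client's initial token offers first, so an administrator can spot clients falling back to NTLM; the function names and sample headers are constructed for illustration.

```python
import base64

# DER-encoded OID values (without tag/length) for the GSS-API mechanisms.
SPNEGO = bytes.fromhex("2b0601050502")                # 1.3.6.1.5.5.2
MECHS = {
    bytes.fromhex("2a864886f712010202"): "kerberos",  # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "kerberos",  # 1.2.840.48018.1.2.2 (MS variant)
    bytes.fromhex("2b06010401823702020a"): "ntlm",    # 1.3.6.1.4.1.311.2.2.10 (NTLMSSP)
}

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def classify_authorization(value):
    """Return 'kerberos', 'ntlm', 'unknown', 'malformed' or 'other'."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "other"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
        if tok.startswith(b"NTLMSSP\x00"):  # raw NTLM, also seen under Negotiate
            return "ntlm"
        tag, start, _ = _tlv(tok, 0)          # 0x60 = GSS-API InitialContextToken
        tag2, start, pos = _tlv(tok, start)   # 0x06 = thisMech OID
        if (tag, tag2) != (0x60, 0x06):
            return "unknown"
        if tok[start:pos] != SPNEGO:
            return MECHS.get(tok[start:pos], "unknown")
        # NegTokenInit: [0] -> SEQUENCE -> [0] mechTypes -> SEQUENCE -> first OID
        for expected in (0xA0, 0x30, 0xA0, 0x30, 0x06):
            tag, start, end = _tlv(tok, pos)
            if tag != expected:
                return "unknown"
            pos = start
        return MECHS.get(tok[start:end], "unknown")  # client's preferred mechanism
    except (ValueError, IndexError):  # bad base64 or truncated token
        return "malformed"

# Constructed sample headers, not captured traffic.
SAMPLE_KERBEROS = "Negotiate " + base64.b64encode(bytes.fromhex(
    "601b06062b0601050502a011300fa00d300b06092a864886f712010202")).decode()
SAMPLE_NTLM = "NTLM " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```

Later messages in the same handshake (SPNEGO response tokens) are reported as `unknown`; only the first token carries the mechanism list.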