Extension:AuthRemoteUser
AuthRemoteUser Release status: stable |
|
---|---|
Implementation | User identity |
Description | Allows for authentication via the web server's REMOTE_AUTH (i.e., with Kerberos) functionality. |
Author(s) | Tobias Oetterer (oetterertalk) |
Latest version | 1.0.0 (2024/06/30) |
MediaWiki | 1.39 |
PHP | 7.1 |
Composer | mediawiki/auth-remote-user |
License | GNU General Public License 2.0 or later |
Download | GitHub: README |
|
|
The AuthRemoteUser extension manages authentication via the web server's REMOTE_AUTH
. Unlike Extension:Auth_RemoteUser, where the whole wiki requires a web server's authentication, this extension only relies upon authentication on one page (Special:AuthRemoteUser).
Installation
editDownload
editYou can either download this from git
git clone https://github.com/oetterer/AuthRemoteUser
or use composer (in which case, add the following to your composer.local.json
)
{
"require": {
"mediawiki/auth-remote-user": "^1.0"
}
}
Activation
editAdd the following to your LocalSettings.php
wfLoadExtension( 'AuthRemoteUser' );
Setting up webserver
editYour webserver does the actual authentication, so you need to set it up properly. Please refer to your webserver documentation for instructions on how to do this.
Apache using MIT kerberos
editmod_auth_gssapi
edit<LocationMatch ".*/index\.php">
<If "%{QUERY_STRING} =~ /title=[^:]+:AuthRemoteUser/">
SSLRequireSSL
AuthType GSSAPI
AuthName "Kerberos Login"
GssapiCredStore keytab:/etc/keytabs/krb5.keytab.HTTP
GssapiSSLonly On
GssapiAllowedMech krb5
require valid-user
</If>
</LocationMatch>
mod_auth_kerb
edit<LocationMatch ".*/index\.php">
<If "%{QUERY_STRING} =~ /title=[^:]+:AuthRemoteUser/">
SSLRequireSSL
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthoritative on
KrbAuthRealms <your krb realms>
KrbVerifyKDC on
Krb5KeyTab /etc/keytabs/krb5.keytab.HTTP
require valid-user
</If>
</LocationMatch>
Note: even, if you are using Short URL schema, you have to match against index.php?title=
, because the authentication special page is accessed internally with the original linking schema.
Configuration parameters
edit- $wgAuthRemoteUserDomain
- Specify your domain for remote authentication here. The extension does not validate the domain if this variable is left empty.
- $wgAuthRemoteUserUsernameNormalizer
- Use this function for normalizing username, for example 'strtolower'. By default, the kerberos domain is stripped and the remaining username is cast to lowercase..
Authentication button label
editYou can specify what text will be shown on the authentication button by editing the MediaWiki message MediaWiki:Auth-remote-user-login-button-label
and its localizations.
User rights
editPlease see Extension:PluggableAuth