MediaWiki

Extension:AuthRemoteUser

This extension depends on the PluggableAuth extension, which must be installed beforehand.
MediaWiki extensions manual
AuthRemoteUser
Release status: stable
Implementation User identity
Description Allows for authentication via the web server's REMOTE_AUTH (i.e., with Kerberos) functionality.
Author(s) Tobias Oetterer (oetterertalk)
Latest version 1.0.0 (2024/06/30)
MediaWiki 1.39
PHP 7.1
Composer mediawiki/auth-remote-user
License GNU General Public License 2.0 or later
Download

GitHub:


README
Parameters
  • $wgAuthRemoteUserDomain
  • $wgAuthRemoteUserUsernameNormalizer

The AuthRemoteUser extension manages authentication via the web server's REMOTE_AUTH. Unlike Extension:Auth remoteuser, where the whole wiki requires a web server's authentication, this extension only relies upon authentication on one page (Special:AuthRemoteUser).

This extension relies on external authentication configured through the web server. Proper setup is required; without it, authentication will not function correctly. (See example in § Apache using MIT kerberos.)

Installation

edit

Download

edit
  • Download and move the extracted AuthRemoteUser folder to your extensions/ directory.
    Developers and code contributors should install the extension from Git instead, using:
    cd extensions/
git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/AuthRemoteUser
  • Add the following code at the bottom of your LocalSettings.php file: 
    wfLoadExtension( 'AuthRemoteUser' );
  •   Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.

You can either download this from Git, using: 

git clone https://github.com/oetterer/AuthRemoteUser

or use composer (in which case, add the following to your composer.local.json) 

{
	"require": {
		"mediawiki/auth-remote-user": "^1.0"
	}
}

Activation

edit

Add the following to your LocalSettings.php 

wfLoadExtension( 'AuthRemoteUser' );

Setting up webserver

edit

Your webserver does the actual authentication, so you need to set it up properly. Please refer to your webserver documentation for instructions on how to do this.

Apache using MIT kerberos

edit

mod_auth_gssapi

edit 
<LocationMatch ".*/index\.php">
    <If "%{QUERY_STRING} =~ /title=[^:]+:AuthRemoteUser/">
        SSLRequireSSL
        AuthType GSSAPI
        AuthName "Kerberos Login"
        GssapiCredStore keytab:/etc/keytabs/krb5.keytab.HTTP
        GssapiSSLonly On
        GssapiAllowedMech krb5
        require valid-user
    </If>
</LocationMatch>

mod_auth_kerb

edit 
<LocationMatch ".*/index\.php">
    <If "%{QUERY_STRING} =~ /title=[^:]+:AuthRemoteUser/">
        SSLRequireSSL
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        KrbAuthoritative on
        KrbAuthRealms <your krb realms>
        KrbVerifyKDC on
        Krb5KeyTab /etc/keytabs/krb5.keytab.HTTP
        require valid-user
    </If>
</LocationMatch>

Note: even, if you are using Short URL schema, you have to match against index.php?title=, because the authentication special page is accessed internally with the original linking schema.

Configuration parameters

edit
$wgAuthRemoteUserDomain
Specify your domain for remote authentication here. The extension does not validate the domain if this variable is left empty.
$wgAuthRemoteUserUsernameNormalizer
Use this function for normalizing username, for example 'strtolower'. By default, the kerberos domain is stripped and the remaining username is cast to lowercase..

Authentication button label

edit

You can specify what text will be shown on the authentication button by editing the MediaWiki message MediaWiki:Auth-remote-user-login-button-label and its localizations.

User rights

edit

Please see Extension:PluggableAuth

See also

edit
Retrieved from "https://www.mediawiki.org/w/index.php?title=Extension:AuthRemoteUser&oldid=7729825"