Extension:AuthRemoteUser

This extension requires the PluggableAuth extension to be installed first.
MediaWiki extensions manual
AuthRemoteUser
Release status: stable
Implementation User identity
Description Allows for authentication via the web server's REMOTE_AUTH (i.e., with Kerberos) functionality.
Author(s) Tobias Oetterer (oetterertalk)
Latest version 1.0.0 (2024/06/30)
MediaWiki 1.39
PHP 7.1
Composer mediawiki/auth-remote-user
License GNU General Public License 2.0 or later
Download
README
  • $wgAuthRemoteUserDomain
  • $wgAuthRemoteUserUsernameNormalizer

The AuthRemoteUser extension manages authentication via the web server's REMOTE_AUTH. Unlike Extension:Auth_RemoteUser, where the whole wiki requires a web server's authentication, this extension only relies upon authentication on one page (Special:AuthRemoteUser).

This extension relies upon external authentication by your web server. You are required to set this up properly, or your authentication won't work (see example below).

Installation

edit

Download

edit

You can either download this from git

git clone https://github.com/oetterer/AuthRemoteUser

or use composer (in which case, add the following to your composer.local.json)

{
	"require": {
		"mediawiki/auth-remote-user": "^1.0"
	}
}

Activation

edit

Add the following to your LocalSettings.php

wfLoadExtension( 'AuthRemoteUser' );

Setting up webserver

edit

Your webserver does the actual authentication, so you need to set it up properly. Please refer to your webserver documentation for instructions on how to do this.

Apache using MIT kerberos

edit

mod_auth_gssapi

edit
<LocationMatch ".*/index\.php">
    <If "%{QUERY_STRING} =~ /title=[^:]+:AuthRemoteUser/">
        SSLRequireSSL
        AuthType GSSAPI
        AuthName "Kerberos Login"
        GssapiCredStore keytab:/etc/keytabs/krb5.keytab.HTTP
        GssapiSSLonly On
        GssapiAllowedMech krb5
        require valid-user
    </If>
</LocationMatch>

mod_auth_kerb

edit
<LocationMatch ".*/index\.php">
    <If "%{QUERY_STRING} =~ /title=[^:]+:AuthRemoteUser/">
        SSLRequireSSL
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        KrbAuthoritative on
        KrbAuthRealms <your krb realms>
        KrbVerifyKDC on
        Krb5KeyTab /etc/keytabs/krb5.keytab.HTTP
        require valid-user
    </If>
</LocationMatch>

Note: even, if you are using Short URL schema, you have to match against index.php?title=, because the authentication special page is accessed internally with the original linking schema.

Configuration parameters

edit
$wgAuthRemoteUserDomain
Specify your domain for remote authentication here. The extension does not validate the domain if this variable is left empty.
$wgAuthRemoteUserUsernameNormalizer
Use this function for normalizing username, for example 'strtolower'. By default, the kerberos domain is stripped and the remaining username is cast to lowercase..

Authentication button label

edit

You can specify what text will be shown on the authentication button by editing the MediaWiki message MediaWiki:Auth-remote-user-login-button-label and its localizations.

User rights

edit

Please see Extension:PluggableAuth

See also

edit