Extension talk:SSL authentication/Archive 1

Latest comment: 12 years ago by Edward Z. Yang in topic Underscores in usernames

Support for MW 1.16.0! =

I just downloaded and tested this one with mediawiki 1.16.0 - and it seems if there's happening absolutely nothing. I added in front of my LocalSettings.php the Variables + the function call - and a short debug output gives me all variables right. So i think there has to be an error in SSLAuthPlugin.php - but there is neither an errormessage nor login or visual function of this plugin? What is going wrong? I figured it out... there are some changes in AuthPlugin etc... i will publish it if i've proved if it works well.

--Veraldi Fri Jan 14 23:19:53 CET 2011

I am afraid to upgrade to 1.16.x because actually I am using version 1.15.x and al my logins are base on X.509 user authentication. Is SSLAuthPlugin now working with 1.16.x versions ?
--Pb.marty 12:54, 20 October 2011 (UTC)
I just upgraded a mandriva box upto 2010.2 (=> apache = 2.2.15 ; mysql = 5.1.58 ; php = 5.3.6) and then untared mediawiki 1.17.0 and then copy/pasted SSLAuth 1.1.4 (for MW1.15) and it works out-of-the-box ! (just be careful when creating SSLAuth.php file in the extension directory : it should be of course apache-readable ... I had a strict umask hanging around and I wondered for minutes why the hell this white-screen-of-death before I realized the perms problem ;)

Re-negotiation handshake failed: Not accepted by client!?

Using "current" versions of MediaWiki (1.15.5) Apache (2.2.16) and Openssl (1.0.0a) and the SSL client authentication only for the mediawiki subdirectory this extensions always causes the error "Re-negotiation handshake failed: Not accepted by client!?" in the apache error log. On the client side (Firefox 3.6.12) you get then an "Errorcode: ssl_error_handshake_unexpected_alert". On other apache directories using exactly the same config in apache or Mediawiki with this extension disabled everything works fine. Mediaj 15:43, 8 November 2010 (UTC)

Does anybody watch this page?

--Johnp125 16:43, 25 March 2010 (UTC)

I do from time to time. Datenritter 11:27, 10 April 2010 (UTC)

Not sure what to change in the localsettings.php to get the app to work

Ok I have this loaded on mediawiki 1.15.1 and I have the SSL auth working on Apache. Not sure what I need to do to get the wiki to auto login. I need some direction on what the next step is. What if anything needs to be tweaked in the localsettings.php.

--Johnp125 13:50, 24 March 2010 (UTC)

Well check the extension page, it's said there. Datenritter 11:28, 10 April 2010 (UTC)

Is there any way to have both login and ssl auth on the same wiki

Just wondering if there was a way to have login and ssl auth, what if I had 2 virtual machines in apache that went to the same wiki, 1 with the ssl auth and 1 without, would that do the job?

--Johnp125 12:45, 7 October 2008 (UTC)

You could install two wikis with the same DB and make only one use the extension. I think it should work. Datenritter 16:33, 7 October 2008 (UTC)

I just did a quick test, and managed to do this by just encapsulating the SSL section of LocalSettings.php with "if( isset($_SERVER['SSL_CLIENT_S_DN_CN']) )". If the user reaches the site with http:// then that section is not evaluated. If they reach it with https:// then it is evaluated (two separate apache configs for the different ports). I believe you can do the same thing by setting apache to make the certificate optional, in which case if the user does not supply one, then the appropriate environment variables will not be set.

Working on integrating this into the LDAP Authentication plugin

This plugin is great, and exactly what I was looking for. I'll be integrating this into my LDAP Authentication plugin. I've been looking for documentation on how to do this for the past couple of weeks, but this plugin fits my need perfectly.

Thanks for the great work!

-- Ryan Lane

Little bug

Great work :), but when I enter my site first time in browsers session - I am not logged. The problem is probably in file SSLAuthPlugin.php in function SSLAuth:

SEARCH:

    //If exists, log them in
    if($tmpuser->getID() != 0)
    {
        $wgUser = &$tmpuser;
        $wgUser->setCookies();
        $wgUser->setupSession();
        return;
    }

REPLACE WITH:

    //If exists, log them in
    if($tmpuser->getID() != 0)
    {
        $wgUser = &$tmpuser;
        $wgUser->setupSession(); // Before cookies!
        $wgUser->setCookies();
        return;
    }

-- Krzysztof Kozlowski

tested with mediawiki 1.9?

Anyone else tried this out? I'm having a hell of a time getting it to work out.

Re - MediaWiki 1.9

Tested, but following changes were needed in SSLAuthPlugin.php: FIND:

$tmpuser = User::LoadFromSession();

REPLACE WITH:

$tmpuser = new User() ;
$tmpuser->LoadFromSession();

FIND:

$tmpuser = User::newFromName($ssl_UN);

REPLACE WITH:

unset($tmpuser) ;
$tmpuser = new User() ;
$tmpuser = $tmpuser->newFromName($ssl_UN);

And works OK

-- Krzysztof Kozlowski (kozik [some special char] kozik.net.pl)

1.9 better, but new error

Original exception: exception 'MWException' with message 'Unstub loop detected on call of $wgUser->getOption from StubUserLang::_newObject ' in /var/www/wiki/includes/StubObject.php:54

Note: Tested with 1.9.3

Succeded in integrating SSL authentication with the following SSLAuthPlugin.php:

<?php
 
 /**
  * Version 1.0.2 (Works out of box with MW 1.7.1 and up)
  *
  * Authentication Plugin for Apache2 mod_ssl
  * Derived from AuthPlugin.php and
  * http://meta.wikimedia.org/wiki/Shibboleth_Authentication
  *
  * Much of the commenting comes straight from AuthPlugin.php
  *
  * Portions Copyright 2006 Martin Johnson
  * Portions Copyright 2006, 2007 Regents of the University of California
  * Portions Copyright 2007 Steven Langenaken
  * Released under the GNU General Public License
  *
  * Changes between 1.0.2 and 1.0.1:
  * = Merge changes from Shibboleth Authentication: (By DJC)
  * == More 1.9 compatibility fixes and less ugly code
  *
  * Changes between 1.0.1 and 1.0:
  * = Merge changes from Shibboleth Authentication: (By DJC)
  * == Compatible with MW 1.9+ again (By DJC)
  * == Minor fix in loginform handling (By Steven Langenaken)
  *
  * Documentation at http://www.mediawiki.org/wiki/Extension:SSL_authentication
  */
 
 require_once('AuthPlugin.php');
 
 class SSLAuthPlugin extends AuthPlugin {
     /**
      * See AuthPlugin.php for specific information
      */
     function userExists( $username ) {
         return true;
     }
 
     /**
      * See AuthPlugin.php for specific information
      */
     function authenticate( $username, $password ) {
         global $ssl_UN;
 
         if($username == $ssl_UN)
             return true;
         else
             return false;
     }
 
     /**
      * See AuthPlugin.php for specific information
      */
     function modifyUITemplate( &$template ) {
         $template->set( 'usedomain', false );
     }
 
     /**
      * See AuthPlugin.php for specific information
      */
     function setDomain( $domain ) {
         $this->domain = $domain;
     }
 
     /**
      * See AuthPlugin.php for specific information
      */
     function validDomain( $domain ) {
         return true;
     }
 
     /**
      * See AuthPlugin.php for specific information
      */
     function updateUser( &$user ) {
         global $ssl_map_info;
         global $ssl_email;
         global $ssl_RN;
 
                 //Map extra info or not?
         if($ssl_map_info != true)
         {
                     //If Email, set info in MW
             if($ssl_email != null)
                 $user->setEmail($ssl_email);
     
                     //If realName, set info in MW
             if($ssl_RN != null)
                 $user->setRealName($ssl_RN);
         }
 
        //For security, set password to a non-existant hash.
        $user->load();
        if($user->mPassword != "nologin")
        {
            $user->mPassword = "nologin";
            $user->saveSettings();
        }
 
         return true;
     }
 
 
     /**
      * See AuthPlugin.php for specific information
      */
     function autoCreate() {
         return true;
     }
 
     /**
      * See AuthPlugin.php for specific information
      */
    //function allowPasswordChange() {
    //    return false;
    //}

function allowPasswordChange() { return true; // KK - bug: password-change-forbidden
 } 


     /**
      * See AuthPlugin.php for specific information
      */
    function setPassword( $password ) {
        return false;
    }
 
     /**
      * See AuthPlugin.php for specific information
      */
     function updateExternalDB( $user ) {
         //Not really, but wiki thinks we did...
         return true;
     }
 
     /**
      * See AuthPlugin.php for specific information
      */
     function canCreateAccounts() {
         return false;
     }
 
     /**
      * See AuthPlugin.php for specific information
      */
     function addUser( $user, $password ) {
         return false;
     }
 
     /**
      * See AuthPlugin.php for specific information
      */
     function strict() {
         return false;
     }
 
     /**
      * See AuthPlugin.php for specific information
      */
     function initUser( &$user ) {
             //Update MW with new user information
         $this->updateUser($user);
     }
 
     /**
      * See AuthPlugin.php for specific information
      */
     function getCanonicalName( $username ) {
         return $username;
     }
 }
 
 /**
  * End of AuthPlugin Code, beginning of hook code and auth functions
  */
 
 /**
  * Some extension information init
  */
 $wgExtensionFunctions[] = 'SSLAuthSetup';
 $wgExtensionCredits['other'][] = array(
    'name' => 'SSLAuth',
    'version' => '1.0.2',
    'author' => 'Martin Johnson',
    'description' => 'Automagic login with certificates using Apache2 mod_ssl clientside',
    'url' => 'http://www.mediawiki.org/wiki/Extension:SSL_authentication'
 );
 
 /**
  * Setup extensionfunctions
  */
 function SSLAuthSetup()
 {
     global $ssl_UN;
     global $wgHooks;
     global $wgAuth;
 
     if($ssl_UN != null)
     {
         $wgHooks['AutoAuthenticate'][] = 'SSLAuth'; /* Hook for magical authN */
         $wgHooks['PersonalUrls'][] = 'NoLogout'; /* Disallow logout link */
         $wgAuth = new SSLAuthPlugin();
     }
 /**
 * Hooks looks funny in Special:Version
 * Written twice. Whats wrong with this code?
 */
 }
 
 /* No logout link in MW */
 function NoLogout(&$personal_urls, $title)
 {
     $personal_urls['logout'] = null;
 }
 
 /* Tries to be magical about when to log in users and when not to. */
 function SSLAuth(&$user)
 {
     global $ssl_UN;
     global $wgUser;
     global $wgContLang;
     global $wgHooks;

     //Give us a user, see if we're around
     //$tmpuser = User::LoadFromSession(); // Pre MediaWiki 1.10
$tmpuser = new User() ;
 $tmpuser->LoadFromSession(); 

     //$tmpuser = User::newFromSession(); // For MediaWiki 1.10.0 and up
 
     //They already with us?  If so, quit this function.
     if($tmpuser->isLoggedIn())
         return;
 
     //Is the user already in the database?
     //$tmpuser = User::newFromName($ssl_UN);
unset($tmpuser) ; 
$tmpuser = new User() ;
 $tmpuser = $tmpuser->newFromName($ssl_UN); 

 
     //If exists, log them in
     if($tmpuser->getID() != 0)
     {
         $wgUser = &$tmpuser;
         $wgUser->setupSession();
         $wgUser->setCookies();
         return;
     }
 
     //Okay, kick this up a notch then...
     //$wgUser = &$tmpuser;
$wgUser = new User();

     $wgUser->setName($wgContLang->ucfirst($ssl_UN));
 
     /*
      * Some magic that Shibboleth Authentication does and I just copy
      */
      require_once('SpecialUserlogin.php');
 
      //This section contains a silly hack for MW
      global $wgLang;
      global $wgContLang;
      global $wgRequest;
      if(!isset($wgLang))
      {
          $wgLang = $wgContLang;
          $wgLangUnset = true;
      }
 
      //Temporarily kill The AutoAuth Hook to prevent recursion
      foreach ($wgHooks['AutoAuthenticate'] as $key => $value)
      {
            if($value == 'AutoAuth')
                $wgHooks['AutoAuthenticate'][$key] = 'BringBackAA';
      }
         
      //This creates our form that'll do black magic
      $lf = new LoginForm($wgRequest);

      //Place the hook back (Not strictly necessarily MW Ver >= 1.9)
      BringBackAA();

      //And now we clean up our hack
      if($wgLangUnset == true)
      {
            unset($wgLang);
            unset($wgLangUnset);
      }

      //Now we _do_ the black magic
      $lf->mRemember = false;
      $lf->initUser($wgUser);
 
      //Finish it off
      $wgUser->saveSettings();
      $wgUser->setupSession();
      $wgUser->setCookies();
 }

/* Puts the auto-auth hook back into the hooks array */
function BringBackAA()
{
        global $wgHooks;

        foreach ($wgHooks['AutoAuthenticate'] as $key => $value)
        {
            if($value == 'BringBackAA')
                $wgHooks['AutoAuthenticate'][$key] = 'AutoAuth';
        }
}

?>


Regards

Markus

gridsitewiki

Is it worth investigating if the work done for x509 integration with 1.4.x tree as part of GridSiteWiki can be reused?

Internal error :

Hi , Got an internal error when trying to use the extension :

MediaWiki internal error.
Original exception: exception 'MWException' with message 'Unstub loop detected on call of $wgUser->getOption from  StubUserLang::_newObject
' in /var/www/html/wiki/includes/StubObject.php:54
Stack trace:
#0 /var/www/html/wiki/includes/StubObject.php(31): StubObject->_unstub('getOption', 5)
#1 /var/www/html/wiki/includes/StubObject.php(122): StubObject->_call('getOption', Array)
#2 [internal function]: StubUser->__call('getOption', Array)
#3 /var/www/html/wiki/includes/StubObject.php(92): StubUser->getOption('language')
#4 /var/www/html/wiki/includes/StubObject.php(57): StubUserLang->_newObject()
#5 /var/www/html/wiki/includes/StubObject.php(31): StubObject->_unstub('specialPage', 5)
#6 /var/www/html/wiki/includes/StubObject.php(87): StubObject->_call('specialPage', Array)
#7 [internal function]: StubUserLang->__call('specialPage', Array)
#8 /var/www/html/wiki/includes/SpecialUserlogin.php(83): StubUserLang->specialPage('Userlogout')
#9 /var/www/html/wiki/extensions/SSLAuthPlugin.php(268): LoginForm->LoginForm(Object(WebRequest))
#10 [internal function]: SSLAuth(Object(User))
#11 /var/www/html/wiki/includes/Hooks.php(113): call_user_func_array('SSLAuth', Array)
#12 /var/www/html/wiki/includes/StubObject.php(131): wfRunHooks('AutoAuthenticat...', Array)
#13 /var/www/html/wiki/includes/StubObject.php(57): StubUser->_newObject()
#14 /var/www/html/wiki/includes/StubObject.php(31): StubObject->_unstub('getOption', 5)
#15 /var/www/html/wiki/includes/StubObject.php(122): StubObject->_call('getOption', Array)
#16 [internal function]: StubUser->__call('getOption', Array)
#17 /var/www/html/wiki/includes/StubObject.php(92): StubUser->getOption('language')
#18 /var/www/html/wiki/includes/StubObject.php(57): StubUserLang->_newObject()
#19 /var/www/html/wiki/includes/StubObject.php(31): StubObject->_unstub('specialPage', 5)
#20 /var/www/html/wiki/includes/StubObject.php(87): StubObject->_call('specialPage', Array)
#21 [internal function]: StubUserLang->__call('specialPage', Array)
#22 /var/www/html/wiki/includes/SpecialUserlogin.php(83): StubUserLang->specialPage('Userlogout')
#23 /var/www/html/wiki/extensions/SSLAuthPlugin.php(268): LoginForm->LoginForm(Object(WebRequest))
#24 [internal function]: SSLAuth(Object(User))
#25 /var/www/html/wiki/includes/Hooks.php(113): call_user_func_array('SSLAuth', Array)
#26 /var/www/html/wiki/includes/StubObject.php(131): wfRunHooks('AutoAuthenticat...', Array)
#27 /var/www/html/wiki/includes/StubObject.php(57): StubUser->_newObject()
#28 /var/www/html/wiki/includes/StubObject.php(31): StubObject->_unstub('isAllowed', 5)
#29 /var/www/html/wiki/includes/StubObject.php(122): StubObject->_call('isAllowed', Array)
#30 [internal function]: StubUser->__call('isAllowed', Array)
#31 /var/www/html/wiki/includes/Title.php(1144): StubUser->isAllowed('read')
#32 /var/www/html/wiki/includes/Wiki.php(123): Title->userCanRead()
#33 /var/www/html/wiki/includes/Wiki.php(43): MediaWiki->preliminaryChecks(Object(Title), Object(StubObject), Object(WebRequest))
#34 /var/www/html/wiki/index.php(89): MediaWiki->initialize(Object(Title), Object(StubObject), Object(StubUser), Object(WebRequest))
#35 {main}
Exception caught inside exception handler: exception 'MWException' with message 'Unstub loop detected on call of $wgLang->getCode   from MessageCache::get
' in /var/www/html/wiki/includes/StubObject.php:54
Stack trace:
#0 /var/www/html/wiki/includes/StubObject.php(31): StubObject->_unstub('getCode', 5)
#1 /var/www/html/wiki/includes/StubObject.php(87): StubObject->_call('getCode', Array)
#2 [internal function]: StubUserLang->__call('getCode', Array)
#3 /var/www/html/wiki/includes/MessageCache.php(433): StubUserLang->getCode()
#4 /var/www/html/wiki/includes/GlobalFunctions.php(463): MessageCache->get('internalerror', true, false)
#5 /var/www/html/wiki/includes/GlobalFunctions.php(421): wfMsgGetKey('internalerror', true, false, true)
#6 /var/www/html/wiki/includes/GlobalFunctions.php(326): wfMsgReal('internalerror', Array, true)
#7 /var/www/html/wiki/includes/Exception.php(57): wfMsg('internalerror')
#8 /var/www/html/wiki/includes/Exception.php(125): MWException->getPageTitle()
#9 /var/www/html/wiki/includes/Exception.php(88): MWException->htmlHeader()
#10 /var/www/html/wiki/includes/Exception.php(111): MWException->reportHTML()
#11 /var/www/html/wiki/includes/Exception.php(191): MWException->report()
#12 /var/www/html/wiki/includes/Exception.php(225): wfReportException(Object(MWException))
#13 [internal function]: wfExceptionHandler(Object(MWException))
#14 {main}

In my LocalSetting.php :

#
##SSL Authentication Stuff
#
#Load SSLAuthPlugin
require_once('extensions/SSLAuthPlugin.php');
#Feel free to use extra PHP code to munge the variables if you'd like
#Additionally if you wish to only map some of the name data, set this to true
##and either blank ssl_RN and ssl_email or comment them out entirely.
$ssl_map_info = "true";
#Ssssh.... quiet down errors
$olderror = error_reporting(E_ALL ^ E_NOTICE);
#Map Real Name from certificate
#Can be DN but is it right?
$ssl_RN = strtolower($_SERVER['SSL_CLIENT_S_DN_CN']);
#MW username is required to map to something
#You should beware of possible namespace collisions, it is best to chose
#something that will not violate MW's usual restrictions on characters
#Just using Firstname + Lastname from Certificate 'will' make collisions... but what to use?
#UN could be md5-hash of DN, but its ugly to use...
$search = array ('/å/i', '/ä/i', '/ö/i', '/é/i');
$replace = array ('a', 'a', 'o', 'e');
$nom = explode(" ",$_SERVER['SSL_CLIENT_S_DN_CN']);
$firstname = $nom[0];
$firstname = preg_replace($search, $replace, $firstname);
$lastname = $nom[1];
$lastname = preg_replace($search, $replace, $lastname);
$ssl_UN = $_SERVER['SSL_CLIENT_S_DN_Email'];
#Map e-mail to something close?
$ssl_email = $_SERVER['SSL_CLIENT_S_DN_Email'];
#Turn error reporting back on
error_reporting($olderror);
#Activate SSL Plugin
SSLAuthSetup();

i've just modify some variables to be working with my AC. Did you have any Idea ? Thanks

Bug?

When I install the extension as advised, I got the following error in Apache's error_log:

[Wed May 30 08:26:57 2007] [error] [client 127.0.0.2]
PHP Fatal error:  Call to undefined method User::newfromsession() in /srv/www/htdocs/mediawiki/extensions/SSLAuthPlugin.php on line 223

My MediaWiki version is 1.8.2 and my PHP version is 5.2.0 on openSuSE 10.2.

Thanks for any hint

-- Uwe 07:31, 30 May 2007 (UTC)

Work in progress

Hi,

No work has been done from me the last time but now I'm back. I have noticed that MediaWiki 1.10.0 and Extension:SSL authentication don't work so well, actually not at all... Djcapelis, Krzysztof Kozlowski, Markus and others has contibuted in the past. Thanks! If you, or someone else has more tips or solutions, please help. I use MeliaWiki 1.7.1 at work but its time to upgrade. :-)

SSL auth and MediaWiki 1.10.0

Problem - with "Internal error :" replace

if($value == 'AutoAuth')
(...)
$wgHooks['AutoAuthenticate'][$key] = 'AutoAuth';

with

if($value == 'SSLAuth')
(...)
$wgHooks['AutoAuthenticate'][$key] = 'SSLAuth';

Krzysztof Kozłowski --217.153.130.210 12:07, 12 June 2007 (UTC)

SSL Auth and MediaWiki 1.10.0 - new version

Tested with 1.10.0 and works OK but I haven't done many tests (simple usage, auto-login, etc.) . Probably wont work with 1.7 and 1.8 (<1.10). Previous error:

Original exception: exception 'MWException' with message 'Unstub loop detected on call of $wgUser->getOption from  StubUserLang::_newObject

(when user did not exist in database) has been fixed.

<?php
 
 /**
  * Version 1.0.2 (Works out of box with MW 1.7.1 and up)
  *
  * Authentication Plugin for Apache2 mod_ssl
  * Derived from AuthPlugin.php and
  * http://meta.wikimedia.org/wiki/Shibboleth_Authentication
  *
  * Much of the commenting comes straight from AuthPlugin.php
  *
  * Portions Copyright 2006 Martin Johnson
  * Portions Copyright 2006, 2007 Regents of the University of California
  * Portions Copyright 2007 Steven Langenaken
  * Released under the GNU General Public License
  *
  * Changes between 1.0.2 and 1.0.1:
  * = Merge changes from Shibboleth Authentication: (By DJC)
  * == More 1.9 compatibility fixes and less ugly code
  *
  * Changes between 1.0.1 and 1.0:
  * = Merge changes from Shibboleth Authentication: (By DJC)
  * == Compatible with MW 1.9+ again (By DJC)
  * == Minor fix in loginform handling (By Steven Langenaken)
  *
  * Documentation at http://www.mediawiki.org/wiki/Extension:SSL_authentication
  */
 
 require_once('AuthPlugin.php');
 
 class SSLAuthPlugin extends AuthPlugin {
     /**
      * See AuthPlugin.php for specific information
      */
     function userExists( $username ) {
         return true;
     }
 
     /**
      * See AuthPlugin.php for specific information
      */
     function authenticate( $username, $password ) {
         global $ssl_UN;
 
         if($username == $ssl_UN)
             return true;
         else
             return false;
     }
 
     /**
      * See AuthPlugin.php for specific information
      */
     function modifyUITemplate( &$template ) {
         $template->set( 'usedomain', false );
     }
 
     /**
      * See AuthPlugin.php for specific information
      */
     function setDomain( $domain ) {
         $this->domain = $domain;
     }
 
     /**
      * See AuthPlugin.php for specific information
      */
     function validDomain( $domain ) {
         return true;
     }
 
     /**
      * See AuthPlugin.php for specific information
      */
     function updateUser( &$user ) {
         global $ssl_map_info;
         global $ssl_email;
         global $ssl_RN;
 
                 //Map extra info or not?
         if($ssl_map_info)
         {
                     //If Email, set info in MW
             if($ssl_email)
                 $user->setEmail($ssl_email);
     
                     //If realName, set info in MW
             if($ssl_RN)
                 $user->setRealName($ssl_RN);
         }
        // KK - MediaWiki 1.10.0
        $user->setInternalPassword(mt_rand() . mt_rand()) ;
 
         return true;
     }
 
 
     /**
      * See AuthPlugin.php for specific information
      */
     function autoCreate() {
         return true;
     }
 
     /**
      * See AuthPlugin.php for specific information
      */
    function allowPasswordChange() {
        return false;
    }

     /**
      * See AuthPlugin.php for specific information
      */
    function setPassword( $password ) {
        return false;
    }
 
     /**
      * See AuthPlugin.php for specific information
      */
     function updateExternalDB( $user ) {
         //Not really, but wiki thinks we did...
         return true;
     }
 
     /**
      * See AuthPlugin.php for specific information
      */
     function canCreateAccounts() {
         return false;
     }
 
     /**
      * See AuthPlugin.php for specific information
      */
     function addUser( $user, $password ) {
         return false;
     }
 
     /**
      * See AuthPlugin.php for specific information
      */
     function strict() {
         return false;
     }
 
     /**
      * See AuthPlugin.php for specific information
      */
     function initUser( &$user ) {
             //Update MW with new user information
         $this->updateUser($user);
     }
 
     /**
      * See AuthPlugin.php for specific information
      */
     function getCanonicalName( $username ) {
         return $username;
     }
 }
 
 /**
  * End of AuthPlugin Code, beginning of hook code and auth functions
  */
 
 /**
  * Some extension information init
  */
 $wgExtensionFunctions[] = 'SSLAuthSetup';
 $wgExtensionCredits['other'][] = array(
    'name' => 'SSLAuth',
    'version' => '1.0.2',
    'author' => 'Martin Johnson',
    'description' => 'Automagic login with certificates using Apache2 mod_ssl clientside',
    'url' => 'http://www.mediawiki.org/wiki/Extension:SSL_authentication'
 );
 
 /**
  * Setup extensionfunctions
  */
 function SSLAuthSetup()
 {
     global $ssl_UN;
     global $wgHooks;
     global $wgAuth;
 
     if($ssl_UN != null)
     {
         $wgHooks['AutoAuthenticate'][] = 'SSLAuth'; /* Hook for magical authN */
         $wgHooks['PersonalUrls'][] = 'NoLogout'; /* Disallow logout link */
         $wgAuth = new SSLAuthPlugin();
     }
 /**
 * Hooks looks funny in Special:Version
 * Written twice. Whats wrong with this code?
 */
 }
 
 /* No logout link in MW */
 function NoLogout(&$personal_urls, $title)
 {
     $personal_urls['logout'] = null;
 }
 
 /* Tries to be magical about when to log in users and when not to. */
 function SSLAuth(&$user)
 {
     global $ssl_UN;
     global $wgUser;
     global $wgContLang;
     global $wgHooks;

    //Temporarily kill The AutoAuth Hook to prevent recursion
    foreach ($wgHooks['AutoAuthenticate'] as $key => $value)
    {
      if($value == 'SSLAuth')
        $wgHooks['AutoAuthenticate'][$key] = 'BringBackAA';
    }
    //Give us a user, see if we're around
    //$tmpuser = User::LoadFromSession(); // MediaWiki < 1.10
    $tmpuser = User::newFromSession();// MediaWiki 1.10.0 and up

     //They already with us?  If so, quit this function.
     if($tmpuser->isLoggedIn())
     {
         BringBackAA();
         return;
     }

     //Is the user already in the database?
     $tmpuser = User::newFromName($ssl_UN) ;
     
     //If exists, log them in
     if($tmpuser->getID())
     {
          $wgUser = &$tmpuser;
          $user = &$tmpuser;
          $user->setupSession(); // Session before cookies!
          $user->setCookies();
          return;
       }
     
     //Place the hook back (Not strictly necessarily MW Ver >= 1.9)
     BringBackAA();

     //Okay, kick this up a notch then...
     $user = &$tmpuser;
     $user->setName($ssl_UN); // Set users name - Dont use ucfirst()...

     /*
      * Some magic that Shibboleth Authentication does and I just copy
      */
      require_once('SpecialUserlogin.php');
 
      //This section contains a silly hack for MW
      global $wgLang;
      global $wgContLang;
      global $wgRequest;
      $wgLangUnset = false;
      if(!isset($wgLang))
      {
          $wgLang = $wgContLang;
          $wgLangUnset = true;
      }
 
      //Temporarily kill The AutoAuth Hook to prevent recursion
      foreach ($wgHooks['AutoAuthenticate'] as $key => $value)
      {
        if($value == 'SSLAuth')
          $wgHooks['AutoAuthenticate'][$key] = 'BringBackAA';
      }

      //This creates our form that'll do black magic
      $lf = new LoginForm($wgRequest);

      //Place the hook back (Not strictly necessarily MW Ver >= 1.9)
      BringBackAA();

      //And now we clean up our hack
      if($wgLangUnset == true)
      {
            unset($wgLang);
            unset($wgLangUnset);
      }

      //Now we _do_ the black magic
      $lf->mRemember = false;
      $lf->initUser($user);
 
      //Finish it off
      $user->saveSettings();
      $user->setupSession();
      $user->setCookies();
 }

/* Puts the auto-auth hook back into the hooks array */
function BringBackAA()
{
        global $wgHooks;

        foreach ($wgHooks['AutoAuthenticate'] as $key => $value)
        {
            if($value == 'BringBackAA')
                $wgHooks['AutoAuthenticate'][$key] = 'SSLAuth';
        }
}

?>

Krzysztof Kozlowski --217.153.130.210 13:04, 12 June 2007 (UTC)

Problems with national characters in CN

Hi, Your extension works, but only when users don't have national characters in CN (altough login is email...). Can You help me with it? (from 217.74.68.2)

I used to have that problem in earier versions of MediaWiki (1.7.x) but now when I upgraded to 1.10.0 swedish national characters works fine. Take a look at my LocalSettings.php in http://www.mediawiki.org/w/index.php?title=Extension:SSL_authentication&oldid=99654 to see how I solved it then. MaJoh 09:19, 7 July 2007 (UTC)


Error with mediawiki 1.11.0

Hi, I got an error with 1.11.0 :

MediaWiki internal error.

Original exception: exception 'MWException' with message 'Detected bug in an extension! Hook SSLAuth failed to return a value;  should return true to continue hook processing or false to abort.' in /var/www/mediawiki-1.11.0/includes/Hooks.php:133
Stack trace:
#0 /var/www/mediawiki-1.11.0/includes/StubObject.php(131): wfRunHooks('AutoAuthenticat...', Array)
#1 /var/www/mediawiki-1.11.0/includes/StubObject.php(57): StubUser->_newObject()
#2 /var/www/mediawiki-1.11.0/includes/StubObject.php(31): StubObject->_unstub('isAllowed', 5)
#3 /var/www/mediawiki-1.11.0/includes/StubObject.php(122): StubObject->_call('isAllowed', Array)
#4 [internal function]: StubUser->__call('isAllowed', Array)
#5 /var/www/mediawiki-1.11.0/includes/Title.php(1269): StubUser->isAllowed('read')
#6 /var/www/mediawiki-1.11.0/includes/Wiki.php(133): Title->userCanRead()
#7 /var/www/mediawiki-1.11.0/includes/Wiki.php(43): MediaWiki->preliminaryChecks(Object(Title), Object(StubObject),  Object(WebRequest))
#8 /var/www/mediawiki-1.11.0/index.php(89): MediaWiki->initialize(Object(Title), Object(StubObject), Object(StubUser), Object(WebRequest))
#9 {main}

Exception caught inside exception handler: exception 'MWException' with message 'Detected bug in an extension! Hook SSLAuth failed to return a value; should return true to continue hook processing or false to abort.' in var/www/mediawiki-1.11.0/includes/Hooks.php:133
Stack trace:
#0 /var/www/mediawiki-1.11.0/includes/StubObject.php(131): wfRunHooks('AutoAuthenticat...', Array)
#1 /var/www/mediawiki-1.11.0/includes/StubObject.php(57): StubUser->_newObject()
#2 /var/www/mediawiki-1.11.0/includes/StubObject.php(31): StubObject->_unstub('getOption', 5)
#3 /var/www/mediawiki-1.11.0/includes/StubObject.php(122): StubObject->_call('getOption', Array)
#4 [internal function]: StubUser->__call('getOption', Array)
#5 /var/www/mediawiki-1.11.0/includes/StubObject.php(92): StubUser->getOption('language')
#6 /var/www/mediawiki-1.11.0/includes/StubObject.php(57): StubUserLang->_newObject()
#7 /var/www/mediawiki-1.11.0/includes/StubObject.php(31): StubObject->_unstub('getCode', 5)
#8 /var/www/mediawiki-1.11.0/includes/StubObject.php(87): StubObject->_call('getCode', Array)
#9 [internal function]: StubUserLang->__call('getCode', Array)
#10 /var/www/mediawiki-1.11.0/includes/MessageCache.php(434): StubUserLang->getCode()
#11 /var/www/mediawiki-1.11.0/includes/GlobalFunctions.php(467): MessageCache->get('internalerror', true, false)
#12 /var/www/mediawiki-1.11.0/includes/GlobalFunctions.php(421): wfMsgGetKey('internalerror', true, false, true)
#13 /var/www/mediawiki-1.11.0/includes/GlobalFunctions.php(326): wfMsgReal('internalerror', Array, true)
#14 /var/www/mediawiki-1.11.0/includes/Exception.php(57): wfMsg('internalerror')
#15 /var/www/mediawiki-1.11.0/includes/Exception.php(125): MWException->getPageTitle()
#16 /var/www/mediawiki-1.11.0/includes/Exception.php(88): MWException->htmlHeader()
#17 /var/www/mediawiki-1.11.0/includes/Exception.php(111): MWException->reportHTML()
#18 /var/www/mediawiki-1.11.0/includes/Exception.php(191): MWException->report()
#19 /var/www/mediawiki-1.11.0/includes/Exception.php(225): wfReportException(Object(MWException))
#20 [internal function]: wfExceptionHandler(Object(MWException))
#21 {main}

Tanks for your job !


--Ju

  • As a quick-and-dirty fix, add return values to every hook: "return true;" for NoLogout, SSLAuth and BringBackAA, and change the "return;" in the middle of SSLAuth to a "return false;". Results may vary, since I have no idea how any of this actually works - I chose the return values arbitrarily, and I also don't know if SSLAuthSetup needs a return value. But this seems to work for me. --Meeg

MediaWiki 1.13.0

Does this extension work with MediaWiki 1.13.0? I've added all the strings as needed, but it doesn't authorize me. Can someone help?

Looks like the AutoAuthenticate hook has been replaced in 1.13.

--131.225.80.148 19:15, 8 September 2008 (UTC)

Does anyone have this working? The experimental version below does not work for my stock Ubuntu install. --September 1, 2009

Experimental version for MW 1.13

I made an experimental version of the extension for MW 1.13, based on the latest version of the Shibboleth authentication extension. If you'd like to try it, grab it from the git repo here:

http://github.com/dhess/sslauthplugin/tree/master

Please note that I'm not an experienced MediaWiki extension author, so this version may have bugs or security flaws. So far, anyway, "it works for me."

Please contact me (see my GitHub page) if you have any problems with it or discover any bugs. --Dhess 06:55, 16 September 2008 (UTC)

SSL Authentication extension available for Mediawiki 1.14.0 ?

Hi everyone,

I will know if this extension is available for Mediawiki 1.14.0 ? On the description page nothing about that, maybe it is a forgot ? My configuration is:

  • Mediawiki 1.14.0
  • PHP 5.2.6 (apache2handler)
  • MySQL 5.0.67

Will this be functionnal if I use the version for mw 1.13.x ? Thanks a lot, Enes

How to have both SSL and ordinary logins?

Hello --

Thanks to the developers for creating such a fantastic extension. I am running a wiki on a university where I'd like to automatically allow everyone in the university to view the wiki and make anonymous edits without having to register. But, I'd like to also specific people who are not part of the university (and therefore don't have SSL certificates) to make edits and view if they have a user name.

Does anyone know a way to do this? I know @johnp mentioned something, but I wasn't sure I understood it or if the advice was applicable.

Thanks in advance, Dc321 22:05, 9 September 2011 (UTC)

Underscores in usernames

I am running MW 1.11.2 and the plugin version for that rev. I am having a problem with users that have an underscore in their username. They get various errors when they attempt to log in. Evidently, this is a common issue with any external auth module for MW. Here's what happens when they attempt to log in. I realize I probably just need to undo the automatic changing of the underscore to a space - somewhere, but where exactly?

Initial entry:

Detected bug in an extension! Hook SSLAuth failed to return a value; should return true to continue hook processing or false to abort.

Backtrace:

  1. 0 /var/www/sfsintranet/includes/StubObject.php(131): wfRunHooks('AutoAuthenticat...', Array)
  2. 1 /var/www/sfsintranet/includes/StubObject.php(57): StubUser->_newObject()
  3. 2 /var/www/sfsintranet/includes/StubObject.php(31): StubObject->_unstub('isAllowed', 5)
  4. 3 /var/www/sfsintranet/includes/StubObject.php(122): StubObject->_call('isAllowed', Array)
  5. 4 [internal function]: StubUser->__call('isAllowed', Array)
  6. 5 /var/www/sfsintranet/includes/Title.php(1269): StubUser->isAllowed('read')
  7. 6 /var/www/sfsintranet/includes/Wiki.php(133): Title->userCanRead()
  8. 7 /var/www/sfsintranet/includes/Wiki.php(43): MediaWiki->preliminaryChecks(Object(Title), Object(OutputPage), Object(WebRequest))
  9. 8 /var/www/sfsintranet/index.php(89): MediaWiki->initialize(Object(Title), Object(OutputPage), Object(User), Object(WebRequest))
  10. 9 {main}

Subsequent entry attempts:

A database query syntax error has occurred. This may indicate a bug in the software. The last attempted database query was: (SQL query hidden) from within function "User::addToDatabase". MySQL returned error "1062: Duplicate entry 'Mj_p' for key 2 (localhost)".

Try string replacing underscores to spaces when setting up $ssl_UN ? — Edward Z. Yang(Talk) 02:48, 30 July 2012 (UTC)
Return to "SSL authentication/Archive 1" page.