Mailing List Archive: Wikipedia: Mediawiki

Authentication

Index | Next | Previous | View Threaded

jwelters at gmail

Jun 20, 2008, 6:57 AM

Post #1 of 12 (3145 views)
Permalink

Authentication

All,

Another quick question concerning authentication in Mediawiki. It would
apear as though we are seeking a system where the user doesn't need a
password and doesn't have to register. I do have all of the users on an LDAP
server which is at my disposal. I guess two questions stem from this :

1. Is there a way for mediawiki to just ask the user a username and not a
password without using LDAP? I know that sounds wierd.... but it's kinda the
end goal.
2. If I use LDAP is there a way to just tell it always to accept the PW
without botherin to check if it's right?
3. My only other idea is to enable httpauth and figure out how to leave the
auth open..

The wiki is on a private network FYI so security isn't really an issue.

--
Thank You and Sincerely,
Jon
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

jwelters at gmail

Jun 20, 2008, 6:57 AM

Post #2 of 12 (3042 views)
Permalink

Authentication [In reply to]

Ryan.Lane at ocean

Jun 20, 2008, 7:03 AM

Post #3 of 12 (3021 views)
Permalink

Re: Authentication [In reply to]

> Another quick question concerning authentication in
> Mediawiki. It would
> apear as though we are seeking a system where the user doesn't need a
> password and doesn't have to register. I do have all of the
> users on an LDAP
> server which is at my disposal. I guess two questions stem from this :
>
> 1. Is there a way for mediawiki to just ask the user a
> username and not a
> password without using LDAP? I know that sounds wierd.... but
> it's kinda the
> end goal.
> 2. If I use LDAP is there a way to just tell it always to
> accept the PW
> without botherin to check if it's right?
> 3. My only other idea is to enable httpauth and figure out
> how to leave the
> auth open..
>
> The wiki is on a private network FYI so security isn't really
> an issue.

You could write an auth plugin that always returns true in the
authenticate function.

You may also be able to use this extension:

http://www.mediawiki.org/wiki/Extension:NetworkAuth

I'm not totally sure it will fufill your purpose though.

V/r,

Ryan Lane

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

jwelters at gmail

Jun 20, 2008, 11:17 AM

Post #4 of 12 (3023 views)
Permalink

Re: Authentication [In reply to]

I just did a lot of digging, looks like my best bet is to use an Http Auth
extension and figure out how to just not have it check a password. There are
a couple extensions out there that claim to accomplish this but they seem to
fail. I don't have a whole lot of experiance in PHP or I'd code it myself. I
was hopeing someone had an idea on how to do it with existing code.

My idea is to make it so when a user logs in they need no password and if
they don't have an account one is created for them. Any other ideas ?

Thanks for your advice, it got me going on this !

--
Thank You and Sincerely,
Jon

On Fri, Jun 20, 2008 at 10:03 AM, Lane, Ryan <Ryan.Lane [at] ocean>
wrote:

> > Another quick question concerning authentication in
> > Mediawiki. It would
> > apear as though we are seeking a system where the user doesn't need a
> > password and doesn't have to register. I do have all of the
> > users on an LDAP
> > server which is at my disposal. I guess two questions stem from this :
> >
> > 1. Is there a way for mediawiki to just ask the user a
> > username and not a
> > password without using LDAP? I know that sounds wierd.... but
> > it's kinda the
> > end goal.
> > 2. If I use LDAP is there a way to just tell it always to
> > accept the PW
> > without botherin to check if it's right?
> > 3. My only other idea is to enable httpauth and figure out
> > how to leave the
> > auth open..
> >
> > The wiki is on a private network FYI so security isn't really
> > an issue.
>
> You could write an auth plugin that always returns true in the
> authenticate function.
>
> You may also be able to use this extension:
>
> http://www.mediawiki.org/wiki/Extension:NetworkAuth
>
> I'm not totally sure it will fufill your purpose though.
>
> V/r,
>
> Ryan Lane
>
> _______________________________________________
> MediaWiki-l mailing list
> MediaWiki-l [at] lists
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

Ryan.Lane at ocean

Jun 20, 2008, 11:43 AM

Post #5 of 12 (3018 views)
Permalink

Re: Authentication [In reply to]

> I just did a lot of digging, looks like my best bet is to use
> an Http Auth
> extension and figure out how to just not have it check a
> password. There are
> a couple extensions out there that claim to accomplish this
> but they seem to
> fail. I don't have a whole lot of experiance in PHP or I'd
> code it myself. I
> was hopeing someone had an idea on how to do it with existing code.
>
> My idea is to make it so when a user logs in they need no
> password and if
> they don't have an account one is created for them. Any other ideas ?
>
> Thanks for your advice, it got me going on this !
>

A custom authentication plugin is probably the easiest way to go.
Really, this is pretty simply to do...

In a file called "NoAuthPlugin.php":

<?php
/**
*/
# Copyright (C) 2004 Ryan Lane <rlane32 AtT gmail d0t com>
# http://www.mediawiki.org/
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
along
# with this program; if not, write to the Free Software Foundation,
Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
# http://www.gnu.org/copyleft/gpl.html

require_once( 'AuthPlugin.php' );

class NoAuthPlugin extends AuthPlugin {
function userExists( $username ) {
return true;
}

function authenticate( $username, $password ) {
return true;
}

function modifyUITemplate( &$template ) {
$template->set( 'usedomain', false );
$template->set( 'ignorepassword', true );
}

function setDomain( $domain ) {
$this->domain = $domain;
}

function validDomain( $domain ) {
return true;
}

function updateUser( &$user ) {
return true;
}

function autoCreate() {
return true;
}

function allowPasswordChange() {
return false;
}

function setPassword( $user, $password ) {
return true;
}

function updateExternalDB( $user ) {
return true;
}

function canCreateAccounts() {
return false;
}

function addUser( $user, $password, $email='', $realname='' ) {
return true;
}

function strict() {
return false;
}

function initUser( $user, $autocreate=false ) {
}

function getCanonicalName( $username ) {
return $username;
}

}
?>

Now patch the Userlogin.php template in includes/templates:

--- Userlogin.php.old 2008-06-20 13:32:04.000000000 -0500
+++ Userlogin.php 2008-06-20 13:41:51.000000000 -0500
@@ -40,6 +40,7 @@
value="<?php $this->text('name')
?>" size='20' />
</td>
</tr>
+ <?php if( !$this->data['ignorepassword'] ) {
<tr>
<td align='right'><label for='wpPassword1'><?php
$this->msg('yourpassword') ?></label></td>
<td align='left'>
@@ -48,6 +49,7 @@
value="" size='20' />
</td>
</tr>
+ <?php } ?>
<?php if( $this->data['usedomain'] ) {
$doms = "";
foreach( $this->data['domainnames'] as $dom ) {

Now set the following in LocalSettings.php:

require_once( 'extensions/NoAuthPlugin.php' );
$wgMinimalPasswordLength = 0;

Now when users click the login button, it should only show a username
box; when the user logs in for the first time, it'll automatically
create an account for them.

Btw, if the format of the email gets botched (which is likely), email me
directly, and I can send you attachments.

V/r,

Ryan Lane

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

Tobias.Heilmannseder at liebherr

Jun 23, 2008, 1:04 AM

Post #6 of 12 (2978 views)
Permalink

Re: Authentication [In reply to]

Hi,

when you want to use MW with the mod_auth_sspi Module, there are some Problems with Posting Data in Wiki.
There is also a Bugreport on Sourceforge about this.
I first also used this Apache Module, but after several Problems uploading or editing Pages I turned around to http://www.mediawiki.org/wiki/Ldap

And this LDAP Extension in use by 2 Wikis from me....
I never had any Problem.

-----Urspr�ngliche Nachricht-----
Von: mediawiki-l-bounces [at] lists [mailto:mediawiki-l-bounces [at] lists] Im Auftrag von Jon Welters
Gesendet: Freitag, 20. Juni 2008 15:58
An: MediaWiki announcements and site admin list
Betreff: [Mediawiki-l] Authentication

All,

Another quick question concerning authentication in Mediawiki. It would
apear as though we are seeking a system where the user doesn't need a
password and doesn't have to register. I do have all of the users on an LDAP
server which is at my disposal. I guess two questions stem from this :

1. Is there a way for mediawiki to just ask the user a username and not a
password without using LDAP? I know that sounds wierd.... but it's kinda the
end goal.
2. If I use LDAP is there a way to just tell it always to accept the PW
without botherin to check if it's right?
3. My only other idea is to enable httpauth and figure out how to leave the
auth open..

The wiki is on a private network FYI so security isn't really an issue.

--
Thank You and Sincerely,
Jon
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

Ryan.Lane at ocean

May 11, 2009, 11:40 AM

Post #7 of 12 (2359 views)
Permalink

Re: Authentication [In reply to]

> session_start();
> if ((!empty($_SERVER['PHP_AUTH_USER']) &&
> !empty($_SERVER['REMOTE_USER'])) || $_COOKIE['fpwiki_en_UserID']) {
> require_once("$IP/extensions/HttpAuthPlugin.php");
> $wgAuth = new HttpAuthPlugin();
> $wgHooks['UserLoadFromSession'][] =
> array($wgAuth,'autoAuthenticate');
> }
>

This looks kind of strange. That if line is saying "if the user is
authenticated by the web server, or the user has a cookie set, enable the
plugin". I think that $_COOKIE['fpwiki_en_UserID'] part is wrong. The
cookies assigned by your wiki wouldn't likely be 'fpwiki_en_UserID'; Try:

$_COOKIE[$wgDBserver . "UserID"]

Which, I think, is the default way MediaWiki sets cookies.

That said, I really don't even understand the point of the if statement or
the session_start() line. Why isn't the plugin doing this stuff for you?

> I then added the following lines to http.conf:
> <Location /w/Special:UserLogin>
> AuthType "basic"
> AuthName "wiki"
> AuthPAM_Enabled on
> AuthPAM_FallThrough Off
> SSLRequireSSL
> Require valid-user
> </Location>
>

This looks fine.

> The result is that when users visit Special:UserLogin, they
> get a pop-up screen and must authenticate using PAM. They
> can then see the Special:UserLogin screen and must login
> again (which isn't compared to our external database). This
> isn't quite what I wanted. I am new to Apache and web
> administration. Does anyone have any advice?
>

I'm very much betting it's that cookie line...

V/r,

Ryan Lane

melissa.a.soriano at jpl

May 11, 2009, 3:57 PM

Post #8 of 12 (2343 views)
Permalink

Re: Authentication [In reply to]

Hi Ryan,

Thanks for your response! You were right. I changed my if statement in LocalSettings.php to:

session_start();
if ((!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['REMOTE_USER'])) || $_COOKIE[$wgDBserver . "UserID"]) {
require_once("$IP/extensions/HttpAuthPlugin.php");
$wgAuth = new HttpAuthPlugin();
$wgHooks['UserLoadFromSession'][] = array($wgAuth,'autoAuthenticate');

using $_COOKIE[$wgDBserver . "UserID"] rather than $_COOKIE['fpwiki_en_UserID'] as you suggested.

This is working much better now. I enabled pretty URLs using $wgUsePathInfo = true; I removed the "Create an Account or Login" link in the top right-hand corner of every page by editing Monobook.php as described in the FAQ. As I showed in my previous e-mail, Special:UserLogin is protected by SSL and PAM. This authentication is working great.

I have one small problem now. When a user visits Special:UserLogin, the user sees a pop-up screen and is prompted for a username and password, which is validated against the external database. If this validation is successful, the user is logged in, and can see this in the top-right hand corner of the page. However, the user then sees the Special:UserLogin page, which makes it seem as if the user needs to login AGAIN, which is not the case. Do you have any advice? I am thinking that my two main options are 1) to replace the text and layout of Special:UserLogin with something else (like "Welcome") or 2) redirect to the Main Page. There is some code on http://www.mediawiki.org/wiki/Extension:HttpAuth under "Allowing Anonymous Browsing" describing how to handle this redirectiong but I haven't been able to get it to work yet.

Thank you again for your time and help!

Regards,
Melissa Soriano

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

Ryan.Lane at ocean

May 12, 2009, 6:39 AM

Post #9 of 12 (2325 views)
Permalink

Re: Authentication [In reply to]

> I have one small problem now. When a user visits
> Special:UserLogin, the user sees a pop-up screen and is
> prompted for a username and password, which is validated
> against the external database. If this validation is
> successful, the user is logged in, and can see this in the
> top-right hand corner of the page. However, the user then
> sees the Special:UserLogin page, which makes it seem as if
> the user needs to login AGAIN, which is not the case. Do you
> have any advice? I am thinking that my two main options are
> 1) to replace the text and layout of Special:UserLogin with
> something else (like "Welcome") or 2) redirect to the Main
> Page. There is some code on
> http://www.mediawiki.org/wiki/Extension:HttpAuth under
> "Allowing Anonymous Browsing" describing how to handle this
> redirectiong but I haven't been able to get it to work yet.
>

I'd recommend redirecting. You should be able to do this in Apache by
changing:

<Location /w/Special:UserLogin>
AuthType "basic"
AuthName "wiki"
AuthPAM_Enabled on
AuthPAM_FallThrough Off
SSLRequireSSL
Require valid-user
</Location>

To:

<Location /w/Special:UserLogin>
AuthType "basic"
AuthName "wiki"
AuthPAM_Enabled on
AuthPAM_FallThrough Off
SSLRequireSSL
Require valid-user

Redirect /w/Special:UserLogin https://<servername>/wiki/Main_Page
</Location>

V/r,

Ryan Lane

melissa.a.soriano at jpl

May 19, 2009, 9:31 AM

Post #10 of 12 (2244 views)
Permalink

Re: Authentication [In reply to]

Dear Ryan,

Thanks for your help. I tried redirecting by adding "Redirect /w/Special:UserLogin https://<servername>/wiki/Main_Page" to http.conf.
The pop-up box came up, I typed in my name and password, and was redirected to the Main Page, but I don't seem to be logged in. I don't see the usual logged-in icons on the top right and I don't see the option to edit pages.

Any advice?

Thanks again,
Melissa

> -----Original Message-----
> From: mediawiki-l-bounces [at] lists [mailto:mediawiki-l-
> bounces [at] lists] On Behalf Of Lane, Ryan
> Sent: Tuesday, May 12, 2009 6:40 AM
> To: MediaWiki announcements and site admin list
> Subject: Re: [Mediawiki-l] Authentication
>
> > I have one small problem now. When a user visits Special:UserLogin,
> > the user sees a pop-up screen and is prompted for a username and
> > password, which is validated against the external database. If this
> > validation is successful, the user is logged in, and can see this in
> > the top-right hand corner of the page. However, the user then sees
> > the Special:UserLogin page, which makes it seem as if the user needs
> > to login AGAIN, which is not the case. Do you have any advice? I am
> > thinking that my two main options are
> > 1) to replace the text and layout of Special:UserLogin with something
> > else (like "Welcome") or 2) redirect to the Main Page. There is some
> > code on http://www.mediawiki.org/wiki/Extension:HttpAuth under
> > "Allowing Anonymous Browsing" describing how to handle this
> > redirecting but I haven't been able to get it to work yet.
> >
>
> I'd recommend redirecting. You should be able to do this in Apache by
> changing:
>
> <Location /w/Special:UserLogin>
> AuthType "basic"
> AuthName "wiki"
> AuthPAM_Enabled on
> AuthPAM_FallThrough Off
> SSLRequireSSL
> Require valid-user
> </Location>
>
> To:
>
> <Location /w/Special:UserLogin>
> AuthType "basic"
> AuthName "wiki"
> AuthPAM_Enabled on
> AuthPAM_FallThrough Off
> SSLRequireSSL
> Require valid-user
>
> Redirect /w/Special:UserLogin https://<servername>/wiki/Main_Page
> </Location>
>
> V/r,
>
> Ryan Lane

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

Ryan.Lane at ocean

May 19, 2009, 2:30 PM

Post #11 of 12 (2249 views)
Permalink

Re: Authentication [In reply to]

> Thanks for your help. I tried redirecting by adding
> "Redirect /w/Special:UserLogin
> https://<servername>/wiki/Main_Page" to http.conf.
> The pop-up box came up, I typed in my name and password, and
> was redirected to the Main Page, but I don't seem to be
> logged in. I don't see the usual logged-in icons on the top
> right and I don't see the option to edit pages.
>
> Any advice?
>

After thinking about this, the redirect is occuring before hitting
MediaWiki, and as such, the authentication plugin isn't logging the user in.
After the redirect occurs, the user is on a page that doesn't require
authentication, so Apache isn't sending the "REMOTE_USER" variable to PHP...

I'm assuming you want the login link to work, which is why you are doing the
Location directive on /w/Special:UserLogin. So, what you can do is the
following:

Redirect /w/Special:UserLogin https://<servername>/wiki/HttpAuthRedirect

<Location /wiki/HttpAuthRedirect>
AuthType "basic"
AuthName "wiki"
AuthPAM_Enabled on
AuthPAM_FallThrough Off
SSLRequireSSL
Require valid-user
</Location>

Then protect and edit HttpAuthRedirect, and put the following line into the
page:

#REDIRECT [[Main Page]]

Your users will get two redirects when they log in, but it should work.

V/r,

Ryan Lane

melissa.a.soriano at jpl

May 20, 2009, 1:25 PM

Post #12 of 12 (2226 views)
Permalink

Re: Authentication [In reply to]

Thanks for your advice, Ryan! This worked great for my needs.

Regards,
Melissa

> I'm assuming you want the login link to work, which is why you are
> doing the Location directive on /w/Special:UserLogin. So, what you can
> do is the
> following:
>
> Redirect /w/Special:UserLogin
> https://<servername>/wiki/HttpAuthRedirect
>
> <Location /wiki/HttpAuthRedirect>
> AuthType "basic"
> AuthName "wiki"
> AuthPAM_Enabled on
> AuthPAM_FallThrough Off
> SSLRequireSSL
> Require valid-user
> </Location>
>
> Then protect and edit HttpAuthRedirect, and put the following line into
> the
> page:
>
> #REDIRECT [[Main Page]]
>
> Your users will get two redirects when they log in, but it should work.
>
> V/r,
>
> Ryan Lane

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads