Extension:AuthRemoteUser
![](https://cdn.statically.io/img/upload.wikimedia.org/wikipedia/commons/thumb/3/3b/PluggableAuth_Icon.svg/32px-PluggableAuth_Icon.svg.png)
![]() Release status: stable |
|
---|---|
Implementation | User identity |
Description | A Mediawiki extension to allow for authentication via webserver's REMOTE_AUTH (i.e. with kerberos) functionality. |
Author(s) | (oetterertalk) |
Latest version | 1.0.0 (2024/06/30) |
MediaWiki | 1.39 |
PHP | 7.1 |
Composer | mediawiki/auth-remote-user |
License | GNU General Public License 2.0 or later |
Download | GitHub: README |
|
|
The AuthRemoteUser extension manages authentication via webserver's REMOTE_AUTH
. Unlike Extension:Auth_RemoteUser where the whole wiki requires a webserver's authentication, this extension only relies upon authentication on one page (Special:AuthRemoteUser).
Installation
[edit]Download
[edit]You can either download this from git
git clone https://github.com/oetterer/AuthRemoteUser
or use composer (in which case, add the following to your composer.local.json
)
{
"require": {
"mediawiki/auth-remote-user": "^1.0"
}
}
Activation
[edit]Add the following to your LocalSettings.php
wfLoadExtension( 'AuthRemoteUser' );
Setting up webserver
[edit]The actual authentication is done by your webserver, so you need to set it up properly. Please refer to your webserver documentation on how to do this.
Apache using MIT kerberos
[edit]mod_auth_gssapi
[edit]<LocationMatch ".*/index\.php">
<If "%{QUERY_STRING} =~ /title=[^:]+:AuthRemoteUser/">
SSLRequireSSL
AuthType GSSAPI
AuthName "Kerberos Login"
GssapiCredStore keytab:/etc/keytabs/krb5.keytab.HTTP
GssapiSSLonly On
GssapiAllowedMech krb5
require valid-user
</If>
</LocationMatch>
mod_auth_kerb
[edit]<LocationMatch ".*/index\.php">
<If "%{QUERY_STRING} =~ /title=[^:]+:AuthRemoteUser/">
SSLRequireSSL
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthoritative on
KrbAuthRealms <your krb realms>
KrbVerifyKDC on
Krb5KeyTab /etc/keytabs/krb5.keytab.HTTP
require valid-user
</If>
</LocationMatch>
Note: even, if you are using Short URL schema, you have to match against index.php?title=
, because the authentication special page is accessed internally with the original linking schema.
Configuration parameters
[edit]- $wgAuthRemoteUserDomain
- Specify your domain for remote authentication here. the extension does no domain validation if this variable is left empty..
- $wgAuthRemoteUserUsernameNormalizer
- Use this function for normalizing username, for example 'strtolower'. By default, the kerberos domain is stripped and the remaining username is cast to lowercase..
Authentication button label
[edit]You can specify what text will be shown on the authentication button by editing the mediawiki message MediaWiki:Auth-remote-user-login-button-label
and its localizations.
User rights
[edit]Please see Extension:PluggableAuth