Extension:AuthRemoteUser

From mediawiki.org


This extension requires the PluggableAuth extension to be installed first.
MediaWiki extensions manual
AuthRemoteUser
Release status: stable
Implementation User identity
Description A MediaWiki extension to allow for authentication via the webserver's REMOTE_AUTH (i.e. with Kerberos) functionality.
Author(s) oetterer
Latest version 1.0.0 (2024/06/30)
MediaWiki 1.39
PHP 7.1
Composer mediawiki/auth-remote-user
License GNU General Public License 2.0 or later
Download
README
  • $wgAuthRemoteUserDomain
  • $wgAuthRemoteUserUsernameNormalizer

The AuthRemoteUser extension manages authentication via the webserver's REMOTE_AUTH. Unlike Extension:Auth_RemoteUser, where the whole wiki requires webserver authentication, this extension relies on authentication for one page only (Special:AuthRemoteUser).

This extension relies upon external authentication by your webserver. You are required to set this up properly, or your authentication won't work (see the examples below).

Installation

Download

You can either download this from git

git clone https://github.com/oetterer/AuthRemoteUser

or use composer (in which case, add the following to your composer.local.json)

{
	"require": {
		"mediawiki/auth-remote-user": "^1.0"
	}
}

Activation

Add the following to your LocalSettings.php

wfLoadExtension( 'AuthRemoteUser' );

Setting up webserver

The actual authentication is done by your webserver, so you need to set it up properly. Please refer to your webserver documentation on how to do this.

Apache using MIT kerberos

mod_auth_gssapi

<LocationMatch ".*/index\.php">
    <If "%{QUERY_STRING} =~ /title=[^:]+:AuthRemoteUser/">
        SSLRequireSSL
        AuthType GSSAPI
        AuthName "Kerberos Login"
        GssapiCredStore keytab:/etc/keytabs/krb5.keytab.HTTP
        GssapiSSLonly On
        GssapiAllowedMech krb5
        require valid-user
    </If>
</LocationMatch>

mod_auth_kerb

<LocationMatch ".*/index\.php">
    <If "%{QUERY_STRING} =~ /title=[^:]+:AuthRemoteUser/">
        SSLRequireSSL
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        KrbAuthoritative on
        KrbAuthRealms <your krb realms>
        KrbVerifyKDC on
        Krb5KeyTab /etc/keytabs/krb5.keytab.HTTP
        require valid-user
    </If>
</LocationMatch>

Note: even if you are using a Short URL scheme, you have to match against index.php?title=, because the authentication special page is accessed internally with the original linking scheme.

Configuration parameters

$wgAuthRemoteUserDomain
Specify your domain for remote authentication here. The extension does no domain validation if this variable is left empty.
$wgAuthRemoteUserUsernameNormalizer
Use this function for normalizing the username, for example 'strtolower'. By default, the Kerberos domain is stripped and the remaining username is cast to lowercase.
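
An added example (not taken from the extension or its README) showing both parameters together in LocalSettings.php, with the empty-domain setting beside a restricted one. Assumptions: EXAMPLE.ORG and OTHER.EXAMPLE are placeholder realms, wfExampleNormalizeRemoteUser is a hypothetical function name, and the normalizer is assumed to be called with the webserver-supplied name as its only argument.

```php
<?php
// Added example for LocalSettings.php (not the extension's own code).
// EXAMPLE.ORG is a placeholder realm; the function name is hypothetical.

// Weak: an empty value means the extension does no domain validation.
// $wgAuthRemoteUserDomain = '';

// Restricted: name the one domain whose principals may log in.
$wgAuthRemoteUserDomain = 'EXAMPLE.ORG';

/**
 * Custom normalizer mirroring the documented default: strip the Kerberos
 * domain, lowercase the rest. Assumption: the extension passes the
 * webserver-supplied name (e.g. "Alice@EXAMPLE.ORG") as the only argument.
 */
function wfExampleNormalizeRemoteUser( string $remoteUser ): string {
	$remoteUser = trim( $remoteUser );
	// The domain follows the last '@'; a name without '@' is kept whole.
	$at = strrpos( $remoteUser, '@' );
	$local = $at === false ? $remoteUser : substr( $remoteUser, 0, $at );
	// mb_strtolower lowercases non-ASCII letters as well.
	return mb_strtolower( $local, 'UTF-8' );
}

// Referenced by name, like the 'strtolower' example in the description above.
$wgAuthRemoteUserUsernameNormalizer = 'wfExampleNormalizeRemoteUser';

// Constructed sample principals, printed only when this file is run
// directly with the PHP CLI outside MediaWiki.
if ( PHP_SAPI === 'cli' && !defined( 'MEDIAWIKI' ) ) {
	$samples = [ 'Alice@EXAMPLE.ORG', 'alice@OTHER.EXAMPLE', 'bob' ];
	foreach ( $samples as $principal ) {
		printf( "%-22s -> %s\n", $principal, wfExampleNormalizeRemoteUser( $principal ) );
	}
	// The first two samples map to the same name once the domain is
	// stripped, so the normalizer cannot tell the two realms apart.
}
```

Because normalization discards the domain, $wgAuthRemoteUserDomain should not be left empty when principals from more than one realm can authenticate to the webserver.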

Authentication button label

You can specify the text shown on the authentication button by editing the MediaWiki message MediaWiki:Auth-remote-user-login-button-label and its localizations.

User rights

Please see Extension:PluggableAuth.

See also
