
Extension:AuthRemoteUser

From mediawiki.org
This extension depends on the PluggableAuth extension, which must be installed first.
MediaWiki extensions manual
AuthRemoteUser
Release status: stable
Implementation: User identity
Description: Allows for authentication via the web server's REMOTE_AUTH (i.e., with Kerberos) functionality.
Author(s): Tobias Oetterer (oetterer)
Latest version: 1.0.0 (2024/06/30)
MediaWiki: 1.39
PHP: 7.1
Composer: mediawiki/auth-remote-user
License: GNU General Public License 2.0 or later
  • $wgAuthRemoteUserDomain
  • $wgAuthRemoteUserUsernameNormalizer

The AuthRemoteUser extension manages authentication via the web server's REMOTE_AUTH. Unlike Extension:Auth remoteuser, where the whole wiki requires a web server's authentication, this extension only relies upon authentication on one page (Special:AuthRemoteUser).

This extension relies on external authentication configured through the web server. Proper setup is required; without it, authentication will not function correctly. (See example in § Apache using MIT kerberos.)

Installation

Download

You can either download this extension from Git, using:

git clone https://github.com/oetterer/AuthRemoteUser 

or use Composer, in which case add the following to your composer.local.json:

{
    "require": {
        "mediawiki/auth-remote-user": "^1.0"
    }
}

Activation

Add the following to your LocalSettings.php:

wfLoadExtension( 'AuthRemoteUser' ); 

Setting up webserver

Your webserver does the actual authentication, so you need to set it up properly. Please refer to your webserver documentation for instructions on how to do this.

Apache using MIT kerberos

mod_auth_gssapi

<LocationMatch ".*/index\.php">
  <If "%{QUERY_STRING} =~ /title=[^:]+:AuthRemoteUser/">
    SSLRequireSSL
    AuthType GSSAPI
    AuthName "Kerberos Login"
    GssapiCredStore keytab:/etc/keytabs/krb5.keytab.HTTP
    GssapiSSLonly On
    GssapiAllowedMech krb5
    require valid-user
  </If>
</LocationMatch>

mod_auth_kerb

<LocationMatch ".*/index\.php">
  <If "%{QUERY_STRING} =~ /title=[^:]+:AuthRemoteUser/">
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbAuthoritative on
    KrbAuthRealms <your krb realms>
    KrbVerifyKDC on
    Krb5KeyTab /etc/keytabs/krb5.keytab.HTTP
    require valid-user
  </If>
</LocationMatch>

Note: even if you are using a Short URL scheme, you have to match against index.php?title=, because the authentication special page is accessed internally with the original linking scheme.

Configuration parameters

$wgAuthRemoteUserDomain
Specify your domain for remote authentication here. The extension does not validate the domain if this variable is left empty.
$wgAuthRemoteUserUsernameNormalizer
Specify the function used to normalize the username, for example 'strtolower'. By default, the Kerberos domain is stripped and the remaining username is cast to lowercase.
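
How the two parameters above interact, as an added example that is not the extension's own code: a stand-alone PHP model of the described behaviour (the realm is checked only when $wgAuthRemoteUserDomain is set, then the realm is stripped and the name lowercased). The function names, the sample principals, the exact-match realm comparison and the assumption that the normalizer receives the full principal are all made up for illustration.

```php
<?php
// Hypothetical normalizer. In LocalSettings.php it would be set by name, like 'strtolower':
//   $wgAuthRemoteUserUsernameNormalizer = 'exampleNormalizeRemoteUser';
function exampleNormalizeRemoteUser( string $name ): string {
	// Drop a trailing @REALM if one is still attached, then trim and lowercase.
	$at = strrpos( $name, '@' );
	if ( $at !== false ) {
		$name = substr( $name, 0, $at );
	}
	return strtolower( trim( $name ) );
}

// Model of the documented mapping (assumption: exact realm comparison).
// Returns null when the principal is rejected.
function exampleMapPrincipal( string $principal, string $domain, callable $normalizer ): ?string {
	$at = strrpos( $principal, '@' );
	$realm = $at === false ? '' : substr( $principal, $at + 1 );
	// The realm is only validated when a domain is configured.
	if ( $domain !== '' && $realm !== $domain ) {
		return null;
	}
	$name = $normalizer( $principal );
	// An empty local part never becomes a wiki username.
	return $name === '' ? null : $name;
}

// Constructed sample principals, as a web server might report them after authentication.
$principals = [ 'Alice@EXAMPLE.ORG', 'alice@PARTNER.EXAMPLE', 'bob@EXAMPLE.ORG', '@EXAMPLE.ORG' ];

// Compare an empty domain setting with a configured one.
foreach ( [ '', 'EXAMPLE.ORG' ] as $domain ) {
	printf( "\$wgAuthRemoteUserDomain = '%s'\n", $domain );
	foreach ( $principals as $p ) {
		$user = exampleMapPrincipal( $p, $domain, 'exampleNormalizeRemoteUser' );
		printf( "  %-24s -> %s\n", $p, $user ?? '(rejected)' );
	}
}
```

With the domain left empty, principals from two realms that share a local part map to the same wiki username, which matters when the web server is configured to accept more than one realm.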

Authentication button label

You can specify what text will be shown on the authentication button by editing the MediaWiki message MediaWiki:Auth-remote-user-login-button-label and its localizations.

User rights

Please see Extension:PluggableAuth
