The best option here is: https://www.mediawiki.org/wiki/Extension:LDAP_Authentication

I'm not sure why you think LDAP is a wart on Windows. Active Directory is just LDAP with Kerberos. Anyway, the LDAP Authentication extension has examples of how to do auto-auth using Kerberos. You still need LDAP for things like group membership, username conversion, and other integrations.

- Ryan

On Tue, Feb 9, 2016 at 9:20 AM, François St-Arnaud <[email protected]> wrote:
> Hello,
>
> To enable Single Sign-On to a MediaWiki hosted on IIS in a Windows Domain,
> the best MediaWiki extension I could find was NTLMActiveDirectory.
> https://www.mediawiki.org/wiki/Extension:NTLMActiveDirectory
>
> However, I had two peeves with this extension:
> 1) Its name; I'm not doing NTLM, but Negotiate and Kerberos; and
> 2) Its use of LDAP; feels too much like a wart on Windows!
>
> See, I'm sitting on an IIS box on a Windows domain with Integrated Windows
> Authentication enabled. By the time the MW extension gets hit, IIS has
> already authenticated the user, so why not just leverage that instead?
>
> I therefore used NTLMActiveDirectory as a starting point, but threw out
> all the LDAP stuff and replaced it with a simple Web call to an IIS-hosted
> handler to get the AD group membership for the already authenticated user.
> Of NTLMActiveDirectory, I kept the AD / MW group mapping configuration
> required for authorization.
>
> Personally, I find this solution much simpler and intuitive for AD
> integration when hosting MW on a Windows/IIS box.
>
> Does this make sense to others in the community?
> Do others feel there was a need for a better AD integration extension?
> Would others in the community benefit from such an extension?
>
> If so, I would be happy to share my work, following instructions found
> here:
> https://www.mediawiki.org/wiki/Writing_an_extension_for_deployment
>
> Regards,
>
> François
>
> _______________________________________________
> Wikitech-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
