Thanks, I'll take a closer look at your extension.

Well, although I understand that using LDAP against AD is supposed to work 
mostly seamlessly, I've had troubles trying to use it in our client's domain, 
mostly due to GPOs and other security constraints. For one thing, LDAP, even 
TLS-secured, is not authorized for authentication in the domain. Also, LDAP 
starts to feel like a wart -- or an overkill -- when I have to require and 
configure a PHP LDAP client on the Web server and send LDAP requests when I 
know that the web server I'm sitting on, IIS, has already authenticated the user 
via Negotiate/Kerberos and already knows the user's AD group membership and 
other such information.

Hence, I feel that the approach of a simple loopback call from the extension 
back to a .NET ASHX web handler -- which is readily available via an API in 
that environment -- is more elegant. For example, to get the AD group 
membership of the currently logged-in user (some lines removed for clarity):

In PHP, using curl:

$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, 'roles.ashx');
// Return the response body instead of echoing it straight to the client
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
$result = curl_exec($curl);
curl_close($curl);
// The handler returns a JSON array of group names, so decode it rather than
// wrapping the raw string in an array
$wgAuth->userADGroups = json_decode($result, true);

In C#, in a roles.ashx file deployed with the extension on the IIS server:

<%@ WebHandler Language="C#" Class="RolesHandler" %>

using System.Web;
using System.Web.Security;
using System.Web.Script.Serialization;

public class RolesHandler : IHttpHandler {
  public void ProcessRequest (HttpContext context) {
    // "text\json" is not a valid media type; use the JSON one
    context.Response.ContentType = "application/json";
    // Roles of the user IIS authenticated for this request (fetched once)
    string[] roles = Roles.GetRolesForUser();
    // Serialize as a JSON array so group names containing quotes or
    // backslashes are escaped instead of being written raw
    context.Response.Write(new JavaScriptSerializer().Serialize(roles));
    context.Response.End();
  }

  public bool IsReusable { get { return true; } }
}

- François
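The PHP side of this loopback approach, as an added example that is not code from the post or from NTLMActiveDirectory: it fetches the JSON array the handler above returns, rejects a malformed response instead of granting groups from it, and maps AD groups to MediaWiki groups through a mapping like the one kept from NTLMActiveDirectory. The handler URL, the name $adGroupMap and the sample data are assumptions.

```php
<?php
// Added example, not code from the post or from the NTLMActiveDirectory
// extension. Assumes roles.ashx returns a JSON array of AD group names as in
// the handler above, and that $adGroupMap (hypothetical name) is the AD -> MW
// group mapping kept from NTLMActiveDirectory. How the loopback request
// carries the IIS-authenticated user's identity is among the lines the post
// omits, so it is not shown here.

// Fetch the AD group names from the loopback handler. Returns an array of
// strings, or null on any transport or format failure, so that the caller
// grants no groups rather than wrong ones.
function fetchAdGroups( $handlerUrl ) {
    $curl = curl_init( $handlerUrl );
    curl_setopt_array( $curl, array(
        CURLOPT_RETURNTRANSFER => true, // return the body instead of echoing it
        CURLOPT_FAILONERROR    => true, // HTTP >= 400 counts as failure
        CURLOPT_TIMEOUT        => 5,
    ) );
    $body = curl_exec( $curl );
    $status = curl_getinfo( $curl, CURLINFO_HTTP_CODE );
    curl_close( $curl );
    if ( $body === false || $status !== 200 ) {
        return null;
    }
    $groups = json_decode( $body, true );
    if ( !is_array( $groups ) || $groups !== array_filter( $groups, 'is_string' ) ) {
        return null;
    }
    return $groups;
}

// Map AD group names to MediaWiki groups. AD group names are not case
// sensitive, so matching is case-insensitive; unmapped AD groups are ignored.
function mapAdGroupsToMwGroups( array $adGroups, array $adGroupMap ) {
    $lookup = array_change_key_case( $adGroupMap, CASE_LOWER );
    $mwGroups = array();
    foreach ( $adGroups as $adGroup ) {
        $key = strtolower( $adGroup );
        if ( isset( $lookup[$key] ) ) {
            $mwGroups = array_merge( $mwGroups, (array)$lookup[$key] );
        }
    }
    return array_values( array_unique( $mwGroups ) );
}

// Constructed sample: a mapping and the body roles.ashx would return.
$adGroupMap = array( 'Wiki Admins' => array( 'sysop', 'bureaucrat' ), 'Wiki Editors' => 'editor' );
$sampleBody = '["Wiki Editors","wiki admins","Domain Users"]';
$mwGroups = mapAdGroupsToMwGroups( json_decode( $sampleBody, true ), $adGroupMap );
```

In the extension, fetchAdGroups() would be called with the absolute loopback URL of roles.ashx and its result passed to mapAdGroupsToMwGroups() before assigning groups to the MediaWiki user.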

-----Original Message-----
From: Wikitech-l [mailto:[email protected]] On Behalf Of 
Ryan Lane
Sent: Tuesday, February 09, 2016 14:43
To: Wikimedia developers <[email protected]>
Subject: Re: [Wikitech-l] Windows Single Sign-On Extension

The best option here is:
https://www.mediawiki.org/wiki/Extension:LDAP_Authentication

I'm not sure why you think LDAP is a wart on Windows. Active Directory is just 
LDAP with Kerberos.

Anyway, the LDAP Authentication extension has examples of how to do auto-auth 
using kerberos. You still need LDAP for things like group membership, username 
conversion, and other integrations.

- Ryan

On Tue, Feb 9, 2016 at 9:20 AM, François St-Arnaud <[email protected]>
wrote:

> Hello,
>
> To enable Single Sign-On to a MediaWiki hosted on IIS in a Windows 
> Domain, the best MediaWiki extension I could find was NTLMActiveDirectory.
> https://www.mediawiki.org/wiki/Extension:NTLMActiveDirectory
>
> However, I had two peeves with this extension:
> 1) Its name; I'm not doing NTLM, but Negotiate and Kerberos; and
> 2) Its use of LDAP; feels too much like a wart on Windows!
>
> See, I'm sitting on an IIS box on a Windows domain with Integrated 
> Windows Authentication enabled. By the time the MW extension gets hit, 
> IIS has already authenticated the user, so why not just leverage that instead?
>
> I therefore used NTLMActiveDirectory as a starting point, but threw 
> out all the LDAP stuff and replaced it with a simple Web call to an 
> IIS-hosted handler to get the AD group membership for the already 
> authenticated user.
> Of NTLMActiveDirectory, I kept the AD / MW group mapping configuration 
> required for authorization.
>
> Personally, I find this solution much simpler and intuitive for AD 
> integration when hosting MW on a Windows/IIS box.
>
> Does this make sense to others in the community?
> Do others feel there was a need for a better AD integration extension?
> Would others in the community benefit from such an extension?
>
> If so, I would be happy to share my work, following instructions found
> here:
> https://www.mediawiki.org/wiki/Writing_an_extension_for_deployment
>
> Regards,
>
> François
>
> _______________________________________________
> Wikitech-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l