Right. As mentioned in my first post, I already have created a custom extension 
using this approach and NTLMActiveDirectory as a starting point.
Now, I wonder if it is worth sharing with the community, if others would 
benefit from an LDAP-less SSO solution for MW hosted on IIS?

-----Original Message-----
From: Wikitech-l [mailto:[email protected]] On Behalf Of 
Ryan Lane
Sent: Tuesday, February 09, 2016 17:41
To: Wikimedia developers <[email protected]>
Subject: Re: [Wikitech-l] Windows Single Sign-On Extension

If this is what you'll need, you're going to need to write a custom extension. 
None of the existing auth extensions do this.

On Tue, Feb 9, 2016 at 2:35 PM, François St-Arnaud <[email protected]>
wrote:

> Thanks, I'll take a closer look at your extension.
>
> Well, although I understand that using LDAP against AD is supposed to 
> work mostly seamlessly, I've had troubles trying to use it in our 
> client's domain, mostly due to GPOs and other security constraints. 
> For one thing, LDAP, even TLS-secured, is not authorized for authentication 
> in the domain.
> Also, LDAP starts to feel like a wart -- or an overkill -- when I have 
> to require and configure a PHP LDAP client on the Web server and send 
> LDAP requests when I know that the web server I'm sitting on, IIS, has 
> already authenticated the user via Negotiate/Kerberos and already knows 
> the user's AD group membership and other such information.
>
> Hence, I feel that the approach of a simple loopback call from the 
> extension back to a .NET ASHX web handler -- which is readily 
> available via an API in that environment -- is more elegant. For 
> example, to get the AD group membership of the currently logged-in 
> user (some lines removed for clarity):
>
> In PHP, using curl:
>
> $curl = curl_init();
> curl_setopt($curl, CURLOPT_URL, 'roles.ashx');
> curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); // needed so curl_exec() returns the body
> $result = curl_exec($curl);
> // the handler returns a JSON array of role names; decode it rather than wrapping the raw string
> $wgAuth->userADGroups = json_decode($result, true);
>
> In C#, in a roles.ashx file deployed with the extension on the IIS server:
>
> public void ProcessRequest (HttpContext context) {
>   context.Response.ContentType = "application/json";
>   context.Response.Write("[");
>   int i = 0;
>   string[] roles = Roles.GetRolesForUser(); // roles of the user IIS already authenticated
>   foreach (var role in roles)
>   {
>     // escape backslashes and quotes so a role name cannot break the JSON array
>     string escaped = role.Replace("\\", "\\\\").Replace("\"", "\\\"");
>     context.Response.Write('"' + escaped + '"');
>     if (++i != roles.Length) context.Response.Write(',');
>   }
>   context.Response.Write(']');
>   context.Response.End();
> }
>
> - François
>
> -----Original Message-----
> From: Wikitech-l [mailto:[email protected]] On 
> Behalf Of Ryan Lane
> Sent: Tuesday, February 09, 2016 14:43
> To: Wikimedia developers <[email protected]>
> Subject: Re: [Wikitech-l] Windows Single Sign-On Extension
>
> The best option here is:
> https://www.mediawiki.org/wiki/Extension:LDAP_Authentication
>
> I'm not sure why you think LDAP is a wart on Windows. Active Directory 
> is just LDAP with Kerberos.
>
> Anyway, the LDAP Authentication extension has examples of how to do 
> auto-auth using kerberos. You still need LDAP for things like group 
> membership, username conversion, and other integrations.
>
> - Ryan
>
> On Tue, Feb 9, 2016 at 9:20 AM, François St-Arnaud < 
> [email protected]>
> wrote:
>
> > Hello,
> >
> > To enable Single Sign-On to a MediaWiki hosted on IIS in a Windows 
> > Domain, the best MediaWiki extension I could find was NTLMActiveDirectory.
> > https://www.mediawiki.org/wiki/Extension:NTLMActiveDirectory
> >
> > However, I had two peeves with this extension:
> > 1) Its name; I'm not doing NTLM, but Negotiate and Kerberos; and
> > 2) Its use of LDAP; feels too much like a wart on Windows!
> >
> > See, I'm sitting on an IIS box on a Windows domain with Integrated 
> > Windows Authentication enabled. By the time the MW extension gets 
> > hit, IIS has already authenticated the user, so why not just 
> > leverage that instead?
> >
> > I therefore used NTLMActiveDirectory as a starting point, but threw 
> > out all the LDAP stuff and replaced it with a simple Web call to an 
> > IIS-hosted handler to get the AD group membership for the already 
> > authenticated user.
> > Of NTLMActiveDirectory, I kept the AD / MW group mapping 
> > configuration required for authorization.
> >
> > Personally, I find this solution much simpler and intuitive for AD 
> > integration when hosting MW on a Windows/IIS box.
> >
> > Does this make sense to others in the community?
> > Do others feel there was a need for a better AD integration extension?
> > Would others in the community benefit from such an extension?
> >
> > If so, I would be happy to share my work, following instructions 
> > found here:
> > https://www.mediawiki.org/wiki/Writing_an_extension_for_deployment
> >
> > Regards,
> >
> > François
> >
> > _______________________________________________
> > Wikitech-l mailing list
> > [email protected]
> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
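An added example, not code from François's extension or from NTLMActiveDirectory, showing the consumer side of the loopback design discussed in the thread: it fetches the role list from the ASHX handler, refuses anything that is not a well-formed JSON array of non-empty strings before the result can influence authorization, and applies an AD-to-MW group mapping of the kind the extension keeps from NTLMActiveDirectory. The handler URL, the mapping and the function names are assumptions.

```php
<?php
/**
 * Added example (not part of any MediaWiki extension). Fetches the AD groups of the
 * current user from a loopback ASHX handler and validates the response strictly,
 * because the decoded list feeds authorization decisions.
 */
function fetchAdGroups(string $url): array {
    $curl = curl_init($url);
    curl_setopt_array($curl, [
        CURLOPT_RETURNTRANSFER => true,  // return the body instead of echoing it
        CURLOPT_CONNECTTIMEOUT => 2,
        CURLOPT_TIMEOUT        => 5,
        CURLOPT_FOLLOWLOCATION => false, // a redirect must not change which host we ask
    ]);
    $body   = curl_exec($curl);
    $status = curl_getinfo($curl, CURLINFO_RESPONSE_CODE);
    curl_close($curl);
    if ($body === false || $status !== 200) {
        throw new RuntimeException("roles handler failed (HTTP $status)");
    }
    // depth 2 allows only a flat array of scalars; nested structures are rejected
    $groups = json_decode($body, true, 2, JSON_THROW_ON_ERROR);
    if (!is_array($groups)) {
        throw new UnexpectedValueException('roles handler did not return a JSON array');
    }
    foreach ($groups as $group) {
        if (!is_string($group) || $group === '') {
            throw new UnexpectedValueException('role list must contain only non-empty strings');
        }
    }
    return array_values(array_unique($groups));
}

/**
 * Map AD groups to MediaWiki groups. $mapping is "AD group" => [MW groups].
 * AD groups without a mapping grant nothing, so an unexpected group never
 * becomes an accidental sysop.
 */
function mapAdGroupsToMwGroups(array $adGroups, array $mapping): array {
    $mw = [];
    foreach ($adGroups as $ad) {
        foreach ($mapping[$ad] ?? [] as $group) {
            $mw[$group] = true;
        }
    }
    return array_keys($mw);
}

// Constructed mapping for illustration (assumed, not from any real wiki config).
$adToMw = ['DOMAIN\\Wiki-Admins' => ['sysop', 'bureaucrat'], 'DOMAIN\\Wiki-Editors' => ['editor']];
// $wgAuth->userADGroups = fetchAdGroups('http://localhost/roles.ashx'); // assumed handler URL
// $mwGroups = mapAdGroupsToMwGroups($wgAuth->userADGroups, $adToMw);
```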