Never hurts :)

On Tue, Feb 9, 2016 at 6:06 PM, François St-Arnaud <[email protected]> wrote:

> Right. As mentioned in my first post, I already have created a custom
> extension using this approach and NTLMActiveDirectory as a starting point.
> Now, I wonder if it is worth sharing with the community, if others would
> benefit from an LDAP-less SSO solution for MW hosted on IIS?
>
> -----Original Message-----
> From: Wikitech-l [mailto:[email protected]] On Behalf Of Ryan Lane
> Sent: Tuesday, February 09, 2016 17:41
> To: Wikimedia developers <[email protected]>
> Subject: Re: [Wikitech-l] Windows Single Sign-On Extension
>
> If this is what you'll need, you're going to need to write a custom
> extension. None of the existing auth extensions do this.
>
> On Tue, Feb 9, 2016 at 2:35 PM, François St-Arnaud <[email protected]> wrote:
>
> > Thanks, I'll take a closer look at your extension.
> >
> > Well, although I understand that using LDAP against AD is supposed to
> > work mostly seamlessly, I've had troubles trying to use it in our
> > client's domain, mostly due to GPOs and other security constraints.
> > For one thing, LDAP, even TLS-secured, is not authorized for
> > authentication in the domain.
> > Also, LDAP starts to feel like a wart -- or an overkill -- when I have
> > to require and configure a PHP LDAP client on the Web server and send
> > LDAP requests when I know that the web server I'm sitting on, IIS, has
> > already authenticated the user via Negotiate/Kerberos and already knows
> > the user's AD group membership and other such information.
> >
> > Hence, I feel that the approach of a simple loopback call from the
> > extension back to a .NET ASHX web handler -- which is readily
> > available via an API in that environment -- is more elegant. For
> > example, to get the AD group membership of the currently logged-in
> > user (some lines removed for clarity):
> >
> > In PHP, using curl:
> >
> > $curl = curl_init();
> > // curl needs the absolute loopback URL of the handler on this IIS host here.
> > curl_setopt($curl, CURLOPT_URL, 'roles.ashx');
> > // Without RETURNTRANSFER, curl_exec() echoes the body and returns true.
> > curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
> > $result = curl_exec($curl);
> > curl_close($curl);
> > // The handler returns a JSON array of group names; decode it instead of
> > // wrapping the raw JSON string in a one-element array.
> > $wgAuth->userADGroups = json_decode($result, true);
> >
> > In C#, in a roles.ashx file deployed with the extension on the IIS server:
> >
> > // Needs System.Web.Security (Roles) and System.Web.Script.Serialization
> > // (JavaScriptSerializer, from System.Web.Extensions.dll).
> > public void ProcessRequest (HttpContext context) {
> >     // JSON media type; "text\json" is not a valid content type.
> >     context.Response.ContentType = "application/json";
> >     // Roles for the identity IIS authenticated on this request.
> >     string[] roles = Roles.GetRolesForUser();
> >     // Serialize properly so quotes or backslashes in a group name are escaped.
> >     context.Response.Write(new JavaScriptSerializer().Serialize(roles));
> >     context.Response.End();
> > }
> >
> > - François
> >
> > -----Original Message-----
> > From: Wikitech-l [mailto:[email protected]] On Behalf Of Ryan Lane
> > Sent: Tuesday, February 09, 2016 14:43
> > To: Wikimedia developers <[email protected]>
> > Subject: Re: [Wikitech-l] Windows Single Sign-On Extension
> >
> > The best option here is:
> > https://www.mediawiki.org/wiki/Extension:LDAP_Authentication
> >
> > I'm not sure why you think LDAP is a wart on Windows. Active Directory
> > is just LDAP with Kerberos.
> >
> > Anyway, the LDAP Authentication extension has examples of how to do
> > auto-auth using kerberos. You still need LDAP for things like group
> > membership, username conversion, and other integrations.
> >
> > - Ryan
> >
> > On Tue, Feb 9, 2016 at 9:20 AM, François St-Arnaud <[email protected]> wrote:
> >
> > > Hello,
> > >
> > > To enable Single Sign-On to a MediaWiki hosted on IIS in a Windows
> > > Domain, the best MediaWiki extension I could find was NTLMActiveDirectory.
> > > https://www.mediawiki.org/wiki/Extension:NTLMActiveDirectory
> > >
> > > However, I had two peeves with this extension:
> > > 1) Its name; I'm not doing NTLM, but Negotiate and Kerberos; and
> > > 2) Its use of LDAP; feels too much like a wart on Windows!
> > >
> > > See, I'm sitting on an IIS box on a Windows domain with Integrated
> > > Windows Authentication enabled. By the time the MW extension gets
> > > hit, IIS has already authenticated the user, so why not just
> > > leverage that instead?
> > >
> > > I therefore used NTLMActiveDirectory as a starting point, but threw
> > > out all the LDAP stuff and replaced it with a simple Web call to an
> > > IIS-hosted handler to get the AD group membership for the already
> > > authenticated user.
> > > Of NTLMActiveDirectory, I kept the AD / MW group mapping
> > > configuration required for authorization.
> > >
> > > Personally, I find this solution much simpler and intuitive for AD
> > > integration when hosting MW on a Windows/IIS box.
> > >
> > > Does this make sense to others in the community?
> > > Do others feel there was a need for a better AD integration extension?
> > > Would others in the community benefit from such an extension?
> > >
> > > If so, I would be happy to share my work, following instructions found here:
> > > https://www.mediawiki.org/wiki/Writing_an_extension_for_deployment
> > >
> > > Regards,
> > >
> > > François
> > >
> > > _______________________________________________
> > > Wikitech-l mailing list
> > > [email protected]
> > > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
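The two pieces the thread keeps coming back to, the AD/MW group mapping François kept from NTLMActiveDirectory and the "username conversion" Ryan says LDAP is normally used for, as an added PHP example. This is not code from the thread, from NTLMActiveDirectory, or from François's extension. It assumes IIS hands PHP the identity as DOMAIN\user or user@REALM (as in the AUTH_USER / REMOTE_USER server variables), that the roles handler returns a JSON array of group-name strings, and a hypothetical $wgADGroupMap configuration array; the inputs at the bottom are constructed sample data.

```php
<?php
// Added example: turn the identity IIS Integrated Windows Authentication
// exposes to PHP into a MediaWiki username, then map the AD groups a
// roles.ashx-style handler returns onto MediaWiki groups.
// Assumptions (not from the thread): JSON array of strings from the handler,
// and a hypothetical $wgADGroupMap config array, AD group => MW group(s).

/**
 * Convert "DOMAIN\user" or "user@REALM" to a MediaWiki-style username:
 * domain part dropped, underscores to spaces, first letter upper-cased.
 * Returns null for an empty value or one containing a character from a
 * subset of those MediaWiki does not allow in user names.
 */
function iisUserToMwUsername( $iisUser ) {
    if ( !is_string( $iisUser ) || $iisUser === '' ) {
        return null;
    }
    $pos = strrpos( $iisUser, '\\' );          // DOMAIN\user -> user
    if ( $pos !== false ) {
        $iisUser = substr( $iisUser, $pos + 1 );
    }
    $at = strpos( $iisUser, '@' );             // user@REALM -> user
    if ( $at !== false ) {
        $iisUser = substr( $iisUser, 0, $at );
    }
    $iisUser = trim( str_replace( '_', ' ', $iisUser ) );
    if ( $iisUser === '' || preg_match( '/[#<>\[\]|{}\/@:]/', $iisUser ) ) {
        return null;
    }
    return ucfirst( $iisUser );
}

/**
 * Decode the handler's response defensively: it must be a JSON array of
 * non-empty strings. Anything else (an HTML error page, a 401 body, a
 * nested structure) yields an empty list, so a failed lookup grants no
 * groups instead of crashing or producing a bogus group name.
 */
function decodeAdGroups( $json ) {
    $decoded = json_decode( $json, true );
    if ( !is_array( $decoded ) ) {
        return [];
    }
    $groups = [];
    foreach ( $decoded as $g ) {
        if ( is_string( $g ) && $g !== '' ) {
            $groups[] = $g;
        }
    }
    return $groups;
}

/**
 * Map AD group names onto MediaWiki groups. The comparison is
 * case-insensitive because AD group names are; one AD group may map to
 * several MW groups; an unmapped AD group contributes nothing.
 */
function mapAdGroupsToMwGroups( array $adGroups, array $map ) {
    $lookup = [];
    foreach ( $map as $ad => $mw ) {
        $lookup[strtolower( $ad )] = (array)$mw;
    }
    $mwGroups = [];
    foreach ( $adGroups as $ad ) {
        $key = strtolower( $ad );
        if ( isset( $lookup[$key] ) ) {
            foreach ( $lookup[$key] as $g ) {
                $mwGroups[$g] = true;   // de-duplicate
            }
        }
    }
    return array_keys( $mwGroups );
}

// Constructed sample input standing in for IIS and the roles handler.
$wgADGroupMap = [
    'Wiki Admins'  => [ 'sysop', 'bureaucrat' ],
    'Wiki Editors' => 'editor',
];
$username = iisUserToMwUsername( 'CORP\\jane_doe' );
$adGroups = decodeAdGroups( '["Domain Users","Wiki Editors","WIKI ADMINS"]' );
$mwGroups = mapAdGroupsToMwGroups( $adGroups, $wgADGroupMap );
var_dump( $username, $mwGroups );
```

One caveat for the loopback design: `Roles.GetRolesForUser()` with no argument answers for the identity that authenticated to the handler, so the PHP-side request has to carry the wiki user's identity for the returned groups to be that user's. Whatever the omitted lines do for that, treating any response other than a JSON array as "no groups", as decodeAdGroups() does, keeps a misconfigured or failing handler from granting membership by accident.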
