> Is it possible to use MediaWiki with Kerberos?
>

Yes, the LDAP plugin has support for this:

http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Kerberos_Configuration_Examples

However, if you don't want to use LDAP, you can still stick with the HTTP_AUTH plugin; it may just need to be slightly modified.

> I am currently using the MediaWiki HTTP_AUTH plugin and authenticating
> via Apache (which uses mod_auth_kerb as its backend). This works fine
> passing a password, which is checked against the Kerberos server because
> Apache authenticates and PHP provides the userID via
> $_SERVER[PHP_AUTH_USER]. This is then used by HTTP_AUTH.
>
> The problem arises if you do a kinit and use your Kerberos ticket to
> authenticate with Apache. For some reason, although authentication is
> successful PHP does not put the userID into $_SERVER[PHP_AUTH_USER].
> Therefore HTTP_AUTH does not get the userID and log you in.
>

As far as I can tell, it puts the user into $_SERVER["REMOTE_USER"]. Notice that the username will be in the form "<username>@<DOMAIN>.<TLD>". MediaWiki can't handle this format. I handle this in the LDAP plugin by turning this into a configuration option that is populated in LocalSettings.php:

    $wgLDAPAutoAuthUsername = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"] );

I use $wgLDAPAutoAuthUsername everywhere else.

> So, I guess the questions are:
>
> 1) Why doesn't $_SERVER[PHP_AUTH_USER] get populated (I understand it's
> something to do with different HTTP headers being used between password
> auth (which is just BASIC auth) and ticket negotiation)?
>
> 2) Is there a way that PHP can detect if Apache has carried out a
> successful Kerberos authentication?
>

If you are requiring Kerberos authentication, you can be assured that the authentication was successful if the user got to the protected resource.

> 3) Is there another/better way to make MediaWiki play with Kerberos? I
> understand there's a not terribly free as in Freedom PHP extension that
> allows PHP to play with Kerberos but I'd like to steer clear of it.
>

See the LDAP plugin; just remember that you'll also have to configure LDAP (which can be a PITA depending on your environment).

V/r,

Ryan Lane
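
Added example (not part of the original message, and not code from the LDAP or HTTP_AUTH plugins): the one-line preg_replace in the reply discards the realm, so if the web server accepts principals from more than one realm, different principals would map to the same wiki username. This PHP function checks the realm before stripping it; the function name, the EXAMPLE.ORG realm, the username character policy and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: map the principal in REMOTE_USER to a local username,
// but only when it belongs to the realm this wiki is meant to serve.
// kerberosPrincipalToUsername() and EXAMPLE.ORG are hypothetical names.

function kerberosPrincipalToUsername( array $server, string $expectedRealm ): ?string {
    $principal = $server['REMOTE_USER'] ?? '';
    if ( !is_string( $principal ) || $principal === '' ) {
        return null; // the web server did not authenticate anyone
    }

    // Expect exactly "<username>@<REALM>"; reject extra "@" or empty parts.
    $parts = explode( '@', $principal );
    if ( count( $parts ) !== 2 || $parts[0] === '' || $parts[1] === '' ) {
        return null;
    }
    [ $user, $realm ] = $parts;

    // Realm names are case-sensitive, so compare exactly.
    if ( $realm !== $expectedRealm ) {
        return null;
    }

    // Assumed policy: plain usernames only. A principal with an instance
    // component ("alice/admin") is not treated as the same user as "alice".
    if ( !preg_match( '/^[A-Za-z0-9._-]+$/D', $user ) ) {
        return null;
    }
    return $user;
}

// Constructed sample inputs standing in for $_SERVER.
$samples = [
    [ 'REMOTE_USER' => 'alice@EXAMPLE.ORG' ],       // expected realm
    [ 'REMOTE_USER' => 'alice@OTHER.EXAMPLE.NET' ], // different realm
    [ 'REMOTE_USER' => 'alice/admin@EXAMPLE.ORG' ], // instance component
    [],                                             // REMOTE_USER not set
];

foreach ( $samples as $server ) {
    $name = kerberosPrincipalToUsername( $server, 'EXAMPLE.ORG' );
    echo ( $server['REMOTE_USER'] ?? '(unset)' ), ' => ', var_export( $name, true ), "\n";
}
```

In LocalSettings.php the return value would take the place of the preg_replace result, with a null result treated as "no automatic login".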
