If this is what you'll need, you're going to need to write a custom
extension. None of the existing auth extensions do this.

On Tue, Feb 9, 2016 at 2:35 PM, François St-Arnaud <fstarn...@logisphere.ca>
wrote:

> Thanks, I'll take a closer look at your extension.
>
> Well, although I understand that using LDAP against AD is supposed to work
> mostly seamlessly, I've had troubles trying to use it in our client's
> domain, mostly due to GPOs and other security constraints. For one thing,
> LDAP, even TLS-secured, is not authorized for authentication in the domain.
> Also, LDAP starts to feel like a wart -- or an overkill -- when I have to
> require and configure a PHP LDAP client on the Web server and send LDAP
> requests when I know that the web server I'm sitting on, IIS, has already
> authenticated the user via Negotiate/Kerberos and already knows the user's
> AD group membership and other such information.
>
> Hence, I feel that the approach of a simple loopback call from the
> extension back to a .NET ASHX web handler -- which is readily available via
> an API in that environment -- is more elegant. For example, to get the AD
> group membership of the currently logged-in user (some lines removed for
> clarity):
>
> In PHP, using curl:
>
> $curl = curl_init();
> curl_setopt($curl, CURLOPT_URL, 'roles.ashx'); // full URL of the handler goes here
> curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); // return the body instead of true/false
> $result = curl_exec($curl);
> curl_close($curl);
> // the handler returns a JSON array of group names: decode it rather than
> // wrapping the raw string in Array()
> $wgAuth->userADGroups = ($result === false) ? [] : json_decode($result, true);
>
> In C#, in a roles.ashx file deployed with the extension on the IIS server:
>
> <%@ WebHandler Language="C#" Class="RolesHandler" %>
> using System.Web;
> using System.Web.Security;
> using System.Web.Script.Serialization;
>
> public class RolesHandler : IHttpHandler {
>   public bool IsReusable { get { return false; } }
>
>   public void ProcessRequest (HttpContext context) {
>     // JSON MIME type is application/json (not "text\json")
>     context.Response.ContentType = "application/json";
>     // Roles of the identity IIS authenticated on this request; serialize
>     // them so a quote or backslash in a group name cannot break the JSON
>     // the PHP side parses.
>     string[] roles = Roles.GetRolesForUser();
>     context.Response.Write(new JavaScriptSerializer().Serialize(roles));
>     context.Response.End();
>   }
> }
>
> - François
>
> -----Original Message-----
> From: Wikitech-l [mailto:wikitech-l-boun...@lists.wikimedia.org] On
> Behalf Of Ryan Lane
> Sent: Tuesday, February 09, 2016 14:43
> To: Wikimedia developers <wikitech-l@lists.wikimedia.org>
> Subject: Re: [Wikitech-l] Windows Single Sign-On Extension
>
> The best option here is:
> https://www.mediawiki.org/wiki/Extension:LDAP_Authentication
>
> I'm not sure why you think LDAP is a wart on Windows. Active Directory is
> just LDAP with Kerberos.
>
> Anyway, the LDAP Authentication extension has examples of how to do
> auto-auth using kerberos. You still need LDAP for things like group
> membership, username conversion, and other integrations.
>
> - Ryan
>
> On Tue, Feb 9, 2016 at 9:20 AM, François St-Arnaud <fstarn...@logisphere.ca>
> wrote:
>
> > Hello,
> >
> > To enable Single Sign-On to a MediaWiki hosted on IIS in a Windows
> > Domain, the best MediaWiki extension I could find was
> > NTLMActiveDirectory.
> > https://www.mediawiki.org/wiki/Extension:NTLMActiveDirectory
> >
> > However, I had two peeves with this extension:
> > 1) Its name; I'm not doing NTLM, but Negotiate and Kerberos; and
> > 2) Its use of LDAP; feels too much like a wart on Windows!
> >
> > See, I'm sitting on an IIS box on a Windows domain with Integrated
> > Windows Authentication enabled. By the time the MW extension gets hit,
> > IIS has already authenticated the user, so why not just leverage that
> > instead?
> >
> > I therefore used NTLMActiveDirectory as a starting point, but threw
> > out all the LDAP stuff and replaced it with a simple Web call to an
> > IIS-hosted handler to get the AD group membership for the already
> > authenticated user.
> > Of NTLMActiveDirectory, I kept the AD / MW group mapping configuration
> > required for authorization.
> >
> > Personally, I find this solution much simpler and intuitive for AD
> > integration when hosting MW on a Windows/IIS box.
> >
> > Does this make sense to others in the community?
> > Do others feel there was a need for a better AD integration extension?
> > Would others in the community benefit from such an extension?
> >
> > If so, I would be happy to share my work, following instructions found
> > here:
> > https://www.mediawiki.org/wiki/Writing_an_extension_for_deployment
> >
> > Regards,
> >
> > François
> >
> > _______________________________________________
> > Wikitech-l mailing list
> > Wikitech-l@lists.wikimedia.org
> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
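As an added example (not code from this thread, from NTLMActiveDirectory or from the LDAP Authentication extension), here is what the MediaWiki side of the loopback approach François describes looks like with proper error handling: the PHP fetches the handler's JSON, validates it, and applies an AD-to-MediaWiki group mapping of the kind he kept from NTLMActiveDirectory. The handler URL, the `$groupMap` contents, the domain name and the sample response are constructed placeholders. One point to keep in mind when building on this: `Roles.GetRolesForUser()` reports the roles of whatever identity IIS attached to the loopback request, so the extension has to make sure that request is made in the end user's security context rather than the web server's; the example below takes the handler's response as given and fails closed (no groups) on any transport or parsing error.

```php
<?php
// Added example, not from the thread: consume roles.ashx from the
// MediaWiki side and map AD groups to MediaWiki groups.
// $handlerUrl and $groupMap below are illustrative assumptions.

/**
 * Loopback call to the IIS handler. Returns the response body, or null on
 * any transport or HTTP failure so the caller can fail closed.
 */
function fetchAdGroupsJson(string $handlerUrl): ?string {
    $curl = curl_init($handlerUrl);
    curl_setopt_array($curl, [
        CURLOPT_RETURNTRANSFER => true, // curl_exec returns the body, not true
        CURLOPT_FAILONERROR    => true, // HTTP >= 400 counts as failure
        CURLOPT_CONNECTTIMEOUT => 2,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($curl);
    $status = curl_getinfo($curl, CURLINFO_HTTP_CODE);
    curl_close($curl);
    return ($body !== false && $status === 200) ? $body : null;
}

/**
 * Decode and validate the handler's response: it must be a JSON array of
 * non-empty strings. Anything else yields no groups (fail closed) rather
 * than the raw string the original snippet wrapped in Array().
 */
function parseAdGroups(string $json): array {
    $decoded = json_decode($json, true);
    if (!is_array($decoded)) {
        return [];
    }
    $groups = [];
    foreach ($decoded as $name) {
        if (is_string($name) && $name !== '' && strlen($name) <= 256) {
            $groups[] = $name;
        }
    }
    return $groups;
}

/**
 * Apply the AD -> MediaWiki group mapping. AD group names are compared
 * case-insensitively (AD itself is); MediaWiki group names are taken only
 * from the mapping, so a handler response can never grant a group the
 * administrator did not configure.
 */
function mapAdGroupsToMwGroups(array $adGroups, array $groupMap): array {
    $lookup = [];
    foreach ($groupMap as $adName => $mwNames) {
        $lookup[strtolower($adName)] = (array) $mwNames;
    }
    $granted = [];
    foreach ($adGroups as $adName) {
        foreach ($lookup[strtolower($adName)] ?? [] as $mwName) {
            $granted[$mwName] = true;
        }
    }
    return array_keys($granted);
}

// Constructed sample data (hypothetical domain and group names).
$groupMap = [
    'EXAMPLE\Wiki Editors' => ['editor'],
    'EXAMPLE\Wiki Admins'  => ['sysop', 'bureaucrat'],
];
// What roles.ashx would return for a user in "Wiki Editors" and "Domain Users";
// the JSON carries escaped backslashes.
$sampleResponse = '["EXAMPLE\\\\Wiki Editors","EXAMPLE\\\\Domain Users"]';

$adGroups = parseAdGroups($sampleResponse);
$mwGroups = mapAdGroupsToMwGroups($adGroups, $groupMap);
print_r($adGroups);
print_r($mwGroups);

// Live use inside the extension (handler URL is a placeholder):
// $body = fetchAdGroupsJson('https://wiki.example.invalid/roles.ashx');
// $wgAuth->userADGroups = $body === null ? [] : parseAdGroups($body);
```

With the sample data, only `editor` is granted: "Domain Users" has no mapping entry and is silently ignored, which is the intended behaviour for a mapping that acts as an allow-list.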