If this is what you'll need, you're going to need to write a custom extension. None of the existing auth extensions do this.
On Tue, Feb 9, 2016 at 2:35 PM, François St-Arnaud <fstarn...@logisphere.ca> wrote:
> Thanks, I'll take a closer look at your extension.
>
> Well, although I understand that using LDAP against AD is supposed to work
> mostly seamlessly, I've had troubles trying to use it in our client's
> domain, mostly due to GPOs and other security constraints. For one thing,
> LDAP, even TLS-secured, is not authorized for authentication in the domain.
> Also, LDAP starts to feel like a wart -- or an overkill -- when I have to
> require and configure a PHP LDAP client on the Web server and send LDAP
> requests when I know that the web server I'm sitting on, IIS, has already
> authenticated the user via Negotiate/Kerberos and already knows the user's
> AD group membership and other such information.
>
> Hence, I feel that the approach of a simple loopback call from the
> extension back to a .NET ASHX web handler -- which is readily available via
> an API in that environment -- is more elegant. For example, to get the AD
> group membership of the currently logged-in user (some lines removed for
> clarity):
>
> In PHP, using curl:
>
> $curl = curl_init();
> curl_setopt($curl, CURLOPT_URL, 'roles.ashx');
> // Return the response body from curl_exec() instead of echoing it
> curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
> $result = curl_exec($curl);
> curl_close($curl);
> // The handler answers with a JSON array of group names; decode it into a PHP array
> $wgAuth->userADGroups = json_decode($result, true);
>
> In C#, in a roles.ashx file deployed with the extension on the IIS server:
>
> public void ProcessRequest (HttpContext context) {
>     // JSON responses are served as application/json
>     context.Response.ContentType = "application/json";
>     context.Response.Write("[");
>     int i = 0;
>     int count = Roles.GetRolesForUser().Length;
>     // Emit each role of the request's authenticated user as a quoted string
>     foreach (var role in Roles.GetRolesForUser())
>     {
>         context.Response.Write('"' + role + '"');
>         if (++i != count) context.Response.Write(',');
>     }
>     context.Response.Write(']');
>     context.Response.End();
> }
>
> - François
>
> -----Original Message-----
> From: Wikitech-l [mailto:wikitech-l-boun...@lists.wikimedia.org] On
> Behalf Of Ryan Lane
> Sent: Tuesday, February 09, 2016 14:43
> To: Wikimedia developers <wikitech-l@lists.wikimedia.org>
> Subject: Re: [Wikitech-l] Windows Single Sign-On Extension
>
> The best option here is:
> https://www.mediawiki.org/wiki/Extension:LDAP_Authentication
>
> I'm not sure why you think LDAP is a wart on Windows. Active Directory is
> just LDAP with Kerberos.
>
> Anyway, the LDAP Authentication extension has examples of how to do
> auto-auth using kerberos. You still need LDAP for things like group
> membership, username conversion, and other integrations.
>
> - Ryan
>
> On Tue, Feb 9, 2016 at 9:20 AM, François St-Arnaud <
> fstarn...@logisphere.ca>
> wrote:
>
> > Hello,
> >
> > To enable Single Sign-On to a MediaWiki hosted on IIS in a Windows
> > Domain, the best MediaWiki extension I could find was
> > NTLMActiveDirectory.
> > https://www.mediawiki.org/wiki/Extension:NTLMActiveDirectory
> >
> > However, I had two peeves with this extension:
> > 1) Its name; I'm not doing NTLM, but Negotiate and Kerberos; and
> > 2) Its use of LDAP; feels too much like a wart on Windows!
> >
> > See, I'm sitting on an IIS box on a Windows domain with Integrated
> > Windows Authentication enabled. By the time the MW extension gets hit,
> > IIS has already authenticated the user, so why not just leverage that
> > instead?
> >
> > I therefore used NTLMActiveDirectory as a starting point, but threw
> > out all the LDAP stuff and replaced it with a simple Web call to an
> > IIS-hosted handler to get the AD group membership for the already
> > authenticated user.
> > Of NTLMActiveDirectory, I kept the AD / MW group mapping configuration
> > required for authorization.
> >
> > Personally, I find this solution much simpler and intuitive for AD
> > integration when hosting MW on a Windows/IIS box.
> >
> > Does this make sense to others in the community?
> > Do others feel there was a need for a better AD integration extension?
> > Would others in the community benefit from such an extension?
> >
> > If so, I would be happy to share my work, following instructions found
> > here:
> > https://www.mediawiki.org/wiki/Writing_an_extension_for_deployment
> >
> > Regards,
> >
> > François
> >
> > _______________________________________________
> > Wikitech-l mailing list
> > Wikitech-l@lists.wikimedia.org
> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
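The roles.ashx handler quoted in the thread builds its JSON by hand and answers whoever reaches it. Below is an added example of the same handler written defensively; it is not François's code nor part of NTLMActiveDirectory, and it assumes the handler is reached only by the loopback call from PHP on the same IIS host (the class name `RolesHandler` is made up for the example). Two points it shows that the quoted version does not: a serializer produces the JSON, so a group name containing a quote or backslash cannot corrupt or inject into the array the PHP side decodes; and the handler refuses unauthenticated or non-local callers. The caveat for the whole design is that `Roles.GetRolesForUser()` resolves the identity of the request the handler is serving, so the loopback request from PHP must actually present the browser user's credentials (which a plain `curl_init()` call does not do by itself); otherwise the groups returned are those of whatever account curl authenticated as, which is the case the 401 branch below turns into a visible failure rather than a wrong group list.

```csharp
using System.Web;
using System.Web.Script.Serialization;
using System.Web.Security;

// Added example handler (hypothetical name): returns the AD group names of the
// request's authenticated user as a JSON array, for a loopback caller only.
public class RolesHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Roles.GetRolesForUser() answers for the identity of *this* request.
        // If the loopback call did not carry the browser user's credentials,
        // fail loudly instead of returning groups for the wrong account.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            context.Response.End();
            return;
        }

        // The group list is meant for the PHP process on this host, not for
        // browsers; reject anything that is not a local request.
        if (!context.Request.IsLocal)
        {
            context.Response.StatusCode = 403;
            context.Response.End();
            return;
        }

        string[] groups = Roles.GetRolesForUser();

        // Serialize rather than concatenate: group names with quotes or
        // backslashes are escaped, so the PHP side always gets a valid array.
        string json = new JavaScriptSerializer().Serialize(groups);

        context.Response.ContentType = "application/json";
        // Group membership is per user; never let a proxy or client cache it.
        context.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        context.Response.Write(json);
        context.Response.End();
    }
}
```

On the PHP side this keeps the contract the thread describes (`json_decode($result, true)` yields the list of group names), and a 401 or 403 status from the handler is the signal that the loopback request reached it without the expected identity, which is worth checking before mapping AD groups to MediaWiki groups.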