One of my current projects involves creating an internal knowledge base. Wiki’s being a natural for this sort of collaborative content building, I started exploring MediaWiki the engine behind Wikipedia.
An intranet implies a much more closed community than that of the typical Wiki implementation. That being the case, our requirements were;
- Authenticate users using their standard Windows Domain username/password.
- Resrtict access (read, write) to only authenticated users
I wasn’t sure if domain authentication would be possible using the standard LAMP setup. So, instead I opted to use IIS 6. A great step by step guide for installing MediaWiki on Windows 2003 can be found at http://meta.wikimedia.org/wiki/Installing_MediaWiki_on_Windows_Server_2003_SP1
After getting PHP, MySql, IIS, and MediaWiki installed, you can start configuring LocalSettings.php in the root directory of your wiki installation. To perform the following, simple append the code snippet to LocalSettings.php.
1. Restrict edit to logged in users
$wgGroupPermissions[‘*’][‘edit’] = false;
$wgGroupPermissions[‘user’][‘edit’] = true;
2. Prevent new registrations from anonymous users (Sysops can still create new account)
$wgGroupPermissions[‘*’][‘createaccount’] = false;
3. Define the pages un-authenticate users can see. This is crucial. Otherwise, there’s no way for people to login.
$wgWhitelistRead = array( "Main Page", "Special:Userlogin", "-", "MediaWiki:Monobook.css" );
$wgGroupPermissions[‘*’ ][‘read’] = false;
4. Authenticate users from an Active Directory.
You will need to download LDAPauthenticate.php from http://bugzilla.wikipedia.org/show_bug.cgi?id=814 to the includes directory in the root of your wiki installation. Details on this file and its usage can be found at http://meta.wikimedia.org/wiki/LDAP. There are links to some configuration examples. However I found the one for AD did not work without modifcation. Here is what I eventually had success with. In my example, the AD name is ad_name.org and the hostname of the server hosting the AD (domain controller) is DC1 and the domain is Domain_name. Subsitute your AD name and Hostname in the following code. In some cases the Active Directory name and Domain name may be the same.
require_once( ‘LdapAuthentication.php’ );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "ad_name.org" );
$wgLDAPServerNames = array( "ad_name.org"=>"dc1" );
$wgLDAPUseSSL = false;
$wgLDAPUseLocal = false;
$wgLDAPAddLDAPUsers = false;
$wgLDAPUpdateLDAP = false;
$wgLDAPMailPassword = false;
$wgLDAPRetrievePrefs = true;
$wgMinimalPasswordLength = 1;
$wgLDAPSearchStrings = array( "ad_name.org"=>"Domain_name\\USER-NAME" );
Viola. Your wiki is now restricted to only users with valid domain accounts. The lines, $wgLDAPAddLDAPUsers = false; and $wgLDAPUpdateLDAP = false; restrict users from updating their LDAP info via the wiki interface.
Unfortunately there are two things I have not had success with. I have not had success populating the fields (name, email, etc) in the preferences tab after a user has logged in. The tag $wgLDAPRetrievePrefs = true; is supposed to make this happen but it does not.
Additional, I have yet to secure authentication by implementing SSL. Note – $wgLDAPUseSSL = false; This I fairly important and should be done before rolling this out to my users.
I’ll update this post with any additonal information I find. Please let me know if you have an success with these last two items.
3/20/2007 – There is a new version (1.1) of the LDAPauthentication extension. Some of this article may be outmoded as a result. See Part 3 of the series.