using ldap with mediawiki at rit

| 1 Comment

This summer I'm not over-committed, which means I'm getting to indulge my inner geek with web implementation challenges.

First up was figuring out how to install a wiki that could be used only by specific RIT faculty and staff members, without requiring them to create (and remember) yet another user ID and login.

RIT has a centralized authentication database (an LDAP server) that can be queried by other on-campus servers, so I wanted to be able to tap into that for authentication on the wiki. Happily, there's a plugin for Mediawiki (the open source wiki software used by Wikipedia) to enable LDAP authentication. Less happily, it took a while to find documentation for it. Even less happily than that, RIT provides no public documentation of their LDAP server, so I had to do a lot of trial-and-error to get things working. Here's what I ended up doing:

1) Downloaded and installed the latest version of Mediawiki in my account on the departmental web server. (Note: don't bother trying this on Gibson; you won't be able to proceed past this step.)

2) Set up a wiki database in mySQL for Mediawiki to use, and ran the Mediawiki installation. Gave the default admin user for the wiki the same username as my RIT login (ellics) -- this is important.

3) Disabled anonymous access to the wiki, by adding these lines to LocalSettings.php:

The last line makes it possible for an unauthenticated user to view the main page and the login page (and the logout page, which is necessary for users who are authenticated but not trusted, as described in later steps).

4) Installed the Mediawiki LDAPAuthentication plugin in the extensions directory of my Mediawiki directory.

5) Configured the plugin using these instructions provided by the developer (which, puzzlingly, aren't linked anywhere from the plugin page). Do not use the "Part 1" instructions, which are for AD (Active Directory) LDAP installations. For RIT's server, you must use the Part 2 instructions for Posix LDAP installations. Here are the lines I added to my LocalSettings.php file to enable authentication:

At this point, anyone with a valid RIT account could log into the wiki using their standard RIT login and password. However, we want to restrict access to only faculty and staff in our department. I evaluated and discarded two approaches to this problem--first, getting a custom group established in LDAP to authenticate against (bad because it requires going through central IT for any changes), and second, using .htaccess to limit access (bad because it requires two logins and https URLs). I finally settled on using a custom group within Mediawiki to distinguish between trusted and untrusted users.

6) First, I disabled access to most functionality for all users:

(This is why I needed to include the logout page in the whitelist--otherwise untrusted users could log in, but not log out.)

7) Then I re-enabled that access for members of a new group called Trusted:

Because Mediawiki uses the most permissive group you belong to when determining access, this (or administrator access) overrides the restrictions from the previous step.

8) Anyone with administrative access has the ability to assign a user to a group, which means that once a faculty or staff member has logged into the wiki for the first time, an administrator has to grant them full access.

And that's it. It seems to be working well on one server right now; I'm going to move it to a different server this week and see if it holds up. If so, I'm hoping these instructions will help others facing the same problem in the future.

1 Comment

The documentation should be really easy to find. You find it the same place you do as the extension. See the configuration section, the options section and the FAQ.

My blog posts are really meant more as how-tos than documentation. BTW, those are linked to from the configuration section.

Leave a comment

About this Entry

This page contains a single entry published on May 30, 2010 11:36 AM.

links for 2010-05-29 was the previous entry in this blog.

summertime, summertime, sum-sum-summertime is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.

Archives

Category Archives