Extension:AuthRemoteUser

From mediawiki.org
This extension depends on the PluggableAuth extension, which must be installed first.
MediaWiki extensions manual
AuthRemoteUser
Release status: stable
Implementation: User identity
Description: Allows for authentication via the web server's REMOTE_AUTH (i.e., with Kerberos) functionality.
Author(s): Tobias Oetterer (oetterer)
Latest version: 1.0.0 (2024/06/30)
MediaWiki: 1.39
PHP: 7.1
Composer: mediawiki/auth-remote-user
License: GNU General Public License 2.0 or later
  • $wgAuthRemoteUserDomain
  • $wgAuthRemoteUserUsernameNormalizer

The AuthRemoteUser extension manages authentication via the web server's REMOTE_AUTH. Unlike Extension:Auth remoteuser, where the whole wiki requires a web server's authentication, this extension only relies upon authentication on one page (Special:AuthRemoteUser).

This extension relies on external authentication configured through the web server. Proper setup is required; without it, authentication will not function correctly. (See example in § Apache using MIT kerberos.)

Installation


Download


You can either download this extension from Git, using:

git clone https://github.com/oetterer/AuthRemoteUser

or use Composer (in which case, add the following to your composer.local.json):

{
    "require": {
        "mediawiki/auth-remote-user": "^1.0"
    }
}

Activation

Add the following to your LocalSettings.php:

wfLoadExtension('AuthRemoteUser');

Setting up webserver


Your webserver does the actual authentication, so you need to set it up properly. Please refer to your webserver documentation for instructions on how to do this.

Apache using MIT kerberos


mod_auth_gssapi

<LocationMatch ".*/index\.php">
    <If "%{QUERY_STRING} =~ /title=[^:]+:AuthRemoteUser/">
        SSLRequireSSL
        AuthType GSSAPI
        AuthName "Kerberos Login"
        GssapiCredStore keytab:/etc/keytabs/krb5.keytab.HTTP
        GssapiSSLonly On
        GssapiAllowedMech krb5
        require valid-user
    </If>
</LocationMatch>

mod_auth_kerb

<LocationMatch ".*/index\.php">
    <If "%{QUERY_STRING} =~ /title=[^:]+:AuthRemoteUser/">
        SSLRequireSSL
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        KrbAuthoritative on
        KrbAuthRealms <your krb realms>
        KrbVerifyKDC on
        Krb5KeyTab /etc/keytabs/krb5.keytab.HTTP
        require valid-user
    </If>
</LocationMatch>

Note: even if you are using a Short URL schema, you have to match against index.php?title=, because the authentication special page is accessed internally with the original linking schema.

Configuration parameters

$wgAuthRemoteUserDomain
Specify your domain for remote authentication here. The extension does not validate the domain if this variable is left empty.
$wgAuthRemoteUserUsernameNormalizer
Specify the function used to normalize the username, for example 'strtolower'. By default, the Kerberos domain is stripped and the remaining username is cast to lowercase.
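
A model of the two parameters above, added here as an illustration and not taken from the extension's source: it applies the domain check and the default normalization described on this page to a few constructed REMOTE_USER values. The function names, the user@REALM input form and the case-insensitive realm comparison are assumptions.

```php
<?php
// Added illustration; NOT the extension's source. It models the behaviour this
// page describes for a REMOTE_USER value of the form "user@REALM".

/**
 * Hypothetical helper: returns the wiki username for a principal, or null
 * when the realm does not match the configured domain.
 */
function modelRemoteUserLogin( string $remoteUser, string $domain, callable $normalizer ): ?string {
    $at = strrpos( $remoteUser, '@' );
    $realm = $at === false ? '' : substr( $remoteUser, $at + 1 );
    // An empty $domain models "$wgAuthRemoteUserDomain left empty": no check.
    // Comparing realms case-insensitively is an assumption of this model.
    if ( $domain !== '' && strcasecmp( $realm, $domain ) !== 0 ) {
        return null;
    }
    return $normalizer( $remoteUser );
}

// Models the default described above: strip the Kerberos domain, lowercase the rest.
function modelDefaultNormalizer( string $remoteUser ): string {
    $at = strrpos( $remoteUser, '@' );
    $name = $at === false ? $remoteUser : substr( $remoteUser, 0, $at );
    return strtolower( $name );
}

// Constructed sample principals, as a web server might set them in REMOTE_USER.
$principals = [ 'Alice@EXAMPLE.ORG', 'alice@PARTNER.EXAMPLE', 'bob' ];

foreach ( [ '', 'EXAMPLE.ORG' ] as $domain ) {
    printf( "domain = '%s'\n", $domain );
    foreach ( $principals as $p ) {
        $user = modelRemoteUserLogin( $p, $domain, 'modelDefaultNormalizer' );
        printf( "  %-22s -> %s\n", $p, $user ?? '(rejected)' );
    }
}
```

In this model, an empty domain lets both constructed alice principals resolve to the same wiki username, while setting the domain rejects the principal from the other realm and the one with no realm at all.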

Authentication button label

You can specify what text will be shown on the authentication button by editing the MediaWiki message MediaWiki:Auth-remote-user-login-button-label and its localizations.

User rights

Please see Extension:PluggableAuth.

See also

Authentication extensions
Authorization extensions