Cool Solution - Setting up MediaWiki with LDAP authentication

From Univention Wiki


Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the steps shown in the article are covered by Univention Support. For questions about your support coverage, contact your contact person at Univention before implementing any of the steps shown.

Also note the legal terms in the Terms of Service.

This article describes the installation and setup of MediaWiki 1.31.0 in UCS 4.3.

Prerequisites

Install the needed packages (note: ImageMagick is recommended for image thumbnailing):

univention-install univention-mysql libapache2-mod-php php php-common \
 php-json php-xml php-cli php-curl php-readline php-mbstring php-intl \
 php-mysql php-ldap imagemagick php-imagick

Download MediaWiki and the LDAP authentication extension and extract them into the web server directory (note: you can change the wiki paths by editing the first two variables; both are reused by the later scripts in this article):

wiki_path="/var/lib/mediawiki" # The directory your wiki will rest inside
wiki_web_path="/mediawiki" # The future web subdirectory your wiki will be accessible through
tmpdir=$(mktemp -d) # A temporary working directory
mkdir -p "$wiki_path"

# Download MediaWiki and extract it
wget --show-progress -O "$tmpdir/mediawiki-1.31.0.tar.gz" https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.0.tar.gz
tar -xvzf "$tmpdir/mediawiki-1.31.0.tar.gz" -C "$wiki_path" --strip-components=1

# Download the MediaWiki LDAP extension and extract it into the extensions folder
wget --show-progress -O "$tmpdir/LdapAuthentication-REL1_31-b19888c.tar.gz" https://extdist.wmflabs.org/dist/extensions/LdapAuthentication-REL1_31-b19888c.tar.gz
tar -xvzf "$tmpdir/LdapAuthentication-REL1_31-b19888c.tar.gz" -C "$wiki_path/extensions/"

# Create a symbolic link from the web root to the wiki folder
ln -s "$wiki_path" "/var/www${wiki_web_path}"

# Set the correct folder and file permissions
find "$wiki_path" -type f -exec chmod 644 {} \;
find "$wiki_path" -type d -exec chmod 755 {} \;

# Remove the temporary working directory again
rm -r "$tmpdir"

Installing MediaWiki

Now the actual installation of MediaWiki is in order. Use the following script to create the database and generate your LocalSettings.php file (it reuses the wiki_path and wiki_web_path variables from the previous script):

# Please set the name of the wiki, the language and your future local admin password here
wiki_name="<YOUR_WIKI_NAME>"
wiki_lang="en" # Possible language codes are listed at: https://www.mediawiki.org/wiki/Manual:$wgLanguageCode
admin_username="Admin"
admin_password="<YOUR_ADMIN_PASSWORD>"

# Generate the database password according to your machine password policy
eval "$(ucr --shell search machine/password/length machine/password/complexity)"
if [ -z "$machine_password_length" ]; then machine_password_length=20; fi
if [ -z "$machine_password_complexity" ]; then machine_password_complexity="scn"; fi

# Create the database and generate the LocalSettings.php file
# (the generated database password is also stored in /etc/mysql-mediawiki.secret)
php "$wiki_path/maintenance/install.php" \
 --confpath="$wiki_path" \
 --scriptpath="$wiki_web_path" \
 --installdbuser="root" \
 --installdbpass="$(cat /etc/mysql.secret)" \
 --dbserver="localhost" \
 --dbname="mediawiki" \
 --dbuser="mediawiki" \
 --dbpass="$(pwgen -1 -${machine_password_complexity} ${machine_password_length} | tee /etc/mysql-mediawiki.secret)" \
 --server="http://$(hostname -f)" \
 --lang="$wiki_lang" \
 --with-extensions \
 --pass="$admin_password" \
 "$wiki_name" \
 "$admin_username"

You can reach your MediaWiki by visiting the given URL (the --server value above). Note that tee creates /etc/mysql-mediawiki.secret with the default umask, so restrict the file containing the database password to root (chmod 600) right after the installation.

Setting up LDAP authentication

Use the following script to generate the needed settings for your LocalSettings.php file.
You will need a simple authentication account that MediaWiki uses to look up and authenticate your members. Follow the LDAP search user Cool Solution to create one.

# Please set the data of a simple authentication account here.
# Instructions on creating one can be found here: https://wiki.univention.de/index.php/Cool_Solution_-_LDAP_search_user
ldap_search_user="uid=mediawiki-search,cn=users,<YOUR_LDAP_BASE>"
ldap_search_password="<YOUR_LDAP_SEARCH_PASSWORD>"

# Obtain global domain configuration data
eval "$(ucr --shell search domainname \
ldap/base \
ldap/server/port \
ldap/server/name \
ldap/server/addition)"

# Fall back to the UCS LDAP port and build the space-separated server list
if [ -z "$ldap_server_port" ]; then ldap_server_port=7389; fi
if [ -z "$ldap_server_addition" ]; then
    ldap_hosts=$(echo "$ldap_server_name" | sed "s/'\|\"//g")
else
    ldap_hosts=$(echo "$ldap_server_name $ldap_server_addition" | sed "s/'\|\"//g")
fi

# Append the final LDAP extension configuration to the end of your $wiki_path/LocalSettings.php file
# (\$ keeps the PHP variable names literal, ${...} is expanded by the shell):
cat >> "$wiki_path/LocalSettings.php" <<EOF

# Univention LDAP Configuration
require_once "\$IP/extensions/LdapAuthentication/LdapAuthentication.php";

\$wgAuth = new LdapAuthenticationPlugin();
\$wgLDAPDomainNames = array( '${domainname}' );
\$wgLDAPServerNames = array( '${domainname}' => '${ldap_hosts}' );
\$wgLDAPUseLocal = false;
\$wgLDAPEncryptionType = array( '${domainname}' => 'tls' );
\$wgLDAPPort = array( '${domainname}' => ${ldap_server_port} );
\$wgLDAPProxyAgent = array( '${domainname}' => '${ldap_search_user}' );
\$wgLDAPProxyAgentPassword = array( '${domainname}' => '${ldap_search_password}' );
\$wgLDAPSearchAttributes = array( '${domainname}' => 'uid' );
\$wgLDAPBaseDNs = array( '${domainname}' => '${ldap_base}' );
\$wgLDAPUserBaseDNs = array( '${domainname}' => 'cn=users,${ldap_base}' );
\$wgLDAPGroupBaseDNs = array( '${domainname}' => 'cn=groups,${ldap_base}' );

# Map specific LDAP attributes like e-mail addresses
\$wgLDAPPreferences = array( '${domainname}' => array('email' => 'mailPrimaryAddress', 'realname' => 'displayName', 'nickname' => 'cn' ) );

# Group based restriction:
\$wgLDAPGroupUseFullDN = array( '${domainname}' => false );
\$wgLDAPGroupObjectclass = array( '${domainname}' => 'univentionGroup' );
\$wgLDAPGroupAttribute = array( '${domainname}' => 'memberUid' );
\$wgLDAPGroupSearchNestedGroups = array( '${domainname}' => false );
\$wgLDAPGroupNameAttribute = array( '${domainname}' => 'cn' );
\$wgLDAPLowerCaseUsername = array( '${domainname}' => true );
EOF

Please confirm the validity of the content of the LocalSettings.php file after executing the script (in particular that the placeholders were replaced and that the encryption type is still 'tls').

Before testing the login, run the following command once to make sure the database tables the extension needs are created:

php "$wiki_path/maintenance/update.php"

Optional LDAP settings

If you want MediaWiki to deny access to users who are not members of one or more specific groups, execute the following command after changing <GROUP DN> to the full DN of your desired group:

cat >> "$wiki_path/LocalSettings.php" <<EOF
\$wgLDAPRequiredGroups = array( '${domainname}' => array( '<GROUP DN>' ) );
EOF
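The confirmation step above and the optional required-groups setting can be checked mechanically. The following script is an added example, not part of the Cool Solution: it parses the per-domain $wgLDAP* lines from a LocalSettings.php and reports settings that would weaken the setup (no STARTTLS/LDAPS, an unreplaced password placeholder, a proxy agent or required group DN outside the configured base DNs). The sample domain, host names and DNs in it are constructed placeholders.

```python
import re

# Constructed sample of the block the scripts above append to LocalSettings.php.
# Domain, host names and DNs are placeholders, not values from a real installation.
SAMPLE = r"""
$wgLDAPDomainNames = array( 'example.intranet' );
$wgLDAPServerNames = array( 'example.intranet' => 'ucs-master.example.intranet ucs-backup.example.intranet' );
$wgLDAPUseLocal = false;
$wgLDAPEncryptionType = array( 'example.intranet' => 'tls' );
$wgLDAPPort = array( 'example.intranet' => 7389 );
$wgLDAPProxyAgent = array( 'example.intranet' => 'uid=mediawiki-search,cn=users,dc=example,dc=intranet' );
$wgLDAPProxyAgentPassword = array( 'example.intranet' => '<YOUR_LDAP_SEARCH_PASSWORD>' );
$wgLDAPBaseDNs = array( 'example.intranet' => 'dc=example,dc=intranet' );
$wgLDAPGroupBaseDNs = array( 'example.intranet' => 'cn=groups,dc=example,dc=intranet' );
$wgLDAPRequiredGroups = array( 'example.intranet' => array( 'cn=wiki-users,cn=groups,dc=example,dc=intranet' ) );
"""

# One per-domain setting per line: $wgLDAPFoo = array( 'domain' => VALUE );
LINE = re.compile(r"^\$(wgLDAP\w+)\s*=\s*array\(\s*'[^']*'\s*=>\s*(.+?)\s*\);\s*$", re.M)

def parse_ldap_settings(text):
    """Map each per-domain $wgLDAP* setting to a str, an int or a list of str."""
    settings = {}
    for name, raw in LINE.findall(text):
        if raw.startswith("array("):      # nested array, e.g. the required groups
            settings[name] = re.findall(r"'([^']*)'", raw)
        elif raw.startswith("'"):         # quoted string
            settings[name] = raw.strip("'")
        elif raw.isdigit():               # bare integer such as the port
            settings[name] = int(raw)
        else:
            settings[name] = raw
    return settings

def check_ldap_settings(s):
    """Return a list of findings; an empty list means the block looks sane."""
    findings = []
    if s.get("wgLDAPEncryptionType") not in ("tls", "ssl"):
        findings.append("encryption type is not tls/ssl: bind credentials would travel in clear text")
    if re.fullmatch(r"<[^>]*>", str(s.get("wgLDAPProxyAgentPassword", ""))):
        findings.append("proxy agent password is still a placeholder")
    base = str(s.get("wgLDAPBaseDNs", "")).lower()
    if base and not str(s.get("wgLDAPProxyAgent", "")).lower().endswith(base):
        findings.append("proxy agent DN lies outside the configured base DN")
    group_base = str(s.get("wgLDAPGroupBaseDNs", "")).lower()
    for dn in s.get("wgLDAPRequiredGroups", []):
        if group_base and not dn.lower().endswith(group_base):
            findings.append(f"required group {dn} lies outside the group base DN")
    return findings
```

Run it against the real file with `check_ldap_settings(parse_ldap_settings(open("/var/lib/mediawiki/LocalSettings.php").read()))`; on the sample it reports only the unreplaced password placeholder.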

Further configuration options can be found in the Official extension manual.

Add MediaWiki to web services

You can add a MediaWiki service link to your system web portal using the following command.
Please note that this command uses the variable wiki_web_path defined above.

ucr set \
ucs/web/overview/entries/service/mediawiki/label="MediaWiki" \
ucs/web/overview/entries/service/mediawiki/label/de="MediaWiki" \
ucs/web/overview/entries/service/mediawiki/description="MediaWiki" \
ucs/web/overview/entries/service/mediawiki/description/de="MediaWiki" \
ucs/web/overview/entries/service/mediawiki/link="$wiki_web_path" \
ucs/web/overview/entries/service/mediawiki/icon="$wiki_web_path/resources/assets/mediawiki.png"

Known Problems

  • The installation script automatically sets the $wgServer variable to 'http://$(hostname -f)'. Users are redirected to this base URL, which can break when the wiki is reached under a different host name or scheme.
    This is easily resolved by adjusting the value or by commenting the variable out in the LocalSettings.php file. If the value is not set, MediaWiki detects the server name automatically.

BlueSpice MediaWiki

BlueSpice is an enterprise distribution that provides a working MediaWiki installation out of the box.
You can get it directly from the Univention App Center, where you can choose between a free and a commercial license.
