Difference between revisions of "Cool Solution - Setting up MediaWiki with LDAP authentication"

From Univention Wiki

(Updated to UCS 4.3)
Line 1: Line 1:
{{Version|UCS=4.1}}
+
{{Version|UCS=4.3}}
{{Version|UCS=4.2}}
 
 
{{Cool Solutions Disclaimer}}
 
{{Cool Solutions Disclaimer}}
 
{{#seo:
 
{{#seo:
Line 8: Line 7:
 
{{Review-Status}}
 
{{Review-Status}}
  
This article describes the installation and setup of MediaWiki 1.30.0 in UCS 4.2.
+
This article describes the installation and setup of MediaWiki 1.31.0 in UCS 4.3.
  
 
== Prerequisites  ==
 
== Prerequisites  ==
  
Install needed packages and afterwards restart PHP:
+
Install the needed packages (Note: ImageMagick is recommended for [https://www.mediawiki.org/wiki/Manual:Image_administration#Image_thumbnailing Image thumbnailing]):
 
<pre>
 
<pre>
univention-install univention-mysql php5-mysql php5 php5-ldap
+
univention-install univention-mysql libapache2-mod-php php php-common php-json php-xml php-cli php-curl php-readline php-mbstring php-intl php-mysql php-ldap imagemagick php-imagick
 
</pre>
 
</pre>
  
The MySQL database module must be included in PHP. Add the following line into the /etc/php5/apache2/php.ini file:
+
Enable the needed packages and reload the apache2 service
 
<pre>
 
<pre>
extension=mysql.so
+
phpenmod mbstring intl imagick
 +
systemctl reload apache2.service
 
</pre>
 
</pre>
  
Download MediaWiki and extract it to the webserver directory:
+
Download the MediaWiki and the LDAP extension and extract them to the webserver directory (Note: You can change the wiki paths by editing the first two variables):
 +
<syntaxhighlight lang="bash">
 +
wiki_path="/var/lib/mediawiki/" # The directory your wiki will rest inside
 +
wiki_web_path="/mediawiki" # The future web subdirectory your wiki will be accessible through
 +
tmpdir=$(mktemp -d) # A temporary working directory
 +
mkdir $wiki_path
  
<pre>
+
# Download the Mediawiki and extract it
cd /var/www
+
wget --show-progress -O $tmpdir/mediawiki-1.31.0.tar.gz https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.0.tar.gz
wget https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.0.tar.gz
+
tar -xvzf $tmpdir/mediawiki-1.31.0.tar.gz -C $wiki_path --strip-components=1
tar xzf mediawiki-1.30.0.tar.gz
 
mv mediawiki-1.30.0 <MEDIAWIKI FOLDER>
 
</pre>
 
 
 
Hint: Change <MEDIAWIKI FOLDER> to a name of your choice
 
 
 
== Setting up a database ==
 
Create MySQL database and corresponding user for MediaWiki:
 
 
 
<pre>
 
mysql -uroot -p$(cat /etc/mysql.secret)
 
  
create user '<DATABASE USER>'@'localhost' identified by '<DATABASE USER PASSWORD>';
+
# Download the Mediawiki LDAP extension and extract it
 +
wget --show-progress -O $tmpdir/LdapAuthentication-REL1_31-b19888c.tar.gz  https://extdist.wmflabs.org/dist/extensions/LdapAuthentication-REL1_31-b19888c.tar.gz
 +
tar -xvzf $tmpdir/LdapAuthentication-REL1_31-b19888c.tar.gz -C $wiki_path/extensions/
  
create database <DATABASE NAME>;
+
# Create a symbolic link towards the Wiki folder
 +
ln -s $wiki_path /var/www/$wiki_web_path
  
grant all on <DATABASE NAME>.* to '<DATABASE USER>'@'localhost';
+
# Set the correct folder and file permissions
 +
find $wiki_path -type f -exec chmod 644 {} \;
 +
find $wiki_path -type d -exec chmod 755 {} \;
  
quit
+
# Remove the temporary working directory again
</pre>
+
rm -R $tmpdir
 +
</syntaxhighlight>
  
 
== Installing MediaWiki ==
 
== Installing MediaWiki ==
  
Now the actual installation of MediaWiki is in order. Open this address in your browser and change <FQDN or IP> to the FQDN or IP of your server. The FQDN can be obtained with
+
Now the actual installation of MediaWiki is in order. Use the following Script to generate your LocalSettings file:
 
+
<syntaxhighlight lang="bash">
<pre>
+
# Please set the name of the wiki, the language and your future local Admin password here
hostname -f
+
wiki_name="YOUR_WIKI_NAME"
</pre>
+
wiki_lang="en" # About possible code languages can be read here: https://www.mediawiki.org/wiki/Manual:$wgLanguageCode
 
+
admin_username="Admin"
''<FQDN or IP>/<MEDIAWIKI FOLDER>/mw-config/index.php''
+
admin_password="YOUR_ADMIN_PASSWORD"
 
 
 
 
Pick the language for the actual wiki and for the installation process, click ''Continue''.
 
 
 
 
 
MediaWiki performs environmental checks now. If it finds any issues, they will be listed on this page. If everything is alright, the page will display a text saying ''The environment has been checked. You can install MediaWiki.''. If so, click Continue, otherwise adress the issues and reload the page.
 
 
 
The next page asks for database credentials create in the steps above. Provide MediaWiki with the database host, database name, prefix (if wanted), database username and password and click ''Continue''.
 
  
Now you have to tell MediaWiki what kind of database shall be created. We recommend applying the default values:
+
# Generate your database password according to your machine password policy
 +
eval "$(ucr --shell search machine/password/length machine/password/complexity)"
 +
if [ -z "$machine_password_length" ]; then machine_password_length=20; fi
 +
if [ -z "$machine_password_complexity" ]; then machine_password_complexity="scn"; fi
  
{| class=wikitable
+
# Create the database and generate the local settings file
! Option                                                      || Value
+
php /var/lib/mediawiki/maintenance/install.php \
|-
+
--confpath="$wiki_path" \
| Storage engine                                  || InnoDB
+
--scriptpath="$wiki_web_path" \
|-
+
--installdbuser="root" \
| Database character set                                            || Binary
+
--installdbpass="$(cat /etc/mysql.secret)" \
|-
+
--dbserver="localhost" \
|}
+
--dbname="mediawiki" \
 +
--dbuser="mediawiki" \
 +
--dbpass="$(pwgen -1 -${machine_password_complexity} ${machine_password_length} | tee /etc/mysql-mediawiki.secret)" \
 +
--server="http://$(hostname -f)" \
 +
--lang="$wiki_lang" \
 +
--with-extensions \
 +
--pass="$admin_password" \
 +
"$wiki_name" \
 +
"$admin_username"
 +
</syntaxhighlight>
  
If you want to extract text information from the MySQL database later, you should choose UTF-8, since information e.g. the content of pages for the search index is stored in binary otherwise and thus not simply usable for other applications.
+
You can reach your mediawiki by visiting the given URL.
Click ''Continue''.
 
  
 +
=== Setting up LDAP authentication ===
  
On the following page you have to give your wiki a name and create an admin user. Provide MediaWiki with all required data and choose whether you want the wizard to ''ask more questions'' (this includes user permissions, the wiki's license, extensions, the wiki's logo, available UIs, file upload configuration) or you are ''bored already, just install the wiki'' and click Continue.
+
Use the following script to generate the needed settings for your LocalSettings.php file. <br>
 +
You will need a '''simple authentication account''' for mediawiki to authenticate your members. Follow the [https://wiki.univention.de/index.php/Cool_Solution_-_LDAP_search_user LDAP search user] Cool Solution to create one.
 +
<syntaxhighlight lang="bash">
 +
# Please set the data of an simple authentication account here. Instructions how one is created can be found here: https://wiki.univention.de/index.php/Cool_Solution_-_LDAP_search_user
 +
ldap_search_user="uid=mediawiki-search,cn=users,<YOUR_LDAP_BASE>"
 +
ldap_search_password="YOUR_LDAP_SEARCH_PASSWORD"
  
 +
# Obtain global domain configuration data
 +
eval "$(ucr --shell search domainname \
 +
ldap/base \
 +
ldap/server/port \
 +
ldap/server/name \
 +
ldap/server/addition)"
  
If you chose to apply further configuration settings provide the wizard with them now and click Continue. If not continue with the next step.
+
if [ -z "$ldap_server_port" ]; then ldap_server_port=7389; fi
 +
if [ -z "$ldap_server_addition" ]; then
 +
    ldap_hosts=$(echo "$ldap_server_name" | sed "s/'\|\"//g")
 +
else
 +
    ldap_hosts=$(echo "$ldap_server_name $ldap_server_addition" | sed "s/'\|\"//g")
 +
fi
  
 +
# Adds your final LDAP extension Configuration to the end of your $wiki_path/LocalSettings.php configuration file:
 +
echo """
 +
# Univention LDAP Configuration
 +
require_once ('includes/AuthPlugin.php');
  
Start the installation by clicking ''Continue''.
 
 
 
The next page provides you with information about what has been done and if all operations succeded.
 
Click Continue.
 
 
The installation is finished. MediaWiki asks and prompts you to download ''LocalSettings.php'' now. Download the file immediately, because it's just temporary and gone once the installation is completed.
 
Copy LocalSettings.php to MediaWiki's directory, which is ''/var/www/mediawiki'' in this case.
 
 
After having copied the file, click on ''enter your wiki''.
 
 
You can also restart the whole installation by clicking on the link ''Restart installation'' on the right.
 
 
== Setting up LDAP authentication ==
 
The most recent version of the LDAP authentication plugin can be found in the [https://www.mediawiki.org/wiki/Extension:LDAP_Authentication MediaWiki wiki].
 
 
You can download snapshots of the extension for various versions [https://www.mediawiki.org/wiki/Special:ExtensionDistributor/LdapAuthentication here].
 
 
Extract the archive to MediaWiki's folder:
 
 
<pre>
 
tar -xzf LdapAuthentication-REL1_26-70ab129.tar.gz -C /var/www/<MEDIAWIKI FOLDER>/extensions
 
</pre>
 
 
Hint: Change <MEDIAWIKI FOLDER> to the folder you installed MediaWiki in.
 
 
To setup the plugin as authentication provider, echo a basic configuration to LocalSettings.php. This configuration uses '''TLS''' and '''ldaps://''' to obtain information.
 
 
You may like to use a simple LDAP search user as described in the following article [https://wiki.univention.de/index.php/Cool_Solution_-_LDAP_search_user].
 
 
Hint: Change <BIND USER DN> and <BIND USER PASSWORD> in the following code section to the credentials you want the system to bind to LDAP with.
 
<pre>
 
echo "require_once \"\$IP/extensions/LdapAuthentication/LdapAuthentication.php\";
 
 
\$wgAuth = new LdapAuthenticationPlugin();
 
\$wgAuth = new LdapAuthenticationPlugin();
 
+
\$wgLDAPDomainNames = array( '${domainname}' );
\$wgLDAPDomainNames = array(
+
\$wgLDAPServerNames = array( '${domainname}' => '${ldap_hosts}' );
  '$(dnsdomainname)'
 
);
 
\$wgLDAPServerNames = array(
 
  '$(dnsdomainname)' => '$(ucr get ldap/master)'
 
);
 
# Only allow LDAP users
 
 
\$wgLDAPUseLocal = false;
 
\$wgLDAPUseLocal = false;
 +
\$wgLDAPEncryptionType = array( '${domainname}' => 'tls' );
 +
\$wgLDAPPort = array( '${domainname}' => ${ldap_server_port} );
 +
\$wgLDAPProxyAgent = array( '${domainname}' => '${ldap_search_user}' );
 +
\$wgLDAPProxyAgentPassword = array( '${domainname}' => '${ldap_search_password}' );
 +
\$wgLDAPSearchAttributes = array( '${domainname}' => 'uid' );
 +
\$wgLDAPBaseDNs = array( '${domainname}' => '${ldap_base}' );
 +
\$wgLDAPUserBaseDNs = array( '${domainname}' => 'cn=users,${ldap_base}' );
 +
\$wgLDAPGroupBaseDNs = array( '${domainname}' => 'cn=groups,${ldap_base}' );
  
\$wgLDAPEncryptionType = array(
+
# Map specific LDAP attributes like e-mail addresses
  \"$(dnsdomainname)\"=>\"tls\"
+
\$wgLDAPPreferences = array( '${domainname}' => array('email' => 'mailPrimaryAddress', 'realname' => 'displayName', 'nickname' => 'cn' ) );
);
 
# User to bind as
 
\$wgLDAPProxyAgent =  array(
 
  '$(dnsdomainname)' => '<BIND USER DN>'
 
);
 
\$wgLDAPProxyAgentPassword = array(
 
  '$(dnsdomainname)' => '<BIND USER PASSWORD>'
 
);
 
  
\$wgLDAPBaseDNs = array(
+
# Group based restriction:
  '$(dnsdomainname)' => '$(ucr get ldap/base)'
+
\$wgLDAPGroupUseFullDN = array( '${domainname}' => false );
);
+
\$wgLDAPGroupObjectclass = array( '${domainname}' => 'univentionGroup' );
\$wgLDAPUserBaseDNs= array(
+
\$wgLDAPGroupAttribute = array( '${domainname}' => 'memberUid' );
  '$(dnsdomainname)' => 'cn=users,$(ucr get ldap/base)'
+
\$wgLDAPGroupSearchNestedGroups = array( '${domainname}' => false );
);
+
\$wgLDAPGroupNameAttribute = array( '${domainname}' => 'cn' );
\$wgLDAPGroupBaseDNs= array(
+
\$wgLDAPLowerCaseUsername = array( '${domainname}' => true );
  '$(dnsdomainname)' => 'cn=groups,$(ucr get ldap/base)'
+
""" >> $wiki_path/LocalSettings.php
);
+
</syntaxhighlight>
  
\$wgLDAPSearchAttributes = array(
+
Please confirm the validity of the content of the LocalSettings.php file after executing the script.
  '$(dnsdomainname)' => 'uid'
 
);
 
  
\$wgLDAPGroupObjectclass = array(
+
You can also run the following command once, to make sure that the needed database table is correctly created, before testing the login:
  \"$(dnsdomainname)\"=>\"univentionGroup\"
+
<syntaxhighlight lang="bash">
);
+
php $wiki_path/maintenance/update.php
# attribute defining a group
+
</syntaxhighlight>
\$wgLDAPGroupNameAttribute = array(
 
  \"$(dnsdomainname)\" => \"cn\"
 
);
 
  
\$wgLDAPGroupAttribute = array(
+
=== Optional LDAP settings ===
  \"$(dnsdomainname)\" => \"uniqueMember\"
 
);
 
  
\$wgLDAPGroupUseFullDN = array(
+
If you want to force MediaWiki to deny access to users who aren't member of one or more specific group(s), execute the following command after changing <GROUP DN> to the full DN of the your desired group:
  \"$(dnsdomainname)\" => true
+
<syntaxhighlight lang="bash">
);
+
echo """
 +
\$wgLDAPRequiredGroups = array( '${domainname}' => array( '<GROUP DN>' ) );
 +
""" >> $wiki_path/LocalSettings.php
 +
</syntaxhighlight>
  
\$wgLDAPLowerCaseUsername = array(
+
Further configuration options can be found in the [https://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Configuration_Options Official extension manual].
  \"$(dnsdomainname)\" => true
 
);
 
  
\$wgLDAPGroupsUseMemberOf = array(
+
== Add MediaWiki to web services ==
  \"$(dnsdomainname)\" => false
+
You can add a MediaWiki Service link to your system web portal using the following command. <br>
);" >> /var/www/<MEDIAWIKI FOLDER>/LocalSettings.php
+
Please note that this command uses the value ''wiki_web_path'', which has been defined above.
</pre>
+
<syntaxhighlight lang="bash">
 +
ucr set \
 +
ucs/web/overview/entries/service/mediawiki/label="MediaWiki" \
 +
ucs/web/overview/entries/service/mediawiki/label/de="MediaWiki" \
 +
ucs/web/overview/entries/service/mediawiki/description="MediaWiki" \
 +
ucs/web/overview/entries/service/mediawiki/description/de="MediaWiki" \
 +
ucs/web/overview/entries/service/mediawiki/link="$wiki_web_path" \
 +
ucs/web/overview/entries/service/mediawiki/icon="$wiki_web_path/resources/assets/mediawiki.png"
 +
</syntaxhighlight>
  
Hint: Change <MEDIAWIKI FOLDER> to the folder you installed MediaWiki in
+
== Known Problems ==
  
Run the following command once, to make sure that the needed database table is created, before testing the login.
+
* The installation script automatically sets the [https://www.mediawiki.org/wiki/Manual:$wgServer $wgServer] variable to <code>'http://$(hostname -f)'</code>. The user will be redirected to the given base URL, which can be breakable under certain situations. <br> This can easily be resolved by adjusting it to the correct value or by commenting the variable out inside the ''LocalSettings.php'' file. MediaWiki will automatically detect and set the possible server names, if the value is not set.
  
<pre>
+
== BlueSpice MediaWiki ==
php /var/www/<MEDIAWIKI FOLDER>/maintenance/update.php
 
</pre>
 
 
 
== Further LDAP settings ==
 
 
 
If you want to force MediaWiki to deny access to users who are not in one or more specific group(s), execute the following command and change <GROUP DN> to the DN of the your desired group:
 
 
 
<pre>
 
echo "\$wgLDAPRequiredGroups = array(
 
  \"$(dnsdomainname)\"=>array(
 
    \"<GROUP DN>\"
 
  )
 
);" >> /var/www/<MEDIAWIKI FOLDER>/LocalSettings.php
 
</pre>
 
 
 
If you do not want to use TLS to connect to LDAP, you need to edit LocalSettings.php.
 
Open the plugin file:
 
 
 
<pre>
 
vim /var/www/<MEDIAWIKI FOLDER>/LocalSettings.php
 
</pre>
 
 
 
search for the LDAPEncryptionType variable
 
 
 
<pre>
 
/LDAPEncryption
 
<Enter>
 
</pre>
 
Vim should find this section
 
<pre>
 
$wgLDAPEncryptionType = array(
 
  "<your domain name>"=> "tls"
 
);
 
</pre>
 
  
Just change '''tls''' to '''ssl'''
+
BlueSpice is an enterprise distribution which provides a working MediaWiki installation out of the box. <br>
 +
You can get it directly from the [https://www.univention.com/products/univention-app-center/app-catalog/bluespice/ Univention App Center] where you can choose between a free and commercial license.
  
<pre>
+
== Further links ==
$wgLDAPEncryptionType = array(
 
  "<your domain name>"=> "ssl"
 
);
 
</pre>
 
  
To enable MediaWiki and LDAP logging to ''/var/log/mediawiki/mw-debug.log'', create a log file and folder with permissions first:
+
* [https://www.mediawiki.org/wiki/Manual:Installing_MediaWiki Manual: Installing MediaWiki]
 +
* [https://www.mediawiki.org/wiki/Manual:Installation_requirements Manual: MediaWiki installation requirements]
 +
* [https://wiki.univention.de/index.php/Cool_Solution_-_LDAP_search_user UCS - Creating a LDAP search user]
 +
* [https://www.mediawiki.org/wiki/Extension:LDAP_Authentication MediaWiki Extension LDAP Authentication]
 +
* [https://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Configuration_Options MediaWiki Extension LDAP Authentication - Configuration Options Explained]
  
<pre>
+
== Archive ==
mkdir /var/log/mediawiki/
 
touch /var/log/mediawiki/mw-debug.log
 
chown www-data:www-data /var/log/mediawiki/*
 
chmod -R 640 /var/log/mediawiki/*
 
</pre>
 
 
 
Then put some code into LocalSettings.php:
 
 
 
<pre>
 
echo "\$wgDebugLogFile = \"/var/log/mediawiki/mw-debug.log\";
 
 
 
\$wgLDAPDebug = 4;
 
\$wgDebugLogGroups = array(
 
  'ldap' => '/var/log/mediawiki/mw-debug.log',
 
);" >> /var/www/<MEDIAWIKI FOLDER>/LocalSettings.php
 
</pre>
 
 
 
Hint: ''$wgLDAPDebug'' describes the loglevel for the LDAP extension. 4 is rather verbose, but a good choice for debugging, when setting up the connection. You may change this value as you like to change the loglevel.
 
 
 
== Add MediaWiki to web services ==
 
 
 
<pre>
 
ucr set \
 
ucs/web/overview/entries/service/mediawiki/description="MediaWiki" \
 
ucs/web/overview/entries/service/mediawiki/icon="/<MEDIAWIKI FOLDER>/resources/assets/mediawiki.png" \
 
ucs/web/overview/entries/service/mediawiki/label/de="MediaWiki" \
 
ucs/web/overview/entries/service/mediawiki/label="MediaWiki" \
 
ucs/web/overview/entries/service/mediawiki/link="/<MEDIAWIKI FOLDER>"
 
</pre>
 
 
 
== BlueSpice MediaWiki ==
 
  
BlueSpice is an enterprise distribution which provides a working MediaWiki installation out of the box. You can install it directly from the Univention App Center [https://www.univention.com/products/univention-app-center/app-catalog/bluespice/] where you can choose between free and commercial license.
+
* There is a version of this article for [https://wiki.univention.de/index.php?title=Cool_Solution_-_Setting_up_MediaWiki_with_LDAP_authentication&oldid=XXXXXX UCS 4.1 und 4.2].
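Review bot: the added `--dbpass="$(pwgen ... | tee /etc/mysql-mediawiki.secret)"` line creates the secret file with whatever umask the shell has, which under the common 022 leaves the database password world-readable; create the file with mode 600 first (for example `install -m 600 /dev/null /etc/mysql-mediawiki.secret`) so that `tee` writes into an already protected file. In the same call, `php /var/lib/mediawiki/maintenance/install.php` hard-codes the path although the text says the location can be changed through `wiki_path`; `"$wiki_path/maintenance/install.php"` keeps the two consistent. The `find ... chmod 644` pass runs before LocalSettings.php exists, and the later block appends `$wgLDAPProxyAgentPassword` to that file in clear text, so the revision should also set an explicit owner and mode on LocalSettings.php after it has been generated.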

Revision as of 11:06, 12 July 2018

Product logo UCS Version 4.3

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the steps shown in the article are covered by Univention Support. For questions about your support coverage, contact your contact person at Univention before implementing any of the steps shown.

Please also observe the legal notes in the Terms of Service.
Note: This article is not yet reviewed.


This article describes the installation and setup of MediaWiki 1.31.0 in UCS 4.3.

Prerequisites

Install the needed packages (Note: ImageMagick is recommended for Image thumbnailing):

univention-install univention-mysql libapache2-mod-php php php-common php-json php-xml php-cli php-curl php-readline php-mbstring php-intl php-mysql php-ldap imagemagick php-imagick

Enable the needed PHP modules and reload the apache2 service:

phpenmod mbstring intl imagick
systemctl reload apache2.service

Download MediaWiki and the LDAP extension and extract them to the webserver directory (Note: You can change the wiki paths by editing the first two variables):

wiki_path="/var/lib/mediawiki/" # The directory your wiki will rest inside
wiki_web_path="/mediawiki" # The future web subdirectory your wiki will be accessible through
tmpdir=$(mktemp -d) # A temporary working directory
mkdir -p "$wiki_path"

# Download MediaWiki and extract it
wget --show-progress -O "$tmpdir/mediawiki-1.31.0.tar.gz" https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.0.tar.gz
tar -xvzf "$tmpdir/mediawiki-1.31.0.tar.gz" -C "$wiki_path" --strip-components=1

# Download the MediaWiki LDAP extension and extract it
wget --show-progress -O "$tmpdir/LdapAuthentication-REL1_31-b19888c.tar.gz" https://extdist.wmflabs.org/dist/extensions/LdapAuthentication-REL1_31-b19888c.tar.gz
tar -xvzf "$tmpdir/LdapAuthentication-REL1_31-b19888c.tar.gz" -C "$wiki_path/extensions/"

# Create a symbolic link towards the wiki folder
ln -s "$wiki_path" "/var/www/$wiki_web_path"

# Set the correct folder and file permissions
find "$wiki_path" -type f -exec chmod 644 {} \;
find "$wiki_path" -type d -exec chmod 755 {} \;

# Remove the temporary working directory again
rm -R "$tmpdir"

Installing MediaWiki

Now the actual installation of MediaWiki is in order. Use the following script to generate your LocalSettings file:

# Please set the name of the wiki, the language and your future local Admin password here
wiki_name="YOUR_WIKI_NAME"
wiki_lang="en" # Possible language codes are listed here: https://www.mediawiki.org/wiki/Manual:$wgLanguageCode
admin_username="Admin"
admin_password="YOUR_ADMIN_PASSWORD"

# Generate your database password according to your machine password policy
eval "$(ucr --shell search machine/password/length machine/password/complexity)"
if [ -z "$machine_password_length" ]; then machine_password_length=20; fi
if [ -z "$machine_password_complexity" ]; then machine_password_complexity="scn"; fi

# Create the secret file with mode 600 first, so that tee below does not leave the password world-readable
install -m 600 /dev/null /etc/mysql-mediawiki.secret

# Create the database and generate the local settings file
php "$wiki_path/maintenance/install.php" \
 --confpath="$wiki_path" \
 --scriptpath="$wiki_web_path" \
 --installdbuser="root" \
 --installdbpass="$(cat /etc/mysql.secret)" \
 --dbserver="localhost" \
 --dbname="mediawiki" \
 --dbuser="mediawiki" \
 --dbpass="$(pwgen -1 -${machine_password_complexity} ${machine_password_length} | tee /etc/mysql-mediawiki.secret)" \
 --server="http://$(hostname -f)" \
 --lang="$wiki_lang" \
 --with-extensions \
 --pass="$admin_password" \
 "$wiki_name" \
 "$admin_username"

You can reach your MediaWiki by visiting the given URL.

Setting up LDAP authentication

Use the following script to generate the needed settings for your LocalSettings.php file.
You will need a simple authentication account for MediaWiki to authenticate your members. Follow the LDAP search user Cool Solution to create one.

# Please set the data of a simple authentication account here. Instructions on how to create one can be found here: https://wiki.univention.de/index.php/Cool_Solution_-_LDAP_search_user
ldap_search_user="uid=mediawiki-search,cn=users,<YOUR_LDAP_BASE>"
ldap_search_password="YOUR_LDAP_SEARCH_PASSWORD"

# Obtain global domain configuration data
eval "$(ucr --shell search domainname \
ldap/base \
ldap/server/port \
ldap/server/name \
ldap/server/addition)"

if [ -z "$ldap_server_port" ]; then ldap_server_port=7389; fi
if [ -z "$ldap_server_addition" ]; then 
    ldap_hosts=$(echo "$ldap_server_name" | sed "s/'\|\"//g")
else 
    ldap_hosts=$(echo "$ldap_server_name $ldap_server_addition" | sed "s/'\|\"//g") 
fi

# Adds your final LDAP extension Configuration to the end of your $wiki_path/LocalSettings.php configuration file:
echo """
# Univention LDAP Configuration
require_once ('includes/AuthPlugin.php');

\$wgAuth = new LdapAuthenticationPlugin();
\$wgLDAPDomainNames = array( '${domainname}' );
\$wgLDAPServerNames = array( '${domainname}' => '${ldap_hosts}' );
\$wgLDAPUseLocal = false;
\$wgLDAPEncryptionType = array( '${domainname}' => 'tls' );
\$wgLDAPPort = array( '${domainname}' => ${ldap_server_port} );
\$wgLDAPProxyAgent = array( '${domainname}' => '${ldap_search_user}' );
\$wgLDAPProxyAgentPassword = array( '${domainname}' => '${ldap_search_password}' );
\$wgLDAPSearchAttributes = array( '${domainname}' => 'uid' );
\$wgLDAPBaseDNs = array( '${domainname}' => '${ldap_base}' );
\$wgLDAPUserBaseDNs = array( '${domainname}' => 'cn=users,${ldap_base}' );
\$wgLDAPGroupBaseDNs = array( '${domainname}' => 'cn=groups,${ldap_base}' );

# Map specific LDAP attributes like e-mail addresses
\$wgLDAPPreferences = array( '${domainname}' => array('email' => 'mailPrimaryAddress', 'realname' => 'displayName', 'nickname' => 'cn' ) );

# Group based restriction:
\$wgLDAPGroupUseFullDN = array( '${domainname}' => false );
\$wgLDAPGroupObjectclass = array( '${domainname}' => 'univentionGroup' );
\$wgLDAPGroupAttribute = array( '${domainname}' => 'memberUid' );
\$wgLDAPGroupSearchNestedGroups = array( '${domainname}' => false );
\$wgLDAPGroupNameAttribute = array( '${domainname}' => 'cn' );
\$wgLDAPLowerCaseUsername = array( '${domainname}' => true );
""" >> $wiki_path/LocalSettings.php

Please confirm the validity of the content of the LocalSettings.php file after executing the script.
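One way to carry out this check, as an added example that is not part of the original article: a shell function that audits the LDAP block appended above. The function names, the sample file and the `example.test` values are constructed for illustration, and only the one-line `array( ... )` form written by the script is handled.

```shell
#!/bin/sh
# Added example (not from the article): audit the LDAP settings that the
# script above appends to LocalSettings.php. Only the one-line
# "array( 'domain' => value );" form written by that script is parsed.

audit_localsettings() (
    file=$1
    findings=0
    report() { printf 'FINDING: %s\n' "$1"; findings=$((findings + 1)); }

    if [ ! -r "$file" ]; then
        report "cannot read $file"
        exit 1
    fi

    # 1. Settings the script appends; a missing one means a partial write.
    for key in wgLDAPDomainNames wgLDAPServerNames wgLDAPEncryptionType \
               wgLDAPPort wgLDAPProxyAgent wgLDAPProxyAgentPassword \
               wgLDAPBaseDNs wgLDAPUserBaseDNs wgLDAPSearchAttributes; do
        if ! grep -q "^[[:space:]]*\\\$${key}[[:space:]]*=" "$file"; then
            report "missing \$${key}"
        fi
    done

    # 2. Bind and user passwords cross the network: require tls or ssl.
    enc=$(sed -n "s/^[[:space:]]*\\\$wgLDAPEncryptionType[[:space:]]*=.*=>[[:space:]]*['\"]\\([a-z]*\\)['\"].*/\\1/p" "$file")
    for value in $enc; do
        case $value in
            tls|ssl) ;;
            *) report "\$wgLDAPEncryptionType is '$value', expected tls or ssl" ;;
        esac
    done

    # 3. Template values from the article that were never replaced.
    for marker in '<YOUR_LDAP_BASE>' 'YOUR_LDAP_SEARCH_PASSWORD' '<GROUP DN>'; do
        if grep -qF -- "$marker" "$file"; then
            report "placeholder left in file: $marker"
        fi
    done

    # 4. An unset shell variable (ucr returned nothing) expands to ''.
    if grep -q "^[[:space:]]*\\\$wgLDAP.*''" "$file"; then
        report "empty '' value in an LDAP setting (unset shell variable?)"
    fi

    # 5. The file stores the bind password; it must not be world-readable.
    if [ -n "$(find "$file" -prune -perm -004)" ]; then
        report "$file is world-readable"
    fi

    [ "$findings" -eq 0 ]
)

# Constructed sample input: write_sample FILE ENCRYPTION DOMAIN
write_sample() {
    cat > "$1" <<EOF
\$wgLDAPDomainNames = array( '$3' );
\$wgLDAPServerNames = array( '$3' => 'dc1.example.test' );
\$wgLDAPEncryptionType = array( '$3' => '$2' );
\$wgLDAPPort = array( '$3' => 7389 );
\$wgLDAPProxyAgent = array( '$3' => 'uid=mediawiki-search,cn=users,dc=example,dc=test' );
\$wgLDAPProxyAgentPassword = array( '$3' => 'constructed-secret' );
\$wgLDAPSearchAttributes = array( '$3' => 'uid' );
\$wgLDAPBaseDNs = array( '$3' => 'dc=example,dc=test' );
\$wgLDAPUserBaseDNs = array( '$3' => 'cn=users,dc=example,dc=test' );
EOF
}

# Demo on constructed input: an empty domain name and encryption 'clear'.
demo_dir=$(mktemp -d)
write_sample "$demo_dir/LocalSettings.php" clear ""
audit_localsettings "$demo_dir/LocalSettings.php" || echo "audit reported findings"
rm -rf "$demo_dir"
```

On a real system, call `audit_localsettings "$wiki_path/LocalSettings.php"`; the exit status is 0 only when no finding is printed.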

You can also run the following command once, to make sure that the needed database table is correctly created, before testing the login:

php $wiki_path/maintenance/update.php

Optional LDAP settings

If you want to force MediaWiki to deny access to users who are not members of one or more specific groups, execute the following command after changing <GROUP DN> to the full DN of your desired group:

echo """
\$wgLDAPRequiredGroups = array( '${domainname}' => array( '<GROUP DN>' ) );
""" >> $wiki_path/LocalSettings.php

Further configuration options can be found in the Official extension manual.

Add MediaWiki to web services

You can add a MediaWiki Service link to your system web portal using the following command.
Please note that this command uses the value wiki_web_path, which has been defined above.

ucr set \
ucs/web/overview/entries/service/mediawiki/label="MediaWiki" \
ucs/web/overview/entries/service/mediawiki/label/de="MediaWiki" \
ucs/web/overview/entries/service/mediawiki/description="MediaWiki" \
ucs/web/overview/entries/service/mediawiki/description/de="MediaWiki" \
ucs/web/overview/entries/service/mediawiki/link="$wiki_web_path" \
ucs/web/overview/entries/service/mediawiki/icon="$wiki_web_path/resources/assets/mediawiki.png"

Known Problems

  • The installation script automatically sets the $wgServer variable to 'http://$(hostname -f)'. Users are redirected to this base URL, which can break access in certain situations.
    This can easily be resolved by adjusting it to the correct value or by commenting the variable out inside the LocalSettings.php file. If the value is not set, MediaWiki automatically detects and sets the possible server names.

BlueSpice MediaWiki

BlueSpice is an enterprise distribution which provides a working MediaWiki installation out of the box.
You can get it directly from the Univention App Center where you can choose between a free and commercial license.

Further links

Archive
