Difference between revisions of "Cool Solution - Setting up MediaWiki with LDAP authentication"

From Univention Wiki

This page has been moved to the Knowledge Base Cool Solutions in the Forum.
{{Cool Solutions Disclaimer}}
This article describes the installation and setup of MediaWiki 1.31.0 in UCS 4.3.
[https://help.univention.com/t/cool-solution-setting-up-mediawiki-with-ldap-authentication/11822 Cool Solution - Setting up MediaWiki with LDAP authentication]
== Prerequisites  ==
Install the needed packages (Note: ImageMagick is recommended for [https://www.mediawiki.org/wiki/Manual:Image_administration#Image_thumbnailing Image thumbnailing]):
<syntaxhighlight lang="bash">
univention-install univention-mysql libapache2-mod-php php php-common \
php-json php-xml php-cli php-curl php-readline php-mbstring php-intl \
php-mysql php-ldap imagemagick php-imagick
</syntaxhighlight>
Download MediaWiki and the LDAP extension and extract them to the web server directory (Note: You can change the wiki paths by editing the first two variables):
<syntaxhighlight lang="bash">
wiki_path="/var/lib/mediawiki/" # The directory your wiki will reside in
wiki_web_path="/mediawiki" # The future web subdirectory your wiki will be accessible through
tmpdir=$(mktemp -d) # A temporary working directory
mkdir -p "$wiki_path"
# Download MediaWiki and extract it
wget --show-progress -O "$tmpdir/mediawiki-1.31.0.tar.gz" https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.0.tar.gz
tar -xvzf "$tmpdir/mediawiki-1.31.0.tar.gz" -C "$wiki_path" --strip-components=1
# Download the MediaWiki LDAP extension and extract it
wget --show-progress -O "$tmpdir/LdapAuthentication-REL1_31-b19888c.tar.gz" https://extdist.wmflabs.org/dist/extensions/LdapAuthentication-REL1_31-b19888c.tar.gz
tar -xvzf "$tmpdir/LdapAuthentication-REL1_31-b19888c.tar.gz" -C "$wiki_path/extensions/"
# Create a symbolic link to the wiki folder
ln -s "$wiki_path" "/var/www/$wiki_web_path"
# Set the correct folder and file permissions
find "$wiki_path" -type f -exec chmod 644 {} \;
find "$wiki_path" -type d -exec chmod 755 {} \;
# Remove the temporary working directory again
rm -R "$tmpdir"
</syntaxhighlight>
== Installing MediaWiki ==
Now the actual installation of MediaWiki is in order. Use the following script to generate your LocalSettings file:
<syntaxhighlight lang="bash">
# Please set the name of the wiki, the language and your future local Admin password here
# (the values in angle brackets are placeholders; the original values are not shown on this page)
wiki_name="<WIKI NAME>"
wiki_admin="<ADMIN USER NAME>" # install.php expects the admin user name as its last argument
admin_password="<ADMIN PASSWORD>"
wiki_lang="en" # Possible language codes are listed here: https://www.mediawiki.org/wiki/Manual:$wgLanguageCode
# Generate your database password according to your machine password policy
eval "$(ucr --shell search machine/password/length machine/password/complexity)"
if [ -z "$machine_password_length" ]; then machine_password_length=20; fi
if [ -z "$machine_password_complexity" ]; then machine_password_complexity="scn"; fi
# Create the secret file with mode 600 first, so that tee does not leave the
# database password in a world-readable file
install -m 600 /dev/null /etc/mysql-mediawiki.secret
# Create the database and generate the local settings file
php /var/lib/mediawiki/maintenance/install.php \
--confpath="$wiki_path" \
--scriptpath="$wiki_web_path" \
--installdbuser="root" \
--installdbpass="$(cat /etc/mysql.secret)" \
--dbserver="localhost" \
--dbname="mediawiki" \
--dbuser="mediawiki" \
--dbpass="$(pwgen -1 -${machine_password_complexity} ${machine_password_length} | tee /etc/mysql-mediawiki.secret)" \
--server="http://$(hostname -f)" \
--lang="$wiki_lang" \
--with-extensions \
--pass="$admin_password" \
"$wiki_name" \
"$wiki_admin"
</syntaxhighlight>
You can reach your mediawiki by visiting the given URL.
=== Setting up LDAP authentication ===
Use the following script to generate the needed settings for your LocalSettings.php file. <br>
You will need a '''simple authentication account''' for mediawiki to authenticate your members. Follow the [https://wiki.univention.de/index.php/Cool_Solution_-_LDAP_search_user LDAP search user] Cool Solution to create one.
<syntaxhighlight lang="bash">
# Please set the data of a simple authentication account here.
# Instructions on how to create one can be found here: https://wiki.univention.de/index.php/Cool_Solution_-_LDAP_search_user
# (the values in angle brackets are placeholders; the original values are not shown on this page)
ldap_search_user="<LDAP SEARCH USER>"
# The password is written into a single-quoted PHP string, so it must not contain ' or \
ldap_search_password="<LDAP SEARCH USER PASSWORD>"
# Obtain global domain configuration data
eval "$(ucr --shell search domainname \
ldap/base \
ldap/server/port \
ldap/server/name \
ldap/server/addition)"
if [ -z "$ldap_server_port" ]; then ldap_server_port=7389; fi
if [ -z "$ldap_server_addition" ]; then
    ldap_hosts=$(echo "$ldap_server_name" | sed "s/'\|\"//g")
else
    ldap_hosts=$(echo "$ldap_server_name $ldap_server_addition" | sed "s/'\|\"//g")
fi
# Append the final LDAP extension configuration to the end of your $wiki_path/LocalSettings.php configuration file:
echo """
# Univention LDAP Configuration
require_once ('extensions/LdapAuthentication/LdapAuthentication.php');
\$wgAuth = new LdapAuthenticationPlugin();
\$wgLDAPDomainNames = array( '${domainname}' );
\$wgLDAPServerNames = array( '${domainname}' => '${ldap_hosts}' );
\$wgLDAPUseLocal = false;
\$wgLDAPEncryptionType = array( '${domainname}' => 'tls' );
\$wgLDAPPort = array( '${domainname}' => ${ldap_server_port} );
\$wgLDAPProxyAgent = array( '${domainname}' => '${ldap_search_user}' );
\$wgLDAPProxyAgentPassword = array( '${domainname}' => '${ldap_search_password}' );
\$wgLDAPSearchAttributes = array( '${domainname}' => 'uid' );
\$wgLDAPBaseDNs = array( '${domainname}' => '${ldap_base}' );
\$wgLDAPUserBaseDNs = array( '${domainname}' => 'cn=users,${ldap_base}' );
\$wgLDAPGroupBaseDNs = array( '${domainname}' => 'cn=groups,${ldap_base}' );
# Map specific LDAP attributes like e-mail addresses
\$wgLDAPPreferences = array( '${domainname}' => array('email' => 'mailPrimaryAddress', 'realname' => 'displayName', 'nickname' => 'cn' ) );
# Group based restriction:
\$wgLDAPGroupUseFullDN = array( '${domainname}' => false );
\$wgLDAPGroupObjectclass = array( '${domainname}' => 'univentionGroup' );
\$wgLDAPGroupAttribute = array( '${domainname}' => 'memberUid' );
\$wgLDAPGroupSearchNestedGroups = array( '${domainname}' => false );
\$wgLDAPGroupNameAttribute = array( '${domainname}' => 'cn' );
\$wgLDAPLowerCaseUsername = array( '${domainname}' => true );
""" >> "$wiki_path/LocalSettings.php"
</syntaxhighlight>
Please confirm the validity of the content of the LocalSettings.php file after executing the script.
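One way to carry out that check, as an added example that is not part of the original article: the helper name <code>check_localsettings</code> is hypothetical, and the sample file content with its <code>example.intranet</code> names is constructed. It reports settings the script should have written but did not, values left empty by an unset shell variable, an encryption type other than <code>tls</code> or <code>ssl</code>, and a world-readable file.

```bash
#!/bin/bash
# Added example, not from the original article.
# Prints one line per finding; returns 1 if anything was found, else 0.
check_localsettings() {
    local file="$1" rc=0 name lines
    # Settings written by the article's script that LDAP login depends on
    for name in wgLDAPDomainNames wgLDAPServerNames wgLDAPEncryptionType \
                wgLDAPProxyAgent wgLDAPProxyAgentPassword wgLDAPBaseDNs; do
        if ! grep -q "^[[:space:]]*\\\$${name}[[:space:]]*=" "$file"; then
            echo "MISSING: \$${name}"; rc=1
        fi
    done
    # An unset shell variable expands to nothing inside the echo block, leaving
    # '', a DN ending in ",'" or a bare "=> )". Only line numbers are printed,
    # so no password ends up in the output.
    lines=$(grep -nE "^[[:space:]]*\\\$wgLDAP.*(''|,'|=>[[:space:]]*\\))" "$file" \
            | cut -d: -f1 | tr '\n' ' ')
    if [ -n "$lines" ]; then
        echo "EMPTY: empty value on line(s) $lines"; rc=1
    fi
    # Only tls and ssl protect the bind passwords on the way to the LDAP server
    if grep -E "^[[:space:]]*\\\$wgLDAPEncryptionType" "$file" \
            | grep -qvE "=>[[:space:]]*'(tls|ssl)'"; then
        echo "WEAK: \$wgLDAPEncryptionType is not tls or ssl"; rc=1
    fi
    # The file holds the database and search user passwords
    if [ -n "$(find "$file" -maxdepth 0 -perm -004)" ]; then
        echo "PERMS: $file is world-readable"; rc=1
    fi
    return "$rc"
}

# Constructed sample: the block as written when ldap_search_password was unset
sample=$(mktemp)
cat > "$sample" <<'EOF'
$wgLDAPDomainNames = array( 'example.intranet' );
$wgLDAPServerNames = array( 'example.intranet' => 'ucs.example.intranet' );
$wgLDAPEncryptionType = array( 'example.intranet' => 'tls' );
$wgLDAPProxyAgent = array( 'example.intranet' => 'uid=searchuser,cn=users,dc=example,dc=intranet' );
$wgLDAPProxyAgentPassword = array( 'example.intranet' => '' );
$wgLDAPBaseDNs = array( 'example.intranet' => 'dc=example,dc=intranet' );
EOF
chmod 640 "$sample"
check_localsettings "$sample" || echo "-> fix the findings, then re-run"
rm -f "$sample"
```

On a real system, call it as <code>check_localsettings "$wiki_path/LocalSettings.php"</code>; the file still has to be readable by the web server user, for example through its group.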
You can also run the following command once, to make sure that the needed database table is correctly created, before testing the login:
<syntaxhighlight lang="bash">
php "$wiki_path/maintenance/update.php"
</syntaxhighlight>
=== Optional LDAP settings ===
If you want MediaWiki to deny access to users who are not members of one or more specific groups, execute the following command after changing <GROUP DN> to the full DN of your desired group:
<syntaxhighlight lang="bash">
echo """
\$wgLDAPRequiredGroups = array( '${domainname}' => array( '<GROUP DN>' ) );
""" >> "$wiki_path/LocalSettings.php"
</syntaxhighlight>
Further configuration options can be found in the [https://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Configuration_Options Official extension manual].
== Add MediaWiki to web services ==
You can add a MediaWiki Service link to your system web portal using the following command. <br>
Please note that this command uses the value ''wiki_web_path'', which has been defined above.
<syntaxhighlight lang="bash">
ucr set \
ucs/web/overview/entries/service/mediawiki/label="MediaWiki" \
ucs/web/overview/entries/service/mediawiki/label/de="MediaWiki" \
ucs/web/overview/entries/service/mediawiki/description="MediaWiki" \
ucs/web/overview/entries/service/mediawiki/description/de="MediaWiki" \
ucs/web/overview/entries/service/mediawiki/link="$wiki_web_path"
</syntaxhighlight>
== Known Problems ==
* The installation script automatically sets the [https://www.mediawiki.org/wiki/Manual:$wgServer $wgServer] variable to <code>'http://$(hostname -f)'</code>. Users are redirected to this base URL, which can break in certain situations. <br> This can easily be resolved by adjusting it to the correct value or by commenting the variable out in the ''LocalSettings.php'' file. If the value is not set, MediaWiki will automatically detect and set the possible server names.
== BlueSpice MediaWiki ==
BlueSpice is an enterprise distribution which provides a working MediaWiki installation out of the box. <br>
You can get it directly from the [https://www.univention.com/products/univention-app-center/app-catalog/bluespice/ Univention App Center] where you can choose between a free and commercial license.
== Further links ==
* [https://www.mediawiki.org/wiki/Manual:Installing_MediaWiki Manual: Installing MediaWiki]
* [https://www.mediawiki.org/wiki/Manual:Installation_requirements Manual: MediaWiki installation requirements]
* [https://wiki.univention.de/index.php/Cool_Solution_-_LDAP_search_user UCS - Creating a LDAP search user]
* [https://www.mediawiki.org/wiki/Extension:LDAP_Authentication MediaWiki Extension LDAP Authentication]
* [https://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Configuration_Options MediaWiki Extension LDAP Authentication - Configuration Options Explained]
== Archive ==
* There is a version of this article for [https://wiki.univention.de/index.php?title=Cool_Solution_-_Setting_up_MediaWiki_with_LDAP_authentication&oldid=13411 UCS 4.1 and 4.2].

Latest revision as of 10:33, 12 April 2019
