AmiWiki:Coordination/MediaWiki auth

From AMI@Work Communities Wiki

The MosaicAuth plugin for MediaWiki takes care of the cookies used by the AMI Communities site. It actually leaves MediaWiki's own cookies intact, since they are part of a stronger security mechanism using session tokens. The plugin does the following:

  • Restrict login to users in an Apache htpasswd file.
  • Detect the encryption method used for each password and use the correct one (crypt, md5) for password comparison. The algorithm that is used must be supported by both PHP and Apache's auth module.
  • If a user in the htpasswd file logs in (supplies the correct password), create a local wiki user, if necessary.
  • Set the MosaicUser and MosaicToken cookies upon each login (see the cookie spec and user name format). If the user has checked remember me, the cookies will be set to expire within 30 days, otherwise only session cookies will be created.
  • Clear the Mosaic cookies upon logout.
  • Contact BSCW via XML-RPC and retrieve full name and (primary) email address upon local user creation and upon login.
  • Prevent users from changing their passwords.
  • Make sure that user names are converted to wiki canonical form before attempting to log in. The wiki canonical form is the same as the normalized form (i.e. all lowercase) but with upper-case initial character.
  • It currently sends a (fixed) username and password using basic HTTP auth to BSCW. This may have to be changed once we set up BSCW to use cookies for authentication (unless it falls back to basic HTTP auth via script if no cookies are supplied). In any case, it would be more secure to pass the Mosaic* cookies of the corresponding user instead of using HTTP auth.
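
The scheme detection and password comparison described in the list above, as an added example (not MosaicAuth's own code). The function names, the set of recognized prefixes and the sample entries are assumptions; `$apr1$` entries are rejected because PHP's crypt() cannot compute them, which is the case the "supported by both" requirement guards against.

```php
<?php
// Added illustration; htpasswdScheme() and htpasswdVerify() are hypothetical names.

// Classify a stored htpasswd hash by its prefix.
function htpasswdScheme(string $hash): string {
    if (strncmp($hash, '$apr1$', 6) === 0) return 'apr1';      // Apache-only MD5 variant
    if (strncmp($hash, '$1$', 3) === 0)    return 'md5-crypt';
    if (strncmp($hash, '{SHA}', 5) === 0)  return 'sha1';
    if (preg_match('#^[./0-9A-Za-z]{13}$#', $hash)) return 'des-crypt';
    return 'unknown';
}

// True only if $user exists in $lines and $password matches the stored hash.
function htpasswdVerify(array $lines, string $user, string $password): bool {
    foreach ($lines as $line) {
        $parts = explode(':', rtrim($line, "\r\n"), 2);
        if (count($parts) !== 2 || $parts[0] !== $user) continue;
        $stored = $parts[1];
        switch (htpasswdScheme($stored)) {
            case 'md5-crypt':
            case 'des-crypt':
                // crypt() takes scheme and salt from the stored hash itself.
                $computed = crypt($password, $stored);
                break;
            case 'sha1':
                $computed = '{SHA}' . base64_encode(sha1($password, true));
                break;
            default:
                // PHP's crypt() has no $apr1$ support: fail closed, never guess.
                return false;
        }
        // Constant-time comparison of the full hash strings.
        return hash_equals($stored, $computed);
    }
    return false; // user not listed in the file
}

// Constructed sample entries, generated here rather than copied from a real file.
$lines = [
    'Alice:' . crypt('correct horse', '$1$abcdefgh$'),
    'Bob:' . crypt('hunter2', 'ab'),
    'Carol:{SHA}' . base64_encode(sha1('s3cret', true)),
    'Dave:$apr1$constructed$placeholderNotARealHash',
];
foreach ([['Alice', 'correct horse'], ['Alice', 'wrong'], ['Bob', 'hunter2'],
          ['Carol', 's3cret'], ['Dave', 'anything'], ['Eve', 'x']] as [$u, $p]) {
    printf("%-6s %-14s %s\n", $u, $p, htpasswdVerify($lines, $u, $p) ? 'accept' : 'reject');
}
```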

Installation

Install MosaicAuth.php

Adjust LocalSettings.php

Add something like this to the bottom (but before ?>) of LocalSettings.php:

### MOSAIC unified profile
require_once( "extensions/mosaic/MosaicAuth.php" );
$wgAuth = new MosaicAuth();
$wgHtpasswdFile = "/home/bscw/server/data/htpasswd";
$wgCookieExpiration = 2592000; # 30 days
$wgBscwHost='localhost';
$wgBscwPort='80';
$wgBscwPath='/bscw/bscw.cgi/?op=xmlrpc';
$wgBscwTimeout=15;
$wgBscwUser='someuser';
$wgBscwPass='somepass';