The second issue with wiki and blog software is finding software which is easy to use both for the end-users and for the systems staff. Right now my department of three is responsible for a host of web-based applications including blogs and our soon to be implemented content management system. I want applications that are easy for us to modify and and maintain. This means leveraging our existing skills to their fullest. So I looked at wiki solutions that are PHP/MySQL-based. This builds on what we learned doing the blogging project. The third issue with installing wikis software is giving complete control to the end users. For me this means not only letting people maintain their own wikis but also be able to create their own wikis. This was a goal we never successfully reached with the blog project (much to my chagrin). I’m hoping to be able to overcome this barrier with the wiki project.

Last week I started with installing MediaWiki in wiki-farm mode. How does this differ from the standard MediaWiki install? Well for one thing the standard MediaWiki install is for one wiki rather than many. One way to solve this is to have multiple folders with the MediaWiki files and use a different MySQL database for each wiki. The problem with this is that you have to replace all the MediaWiki files in every directory when there is an upgrade. To solve this check out this page which talks about running a MediaWiki wiki-farm on a Mac.

Once I solve the wiki-farm issue, the next problem I needed to deal with was
authentication. I really don’t want my users to have to remember yet another
username and password. So I started investigating to see if MediaWiki will
work with LDAP. It will and there are directions available that will walk you through the process of installation.
You will need to have PHP must be installed with LDAP and SSL support. The
site doesn’t tell you how to tell if this is the case or if these aren’t installed
how to do it. So here is my basic run down of how to tell if you have the LDAP
and SSL support installed.

1. Check to see if PHP is installed with LDAP and SSL support
2. On your server create a new file name phpinfo.php with the following lines
   <?php
   phpinfo();
   ?>
3. Save the file in your web server directory
4. Open your web browser to the phpinfo.php file on your server
5. This will display information about your installation of PHP. Look for LDAP and OpenSSL. if you don’t see them they are missing and you need to install them

I wish I could write a set of instructions on how to install these modules into PHP but every instance is different. Hopefully you won’t have to install from source. On many Linux systems you can use the package manager (in SUSE this is yast) to install what you need. Look for PHP-LDAP and SSL-PHP. For information on how to install from source a good place to start is http://us3.php.net/install.

One thing that is essential if you choose to do this is make the usernames
and passwords being passed from the user to MediaWiki on to the LDAP server
secure. Sending passwords in the clear is VERY BAD and a BIG security threat.
This means that in your Local_Settings.php file make sure your wgLDAPUseSSL
variable is set to true.

//Use LDAPS (your system may default to using TLS over LDAP instead of LDAPS)

//Recommended!!

$wgLDAPUseSSL = true;

Also in addition to follow the directions on the MediaWiki support site you should configure your server with SSL and LDAP installed and properly configured. I’ve put up a set of directions on how to do this in another post because the instruction are long. Once you’ve followed these steps you need to make sure that every time a user requests the MediaWiki login page that it requested securely. This means a url starting https://. To do this you need to change some settings in Apache. Below are the directions for Apache 2.0 .

1. Open up and edit your default_server.conf file (/etc/apache2/default_server.conf)
2. Add the following lines
   
   RewriteEngine on
   
   RewriteRule ^/wiki_directory/(.*)/index.php/Special:Userlogin(.*) https://%{SERVER_NAME}/wiki_directory/$1/index.php/Special:Userlogin$2 [L,R]
   
   RewriteCond %{QUERY_STRING} ^title=Special:Userlogin
   
   RewriteRule ^/wiki_directory/(.*)/index.php https://%{SERVER_NAME}/wiki_directory/$1/index.php?%{QUERY_STRING} [L,R]
3. Save the file
4. Stop and restart Apache
   apache2ctl stop
   apache2ctl start

This will force all requests for the pages where users login or create logins through a secure connection.

I’ve been able to successfully get this running on the test wiki server and
will likely be porting it to a production environment in the next week. I still
have several issues to solve: RSS feeds, getting email from the wikis to work,
and creating my own layout and design for wikis. Overall, this is a good start
and I’ll keep writing about the wiki project as I make further headway.

The Head of Computer and Networking Systems originally wrote these directions (which are amazing and better than most of what I found on the web) when I wanted to password protect our internal blogs. I’ve updated them to be more generic and posted them because they are relevant if you want to set up LDAP authentication for MediaWiki. Note that steps f to i in the section “Configure LDAPs authentication for Directory access”

Set up SSL on Web Server

1. On the server where you want to perform SSL, Generate Server Private key (one time)
   1. Remove default keys
      cd /etc/apache2/
      rm ssl.key/server.key
      rm ssl.crt/server.crt
   2. Generate new private key
      /usr/bin/openssl genrsa 1024 > /etc/apache2/ssl.key/server.key
   3. Set secure permissions on key file
      chmod go-rwx /etc/apache2/ssl.key/server.key
2. Create self-signed certificate
   1. Create certificate
      
      /usr/bin/openssl req -new -key /etc/apache2/ssl.key/server.key -x509 -days 365 -out
      /etc/apache2/ssl.crt/server.crt

      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      
      What you are about to enter is what is called a Distinguished Name or a DN.
      
      There are quite a few fields but you can leave some blank
      
      For some fields there will be a default value,
      If you enter ‘.’, the field will be left blank.
      —–
      
      Country Name (2 letter code) [AU]:US
      State or Province Name (full name) [Some-State]: State
      Locality Name (eg, city) []: City
      Organization Name (eg, company) [Internet Widgits Pty Ltd]: Some Organization
      Organizational Unit Name (eg, section) []: Some Unit
      Common Name (eg, YOUR name) []: server.webaddress.com
      Email Address []: email@address.com

3. Configure apache for SSL
   1. Tell apache SSL port
      1. Edit /etc/apache2/listen.conf and remove # before:
         Listen 443
      2. Copy virtual host template file (must end in .conf)
         
         cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/vhost-ssl.conf
      3. Change the following lines in /etc/apache2/vhosts.d/vhost-ssl.conf

         #<IfDefine SSL>
         
         #<IfDefine !NOSSL>

         <VirtualHost server.webaddress.com:443>

         DocumentRoot “/srv/www/htdocs”
         
         ServerName server.webaddress.com:443
         
         ServerAdmin email@address.com
         
         ErrorLog /var/log/apache2/error_443_log
         
         TransferLog /var/log/apache2/access_443_log
         #</IfDefine>
         
         #</IfDefine>

   2. Restart Apache with new configuration
      
      Apache2ctl stop
      Apache2ctl start
   3. Use Netstat to check to see if httpd is listening on port 443
      netstat -anp |more
   4. Open port on Firewall for 443

1. Test in web browser https://server.webaddress.com

Configure LDAPs authentication for Directory access

1. Import certificate for ldap server into the web server where you want to authenticate via LDAP
   1. Export server certificate from your LDAP server
   2. Open exported certificate file and copy text
   3. Create file /etc/apache2/server-name.crt
   4. Paste certificate text into file
   5. Edit /etc/apache2/default-server.conf and add following lines:

      LDAPTrustedCAType    BASE64_FILE
      LDAP
      TrustedCA                       /etc/apache2/server-name.crt

   6. Edit /etc/apache2/vhosts.d/vhost-ssl.conf
      1. Add lines following between <VirtualHost> and </VirtualHost>
         <Directory /srv/www/htdocs/directory_you_want_to_protect_with_ldap>
         
         AuthType Basic
         AuthName “LDAPs Login”
         
         AuthLDAPEnabled on

         AuthLDAPURL “ldaps://ldapserver.domain.edu:ldapport#/OU=usergroup,DC=subdomain,DC=mydomain,DC=edu?sAMAccountName?sub?(objectClass=*)”
         
         AuthLDAPBindDN “CN=bindaccount,CN=usergroup,DC=subdomain,DC=mydomain,DC=edu”
         
         AuthLDAPBindPassword (bindaccountpassword)
         AuthLDAPAuthoritative off
         require valid-user
         AllowOverride None
         Order deny,allow
         Deny from all
         Allow from IP range you want to allow access from
         </Directory>

   7. Edit /etc/apache2/sysconfig.d/loadmodule.conf and add following
      lines:

      LoadModule ldap_module /usr/lib/apache2/mod_ldap.so
      
      LoadModule auth_ldap_module /usr/lib/apache2/mod_auth_ldap.so

   8. Restart Apache with new configuration

      Apache2ctl stop
      Apache2ctl start

   9. Test in web browser – https://server.webaddress.com/directory_you_want_to_protect_with_ldap