Extension:AuthRemoteUser

**MediaWiki extensions manual**
AuthRemoteUser; Release status: stable
Implementation	User identity
Description	Allows for authentication via the web server's REMOTE_AUTH (i.e., with Kerberos) functionality.
Author(s)	Tobias Oetterer (oetterertalk)
Latest version	1.0.0 (2024/06/30)
MediaWiki	1.39
PHP	7.1
Composer	mediawiki/auth-remote-user
License	GNU General Public License 2.0 or later
Download	GitHub: project page; git repository URL [help]; commit history; ; ; README
	Parameters $wgAuthRemoteUserDomain; $wgAuthRemoteUserUsernameNormalizer;

This extension requires the PluggableAuth extension to be installed first.

The AuthRemoteUser extension manages authentication via the web server's REMOTE_AUTH. Unlike Extension:Auth_RemoteUser, where the whole wiki requires a web server's authentication, this extension only relies upon authentication on one page (Special:AuthRemoteUser).

This extension relies upon external authentication by your web server. You are required to set this up properly, or your authentication won't work (see example below).

Installation

Download

You can either download this from git

git clone https://github.com/oetterer/AuthRemoteUser

or use composer (in which case, add the following to your composer.local.json)

{
	"require": {
		"mediawiki/auth-remote-user": "^1.0"
	}
}

Activation

Add the following to your LocalSettings.php

wfLoadExtension( 'AuthRemoteUser' );

Setting up webserver

Your webserver does the actual authentication, so you need to set it up properly. Please refer to your webserver documentation for instructions on how to do this.

Apache using MIT kerberos

mod_auth_gssapi

<LocationMatch ".*/index\.php">
    <If "%{QUERY_STRING} =~ /title=[^:]+:AuthRemoteUser/">
        SSLRequireSSL
        AuthType GSSAPI
        AuthName "Kerberos Login"
        GssapiCredStore keytab:/etc/keytabs/krb5.keytab.HTTP
        GssapiSSLonly On
        GssapiAllowedMech krb5
        require valid-user
    </If>
</LocationMatch>

mod_auth_kerb

<LocationMatch ".*/index\.php">
    <If "%{QUERY_STRING} =~ /title=[^:]+:AuthRemoteUser/">
        SSLRequireSSL
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        KrbAuthoritative on
        KrbAuthRealms <your krb realms>
        KrbVerifyKDC on
        Krb5KeyTab /etc/keytabs/krb5.keytab.HTTP
        require valid-user
    </If>
</LocationMatch>

Note: even, if you are using Short URL schema, you have to match against index.php?title=, because the authentication special page is accessed internally with the original linking schema.

Configuration parameters

$wgAuthRemoteUserDomain: Specify your domain for remote authentication here. The extension does not validate the domain if this variable is left empty.
$wgAuthRemoteUserUsernameNormalizer: Use this function for normalizing username, for example 'strtolower'. By default, the kerberos domain is stripped and the remaining username is cast to lowercase..

Authentication button label

You can specify what text will be shown on the authentication button by editing the MediaWiki message MediaWiki:Auth-remote-user-login-button-label and its localizations.

User rights

Please see Extension:PluggableAuth

AuthRemoteUser Release status: stable
Implementation	User identity
Description	Allows for authentication via the web server's REMOTE_AUTH (i.e., with Kerberos) functionality.
Author(s)	Tobias Oetterer (oetterer^talk)
Latest version	1.0.0 (2024/06/30)
MediaWiki	1.39
PHP	7.1
Composer	mediawiki/auth-remote-user
License	GNU General Public License 2.0 or later
Download	GitHub: project page git repository URL ^{[help ]} commit history README
Parameters $wgAuthRemoteUserDomain $wgAuthRemoteUserUsernameNormalizer