Extension talk:SSL authentication
hiding logout button slightly broken with MW-1.19
I've just installed mediawiki-1.19.0beta1 and added the 1.19 version of SSLAuthPlugin.php. End result: working well except that the logout button has been replaced with "AMPlt;0AMPgt;" (I replaced the ampersands with AMP as I don't know what would happen to them in this editor).
Must be a slight bug in something? Also, MW still asks to confirm the email address - can the code also take that into account? i.e. a cert with an email address should be treated as validated?
Thanks - this was VERY easy to get up and running!
Jason
--Paran7 (talk) 21:52, 23 March 2012 (UTC)
- The logout link problem exists with 1.18 as well. The problem is that the logout url is set to null rather than being removed. The following patch fixed the problem for me:
--- a/SSLAuthPlugin.php +++ b/SSLAuthPlugin.php @@ -227,7 +227,7 @@ function SSLAuthSetup() { /* No logout link in MW */ function NoLogout(&$personal_urls, $title) { - $personal_urls['logout'] = null; + unset($personal_urls['logout']); return true; }
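Review bot: in NoLogout(), the comment `/* No logout link in MW */` above the changed line should say why the entry is removed with unset() rather than assigned null, since the null assignment leaves a 'logout' key in $personal_urls, which is the problem described for 1.18 and 1.19. A one-line comment there would stop someone reverting to the null form. unset() on an absent key is a no-op in PHP, so no isset() guard is needed before it.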
- Would be great if somebody else could test this. If it works then I guess I should just change the code in the main article.
how to map USER_PRINCIPAL_NAME under X509_EXTENSION with AD - UserPrincipalName attribute
I am able to implement this extension. After that, I need to map USER_PRINCIPAL_NAME to AD UserPrincipalName to get more data back from Active Directory. Do you have some example code I could reference?
I have been searching about this issue for a while
only to find the PHP Bug #60388 about openssl_x509_parse extensions=>subjectAltName. If you are able to find any workaround, I would love to learn how.
Problems with SSLRequire apache configuration and email/realname import
Hi,
I'm new to MediaWiki, and I've used this extension for client registration/authentication, but I found several problems in the configuration:
- First, the line "SSLRequire %{SSL_CLIENT_S_DN} =~ m/.*serialNumber=<personnumber>$/" in the Apache config doesn't work, and I have replaced it with three lines, "SSLVerifyClient require/SSLVerifyDepth 2/SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"", which works well, but I don't understand why the first one doesn't work, or whether this configuration is optimal for the extension.
- Second, when I log in with my client certificate (which has my own CA), the user is created fine, but the email and the realname aren't written to the user's profile. SOLVED, I've set ssl_map_info=true
My version of MediaWiki is 1.20 and I've used "SSLAuthPlugin.php (MW 1.20)"
Can anyone help me with these problems?
Thanks in advance,
Carlos
(apache config) SSLVerifyClient=optional and no user cert present causes (harmless) errors on viewed page
I've discovered that when a user certificate is not presented (when SSLVerifyClient=optional, otherwise SSLVerifyClient=off should never have this extension) then three errors are dumped to any viewed page corresponding to the certificate information extraction lines in LocalSettings.php.
I've added a test for each to determine if the value is not set before using the values.
Liamdennehy (talk) 17:17, 27 July 2014 (UTC)
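The kind of guard described in the post above, as an added example (not part of the original post and not the extension's own code). The function name `sslClientInfo` and the returned array keys are hypothetical; the `SSL_CLIENT_*` names are mod_ssl environment variables, assumed to be exported with `SSLOptions +StdEnvVars`.

```php
<?php
// Added example. sslClientInfo() and its array keys are hypothetical names.

/**
 * Return certificate fields for a verified client, or null when no verified
 * certificate was presented (possible with SSLVerifyClient optional).
 */
function sslClientInfo(array $server): ?array
{
    // mod_ssl sets SSL_CLIENT_VERIFY to NONE, SUCCESS, GENEROUS or
    // FAILED:reason. Only SUCCESS means the chain verified against the CA.
    if (($server['SSL_CLIENT_VERIFY'] ?? 'NONE') !== 'SUCCESS') {
        return null;
    }

    // A valid certificate may still lack CN or an email address, so each
    // variable is tested on its own instead of being read unconditionally.
    $field = static function (string $name) use ($server): ?string {
        $value = isset($server[$name]) ? trim((string) $server[$name]) : '';
        return $value === '' ? null : $value;
    };

    $dn = $field('SSL_CLIENT_S_DN');
    if ($dn === null) {
        return null; // no subject at all: treat the request as unauthenticated
    }

    return [
        'dn'       => $dn,
        'realname' => $field('SSL_CLIENT_S_DN_CN'),
        'email'    => $field('SSL_CLIENT_S_DN_Email'),
    ];
}

// Constructed sample inputs standing in for $_SERVER.
$withCert = [
    'SSL_CLIENT_VERIFY'     => 'SUCCESS',
    'SSL_CLIENT_S_DN'       => 'CN=Example User,emailAddress=user@example.org',
    'SSL_CLIENT_S_DN_CN'    => 'Example User',
    'SSL_CLIENT_S_DN_Email' => 'user@example.org',
];
$noCert = ['SSL_CLIENT_VERIFY' => 'NONE'];

var_dump(sslClientInfo($withCert));
var_dump(sslClientInfo($noCert));
```

Checking `SSL_CLIENT_VERIFY` first also keeps a request without a certificate from being treated as a logged-in user, in addition to avoiding the undefined-index notices.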