MediaWiki Api + LDAPAuthentication

Question

I'm trying to implement a SSO between an account management website and a MediaWiki site.

The MediaWiki site uses LDAP to authenticate, limiting login to administrators (to restrict administrative rights such as editing, moving, etc., but 5000 users need to log into the account management site to renew accounts, view disk space, etc.

So far, I can successfully connect to Mediawiki using the following functions, but I am unable to authenticate using my username and password:

function do_post_request($url, $data, $optional_headers = null)   {
   $params = array('http' => array(
                     'method' => 'POST',
                     'content' => $data));

   if ($optional_headers !== null) {
      $params['http']['header'] = $optional_headers;
   }

   $ctx = stream_context_create($params);

   if (!$fp = @fopen($url, 'r', false, $ctx)) return FALSE;
   $response = @stream_get_contents($fp);

   return $response;   
}

function mediawiki_login($username, $password) {
      /*
       *  STEP 1: request mediawiki login via api
       */

       $url='/wiki/api.php'; // EDIT THIS TO POINT TO YOUR WIKI API!
      $data=http_build_query(array('format'=>'json',
           'action'   =>'login',
           'lgname'   =>$username,
           'lgpassword'=>$password));
  $headers="Content-type: application/x-www-form-urlencoded\r\n".
        "Content-length: ".strlen($data)."\r\n".
        "Connection: close\r\n";

  $contents=do_post_request($url, $data, $headers);                  
  if ($contents===FALSE) return FALSE;

  $mwdata = json_decode($contents, true);    
  // check if the api answers as expected
  if($mwdata["login"]["result"] != "NeedToken"){
     return FALSE;         
  }

  $token=         $mwdata['login']['token'];
  $cookieprefix=   $mwdata['login']['cookieprefix'];
  $sessionid=      $mwdata['login']['sessionid'];

  /*
   *  STEP 2: send token using sessionid cookie
   */
  $data=http_build_query(array('format'=>'json',
                 'action' =>'login',
                 'lgname'   =>$username,
                 'lgpassword'=>$password,
                 'lgtoken' => $token));

  $headers="Content-type: application/x-www-form-urlencoded\r\n".
              "Content-length: ".strlen($data)."\r\n".
              "Cookie: ".$cookieprefix."_session=".$sessionid."\r\n".
              "Connection: close\r\n";

  $contents=do_post_request($url, $data, $headers);
  if ($contents===FALSE) return FALSE;

  $mwdata = json_decode($contents, true);
  if($mwdata["login"]["result"] != "Success") return FALSE;

  // login success, set the mediawiki cookies
  $cookieprefix=   $mwdata['login']['cookieprefix'];
  $sessionid=      $mwdata['login']['sessionid'];
  $userid=      $mwdata['login']['lguserid'];
  $username=      $mwdata['login']['lgusername'];
  setcookie($cookieprefix.'UserID', $userid, 0, '/', '.yourdomain.tld', FALSE, TRUE);     // INSERT YOUR DOMAIN
  setcookie($cookieprefix.'UserName', $username, 0, '/', '.yourdomain.tld', FALSE, TRUE);
  setcookie($cookieprefix.'_session', $sessionid, 0, '/', '.yourdomain.tld', FALSE, TRUE);

  return TRUE;
} 

After adding in my own debugging values, I found that I was returning WrongPass after the second do_post_request Since we're using the LDAPAuthentication Extension for MediaWiki, I believe that the API isn't using the Extension to authenticate, and thus is not finding the username password combination in the users database used by MediaWiki

Has anyone successfully used the MediaWiki API to authenticate a user while using LDAP authentication?

What changes to the code above, or to LocalSettings.php, or to api.php to make this possible?

Answer 1

After spending a week looking into this problem, I abandoned the option above. I created an extension to create an authentication cookie for the account management website as part of the MediaWiki login function. One problem that I encountered, that others might find useful, is that after using the 'setcookie' function, the cookie wouldn't actually be set until refreshing the page becasue there was already html written to the page, so for authentication purposes I had to write new authentication code for the Account Management website, and then use that as a filter before the admin Mediawiki login.

Answer 2

I was just facing a similar problem. The solution was to include an extra parameter lgdomain in my POST data, set to the correct LDAP domain.

It's mentioned very briefly on the MediaWiki API documentation. Looks like it's missing from your sample code. Without that parameter, you'll get "WrongPass" as your login result.