Archive for January, 2006

Jinxed

January 24th, 2006

Ever since I wrote about the authentication plugin for MediaWiki, the plugin on the Bangalore intranet site stopped working. Boo hoo… :(

Update: Fixed!

Political Upheaval

January 19th, 2006

It was just yesterday that rotund Chief Minister Dharam Singh was threatening BMP authorities for not having fixed Bangalore’s roads. And today he’s rolling on the ground (note the physical impossibility of him falling flat), because his supporters yanked the carpet from under him.

All leading newspapers make it seem as if Kumaraswamy staged a coup against his father, the great son of the soil, Deve Gowda. Deve Gowda, himself, seems to be terribly saddened by this. As he said to the Hindu,

Even when I relinquished the office of the Prime Minister I was not at all sad. But today, the commitment with which I had all along fought has been shattered by a group of legislators of the party. It is a very sad day in my life. I feel betrayed.

This all seems to me like a very well stage managed family drama. Here is the case for my conspiracy theory.

  • As always, everyone wants to seize power, and Deve Gowda wasn’t getting anywhere in the current setup.
  • Deve Gowda had recently struck discordant notes by making negative statements about the IT industry and Narayana Murthy. If and when he became Chief Minister, he could not continue to take that stand. He would look foolish if he did a 180 degree turn on his political ideals. Also, being a Chief Minister after his stint as Prime Minister would not appeal to his false prestige.
  • The only way out was to have one of his sons take over the chair. But had it been on friendly terms, the change in political ideology would not have been possible. So a party split logically follows.
  • The BJP, always the underdog in Karnataka politics, seized this opportunity so that they could have some participation in the government before they died.

All this nasty smokescreen politics makes me sick. The 20 month – 20 month leadership sharing arrangement between Kumaraswamy’s party and the BJP cannot in any way be in the interest of the people. Both parties would just try to grab enough money for themselves during their short regimes, and then offer too little time as the excuse for not doing any useful work.

God save us all.

LDAP Authentication for Mediawiki

January 17th, 2006

One of the first challenges we faced was making Mediawiki work with Windows credentials on our intranet.

Before we go about it, I would like to point out that we don’t exactly authenticate against ADS although that is what the title may suggest. Our goal was, of course, to make it seem like we authenticate against ADS/LDAP. The illusion is pretty good.

Please note that the plugin described below was written against Mediawiki version 1.4.9, and it works on both Windows and Linux. It has not been tested against later versions. If you get it to work on other versions, drop me a note.

Mediawiki provides you a way by which you can hook in your own authentication plugin. The purpose of this exercise is to create an authentication plugin. We call our plugin IwovAuthPlugin. Let us create a new blank file called IwovAuthPlugin.php under the includes directory of your Mediawiki installation.

In the same directory, you can find a file named AuthPlugin.php. This file contains a class called AuthPlugin. We subclass AuthPlugin to create IwovAuthPlugin. The documentation in the AuthPlugin.php file is pretty self-explanatory.

Here is the content of my IwovAuthPlugin.php.

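<?php

require_once("AuthPlugin.php");

class IwovAuthPlugin extends AuthPlugin
{
  // Returns true only if the requested account name exists in LDAP.
  function userExists( $username )
  {
    $userFoundInLdap = false;
    $ldap_conn = ldap_connect("ldap.domain.com");
    if ($ldap_conn)
    {
      ldap_set_option($ldap_conn,
          LDAP_OPT_PROTOCOL_VERSION, 3);
      // Service account used for the lookup (placeholder values).
      if (ldap_bind($ldap_conn,
                'domainuser',
                'password'))
      {
        // Escape the name so filter metacharacters such as * ( ) \
        // are matched literally (ldap_escape needs PHP 5.6+).
        $name = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
        $results = ldap_search(
            $ldap_conn,
            "OU=Domain Users, DC=Domain, DC=com",
            "(sAMAccountName=$name)");
        if ($results)
        {
          $info = ldap_get_entries($ldap_conn,$results);
          if ($info["count"] > 0)
          {
            $userFoundInLdap = true;
          }
        }
      }
      ldap_close($ldap_conn);
    }
    return $userFoundInLdap;
  }

  // Always fails, so that Mediawiki falls back to its own DB
  // authentication (see strict() below).
  function authenticate( $username, $password )
  {
    return false;
  }

  // Create the local account silently on first login.
  function autoCreate()
  {
    return true;
  }

  // false: native DB authentication may follow if this plugin fails.
  function strict()
  {
    return false;
  }

  // Copy the user's full name and email address from LDAP.
  function initUser( &$user )
  {
    $ldap_conn = ldap_connect("ldap.domain.com");
    if ($ldap_conn)
    {
      ldap_set_option($ldap_conn,
          LDAP_OPT_PROTOCOL_VERSION, 3);
      if (ldap_bind($ldap_conn,
                'domainuser',
                'password'))
      {
        $userId = ldap_escape($user->getName(), '',
            LDAP_ESCAPE_FILTER);
        $results = ldap_search($ldap_conn,
            "OU=Domain Users, DC=Domain, DC=com",
            "(sAMAccountName=$userId)");
        $info = $results
            ? ldap_get_entries($ldap_conn,$results)
            : array("count" => 0);
        if ($info["count"] > 0)
        {
          $entry = $info[0];
          // Either attribute may be missing from the entry.
          if (isset($entry["name"][0]))
            $user->setRealName($entry["name"][0]);
          if (isset($entry["mail"][0]))
            $user->setEmail($entry["mail"][0]);
        }
      }
      ldap_close($ldap_conn);
    }
  }
}

?>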

That looks formidable, but let me try to make it very easy for you.

First of all, look at the function called authenticate(). Note that it always returns false, which means that whenever a user tries to log in, our authentication plugin always denies permission. This may seem weird, but read on. We override a function called strict(). This function returns false, which indicates to Mediawiki that native DB authentication may follow if the external authentication fails. Since our plugin always fails to authenticate, we always rely on the default authentication that Mediawiki provides.

So what, you may ask, is the point of writing this whole plugin thing?

  • We don’t let all and sundry log in.
  • We make sure that the account names that people choose match their login IDs.
  • We pull in user information (full name, email) from LDAP.

Our plugin does useful work only when a user logs into the system for the first time. The userExists() function searches LDAP to make sure that the user ID that the user is requesting actually exists in the LDAP structure, thus preventing the use of random IDs. If the requested user ID does not exist in LDAP, then an error message is displayed to the user. Also, note that the autoCreate() function returns true, which causes an account to be silently created. As a result, people don’t have to sign up – they can log in to the system straight away, thus creating the illusion that Windows authentication is magically working. As is quite obvious, the initUser() function populates user information into the database from the LDAP directory.
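The userExists() and initUser() searches put the name typed into the login form into an sAMAccountName filter, where characters such as * and ( ) have meaning to the directory. The following is an added example, not part of the original plugin, of validating and escaping the name before it reaches ldap_search(); the function names and the allowlist pattern are assumptions, and the sample names are constructed.

```php
<?php
// Added example; function names and the allowlist are assumptions.

// Escape a value for use inside an LDAP search filter (RFC 4515).
function iwovEscapeFilterValue( $value )
{
  if ( function_exists( 'ldap_escape' ) ) {   // available in PHP 5.6+
    return ldap_escape( $value, '', LDAP_ESCAPE_FILTER );
  }
  // Fallback for older PHP. The backslash is replaced first so the
  // escapes added for the other characters are not escaped again.
  return str_replace(
      array( '\\',   '*',    '(',    ')',    "\0" ),
      array( '\\5c', '\\2a', '\\28', '\\29', '\\00' ),
      $value );
}

// Return the search filter for a login ID, or false when the name
// does not look like a login ID at all. The pattern (letters, digits,
// dot, underscore, hyphen, at most 20 characters) is an assumption;
// adjust it to the naming rules of your directory.
function iwovBuildUserFilter( $username )
{
  if ( !preg_match( '/^[A-Za-z0-9._-]{1,20}$/', $username ) ) {
    return false;
  }
  return '(sAMAccountName=' . iwovEscapeFilterValue( $username ) . ')';
}

// Constructed sample names. An unescaped "*" in the filter would match
// every account, so the "does this ID exist?" check would pass for it.
$samples = array( 'jdoe', '*', 'j(doe)' );
foreach ( $samples as $name ) {
  $filter = iwovBuildUserFilter( $name );
  echo str_pad( $name, 8 ), ' filter:  ',
       ( $filter === false ? 'rejected' : $filter ), "\n";
  echo str_pad( '', 8 ), ' escaped: ',
       iwovEscapeFilterValue( $name ), "\n";
}
?>
```

In the plugin, userExists() would return false when iwovBuildUserFilter() returns false, and otherwise pass the returned string to ldap_search() as the filter.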

Although this looks like a hack, it works quite well in practice.

Not to forget, we added the following entries to LocalSettings.php.

# user must login to edit.
$wgWhitelistEdit = true;   

# ldap checks
$wgAuth = new IwovAuthPlugin();

Add to this some changes to your UI skin to remove the ‘Create account’ link and such ilk, and you are ready to go!

Mediawiki

January 17th, 2006

About that long ago, I wrote about the Bangalore Intranet project. The wiki has taken off really well. There’s also a bunch of cool customizations that Sivashankar and I have done. I’d like to write about these customizations over the next few posts. Yes, at the expense of boring you, but it is important to document them somewhere before I forget. So please bear with me if you find these boring.

Looking for a rented house

January 16th, 2006

Folks,

I am looking for a 2 bedroom rented house at Bangalore. This is an urgent requirement. Please let me know if you know about houses/flats that are available. That would be a great favour.

I have a Jayanagarish area in mind, but that is flexible.