Central user administration with MediaWiki

30. October 2017

Today, the connection to a central authentication server is a standard feature of every company wiki. In the following introduction we explain the most important background, processes and terms and answer the 10 most important questions about LDAP and Active Directory.

Above a certain size, companies manage users and user groups in a central directory. Of course, MediaWiki can also be connected to such a directory using LDAP, which makes the life of administrators much easier.
Anja Ebersbach explains basics and current developments …

1. What is LDAP and what is AD?

The Lightweight Directory Access Protocol (LDAP) is a network protocol, in our specific case a defined format for exchanging data between the wiki and a central user directory. It is comparable to a standardized language such as SQL. Just as certain databases such as MySQL can be addressed with SQL, there are also user directory services that can be controlled via LDAP.

The Active Directory (AD) is the user directory service from Microsoft, which contains the concrete rights management of a company and which in turn provides an LDAP interface.

There are several alternatives to Microsoft’s AD, especially in the Open Source area, such as Apache Directory Server, Novell eDirectory or OpenLDAP. As long as these systems support the LDAP protocol, a connection does not represent a major hurdle here either.

2. Why should a wiki be connected to a central user administration via LDAP?

On the one hand, this makes sense because user administration is then not organized separately in the wiki; instead, access can be regulated centrally and uniformly. For example, membership in a certain group can determine what a user may or may not see in the wiki.

On the other hand, users can also log in to the wiki with their company-wide password, so they only have to remember one user name and password. This is very useful, especially if you are dealing with password policies in your company that force users to change their passwords frequently.

3. What is single sign-on?

This is another helpful feature that can be implemented if the wiki has already been connected via LDAP: The user only has to log on to the company network once and is automatically logged in to the wiki, meaning he or she not only has a single password but also saves having to enter this password in the wiki.

4. How does a registration via a connected wiki work?

In the first step the user is authenticated by requesting user name and password. If correct, the user is granted access to the wiki.

Then comes the second step in the form of authorization: one looks at how the user’s path is structured, what attributes he or she has, and from this, for example, the groups, the language, the e-mail address and additional attributes are drawn, with which the wiki users are then managed – from the “central office”, so to speak.

Sometimes the wiki users are already authenticated. However, the administration of the users and their permissions must then be carried out in the wiki.

5. What are group rights? Can group rights be transferred from LDAP/AD?

In the wiki as well as in the central user directory, user permissions (e.g. read or write permissions) are defined via groups to which the respective users are assigned. When connecting the wiki, it is recommended that the groups are taken over from the central directory and then given the wiki-specific rights in the wiki, e.g. deleting wiki articles. If this transfer is not desired, the administration of user rights can still be done in the wiki.
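As an added illustration (not code from MediaWiki or its LDAP extension), the following Python sketch plans such a group transfer: directory groups are mapped to wiki groups through an allowlist, and only the wiki groups owned by the directory are ever revoked. All DNs, group names and function names are constructed for this example.

```python
import re

# Added example: DNs, wiki group names and the mapping are constructed.
# Allowlist: directory group DN (normalized) -> wiki group. Directory groups
# that are not listed never grant wiki rights.
GROUP_MAP = {
    "cn=wiki-editors,ou=groups,dc=example,dc=com": "editor",
    "cn=wiki-admins,ou=groups,dc=example,dc=com": "sysop",
}
# Wiki groups owned by the directory; every other wiki group stays under
# local control in the wiki.
MANAGED = set(GROUP_MAP.values())


def normalize_dn(dn):
    """Lower-case a DN and drop spaces around unescaped RDN separators."""
    parts = re.split(r"(?<!\\),", dn)
    return ",".join(part.strip().lower() for part in parts)


def wiki_groups_from_directory(member_of):
    """Translate the user's directory group DNs into wiki groups."""
    normalized = (normalize_dn(dn) for dn in member_of)
    return {GROUP_MAP[dn] for dn in normalized if dn in GROUP_MAP}


def plan_group_sync(current_wiki_groups, member_of):
    """Return (groups to add, groups to remove) for one login.

    Removal is limited to MANAGED groups, so rights granted locally in the
    wiki survive, while rights that came from the directory are withdrawn
    as soon as the directory membership is gone.
    """
    wanted = wiki_groups_from_directory(member_of)
    current = set(current_wiki_groups)
    to_add = wanted - current
    to_remove = (current & MANAGED) - wanted
    return sorted(to_add), sorted(to_remove)


if __name__ == "__main__":
    # Constructed user: was sysop via the directory, bureaucrat locally.
    member_of = [
        "CN=Wiki-Editors, OU=Groups, DC=example, DC=com",
        "CN=Finance,OU=Groups,DC=example,DC=com",
    ]
    print(plan_group_sync({"sysop", "bureaucrat"}, member_of))
```

Running the plan at every login keeps wiki rights in step with the directory without touching groups that are administered in the wiki itself.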

6. Are there also disadvantages in connecting a wiki, e.g. in terms of security?

The connection only has read-only access to the directory service (e.g. to the AD), and the information that runs between the wiki server and the directory server is queried via secure connections and is not passed directly outside. Of course, any connection to external systems carries the risk of additional security gaps, but the precautions taken for protection are in line with current standards and misuse of the data is not to be expected.

The organizational argument against an LDAP connection often outweighs this: depending on how the company is structured, the user administration of the wiki is placed in centralized hands. And a directory server is naturally a sensitive instrument. This means that typically not everyone has easy access, not even the individual departments, but only a specific administrator, who then creates the users, sets up the rights and so on. And that means that in order to create a user, you have to initiate a process that can be very complex and lengthy. It’s simply a question of the constitution of a company. If it is unproblematic and can be processed quickly, it is not an issue.

7. To what extent must the MediaWiki itself be prepared for the connection?

The MediaWiki needs an extension that communicates with the directory server. The basic installation of MediaWiki cannot do this. At most it provides so-called hooks. These are designated places in the code where you can attach the various authentication extensions (also for other systems such as OpenID, WordPress etc.). This LDAP extension has already been developed by the community, is available on mediawiki.org and must be installed before the connection is made.

8. What are the main difficulties and hurdles in connection?

Some companies have very complex user directories. A user’s path, which is always the same, e.g. by account name, department, country name and domain, is relatively easy to connect. But the user directories of the companies have often been structured according to other criteria or have grown historically. Then, for example, difficult requirements arise in which users from different places should be able to access the wiki, and we have to consider the distinctive criteria that identify these users. Or the company has a collective user (i.e. an account that is used by several natural persons) that is to be broken down into individual users in the wiki.

Overall, the query for users who can log in should be formulated as precisely as possible. Especially in large international companies, this requires a contact person on the customer side who knows the local directory services well and can tell us the significant attributes that should be queried. Otherwise, performance can suffer.

Another challenge is the distribution of user administration on different servers, for example if a company merger has taken place and the users of all involved companies (with different directories and servers) should access the wiki. Here, for example, a preliminary inquiry in the form of a switch can be used to clarify from which organization the user comes and which server is to be accessed by the wiki accordingly.
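The two points above, a precisely formulated user query and a switch between several directory servers, can be sketched as follows. This is an added Python example, not code from the MediaWiki LDAP extension; the host names, base DNs, attribute choices and function names are assumptions made up for the illustration. The login name is escaped as a filter value according to RFC 4515 before it is placed in the query, so that it can only ever match as a literal name.

```python
# Added example: all hosts, DNs and attribute choices are constructed.
DIRECTORIES = {
    "example.com": {  # e.g. an Active Directory
        "uri": "ldaps://dc1.example.com:636",
        "base_dn": "ou=Staff,dc=example,dc=com",
        "login_attr": "sAMAccountName",
        "required_group": "cn=wiki-users,ou=Groups,dc=example,dc=com",
    },
    "example.org": {  # e.g. the directory of a merged company
        "uri": "ldaps://ldap.example.org:636",
        "base_dn": "ou=people,dc=example,dc=org",
        "login_attr": "uid",
        "required_group": None,
    },
}


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves in a search filter value."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def route_login(login):
    """The 'switch': pick the directory from the domain part of user@domain."""
    user, sep, domain = login.rpartition("@")
    directory = DIRECTORIES.get(domain.lower())
    if not sep or not user or directory is None:
        raise ValueError("login has no known domain")
    if not directory["uri"].startswith("ldaps://"):
        raise ValueError("refusing an unencrypted directory connection")
    return user, directory


def build_search(login):
    """Return (server URI, search base, filter) for exactly one user."""
    user, directory = route_login(login)
    clauses = [
        "(objectClass=person)",
        "(%s=%s)" % (directory["login_attr"], escape_filter_value(user)),
    ]
    if directory["required_group"]:
        # Only members of this group may log in to the wiki at all.
        group = escape_filter_value(directory["required_group"])
        clauses.append("(memberOf=%s)" % group)
    return directory["uri"], directory["base_dn"], "(&%s)" % "".join(clauses)


if __name__ == "__main__":
    print(build_search("alice@Example.com"))
```

A narrow search base and an indexed login attribute keep the lookup fast, and the group clause restricts logins to the intended users.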

9. Which information does Hallo Welt! need before starting the connection?

Of course we need the address and path to the directory server (“LDAP server”) and typically a so-called proxy user. This is a (non-real) user whose password never expires and who has the task and the authorization to read all information about certain users from the directory service; it takes over the communication with the directory service, so to speak.

10. Is technical knowledge necessary for the connection?

Absolutely. In principle, such a connection should only be tackled by an expert. Or at least by someone who already has experience in LDAP and AD.


Except where otherwise noted, news on this site is licensed under a Creative Commons Attribution 4.0 International license.
