Authenticating against Windows-Domain using SSPI
When running moin in a corporate environment, access restrictions have to be enforced reliably. Generally, in these environments, centralized domain authentication is the preferred method. Fortunately, this is easy to set up with moin with the help of the SSPI plugin for Apache.
For general information, see HelpOnAuthentication
System Requirements
- a Windows Domain Controller
- Windows 2000, XP, or greater (including server), with...
- Apache 2.0.xx or Apache 2.2.xx with a working install of a MoinMoin wiki
  - Apache doesn't require Windows Server (unlike IIS), so it's a great way to use an old desktop without requiring a Server license!
  - mod_auth_sspi.so requires running Apache2 on Windows (Note: on Linux, one would use mod_auth_kerb instead of mod_auth_sspi)
Installing & Configuring
The following section is broken into:
- Downloading & installing the sspi module
- Configuring the Apache httpd.conf file
- Configuring the Moin wikiconfig.py file
- Changing the user preferences so they are more logical and relevant to domain authentication
Download & Install mod_auth_sspi
Before proceeding, make sure that you have a working and tested MoinMoin installation. The last thing you want is to install it all at once, have something not working, and try to reverse-diagnose what went wrong and where.
http://sourceforge.net/projects/mod-auth-sspi/ (choose the right version for your apache version)
Unzip the sspi file and copy the mod_auth_sspi.so file into the Apache modules folder (generally located here: c:\Program Files\Apache Group\Apache2\modules\).
Apache Configuration
Edit your httpd.conf file (usually found in c:\Program Files\Apache Group\Apache2\conf\). Use an appropriate text editor (such as Notepad++) and avoid using NotePad.
Scroll down to the LoadModule section, and add the line at the bottom of this section (this tells Apache to load the mod_auth_sspi.so module):

    LoadModule sspi_auth_module modules/mod_auth_sspi.so

Now, scroll down to the bottom of the httpd.conf file, and add the following:

    #
    ## Domain authentication using mod_auth_sspi.so
    #
    <IfModule !mod_auth_sspi.c>
        LoadModule sspi_auth_module modules/mod_auth_sspi.so
    </IfModule>

    # Change /mywiki in the line below to match what you have in the separate ScriptAlias line.
    # If you explicitly followed the directions on ApacheOnWin32, this will be /mywiki
    <Location /mywiki>
        AuthType SSPI
        AuthName "Company Internal Wiki - Login using your DOMAIN username and password"
        Require valid-user
        SSPIAuth On
        SSPIAuthoritative On
        # replace the IP address below with the IP of your domain controller:
        SSPIDomain 192.168.1.15
        SSPIOmitDomain On
        # Basic auth sends the password base64-encoded, not encrypted; offer it only over HTTPS:
        SSPIOfferBasic On
        # note that with "SSPIBasicPreferred On" it will show the http basic auth dialogue box to enter user/password, no autologin
        # with "SSPIBasicPreferred Off" it will autologin domain users without asking them (using negotiate auth)
        SSPIBasicPreferred Off
        # this setting was "Off" in the original version of this howto, no idea why:
        SSPIofferSSPI On
    </Location>

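A check one could run against the httpd.conf produced above (added example, not part of the original how-to or of mod_auth_sspi): it parses each <Location> block and flags an SSPI setup that offers Basic without requiring TLS, or that prefers Basic over negotiate. The function names and the sample text are constructed, and treating an in-block SSLRequireSSL (a mod_ssl directive not used on this page) as the only proof of TLS is an assumption.

```python
import re

# Constructed sample: the <Location> block from this how-to, with no TLS requirement.
SAMPLE_CONF = """\
<Location /mywiki>
    AuthType SSPI
    Require valid-user
    SSPIAuth On
    SSPIOfferBasic On
    # comment lines are ignored
    SSPIBasicPreferred Off
    SSPIofferSSPI On
</Location>
"""

def parse_locations(conf_text):
    """Map each <Location> path to {lowercased directive: argument string}."""
    blocks, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Location\s+(\S+?)>$", line, re.I)
        if opened:
            current = blocks.setdefault(opened.group(1), {})
        elif line.lower() == "</location>":
            current = None
        elif current is not None:
            parts = line.split(None, 1)  # Apache directive names are case-insensitive
            current[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return blocks

def audit_sspi(conf_text):
    """Return (location, finding) pairs for every AuthType SSPI block."""
    findings = []
    for path, d in parse_locations(conf_text).items():
        if d.get("authtype", "").lower() != "sspi":
            continue
        is_on = lambda key: d.get(key, "").lower() == "on"
        if "require" not in d:
            findings.append((path, "no Require directive: login is not enforced"))
        # Assumption: only an in-block SSLRequireSSL (mod_ssl) counts as proof of TLS.
        if is_on("sspiofferbasic") and "sslrequiressl" not in d:
            findings.append((path, "Basic offered without SSLRequireSSL: "
                                   "domain password sent base64-encoded"))
        if is_on("sspibasicpreferred"):
            findings.append((path, "SSPIBasicPreferred On: no negotiate auto-login"))
    return findings

if __name__ == "__main__":
    for path, finding in audit_sspi(SAMPLE_CONF):
        print(path, "-", finding)
```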
Wiki Configuration
Now you will need to modify your Moin configuration so that user accounts are automatically created based on their domain authentication. Using an appropriate text editor, open the wikiconfig.py configuration file in the root of your moin install (if you followed the instructions on HowTo/WindowsWithApacheServer explicitly, this file will be here C:\Moin\mywiki\wikiconfig.py).

    ## MoinMoin 1.9 - Domain Authentication using mod_auth_sspi.so
    from MoinMoin.auth import GivenAuth
    auth = [GivenAuth(autocreate=1)]

    ## MoinMoin 1.5 - Domain Authentication using mod_auth_sspi.so
    from MoinMoin.auth.http import HTTPAuth
    auth = [HTTPAuth(autocreate=1)]

At this point, test your wiki and make sure you can successfully login (see the Logging in section below). Congratulations if all is well!
Optionally, you may want to add further modifications now that you are successfully using domain authentication. These directives remove links and fields that are no longer relevant with domain authentication. Back in wikiconfig.py, add the following in the User Preferences section:

    # Remove the 'logout' link at the top of every page, since it no longer works with domain authentication:
    show_login = 0
    #
    # Remove irrelevant fields from the user preferences:
    user_form_remove = ['password', 'password2', 'logout',]
    #
    # Remove irrelevant checkboxes from the user preferences (disable at Domain Server instead):
    user_checkbox_remove = [ 'disabled', ]

Customize user preferences
As administrator (you did add yourself as superuser in wikiconfig.py, right?!), you will want to customize the user preferences dialogues, since most of them are no longer relevant.
In the dist archive under wiki/config/more_samples is a config snippet that shows how to customize user preferences, please see there!
Auto-email completion
Because we're on a domain (and presumably everyone has the same email domain), wouldn't it be neat to auto-fill in the email address for our users?
See MoinMoinPatch/HttpAuthAutoEmail for a patch!
Logging in
If all works as well as it can, you will be auto-logged in (if you use a Windows client machine and you authenticated with the domain controller when logging into that machine), with no need to enter username and password again.
If you get a user/password box you have to enter 'domain\username' as username and your password. Only IE shows a dialog with three fields (sometimes) instead of two: name, domain, password.
If you get that box, it might be due to missing browser configuration, see below.
Internet Explorer
- Internet Options
- [X] activate integrated windows authentication
Firefox
- enter about:config into the URL line
- enter ntlm into the filter line, then set network.automatic-ntlm-auth.trusted-uris = servername