Today, connecting a corporate wiki to a central authentication server is standard practice. In the following introduction we explain the most important background, processes and concepts.
Beyond a certain size, companies manage users and user groups centrally in one common directory. Of course, MediaWiki can also be connected to such a central directory with the help of LDAP, which greatly simplifies the life of administrators. In this and the following articles we would like to explain the basics and the current developments. We will start with a few basic questions.
1. What is LDAP and what is the AD?
The Lightweight Directory Access Protocol is a network protocol, that is, a specific format for exchanging data, in our particular case between the wiki and a central user directory. It is comparable to other standardized languages such as SQL: just as you address certain databases such as MySQL with SQL, there are user directory services that can be controlled via LDAP.
Active Directory is the user directory service from Microsoft, in which a company’s specific rights management is located and which in turn provides an LDAP interface.
There are several alternatives to Microsoft’s AD, especially in the open source area, such as Apache Directory Server, Novell eDirectory or OpenLDAP. As long as these systems support the LDAP protocol, a connection faces no major hurdles.
2. Why should a wiki be connected to a central user administration via LDAP?
It makes sense because in this case user administration is not organized separately in the wiki; instead, access can be regulated centrally and uniformly. For example, users of a certain group are allowed to see exactly those things in the wiki that are relevant for this group, and nothing else.
On the other hand, the user can also use his or her company-wide password to log into the wiki, so only one username and password has to be remembered. This is a useful function, especially if your company has password policies that force users to change their password frequently.
3. What is single-sign-on?
This is another useful feature that can be implemented once the wiki has already been linked via LDAP: the user only has to log in to the company’s network once and is then automatically logged into the wiki. Not only does the user have a single password, but typing that password into the wiki’s login form is no longer necessary either.
4. What are the steps of an automated login?
In the first step the user is authenticated, that is, user name and password are queried and the system checks whether the inputs are correct. If so, the user gets access to the wiki.
The second step takes the form of authorization: the system looks at how the user’s path in the directory is built and which attributes the user has. From this, for example, the groups, the language, the e-mail address and additional attributes are derived for the wiki.
Sometimes the central user directory is only used to check usernames and passwords. In this case, groups and rights can still be managed from within the wiki.
5. What are group rights? Can group rights be taken over from the LDAP / AD?
Both in the wiki and in the central user directory, the permissions of users (e.g. read or write permissions) are defined via groups to which the respective users are assigned. When connecting the wiki, it is recommended that the groups are taken over from the “control center” and then given the specific rights in the wiki (for example, deleting wiki articles). If this takeover is not desired, user rights management can continue to be done in the wiki.
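The two-step login described under question 4 (authenticate, then authorize) and the group takeover described here can be shown in one small Python example. This is an added illustration, not code from Hallo Welt! or from any MediaWiki LDAP extension: the directory, its distinguished names, the password hashes and the group-to-wiki-group mapping are all constructed in memory, and a hash comparison stands in for the LDAP bind a real connection would perform.

```python
"""Two-step directory login: authenticate, then authorize.
Added example against a constructed in-memory directory; not the code of
Hallo Welt! or any MediaWiki extension. All names are assumptions."""
import hashlib
import hmac


def _h(password):
    # Constructed stand-in for whatever secret the real directory verifies
    # during a bind; the wiki itself never stores these.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample directory: distinguished name -> attributes.
DIRECTORY = {
    "CN=jdoe,OU=Sales,OU=DE,DC=example,DC=com": {
        "sAMAccountName": "jdoe",
        "mail": "jdoe@example.com",
        "preferredLanguage": "de",
        "memberOf": ["CN=Wiki-Editors,OU=Groups,DC=example,DC=com",
                     "CN=Sales,OU=Groups,DC=example,DC=com"],
        "_secret": _h("correct horse"),
    },
    "CN=asmith,OU=IT,OU=UK,DC=example,DC=com": {
        "sAMAccountName": "asmith",
        "mail": "asmith@example.com",
        "preferredLanguage": "en",
        "memberOf": ["CN=Wiki-Admins,OU=Groups,DC=example,DC=com"],
        "_secret": _h("hunter2hunter2"),
    },
}

# The "takeover": only explicitly mapped directory groups become wiki
# groups; every other group (e.g. Sales) is ignored by the wiki.
GROUP_MAP = {
    "CN=Wiki-Editors,OU=Groups,DC=example,DC=com": "editor",
    "CN=Wiki-Admins,OU=Groups,DC=example,DC=com": "sysop",
}


def find_dn(username):
    """Resolve the account name to the user's path (distinguished name)."""
    for dn, attrs in DIRECTORY.items():
        if attrs["sAMAccountName"] == username:
            return dn
    return None


def authenticate(username, password):
    """Step 1: check the credentials. Returns the DN on success, else None.
    Uses a constant-time comparison and does the same work for unknown
    users, so response time does not reveal whether the account exists."""
    dn = find_dn(username)
    expected = DIRECTORY[dn]["_secret"] if dn else _h("")
    ok = hmac.compare_digest(_h(password), expected)
    return dn if (dn and ok) else None


def authorize(dn, take_over_groups=True):
    """Step 2: read attributes and derive the wiki profile. With
    take_over_groups=False the directory is used for authentication only
    and group membership stays managed inside the wiki."""
    attrs = DIRECTORY[dn]
    profile = {"email": attrs["mail"],
               "language": attrs["preferredLanguage"],
               "groups": ["user"]}
    if take_over_groups:
        for group_dn in attrs["memberOf"]:
            if group_dn in GROUP_MAP:
                profile["groups"].append(GROUP_MAP[group_dn])
    return profile


def login(username, password, take_over_groups=True):
    """Full automated login: None on failure, otherwise the wiki profile."""
    dn = authenticate(username, password)
    return None if dn is None else authorize(dn, take_over_groups)
```

The point of the explicit GROUP_MAP is the one the text makes: membership in a directory group grants nothing in the wiki until an administrator has decided what that group means there.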
6. Are there also disadvantages to connecting a wiki, e.g. of a security-related nature?
The connection uses the directory service (such as the AD) for read-only purposes, and the information that runs between the wiki server and the directory server is queried via secure connections and is not forwarded directly to the outside. Of course, any connection to external systems carries the risk of additional security vulnerabilities, but the safeguards we have put in place are in line with current standards and we do not expect the data to be misused.
In many cases the organizational argument against LDAP connectivity is more of an issue: depending on how the organization is structured, the wiki’s user management most likely becomes a centralized service. And a directory server is of course a sensitive tool. That is, typically not everyone has easy access to it, not even the individual departments, but only a specific administrator, who then creates the users, the rights and so on. That means a process for creating a user has to be initiated, which can be very time-consuming and tedious. That is simply a matter of how the business is set up. If it is unproblematic and handled quickly, it is not an issue.
7. To what extent does MediaWiki itself have to be prepared for the connection?
MediaWiki needs an extension that communicates with the directory server. The basic installation of MediaWiki is not able to do that; at most it provides so-called hooks. These are designated places in the code to which you can attach the various authentication extensions (also for other systems such as OpenID, WordPress, etc.). Such an extension has already been developed by the community, is available on mediawiki.org (search for “LDAP”) and needs to be installed before the connection is made.
8. What are the biggest difficulties and hurdles for a connection?
Some companies have very complex user directories. A user path that always follows the same pattern, e.g. account name, department, country name and domain, is relatively easy to connect. But the user domains of companies have often been built up, or have historically grown, according to other criteria. Then there can be difficult requirements, where users from a variety of places should be allowed access to the wiki, and we need to think about which distinctive criteria identify those users. Or the company has a collective user (an account that several natural persons use) which is to be resolved into individual users in the wiki.
Overall, the query should be formulated as precisely as possible for the users who are allowed to log on. Especially for large international companies you need a contact person on the customer side who knows the local directory services well and can tell us the significant attributes that should be queried. Otherwise, performance may suffer.
Another challenge is the distribution of user management across different servers, if for example a company merger has taken place and users of all companies involved (with different directories and servers) should access the wiki. Here you can clarify, for example, with a pre-query in the form of a switch which organization the user comes from and which server the wiki should accordingly query.
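The two points just made, formulating the login query as precisely as possible and switching between several directories after a merger, fit into one Python example. It is an added illustration, not code from Hallo Welt! or from a MediaWiki extension: the server addresses, base DNs, login attributes and the domain suffixes are constructed assumptions, and the block only builds the query; it does not open a connection. The escaping function follows RFC 4515, so a login name containing filter metacharacters such as `*` or `(` is matched literally instead of widening the search.

```python
"""Build the per-organization user query for a directory login.
Added example; not code from Hallo Welt! or any MediaWiki extension.
Servers, base DNs and domain suffixes below are constructed."""

# RFC 4515: these characters must be escaped inside a filter value,
# otherwise a typed login name can change the meaning of the filter.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


# Constructed: after a merger, two directories with different schemas.
# Key = the domain suffix the user types; value = where and how to look.
ORGS = {
    "example.com": {
        "server": "ldaps://dc1.example.com",
        "base_dn": "OU=Staff,DC=example,DC=com",
        "login_attr": "sAMAccountName",
        # Only members of this group are wiki users in this directory.
        "extra": "(memberOf=CN=Wiki-Users,OU=Groups,DC=example,DC=com)",
    },
    "acquired.example": {
        "server": "ldaps://ldap.acquired.example",
        "base_dn": "ou=people,dc=acquired,dc=example",
        "login_attr": "uid",
        "extra": "(objectClass=inetOrgPerson)",
    },
}


def split_login(login):
    """Accept 'user@domain' or 'DOMAIN\\user' and return (user, domain)."""
    if "@" in login:
        user, _, domain = login.partition("@")
        return user, domain.lower()
    if "\\" in login:
        domain, _, user = login.partition("\\")
        return user, domain.lower()
    return login, None


def build_query(login, default_org="example.com"):
    """The pre-query 'switch': choose the organization's directory and
    build an exact filter for one account. Returns None when the
    organization is unknown or the login name is empty."""
    user, domain = split_login(login)
    org = ORGS.get(domain or default_org)
    if org is None or not user:
        return None
    ldap_filter = "(&({}={}){})".format(
        org["login_attr"], escape_filter_value(user), org["extra"])
    return {"server": org["server"],
            "base_dn": org["base_dn"],
            "filter": ldap_filter}
```

Narrowing the search to a base DN and an additional condition (the `extra` part) is what keeps the query both cheap for the directory and restricted to the users who are actually allowed in; the escaping is what keeps the user-supplied part of the login name from altering that restriction.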
9. What information does Hallo Welt! need before the deployment of a connection?
Of course, we need the address and path to the directory server (“LDAP server”) and typically a so-called proxy user. This is a service account (not a real person) whose password never expires and whose task and authorization it is to read all information about specific users from the directory service; it acts as the wiki’s channel of communication with the directory service.
10. Is technical knowledge necessary for the connection?
In any case. In principle, such a connection should only be tackled by an expert, or at least by someone who already has experience with LDAP and AD.