July 2013


The installation steps below were carried out on CentOS 6.4

Installation

Install the MySQL server and the php-mysql module:

yum install mysql-server mysql php-mysql
/sbin/chkconfig --levels 235 mysqld on
/sbin/service mysqld start

Change the MySQL ‘root’ user password, then create the wiki database and user:

mysql -uroot -p
mysql> USE mysql;
mysql> UPDATE user SET Password=PASSWORD('newpassword') WHERE user='root';
mysql> FLUSH PRIVILEGES;
mysql> CREATE DATABASE wiki;
mysql> CREATE USER 'wikiuser'@'localhost' IDENTIFIED BY 'wikipassword';
mysql> GRANT ALL ON wiki.* TO 'wikiuser'@'localhost';
mysql> exit

Download MediaWiki from http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.1.tar.gz (at the time of writing the latest version was 1.21.1):

wget http://download.wikimedia.org/mediawiki/1.21/mediawiki-1.21.1.tar.gz

Untar MediaWiki into /var/www/html (assuming that /var/www/html is the DocumentRoot):

tar -xzvf mediawiki-1.21.1.tar.gz
mv mediawiki-1.21.1 /var/www/html/wiki

Change the ownership of the wiki directory and grant write permissions to the config directory.

chown -R apache:apache /var/www/html/wiki
chmod a+w /var/www/html/wiki/config

Restart the apache server.

/sbin/service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

Go to http://localhost/wiki

Follow the on-screen setup steps to complete the installation.

Access the wiki at http://localhost/wiki

Access Control

MediaWiki has the groups “Anonymous, User, Bot, Sysop, Bureaucrats” by default. Change the group rights according to your needs by adding the following to LocalSettings.php:

## Anonymous
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createpage'] = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['createtalk'] = false;
$wgGroupPermissions['*']['writeapi']  = false;

## User
$wgGroupPermissions['user' ]['move']            = false;
$wgGroupPermissions['user' ]['read']            = true;
$wgGroupPermissions['user' ]['edit']            = false;
$wgGroupPermissions['user' ]['createpage']      = false;
$wgGroupPermissions['user' ]['createtalk']      = false;
$wgGroupPermissions['user' ]['upload']          = false;
$wgGroupPermissions['user' ]['reupload']        = false;
$wgGroupPermissions['user' ]['reupload-shared'] = false;
$wgGroupPermissions['user' ]['minoredit']       = false;
$wgGroupPermissions['user' ]['purge']           = false;
$wgGroupPermissions['user' ]['move-subpages']   = false;
$wgGroupPermissions['user' ]['writeapi']        = false;

## Bot
$wgGroupPermissions['bot' ]['move']            = true;
$wgGroupPermissions['bot' ]['read']            = true;
$wgGroupPermissions['bot' ]['edit']            = true;
$wgGroupPermissions['bot' ]['createpage']      = true;
$wgGroupPermissions['bot' ]['createtalk']      = true;
$wgGroupPermissions['bot' ]['upload']          = true;
$wgGroupPermissions['bot' ]['reupload']        = true;
$wgGroupPermissions['bot' ]['reupload-shared'] = true;
$wgGroupPermissions['bot' ]['minoredit']       = true;
$wgGroupPermissions['bot' ]['purge']           = true;
$wgGroupPermissions['bot' ]['move-subpages']   = true;
$wgGroupPermissions['bot' ]['writeapi']        = true;

## Sysop
$wgGroupPermissions['sysop' ]['createaccount']   = false;
$wgGroupPermissions['sysop' ]['move']            = true;
$wgGroupPermissions['sysop' ]['read']            = true;
$wgGroupPermissions['sysop' ]['edit']            = true;
$wgGroupPermissions['sysop' ]['createpage']      = true;
$wgGroupPermissions['sysop' ]['createtalk']      = true;
$wgGroupPermissions['sysop' ]['upload']          = true;
$wgGroupPermissions['sysop' ]['reupload']        = true;
$wgGroupPermissions['sysop' ]['reupload-shared'] = true;
$wgGroupPermissions['sysop' ]['minoredit']       = true;
$wgGroupPermissions['sysop' ]['purge']           = true;
$wgGroupPermissions['sysop' ]['move-subpages']   = true;
$wgGroupPermissions['sysop' ]['writeapi']        = true;

## Bureaucrats
$wgGroupPermissions['bureaucrat' ]['userrights']      = true;
$wgGroupPermissions['bureaucrat' ]['move']            = false;
$wgGroupPermissions['bureaucrat' ]['read']            = false;
$wgGroupPermissions['bureaucrat' ]['edit']            = false;
$wgGroupPermissions['bureaucrat' ]['createpage']      = false;
$wgGroupPermissions['bureaucrat' ]['createtalk']      = false;
$wgGroupPermissions['bureaucrat' ]['upload']          = false;
$wgGroupPermissions['bureaucrat' ]['reupload']        = false;
$wgGroupPermissions['bureaucrat' ]['reupload-shared'] = false;
$wgGroupPermissions['bureaucrat' ]['minoredit']       = false;
$wgGroupPermissions['bureaucrat' ]['purge']           = false;
$wgGroupPermissions['bureaucrat' ]['move-subpages']   = false;
$wgGroupPermissions['bureaucrat' ]['writeapi']        = false;

## Disable autoconfirmed
$wgAutoConfirmAge = 3600 * 24 * 365 * 100;  ## 100 years
$wgGroupPermissions['autoconfirmed']['autoconfirmed'] = false;
$wgGroupPermissions['autoconfirmed']['read']          = false;
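$wgGroupPermissions is additive in MediaWiki: a user holds a right if any of their groups (including the implicit '*' and 'user' groups) grants it, and a false entry in one group never removes a right another group grants; $wgRevokePermissions is the documented way to take a right away. The Python model below is an added example, not code from the post or from MediaWiki, and reproduces that resolution over the settings above; the revoke entry it shows is hypothetical and not in the post.

```python
# Model of MediaWiki's additive group-rights resolution (added example, not
# MediaWiki's own code): a right is held if ANY of the user's groups grants it,
# and only $wgRevokePermissions takes it away. Implicit groups: '*' for everyone,
# 'user' for logged-in accounts, 'autoconfirmed' once $wgAutoConfirmAge has passed.
from typing import Dict, Iterable, Optional, Set

# The $wgGroupPermissions values from the LocalSettings.php block above.
GROUP_PERMISSIONS: Dict[str, Dict[str, bool]] = {
    "*": {"read": False, "edit": False, "createpage": False,
          "createaccount": False, "createtalk": False, "writeapi": False},
    "user": {"read": True, "edit": False, "createpage": False, "move": False,
             "upload": False, "minoredit": False, "writeapi": False},
    "bot": {"read": True, "edit": True, "createpage": True, "upload": True,
            "minoredit": True, "writeapi": True},
    "sysop": {"createaccount": False, "read": True, "edit": True,
              "createpage": True, "upload": True, "writeapi": True},
    "bureaucrat": {"userrights": True, "read": False, "edit": False,
                   "upload": False, "writeapi": False},
    "autoconfirmed": {"autoconfirmed": False, "read": False},
}
GROUP_PERMISSIONS["wiki-admin"] = GROUP_PERMISSIONS["sysop"]  # as in the post

def effective_rights(explicit_groups: Iterable[str], logged_in: bool = True,
                     autoconfirmed: bool = False,
                     perms: Dict[str, Dict[str, bool]] = GROUP_PERMISSIONS,
                     revoke: Optional[Dict[str, Set[str]]] = None) -> Set[str]:
    """Rights a user holds: union over all groups, minus $wgRevokePermissions."""
    revoke = revoke or {}
    groups = {"*"} | set(explicit_groups)
    if logged_in:
        groups.add("user")
    if logged_in and autoconfirmed:
        groups.add("autoconfirmed")
    granted = {r for g in groups for r, ok in perms.get(g, {}).items() if ok}
    revoked = {r for g in groups for r in revoke.get(g, set())}
    return granted - revoked

if __name__ == "__main__":
    # 'bureaucrat' sets read=false, but the implicit 'user' group grants it.
    print("bureaucrat:", sorted(effective_rights({"bureaucrat"})))
    # Anonymous visitors hold nothing, as the '*' block intends.
    print("anonymous:", sorted(effective_rights([], logged_in=False)))
    # Hypothetical $wgRevokePermissions entry (not in the post) is what denies.
    print("revoked:", sorted(effective_rights({"bureaucrat"},
                                              revoke={"bureaucrat": {"read"}})))
```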

LDAP Configuration

The LDAP Authentication extension is used to get MediaWiki to authenticate against LDAP. The author of the extension recommends using the tip of the git repository.

cd /var/www/html/wiki/extensions
git clone https://git.wikimedia.org/git/mediawiki/extensions/LdapAuthentication.git LdapAuthentication

Enable LDAP Authentication

Add the following to LocalSettings.php:

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();

Configure LDAP Authentication

The following will allow only members of “cn=wiki,ou=Wiki Groups,ou=groups,dc=chinasystems,dc=com” to log in, where the wiki group is a groupOfNames type group.
Add the following to LocalSettings.php:

$wgLDAPDomainNames        = array('CSUKDomain');
$wgLDAPServerNames        = array('CSUKDomain' => '88.88.88.75');
$wgLDAPPort               = array('CSUKDomain' => 389 );
$wgLDAPLowerCaseUsername  = array('CSUKDomain' => true );
$wgLDAPGroupUseFullDN     = array('CSUKDomain' => true );
$wgLDAPGroupObjectclass   = array('CSUKDomain' => 'groupOfNames' );
$wgLDAPGroupAttribute     = array('CSUKDomain' => 'member' );
$wgLDAPGroupSearchNestedGroups = array('CSUKDomain' => true );
$wgLDAPGroupNameAttribute = array('CSUKDomain' => "cn" );
$wgLDAPBaseDNs            = array('CSUKDomain' => "dc=chinasystems,dc=com" );
$wgLDAPUserBaseDNs        = array('CSUKDomain' => "ou=people,dc=chinasystems,dc=com" );
$wgLDAPGroupBaseDNs       = array('CSUKDomain' => "ou=groups,dc=chinasystems,dc=com" );
$wgLDAPSearchAttributes   = array('CSUKDomain' => "uid" );
$wgLDAPProxyAgent         = array('CSUKDomain' => 'uid=operator,ou=System,ou=people,dc=chinasystems,dc=com');
$wgLDAPProxyAgentPassword = array('CSUKDomain' => 'xxxxxxxx');
$wgLDAPGroupsUseMemberOf  = array('CSUKDomain' => true );
$wgLDAPRequiredGroups     = array('CSUKDomain' => array('cn=wiki,ou=Wiki Groups,ou=groups,dc=chinasystems,dc=com'));
$wgLDAPPreferences        = array('CSUKDomain' => array("email"=>"mail","realname"=>"cn","nickname"=>"uid","language"=>"preferredLanguage"));

Get MediaWiki to use LDAP Groups

The following will get MediaWiki to use the wiki-admin group from LDAP and assign the permissions of sysop to it.
Add the following to LocalSettings.php:

$wgLDAPUseLDAPGroups      = array('CSUKDomain' => true );

## wiki-admin
$wgGroupPermissions['wiki-admin'] = $wgGroupPermissions['sysop'];

The installation steps below were carried out on CentOS 6.4

== Installation ==

yum install openldap-servers openldap-clients

== Configuration ==

Edit your ldap.conf file and enter the IP address or domain name of your server:

vi /etc/openldap/ldap.conf
URI ldap://88.88.88.75
BASE dc=my-domain,dc=com

Copy the sample files from /usr/share/openldap-servers to /etc/openldap and /var/lib/ldap:

cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Set up a new LDAP admin password:

slappasswd
New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Copy the hashed password from stdout, as it will need to be put into the configuration.

=== /etc/openldap/slapd.conf ===

Search and replace “dc=my-domain” with your own base DN components, and replace the rootpw value with the hash generated above, so that it looks like:

rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Here is the config file in use:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#

include		/etc/openldap/schema/corba.schema
include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/cosine.schema
include		/etc/openldap/schema/duaconf.schema
include		/etc/openldap/schema/dyngroup.schema
include		/etc/openldap/schema/inetorgperson.schema
include		/etc/openldap/schema/java.schema
include		/etc/openldap/schema/misc.schema
include		/etc/openldap/schema/nis.schema
include		/etc/openldap/schema/openldap.schema
include		/etc/openldap/schema/ppolicy.schema
include		/etc/openldap/schema/collective.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral	ldap://root.openldap.org

pidfile		/var/run/openldap/slapd.pid
argsfile	/var/run/openldap/slapd.args

loglevel 	-1

# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time

# modulepath /usr/lib/openldap
modulepath /usr/lib64/openldap

# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
TLSCACertificatePath /etc/openldap/certs
#TLSCertificateFile "\"OpenLDAP Server\""
#TLSCertificateKeyFile /etc/openldap/certs/password
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

# Sample security restrictions
#	Require integrity protection (prevent hijacking)
#	Require 112-bit (3DES or better) encryption for updates
#	Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#	Root DSE: allow anyone to read it
#	Subschema (sub)entry DSE: allow anyone to read it
#	Other DSEs:
#		Allow self write access
#		Allow authenticated users read access
#		Allow anonymous users to authenticate
#	Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#	by self write
#	by users read
#	by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

# enable on-the-fly configuration (cn=config)
database config
rootdn		"cn=admin,cn=config"
rootpw          {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
access to *
	by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
	by * none

# enable server status monitoring (cn=monitor)
database monitor
access to *
	by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=my-domain,dc=com" read
        by * none

#######################################################################
# database definitions
#######################################################################
database	bdb
suffix		"dc=my-domain,dc=com"
rootdn		"cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# 		secret
# 		{crypt}ijFYNcSNctBYg
rootpw          {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

access to dn.subtree="dc=my-domain,dc=com"
    by self write
    by set="[cn=Administrators,ou=groups,dc=my-domain,dc=com]/member* & user" write
    by set="[cn=Operators,ou=groups,dc=my-domain,dc=com]/member* & user" read
    by * break

access to attrs=userPassword
  by anonymous auth
  by self =rwdx
  by set="user & [cn=Administrators,ou=groups,dc=my-domain,dc=com]/member*" manage
  by dn.children="ou=Special Accounts,dc=my-domain,dc=com" auth

#access to attrs=uid,userPassword,mail
#    by self write
#    by set="[cn=Administrators,ou=group,dc=my-domain,dc=com]/member* & user" manage
#    by set="[cn=Operators,ou=group,dc=my-domain,dc=com]/member* & user" read
#    by * none

#access to *
#  by set="user & [cn=Administrators,ou=groups,dc=my-domain,dc=com]/member*" manage
#  by * break

#access to dn.children="ou=people,dc=my-domain,dc=com"
#  attrs=givenName,sn,displayName,cn,telephoneNumber,fax,postalAddress,homePhone,homePostalAddress,mobile,pager,postalCode,postOfficeBox,preferredLanguage,streetAddress,l,st
#  by self write
#  by * break

#access to dn.children="ou=people,dc=my-domain,dc=com"
#  attrs=uid,uidNumber,gidNumber,mail,telephoneNumber,mobile,departmentNumber,manager,title,initials,givenName,sn,displayName,cn,fax,organizationName,organizationalUnitName,pager,postalAddress,l,st,c
#  by * read

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory	/var/lib/ldap

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

overlay memberof

cachesize 10000
checkpoint	1024 15

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com@EXAMPLE.COM
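slapd evaluates access directives first-match, and the dn.subtree directive above carries no attrs=, so it covers userPassword before the attrs=userPassword directive is ever reached. The Python model below is an added example (not the post's or OpenLDAP's code) that reproduces slapd.access(5) ordering over those two directives, with constructed sample DNs and a static stand-in for the set= group lookups, and compares the post's order with the userPassword directive moved first.

```python
# Model of slapd.access(5) evaluation order (added example, not OpenLDAP code):
# directives are tried in order, the first whose <what> covers the entry and the
# attribute decides, the first matching <by> clause inside it applies, 'break'
# moves on to the next directive, and a directive with no attrs= covers every
# attribute, userPassword included. No match at all means 'none'. Simplified:
# set= membership is a static list, subjects are DN strings, "=rwdx" -> "write".
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed sample subjects, not taken from the post.
ADMINS = {"uid=alice,ou=people,dc=my-domain,dc=com"}
OPERATORS = {"uid=bob,ou=people,dc=my-domain,dc=com"}
SPECIAL_PARENT = "ou=Special Accounts,dc=my-domain,dc=com"

def self_(s, t): return s is not None and s == t
def admin(s, t): return s in ADMINS
def operator(s, t): return s in OPERATORS
def anonymous(s, t): return s is None
def special(s, t): return s is not None and s.endswith("," + SPECIAL_PARENT)
def anyone(s, t): return True

ALL_ATTRS = None  # directive written without attrs=
# The two active 'access to' directives from the slapd.conf above, in that order.
POST_ORDER = [
    (ALL_ATTRS, [(self_, "write"), (admin, "write"), (operator, "read"), (anyone, "break")]),
    ({"userPassword"}, [(anonymous, "auth"), (self_, "write"), (admin, "manage"), (special, "auth")]),
]
# The same directives with the userPassword one placed first.
HARDENED_ORDER = [POST_ORDER[1], POST_ORDER[0]]

def evaluate(rules, subject, target, attr):
    """Level 'subject' (bound DN or None) gets on attribute 'attr' of entry 'target'."""
    for attrs, by_clauses in rules:
        if attrs is not None and attr not in attrs:
            continue                       # <what> does not cover this attribute
        for matches, level in by_clauses:
            if matches(subject, target):
                if level == "break":
                    break                  # continue with the next directive
                return level
        else:
            return "none"                  # directive matched, no <by> clause did
    return "none"

if __name__ == "__main__":
    bob, alice = next(iter(OPERATORS)), next(iter(ADMINS))
    print(evaluate(POST_ORDER, bob, alice, "userPassword"),      # read
          evaluate(HARDENED_ORDER, bob, alice, "userPassword"))  # none
```

In the post's order an Operators member reaches userPassword through the first directive's read grant; with the attribute-specific directive first, Operators keep read on ordinary attributes while userPassword falls to the implicit deny.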

Create a new file root.ldif with the following content:

dn: dc=my-domain,dc=com
objectClass: dcObject
objectClass: organization
dc: my-domain
o: my-domain

dn: ou=groups,dc=my-domain,dc=com
ou: groups
objectClass: organizationalUnit

dn: ou=people,dc=my-domain,dc=com
ou: people
objectClass: organizationalUnit

Remove everything in the slapd.d directory, load root.ldif into the database, and generate the slapd.d configuration from slapd.conf:

rm -rf /etc/openldap/slapd.d/*
slapadd -n 2 -l /root/root.ldif
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d

Set the appropriate permissions:

chown -R ldap:ldap /var/lib/ldap
chown -R ldap:ldap /etc/openldap/slapd.d

Make sure the service is enabled at boot (runlevels 2, 3 and 5) and start it:

chkconfig --level 235 slapd on
service slapd start

== LDAPS ==

cd /etc/pki/tls/certs
rm slapd.pem
make slapd.pem
chmod 640 slapd.pem
chown :ldap slapd.pem
ln -s /etc/pki/tls/certs/slapd.pem /etc/openldap/cacerts/slapd.pem
vi /etc/sysconfig/ldap
SLAPD_LDAPS=yes
vi /etc/openldap/slapd.conf
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
vi /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT never

== Test ==

Test if everything is up and working fine:

rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d
service slapd restart

ldapsearch -x -ZZ -h localhost #(TLS)
ldapsearch -x -H ldaps://localhost #(SSL)

== CentOS Authenticating to LDAP ==

system-config-authentication