Add support for SSL client certificates
Closed, Declined; Public

Description

From https://gerrit.wikimedia.org/r/c/mediawiki/extensions/LDAPAuthentication2/+/698964

Added support for SSL client certificates

Now it is possible to use SSL client certificate auth, together with LDAP.
After the webserver authenticated and validated the client certificate,
a configurable field can be used as username for the LDAP authentication.
The username extracted from SSL client certificate is matched through the
LDAP routines and makes it possible to log in passwordless. If this is not
preferred by the user, the password can be re-enabled as a second authorisation
rule. Also a complete auto login is possible, if a client certificate is
detected. This is configurable through LocalSettings.php. If the webserver
doesn't detect a client certificate, a fallback to the default login is done.
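
The flow described above, sketched as an added example that is not code from the Gerrit change or from LDAPAuthentication2. It assumes Apache mod_ssl with `SSLOptions +StdEnvVars`; the helper names, the `uid` attribute and the character allow-list are hypothetical.

```php
<?php
// Added illustration, not LDAPAuthentication2 code. Assumes Apache mod_ssl
// with "SSLOptions +StdEnvVars" exporting SSL_CLIENT_* into $_SERVER.

// Hypothetical helper: username from a verified client certificate,
// or null to fall back to the default login.
function usernameFromClientCert(array $server, string $field = 'SSL_CLIENT_S_DN_CN'): ?string
{
    // mod_ssl reports NONE, SUCCESS, GENEROUS or FAILED:reason.
    // Only SUCCESS means the web server validated the certificate chain.
    if (($server['SSL_CLIENT_VERIFY'] ?? 'NONE') !== 'SUCCESS') {
        return null;
    }
    $value = trim((string)($server[$field] ?? ''));
    // Conservative allow-list (an assumption; adapt to the directory's naming rules).
    if (!preg_match('/\A[A-Za-z0-9._@-]{1,64}\z/', $value)) {
        return null;
    }
    return $value;
}

// Escape a value for use inside an LDAP search filter (RFC 4515).
function ldapFilterEscape(string $value): string
{
    return strtr($value, ['\\' => '\\5c', '*' => '\\2a', '(' => '\\28', ')' => '\\29', "\0" => '\\00']);
}

// Constructed sample requests, not captured traffic.
$samples = [
    'verified cert'   => ['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_S_DN_CN' => 'jdoe'],
    'no cert'         => ['SSL_CLIENT_VERIFY' => 'NONE'],
    'failed verify'   => ['SSL_CLIENT_VERIFY' => 'FAILED:certificate has expired', 'SSL_CLIENT_S_DN_CN' => 'jdoe'],
    'filter metachar' => ['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_S_DN_CN' => 'jdoe)(uid=*'],
];
foreach ($samples as $label => $server) {
    $user = usernameFromClientCert($server);
    // The "uid" attribute is an assumption; use the directory's login attribute.
    echo str_pad($label, 16), ' => ',
        $user === null ? 'fallback to default login' : '(uid=' . ldapFilterEscape($user) . ')', "\n";
}
```

Only the first sample yields an LDAP filter; a missing certificate, a failed verification and a subject field carrying filter metacharacters all fall back to the default login.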

Event Timeline

Hi Oliver Welter!

Thanks for your contribution!

Are you aware of Extension:Auth_remoteuser? To me it looks like this may be better suited for SSL certificate based login scenarios.
One can still use Extension:LDAPAuthorization to enforce LDAP group based restrictions if required.

Adding such functionality to Extension:LDAPAuthentication2 feels a little bit strange.
The only difference that I can currently see to just using a setup with Extension:Auth_remoteuser is the part with "the password can be re-enabled as a second authorisation".

No feedback for more than a year. Closing.