Semi-anonymous users in MediaWiki using the LDAP Authentication extension

LDAP, MediaWiki

For some corporate wikis, it is beneficial to allow anonymous edits; however, anonymous edits in MediaWiki are tracked by IP address, and in most corporate environments it is trivial to identify a user from the IP address they came from. Also, most corporate environments are opposed to allowing non-authenticated write access to any resource (for good reason).

So, if you want a wiki, such as a wiki for polls, where users need some form of anonymity before they will trust it, a clever use of the LDAP Authentication extension can give you that.

Enable the extension and test authentication

First and foremost, you should ensure that LDAP authentication is configured and working properly; see part 1 and part 2 of the series of articles for using the LDAP plugin for MediaWiki.

Configure the SetUsernameAttributeFromLDAP hook

The LDAP extension has a configuration hook that allows you to set the username used in MediaWiki to any of the user’s attributes in LDAP. We’ll use this to create a semi-anonymous username derived from one of the user’s attributes.

Notice that I am saying semi-anonymous for a reason. Unless you want to create a new user for someone every time they log in, you have to create the username in such a way that it is the same every time. Put the following into the bottom of LocalSettings.php:

// This hook is called by the LdapAuthentication plugin. It is a configuration hook. Here we
// are specifying what attribute we want to use for a username in the wiki.
// The hook calls the function defined below.
$wgHooks['SetUsernameAttributeFromLDAP'][] = 'SetUsernameAttribute';

// This function allows you to get the username from LDAP however you need to do it.
// $info is the LDAP search result; $info[0]['cn'][0] is the first value of the
// user's cn attribute.
function SetUsernameAttribute(&$LDAPUsername, $info) {
    $LDAPUsername = $info[0]['cn'][0];
    // Append a secret string so the hash cannot be rebuilt from the cn alone.
    $LDAPUsername = $LDAPUsername . "MySuperSecretAppendedString0230932740982738khewfjkshd";
    // How usernames are created should not be disclosed, otherwise
    // the pseudo-anonymity will be lost.
    $LDAPUsername = 'pseudo.' . md5($LDAPUsername);
    // All hooks have to return a boolean in MediaWiki
    return true;
}

You should change the attribute pulled, the “MySuperSecret…” string, and (possibly) the hashing function to something else. You should probably leave the “pseudo.” string alone. Note that whatever hash function you use must produce a username that MediaWiki accepts; md5’s hexadecimal output only contains characters MediaWiki allows, which is why I am using it above.

As you can see, the wiki system administrator, and anyone else who knows how you are hashing the usernames, can figure out who the anonymous users are. It is important to keep this information secret.

Test login to ensure the username gets hashed

When you log in, you should have a semi-anonymous username. Log out and log in again; you should get the same semi-anonymous username. If not, your hashing function isn’t working properly.

Give your semi-anonymous user admin privileges

Notice that every user, including your admin user, is now semi-anonymous. Unfortunately, this means you are no longer an admin. To fix this:

  1. Log out
  2. Disable the semi-anonymous configuration
  3. Log in as your admin user
  4. Give admin privileges to your new semi-anonymous user
  5. (Optionally) merge your old admin user with your new semi-anonymous user

I should probably mention that your admin user will likely no longer be anonymous after giving yourself admin privileges (after all, most people probably know who the wiki admin is).

An alternative to these steps is to not hash your admin’s username in the above function.
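A hardened variant of the hook above that also implements this alternative (an exemption list for admin accounts), added here as an example and not code from the post or the LdapAuthentication extension. It assumes a secret stored in a file outside the web root at the path shown and that the hook name and the `$info` layout are as in the post; it replaces the md5-of-concatenation with a keyed HMAC and fails closed if the secret is missing.

```php
<?php
// Added example for LocalSettings.php (not the post's own code).
// Assumed: the secret lives in a file outside the web root so a leaked
// LocalSettings.php alone does not reveal the cn -> username mapping.
$wgPseudonymSecretFile = '/etc/mediawiki/pseudonym.key';
$wgPseudonymSecret = trim( (string)@file_get_contents( $wgPseudonymSecretFile ) );
if ( strlen( $wgPseudonymSecret ) < 32 ) {
    // Fail closed: with no (or a weak) secret every username would be a plain
    // unkeyed hash of the cn, which anyone who can list the directory can rebuild.
    throw new Exception( 'pseudonym secret missing or shorter than 32 characters' );
}

// LDAP cn values that keep their real username (assumed example list). This is
// the "do not hash your admin's username" alternative from the post.
$wgPseudonymExemptUsers = [ 'wikiadmin' ];

$wgHooks['SetUsernameAttributeFromLDAP'][] = 'SetPseudonymousUsername';

function SetPseudonymousUsername( &$LDAPUsername, $info ) {
    global $wgPseudonymSecret, $wgPseudonymExemptUsers;

    // Normalise before hashing so "JSmith" and "jsmith " map to one wiki account;
    // otherwise a user may get a fresh pseudonym on every login.
    $cn = strtolower( trim( $info[0]['cn'][0] ) );

    if ( in_array( $cn, $wgPseudonymExemptUsers, true ) ) {
        $LDAPUsername = $cn;
        return true;
    }

    // HMAC instead of md5( cn . secret ): a keyed construction with no
    // length-extension behaviour. The secret must still be long and random;
    // whoever holds it and can enumerate the directory can invert the mapping.
    $digest = hash_hmac( 'sha256', $cn, $wgPseudonymSecret );

    // Hex output only uses characters MediaWiki accepts in usernames; keep the
    // "pseudo." prefix from the post and truncate to keep names readable.
    $LDAPUsername = 'pseudo.' . substr( $digest, 0, 32 );
    return true;
}
```

Create the secret once with something like `head -c 48 /dev/urandom | base64 > /etc/mediawiki/pseudonym.key` and restrict its permissions to the web server user; rotating it renames every pseudonymous account.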

Feedback

Let me know if this is or isn’t working for you, or if you have a better way of making users anonymous.

Update (06/29/2009): Looks like this isn’t working right now unless you are using auto-authentication. I’ll try to have an update for the LDAP extension soon that’ll address this.


4 Responses to “Semi-anonymous users in MediaWiki using the LDAP Authentication extension”

  1. David Macdonald says:

    Hi Ryan,

    I’ve tried it out and, as you have noted, it doesn’t appear to work. Is the fix simple, i.e. can I make it myself, or is it in the current development version? I really need this feature soon…

  2. Phadric says:

    Is there anything new about that problem?

    • David Macdonald says:

      Hi Phadric,

      I modified LdapAuthentication.php to get this functionality working. In addition to the customised LdapAuthentication.php, it requires a single line change to the MediaWiki core.

      I sent a patch to Ryan, but I don’t think it was included in the official release. It was a bit of a messy fix, unfortunately.

      I can send you my modified version, if you like.
