The (terrible) doc/ppt/xls Microsoft Office document formats all have the same MIME type. This causes a lot of grief when using MediaWiki, as MediaWiki checks MIME types against file extensions for security purposes. In this article I’ll describe how to allow uploading for these file types, and how to get around the “The file is corrupt or has an incorrect extension” problem.

Allow doc/ppt/xls to be uploaded

Add the following lines to your LocalSettings.php to allow these formats:

Configuring the LDAP Authentication plugin for MediaWiki can be a daunting task. In this series of posts, I’ll go over the basics of configuring the plugin for common environments. In a later series of posts, I’ll go into each environment in detail.

Part 1 will discuss basic password authentication for Active Directory (AD). Part 2 will discuss basic password authentication for LDAP domains with the posix schema. Part 3 will discuss enabling group restrictions and synchronization, and retrieving preferences for AD. Part 4 will discuss group restrictions and synchronization, and retrieving preferences for LDAP domains with the posix schema.

I occasionally get a newsletter from the Louisiana Technology Council (LTC). The most recent newsletter I received was too good not to post about. Here’s the newsletter:

http://www.ltc-la.org/en/art/422/

I’ll pull a few great quotes out of it for you…

You are invited to participate in a survey designed to learn about business blog. A business blog is a novel way of publishing information by or with the support of an organization where entries are made in journal style and displayed in a reverse chronological order.

This is the Louisiana Technology Council right? Did this come out of a dictionary? Is this really the best way to describe a blog?

In part 1 I discussed how to configure NSS and OpenSSL. In part 2, I discussed how to configure pam_pkcs11 and how to test a smartcard against the NSS database we set up. In this part, I’ll discuss how to add pam_krb5 into the mix to automatically get a Kerberos ticket from an Active Directory domain using PKINIT.

Notice that this post will discuss a package that is yet to be officially released by Red Hat. Whenever this is officially released, it may have different configuration options, or different functionality. I’ll update this post at that time.

At some point in time, Red Hat snuck in experimental support for NSS in OpenSSH. What does that give us? Smart Card support! This article will describe how to use it.

In another blog post, I mentioned how to configure NSS and OpenSSL; you should take a look at that if you are unfamiliar with the process, because I assume that is prerequisite knowledge. I will also assume you have a basic understanding of how public key authentication in SSH works.

Here are the steps to the process:

1. Copy the NSS databases to .ssh

In part 1 I discussed how to configure NSS and OpenSSL. In this part, I’ll discuss how to configure pam_pkcs11 and how to test a smartcard against the NSS database we set up.

What does pam_pkcs11 do for me?

The pam_pkcs11 module will do a couple things for us:

1. Allow/Require smartcard login
2. Map an attribute from the card to a login name

For a basic configuration, we’ll have to edit three files; /etc/pam_pkcs11/pam_pkcs11.conf, /etc/pam_pkcs11/cn_map, and /etc/pam.d/system-auth.

Configuring pam_pkcs11 and testing smart card access

Edit /etc/pam_pkcs11/pam_pkcs11.conf; this file is kind of long, so I’ll just touch on specific configuration lines, and only the basic configuration lines needed to get the authentication working.

Starting with Red Hat Enterprise Linux version 5 (RHEL 5), Red Hat added native support for PKI with pam_pkcs11, NSS, ccid, coolkey, and pcsc-lite. RHEL 5 also added rudimentary support for PKINIT in their Kerberos client, mostly based upon the CITI and Heimdal implementation (in pkinit-nss). Coming in a future update to RHEL 5 (maybe 5.3 or 5.4) you can expect better PKINIT support, with more MIT based PKINIT support.

This series of articles will cover how to configure a RHEL 5 system to allow users to log in with a smartcard, while also getting a Kerberos ticket from an Active Directory domain.

So, I finally broke down and made a Blog. I’m not a terribly big fan of blogging; however, I needed a place to post some information about my MediaWiki plugins that shouldn’t normally be posted at mediawiki.org.

I was considering using my MediaWiki site for the blog, but since I’m lazy, and wordpress is easy, I decided to go that route.

I’ll be posting mostly technology related info here; specifically, I’ll probably post a lot about MediaWiki and LDAP.