[MediaWiki-l] Active Directory Integration for Access Management

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

[MediaWiki-l] Active Directory Integration for Access Management

Kevin Holleran
Good afternoon,

I was wondering if this was possible before I invest a lot of time into it.

I am using an instance of MediaWiki as an internal knowledge base.  I have
a variety of categories for different functions.  I was wondering if I
could do one of the following:

1.) Integrate with Active Directory.  If the user is in the Wiki-ReadOnly
group, they can only read pages and NOT change them.  If they are in the
Wiki-Write group, they can read & edit pages.

OR (the gold state)

2.) Have different read and write groups for each category.  For instance,
I use the wiki to document how we go about malware analysis and would like
some people to be able to see this to use as a reference when working a
case, but most people do not need to see this.


Is this possible?

Thanks!

Kevin
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: Active Directory Integration for Access Management

Larry Silverman
You'll want https://www.mediawiki.org/wiki/Extension:LDAP_Authentication

I don't believe you'll have much luck with access controls based on
categories, but I could be wrong. Category membership is controlled by
wikitext in the page content itself. I haven't seen any access control
mechanisms that can work with categories.

Namespaces would be a better place to attempt access controls.

I've done this in my own wiki. I'd be happy to share how we did it.

Larry Silverman
Chief Technology Officer
TrackAbout, Inc.


On Thu, Jul 31, 2014 at 11:44 AM, Kevin Holleran <[hidden email]>
wrote:

> Good afternoon,
>
> I was wondering if this was possible before I invest a lot of time into it.
>
> I am using an instance of MediaWiki as an internal knowledge base.  I have
> a variety of categories for different functions.  I was wondering if I
> could do one of the following:
>
> 1.) Integrate with Active Directory.  If the user is in the Wiki-ReadOnly
> group, they can only read pages and NOT change them.  If they are in the
> Wiki-Write group, they can read & edit pages.
>
> OR (the gold state)
>
> 2.) Have different read and write groups for each category.  For instance,
> I use the wiki to document how we go about malware analysis and would like
> some people to be able to see this to use as a reference when working a
> case, but most people do not need to see this.
>
>
> Is this possible?
>
> Thanks!
>
> Kevin
> _______________________________________________
> MediaWiki-l mailing list
> To unsubscribe, go to:
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: Active Directory Integration for Access Management

Kevin Holleran
Fantastic, I'll look into that.  I would love to hear about your
implementation but I have to look into what Namespaces even mean in the
MediaWiki realm (very green).

Thanks again.


--
Kevin Holleran
Master of Science, Computer Information Systems
Grand Valley State University
Master of Business Administration
Western Michigan University
CISSP, GISP, GXPN, GCFA, GCFE, PCIP, PCI ISA, Cisco CCNA, ICCP ISA,
Microsoft MCSA

"If you have responsibility for security, but no authority to make changes,
then you're just there to take the blame when something goes wrong" Gene
Spafford - Spafford's First Law of Security

"Do today what others won't, do tomorrow what others can't" - SEALFit

"We are what we repeatedly do. Excellence, then, is not an act, but a
habit." - Aristotle


On Thu, Jul 31, 2014 at 12:57 PM, Larry Silverman <[hidden email]
> wrote:

> You'll want https://www.mediawiki.org/wiki/Extension:LDAP_Authentication
>
> I don't believe you'll have much luck with access controls based on
> categories, but I could be wrong. Category membership is controlled by
> wikitext in the page content itself. I haven't seen any access control
> mechanisms that can work with categories.
>
> Namespaces would be a better place to attempt access controls.
>
> I've done this in my own wiki. I'd be happy to share how we did it.
>
> Larry Silverman
> Chief Technology Officer
> TrackAbout, Inc.
>
>
> On Thu, Jul 31, 2014 at 11:44 AM, Kevin Holleran <[hidden email]
> >
> wrote:
>
> > Good afternoon,
> >
> > I was wondering if this was possible before I invest a lot of time into
> it.
> >
> > I am using an instance of MediaWiki as an internal knowledge base.  I
> have
> > a variety of categories for different functions.  I was wondering if I
> > could do one of the following:
> >
> > 1.) Integrate with Active Directory.  If the user is in the Wiki-ReadOnly
> > group, they can only read pages and NOT change them.  If they are in the
> > Wiki-Write group, they can read & edit pages.
> >
> > OR (the gold state)
> >
> > 2.) Have different read and write groups for each category.  For
> instance,
> > I use the wiki to document how we go about malware analysis and would
> like
> > some people to be able to see this to use as a reference when working a
> > case, but most people do not need to see this.
> >
> >
> > Is this possible?
> >
> > Thanks!
> >
> > Kevin
> > _______________________________________________
> > MediaWiki-l mailing list
> > To unsubscribe, go to:
> > https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
> >
> _______________________________________________
> MediaWiki-l mailing list
> To unsubscribe, go to:
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: Active Directory Integration for Access Management

Luis Dantas
In reply to this post by Larry Silverman
I definitely want to learn about that, if it is not too much trouble for
you.


On Thu, Jul 31, 2014 at 1:57 PM, Larry Silverman <[hidden email]>
wrote:

> You'll want https://www.mediawiki.org/wiki/Extension:LDAP_Authentication
>
> I don't believe you'll have much luck with access controls based on
> categories, but I could be wrong. Category membership is controlled by
> wikitext in the page content itself. I haven't seen any access control
> mechanisms that can work with categories.
>
> Namespaces would be a better place to attempt access controls.
>
> I've done this in my own wiki. I'd be happy to share how we did it.
>
> Larry Silverman
> Chief Technology Officer
> TrackAbout, Inc.
>
>
> On Thu, Jul 31, 2014 at 11:44 AM, Kevin Holleran <[hidden email]
> >
> wrote:
>
> > Good afternoon,
> >
> > I was wondering if this was possible before I invest a lot of time into
> it.
> >
> > I am using an instance of MediaWiki as an internal knowledge base.  I
> have
> > a variety of categories for different functions.  I was wondering if I
> > could do one of the following:
> >
> > 1.) Integrate with Active Directory.  If the user is in the Wiki-ReadOnly
> > group, they can only read pages and NOT change them.  If they are in the
> > Wiki-Write group, they can read & edit pages.
> >
> > OR (the gold state)
> >
> > 2.) Have different read and write groups for each category.  For
> instance,
> > I use the wiki to document how we go about malware analysis and would
> like
> > some people to be able to see this to use as a reference when working a
> > case, but most people do not need to see this.
> >
> >
> > Is this possible?
> >
> > Thanks!
> >
> > Kevin
> > _______________________________________________
> > MediaWiki-l mailing list
> > To unsubscribe, go to:
> > https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
> >
> _______________________________________________
> MediaWiki-l mailing list
> To unsubscribe, go to:
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>



--
----------------------------------------
MSN Messenger: [hidden email]
http://www.dantas.com
http://dantas.editme.com/textos
http://luisdantas.zip.net

"It is no measure of health to be well adjusted to a profoundly sick
society" - Atribuído a Krishnamurti, Bodhipaksa, 28 de Dezembro de 2007

Nunca use uma solução Shojo para um problema Seinen.  E se possível, nem
vice-versa.
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: Active Directory Integration for Access Management

Larry Silverman
I'll write something up. Traveling today, but will try to get to it this
week.
On Aug 3, 2014 9:16 PM, "Luis Dantas" <[hidden email]> wrote:

> I definitely want to learn about that, if it is not too much trouble for
> you.
>
>
> On Thu, Jul 31, 2014 at 1:57 PM, Larry Silverman <
> [hidden email]>
> wrote:
>
> > You'll want https://www.mediawiki.org/wiki/Extension:LDAP_Authentication
> >
> > I don't believe you'll have much luck with access controls based on
> > categories, but I could be wrong. Category membership is controlled by
> > wikitext in the page content itself. I haven't seen any access control
> > mechanisms that can work with categories.
> >
> > Namespaces would be a better place to attempt access controls.
> >
> > I've done this in my own wiki. I'd be happy to share how we did it.
> >
> > Larry Silverman
> > Chief Technology Officer
> > TrackAbout, Inc.
> >
> >
> > On Thu, Jul 31, 2014 at 11:44 AM, Kevin Holleran <
> [hidden email]
> > >
> > wrote:
> >
> > > Good afternoon,
> > >
> > > I was wondering if this was possible before I invest a lot of time into
> > it.
> > >
> > > I am using an instance of MediaWiki as an internal knowledge base.  I
> > have
> > > a variety of categories for different functions.  I was wondering if I
> > > could do one of the following:
> > >
> > > 1.) Integrate with Active Directory.  If the user is in the
> Wiki-ReadOnly
> > > group, they can only read pages and NOT change them.  If they are in
> the
> > > Wiki-Write group, they can read & edit pages.
> > >
> > > OR (the gold state)
> > >
> > > 2.) Have different read and write groups for each category.  For
> > instance,
> > > I use the wiki to document how we go about malware analysis and would
> > like
> > > some people to be able to see this to use as a reference when working a
> > > case, but most people do not need to see this.
> > >
> > >
> > > Is this possible?
> > >
> > > Thanks!
> > >
> > > Kevin
> > > _______________________________________________
> > > MediaWiki-l mailing list
> > > To unsubscribe, go to:
> > > https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
> > >
> > _______________________________________________
> > MediaWiki-l mailing list
> > To unsubscribe, go to:
> > https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
> >
>
>
>
> --
> ----------------------------------------
> MSN Messenger: [hidden email]
> http://www.dantas.com
> http://dantas.editme.com/textos
> http://luisdantas.zip.net
>
> "It is no measure of health to be well adjusted to a profoundly sick
> society" - Atribuído a Krishnamurti, Bodhipaksa, 28 de Dezembro de 2007
>
> Nunca use uma solução Shojo para um problema Seinen.  E se possível, nem
> vice-versa.
> _______________________________________________
> MediaWiki-l mailing list
> To unsubscribe, go to:
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: Active Directory Integration for Access Management

Larry Silverman
Airplane wifi for the win. I've done a writeup. Due to the sensitive nature
of sharing our wiki's security configuration, I'll only send it directly to
individuals who request it. I'll also ask that you please not post the
configuration or otherwise share it publicly. Thank you!

Larry Silverman
Chief Technology Officer
TrackAbout, Inc.


On Mon, Aug 4, 2014 at 6:06 AM, Larry Silverman <[hidden email]>
wrote:

> I'll write something up. Traveling today, but will try to get to it this
> week.
> On Aug 3, 2014 9:16 PM, "Luis Dantas" <[hidden email]> wrote:
>
>> I definitely want to learn about that, if it is not too much trouble for
>> you.
>>
>>
>> On Thu, Jul 31, 2014 at 1:57 PM, Larry Silverman <
>> [hidden email]>
>> wrote:
>>
>> > You'll want
>> https://www.mediawiki.org/wiki/Extension:LDAP_Authentication
>> >
>> > I don't believe you'll have much luck with access controls based on
>> > categories, but I could be wrong. Category membership is controlled by
>> > wikitext in the page content itself. I haven't seen any access control
>> > mechanisms that can work with categories.
>> >
>> > Namespaces would be a better place to attempt access controls.
>> >
>> > I've done this in my own wiki. I'd be happy to share how we did it.
>> >
>> > Larry Silverman
>> > Chief Technology Officer
>> > TrackAbout, Inc.
>> >
>> >
>> > On Thu, Jul 31, 2014 at 11:44 AM, Kevin Holleran <
>> [hidden email]
>> > >
>> > wrote:
>> >
>> > > Good afternoon,
>> > >
>> > > I was wondering if this was possible before I invest a lot of time
>> into
>> > it.
>> > >
>> > > I am using an instance of MediaWiki as an internal knowledge base.  I
>> > have
>> > > a variety of categories for different functions.  I was wondering if I
>> > > could do one of the following:
>> > >
>> > > 1.) Integrate with Active Directory.  If the user is in the
>> Wiki-ReadOnly
>> > > group, they can only read pages and NOT change them.  If they are in
>> the
>> > > Wiki-Write group, they can read & edit pages.
>> > >
>> > > OR (the gold state)
>> > >
>> > > 2.) Have different read and write groups for each category.  For
>> > instance,
>> > > I use the wiki to document how we go about malware analysis and would
>> > like
>> > > some people to be able to see this to use as a reference when working
>> a
>> > > case, but most people do not need to see this.
>> > >
>> > >
>> > > Is this possible?
>> > >
>> > > Thanks!
>> > >
>> > > Kevin
>> > > _______________________________________________
>> > > MediaWiki-l mailing list
>> > > To unsubscribe, go to:
>> > > https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>> > >
>> > _______________________________________________
>> > MediaWiki-l mailing list
>> > To unsubscribe, go to:
>> > https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>> >
>>
>>
>>
>> --
>> ----------------------------------------
>> MSN Messenger: [hidden email]
>> http://www.dantas.com
>> http://dantas.editme.com/textos
>> http://luisdantas.zip.net
>>
>> "It is no measure of health to be well adjusted to a profoundly sick
>> society" - Atribuído a Krishnamurti, Bodhipaksa, 28 de Dezembro de 2007
>>
>> Nunca use uma solução Shojo para um problema Seinen.  E se possível, nem
>> vice-versa.
>> _______________________________________________
>> MediaWiki-l mailing list
>> To unsubscribe, go to:
>> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>>
>
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Reply | Threaded
Open this post in threaded view
|

Re: Active Directory Integration for Access Management

Luis Dantas
Thanks for your generosity. May I have a copy of your writeup?


On Mon, Aug 4, 2014 at 1:22 PM, Larry Silverman <[hidden email]>
wrote:

> Airplane wifi for the win. I've done a writeup. Due to the sensitive nature
> of sharing our wiki's security configuration, I'll only send it directly to
> individuals who request it. I'll also ask that you please not post the
> configuration or otherwise share it publicly. Thank you!
>
> Larry Silverman
> Chief Technology Officer
> TrackAbout, Inc.
>
>
> On Mon, Aug 4, 2014 at 6:06 AM, Larry Silverman <[hidden email]
> >
> wrote:
>
> > I'll write something up. Traveling today, but will try to get to it this
> > week.
> > On Aug 3, 2014 9:16 PM, "Luis Dantas" <[hidden email]> wrote:
> >
> >> I definitely want to learn about that, if it is not too much trouble for
> >> you.
> >>
> >>
> >> On Thu, Jul 31, 2014 at 1:57 PM, Larry Silverman <
> >> [hidden email]>
> >> wrote:
> >>
> >> > You'll want
> >> https://www.mediawiki.org/wiki/Extension:LDAP_Authentication
> >> >
> >> > I don't believe you'll have much luck with access controls based on
> >> > categories, but I could be wrong. Category membership is controlled by
> >> > wikitext in the page content itself. I haven't seen any access control
> >> > mechanisms that can work with categories.
> >> >
> >> > Namespaces would be a better place to attempt access controls.
> >> >
> >> > I've done this in my own wiki. I'd be happy to share how we did it.
> >> >
> >> > Larry Silverman
> >> > Chief Technology Officer
> >> > TrackAbout, Inc.
> >> >
> >> >
> >> > On Thu, Jul 31, 2014 at 11:44 AM, Kevin Holleran <
> >> [hidden email]
> >> > >
> >> > wrote:
> >> >
> >> > > Good afternoon,
> >> > >
> >> > > I was wondering if this was possible before I invest a lot of time
> >> into
> >> > it.
> >> > >
> >> > > I am using an instance of MediaWiki as an internal knowledge base.
>  I
> >> > have
> >> > > a variety of categories for different functions.  I was wondering
> if I
> >> > > could do one of the following:
> >> > >
> >> > > 1.) Integrate with Active Directory.  If the user is in the
> >> Wiki-ReadOnly
> >> > > group, they can only read pages and NOT change them.  If they are in
> >> the
> >> > > Wiki-Write group, they can read & edit pages.
> >> > >
> >> > > OR (the gold state)
> >> > >
> >> > > 2.) Have different read and write groups for each category.  For
> >> > instance,
> >> > > I use the wiki to document how we go about malware analysis and
> would
> >> > like
> >> > > some people to be able to see this to use as a reference when
> working
> >> a
> >> > > case, but most people do not need to see this.
> >> > >
> >> > >
> >> > > Is this possible?
> >> > >
> >> > > Thanks!
> >> > >
> >> > > Kevin
> >> > > _______________________________________________
> >> > > MediaWiki-l mailing list
> >> > > To unsubscribe, go to:
> >> > > https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
> >> > >
> >> > _______________________________________________
> >> > MediaWiki-l mailing list
> >> > To unsubscribe, go to:
> >> > https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
> >> >
> >>
> >>
> >>
> >> --
> >> ----------------------------------------
> >> MSN Messenger: [hidden email]
> >> http://www.dantas.com
> >> http://dantas.editme.com/textos
> >> http://luisdantas.zip.net
> >>
> >> "It is no measure of health to be well adjusted to a profoundly sick
> >> society" - Atribuído a Krishnamurti, Bodhipaksa, 28 de Dezembro de 2007
> >>
> >> Nunca use uma solução Shojo para um problema Seinen.  E se possível, nem
> >> vice-versa.
> >> _______________________________________________
> >> MediaWiki-l mailing list
> >> To unsubscribe, go to:
> >> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
> >>
> >
> _______________________________________________
> MediaWiki-l mailing list
> To unsubscribe, go to:
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>



--
----------------------------------------
MSN Messenger: [hidden email]
http://www.dantas.com
http://dantas.editme.com/textos
http://luisdantas.zip.net

"It is no measure of health to be well adjusted to a profoundly sick
society" - Atribuído a Krishnamurti, Bodhipaksa, 28 de Dezembro de 2007

Nunca use uma solução Shojo para um problema Seinen.  E se possível, nem
vice-versa.
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l