I need to set up a wiki for our engineering group; we are part of an enterprise-wide Windows Active Directory domain. Most of the corporate IT applications use NTLM for authentication (automatically, via Internet Exploder); although I am not part of corporate IT, I recognize that single sign-on (SSO) is very important for user acceptance.
I would like to find a well-tested, free, open-source wiki that I can host on Linux (see footnote 1), while still allowing the corporate Windows laptops to authenticate automatically, without a password prompt.
I have seen some tricks for authenticating moin with NTLM (see footnote 2), but I don't know how well that actually works in practice; so any deployment experience with moin + NTLM would be valuable. I have also looked at Foswiki, but Foswiki does not appear to support automatic login.
Question:
In short, I am looking for the best free, open-source, Linux wiki implementation with native, automatic NTLM authentication support (see footnote 3); bonus points if I can use Markdown or reStructuredText.
Footnotes:
1. If I were willing to run it under Windows, I could use ScrewTurn Wiki; however, the thought of hosting a web service on Windows makes me feel dirty inside.
2. See this article on WikiMatrix
3. If such a thing actually exists
Answer 1
I ended up using moin, which I installed in /opt/moin... I host it with WSGI under apache2... I couldn't get moin to do automatic NTLM authentication unless I hosted it under Windows... I host it under Linux, but it still authenticates against the local LDAP server in our NT domain.
This is /opt/moin/config/wikiconfig.py... if you use it, understand that I sanitized the config, and that "foo" in the LDAP authentication code below is really my company's name... everyone has a different LDAP setup, so you may need to adjust some of the authentication parameters for your environment... YMMV...
# -*- coding: iso-8859-1 -*-
# IMPORTANT! This encoding (charset) setting MUST be correct! If you live in a
# western country and you don't know that you use utf-8, you probably want to
# use iso-8859-1 (or some other iso charset). If you use utf-8 (a Unicode
# encoding) you MUST use: coding: utf-8
# That setting must match the encoding your editor uses when you modify the
# settings below. If it does not, special non-ASCII chars will be wrong.
"""
MoinMoin - Configuration for a single wiki
If you run a single wiki only, you can omit the farmconfig.py config
file and just use wikiconfig.py - it will be used for every request
we get in that case.
Note that there are more config options than you'll find in
the version of this file that is installed by default; see
the module MoinMoin.config.multiconfig for a full list of names and their
default values.
Also, the URL http://moinmo.in/HelpOnConfiguration has
a list of config options.
** Please do not use this file for a wiki farm. Use the sample file
from the wikifarm directory instead! **
"""
import os
from MoinMoin.config import multiconfig, url_prefix_static
from MoinMoin.auth.ldap_login import LDAPAuth
from MoinMoin.auth import MoinAuth
class Config(multiconfig.DefaultConfig):
    # Critical setup ---------------------------------------------------
    # Directory containing THIS wikiconfig:
    wikiconfig_dir = os.path.abspath(os.path.dirname(__file__))
    # We assume that this config file is located in the instance directory, like:
    # instance_dir/
    #     wikiconfig.py
    #     data/
    #     underlay/
    # If that's not true, feel free to just set instance_dir to the real path
    # where data/ and underlay/ is located:
    #instance_dir = '/where/ever/your/instance/is'
    instance_dir = '/opt/moin'
    # Where your own wiki pages are (make regular backups of this directory):
    data_dir = os.path.join(instance_dir, 'data', '') # path with trailing /
    # Where system and help pages are (you may exclude this from backup):
    data_underlay_dir = os.path.join(instance_dir, 'underlay', '') # path with trailing /
    # The URL prefix we use to access the static stuff (img, css, js).
    # Note: moin runs a static file server at url_prefix_static path (relative
    # to the script url).
    # If you run your wiki script at the root of your site (/), just do NOT
    # use this setting and it will automatically work.
    # If you run your wiki script at /mywiki, you need to use this:
    #url_prefix_static = '/mywiki' + url_prefix_static
    # Wiki identity ----------------------------------------------------
    # Site name, used by default for wiki name-logo [Unicode]
    sitename = u'QA Wiki'
    # Wiki logo. You can use an image, text or both. [Unicode]
    # For no logo or text, use '' - the default is to show the sitename.
    # See also url_prefix setting below!
    logo_string = u'<img src="%s/common/moinmoin.png" alt="MoinMoin Logo">' % url_prefix_static
    # name of entry page / front page [Unicode], choose one of those:
    # a) if most wiki content is in a single language
    page_front_page = u"DefaultPage"
    # b) if wiki content is maintained in many languages
    #page_front_page = u"FrontPage"
    # The interwiki name used in interwiki links
    interwikiname = u'QAWiki'
    # Show the interwiki name (and link it to page_front_page) in the Theme,
    # nice for farm setups or when your logo does not show the wiki's name.
    #show_interwiki = 1
    # Security ----------------------------------------------------------
    # This is checked by some rather critical and potentially harmful actions,
    # like despam or PackageInstaller action:
    #superuser = [u"YourName", ]
    superuser = [u"Mike_Pennington", ]
    # IMPORTANT: grant yourself admin rights! replace YourName with
    # your user name. See HelpOnAccessControlLists for more help.
    # All acl_rights_xxx options must use unicode [Unicode]
    acl_rights_before = u"Mike_Pennington:read,write,delete,revert,admin"
    # ACL entries are separated by spaces; the rights within one entry are
    # separated by commas (no comma between entries):
    acl_rights_default = u"Mike_Pennington:read,write,delete,revert,admin Known:read,write All:read"
    # The default (ENABLED) password_checker will keep users from choosing too
    # short or too easy passwords. If you don't like this and your site has
    # rather low security requirements, feel free to DISABLE the checker by:
    #password_checker = None # None means "don't do any password strength checks"
    password_checker = None
    # Link spam protection for public wikis (Uncomment to enable)
    # Needs a reliable internet connection.
    #from MoinMoin.security.antispam import SecurityPolicy
    # Mail --------------------------------------------------------------
    # Configure to enable subscribing to pages (disabled by default)
    # or sending forgotten passwords.
    # SMTP server, e.g. "mail.provider.com" (None to disable mail)
    #mail_smarthost = ""
    # The return address, e.g u"Jürgen Wiki <[email protected]>" [Unicode]
    #mail_from = u""
    # "user pwd" if you need to use SMTP AUTH
    #mail_login = ""
    # User interface ----------------------------------------------------
    # Add your wikis important pages at the end. It is not recommended to
    # remove the default links. Leave room for user links - don't use
    # more than 6 short items.
    # You MUST use Unicode strings here, but you need not use localized
    # page names for system and help pages, those will be used automatically
    # according to the user selected language. [Unicode]
    navi_bar = [
        # If you want to show your page_front_page here:
        #u'%(page_front_page)s',
        u'DefaultPage',
        u'SiteIndex',
        u'RecentChanges',
        u'FindPage',
        u'HelpContents',
    ]
    # The default theme anonymous or new users get
    theme_default = 'modernized'
    # Language options --------------------------------------------------
    # See http://moinmo.in/ConfigMarket for configuration in
    # YOUR language that other people contributed.
    # The main wiki language, set the direction of the wiki pages
    language_default = 'en'
    # the following regexes should match the complete name when used in free text
    # the group 'all' shall match all, while the group 'key' shall match the key only
    # e.g. CategoryFoo -> group 'all' == CategoryFoo, group 'key' == Foo
    # moin's code will add ^ / $ at beginning / end when needed
    # You must use Unicode strings here [Unicode]
    page_category_regex = ur'(?P<all>Category(?P<key>(?!Template)\S+))'
    page_dict_regex = ur'(?P<all>(?P<key>\S+)Dict)'
    page_group_regex = ur'(?P<all>(?P<key>\S+)Group)'
    page_template_regex = ur'(?P<all>(?P<key>\S+)Template)'
    # Content options ---------------------------------------------------
    # Show users hostnames in RecentChanges
    show_hosts = 1
    # Enable graphical charts, requires gdchart.
    #chart_options = {'width': 600, 'height': 300}
    # LDAP authentication ---------------------------------------------------
    # NOTE: with a plain ldap:// URI and start_tls=0, the simple bind below
    # sends each user's domain password to the directory in cleartext; use
    # ldaps:// or start_tls=2 (with a CA file) unless the LDAP server is
    # reached only over a trusted network.
    ldap_authenticator1 = LDAPAuth(
        server_uri='ldap://10.16.16.237/',
        bind_dn=r'Americas\%(username)s',
        base_dn='dc=amer,dc=foo,dc=com',
        bind_pw='%(password)s',
        scope=2,
        referrals=0, # LDAP REFERRALS (0 needed for AD)
        search_filter='(sAMAccountName=%(username)s)',
        givenname_attribute='givenName',
        surname_attribute='sn',
        aliasname_attribute='displayname',
        email_attribute='mail',
        email_callback=None, # callback function called to make up email address
        coding='utf-8', # coding used for ldap queries and result values
        timeout=10, # how long we wait for the ldap server [s]
        start_tls=0, # usage of Transport Layer Security 0 = No, 1 = Try, 2 = Required
        tls_cacertdir=None,
        tls_cacertfile=None,
        tls_certfile=None,
        tls_keyfile=None,
        tls_require_cert=0, # 0 == ldap.OPT_X_TLS_NEVER (needed for self-signed certs)
        bind_once=True, # set to True to only do one bind - useful if configured to bind as the user on the first attempt
        autocreate=True, # set to True to automatically create/update user profiles
        #name='ldap', # use e.g. 'ldap_pdc' and 'ldap_bdc' (or 'ldap1' and 'ldap2') if you auth against 2 ldap servers
        report_invalid_credentials=True, # whether to emit "invalid username or password" msg at login time or not
    )
    auth = [ldap_authenticator1, ] # this is a list, you may have multiple ldap authenticators
                                   # as well as other authenticators
    # (anonymous, logged-in) session lifetime in hours: no anonymous user
    # sessions, 4h session lifetime for logged-in users
    cookie_lifetime = (0, 4)
    # customize user preferences (optional, see MoinMoin/config/multiconfig for internal defaults)
    # you maybe want to use user_checkbox_remove, user_checkbox_defaults, user_form_defaults,
    # user_form_disable, user_form_remove.
    # Defaults for user preferences, see HelpOnConfiguration/UserPreferences.
    # This has to be assigned to user_checkbox_defaults (the option name listed
    # above); a bare tuple copied from multiconfig's option listing into the
    # class body is not a setting and has no effect.
    user_checkbox_defaults = {
        'mailto_author': 0,
        'edit_on_doubleclick': 1,
        'remember_last_visit': 0,
        'show_comments': 0,
        'show_nonexist_qm': False,
        'show_page_trail': 1,
        'show_toolbar': 1,
        'show_topbottom': 0,
        'show_fancy_diff': 1,
        'wikiname_add_spaces': 0,
        'remember_me': 1,
    }
I am using WSGI with moin, so I need /opt/moin/moin.wsgi
# -*- coding: iso-8859-1 -*-
"""
MoinMoin - mod_wsgi driver script
To use this, add those statements to your Apache's VirtualHost definition:
# you will invoke your moin wiki at the root url, like http://servername/FrontPage:
WSGIScriptAlias / /some/path/moin.wsgi
# create some wsgi daemons - use someuser.somegroup same as your data_dir:
WSGIDaemonProcess daemonname user=someuser group=somegroup processes=5 threads=10 maximum-requests=1000 umask=0007
# use the daemons we defined above to process requests!
WSGIProcessGroup daemonname
@copyright: 2008 by MoinMoin:ThomasWaldmann
@license: GNU GPL, see COPYING for details.
"""
import sys, os
# a) Configuration of Python's code search path
# If you already have set up the PYTHONPATH environment variable for the
# stuff you see below, you don't need to do a1) and a2).
# a1) Path of the directory where the MoinMoin code package is located.
# Needed if you installed with --prefix=PREFIX or you didn't use setup.py.
#sys.path.insert(0, 'PREFIX/lib/python2.3/site-packages')
# a2) Path of the directory where wikiconfig.py / farmconfig.py is located.
# See wiki/config/... for some sample config files.
#sys.path.insert(0, '/path/to/wikiconfigdir')
sys.path.insert(0, '/opt/moin')
sys.path.insert(0, '/opt/moin/code')
sys.path.insert(0, '/opt/moin/config')
# b) Configuration of moin's logging
# If you have set up MOINLOGGINGCONF environment variable, you don't need this!
# You also don't need this if you are happy with the builtin defaults.
# See wiki/config/logging/... for some sample config files.
#from MoinMoin import log
#log.load_config('/path/to/logging_configuration_file')
from code.MoinMoin.web.serving import make_application
# Creating the WSGI application
# use shared=True to have moin serve the builtin static docs
# use shared=False to not have moin serve static docs
# use shared='/my/path/to/htdocs' to serve static docs from that path
application = make_application(shared=True)
FWIW, this is my apache config file... /etc/apache2/conf.d/moin.conf
# Create some wsgi daemons - use these parameters for a simple setup
WSGIDaemonProcess moin user=www-data group=www-data processes=5 threads=10 maximum-requests=1000 umask=0007
#
WSGIProcessGroup moin
This is /etc/apache2/sites-available/netwiki
...
<VirtualHost *:80>
ServerName netwiki.us.foo.com
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://netwiki.us.foo.com/$1 [L,R]
DocumentRoot /opt/moin/code/
WSGIScriptAlias / /opt/moin/moin.wsgi
</VirtualHost>
<VirtualHost *:443>
ServerName netwiki.us.foo.com
DocumentRoot /opt/moin/code/
WSGIScriptAlias / /opt/moin/moin.wsgi
# Generate with...
# openssl req -new -x509 -days 365 -nodes -out netwiki.pem -keyout netwiki.key
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/netwiki.pem
SSLCertificateKeyFile /etc/apache2/ssl/netwiki.key
</VirtualHost>
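The wikiconfig above substitutes the submitted user name into two LDAP templates: bind_dn (Americas\%(username)s) and search_filter ((sAMAccountName=%(username)s)). The following is an added example, not MoinMoin's code, and it says nothing about how LDAPAuth performs that substitution internally; it shows what a safe version of the substitution looks like when reviewing such a config: RFC 4515 escaping of the value that goes into the filter, plus a sanity check against the characters Active Directory does not allow in a sAMAccountName, so that only names that could be real logon names reach the directory. The two templates are copied from the config; the forbidden-character set and the 20-character limit are assumptions taken from the documented AD logon-name rules, and all function names are this example's own.

```python
# Added example (not MoinMoin's code): escape and validate a submitted user
# name before it is substituted into the LDAP templates used in the wikiconfig.
# Templates copied from the config; the function names are this example's own.
SEARCH_FILTER = '(sAMAccountName=%(username)s)'
BIND_DN = r'Americas\%(username)s'

# RFC 4515 section 3: these characters must be encoded as backslash + two hex
# digits when they appear inside a filter assertion value.
_FILTER_ESCAPES = {
    '\\': r'\5c',
    '*': r'\2a',
    '(': r'\28',
    ')': r'\29',
    '\x00': r'\00',
}

# Characters Active Directory rejects in a sAMAccountName and the 20-character
# limit (assumption for this example, taken from the documented logon-name rules).
_SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')
_SAM_MAX_LEN = 20


def escape_filter_value(value):
    """Escape a string for use as an assertion value inside an LDAP filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def valid_sam_account_name(username):
    """True if username could be a legal AD logon name (length and charset)."""
    if not 0 < len(username) <= _SAM_MAX_LEN:
        return False
    return all(ord(ch) >= 32 and ch not in _SAM_FORBIDDEN for ch in username)


def build_search_filter(username, template=SEARCH_FILTER):
    """Return the filter that would be sent for username, with the value
    escaped; raise ValueError for names that cannot be a sAMAccountName."""
    if not valid_sam_account_name(username):
        raise ValueError('not a valid logon name: %r' % username)
    return template % {'username': escape_filter_value(username)}


def build_bind_dn(username, template=BIND_DN):
    """Return the DOMAIN\\user bind name for username after the same check.
    The bind name is not a filter, so RFC 4515 escaping does not apply to it."""
    if not valid_sam_account_name(username):
        raise ValueError('not a valid logon name: %r' % username)
    return template % {'username': username}


if __name__ == '__main__':
    # Constructed sample names: a plain one, one with parentheses (legal in a
    # sAMAccountName, so it must be escaped), and one with a forbidden '*'.
    for name in ('jdoe', 'j(doe)', 'j*doe'):
        try:
            print(name, '->', build_search_filter(name), build_bind_dn(name))
        except ValueError as exc:
            print(name, '-> rejected:', exc)
```

Parentheses are allowed in a logon name but are filter metacharacters, so they pass the name check and are escaped; an asterisk is rejected outright because it is neither a legal logon-name character nor something a filter should ever receive from a login form.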
Answer 2
I am in the same situation, and I run MediaWiki. NTLM authentication is handled in Apache by the PyAuthenNTLM2 module on mod-python; MediaWiki logs the user in (and automatically creates a wiki account for them on the first visit) via the Auth_remoteuser extension.
My experience has been very good: SSO just works, users don't notice at all that the wiki is not part of the Windows domain, and the IT people are happy that passwords stay protected.
Disclaimer: I am the author of PyAuthenNTLM2; I wrote this plugin because the Apache plugin I used before (Apache2::AuthenNTLM2) was unmaintained and did not work with the default (and sensible) Windows 7 security policy (NTLMv2).
Answer 3
We use MindTouch Core (the open-source edition). It runs under Mono on a Linux VM and authenticates against AD. It has been in company-wide use since 2009.
Answer 4
You may want to check http://www.jasig.org/cas
It provides enterprise single sign-on services.