• Fixed bug when sgallery was used as a tag
• Fixed bug with use of the parser to recursively parse tags
• Fixed bug with descriptions. Descriptions can now be displayed, and wikitext can be used in them.

Share:

Related posts:

1. New MediaWiki extension JSBreadCrumbs 0.1 released
2. LdapAuthentication 1.2b released – Security fix for register_globals users
3. LdapAuthentication 1.2c released

Another common usability failure is to allow users to present multiple client certificates when your site only trusts a certain type of certificate. The user has no idea which certificate they need to present, and they shouldn’t need to. The common solution to this problem is to provide documentation as to which certificate should be used. This is a poor solution.

In this article, I’ll describe how to configure Apache to require SSL client authentication in a polite, usable way.

Politely requiring SSL client authentication

I’m using “require” somewhat loosely here, as that’s the first thing we are going to change in our configuration. When you use the SSLVerifyClient directive with the require value, it really means require. So, how do we get around this?

We change the SSLVerifyClient directive to the optional value. The key is making optional still mean require. Our goal is to redirect users to help documentation when SSL client authentication fails. We can do this by using mod_rewrite and environment variables from mod_ssl. Here’s how to configure this in Apache:

SSLOptions +StdEnvVars
SSLVerifyClient optional
SSLVerifyDepth 3
RewriteEngine On
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
RewriteRule .* /help/ssl-client-auth-required.html [L]

In this configuration, any request that doesn’t have a valid client certificate will be redirected to a help file. Optional, yet required politely. Don’t forget to be polite internationally, if that is a requirement! You should configure Apache to serve the help document based on the user’s language. I’m going to avoid this portion of the topic for now. I’ll go into this in a future article.

Selectively accepting client certificates

If your users have multiple types of client certificates; for email, client authentication, and encryption from different intermediate CAs; for instance; and your application needs a specific type of certificate; then you shouldn’t force your users to guess which certificate is required. There are a few options here:

1. Provide documentation to educate users on which certificate to choose prior to them accessing the site
2. Use the above method to educate users when they fail to choose the correct certificate
3. Use both options 1 and 2
4. Only allow users to choose the correct certificate by limiting which certificates your site will accept

The obvious choice from a usability perspective is option 4. It is less confusing, requires less documentation to be written and read, and is fairly easy to configure.

The first step is to identify which certificate authorities (CA)s you wish to trust. The next step is to append all of the public CA certificates into a single file. The final step is to configure Apache to use this file to restrict certificates. To configure this in Apache, use the following directive:

SSLCADNRequestFile /etc/pki/tls/certs/client-trust-bundle.cer

Unfortunately, option 4 will only be a viable option if the different certificate types were created by different CAs (which, hopefully, you are doing for security reasons). If you are unable to use option 4, you should use option 3.

Share:

Another train ride, some more coding… This is a bugfix release. The following has changed since 0.4:

• Changed the display of site names to (site name) from site name: to make a visual difference between project namespace, and site name

Hopefully, this will make it clearer that the site name isn’t a namespace, but a different wiki.

To download the extension, do so via the extension distributor on the extension’s page at mediawiki.org.

Share:

Related posts:

1. JSBreadCrumbs 0.4 released
2. New MediaWiki extension JSBreadCrumbs 0.1 released
3. JSBreadCrumbs 0.3 released

I was on the train for a long time yesterday, and got a chance to fix some bugs. This is a feature and bugfix release. The following has changed since 0.3:

• Added different site name support (when breadcrumbs are enabled on wiki farms, and they share the same cookie path)
• Added support for preferences
  • Users can enable/disable bread crumbs
  • Users can enable/disable the prepending of site name onto titles
  • Users can set the number of bread crumbs to display
• Delete cookies on log out
• Removed some global preferences (replaced with default user options)
• Fixed localization issue with namespaces
• Only output Javascript/CSS when using the Vector skin

The usual methods should be used to download. See the extension’s page on mediawiki.org for download options.

Share:

Related posts:

1. JSBreadCrumbs 0.5 released
2. New MediaWiki extension JSBreadCrumbs 0.1 released
3. JSBreadCrumbs 0.3 released

• Display wgTitle instead of wgPage to avoid url encoded titles
• Fix issue where wgJSBreadCrumbsMaxCrumbs + 1 number of bread crumbs were shown instead wgJSBreadCrumbsMaxCrumbs
• Strip empty title and url when it exists
• Change the output of the leading description to look like “Leading description:” instead of “Leading description ” + wgJSBreadCrumbsSeparator, to make it more clear that it isn’t part of the history.
• Change the character used to split and join in cookies to ‘|’ since it is illegal in urls and page titles, and therefore is guaranteed to work, unlike using the user overridable separator
• Make addResources in JSBreadCrumbs.hooks.php public and static to get rid of php warning
• Allow the separator character to be localized
• Add preceding string to the breadcrumbs to describe their purpose on initial page load

For more information, see the extension page.

Share:

Related posts:

1. New MediaWiki extension JSBreadCrumbs 0.1 released
2. JSBreadCrumbs 0.4 released
3. JSBreadCrumbs 0.5 released

The breadcrumbs can follow users across wikis in a wiki farm, if those wikis share the same domain. This is the default behavior, but can be changed. The other configurable options are the number of breadcrumbs shown, and the separator between the breadcrumbs.

Since this extension is simply Javascript and CSS, it can be added to your wiki as a gadget, if you use the Gadgets extension.

To get more information, or to download the extension, please see the extension’s page on mediawiki.org.

Share:

• Fixed issue with single domains, and non-auto-authentication domains being non-operational due to security fix in 1.2b
• Fixed another issue with mail me a password not working properly

To download this version, please use the extension distributor (http://www.mediawiki.org/wiki/Special:ExtensionDistributor/LdapAuthentication), select “Development version (trunk)”, and click “Continue”.

Share:

Related posts:

1. LdapAuthentication 1.2b released – Security fix for register_globals users
2. JSBreadCrumbs 0.4 released
3. JSBreadCrumbs 0.5 released

The following has changed since 1.2a:

• Fixed issue with group synchronization and nested groups
• Added support for exclusion groups in addition to required groups
  • Configured via $wgLDAPExcludedGroups; syntax the same as $wgLDAPRequiredGroups
• Fixed check for returns with no entries
• Added memberOf support
• Added patch for getting user’s primary group when using memberOf
• Fixed group synchronization issue with memberOf support (patch by Teddy Reed)
• Fixed problem with usernames containing parenthesis
• Fixed warnings in PHP 5.2.10 when some entries weren’t returned
• Fixed issue with $wgLDAPGroupsPrevail
• Fixed issue with mail temporary password button when email me a password support was enabled
• Added support for non-standard ports
  • Configured via $wgLDAPPort – see options documentation
• Changed debug to output to a file
  • Configured via $wgDebugLogGroups["ldap"] – see options documentation
• Added support for modifying LDAP options when connecting
  • Configured via $wgLDAPOptions – see options documentation
• Added a security fix for register_globals users (seriously, turn register_globals off, if you have it on)

To download this version, please use the extension distributor, select “Development version (trunk)”, and click “Continue”.

Share:

Related posts:

1. LdapAuthentication 1.2c released
2. JSBreadCrumbs 0.4 released
3. Using the LDAP Authentication Plugin for MediaWiki – The Basics (Part 3)

Instead of using XDMCP, you can use X11 forwarding to run your graphical environments across SSH. Doing so also allows you to log in via smart cards, if your version of SSH has PKCS11 support.

I’ve written a script called remote-graphical-login to make this much easier. Note that this script has smartcard support built in, and may not work properly if the libraries do not exist on your system. In a future version I’ll make this configurable so that it can be used with identity files, or without an agent. Here’s the usage:

Usage: remote-graphical-login.sh [-s session] [-I cardlib] [-l username] [username@][hostname]
        -s      kde or gnome (default)
        -I      coolkey or activclient (default)
        -l      Username to login with
Example: remote-graphical-login.sh -s kde testuser@testhost

There may be a few bugs in the script. Let me know if you run into any.

Update (06/14/10): Fixed some issues in the script. Notably, the X launcher did exactly the opposite of what it was intended to do. If an X server was already running, it would re-use that server. The intended action was for the script to start a new X server on another display number. This is now fixed. Also, an informational message will now be shown to users when they do not specify a username or hostname, mentioning the ability to do so.

Share:

Related posts:

1. Using ActivClient or Coolkey with SSH for Smart Card Login using Cygwin