Extension:LDAP Authentication/AD Configuration Examples

From MediaWiki.org


MediaWiki extensions manual
LDAP Authentication

Release status: stable
Implementation: User identity
Description: Provides LDAP authentication, and some authorization functionality for MediaWiki
Author(s): Ryan Lane (Ryan lane)
Latest version: 2.0d (2012-11-21)
MediaWiki: 1.19+
Database changes: Yes
License: GPL
Hooks used: LoadExtensionSchemaUpdates

Notes

SSL

Notice that SSL is enabled in all examples. Your LDAP server may or may not require SSL. If you do not require SSL (if you set AD to not require signed communications), you can set that option to "false". Be aware that doing so will cause your domain users' passwords to be sent across the network in clear text, which makes your system susceptible to man-in-the-middle attacks, replay attacks, and other nasty attacks.

For SSL to work, you must install an SSL certificate on your LDAP server, your wiki's server must trust the CA that issued the LDAP server's certificate, and the DNS name you configure for your LDAP server must match the CN field of the certificate issued to it.

Remember, if your web server does not use SSL (URL does not start with https://), your password will be transmitted in clear text from the client browser to the web server. This is independent of the SSL settings described below from the web server to the LDAP server.
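A check for the three LDAPS requirements above, written in Python with only the standard library (an added example, not part of the page or the extension). It assumes the CA certificate is available as a PEM file and that the LDAP server listens on 636:

```python
# Added example (not from the page or the extension): checks the three LDAPS
# requirements (server cert installed, CA trusted, name matches) in one handshake.
import socket
import ssl

def subject_cn(cert):
    """Extract the commonName from the dict ssl.SSLSocket.getpeercert() returns."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def verify_ldaps(host, cafile, port=636, timeout=5.0):
    """TLS handshake with host:port. 'cafile' is assumed to be the PEM file of the
    CA that issued the LDAP server's certificate (None = system trust store).
    Succeeds only if the chain validates against that CA and the certificate
    name matches 'host'; returns (ok, detail) with the CN or the error text."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True                 # configured name must match the cert
    ctx.verify_mode = ssl.CERT_REQUIRED       # chain must validate against the CA
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, subject_cn(tls.getpeercert())
    except (ssl.SSLError, OSError) as err:    # verification failure or no connection
        return False, str(err)
```

Run it as `verify_ldaps("exampleldapserver.example.com", "/path/to/ca.pem")`; a name mismatch or untrusted CA shows up as `(False, ...)` with the OpenSSL reason.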

General Configuration

Be sure to enable LDAP support within PHP. Make sure that you have installed the necessary packages for your distro.

  • RedHat EL based distro (CentOS 4.3):
    yum install php-ldap
  • Make sure that /etc/php.d/ldap.ini contains
    extension=ldap.so
  • Ubuntu 6.06.1 (Dapper Drake) and others:
    sudo apt-get install php-ldap

    or possibly:

    sudo apt-get install php5-ldap
  • Other distros:
    Modify php.ini, and uncomment the line:

    ;extension=php_ldap.so

    change to:

    extension=php_ldap.so
  • Windows:
    Modify php.ini, and uncomment the line:

    ;extension=php_ldap.dll

    change to:

    extension=php_ldap.dll

Single Domain Requiring Straight Binding Only

In this example, we have an Active Directory (AD) server, and we will be doing straight binds to the directory. This is not how typical LDAP authentication operates, because no search is attempted first; see "Single Domain Requiring Search Before Binding."

Configuration

Our AD servers are "exampleldapserver.example.com" and "exampleldapserver2.example.com", and the domain name is "EXAMPLEDOMAIN". "USER-NAME" is not to be changed, as this string is replaced by LdapAuthentication.php.

(In LocalSettings.php)

require_once ("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
 
$wgAuth = new LdapAuthenticationPlugin();
 
$wgLDAPDomainNames = array(
  'exampleADDomain'
);
 
$wgLDAPServerNames = array(
  'exampleADDomain' => 'exampleldapserver.example.com exampleldapserver2.example.com'
);
 
$wgLDAPSearchStrings = array(
  'exampleADDomain' => 'EXAMPLEDOMAIN\\USER-NAME'
);
 
$wgLDAPEncryptionType = array(
  'exampleADDomain' => 'ssl'
);
 
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;

Extra configuration for AD to allow for preference pulling, group sync, etc.

If you want to be able to pull preferences and such, you'll need to set a couple of other options. These options allow the plugin to bind as the user and then search for the user's DN. Without a DN, any extras provided by the extension will fail.

(In LocalSettings.php after your other LDAP configuration)

$wgLDAPBaseDNs = array(
  'exampleADDomain' => 'cn=Users,dc=example,dc=com'
);
 
$wgLDAPSearchAttributes = array(
  'exampleADDomain' => 'sAMAccountName'
);

Single Domain Requiring Search Before Binding

This is typically how LDAP authentication is performed. First, a search is performed for the identifier presented (username) and a DN is returned. This DN is then used with the password provided to attempt a bind against the LDAP server. This is useful in cases when the username does not match anything in the DN or users are stored in multiple OUs.

Configuration

In this situation, you could use the "Single Domain Requiring Straight Binding Only" configuration, as AD will search through multiple OUs for you anyway. Using the Straight Binding approach is generally recommended for AD.

Our AD servers are "exampleldapserver.example.com" and "exampleldapserver2.example.com", and the domain is "EXAMPLEDOMAIN".

Our naming attribute for users is "sAMAccountName", some users are kept in "ou=accounting,ou=Users,dc=exampledomain,dc=example,dc=com", and other users are kept in "ou=graphics,ou=Users,dc=exampledomain,dc=example,dc=com".

(In LocalSettings.php)

require_once ("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
 
$wgAuth = new LdapAuthenticationPlugin();
 
$wgLDAPDomainNames = array(
  'exampleADDomain'
);
 
$wgLDAPServerNames = array(
  'exampleADDomain' => 'exampleldapserver.example.com exampleldapserver2.example.com'
);
 
$wgLDAPSearchAttributes = array(
  'exampleADDomain' => 'sAMAccountName'
);
 
$wgLDAPBaseDNs = array(
  'exampleADDomain' => 'dc=exampledomain,dc=example,dc=com'
);
 
$wgLDAPEncryptionType = array(
  'exampleADDomain' => 'ssl'
);
 
$wgMinimalPasswordLength = 1;

Using a Proxy Agent

With this approach, if your server doesn't allow anonymous searching (AD doesn't, normally), you'll need to use a proxy agent. The proxy agent is a low privilege domain user service account which should have the rights to enumerate user objects and read their attributes but should not have create/modify/delete rights.

In this example, the proxy agent entry is at "cn=proxyagent,ou=Users,dc=exampledomain,dc=example,dc=com".

Add the following options to your configuration:

(In LocalSettings.php)

$wgLDAPProxyAgent = array(
  'exampleADDomain' => 'cn=proxyagent,ou=Users,dc=exampledomain,dc=example,dc=com'
);
 
$wgLDAPProxyAgentPassword = array(
  'exampleADDomain' => 'eX@mP1eP$$wRd'
);
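The straight-bind flow, the search-before-bind flow and the proxy agent's role, modelled in Python against a constructed in-memory directory so the difference can be exercised without a domain controller (an added example, not code from the page or the extension). The DIRECTORY entries, passwords and CONFIG dict are assumptions that mirror the page's $wgLDAP* arrays; a real server would evaluate the filter that build_search_filter() produces:

```python
# Added example, not the extension's code: models the bind flows this page
# configures against a constructed in-memory directory (entries are made up).
DIRECTORY = {  # DN -> (attributes, password)
    "cn=proxyagent,ou=Users,dc=exampledomain,dc=example,dc=com":
        ({"sAMAccountName": "proxyagent"}, "eX@mP1eP$$wRd"),
    "cn=Jane Doe,ou=accounting,ou=Users,dc=exampledomain,dc=example,dc=com":
        ({"sAMAccountName": "jdoe"}, "jane-pw"),
    "cn=Bob Roe,ou=graphics,ou=Users,dc=exampledomain,dc=example,dc=com":
        ({"sAMAccountName": "broe"}, "bob-pw"),
}

CONFIG = {  # per-domain settings, mirroring the page's LocalSettings.php arrays
    "exampleADDomain": {
        "search_string": "EXAMPLEDOMAIN\\USER-NAME",      # $wgLDAPSearchStrings
        "search_attribute": "sAMAccountName",             # $wgLDAPSearchAttributes
        "base_dn": "dc=exampledomain,dc=example,dc=com",  # $wgLDAPBaseDNs
        "proxy_agent": "cn=proxyagent,ou=Users,dc=exampledomain,dc=example,dc=com",
        "proxy_agent_password": "eX@mP1eP$$wRd",          # $wgLDAPProxyAgentPassword
    },
}

def bind(dn, password):
    """Simple bind against the constructed directory; True on success."""
    return dn in DIRECTORY and DIRECTORY[dn][1] == password

def straight_bind_identity(domain, username):
    """Straight binding: USER-NAME in the search string is replaced verbatim."""
    return CONFIG[domain]["search_string"].replace("USER-NAME", username)

def escape_filter_value(value):
    """RFC 4515 escaping, so the username is matched literally in the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def build_search_filter(domain, username):
    """Filter the search-before-bind step sends, e.g. (sAMAccountName=jdoe)."""
    return f"({CONFIG[domain]['search_attribute']}={escape_filter_value(username)})"

def search_then_bind(domain, username, password):
    """Proxy agent binds, finds the user's DN under the base DN, then the user
    binds with that DN. Returns the DN on success, None otherwise."""
    cfg = CONFIG[domain]
    if not bind(cfg["proxy_agent"], cfg["proxy_agent_password"]):
        return None  # AD refuses anonymous search, so no DN can be looked up
    # A real server evaluates build_search_filter(); here we match the attribute.
    matches = [dn for dn, (attrs, _) in DIRECTORY.items()
               if dn.endswith(cfg["base_dn"])
               and attrs.get(cfg["search_attribute"]) == username]
    if len(matches) != 1:
        return None  # unknown user, or an ambiguous result
    return matches[0] if bind(matches[0], password) else None
```

Note that with straight binding the plugin never learns the user's DN (only "EXAMPLEDOMAIN\jdoe"), which is why the extra base DN and search attribute settings are needed before preference pulling or group sync can work.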

Multiple Domains Requiring Simple Binding Only

Configuration

If you are using multiple domains, this is your most likely scenario. In this example, we have two different domains that are not part of a single-sign-on environment.

The AD domain is called "ADDOMAIN", and has servers named "exampleldapserver.example.com" and "exampleldapserver2.example.com". The non-AD domain is called "NonADDomain", has servers named "nonadserver.example.com", "nonadserver2.example.com", and "nonadserver3.example.com", and its users are stored in "ou=people,dc=example,dc=com". In this example, we do not require the ability to change passwords or create new LDAP users through MediaWiki, just authentication.

(In LocalSettings.php)

require_once "$IP/extensions/LdapAuthentication/LdapAuthentication.php";
 
$wgAuth = new LdapAuthenticationPlugin();
 
$wgLDAPDomainNames = array(
  'exampleADDomain', 'exampleNonADDomain'
);
 
$wgLDAPServerNames = array(
  'exampleADDomain' => 'exampleldapserver.example.com exampleldapserver2.example.com',
  'exampleNonADDomain' => 'nonadserver.example.com nonadserver2.example.com nonadserver3.example.com'
);
 
$wgLDAPSearchStrings = array(
  'exampleADDomain' => 'ADDOMAIN\\USER-NAME',
  'exampleNonADDomain' => 'uid=USER-NAME,ou=people,dc=example,dc=com'
);
 
$wgLDAPEncryptionType = array(
  'exampleADDomain' => 'ssl',
  'exampleNonADDomain' => 'ssl'
);
 
$wgMinimalPasswordLength = 1;