Extension:LDAP Authentication/Configuration
From MediaWiki.org
| Release status | stable |
|---|---|
| Implementation | User identity |
| Description | Provides LDAP authentication, and some authorization functionality for MediaWiki |
| Author(s) | Ryan Lane |
| Last version | 1.2a (2009-05-06) |
| MediaWiki | 1.6+ |
| License | GPL |
| Download | Download snapshot |
Group based restrictions
Configuration for non-AD domains
You may need to modify these options for your environment. The example below finds "testuser" in the following group, a groupOfUniqueNames entry that lists its members by full DN:
dn: cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com
cn: testgroup
objectclass: groupofuniquenames
uniqueMember: uid=testuser,ou=people,dc=LDAP,dc=example,dc=com
uniqueMember: uid=testuser2,ou=people,dc=LDAP,dc=example,dc=com
uniqueMember: uid=testuser3,ou=people,dc=LDAP,dc=example,dc=com
Example (the members are full DNs, so $wgLDAPGroupUseFullDN is true):
$wgLDAPRequiredGroups = array( "testLDAPdomain"=>array("cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com") );
$wgLDAPGroupUseFullDN = array( "testLDAPdomain"=>true );
$wgLDAPGroupObjectclass = array( "testLDAPdomain"=>"groupofuniquenames" );
$wgLDAPGroupAttribute = array( "testLDAPdomain"=>"uniquemember" );
$wgLDAPGroupSearchNestedGroups = array( "testLDAPdomain"=>false );
$wgLDAPGroupNameAttribute = array( "testLDAPdomain"=>"cn" );
$wgLDAPBaseDNs = array( "testLDAPdomain"=>"dc=LDAP,dc=example,dc=com" );
The next example finds "testuser" in the following group, a posixGroup entry that lists its members by short user name (memberUid), not by DN:
dn: cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com
cn: testgroup
objectclass: posixgroup
gidnumber: 10000
memberuid: testuser
memberuid: testuser2
memberuid: testuser3
Example (the members are bare uids, so $wgLDAPGroupUseFullDN is false; note the group DN must match the entry exactly, "ou=groups" not "ou=group"):
$wgLDAPRequiredGroups = array( "testLDAPdomain"=>array("cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com") );
$wgLDAPGroupUseFullDN = array( "testLDAPdomain"=>false );
$wgLDAPGroupObjectclass = array( "testLDAPdomain"=>"posixgroup" );
$wgLDAPGroupAttribute = array( "testLDAPdomain"=>"memberuid" );
$wgLDAPGroupSearchNestedGroups = array( "testLDAPdomain"=>false );
$wgLDAPGroupNameAttribute = array( "testLDAPdomain"=>"cn" );
$wgLDAPBaseDNs = array( "testLDAPdomain"=>"dc=LDAP,dc=example,dc=com" );
Configuration for AD domains
In a multi-domain or multi-forest environment, make sure the configuration points at a global catalog (LDAP port 3268, or 3269 over SSL) rather than at a single domain controller, so that users and groups from every domain in the forest can be found.
Example:
# DNs in $wgLDAPRequiredGroups must be lowercase: the attribute values returned by the group search are compared in lowercase.
$wgLDAPRequiredGroups = array( "testADLDAPdomain"=>array("cn=testgroup,ou=groups,dc=adldap,dc=example,dc=com") );
$wgLDAPGroupUseFullDN = array( "testADLDAPdomain"=>true );
$wgLDAPGroupObjectclass = array( "testADLDAPdomain"=>"group" );
$wgLDAPGroupAttribute = array( "testADLDAPdomain"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "testADLDAPdomain"=>true );
$wgLDAPGroupNameAttribute = array( "testADLDAPdomain"=>"cn" );
$wgLDAPBaseDNs = array( "testADLDAPdomain"=>"dc=ADLDAP,dc=example,dc=com" );
If you are using AD-style straight binds (DOMAIN\USER-NAME or USER-NAME@DOMAIN), you need one more option to make this work correctly:
$wgLDAPSearchAttributes = array( "testADLDAPdomain"=>"sAMAccountName" );
This lets the extension look up the user's full DN before searching groups. Without the DN, the extension searches groups with (member=DOMAIN\username), which is not what AD stores in the member attribute, so the required-group check fails for every user.
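The two group styles above and the AD pitfall in one place, as an added example that is not code from the extension: a Python model of the filter the extension issues under $wgLDAPBaseDNs, with the user-supplied value escaped per RFC 4515 and evaluated against in-memory copies of the group entries shown on this page. The user DNs, the AD group's member value and the case handling (search results compared in lowercase, as the AD note describes) are assumptions of the model, and $wgLDAPGroupSearchNestedGroups is not modelled. Because the model lowercases results, the required-group DNs are written in lowercase; the non-AD examples above write dc=LDAP, so if a group check fails unexpectedly, try lowercasing the DN. The same escaping applies anywhere a login name is interpolated into a filter.

```python
"""Model of the group check behind $wgLDAPRequiredGroups (added example).

Not code from the LDAP Authentication extension. It builds the search
filter the extension sends under $wgLDAPBaseDNs, escapes the user-supplied
value per RFC 4515, and evaluates it against a constructed in-memory copy
of the group entries shown on this page. User DNs and the AD group member
are assumptions made for the demo.
"""
import re


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value inside an LDAP filter. Without it a
    login name such as 'x)(memberuid=testuser' rewrites the filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def group_filter(objectclass: str, attribute: str, value: str) -> str:
    """Filter shape of the group lookup: objectclass from
    $wgLDAPGroupObjectclass, attribute from $wgLDAPGroupAttribute."""
    return f"(&(objectclass={objectclass})({attribute}={escape_filter_value(value)}))"


# Toy matcher for exactly that filter shape; a directory server does this for real.
_SHAPE = re.compile(
    r"^\(&\(objectclass=([^()]+)\)\(([A-Za-z]+)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)\)$")


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search_groups(directory, filt):
    """Return DNs of entries matching filt. Values are compared
    case-insensitively (DN syntax) and the DNs come back lowercased, which
    is why $wgLDAPRequiredGroups DNs must be written in lowercase."""
    m = _SHAPE.match(filt)
    if not m:
        raise ValueError("unsupported filter: " + filt)
    oc, attr = m.group(1).lower(), m.group(2).lower()
    wanted = _unescape(m.group(3)).lower()
    hits = []
    for entry in directory:
        if (oc in [v.lower() for v in entry["objectclass"]]
                and wanted in [v.lower() for v in entry.get(attr, [])]):
            hits.append(entry["dn"].lower())
    return hits


def check_user(cfg, directory, user_dn=None, username=None, bind_name=None):
    """What the extension compares for one domain. With GroupUseFullDN the
    value is the user's DN; for an AD straight bind with no
    $wgLDAPSearchAttributes the DN is never resolved and the bind name
    (DOMAIN\\user) is used instead, so nothing matches."""
    if cfg["GroupUseFullDN"]:
        value = user_dn if user_dn is not None else bind_name
    else:
        value = username
    filt = group_filter(cfg["GroupObjectclass"], cfg["GroupAttribute"], value)
    found = search_groups(directory, filt)
    return any(g in found for g in cfg["RequiredGroups"]), found


# Constructed entries, copied from the LDIF on this page.
UNIQUE_DIR = [{"dn": "cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com",
               "objectclass": ["groupofuniquenames"],
               "uniquemember": ["uid=testuser,ou=people,dc=LDAP,dc=example,dc=com",
                                "uid=testuser2,ou=people,dc=LDAP,dc=example,dc=com",
                                "uid=testuser3,ou=people,dc=LDAP,dc=example,dc=com"]}]
POSIX_DIR = [{"dn": "cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com",
              "objectclass": ["posixgroup"], "gidnumber": ["10000"],
              "memberuid": ["testuser", "testuser2", "testuser3"]}]
# AD group; the member DN is an assumption (the page shows no AD user entry).
AD_DIR = [{"dn": "cn=testgroup,ou=groups,dc=adldap,dc=example,dc=com",
           "objectclass": ["group"],
           "member": ["CN=testuser,OU=Users,DC=adldap,DC=example,DC=com"]}]

UNIQUE_CFG = {"RequiredGroups": ["cn=testgroup,ou=groups,dc=ldap,dc=example,dc=com"],
              "GroupUseFullDN": True, "GroupObjectclass": "groupofuniquenames",
              "GroupAttribute": "uniquemember"}
POSIX_CFG = {"RequiredGroups": ["cn=testgroup,ou=groups,dc=ldap,dc=example,dc=com"],
             "GroupUseFullDN": False, "GroupObjectclass": "posixgroup",
             "GroupAttribute": "memberuid"}
AD_CFG = {"RequiredGroups": ["cn=testgroup,ou=groups,dc=adldap,dc=example,dc=com"],
          "GroupUseFullDN": True, "GroupObjectclass": "group",
          "GroupAttribute": "member"}

if __name__ == "__main__":
    print(check_user(UNIQUE_CFG, UNIQUE_DIR,
                     user_dn="uid=testuser,ou=people,dc=LDAP,dc=example,dc=com"))
    print(check_user(POSIX_CFG, POSIX_DIR, username="testuser"))
    # AD straight bind with no $wgLDAPSearchAttributes: DN unknown, bind name used.
    print(check_user(AD_CFG, AD_DIR, bind_name="ADLDAP\\testuser"))
    print(check_user(AD_CFG, AD_DIR,
                     user_dn="CN=testuser,OU=Users,DC=adldap,DC=example,DC=com"))
```

Running the module prints the four checks; the third one, an AD bind name used where a DN is expected, is the failure that $wgLDAPSearchAttributes fixes. The injection case is worth trying by hand: pass a username containing ")(" and compare the escaped and unescaped filters.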
Group based restrictions (Old method - DEPRECATED)
Configuration for non-AD Directory Servers
To use the group based restrictions with a non-AD directory, add:
$wgLDAPGroupDN = "cn=test,ou=groups,dc=mycompany,dc=com";
where "cn=test,ou=groups,dc=mycompany,dc=com" is the dn of the group you wish to restrict access to.
Note: The extension searches for users in the "member" attribute in groups. If you are not using the "member" attribute for your group members, then you will have to change what attribute is being searched for in the extension.
Configuration for AD
Although the extension supports group and role based restrictions (in version 1.0c), they were written for non-AD style groups. Supporting AD and non-AD groups in the same code is hard, because AD uses groups in a smart way that is awkward for other purposes. AD does use the "member" attribute that the script searches, but it stores each member as the DN of that member's own entry in the directory, for example:
cn=Lane\, Ryan,ou=Test_Group,ou=Domain_users,dc=example,dc=com
The problem is finding this member entry from the user's uid (or sAMAccountName). This is possible with a small change to the extension. If you already pull preferences, it is easy; if you do not, you will have to pull one attribute: the user's "distinguishedName", which you then search for as a member in the function that checks group membership. The changes below show how to do this when you are not already pulling preferences (they also work if you are, just less efficiently):
At the class definition, change:
class LdapAuthenticationPlugin extends AuthPlugin {
    var $email, $lang, $realname, $nickname, $SearchType;
to
class LdapAuthenticationPlugin extends AuthPlugin {
    var $distinguishedName, $email, $lang, $realname, $nickname, $SearchType;
In function "authenticate" change:
if ($wgLDAPGroupDN) {
    return $this->isMemberOfLdapGroup($ldapconn, $userdn, $wgLDAPGroupDN);
}
to:
if ($wgLDAPGroupDN) {
    // Read the user's own entry (base scope) and keep its distinguishedName,
    // which is the value AD stores in the group's member attribute.
    // Check that $info is not false and has a distinguishedname before using it.
    $entry = @ldap_read($ldapconn, $userdn, "objectclass=*");
    $info = @ldap_get_entries($ldapconn, $entry);
    $this->distinguishedName = $info[0]["distinguishedname"][0];
    return $this->isMemberOfLdapGroup($ldapconn, $userdn, $wgLDAPGroupDN);
}
In function "isMemberOfLdapGroup" change
//we need to do a subbase search for the entry
$filter = "(member=".$userDN.")";
to:
//we need to do a subbase search for the entry
$filter = "(member=".$this->distinguishedName.")";
In LocalSettings.php add:
$wgLDAPGroupDN = "cn=test,ou=groups,dc=mycompany,dc=com";
where "cn=test,ou=groups,dc=mycompany,dc=com" is the dn of the group you wish to restrict access to.
Let me know if this is working for you or not.
- 2006-04-26 : it was not working for me because I used this configuration in LocalSettings.php:
$wgLDAPSearchStrings = array( "domain"=>"USER-NAME@domain" );
So the modification to the "authenticate" function in the file LDAPAuthentication.php was not working for me (wgLDAPSearchStrings does not return the user DN but the userPrincipalName). I changed the modification to:
global $wgLDAPBaseDNs;
// $userdn holds the userPrincipalName here, so look the entry up by UPN.
// The interpolated value should be filter-escaped before use.
$entry = @ldap_search($ldapconn, $wgLDAPBaseDNs[$_SESSION['wsDomain']], "(&(objectclass=*)(userPrincipalName=$userdn))");
$info = @ldap_get_entries($ldapconn, $entry);
$this->distinguishedName = $info[0]["distinguishedname"][0];
return $this->isMemberOfLdapGroup($ldapconn, $userdn, $wgLDAPGroupDN);
and it is now working for me.
See also: German explanation
Group synchronization
To use group synchronization, set up the extension just like the new style group based restrictions, and add the following two options to any of the examples from Extension:LDAP_Authentication#Group_based_restrictions_.28NEW.29:
$wgLDAPUseLDAPGroups = array( "testLDAPdomain"=>true );
$wgLDAPGroupNameAttribute = array( "testLDAPdomain"=>"cn" );
You would of course need to change "testLDAPdomain" to whatever was appropriate.
$wgLDAPGroupNameAttribute is set to "cn" in every example because "cn" is the naming attribute of the groups in every example. If you instead had a group that looked like:
dn: group=testgroup,ou=groups,dc=adldap,dc=example,dc=com
member: samaccountname=testuser,ou=users,dc=adldap,dc=example,dc=com
you would set $wgLDAPGroupNameAttribute like this:
$wgLDAPGroupNameAttribute = array( "testLDAPdomain"=>"group" );
If you only want to synchronize groups, and not do group based login restriction as well, just remove the $wgLDAPRequiredGroups option.
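What $wgLDAPGroupNameAttribute actually selects, as an added example (not the extension's code): the value of the group's naming RDN, parsed with RFC 4514 escaping so a value containing a comma (cn=Lane\, Ryan) is not split. The sync_plan helper, and its notion of a set of "LDAP-managed" wiki groups that may be revoked while locally assigned groups are left alone, are assumptions about how a sync would be applied; the page does not describe that part.

```python
"""Group synchronization: mapping LDAP group DNs to wiki group names.

Added example, not code from the LDAP Authentication extension. The
naming attribute is $wgLDAPGroupNameAttribute; sync_plan and the
"ldap_managed" set are assumptions about how the sync is applied.
"""
import re

_HEX = re.compile(r"[0-9a-fA-F]{2}")


def first_rdn(dn: str):
    """Return (attribute, value) of the leading RDN, decoding '\\,' and
    '\\2c'-style escapes (RFC 4514); the attribute name is lowercased."""
    out, i = [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            if _HEX.fullmatch(dn[i + 1:i + 3]):
                out.append(chr(int(dn[i + 1:i + 3], 16)))   # \2c -> ","
                i += 3
            else:
                out.append(dn[i + 1])                          # \, -> ","
                i += 2
            continue
        if c == ",":                                           # unescaped separator
            break
        out.append(c)
        i += 1
    attr, _, value = "".join(out).partition("=")
    return attr.strip().lower(), value.strip()


def wiki_group_names(group_dns, name_attribute: str):
    """Names derived from the user's group DNs. A group whose naming
    attribute differs from $wgLDAPGroupNameAttribute (group=testgroup
    with the option still set to cn) yields no wiki group."""
    names = []
    for dn in group_dns:
        attr, value = first_rdn(dn)
        if attr == name_attribute.lower() and value:
            names.append(value)
    return names


def sync_plan(current_groups, ldap_group_dns, name_attribute, ldap_managed):
    """Assumed application of the sync: grant every LDAP-derived group and
    revoke only LDAP-managed groups the user no longer holds, leaving
    locally assigned groups such as sysop untouched."""
    wanted = set(wiki_group_names(ldap_group_dns, name_attribute))
    current = set(current_groups)
    add = sorted(wanted - current)
    remove = sorted((current & set(ldap_managed)) - wanted)
    return add, remove


if __name__ == "__main__":
    # Constructed inputs: the page's group DN plus a user DN with an escaped comma.
    print(first_rdn("cn=Lane\\, Ryan,ou=Test_Group,ou=Domain_users,dc=example,dc=com"))
    print(wiki_group_names(["cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com"], "cn"))
    print(sync_plan(["sysop", "oldgroup"],
                    ["cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com"],
                    "cn", ["testgroup", "oldgroup"]))
```

The parser is the part that matters in practice: splitting a DN on "," without honouring escapes turns "cn=Lane\, Ryan" into a group called "Lane\", and a naming-attribute mismatch silently produces no groups rather than an error, which is the first thing to check when synchronization appears to do nothing.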
Pulling preferences
The following four attributes are used when pulling user preferences:
- mail (email address)
- displayName (nickname)
- cn (real name)
- preferredLanguage (language)
preferredLanguage must use the language code as it would be found in "languages/Names.php".
To enable preference pulling, add the following to LocalSettings.php. The array key is the domain name you configured in $wgLDAPDomainNames; it is "testADdomain" in both lines below and must be spelled the same way in each option:
$wgLDAPRetrievePrefs = array( 'testADdomain' => true );
To use custom attributes instead of the defaults listed above, map each preference to the LDAP attribute that should supply it:
$wgLDAPPreferences = array( 'testADdomain'=>array( "email"=>"mail", "realname"=>"cn", "nickname"=>"sAMAccountName" ) );