Extension:LDAP Authentication/Examples
| LDAP Authentication | Release status: stable |
|---|---|
| Implementation | User identity |
| Description | Provides LDAP authentication, and some authorization functionality for MediaWiki |
| Author(s) | Ryan Lane (Ryan lane) |
| Last version | 2.0d (2012-11-21) |
| MediaWiki | 1.19+ |
| Database changes | yes |
| License | GPL |
| Download | |
| Check usage and version matrix | |
Group configuration
Configuration for non-AD domains
You may need to modify the options depending on your environment. The below example is a configuration to find "testuser" in the following group:
```ldif
dn: cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com
cn: testgroup
objectclass: groupofuniquenames
uniqueMember: uid=testuser,ou=people,dc=LDAP,dc=example,dc=com
uniqueMember: uid=testuser2,ou=people,dc=LDAP,dc=example,dc=com
uniqueMember: uid=testuser3,ou=people,dc=LDAP,dc=example,dc=com
```
Example:
```php
$wgLDAPGroupUseFullDN = array( "testLDAPdomain"=>true );
$wgLDAPGroupObjectclass = array( "testLDAPdomain"=>"groupofuniquenames" );
$wgLDAPGroupAttribute = array( "testLDAPdomain"=>"uniquemember" );
$wgLDAPGroupSearchNestedGroups = array( "testLDAPdomain"=>false );
$wgLDAPGroupNameAttribute = array( "testLDAPdomain"=>"cn" );
$wgLDAPBaseDNs = array( "testLDAPdomain"=>"dc=LDAP,dc=example,dc=com" );
```
The below example is a configuration to find "testuser" in the following group:
```ldif
dn: cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com
cn: testgroup
objectclass: posixgroup
gidnumber: 10000
memberuid: testuser
memberuid: testuser2
memberuid: testuser3
```
Example:
```php
$wgLDAPGroupUseFullDN = array( "testLDAPdomain"=>false );
$wgLDAPGroupObjectclass = array( "testLDAPdomain"=>"posixgroup" );
$wgLDAPGroupAttribute = array( "testLDAPdomain"=>"memberuid" );
$wgLDAPGroupSearchNestedGroups = array( "testLDAPdomain"=>false );
$wgLDAPGroupNameAttribute = array( "testLDAPdomain"=>"cn" );
$wgLDAPBaseDNs = array( "testLDAPdomain"=>"dc=LDAP,dc=example,dc=com" );
```
Configuration for AD domains
Notice that if you have a multi-domain or multi-forest environment, you need to make sure your configuration is pointing at your global catalog!
Example:
```php
$wgLDAPGroupUseFullDN = array( "testADLDAPdomain"=>true );
$wgLDAPGroupObjectclass = array( "testADLDAPdomain"=>"group" );
$wgLDAPGroupAttribute = array( "testADLDAPdomain"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "testADLDAPdomain"=>true );
$wgLDAPGroupNameAttribute = array( "testADLDAPdomain"=>"cn" );
$wgLDAPBaseDNs = array( "testADLDAPdomain"=>"dc=ADLDAP,dc=example,dc=com" );
```
If you are using AD-style straight binds (DOMAIN\USER-NAME or USER-NAME@DOMAIN), you'll need one more option to make this work correctly:
```php
$wgLDAPSearchAttributes = array( "testADLDAPdomain"=>"sAMAccountName" );
```
This allows the extension to look up the user's full DN before searching groups. Without the full DN, the extension searches groups with (member=DOMAIN\username), which does not match the member values actually stored in your groups.
Group based restrictions
To restrict access to specific groups, use $wgLDAPRequiredGroups:
```php
# DNs in $wgLDAPRequiredGroups must be lowercase, as search result attribute values are...
$wgLDAPRequiredGroups = array( "<domain>"=>array("cn=testgroup,ou=groups,dc=ldap,dc=example,dc=com") );
```
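The following is an added example, not code from the extension itself: hypothetical helpers that build the group-membership filter described by the settings above (full DN versus bare username, and the AD straight-bind case without $wgLDAPSearchAttributes), escape the values per RFC 4515 so a username cannot alter the filter structure, and compare returned group DNs against $wgLDAPRequiredGroups case-insensitively, which is why the DNs there must be lowercase. The $wgLDAP* values are the ones used on this page.

```php
<?php
// Added example (not the extension's own code). Hypothetical helpers that build
// the group-membership filter the page's settings describe and check the result
// against $wgLDAPRequiredGroups; the $wgLDAP* values are the ones on this page.

// RFC 4515 escaping so a DN or username cannot change the filter structure.
function ldapEscapeFilter( string $value ): string {
    return str_replace( [ '\\', '*', '(', ')', "\0" ],
        [ '\\5c', '\\2a', '\\28', '\\29', '\\00' ], $value );
}

// $member is the user's full DN when $wgLDAPGroupUseFullDN is true for the
// domain, otherwise the bare username (e.g. the memberuid of a posixgroup).
function buildGroupFilter( array $cfg, string $domain, string $member ): string {
    return sprintf( '(&(objectclass=%s)(%s=%s))',
        ldapEscapeFilter( $cfg['objectclass'][$domain] ),
        $cfg['attribute'][$domain], ldapEscapeFilter( $member ) );
}

// Servers return group DNs in varying case, so compare lowercased; this is
// why the page says DNs in $wgLDAPRequiredGroups must be lowercase.
function isInRequiredGroup( array $required, string $domain, array $userGroupDns ): bool {
    foreach ( $userGroupDns as $dn ) {
        if ( in_array( strtolower( $dn ), $required[$domain], true ) ) {
            return true;
        }
    }
    return false;
}

$cfg = [
    'objectclass' => [ 'testLDAPdomain' => 'groupofuniquenames', 'testADLDAPdomain' => 'group' ],
    'attribute'   => [ 'testLDAPdomain' => 'uniquemember',       'testADLDAPdomain' => 'member' ],
];

// Non-AD domain, $wgLDAPGroupUseFullDN = true: the member clause carries the user's DN.
echo buildGroupFilter( $cfg, 'testLDAPdomain',
    'uid=testuser,ou=people,dc=LDAP,dc=example,dc=com' ), "\n";

// AD straight bind without $wgLDAPSearchAttributes: the extension never learned the
// real DN, so the member clause carries DOMAIN\testuser (escaped) and matches nothing.
echo buildGroupFilter( $cfg, 'testADLDAPdomain', 'DOMAIN\\testuser' ), "\n";

$wgLDAPRequiredGroups = [
    'testLDAPdomain' => [ 'cn=testgroup,ou=groups,dc=ldap,dc=example,dc=com' ],
];
// A group DN returned as CN=testgroup,OU=groups,DC=LDAP,... still matches.
var_dump( isInRequiredGroup( $wgLDAPRequiredGroups, 'testLDAPdomain',
    [ 'CN=testgroup,OU=groups,DC=LDAP,DC=example,DC=com' ] ) );
```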
Group synchronization
To use group synchronization you'll need to use $wgLDAPGroupNameAttribute:
```php
$wgLDAPUseLDAPGroups = array( "<domain>"=>true );
$wgLDAPGroupNameAttribute = array( "<domain>"=>"cn" );
```
You would of course need to change "<domain>" to whatever was appropriate.
Notice that $wgLDAPGroupNameAttribute is set to "cn" in every example because, in every example, the naming attribute of the groups is "cn". If for some reason you had a group that looked like:
```ldif
dn: group=testgroup,ou=groups,dc=adldap,dc=example,dc=com
member: samaccountname=testuser,ou=users,dc=adldap,dc=example,dc=com
```
you would set $wgLDAPGroupNameAttribute like this instead:
```php
$wgLDAPGroupNameAttribute = array( "testLDAPdomain"=>"group" );
```
If you only want to synchronize groups, and not do group based login restriction as well, just remove the $wgLDAPRequiredGroups option.
Pulling preferences
The following four attributes are used when pulling user preferences:
- mail (email address)
- displayName (nickname)
- cn (real name)
- preferredLanguage (language)
preferredLanguage must use the language code as it would be found in "languages/Names.php".
To enable preference pulling, add the following to LocalSettings.php:
```php
$wgLDAPRetrievePrefs = array( 'testADDomain' => true );
```
To use custom attributes:
```php
$wgLDAPPreferences = array( 'testADdomain' => array( "email" => "mail", "realname" => "cn", "nickname" => "sAMAccountName" ) );
```
See also
- General LDAP Authentication Information for Linux/Unix and Windows (using Samba)
- Part 1 of a guide for using this extension
- Part 2 of a guide for using this extension
- Part 3 of a guide for using this extension
- Semi-anonymous users in MediaWiki using the LDAP Authentication extension
- HOWTO: Enable LDAP/Active Directory Authentication with MediaWiki – Part 1
