User:Nick Parrott

= PluggableAuth with Active-Directory LDAP =

With the evolution of Extension:PluggableAuth and LDAP Stack, getting integrated with Active-Directory LDAP can be daunting.

A full configuration example is provided here to demonstrate a minimal configuration that provides external-only login.

Objective

 * MediaWiki reads all LDAP configuration from a single file - ldap.json
 * MediaWiki will perform LDAP binds to MS Active-Directory Global-Catalogue Servers (a.k.a. domain-controllers).
 * Users can log in with AD Primary-Email or SAMAccountName.

Method

 * LDAP Stack will use a few LDAP attributes to auto-configure the MediaWiki user: SAMAccountName, DisplayName, Mail.
 * LDAP Stack will use the memberof LDAP values to determine if any Security-Groups / Distribution-Lists map to MediaWiki groups.

Recommended MediaWiki Version

 * Tested LTS versions are shown to the right.
 * Alternatively, choose an LTS version from Version lifecycle
 * Check that all of the LDAP extensions below are available for the chosen release.
 * An index of all released extensions is at https://extdist.wmflabs.org/dist/extensions/

Required Extensions

 * Extension:LDAPAuthorization
 * Extension:LDAPAuthentication2
 * Extension:LDAPGroups
 * Extension:LDAPProvider
 * Extension:LDAPUserInfo
 * Extension:PluggableAuth

Sample LDAP Context
Large MS-AD configurations vary, so some defaults are detailed here, and used in the example config.

Replace the default values with your own. Be careful, as DNs are case-sensitive.

= Example 1 : Login via Domain UPN =

This example works for a small single-domain forest, or a multi-domain forest (by using the parent domain).


 * A critical piece of configuration is the acme.com key in line 2 of the JSON.
 * Replace this with your forest root domain.

Stage 1 - MediaWiki and Extensions

 * 1) Install MediaWiki, then perform the initial install and upgrade routines.
 * 2) Install all required LDAP / PluggableAuth extensions listed above into the /extensions/ directory.
 * 3) Configuration of LocalSettings.php is described a little later, in Stage 3.

Stage 2 - Prepare ldap.json
Create an LDAP configuration file. For simplicity, we place this new file at /var/www/ldap.json, then protect it so that it is readable by the web server.
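
One way to verify the result of this step, as an added example that is not part of the original page. The web-server group www-data, the document root /var/www/html and the use of GNU stat are assumptions (Debian-style defaults); audit_ldap_json is a hypothetical helper name.

```bash
#!/usr/bin/env bash
# Added example: audit the permissions of the LDAP Stack config file.
# Assumed defaults (not from the page): group "www-data",
# document root "/var/www/html", GNU stat/readlink.
#
# Intended end state, run as root:
#   chown root:www-data /var/www/ldap.json
#   chmod 640 /var/www/ldap.json

audit_ldap_json() {
    # $3 should be a canonical path (no symlinks).
    local file="$1" web_group="${2:-www-data}" docroot="${3:-/var/www/html}"
    local mode group real rc=0

    [ -f "$file" ] || { echo "FAIL: $file is not a regular file"; return 2; }

    mode=$(stat -c '%a' "$file")    # octal mode, e.g. 640
    group=$(stat -c '%G' "$file")   # owning group name
    real=$(readlink -f "$file")     # resolve symlinks before the path check

    # ldap.json can hold the LDAP bind account's password: any bit for
    # "other" exposes it to every local account.
    if [ $(( 0$mode & 07 )) -ne 0 ]; then
        echo "FAIL: mode $mode grants access to other users"; rc=1
    fi
    # The web server only needs to read the file. Group write would let a
    # compromised PHP process point MediaWiki at a different LDAP server.
    if [ $(( 0$mode & 020 )) -ne 0 ]; then
        echo "FAIL: mode $mode is group-writable"; rc=1
    fi
    if [ "$group" != "$web_group" ]; then
        echo "FAIL: group is $group, expected $web_group"; rc=1
    fi
    # A file below the document root can be requested over HTTP.
    case "$real" in
        "$docroot"/*) echo "FAIL: $real is inside $docroot"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $file (mode $mode, group $group)"
    return "$rc"
}
```

Call it as `audit_ldap_json /var/www/ldap.json`; a return code of 0 means all four checks passed.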