Extension:LDAP Authentication/AD Configuration Examples

Single Domain Requiring Straight Binding Only
In this example, we have an Active Directory (AD) server, and we will be doing straight binds to the directory. This is not how typical LDAP authentication operates as it does not attempt a search first, see "Single Domain Requiring Search Before Binding."

Configuration
Our AD servers are "exampleldapserver.example.com" and "exampleldapserver2.example.com", and the domainname is "EXAMPLEDOMAIN". "USER-NAME" is not to be changed as this string is replaced in LdapAuthentication.php.

(In LocalSettings.php)

Extra configuration for AD to allow for preference pulling, group sync, etc.
If you want to be able to pull preferences, and such, you'll need to set a couple other options. These other options will allow the plugin to bind as the user, and then search for the user's DN. Without a DN, any extras provided by the extension will fail.

(In LocalSettings.php after your other LDAP configuration)

Single Domain Requiring Search Before Binding
This is typically how LDAP authentication is performed. First, a search is performed for the identifier presented (username) and a DN is returned. This DN is then used with the password provided to attempt a bind against the LDAP server. This is useful in cases when the username does not match anything in the DN or users are stored in multiple OUs.

Configuration
In this situation, you could use the "Single Domain Requiring Straight Binding Only" as AD will search through multiple OUs for you anyway. Using the Straight Binding approach is generally recommended for AD.

Our AD servers are "exampleldapserver.example.com" and "exampleldapserver2.example.com", and the domain is "EXAMPLEDOMAIN".

Our naming attribute for users is "sAMAccountName", some users are kept in "ou=accounting,ou=Users,dc=exampledomain,dc=example,dc=com", and other users are kept in "ou=graphics,ou=Users,dc=exampledomain,dc=example,dc=com".

(In LocalSettings.php)

Using a Proxy Agent
With this approach, if your server doesn't allow anonymous searching (AD doesn't, normally), you'll need to use a proxy agent. The proxy agent is a low privilege domain user service account which should have the rights to enumerate user objects and read their attributes but should not have create/modify/delete rights.

In this example, the proxy agent entry is at "cn=proxyagent,ou=Users,dc=exampledomain,dc=example,dc=com".

Add the following options to your configuration:

(In LocalSettings.php)

Configuration
If you are using multiple domains, this is your most likely scenario. In this example, we have two different domains that are not part of a single-sign-on enviroment.

The AD domain is called "ADDOMAIN", and has servers named "exampleldapserver.example.com" and "exampleldapserver2.example.com". The non-AD domain is called "NonADDomain", has servers named "nonadserver.example.com", "nonadserver2.example.com", and "nonadserver3.example.com", and users are stored in "ou=people,dc=example,dc=com". In this example, we do not require the ability to change passwords, or create new LDAP users through Mediawiki, just authentication.

(In LocalSettings.php)