Extension:LDAP Authentication/Examples

Example one
Note: I created this sub-section since below example is working on a production environment, and it's quite hard to find out examples for OpenLDAP rather than Active Directory LDAP servers

LDAP objects:

Mediawiki config (LocalSettings.php):

Example two
You may need to modify the options depending on your environment. The below example is a configuration to find "testuser" in the following group:

dn: cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com cn: testgroup objectclass: groupofuniquenames uniqueMember: uid=testuser,ou=people,dc=LDAP,dc=example,dc=com uniqueMember: uid=testuser2,ou=people,dc=LDAP,dc=example,dc=com uniqueMember: uid=testuser3,ou=people,dc=LDAP,dc=example,dc=com

Example:

The below example is a configuration to find "testuser" in the following group:

dn: cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com cn: testgroup objectclass: posixgroup gidnumber: 10000 memberuid: testuser memberuid: testuser2 memberuid: testuser3

Example:

Configuration for AD domains
Notice that if you have a multi-domain or multi-forest environment, you need to make sure your configuration is pointing at your global catalog!

Example:

If you are using AD-style straight binds (DOMAIN\\USER-NAME or USER-NAME@DOMAIN), you'll need one more option to make this work correctly:

This allows the extension to find the user's full DN for searching groups. Without finding the user's full DN, the extension will search groups with (member=DOMAIN\username), which is not what is in your groups.

Group based restrictions
To restrict access to specific groups, use $wgLDAPRequiredGroups:

Group synchronization
To use group synchronization you'll need to use $wgLDAPGroupNameAttribute:

You would of course need to change " " to whatever was appropriate.

Notice that $wgLDAPGroupNameAttribute is set to "cn" for every example because in every example, the naming attribute for the groups is "cn", if for some reason you had a group that looked like:

dn: group=testgroup,ou=groups,dc=adldap,dc=example,dc=com member: samaccountname=testuser,ou=users,dc=adldap,dc=example,dc=com

you would set $wgLDAPGroupNameAttribute like this instead:

If you only want to synchronize groups, and not do group based login restriction as well, just remove the $wgLDAPRequiredGroups option.

Pulling preferences
The following four attributes are used when pulling user preferences:


 * mail (email address)
 * displayName (nickname)
 * cn (real name)
 * preferredLanguage (language)

preferredLanguage must use the language code as it would be found in "languages/Names.php".

To enable preference pulling, add the following to LocalSettings.php:

To use custom attributes:

Example Configuration for OS X Open Directory (10.10.5)
Ensure that you run the maintenance upgrade script: Add the below to LocalSettings.php