Extension:LDAP Authentication

I've added 6 options to DefaultSettings.php (with their defaults), which an admin overrides in LocalSettings.php. They are the following:

DefaultSettings.php:

$wgUseLDAP = false;
$wgLDAPDomainNames = array("");
$wgLDAPServerNames = array("");
$wgLDAPSearchStrings = array("");
$wgLDAPUseSSL = true;
$wgLDAPUseLocal = false;

LocalSettings.php (example):

$wgUseLDAP = true;
$wgLDAPDomainNames = array("testADdomain","testLDAPdomain");
$wgLDAPServerNames = array("testADdomain"=>"testADserver.example.com",
                           "testLDAPdomain"=>"testLDAPserver.example.com testLDAPserver2.example.com");
$wgLDAPSearchStrings = array("testADdomain"=>"TDOMAIN\\USER-NAME",
                             "testLDAPdomain"=>"cn=USER-NAME,ou=people,dc=example,dc=com");
$wgLDAPUseSSL = true;
$wgLDAPUseLocal = true;

In this example, there are three different domains: one is local, one is an Active Directory domain, and the other is a normal LDAP domain (Sun Directory Server, OpenLDAP, etc.). The admin must provide the search string for a user's distinguished name (USER-NAME is substituted in SpecialUserLogin.php with the actual user's login name). Using SSL is optional (although it is the default), and so is using the local domain (which is the wiki itself, and is not on by default). Of course, using LDAP is off by default.

When using LDAP, passwords are not stored in the database (unless users create accounts on the local domain). Blank passwords are no longer allowed, since we wouldn't want people using the local domain to log in as domain users.

The interface for logging in is slightly different when using LDAP as well. Since the LDAP directory will be managing user accounts and passwords, I have removed the "mail me a new password" button, and the validate password field (unless $wgLDAPUseLocal is true). I have added a selection box that will allow users to choose which domain they wish to authenticate against (in the above example, the options would be "testADdomain", "testLDAPdomain", and "local").
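As an added illustration of the login flow described above (this is example code written for this page, not the extension's own SpecialUserLogin.php), the following PHP takes the domain chosen in the selection box, resolves it through the $wgLDAP* arrays from the LocalSettings.php example, substitutes USER-NAME into the search string, and refuses blank passwords before any bind is attempted. The function names ldapResolveLogin and ldapTryBind, and the whitelist applied to the user name, are assumptions of this example.

```php
<?php
// Added example, not the extension's code. Settings copied from the
// LocalSettings.php example above.
$wgLDAPDomainNames = array( "testADdomain", "testLDAPdomain" );
$wgLDAPServerNames = array(
    "testADdomain"   => "testADserver.example.com",
    "testLDAPdomain" => "testLDAPserver.example.com testLDAPserver2.example.com",
);
$wgLDAPSearchStrings = array(
    "testADdomain"   => "TDOMAIN\\USER-NAME",
    "testLDAPdomain" => "cn=USER-NAME,ou=people,dc=example,dc=com",
);
$wgLDAPUseSSL = true;

/**
 * Resolve one login attempt against the configured domains.
 * Returns array( 'servers' => list of LDAP URIs, 'bindName' => string ),
 * or null when the attempt must be refused (blank password, unknown domain,
 * user name that could alter the DN / login syntax).
 * (Hypothetical helper; the parameter order is this example's choice.)
 */
function ldapResolveLogin( $domain, $username, $password,
                           $domainNames, $serverNames, $searchStrings, $useSSL ) {
    // An empty password must never reach ldap_bind(): many directories treat
    // a bind with an empty credential as an anonymous bind that "succeeds".
    if ( $password === '' ) {
        return null;
    }
    // Only domains listed in $wgLDAPDomainNames are eligible ("local" is
    // handled by the wiki itself, not here).
    if ( !in_array( $domain, $domainNames, true ) ) {
        return null;
    }
    // USER-NAME is spliced into a DN or DOMAIN\user string, so restrict it to
    // characters that cannot introduce extra RDNs or escape sequences.
    if ( !preg_match( '/^[A-Za-z0-9._-]{1,64}$/', $username ) ) {
        return null;
    }
    $bindName = str_replace( 'USER-NAME', $username, $searchStrings[$domain] );

    // $wgLDAPServerNames may hold several space-separated hosts per domain;
    // they are tried in the order given.
    $scheme  = $useSSL ? 'ldaps://' : 'ldap://';
    $servers = array();
    foreach ( preg_split( '/\s+/', trim( $serverNames[$domain] ) ) as $host ) {
        if ( $host !== '' ) {
            $servers[] = $scheme . $host;
        }
    }
    return array( 'servers' => $servers, 'bindName' => $bindName );
}

/**
 * Try a simple bind on each server in turn; true on the first success.
 * Network access required, so the stand-alone run below does not call it.
 */
function ldapTryBind( $servers, $bindName, $password ) {
    foreach ( $servers as $uri ) {
        $conn = ldap_connect( $uri );
        if ( $conn === false ) {
            continue;
        }
        ldap_set_option( $conn, LDAP_OPT_PROTOCOL_VERSION, 3 );
        $ok = @ldap_bind( $conn, $bindName, $password );
        ldap_unbind( $conn );
        if ( $ok ) {
            return true;
        }
    }
    return false;
}

// Constructed sample input: the user picked "testLDAPdomain" in the selection box.
$login = ldapResolveLogin( 'testLDAPdomain', 'jsmith', 'correct-horse',
    $wgLDAPDomainNames, $wgLDAPServerNames, $wgLDAPSearchStrings, $wgLDAPUseSSL );
print_r( $login );
// servers: ldaps://testLDAPserver.example.com, ldaps://testLDAPserver2.example.com
// bindName: cn=jsmith,ou=people,dc=example,dc=com

// A blank password and a user name carrying DN syntax are both refused:
var_dump( ldapResolveLogin( 'testADdomain', 'jsmith', '',
    $wgLDAPDomainNames, $wgLDAPServerNames, $wgLDAPSearchStrings, $wgLDAPUseSSL ) );
var_dump( ldapResolveLogin( 'testLDAPdomain', 'jsmith,ou=admins', 'x',
    $wgLDAPDomainNames, $wgLDAPServerNames, $wgLDAPSearchStrings, $wgLDAPUseSSL ) );
```

The real login path would hand the returned servers and bindName to ldapTryBind() together with the submitted password; only a successful bind creates or refreshes the wiki session, so no password is ever written to the wiki database for an LDAP domain. When $wgLDAPUseSSL is false the bind credentials travel in the clear, which is why the extension defaults it to true.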

A few problems I have are not with how I have it currently implemented, but with features that could be added later. For instance, large sites (Wikipedia and the like) I'm sure do not want to handle user accounts manually; small sites and organizations that use it internally probably do. A feature that could be added to the basic LDAP authentication is the ability for the wiki to add user accounts and manage passwords like it does currently (locally). The problem with this is that most LDAP directories cannot work in this fashion. For instance, if the wiki were to mail a new password to a user, it would need to change the password on the LDAP directory, which would cause the user's old password to no longer work. Obviously this is a huge DoS situation. Adding user accounts is less of a problem, but because of time considerations, I cannot implement it.