Extension:LDAP Authentication/Examples

How-to examples
Examples of how to use this plugin can be found here:


 * Non-AD Configuration Examples
 * AD Configuration Examples
 * Smartcard Configuration Examples
 * Kerberos Configuration Examples

Configuration for non-AD Directory Servers
To use the group based restrictions with a non-AD directory, add:

where "cn=test,ou=groups,dc=mycompany,dc=com" is the dn of the group you wish to restrict access to.

Note: The plugin searches for users in the "member" attribute in groups. If you are not using the "member" attribute for your group members, then you will have to change what attribute is being searched for in the plugin.

Configuration for AD
Although the plugin does support group and role based restrictions (in version 1.0c), it was really written for non-AD style groups. It is actually pretty hard to write this for AD and non-AD style since AD uses groups in a smart way (although hard to use for other purposes way). AD does use the "member" attribute like used in the script, but it stores the members as their actual entry in the directory server ie:

cn=Lane\, Ryan,ou=Test_Group,ou=Domain_users,dc=example,dc=com

The problem lies in finding this member based upon the user's uid (or sAMAccountName). Now, this is possible if you add some code to the patch. If you pull preferences already, this should be pretty easy. If you do not pull preferences, you'll have to pull one. You'll need to pull the user's "distinguishedName" attribute, and search for that as a member in the function that checks for group membership. So, you could make the following changes:

(this example shows how to change the plugin to work with AD when you are not already pulling preferences, although it will work even if you are pulling preferences, just not as efficiently)

At the class definition, change: to In function "authenticate" change: to: In function "isMemberOfLdapGroup" change to: In LocalSettings.php add: where "cn=test,ou=groups,dc=mycompany,dc=com" is the dn of the group you wish to restrict access to.

Let me know if this is working for you or not.

$wgLDAPSearchStrings = array( "domain"=>"USER-NAME@domain" ); So the modification in the file LDAPAuthentication.php, the function "authenticate" was not working for me (wgLDAPSearchStrings does not return the user DN but the userPrincipalName) I changed the modification to : global $wgLDAPBaseDNs; $entry = @ldap_search($ldapconn,$wgLDAPBaseDNs[$_SESSION['wsDomain']], "(&(objectclass=*)(userPrincipalName=$userdn))"); $info = @ldap_get_entries($ldapconn, $entry); $this->distinguishedName = $info[0]["distinguishedname"][0]; return $this->isMemberOfLdapGroup($ldapconn, $userdn, $wgLDAPGroupDN);
 * 2006-04-26 : it was not working for because I used this configuration in LocalSettings.php :

and it is now working for me.

See also: German explanation

Configuration for non-AD domains
You'll need to change around the options some depending on your setup. The below example is a configuration to find "testuser" in the following group:

dn: cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com cn: testgroup objectclass: groupofuniquenames uniqueMember: uid=testuser,ou=people,dc=LDAP,dc=example,dc=com uniqueMember: uid=testuser2,ou=people,dc=LDAP,dc=example,dc=com uniqueMember: uid=testuser3,ou=people,dc=LDAP,dc=example,dc=com

Example:

The below example is a configuration to find "testuser" in the following group:

dn: cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com cn: testgroup objectclass: posixgroup gidnumber: 10000 memberuid: testuser memberuid: testuser2 memberuid: testuser3

Example:

Configuration for AD domains
Notice that if you have a multi-domain or multi-forest environment, you need to make sure your configuration is pointing at your global catalog!

Example:

If you are using straight binds to AD, using AD-style straight binds (DOMAIN\\USER-NAME or USER-NAME@DOMAIN), you'll need one more option to make this work correctly:

This allows the plugin to find the user's full DN for searching groups. Without finding the user's full DN, the plugin will search groups with (member=DOMAIN\username), which is not what is in your groups.

Group synchronization
To use group synchronization, you'll set up the plugin just like new style group based restrictions, and add the following two options to any of the examples from Extension:LDAP_Authentication:

You would of course need to change "testLDAPdomain" to whatever was appropriate.

Notice that $wgLDAPGroupNameAttribute is set to "cn" for every example because in every example, the naming attribute for the groups is "cn", if for some reason you had a group that looked like:

dn: group=testgroup,ou=groups,dc=adldap,dc=example,dc=com member: samaccountname=testuser,ou=users,dc=adldap,dc=example,dc=com

you would instead set $wgLDAPGroupNameAttribute like this instead:

If you only want to synchronize groups, and not do group based login restriction as well, just remove the $wgLDAPRequiredGroups option.

LDAP attributes used for preference pulling
The following four attributes can be set in LDAP on a user for the wiki to use as user preferences:


 * mail (email address)
 * displayName (nickname)
 * cn (real name)
 * preferredLanguage (language)

preferredLanguage must use the language code as it would be found in "languages/Names.php".

To use preference pulling:

Above seems depreciated in favor of: