LDAP hub/Migration from extension LDAPAuthentication

This page holds example configurations of the original Extension:LdapAuthentication and how these need to be rewritten for LDAP Stack.

Example 1

 * Allow network based authentication (aka "implicit", e.g. by using Apache's  module for Kerberos authentication)
 * Allow form based authentications with local user accounts
 * Allow form based authentications with remote LDAP user accounts
 * Restrict login to certain LDAP user groups
 * Syncronize user info
 * No syncronization of user groups

Given

Old

New

Example 3 - MediaWiki on CentOS w/ActiveDirectory
New MediaWiki Server: Mediawiki 1.35 + LDAP Stack

Legacy MediaWiki Server: MediaWiki 1.26.0 + LDAP Auth

LDAP Server: Microsoft Active Directory Server(s) domain.

MediaWiki Server: VMware VM, CentOS 8.2004, SELinux, Firewalld, TLS, MariaDB 10.3, Apache 2.4.37 Virtual Hosts, Remi php 7.3

MediaWiki v1.26.0 was the legacy system we upgraded to v1.35.0. We used forms based auth and originally did not require users to login to view pages, only to edit. In the new system that has changed as now they must login to view or edit. We are still using forms based auth and not any Network or Apache/HTTP/s based user auth. We do use TLS for transport encyrption to/from the Apache Virtual Host/site, all backend services are localhosted.

The TLS setup can catch folks (on linux at least) so I suggest looking into update-ca-trust and follow that. Afaik openssl and the system do not really share trust info per/se and use differnet source folders and such.

I did not post any of the data, database, or OS upgrade info here. Basically I setup an entirely new VM with all new software and just did a database backup and restore, which went ok but there were some issues I had to roll around and figure out. I copied over all the files from the images folder naturally so all the uploads would be there too.

v1.26.0 LdapAuthentication LocalSettings.php
Relevant LocalSettings.php parts :


 * Note: all actual domain names CostaRica.Net and server names are fictional. Any name conflicts in the real world are purely coincidental and accidental.

v1.35.0 LDAPStack LocalSettings.php
Just the relevant sections needed. I added the logging section I used as it really helped me figure things out.

v1.35.0 ldapprovider.json
New Ldapprovider.json file in /etc.

v1.35.0 Helpful Scripts and Tools
Along with the mediawiki php scripts to run and test AD Auth and getting groupinfo which are key tests. I created a few of my own outside of the mediawiki realm to help make sure my system itself could do things as needed using required server sub-systems.

These tools are meant to help the Systems Engineer, Sysadmin, or Administrator troubleshoot during setup of MediaWiki LDAPStack and Auth. Using it against Active Directory was my primary use case but they are basically directory indifferent.

You will need to setup your OpenSSL and more importantly your Linux OS TLS setup and add the AD Servers CA to the Trust Anchors in the system.

Bourne Shell Script "test-openssl-starttls.sh"
Test OpenSSL against AD StartTLS:

$wgLDAPAuthAttribute
Extension:LDAP_Authentication/Configuration_Options

Old

New

Auth remoteuser (Kerberos auth) with LDAPProvider features
The example includes a few extensions from LDAPStack, additional packages that you will need to make it works and some extra code that is not included in the documentation (many thanks to Osnard for his support).

Mediawiki 1.33.0 on Ubuntu 16.04. Apache2, PHP7.0, MySQL 5.7, Kerberos authentication.

LDAPProvider 1.0.1, LDAPGroups 1.0.1, LDAPUserInfo 1.0.0

Packages and apache2 mods: kerberos_packages, mod_krb5, php7.0-ldap in my case.

krb5.conf: apache2.conf: .htaccess: LocalSettings.php: Line 22 is needed for the LDAPGroup extension to work properly, when the "mappedgroups" mechanism is used.

Add  (third line) to   to make the LDAPUserInfo work: After the settings above the following command line scripts should work: To enable the debug log you can use (LocalSettings.php):

Very Simple Auth remoteuser Setup
The example is a very simple setup (that I may evolve at a later date, but is working now).

Mediawiki 1.31.5 on a late 2012 Mac Mini Server running Yosemite (10.10.5) using Server Internal Apache Version 2.4.16, PHP 7.2.21, MySQL 5.6.22

LDAP Hub Extension(s): Auth_remoteuser REL1_33  (I confirm only this one extension)

apache2.conf: At the root of my web server file system I have an .htaccess file which connects to my Yosemite Server Open Directory Service as follows:

.htaccess: LocalSettings.php: One a user authenticates through Apache's .htaccess/OpenDirectory (OD) and gains access to the server, Auth_remoteuser automatically uses the OD username/credentials as the Mediawiki login/username without any prompting or user interaction.

I plan to test/implement user groups so my setup may change substantially at a later date.