LDAP hub

This page was created as a result of the "Future of Extension:LDAP Authentication" sessions held at the Wikimedia Hackathon 2017 (T165270) and at SMWCon. It collects resources about different topics concerning MediaWiki and LDAP.

Basic overview
The stack provides a multi-step process:



Migrating from old LdapAuthentication

 * Migration from extension LDAPAuthentication
 * Config conversion

Group based login restrictions
The LDAP stack can be configured to allow only members of certain LDAP groups to actually log into the wiki. If the group requirement is not met, the user cannot log in at all, and no user account is created in the wiki database. This functionality is implemented in LDAPAuthorization.

There are two configuration options:
 * Required groups: LDAP group membership a user must have in order to log in
 * Excluded groups: LDAP group membership that blocks the login

Group synchronization
Local wiki user groups can be synchronized automatically with the groups a user has in LDAP. LDAPGroups takes care of this. By default two mechanisms are available:
 * MappedGroups: every local user group that should be synced must be configured explicitly in a mapping from local group name to LDAP group DN. Groups that are not listed in this mapping are not synced, even if the user is a member of them in LDAP.
 * AllGroups: every group the user is assigned to in LDAP is synced to the local database. Instead of the full group DN, only the CN part of the DN is used as the local group name. It is possible to exclude certain groups (e.g. the sysop group) from being synced.

Mapped groups
A mapping can be set up like this:

"groupsync": {
    "mapping": {
        "mathematicians": "ou=mathematicians,dc=example,dc=com",
        "scientists": "ou=scientists,dc=example,dc=com"
    }
}

All groups
If all groups should be synced, one must configure

"groupsync": {
    "mechanism": "MediaWiki\\Extension\\LDAPGroups\\SyncMechanism\\AllGroups::factory"
}

Because AllGroups uses the CN of every LDAP group as the local group name, an LDAP group whose CN matches a privileged local group (e.g. "sysop") would grant that group's rights on the wiki. To prevent certain groups from being synced, list them as locally managed:

"groupsync": {
    "locally-managed": [ "sysop" ]
}
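The following is an added example of one complete domain configuration that puts the group-based login restriction and the group synchronization described above into a single file. It is not configuration taken from this page or from the extensions' own documentation: the domain name, server, bind account, DNs and group names are made up, and the key names follow the LDAPProvider, LDAPAuthorization and LDAPGroups configuration format as I recall it, so check them against the README of the versions you have installed. JSON has no comments, so the placeholder values carry the "example" and "CHANGE-ME" markers instead.

```json
{
  "example.com": {
    "connection": {
      "server": "ldap.example.com",
      "port": 389,
      "enctype": "tls",
      "user": "cn=wiki-bind,ou=service,dc=example,dc=com",
      "pass": "CHANGE-ME-bind-password",
      "basedn": "dc=example,dc=com",
      "userbasedn": "ou=people,dc=example,dc=com",
      "groupbasedn": "ou=groups,dc=example,dc=com",
      "searchattribute": "uid",
      "usernameattribute": "uid",
      "realnameattribute": "cn",
      "emailattribute": "mail"
    },
    "authorization": {
      "rules": {
        "groups": {
          "required": [ "cn=wiki-users,ou=groups,dc=example,dc=com" ],
          "excluded": [ "cn=wiki-blocked,ou=groups,dc=example,dc=com" ]
        }
      }
    },
    "groupsync": {
      "mechanism": "MediaWiki\\Extension\\LDAPGroups\\SyncMechanism\\MappedGroups::factory",
      "mapping": {
        "editor": "cn=wiki-editors,ou=groups,dc=example,dc=com",
        "reviewer": "cn=wiki-reviewers,ou=groups,dc=example,dc=com"
      },
      "locally-managed": [ "sysop", "bureaucrat" ]
    }
  }
}
```

Three points worth checking in a file like this: the bind password is stored in clear text, so keep the file outside the web root and readable only by the web server user; "enctype": "tls" keeps the bind credentials and the group lookups off the wire in the clear; and listing "sysop" and "bureaucrat" as locally managed means that neither the mapping nor a later switch to AllGroups can hand out or remove wiki administrator rights from LDAP. The value used as the root node here ("example.com") is the same value you pass to the maintenance scripts' --domain option.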

Debugging
You can use the following command line scripts to verify your setup:

php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain YourDomain --username SomeUser
php extensions/LDAPProvider/maintenance/ShowUserGroups.php --domain YourDomain --username SomeUser
php extensions/LDAPProvider/maintenance/CheckLogin.php --domain YourDomain --username SomeUser

Be aware that the value passed to --domain needs to be exactly the same value that is specified in the domain config (e.g. the root node of your domain config JSON).

To enable the debug log for all extensions of the stack, add the following to your wiki's configuration:

$wgDebugLogGroups['LDAP']
    = $wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client']
    = $wgDebugLogGroups['LDAPGroups']
    = $wgDebugLogGroups['LDAPUserInfo']
    = $wgDebugLogGroups['LDAPAuthorization']
    = '/tmp/LDAP.log';

The log records usernames, DNs and group data, so point it at a location that other users on the host cannot read, and remove the setting again once you are done debugging.

Additional

 * Extension:LDAPAuthentication/Hint