Extension:LDAP Authentication/Generic LDAP Configuration Examples

Single Domain Requiring Straight Binding Only
In this example, we have a non AD based LDAP server, and we will be doing straight binds to the directory. This is not how typical LDAP authentication plugins operate as it does not attempt a search first, see "Single Domain Requiring Search Before Binding."

Configuration
Our LDAP servers are "exampleldapserver.example.com" and "exampleldapserver2.example.com" ,and the domain is "exampledomain.example.com". In this example, we do not require the ability to change passwords, or create new LDAP users through Mediawiki, we just require authentication.

Our naming attribute for users is "uid", and all users are kept in "ou=people,dc=exampledomain,dc=example,dc=com".

(In LocalSettings.php) require_once 'extensions/LdapAuthentication.php';

$wgAuth = new LdapAuthenticationPlugin;

$wgLDAPDomainNames = array( 'exampleNonADDomain' );

$wgLDAPServerNames = array( 'exampleNonADDomain' => 'exampleldapserver.example.com exampleldapserver2.example.com' );

$wgLDAPSearchStrings = array( 'exampleNonADDomain' => 'uid=USER-NAME,ou=people,dc=exampledomain,dc=example,dc=com' );

$wgLDAPEncryptionType = array( 'exampleNonADDomain' => 'ssl' );

$wgMinimalPasswordLength = 1;

Single Domain Requiring Search Before Binding
This is typically how LDAP authentication is performed. First, a search is performed for the identifier presented (username) and a DN is returned. This DN is then used with the password provided to attempt a bind against the LDAP server. This is useful in cases when the username does not match anything in the DN or users are stored in multiple OUs.

Configuration
Our LDAP servers are "exampleldapserver.example.com" and "exampleldapserver2.example.com" ,and the domain is "exampledomain.example.com". In this example, we do not require the ability to change passwords, or create new LDAP users through Mediawiki, we just require authentication.

Our naming attribute for users is "uid", some users are kept in "ou=accounting,ou=people,dc=exampledomain,dc=example,dc=com", and other users are kept in "ou=graphics,ou=people,dc=exampledomain,dc=example,dc=com".

(In LocalSettings.php) require_once 'extensions/LdapAuthentication.php';

$wgAuth = new LdapAuthenticationPlugin;

$wgLDAPDomainNames = array( 'exampleNonADDomain' );

$wgLDAPServerNames = array( 'exampleNonADDomain' => 'exampleldapserver.example.com exampleldapserver2.example.com' );

$wgLDAPSearchAttributes = array( 'exampleNonADDomain' => 'uid' );

$wgLDAPBaseDNs = array( 'exampleNonADDomain' => 'dc=exampledomain,dc=example,dc=com' );

$wgLDAPEncryptionType = array( 'exampleNonADDomain' => 'ssl' );

$wgMinimalPasswordLength = 1;

Using a Proxy Agent
With this approach, if your server doesn't allow anonymous searching, you'll need to use a proxy agent.

In this example the proxy agent entry is at "cn=proxyagent,ou=people,dc=exampledomain,dc=example,dc=com".

Add the following options to your configuration:

(In LocalSettings.php) $wgLDAPProxyAgent = array(  'exampleNonADDomain' => 'cn=proxyagent,ou=people,dc=exampledomain,dc=example,dc=com' );

$wgLDAPProxyAgentPassword = array( 'exampleNonADDomain' => 'eX@mP1eP$$wRd' );

Configuration
If you are using multiple domains, this is your most likely scenario. In this example, we have two different domains that are not part of a single-sign-on enviroment.

The AD domain is called "ADDOMAIN", and has servers named "exampleldapserver.example.com" and "exampleldapserver2.example.com". The non-AD domain is called "NonADDomain", has servers named "nonadserver.example.com", "nonadserver2.example.com", and "nonadserver3.example.com", and users are stored in "ou=people,dc=example,dc=com". In this example, we do not require the ability to change passwords, or create new LDAP users through Mediawiki, just authentication.

(In LocalSettings.php) require_once 'extensions/LdapAuthentication.php';

$wgAuth = new LdapAuthenticationPlugin;

$wgLDAPDomainNames = array( 'exampleADDomain', 'exampleNonADDomain' );

$wgLDAPServerNames = array( 'exampleADDomain' => 'exampleldapserver.example.com exampleldapserver2.example.com',  'exampleNonADDomain' => 'nonadserver.example.com nonadserver2.example.com nonadserver3.example.com', );

$wgLDAPSearchStrings = array( 'exampleADDomain' => 'ADDOMAIN\\USER-NAME', 'exampleNonADDomain' => 'uid=USER-NAME,ou=people,dc=example,dc=com' );

$wgLDAPEncryptionType = array( 'exampleADDomain' => 'ssl', 'exampleNonADDomain' => 'ssl' );

$wgMinimalPasswordLength = 1;