Extension:External Data/LDAP

From mediawiki.org

You can use External Data to get data from an LDAP server.

As of version 3.2, the recommended way to retrieve database data is to use one of the display functions (#external_value, #for_external_table, etc.), passing in the necessary parameters for the data retrieval, most notably "source=". You can also retrieve database data by calling the #get_db_data function, or (for version 3.0 and higher) #get_external_data. In all of these cases, you must specify the information, including login information, for the database in the variable $wgExternalDataSources in LocalSettings.php.

For any of these parser functions, you can also call its corresponding Lua function.

A note about security: If you are going to retrieve LDAP data you should think hard about the security implications. Configuring an LDAP server in LocalSettings.php will allow anyone with edit access to your wiki to run queries against that server. You should use a domain user that has the minimum permissions for what you are trying to achieve. Wiki users could run queries to extract all sorts of information about your domain. You should know what you are doing before enabling this function.


The PHP extension ldap must be enabled. You need to configure each LDAP server in LocalSettings.php. Add the following stanza for each server:

$wgExternalDataSources['domain'] = [
	'server'	=> 'myldapserver.com',
	'base dn'	=> '[basedn]',
	'user'		=> 'myDomainUser',
	'password'	=> 'myDomainPassword'


  • domain is a label to be used when calling #get_ldap_data
  • myDomainuser and myDomainPassword are credentials used to bind to the LDAP server
  • [basedn] is the base DN used for the search.


$wgExternalDataSources['domain'] = [
	'server'	=> 'foobar.com',
	'base dn'	=> 'OU=Users,dc=foobar,dc=com',
	'user'		=> 'u12345',
	'password'	=> 'mypassword'


The examples below refer to #get_ldap_data. To retrieve LDAP data using any of the other parser (or Lua) functions, you can use all of the same parameters, but specify "source=", instead of "domain=", for the ID stored in LocalSettings.php.

Here is the standard call for #get_ldap_data:

 domain=domain. This parameter can be passed as 'source' or even anonymously, provided there are no equal signs in it
 |filter=LDAP filter
 |data=data mappings


  • domain is the label used in LocalSettings.php
  • filter is the LDAP filter used for the search
  • data is the mappings of LDAP attributes to local variables
  • if all is not added, the query will retrieve only one result.


An example that retrieves a user from a Win2003/AD system, using a user ID passed to a template: