Extension:LDAP Authentication

Have a look at the "LDAPAuthentication2" extension for a newer and maintained extension.

About - Requirements - Examples - Configuration Options - Changelog - Roadmap - Suggestions - User provided info - FAQ - Support

**MediaWiki extensions manual**
LDAP Authentication Release status: stable
Implementation	User identity
Description	Provides LDAP authentication, and some authorization functionality for MediaWiki
Author(s)	Ryan Lane (Ryan lane^talk)
Latest version	2.1.0 (2018-10-11)
Compatibility policy	master
MediaWiki	1.19-1.26
Database changes	Yes
License	GNU General Public License 2.0 or later
Download	Download extension Git ^[?]: Download Git master browse repository (GitHub) commit history repository contributors (GitHub) code review
Parameters $wgLDAPAutoAuthUsername $wgLDAPGroupsUseMemberOf $wgLDAPDomainNames $wgLDAPEncryptionType $wgLDAPSearchAttributes $wgLDAPGroupUseFullDN $wgLDAPPort $wgLDAPWriterPassword $wgLDAPUserBaseDNs $wgLDAPGroupBaseDNs $wgLDAPUseLDAPGroups $wgLDAPAutoAuthDomain $wgLDAPWriteLocation $wgLDAPProxyAgentPassword $wgLDAPUseLocal $wgLDAPLockPasswordPolicy $wgLDAPLockOnBlock $wgLDAPLocallyManagedGroups $wgLDAPAddLDAPUsers $wgLDAPProxyAgent $wgLDAPServerNames $wgLDAPPasswordHash $wgLDAPAuthAttribute $wgLDAPGroupSearchNestedGroups $wgLDAPExcludedGroups $wgLDAPGroupNameAttribute $wgLDAPRequiredGroups $wgLDAPBaseDNs $wgLDAPGroupAttribute $wgLDAPOptions $wgLDAPGroupsPrevail $wgLDAPDisableAutoCreate $wgLDAPGroupObjectclass $wgLDAPLowerCaseUsername $wgLDAPUpdateLDAP $wgLDAPDebug $wgLDAPMailPassword $wgLDAPSearchStrings $wgLDAPPreferences $wgLDAPActiveDirectory $wgLDAPGroupUseRetrievedUsername $wgLDAPGroupSearchPosixPrimaryGroup $wgLDAPWriterDN
Hooks used BlockIpComplete LoadExtensionSchemaUpdates UnblockUserComplete
Hooks provided ChainAuth LDAPSetCreationValues LDAPRetrySetCreationValues LDAPUpdateUser SetUsernameAttributeFromLDAP
Translate the LDAP Authentication extension if it is available at translatewiki.net
Check usage and version matrix.
Issues	Open tasks · Report a bug

Warning: The extension has not been fully updated for MediaWiki 1.27+ (AuthManager); LdapAutoAuthentication will not work with that version. See gerrit:286705 for details.

About this documentation[edit]

The documentation has been updated to reflect version 1.1c and higher[edit]

Caution:

Some options changed from 1.1b to 1.1c, make sure when configuring a new version that the options you are currently using are still valid. The changelog mentions which options have changed.

Post support questions on the discussion page or on the mediawiki-enterprise list[edit]

Please post all support questions on this page's discussion page or on the mediawiki-enterprise list. If a problem needs special attention, I can contact you directly by email. Posting the questions on the discussion page allows everyone to see how the problem was resolved.

Posting anywhere else will usually cause your problem to be ignored, or cause people to get upset with you.

Features[edit]

This plugin should be scalable for use in small to large organizations, and provides the following functionality:

Single and multi domain authentication (including local database)
- Simple bind authentication
- Proxy bind authentication
- Smartcard/CAC/PKI Soft Certificate authentication
- Kerberos authentication
- SSL/TLS or non-SSL/TLS binding allowed
- Nested/Unnested Group based restriction support
- Filter based restriction support
Retrieval of user information from LDAP
- Email address
- Real name
- Nickname
- Language
Synchronization of LDAP groups to MediaWiki security groups (LDAP->MediaWiki only)
- Nested group support available in 1.2b+
Storing preferences in LDAP
- Update passwords ^[1]
- Mail me a password ^[1]
- Update all preferences that are currently retrievable
Creation and modification of users in LDAP

Requirements[edit]

Please see the Requirements page.

Installation[edit]

Please see the configuration and options pages.

Compatibility[edit]

The current version has been tested on:

MediaWiki
- MediaWiki 1.31
- MediaWiki 1.32
- MediaWiki 1.33
- MediaWiki 1.34
- BlueSpice 1.1

Operating Systems
- Debian GNU/Linux 8 ("Jessie")
- Debian GNU/Linux 9 ("Stretch")
- Debian GNU/Linux 10 ("Buster")
- Ubuntu 7.04, 8.04, 8.10, 9.04, 10.04, and 12.04
- Red Hat Enterprise Linux v4 AS, ES, and WS
- Red Hat Enterprise Linux v5 Server and Desktop
- Fedora Core 6, Fedora 8, 10, 11, 12, 13, 19
- Solaris 10
- Suse Linux Enterprise Server 10
- Suse Linux Enterprise Server 10 Service-Pack 2
- Suse Linux Enterprise Server 12
- openSUSE 11.4
- Microsoft Windows 2003, 2008 R2
- Gentoo Linux (extension revision 20306)
- CentOS 4-7
- Novell NetWare 6.5 SP7
- FreeBSD 6.3-STABLE
LDAP Directories
- CA Directory (eTrust Directory)
- Sun Directory Server Enterprise Edition 5.2, 6.1, 6.2, and 6.3
- Active Directory 2003, 2008
- Novell eDirectory (NDS) v8.7.3, v8.8.2
- OpenLDAP v2.2.13, v2.3.43, v2.4.19
- Mac OS X Open Directory v10.4.9
- Fedora Directory Server 1.0.4
- ApacheDS 1.5.2
- OpenDJ 2.4
- IBM Lotus Domino 8.5 LDAP
Web Servers
- Apache 2.2
- Apache 2.4
- IIS6+PHP ISAPI
- IIS7.5+PHP

If you have a working wiki with a working version of the patch on something not listed above, please add it to the list!

Supporting the extension (donations)[edit]

Proper support of this extension requires quite a few resources. For a proper testing environment, I need to be able to run multiple directory servers (OpenLDAP, Sun Directory Server, Red Hat Directory Server, Active Directory, etc.), multiple web servers (Apache, and IIS mostly), Kerberos servers (MIT, AD), etc. Due to limited resources, I am unable to test many things concurrently.

If you would like to help support the extension, donation of a good laptop with lots of RAM (Macbook Pro preferably).

External Links[edit]

Ejemplo en español.

Notes[edit]

↑ ^1.0 ^1.1 Does not work with Active Directory