Extension:LDAP Authentication/Examples

From MediaWiki.org


LDAP Authentication (MediaWiki extension)

Release status: stable
Implementation: User identity
Description: Provides LDAP authentication, and some authorization functionality for MediaWiki
Author(s): Ryan Lane (user Ryan lane)
Latest version: 2.1.0 (2014-03-28)
Compatibility policy: master
MediaWiki: 1.19+
Database changes: Yes
License: GNU General Public License 2.0 or later
Hooks used: LoadExtensionSchemaUpdates

Group configuration

Configuration for non-AD domains

Example one

Note: I created this sub-section since the example below is working in a production environment, and it is quite hard to find examples for OpenLDAP rather than Active Directory LDAP servers.

LDAP server: OpenLDAP (2.4.31-1ubuntu2)
Binding mechanism: requires a binding user (anonymous queries not allowed)
TLS: yes
Example group: ldapwiki
Example user: LDAP_USER_1

LDAP objects:

# LDAP user
dn: cn=LDAP_USER_1,ou=people,dc=example,dc=com
cn: LDAP_USER_1
gidNumber: 10001
givenName: Name
homeDirectory: /home/LDAP_USER_1
loginShell: /bin/bash
mail: LDAP_USER_1@example.com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
sn: Surname
uid: LDAP_USER_1
uidNumber: 10001
userPassword: ******

# LDAP group
dn: cn=ldapwiki,ou=groups,dc=example,dc=com
cn: ldapwiki
gidNumber: 10004
memberUid: LDAP_USER_1
memberUid: LDAP_USER_2
objectClass: posixGroup
objectClass: top

MediaWiki config (LocalSettings.php):

# LDAP
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
require_once( "$IP/includes/AuthPlugin.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array(
  'openldap_example_com',
);
$wgLDAPServerNames = array(
  'openldap_example_com' => 'ldap.example.com',
);
# Do not also offer the local MediaWiki user database as a login domain
$wgLDAPUseLocal = false;
# 'tls' = StartTLS on the plain LDAP port. The proxy agent password below and
# every user password travel over this connection, so never set this to 'clear'.
$wgLDAPEncryptionType = array(
  'openldap_example_com' => 'tls',
);
$wgLDAPPort = array(
  'openldap_example_com' => 389,
);
# Read-only service account used to look users up before the user's own bind
# (the server rejects anonymous queries)
$wgLDAPProxyAgent = array(
  'openldap_example_com' => 'cn=readonly,dc=example,dc=com',
);
$wgLDAPProxyAgentPassword = array(
  'openldap_example_com' => '*****',
);
$wgLDAPSearchAttributes = array(
  'openldap_example_com' => 'uid',
);
$wgLDAPBaseDNs = array(
  'openldap_example_com' => 'dc=example,dc=com',
);
# To pull e-mail address from LDAP
$wgLDAPPreferences = array(
  'openldap_example_com' => array( 'email' => 'mail' ),
);
# Group based restriction: posixGroup entries list members by login name in
# memberUid, so short names rather than full DNs are matched
$wgLDAPGroupUseFullDN = array( 'openldap_example_com' => false );
$wgLDAPGroupObjectclass = array( 'openldap_example_com' => 'posixgroup' );
$wgLDAPGroupAttribute = array( 'openldap_example_com' => 'memberuid' );
$wgLDAPGroupSearchNestedGroups = array( 'openldap_example_com' => false );
$wgLDAPGroupNameAttribute = array( 'openldap_example_com' => 'cn' );
# Required group DN written in lowercase (the extension lowercases search results)
$wgLDAPRequiredGroups = array(
  'openldap_example_com' => array( 'cn=ldapwiki,ou=groups,dc=example,dc=com' ),
);
$wgLDAPLowerCaseUsername = array(
  'openldap_example_com' => true,
);

Example two

You may need to modify the options depending on your environment. The example below is a configuration that finds "testuser" in the following group:

dn: cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com
cn: testgroup
objectclass: groupofuniquenames
uniqueMember: uid=testuser,ou=people,dc=LDAP,dc=example,dc=com
uniqueMember: uid=testuser2,ou=people,dc=LDAP,dc=example,dc=com
uniqueMember: uid=testuser3,ou=people,dc=LDAP,dc=example,dc=com

Example:

$wgLDAPGroupUseFullDN = array( "testLDAPdomain"=>true );
$wgLDAPGroupObjectclass = array( "testLDAPdomain"=>"groupofuniquenames" );
$wgLDAPGroupAttribute = array( "testLDAPdomain"=>"uniquemember" );
$wgLDAPGroupSearchNestedGroups = array( "testLDAPdomain"=>false );
$wgLDAPGroupNameAttribute = array( "testLDAPdomain"=>"cn" );
$wgLDAPBaseDNs = array( "testLDAPdomain"=>"dc=LDAP,dc=example,dc=com" );

The example below is a configuration that finds "testuser" in the following group:

dn: cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com
cn: testgroup
objectclass: posixgroup
gidnumber: 10000
memberuid: testuser
memberuid: testuser2
memberuid: testuser3

Example:

$wgLDAPGroupUseFullDN = array( "testLDAPdomain"=>false );
$wgLDAPGroupObjectclass = array( "testLDAPdomain"=>"posixgroup" );
$wgLDAPGroupAttribute = array( "testLDAPdomain"=>"memberuid" );
$wgLDAPGroupSearchNestedGroups = array( "testLDAPdomain"=>false );
$wgLDAPGroupNameAttribute = array( "testLDAPdomain"=>"cn" );
$wgLDAPBaseDNs = array( "testLDAPdomain"=>"dc=LDAP,dc=example,dc=com" );

Configuration for AD domains

Note that in a multi-domain or multi-forest environment you need to make sure your configuration points at a global catalog (port 3268, or 3269 for LDAPS) rather than an ordinary domain controller port; otherwise only the local domain's users and groups are searched.

Example:

$wgLDAPGroupUseFullDN = array( "testADLDAPdomain"=>true );
$wgLDAPGroupObjectclass = array( "testADLDAPdomain"=>"group" );
$wgLDAPGroupAttribute = array( "testADLDAPdomain"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "testADLDAPdomain"=>true );
$wgLDAPGroupNameAttribute = array( "testADLDAPdomain"=>"cn" );
$wgLDAPBaseDNs = array( "testADLDAPdomain"=>"dc=ADLDAP,dc=example,dc=com" );
$wgLDAPActiveDirectory = array( "testADLDAPdomain"=>true );

If you are using AD-style straight binds (DOMAIN\USER-NAME or USER-NAME@DOMAIN), you need one more option to make this work correctly:

$wgLDAPSearchAttributes = array( "testADLDAPdomain"=>"sAMAccountName" );

This allows the extension to find the user's full DN for searching groups. Without the full DN, the extension searches groups with (member=DOMAIN\username), which does not match the DN values stored in the groups' member attribute.

Group-based restrictions

To restrict access to specific groups, use $wgLDAPRequiredGroups:

# DNs in $wgLDAPRequiredGroups must be lowercase, because the extension lowercases
# the DNs returned by the group search before comparing them with this list
$wgLDAPRequiredGroups = array( "<domain>"=>array("cn=testgroup,ou=groups,dc=ldap,dc=example,dc=com") );

Group synchronization

To use group synchronization you'll need to use $wgLDAPGroupNameAttribute:

$wgLDAPUseLDAPGroups = array( "<domain>"=>true );
$wgLDAPGroupNameAttribute = array( "<domain>"=>"cn" );

You would of course need to change "<domain>" to whatever was appropriate.

Notice that $wgLDAPGroupNameAttribute is set to "cn" in every example because in every example the naming attribute of the groups is "cn". If for some reason you had a group that looked like:

dn: group=testgroup,ou=groups,dc=adldap,dc=example,dc=com
member: samaccountname=testuser,ou=users,dc=adldap,dc=example,dc=com

you would set $wgLDAPGroupNameAttribute like this instead:

$wgLDAPGroupNameAttribute = array( "testLDAPdomain"=>"group" );

If you only want to synchronize groups, and not do group based login restriction as well, just remove the $wgLDAPRequiredGroups option.
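The pieces of the group configuration above (the posixGroup/memberUid, groupOfUniqueNames/uniqueMember and AD group/member variants, the straight-bind pitfall in the AD section, the lowercase rule for $wgLDAPRequiredGroups, and the $wgLDAPGroupNameAttribute note) can be seen working together in the following model. It is an added example, not code from the LDAP Authentication extension or from this page. It assumes the extension's group search has the shape (&(objectclass=<GroupObjectclass>)(<GroupAttribute>=<value>)), that search results are lowercased before being compared with $wgLDAPRequiredGroups as written (the note above), and, for brevity, it reads the group name off the group's RDN instead of fetching the attribute from the entry. The DNs and names are the page's own examples; the filter strings it prints can be pasted into an ldapsearch -b <base DN> call to check a live directory before trusting the configuration.

```python
"""Model of the group lookup described by the $wgLDAPGroup* settings above.

Added illustration, not code from the LDAP Authentication extension.  Assumed
filter shape: (&(objectclass=<GroupObjectclass>)(<GroupAttribute>=<value>)).
"""
from typing import Iterable, Optional

# RFC 4515 section 3: characters that must be escaped in an assertion value.
# Without this, a login name such as "*" becomes a wildcard matching every group.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so an LDAP server matches it literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def group_filter(objectclass: str, attribute: str, use_full_dn: bool,
                 username: str, user_dn: Optional[str] = None) -> str:
    """Filter for "groups that list this user" under one config variant.

    $wgLDAPGroupUseFullDN = true: the member attribute holds DNs
    (groupOfUniqueNames/uniqueMember, AD group/member), so the resolved user
    DN is searched for.  false: it holds login names (posixGroup/memberUid).
    If full DNs are expected but none was resolved, which is the AD
    straight-bind case without $wgLDAPSearchAttributes, the raw login string
    is searched for instead and matches nothing, as the AD section warns.
    """
    value = user_dn if (use_full_dn and user_dn) else username
    return (f"(&(objectclass={escape_filter_value(objectclass)})"
            f"({attribute}={escape_filter_value(value)}))")


def required_group_ok(found_group_dns: Iterable[str],
                      required_groups: Iterable[str]) -> bool:
    """Apply $wgLDAPRequiredGroups the way the note above describes.

    Search results are lowercased; the configured DNs are compared as
    written, so a required DN containing upper case can never match.
    """
    wanted = set(required_groups)
    return any(dn.lower() in wanted for dn in found_group_dns)


def group_name_from_dn(group_dn: str, name_attribute: str) -> Optional[str]:
    """Wiki group name per $wgLDAPGroupNameAttribute, read from the group's RDN.

    Returns None when the RDN is not built from the configured attribute,
    e.g. name_attribute="cn" against "group=testgroup,...".
    """
    rdn_attr, _, rdn_value = group_dn.split(",", 1)[0].partition("=")
    if rdn_attr.strip().lower() != name_attribute.lower():
        return None
    return rdn_value.strip()


if __name__ == "__main__":
    # Example one / Example two (posixGroup): short login name in memberUid
    print(group_filter("posixgroup", "memberuid", False, "ldap_user_1"))
    # Example two (groupOfUniqueNames): full DN in uniqueMember
    print(group_filter("groupofuniquenames", "uniquemember", True, "testuser",
                       "uid=testuser,ou=people,dc=LDAP,dc=example,dc=com"))
    # AD straight bind with no $wgLDAPSearchAttributes: DN never resolved
    print(group_filter("group", "member", True, "ADLDAP\\testuser"))
    # Hostile login name: after escaping, "*" stays a literal, not a wildcard
    print(group_filter("posixgroup", "memberuid", False, "*"))
    found = ["cn=TestGroup,ou=Groups,dc=LDAP,dc=example,dc=com"]  # constructed server result
    print(required_group_ok(found, ["cn=testgroup,ou=groups,dc=ldap,dc=example,dc=com"]))
    print(required_group_ok(found, ["cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com"]))
    print(group_name_from_dn("group=testgroup,ou=groups,dc=adldap,dc=example,dc=com", "group"))
```

In real code use a library escaper such as ldap.filter.escape_filter_chars from python-ldap rather than a hand-written table; the point of the table here is to make visible why the extension must not splice the login name into the filter unescaped.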

Pulling preferences

The following four attributes are used when pulling user preferences:

mail (email address)
displayName (nickname)
cn (real name)
preferredLanguage (language)

preferredLanguage must use the language code as it would be found in "languages/Names.php".

To enable preference pulling, add the following to LocalSettings.php:

$wgLDAPRetrievePrefs = array( 'testADdomain' => true );

To map the preferences to custom attributes instead of the defaults above (the keys are email, realname, nickname and language):

$wgLDAPPreferences = array( 'testADdomain' => array( "email" => "mail", "realname" => "cn", "nickname" => "sAMAccountName" ) );

Example configuration for OS X Open Directory (10.10.5)

Ensure that you run the maintenance upgrade script:

php maintenance/update.php

Add the following to LocalSettings.php:

// LocalSettings.php

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );

$wgAuth                           = new LdapAuthenticationPlugin();
$wgLDAPUseLocal                   = false;
$wgLDAPDomainNames                = [ 'myserver' ];
$wgLDAPServerNames                = [ 'myserver' => 'myserver.example.com' ];
// 'clear' sends every user's password unencrypted and is only acceptable on a
// loopback or otherwise trusted link. Use 'tls' (StartTLS on 389) or 'ssl'
// (LDAPS, normally port 636) anywhere else.
$wgLDAPEncryptionType             = [ 'myserver' => 'clear' ];
$wgLDAPPort                       = [ 'myserver' => 389 ];
// No proxy agent: user lookups are done with an anonymous bind, so the
// directory must permit anonymous search of the user and group containers
$wgLDAPProxyAgent                 = [ ];
$wgLDAPProxyAgentPassword         = [ ];
$wgLDAPSearchAttributes           = [ 'myserver' => 'uid' ];
$wgLDAPBaseDNs                    = [ 'myserver' => 'dc=myserver,dc=example,dc=com' ];
$wgLDAPGroupBaseDNs               = [ 'myserver' => 'cn=groups,dc=myserver,dc=example,dc=com' ];
$wgLDAPUserBaseDNs                = [ 'myserver' => 'cn=users,dc=myserver,dc=example,dc=com' ];
$wgLDAPPreferences                = [ 'myserver' => [
                                                 'email' => 'EMailAddress',
                                                 'realname' => 'RealName',
                                               ]
                                    ];
// Open Directory groups are posixGroup entries listing members by short name
$wgLDAPGroupUseFullDN             = [ 'myserver' => false ];
$wgLDAPGroupObjectclass           = [ 'myserver' => 'posixGroup' ];
$wgLDAPGroupAttribute             = [ 'myserver' => 'memberUid' ];
$wgLDAPGroupNameAttribute         = [ 'myserver' => 'cn' ];
$wgLDAPGroupSearchNestedGroups    = [ 'myserver' => false ];
// Required group DN in lowercase (the extension lowercases search results)
$wgLDAPRequiredGroups             = [ 'myserver' => [ 'cn=wikiaccessgroup,cn=groups,dc=myserver,dc=example,dc=com' ] ];
$wgLDAPLowerCaseUsername          = [ 'myserver' => true ];

See also