Extension:LDAP Authentication/Examples

From mediawiki.org
Jump to navigation Jump to search

About - Requirements - Examples - Configuration Options - Changelog - Roadmap - Suggestions - User provided info - FAQ - Support

Group and Preferences Examples - Generic LDAP Examples - Active Directory Examples - Smartcard Examples - Kerberos Examples


MediaWiki extensions manual
OOjs UI icon advanced.svg
LDAP Authentication
Release status: stable
Implementation User identity
Description Provides LDAP authentication, and some authorization functionality for MediaWiki
Author(s) Ryan Lane (Ryan lanetalk)
Latest version 2.1.0 (2018-10-11)
Compatibility policy Snapshots releases along with MediaWiki. Master is not backwards compatible.
MediaWiki 1.19-1.26
MediaWiki 1.36 Not formally tested
MediaWiki 1.34 Not formally tested
MediaWiki 1.32 Not formally tested
Database changes Yes
License GNU General Public License 2.0 or later
Download
Download extension
Git [?]:
Parameters
  • $wgLDAPAutoAuthUsername
  • $wgLDAPGroupsUseMemberOf
  • $wgLDAPDomainNames
  • $wgLDAPEncryptionType
  • $wgLDAPSearchAttributes
  • $wgLDAPGroupUseFullDN
  • $wgLDAPPort
  • $wgLDAPWriterPassword
  • $wgLDAPUserBaseDNs
  • $wgLDAPGroupBaseDNs
  • $wgLDAPUseLDAPGroups
  • $wgLDAPAutoAuthDomain
  • $wgLDAPWriteLocation
  • $wgLDAPProxyAgentPassword
  • $wgLDAPUseLocal
  • $wgLDAPLockPasswordPolicy
  • $wgLDAPLockOnBlock
  • $wgLDAPLocallyManagedGroups
  • $wgLDAPAddLDAPUsers
  • $wgLDAPProxyAgent
  • $wgLDAPServerNames
  • $wgLDAPPasswordHash
  • $wgLDAPAuthAttribute
  • $wgLDAPGroupSearchNestedGroups
  • $wgLDAPExcludedGroups
  • $wgLDAPGroupNameAttribute
  • $wgLDAPRequiredGroups
  • $wgLDAPBaseDNs
  • $wgLDAPGroupAttribute
  • $wgLDAPOptions
  • $wgLDAPGroupsPrevail
  • $wgLDAPDisableAutoCreate
  • $wgLDAPGroupObjectclass
  • $wgLDAPLowerCaseUsername
  • $wgLDAPUpdateLDAP
  • $wgLDAPDebug
  • $wgLDAPMailPassword
  • $wgLDAPSearchStrings
  • $wgLDAPPreferences
  • $wgLDAPActiveDirectory
  • $wgLDAPGroupUseRetrievedUsername
  • $wgLDAPGroupSearchPosixPrimaryGroup
  • $wgLDAPWriterDN
Hooks used
Hooks provided

Check usage and version matrix.

Issues Open tasks · Report a bug
Warning Warning: The extension has not been fully updated for MediaWiki 1.27+ (AuthManager); LdapAutoAuthentication will not work with that version. See gerrit:286705 for details.


Group configuration[edit]

Configuration for non-AD domains[edit]

Example one[edit]

Note: I created this sub-section since below example is working on a production environment, and it's quite hard to find out examples for OpenLDAP rather than Active Directory LDAP servers

LDAP server OpenLDAP (2.4.31-1ubuntu2)
Binding mechanism Requires binding user (anonymous queries not allowed)
TLS Yes
Example group ldapwiki
Example user LDAP_USER_1

LDAP objects: 

# LDAP user
dn: cn=LDAP_USER_1,ou=people,dc=example,dc=com
cn: LDAP_USER_1
gidnumber: 10001
givenname: Name
homedirectory: /home/LDAP_USER_1
loginshell: /bin/bash
mail: LDAP_USER_1@example.com
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Surename
uid: LDAP_USER_1
uidnumber: 10001
userpassword: ******

# LDAP group
dn: cn=ldapwiki,ou=groups,dc=example,dc=com
cn: ldapwiki
gidnumber: 10004
memberuid: LDAP_USER_1
memberuid: LDAP_USER_2
objectclass: posixGroup
objectclass: top

Mediawiki config (LocalSettings.php):

First, enable the LdapAuthentication plugin:

For MediaWiki < 1.27: 

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
require_once ('includes/AuthPlugin.php');
$wgAuth = new LdapAuthenticationPlugin();

For MediaWiki >= 1.27: 

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuthManagerAutoConfig['primaryauth'] += [
    LdapPrimaryAuthenticationProvider::class => [
        'class' => LdapPrimaryAuthenticationProvider::class,
        'args' => [[
               'authoritative' => true, // don't allow local non-LDAP accounts
           ]],
        'sort' => 50, // must be smaller than local pw provider
    ],
];

Then, add the rest of the configuration: 

# LDAP
$wgLDAPDomainNames = array(
  'openldap_example_com',
);
$wgLDAPServerNames = array(
  'openldap_example_com' => 'ldap.example.com',
);
$wgLDAPUseLocal = false;
$wgLDAPEncryptionType = array(
  'openldap_example_com' => 'tls',
);
$wgLDAPPort = array(
  'openldap_example_com' => 389,
);
$wgLDAPProxyAgent = array(
  'openldap_example_com' => 'cn=readonly,dc=example,dc=com',
);
$wgLDAPProxyAgentPassword = array(
  'openldap_example_com' => '*****',
);
$wgLDAPSearchAttributes = array(
  'openldap_example_com' => 'uid'
);
$wgLDAPBaseDNs = array(
  'openldap_example_com' => 'dc=example,dc=com',
);
# To pull e-mail address from LDAP
$wgLDAPPreferences = array(
  'openldap_example_com' => array( 'email' => 'mail')
);
# Group based restriction
$wgLDAPGroupUseFullDN = array( "openldap_example_com"=>false );
$wgLDAPGroupObjectclass = array( "openldap_example_com"=>"posixgroup" );
$wgLDAPGroupAttribute = array( "openldap_example_com"=>"memberuid" );
$wgLDAPGroupSearchNestedGroups = array( "openldap_example_com"=>false );
$wgLDAPGroupNameAttribute = array( "openldap_example_com"=>"cn" );
$wgLDAPRequiredGroups = array( "openldap_example_com"=>array("cn=ldapwiki,ou=groups,dc=example,dc=com"));
$wgLDAPLowerCaseUsername = array(
  'openldap_example_com' => true,
);

Example two[edit]

You may need to modify the options depending on your environment. The below example is a configuration to find "testuser" in the following group: 

dn: cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com
cn: testgroup
objectclass: groupofuniquenames
uniqueMember: uid=testuser,ou=people,dc=LDAP,dc=example,dc=com
uniqueMember: uid=testuser2,ou=people,dc=LDAP,dc=example,dc=com
uniqueMember: uid=testuser3,ou=people,dc=LDAP,dc=example,dc=com

Example: 

$wgLDAPGroupUseFullDN = array( "testLDAPdomain"=>true );
$wgLDAPGroupObjectclass = array( "testLDAPdomain"=>"groupofuniquenames" );
$wgLDAPGroupAttribute = array( "testLDAPdomain"=>"uniquemember" );
$wgLDAPGroupSearchNestedGroups = array( "testLDAPdomain"=>false );
$wgLDAPGroupNameAttribute = array( "testLDAPdomain"=>"cn" );
$wgLDAPBaseDNs = array( "testLDAPdomain"=>"dc=LDAP,dc=example,dc=com" );

The below example is a configuration to find "testuser" in the following group: 

dn: cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com
cn: testgroup
objectclass: posixgroup
gidnumber: 10000
memberuid: testuser
memberuid: testuser2
memberuid: testuser3

Example: 

$wgLDAPGroupUseFullDN = array( "testLDAPdomain"=>false );
$wgLDAPGroupObjectclass = array( "testLDAPdomain"=>"posixgroup" );
$wgLDAPGroupAttribute = array( "testLDAPdomain"=>"memberuid" );
$wgLDAPGroupSearchNestedGroups = array( "testLDAPdomain"=>false );
$wgLDAPGroupNameAttribute = array( "testLDAPdomain"=>"cn" );
$wgLDAPBaseDNs = array( "testLDAPdomain"=>"dc=LDAP,dc=example,dc=com" );

Configuration for AD domains[edit]

Notice that if you have a multi-domain or multi-forest environment, you need to make sure your configuration is pointing at your global catalog!

Example: 

$wgLDAPGroupUseFullDN = array( "testADLDAPdomain"=>true );
$wgLDAPGroupObjectclass = array( "testADLDAPdomain"=>"group" );
$wgLDAPGroupAttribute = array( "testADLDAPdomain"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "testADLDAPdomain"=>true );
$wgLDAPGroupNameAttribute = array( "testADLDAPdomain"=>"cn" );
$wgLDAPBaseDNs = array( "testADLDAPdomain"=>"dc=ADLDAP,dc=example,dc=com" );
$wgLDAPActiveDirectory = array( "testADLDAPdomain"=>true );

If you are using AD-style straight binds (DOMAIN\\USER-NAME or USER-NAME@DOMAIN), you'll need one more option to make this work correctly: 

$wgLDAPSearchAttributes = array( "testADLDAPdomain"=>"sAMAccountName" );

This allows the extension to find the user's full DN for searching groups. Without finding the user's full DN, the extension will search groups with (member=DOMAIN\username), which is not what is in your groups.

Group based restrictions[edit]

To restrict access to specific groups, use $wgLDAPRequiredGroups: 

#DNs in $wgLDAPRequiredGroups must be lowercase, as search result attribute values are...
$wgLDAPRequiredGroups = array( "<domain>"=>array("cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com") );

Group synchronization[edit]

To use group synchronization you'll need to use $wgLDAPGroupNameAttribute: 

$wgLDAPUseLDAPGroups = array( "<domain>"=>true );
$wgLDAPGroupNameAttribute = array( "<domain>"=>"cn" );

You would of course need to change "<domain>" to whatever was appropriate.

Notice that $wgLDAPGroupNameAttribute is set to "cn" for every example because in every example, the naming attribute for the groups is "cn", if for some reason you had a group that looked like: 

dn: group=testgroup,ou=groups,dc=adldap,dc=example,dc=com
member: samaccountname=testuser,ou=users,dc=adldap,dc=example,dc=com

you would set $wgLDAPGroupNameAttribute like this instead: 

$wgLDAPGroupNameAttribute = array( "testLDAPdomain"=>"group" );

If you only want to synchronize groups, and not do group based login restriction as well, just remove the $wgLDAPRequiredGroups option.

Pulling preferences[edit]

The following four attributes are used when pulling user preferences:

mail (email address)
displayName (nickname)
cn (real name)
preferredLanguage (language)

preferredLanguage must use the language code as it would be found in "languages/Names.php".

To enable preference pulling, add the following to LocalSettings.php: 

$wgLDAPRetrievePrefs = array( 'testADDomain' => true );

To use custom attributes: 

$wgLDAPPreferences = array('testADdomain'=>array( "email"=>"mail","realname"=>"cn","nickname"=>"sAMAccountName"));

Example Configuration for OS X Open Directory (10.10.5)[edit]

Ensure that you run the maintenance upgrade script:

php maintenance/update.php

Add the below to LocalSettings.php

First, enable the LdapAuthentication plugin:

For MediaWiki < 1.27: 

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
require_once ('includes/AuthPlugin.php');
$wgAuth = new LdapAuthenticationPlugin();

For MediaWiki >= 1.27: 

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuthManagerAutoConfig['primaryauth'] += [
    LdapPrimaryAuthenticationProvider::class => [
        'class' => LdapPrimaryAuthenticationProvider::class,
        'args' => [[
               'authoritative' => true, // don't allow local non-LDAP accounts
           ]],
        'sort' => 50, // must be smaller than local pw provider
    ],
];

Then, add the rest of the configuration: 

$wgLDAPUseLocal                   = false;
$wgLDAPDomainNames                = [ 'myserver' ];
$wgLDAPServerNames                = [ 'myserver' => 'myserver.example.com' ];
$wgLDAPEncryptionType             = [ 'myserver' => 'clear' ];
$wgLDAPPort                       = [ 'myserver' => 389 ];
$wgLDAPProxyAgent                 = [ ];
$wgLDAPProxyAgentPassword         = [ ];
$wgLDAPSearchAttributes           = [ 'myserver' => 'uid' ];
$wgLDAPBaseDNs                    = [ 'myserver' => 'dc=myserver,dc=example,dc=com' ];
$wgLDAPGroupBaseDNs               = [ 'myserver' => 'cn=groups,dc=myserver,dc=example,dc=com' ];
$wgLDAPUserBaseDNs                = [ 'myserver' => 'cn=users,dc=myserver,dc=example,dc=com'];
$wgLDAPPreferences                = [ 'myserver' => [
                                                 'email' => 'EMailAddress',
                                                 'realname' => 'RealName',
                                               ]
                                    ];
$wgLDAPGroupUseFullDN             = [ 'myserver' => false ];
$wgLDAPGroupObjectclass           = [ 'myserver' => 'posixGroup' ];
$wgLDAPGroupAttribute             = [ 'myserver' => 'memberUid' ];
$wgLDAPGroupNameAttribute         = [ 'myserver' => 'cn' ];
$wgLDAPGroupSearchNestedGroups    = [ 'myserver' => false ];
$wgLDAPRequiredGroups             = [ 'myserver' => ['cn=wikiaccessgroup,cn=groups,dc=myserver,dc=example,dc=com'] ];
$wgLDAPLowerCaseUsername          = [ 'myserver' =>  true ];

See also[edit]

Retrieved from "https://www.mediawiki.org/w/index.php?title=Extension:LDAP_Authentication/Examples&oldid=3907536"