Extension:LDAP Authentication/Examples

**MediaWiki extensions manual**
LDAP Authentication; Release status: unmaintained
Implementation	User identity
Description	Provides LDAP authentication, and some authorization functionality for MediaWiki
Author(s)	Ryan Lane (Ryan lanetalk)
Latest version	2.1.0 (2018-10-11)
Compatibility policy	Snapshots releases along with MediaWiki. Master is not backward compatible.
MediaWiki	1.19-1.26
Database changes	Yes
License	GNU General Public License 2.0 or later
Download	Download extension ; Git [?]: Download Git master; browse repository (GitHub); commit history; repository contributors (GitHub); code review;
	Parameters $wgAutoAuthUsername; $wgGroupsUseMemberOf; $wgDomainNames; $wgEncryptionType; $wgSearchAttributes; $wgGroupUseFullDN; $wgPort; $wgWriterPassword; $wgUserBaseDNs; $wgGroupBaseDNs; $wgUseLDAPGroups; $wgAutoAuthDomain; $wgWriteLocation; $wgProxyAgentPassword; $wgUseLocal; $wgLockPasswordPolicy; $wgLockOnBlock; $wgLocallyManagedGroups; $wgAddLDAPUsers; $wgProxyAgent; $wgServerNames; $wgPasswordHash; $wgAuthAttribute; $wgGroupSearchNestedGroups; $wgExcludedGroups; $wgGroupNameAttribute; $wgRequiredGroups; $wgBaseDNs; $wgGroupAttribute; $wgOptions; $wgGroupsPrevail; $wgDisableAutoCreate; $wgGroupObjectclass; $wgLowerCaseUsername; $wgUpdateLDAP; $wgDebug; $wgMailPassword; $wgSearchStrings; $wgPreferences; $wgActiveDirectory; $wgGroupUseRetrievedUsername; $wgGroupSearchPosixPrimaryGroup; $wgWriterDN;
	Hooks used BlockIpComplete; LoadExtensionSchemaUpdates; UnblockUserComplete;
	Hooks provided ChainAuth; LDAPSetCreationValues; LDAPRetrySetCreationValues; LDAPUpdateUser; SetUsernameAttributeFromLDAP;
	Check usage and version matrix.
Issues	Open tasks · Report a bug

About - Requirements - Examples - Configuration Options - Changelog - Roadmap - Suggestions - User provided info - FAQ - Support

Group and Preferences Examples - Generic LDAP Examples - Active Directory Examples - Smartcard Examples - Kerberos Examples

Warning: The extension has not been fully updated for MediaWiki 1.27+ (AuthManager); LdapAutoAuthentication will not work with that version. See gerrit:286705 for details.

Group configuration[edit]

Configuration for non-AD domains[edit]

Example one[edit]

Note: I created this sub-section since below example is working on a production environment, and it's quite hard to find out examples for OpenLDAP rather than Active Directory LDAP servers

LDAP server	OpenLDAP (2.4.31-1ubuntu2)
Binding mechanism	Requires binding user (anonymous queries not allowed)
TLS	Yes

Example group	ldapwiki
Example user	LDAP_USER_1

LDAP objects:

# LDAP user
dn: cn=LDAP_USER_1,ou=people,dc=example,dc=com
cn: LDAP_USER_1
gidnumber: 10001
givenname: Name
homedirectory: /home/LDAP_USER_1
loginshell: /bin/bash
mail: LDAP_USER_1@example.com
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Surename
uid: LDAP_USER_1
uidnumber: 10001
userpassword: ******

# LDAP group
dn: cn=ldapwiki,ou=groups,dc=example,dc=com
cn: ldapwiki
gidnumber: 10004
memberuid: LDAP_USER_1
memberuid: LDAP_USER_2
objectclass: posixGroup
objectclass: top

Mediawiki config (LocalSettings.php):

First, enable the LdapAuthentication plugin:

For MediaWiki < 1.27:

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
require_once ('includes/AuthPlugin.php');
$wgAuth = new LdapAuthenticationPlugin();

For MediaWiki >= 1.27:

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuthManagerAutoConfig['primaryauth'] += [
    LdapPrimaryAuthenticationProvider::class => [
        'class' => LdapPrimaryAuthenticationProvider::class,
        'args' => [[
               'authoritative' => true, // don't allow local non-LDAP accounts
           ]],
        'sort' => 50, // must be smaller than local pw provider
    ],
];

Then, add the rest of the configuration:

# LDAP
$wgLDAPDomainNames = array(
  'openldap_example_com',
);
$wgLDAPServerNames = array(
  'openldap_example_com' => 'ldap.example.com',
);
$wgLDAPUseLocal = false;
$wgLDAPEncryptionType = array(
  'openldap_example_com' => 'tls',
);
$wgLDAPPort = array(
  'openldap_example_com' => 389,
);
$wgLDAPProxyAgent = array(
  'openldap_example_com' => 'cn=readonly,dc=example,dc=com',
);
$wgLDAPProxyAgentPassword = array(
  'openldap_example_com' => '*****',
);
$wgLDAPSearchAttributes = array(
  'openldap_example_com' => 'uid'
);
$wgLDAPBaseDNs = array(
  'openldap_example_com' => 'dc=example,dc=com',
);
# To pull e-mail address from LDAP
$wgLDAPPreferences = array(
  'openldap_example_com' => array( 'email' => 'mail')
);
# Group based restriction
$wgLDAPGroupUseFullDN = array( "openldap_example_com"=>false );
$wgLDAPGroupObjectclass = array( "openldap_example_com"=>"posixgroup" );
$wgLDAPGroupAttribute = array( "openldap_example_com"=>"memberuid" );
$wgLDAPGroupSearchNestedGroups = array( "openldap_example_com"=>false );
$wgLDAPGroupNameAttribute = array( "openldap_example_com"=>"cn" );
$wgLDAPRequiredGroups = array( "openldap_example_com"=>array("cn=ldapwiki,ou=groups,dc=example,dc=com"));
$wgLDAPLowerCaseUsername = array(
  'openldap_example_com' => true,
);

Example two[edit]

You may need to modify the options depending on your environment. The below example is a configuration to find "testuser" in the following group:

dn: cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com
cn: testgroup
objectclass: groupofuniquenames
uniqueMember: uid=testuser,ou=people,dc=LDAP,dc=example,dc=com
uniqueMember: uid=testuser2,ou=people,dc=LDAP,dc=example,dc=com
uniqueMember: uid=testuser3,ou=people,dc=LDAP,dc=example,dc=com

Example:

$wgLDAPGroupUseFullDN = array( "testLDAPdomain"=>true );
$wgLDAPGroupObjectclass = array( "testLDAPdomain"=>"groupofuniquenames" );
$wgLDAPGroupAttribute = array( "testLDAPdomain"=>"uniquemember" );
$wgLDAPGroupSearchNestedGroups = array( "testLDAPdomain"=>false );
$wgLDAPGroupNameAttribute = array( "testLDAPdomain"=>"cn" );
$wgLDAPBaseDNs = array( "testLDAPdomain"=>"dc=LDAP,dc=example,dc=com" );

The below example is a configuration to find "testuser" in the following group:

dn: cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com
cn: testgroup
objectclass: posixgroup
gidnumber: 10000
memberuid: testuser
memberuid: testuser2
memberuid: testuser3

Example:

$wgLDAPGroupUseFullDN = array( "testLDAPdomain"=>false );
$wgLDAPGroupObjectclass = array( "testLDAPdomain"=>"posixgroup" );
$wgLDAPGroupAttribute = array( "testLDAPdomain"=>"memberuid" );
$wgLDAPGroupSearchNestedGroups = array( "testLDAPdomain"=>false );
$wgLDAPGroupNameAttribute = array( "testLDAPdomain"=>"cn" );
$wgLDAPBaseDNs = array( "testLDAPdomain"=>"dc=LDAP,dc=example,dc=com" );

Configuration for AD domains[edit]

Notice that if you have a multi-domain or multi-forest environment, you need to make sure your configuration is pointing at your global catalog!

Example:

$wgLDAPGroupUseFullDN = array( "testADLDAPdomain"=>true );
$wgLDAPGroupObjectclass = array( "testADLDAPdomain"=>"group" );
$wgLDAPGroupAttribute = array( "testADLDAPdomain"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "testADLDAPdomain"=>true );
$wgLDAPGroupNameAttribute = array( "testADLDAPdomain"=>"cn" );
$wgLDAPBaseDNs = array( "testADLDAPdomain"=>"dc=ADLDAP,dc=example,dc=com" );
$wgLDAPActiveDirectory = array( "testADLDAPdomain"=>true );

If you are using AD-style straight binds (DOMAIN\\USER-NAME or USER-NAME@DOMAIN), you'll need one more option to make this work correctly:

$wgLDAPSearchAttributes = array( "testADLDAPdomain"=>"sAMAccountName" );

This allows the extension to find the user's full DN for searching groups. Without finding the user's full DN, the extension will search groups with (member=DOMAIN\username), which is not what is in your groups.

Group based restrictions[edit]

To restrict access to specific groups, use $wgLDAPRequiredGroups:

#DNs in $wgLDAPRequiredGroups must be lowercase, as search result attribute values are...
$wgLDAPRequiredGroups = array( "<domain>"=>array("cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com") );

Group synchronization[edit]

To use group synchronization you'll need to use $wgLDAPGroupNameAttribute:

$wgLDAPUseLDAPGroups = array( "<domain>"=>true );
$wgLDAPGroupNameAttribute = array( "<domain>"=>"cn" );

You would of course need to change "<domain>" to whatever was appropriate.

Notice that $wgLDAPGroupNameAttribute is set to "cn" for every example because in every example, the naming attribute for the groups is "cn", if for some reason you had a group that looked like:

dn: group=testgroup,ou=groups,dc=adldap,dc=example,dc=com
member: samaccountname=testuser,ou=users,dc=adldap,dc=example,dc=com

you would set $wgLDAPGroupNameAttribute like this instead:

$wgLDAPGroupNameAttribute = array( "testLDAPdomain"=>"group" );

If you only want to synchronize groups, and not do group based login restriction as well, just remove the $wgLDAPRequiredGroups option.

Pulling preferences[edit]

The following four attributes are used when pulling user preferences:

mail (email address)

displayName (nickname)

cn (real name)

preferredLanguage (language)

preferredLanguage must use the language code as it would be found in "languages/Names.php".

To enable preference pulling, add the following to LocalSettings.php:

$wgLDAPRetrievePrefs = array( 'testADDomain' => true );

To use custom attributes:

$wgLDAPPreferences = array('testADdomain'=>array( "email"=>"mail","realname"=>"cn","nickname"=>"sAMAccountName"));

Example Configuration for OS X Open Directory (10.10.5)[edit]

Ensure that you run the maintenance upgrade script:

php maintenance/update.php

Add the below to LocalSettings.php

First, enable the LdapAuthentication plugin:

For MediaWiki < 1.27:

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
require_once ('includes/AuthPlugin.php');
$wgAuth = new LdapAuthenticationPlugin();

For MediaWiki >= 1.27:

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuthManagerAutoConfig['primaryauth'] += [
    LdapPrimaryAuthenticationProvider::class => [
        'class' => LdapPrimaryAuthenticationProvider::class,
        'args' => [[
               'authoritative' => true, // don't allow local non-LDAP accounts
           ]],
        'sort' => 50, // must be smaller than local pw provider
    ],
];

Then, add the rest of the configuration:

$wgLDAPUseLocal                   = false;
$wgLDAPDomainNames                = [ 'myserver' ];
$wgLDAPServerNames                = [ 'myserver' => 'myserver.example.com' ];
$wgLDAPEncryptionType             = [ 'myserver' => 'clear' ];
$wgLDAPPort                       = [ 'myserver' => 389 ];
$wgLDAPProxyAgent                 = [ ];
$wgLDAPProxyAgentPassword         = [ ];
$wgLDAPSearchAttributes           = [ 'myserver' => 'uid' ];
$wgLDAPBaseDNs                    = [ 'myserver' => 'dc=myserver,dc=example,dc=com' ];
$wgLDAPGroupBaseDNs               = [ 'myserver' => 'cn=groups,dc=myserver,dc=example,dc=com' ];
$wgLDAPUserBaseDNs                = [ 'myserver' => 'cn=users,dc=myserver,dc=example,dc=com'];
$wgLDAPPreferences                = [ 'myserver' => [
                                                 'email' => 'EMailAddress',
                                                 'realname' => 'RealName',
                                               ]
                                    ];
$wgLDAPGroupUseFullDN             = [ 'myserver' => false ];
$wgLDAPGroupObjectclass           = [ 'myserver' => 'posixGroup' ];
$wgLDAPGroupAttribute             = [ 'myserver' => 'memberUid' ];
$wgLDAPGroupNameAttribute         = [ 'myserver' => 'cn' ];
$wgLDAPGroupSearchNestedGroups    = [ 'myserver' => false ];
$wgLDAPRequiredGroups             = [ 'myserver' => ['cn=wikiaccessgroup,cn=groups,dc=myserver,dc=example,dc=com'] ];
$wgLDAPLowerCaseUsername          = [ 'myserver' =>  true ];

LDAP Authentication Release status: unmaintained
Implementation	User identity
Description	Provides LDAP authentication, and some authorization functionality for MediaWiki
Author(s)	Ryan Lane (Ryan lane^talk)
Latest version	2.1.0 (2018-10-11)
Compatibility policy	Snapshots releases along with MediaWiki. Master is not backward compatible.
MediaWiki	1.19-1.26
Database changes	Yes
License	GNU General Public License 2.0 or later
Download	Download extension Git ^[?]: Download Git master browse repository (GitHub) commit history repository contributors (GitHub) code review
Parameters $wgAutoAuthUsername $wgGroupsUseMemberOf $wgDomainNames $wgEncryptionType $wgSearchAttributes $wgGroupUseFullDN $wgPort $wgWriterPassword $wgUserBaseDNs $wgGroupBaseDNs $wgUseLDAPGroups $wgAutoAuthDomain $wgWriteLocation $wgProxyAgentPassword $wgUseLocal $wgLockPasswordPolicy $wgLockOnBlock $wgLocallyManagedGroups $wgAddLDAPUsers $wgProxyAgent $wgServerNames $wgPasswordHash $wgAuthAttribute $wgGroupSearchNestedGroups $wgExcludedGroups $wgGroupNameAttribute $wgRequiredGroups $wgBaseDNs $wgGroupAttribute $wgOptions $wgGroupsPrevail $wgDisableAutoCreate $wgGroupObjectclass $wgLowerCaseUsername $wgUpdateLDAP $wgDebug $wgMailPassword $wgSearchStrings $wgPreferences $wgActiveDirectory $wgGroupUseRetrievedUsername $wgGroupSearchPosixPrimaryGroup $wgWriterDN
Hooks used BlockIpComplete LoadExtensionSchemaUpdates UnblockUserComplete
Hooks provided ChainAuth LDAPSetCreationValues LDAPRetrySetCreationValues LDAPUpdateUser SetUsernameAttributeFromLDAP
Check usage and version matrix.
Issues	Open tasks · Report a bug

Group configuration[edit]

Configuration for non-AD domains[edit]

Example one[edit]

Example two[edit]

Configuration for AD domains[edit]

Group based restrictions[edit]

Group synchronization[edit]

Pulling preferences[edit]

Example Configuration for OS X Open Directory (10.10.5)[edit]

See also[edit]