Extension:LDAP Authentication/Examples
This extension is currently not actively maintained! Although it may still work, any bug reports or feature requests will more than likely be ignored.
Release status: unmaintained
Implementation | User identity
Description | Provides LDAP authentication, and some authorization functionality for MediaWiki
Author(s) | Ryan Lane (Ryan lanetalk)
Latest version | 2.1.0 (2018-10-11)
Compatibility policy | Snapshot releases along with MediaWiki. Master is not backward compatible.
MediaWiki | 1.19-1.26
Database changes | Yes
License | GNU General Public License 2.0 or later
Issues | Open tasks · Report a bug
Group configuration
Configuration for non-AD domains
Example one
Note: I created this sub-section since the example below is working in a production environment, and it's quite hard to find examples for OpenLDAP rather than Active Directory LDAP servers.
LDAP server | OpenLDAP (2.4.31-1ubuntu2) |
Binding mechanism | Requires binding user (anonymous queries not allowed) |
TLS | Yes |
Example group | ldapwiki |
Example user | LDAP_USER_1 |
LDAP objects:
# LDAP user
dn: cn=LDAP_USER_1,ou=people,dc=example,dc=com
cn: LDAP_USER_1
gidnumber: 10001
givenname: Name
homedirectory: /home/LDAP_USER_1
loginshell: /bin/bash
mail: LDAP_USER_1@example.com
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Surname
uid: LDAP_USER_1
uidnumber: 10001
userpassword: ******
# LDAP group
dn: cn=ldapwiki,ou=groups,dc=example,dc=com
cn: ldapwiki
gidnumber: 10004
memberuid: LDAP_USER_1
memberuid: LDAP_USER_2
objectclass: posixGroup
objectclass: top
Mediawiki config (LocalSettings.php):
First, enable the LdapAuthentication plugin:
For MediaWiki < 1.27:
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
require_once ('includes/AuthPlugin.php');
$wgAuth = new LdapAuthenticationPlugin();
For MediaWiki >= 1.27:
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuthManagerAutoConfig['primaryauth'] += [
    LdapPrimaryAuthenticationProvider::class => [
        'class' => LdapPrimaryAuthenticationProvider::class,
        'args' => [[
            'authoritative' => true, // don't allow local non-LDAP accounts
        ]],
        'sort' => 50, // must be smaller than local pw provider
    ],
];
Then, add the rest of the configuration:
# LDAP
$wgLDAPDomainNames = array(
'openldap_example_com',
);
$wgLDAPServerNames = array(
'openldap_example_com' => 'ldap.example.com',
);
$wgLDAPUseLocal = false;
$wgLDAPEncryptionType = array(
'openldap_example_com' => 'tls',
);
$wgLDAPPort = array(
'openldap_example_com' => 389,
);
$wgLDAPProxyAgent = array(
'openldap_example_com' => 'cn=readonly,dc=example,dc=com',
);
$wgLDAPProxyAgentPassword = array(
'openldap_example_com' => '*****',
);
$wgLDAPSearchAttributes = array(
'openldap_example_com' => 'uid'
);
$wgLDAPBaseDNs = array(
'openldap_example_com' => 'dc=example,dc=com',
);
# To pull e-mail address from LDAP
$wgLDAPPreferences = array(
'openldap_example_com' => array( 'email' => 'mail')
);
# Group based restriction
$wgLDAPGroupUseFullDN = array( "openldap_example_com"=>false );
$wgLDAPGroupObjectclass = array( "openldap_example_com"=>"posixgroup" );
$wgLDAPGroupAttribute = array( "openldap_example_com"=>"memberuid" );
$wgLDAPGroupSearchNestedGroups = array( "openldap_example_com"=>false );
$wgLDAPGroupNameAttribute = array( "openldap_example_com"=>"cn" );
$wgLDAPRequiredGroups = array( "openldap_example_com"=>array("cn=ldapwiki,ou=groups,dc=example,dc=com"));
$wgLDAPLowerCaseUsername = array(
'openldap_example_com' => true,
);
Example two
You may need to modify the options depending on your environment. The below example is a configuration to find "testuser" in the following group:
dn: cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com
cn: testgroup
objectclass: groupofuniquenames
uniqueMember: uid=testuser,ou=people,dc=LDAP,dc=example,dc=com
uniqueMember: uid=testuser2,ou=people,dc=LDAP,dc=example,dc=com
uniqueMember: uid=testuser3,ou=people,dc=LDAP,dc=example,dc=com
Example:
$wgLDAPGroupUseFullDN = array( "testLDAPdomain"=>true );
$wgLDAPGroupObjectclass = array( "testLDAPdomain"=>"groupofuniquenames" );
$wgLDAPGroupAttribute = array( "testLDAPdomain"=>"uniquemember" );
$wgLDAPGroupSearchNestedGroups = array( "testLDAPdomain"=>false );
$wgLDAPGroupNameAttribute = array( "testLDAPdomain"=>"cn" );
$wgLDAPBaseDNs = array( "testLDAPdomain"=>"dc=LDAP,dc=example,dc=com" );
The below example is a configuration to find "testuser" in the following group:
dn: cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com
cn: testgroup
objectclass: posixgroup
gidnumber: 10000
memberuid: testuser
memberuid: testuser2
memberuid: testuser3
Example:
$wgLDAPGroupUseFullDN = array( "testLDAPdomain"=>false );
$wgLDAPGroupObjectclass = array( "testLDAPdomain"=>"posixgroup" );
$wgLDAPGroupAttribute = array( "testLDAPdomain"=>"memberuid" );
$wgLDAPGroupSearchNestedGroups = array( "testLDAPdomain"=>false );
$wgLDAPGroupNameAttribute = array( "testLDAPdomain"=>"cn" );
$wgLDAPBaseDNs = array( "testLDAPdomain"=>"dc=LDAP,dc=example,dc=com" );
Configuration for AD domains
Notice that if you have a multi-domain or multi-forest environment, you need to make sure your configuration is pointing at your global catalog!
Example:
$wgLDAPGroupUseFullDN = array( "testADLDAPdomain"=>true );
$wgLDAPGroupObjectclass = array( "testADLDAPdomain"=>"group" );
$wgLDAPGroupAttribute = array( "testADLDAPdomain"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "testADLDAPdomain"=>true );
$wgLDAPGroupNameAttribute = array( "testADLDAPdomain"=>"cn" );
$wgLDAPBaseDNs = array( "testADLDAPdomain"=>"dc=ADLDAP,dc=example,dc=com" );
$wgLDAPActiveDirectory = array( "testADLDAPdomain"=>true );
If you are using AD-style straight binds (DOMAIN\\USER-NAME or USER-NAME@DOMAIN), you'll need one more option to make this work correctly:
$wgLDAPSearchAttributes = array( "testADLDAPdomain"=>"sAMAccountName" );
This allows the extension to find the user's full DN for searching groups. Without the user's full DN, the extension will search groups with (member=DOMAIN\username), which does not match the member values stored in your groups.
Group based restrictions
To restrict access to specific groups, use $wgLDAPRequiredGroups:
#DNs in $wgLDAPRequiredGroups must be lowercase, as search result attribute values are...
$wgLDAPRequiredGroups = array( "<domain>"=>array("cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com") );
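Worked example, added here and not part of the extension or of this page: a small Python model of how the group settings from Example two, the AD configuration and $wgLDAPRequiredGroups turn into a group lookup. It parses constructed LDIF, resolves the user's DN through the search attribute, walks nested groups without looping on a cycle, and shows the empty result you get when an AD straight-bind login is searched as DOMAIN\user instead of a DN. The abbreviated config keys, the directory contents and the filter string are assumptions of this example, not the extension's internals.

```python
"""Added example, not part of the LDAP Authentication extension: an offline
model of how the $wgLDAPGroup* settings on this page become a group search
and a membership decision. The LDIF is constructed; config dict keys are the
$wgLDAP* names without their prefix (an assumption of this example)."""
from collections import defaultdict

# Constructed directory: both group styles of "Example two", plus an AD user
# and two AD groups that contain each other (a cycle for the nested walk).
LDIF = """\
dn: uid=testuser,ou=people,dc=LDAP,dc=example,dc=com
uid: testuser

dn: cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com
objectClass: posixGroup
memberUid: testuser

dn: cn=uniqgroup,ou=groups,dc=LDAP,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=testuser,ou=people,dc=LDAP,dc=example,dc=com

dn: CN=testuser,OU=users,DC=ADLDAP,DC=example,DC=com
sAMAccountName: testuser

dn: CN=wiki-users,OU=groups,DC=ADLDAP,DC=example,DC=com
objectClass: group
member: CN=testuser,OU=users,DC=ADLDAP,DC=example,DC=com
member: CN=wiki-admins,OU=groups,DC=ADLDAP,DC=example,DC=com

dn: CN=wiki-admins,OU=groups,DC=ADLDAP,DC=example,DC=com
objectClass: group
member: CN=wiki-users,OU=groups,DC=ADLDAP,DC=example,DC=com
"""

# Settings from the page's "Example two" (both variants) and the AD example.
POSIX_CFG = dict(GroupUseFullDN=False, GroupObjectclass="posixgroup",
                 GroupAttribute="memberuid", GroupSearchNestedGroups=False,
                 SearchAttributes="uid",
                 RequiredGroups=["cn=testgroup,ou=groups,dc=ldap,dc=example,dc=com"])
UNIQ_CFG = dict(POSIX_CFG, GroupUseFullDN=True, GroupAttribute="uniquemember",
                GroupObjectclass="groupofuniquenames")
AD_CFG = dict(GroupUseFullDN=True, GroupObjectclass="group", GroupAttribute="member",
              GroupSearchNestedGroups=True, SearchAttributes="sAMAccountName",
              RequiredGroups=["cn=wiki-admins,ou=groups,dc=adldap,dc=example,dc=com"])

def parse_ldif(text):
    """{dn: {attr: [values]}}, DNs and attribute names lower-cased (LDAP
    matches both case-insensitively)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs[name.lower()].append(value)
        entries[attrs["dn"][0].lower()] = dict(attrs)
    return entries

def resolve_user_dn(entries, cfg, login):
    """User DN via the SearchAttributes attribute; None when it is unset (the
    AD straight-bind case the page warns about)."""
    attr = cfg.get("SearchAttributes")
    if not attr:
        return None
    name = login.split("\\")[-1].split("@")[0].lower()  # drop DOMAIN\ or @DOMAIN
    for dn, e in entries.items():
        if name in (v.lower() for v in e.get(attr.lower(), [])):
            return dn
    return None

def group_filter(cfg, member_value):
    """The LDAP filter implied by GroupObjectclass and GroupAttribute."""
    return "(&(objectClass=%s)(%s=%s))" % (
        cfg["GroupObjectclass"], cfg["GroupAttribute"], member_value)

def direct_groups(entries, cfg, member_value):
    """DNs of groups of the configured class whose member attribute holds member_value."""
    oc, attr = cfg["GroupObjectclass"].lower(), cfg["GroupAttribute"].lower()
    return [dn for dn, e in entries.items()
            if oc in (v.lower() for v in e.get("objectclass", []))
            and member_value.lower() in (v.lower() for v in e.get(attr, []))]

def user_groups(entries, cfg, login):
    """All groups of the user. With GroupUseFullDN the member value is the
    resolved DN; if resolution failed the raw login is used instead, which is
    the (member=DOMAIN\\user) lookup the page says matches nothing."""
    user_dn = resolve_user_dn(entries, cfg, login)
    value = (user_dn or login) if cfg["GroupUseFullDN"] else login
    found, queue = [], direct_groups(entries, cfg, value)
    while queue:  # walk nested groups; 'found' doubles as the visited list
        dn = queue.pop(0)
        if dn not in found:
            found.append(dn)
            if cfg["GroupSearchNestedGroups"]:
                queue.extend(direct_groups(entries, cfg, dn))
    return sorted(found)

def allowed(entries, cfg, login):
    """$wgLDAPRequiredGroups: membership in any one listed group suffices. Both
    sides are compared lower-cased, the reason the page wants lowercase DNs."""
    required = [g.lower() for g in cfg.get("RequiredGroups", [])]
    return not required or any(g in user_groups(entries, cfg, login) for g in required)
```

Calling `user_groups(parse_ldif(LDIF), AD_CFG, "ADLDAP\\testuser")` returns both AD groups because the nested walk follows wiki-users into wiki-admins and stops when it meets wiki-users again; with `SearchAttributes` removed the same call returns an empty list, which is the symptom described above. The string from `group_filter()` is illustrative only: a real client must escape member values per RFC 4515 before splicing them into a filter, otherwise a login or DN containing `*`, `(`, `)` or `\` changes the query's meaning.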
Group synchronization
To use group synchronization you'll need to use $wgLDAPGroupNameAttribute:
$wgLDAPUseLDAPGroups = array( "<domain>"=>true );
$wgLDAPGroupNameAttribute = array( "<domain>"=>"cn" );
You would of course need to change "<domain>" to whatever was appropriate.
Notice that $wgLDAPGroupNameAttribute is set to "cn" in every example because in every example the naming attribute of the groups is "cn". If for some reason you had a group that looked like:
dn: group=testgroup,ou=groups,dc=adldap,dc=example,dc=com
member: samaccountname=testuser,ou=users,dc=adldap,dc=example,dc=com
you would set $wgLDAPGroupNameAttribute like this instead:
$wgLDAPGroupNameAttribute = array( "testLDAPdomain"=>"group" );
If you only want to synchronize groups, and not do group based login restriction as well, just remove the $wgLDAPRequiredGroups option.
Pulling preferences
The following four attributes are used when pulling user preferences:
- mail (email address)
- displayName (nickname)
- cn (real name)
- preferredLanguage (language)
preferredLanguage must use the language code as it would be found in "languages/Names.php".
To enable preference pulling, add the following to LocalSettings.php:
$wgLDAPRetrievePrefs = array( 'testADDomain' => true );
To use custom attributes:
$wgLDAPPreferences = array( 'testADDomain' => array( "email" => "mail", "realname" => "cn", "nickname" => "sAMAccountName" ) );
Example Configuration for OS X Open Directory (10.10.5)
Ensure that you run the maintenance upgrade script:
php maintenance/update.php
Add the following to LocalSettings.php.
First, enable the LdapAuthentication plugin:
For MediaWiki < 1.27:
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
require_once ('includes/AuthPlugin.php');
$wgAuth = new LdapAuthenticationPlugin();
For MediaWiki >= 1.27:
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuthManagerAutoConfig['primaryauth'] += [
    LdapPrimaryAuthenticationProvider::class => [
        'class' => LdapPrimaryAuthenticationProvider::class,
        'args' => [[
            'authoritative' => true, // don't allow local non-LDAP accounts
        ]],
        'sort' => 50, // must be smaller than local pw provider
    ],
];
Then, add the rest of the configuration:
$wgLDAPUseLocal = false;
$wgLDAPDomainNames = [ 'myserver' ];
$wgLDAPServerNames = [ 'myserver' => 'myserver.example.com' ];
$wgLDAPEncryptionType = [ 'myserver' => 'clear' ]; // 'clear' means no transport encryption; example one above uses 'tls'
$wgLDAPPort = [ 'myserver' => 389 ];
$wgLDAPProxyAgent = [ ];
$wgLDAPProxyAgentPassword = [ ];
$wgLDAPSearchAttributes = [ 'myserver' => 'uid' ];
$wgLDAPBaseDNs = [ 'myserver' => 'dc=myserver,dc=example,dc=com' ];
$wgLDAPGroupBaseDNs = [ 'myserver' => 'cn=groups,dc=myserver,dc=example,dc=com' ];
$wgLDAPUserBaseDNs = [ 'myserver' => 'cn=users,dc=myserver,dc=example,dc=com'];
$wgLDAPPreferences = [ 'myserver' => [
    'email' => 'EMailAddress',
    'realname' => 'RealName',
    ]
];
$wgLDAPGroupUseFullDN = [ 'myserver' => false ];
$wgLDAPGroupObjectclass = [ 'myserver' => 'posixGroup' ];
$wgLDAPGroupAttribute = [ 'myserver' => 'memberUid' ];
$wgLDAPGroupNameAttribute = [ 'myserver' => 'cn' ];
$wgLDAPGroupSearchNestedGroups = [ 'myserver' => false ];
$wgLDAPRequiredGroups = [ 'myserver' => ['cn=wikiaccessgroup,cn=groups,dc=myserver,dc=example,dc=com'] ];
$wgLDAPLowerCaseUsername = [ 'myserver' => true ];