Extension:LDAP Authentication/Examples




MediaWiki extensions manual: LDAP Authentication
Release status: stable
Implementation: User identity
Description: Provides LDAP authentication, and some authorization functionality for MediaWiki
Author(s): Ryan Lane (Ryan lanetalk)
Latest version: 2.1.0 (2014-03-28)
Compatibility policy: master
MediaWiki: 1.19+
Database changes: Yes
License: GNU General Public License 2.0 or later
Hooks used: LoadExtensionSchemaUpdates

Group configuration

Configuration for non-AD domains

Example one

Note: I created this sub-section since the example below is working on a production environment, and it's quite hard to find examples for OpenLDAP rather than Active Directory LDAP servers.

LDAP server: OpenLDAP (2.4.31-1ubuntu2)
Binding mechanism: Requires binding user (anonymous queries not allowed)
TLS: Yes
Example group: ldapwiki
Example user: LDAP_USER_1

LDAP objects:

# LDAP user
dn: cn=LDAP_USER_1,ou=people,dc=example,dc=com
cn: LDAP_USER_1
gidnumber: 10001
givenname: Name
homedirectory: /home/LDAP_USER_1
loginshell: /bin/bash
mail: LDAP_USER_1@example.com
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Surename
uid: LDAP_USER_1
uidnumber: 10001
userpassword: ******

# LDAP group
dn: cn=ldapwiki,ou=groups,dc=example,dc=com
cn: ldapwiki
gidnumber: 10004
memberuid: LDAP_USER_1
memberuid: LDAP_USER_2
objectclass: posixGroup
objectclass: top

MediaWiki config (LocalSettings.php):

# LDAP
require_once ('extensions/LdapAuthentication/LdapAuthentication.php');
require_once ('includes/AuthPlugin.php');
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array(
  'openldap_example_com',
);
$wgLDAPServerNames = array(
  'openldap_example_com' => 'ldap.example.com',
);
$wgLDAPUseLocal = false;
$wgLDAPEncryptionType = array(
  'openldap_example_com' => 'tls',
);
$wgLDAPPort = array(
  'openldap_example_com' => 389,
);
$wgLDAPProxyAgent = array(
  'openldap_example_com' => 'cn=readonly,dc=example,dc=com',
);
$wgLDAPProxyAgentPassword = array(
  'openldap_example_com' => '*****',
);
$wgLDAPSearchAttributes = array(
  'openldap_example_com' => 'uid'
);
$wgLDAPBaseDNs = array(
  'openldap_example_com' => 'dc=example,dc=com',
);
# To pull e-mail address from LDAP
$wgLDAPPreferences = array(
  'openldap_example_com' => array( 'email' => 'mail')
);
# Group based restriction
$wgLDAPGroupUseFullDN = array( "openldap_example_com"=>false );
$wgLDAPGroupObjectclass = array( "openldap_example_com"=>"posixgroup" );
$wgLDAPGroupAttribute = array( "openldap_example_com"=>"memberuid" );
$wgLDAPGroupSearchNestedGroups = array( "openldap_example_com"=>false );
$wgLDAPGroupNameAttribute = array( "openldap_example_com"=>"cn" );
$wgLDAPRequiredGroups = array( "openldap_example_com"=>array("cn=ldapwiki,ou=groups,dc=example,dc=com"));
$wgLDAPLowerCaseUsername = array(
  'openldap_example_com' => true,
);

Example two

You may need to modify the options depending on your environment. The example below is a configuration to find "testuser" in the following group:

dn: cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com
cn: testgroup
objectclass: groupofuniquenames
uniqueMember: uid=testuser,ou=people,dc=LDAP,dc=example,dc=com
uniqueMember: uid=testuser2,ou=people,dc=LDAP,dc=example,dc=com
uniqueMember: uid=testuser3,ou=people,dc=LDAP,dc=example,dc=com

Example:

$wgLDAPGroupUseFullDN = array( "testLDAPdomain"=>true );
$wgLDAPGroupObjectclass = array( "testLDAPdomain"=>"groupofuniquenames" );
$wgLDAPGroupAttribute = array( "testLDAPdomain"=>"uniquemember" );
$wgLDAPGroupSearchNestedGroups = array( "testLDAPdomain"=>false );
$wgLDAPGroupNameAttribute = array( "testLDAPdomain"=>"cn" );
$wgLDAPBaseDNs = array( "testLDAPdomain"=>"dc=LDAP,dc=example,dc=com" );

The example below is a configuration to find "testuser" in the following group:

dn: cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com
cn: testgroup
objectclass: posixgroup
gidnumber: 10000
memberuid: testuser
memberuid: testuser2
memberuid: testuser3

Example:

$wgLDAPGroupUseFullDN = array( "testLDAPdomain"=>false );
$wgLDAPGroupObjectclass = array( "testLDAPdomain"=>"posixgroup" );
$wgLDAPGroupAttribute = array( "testLDAPdomain"=>"memberuid" );
$wgLDAPGroupSearchNestedGroups = array( "testLDAPdomain"=>false );
$wgLDAPGroupNameAttribute = array( "testLDAPdomain"=>"cn" );
$wgLDAPBaseDNs = array( "testLDAPdomain"=>"dc=LDAP,dc=example,dc=com" );

Configuration for AD domains

Notice that if you have a multi-domain or multi-forest environment, you need to make sure your configuration is pointing at your global catalog!

Example:

$wgLDAPGroupUseFullDN = array( "testADLDAPdomain"=>true );
$wgLDAPGroupObjectclass = array( "testADLDAPdomain"=>"group" );
$wgLDAPGroupAttribute = array( "testADLDAPdomain"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "testADLDAPdomain"=>true );
$wgLDAPGroupNameAttribute = array( "testADLDAPdomain"=>"cn" );
$wgLDAPBaseDNs = array( "testADLDAPdomain"=>"dc=ADLDAP,dc=example,dc=com" );
$wgLDAPActiveDirectory = array( "testADLDAPdomain"=>true );

If you are using AD-style straight binds (DOMAIN\USER-NAME or USER-NAME@DOMAIN), you'll need one more option to make this work correctly:

$wgLDAPSearchAttributes = array( "testADLDAPdomain"=>"sAMAccountName" );

This allows the extension to find the user's full DN for searching groups. Without finding the user's full DN, the extension will search groups with (member=DOMAIN\username), which is not what is in your groups.

Group based restrictions

To restrict access to specific groups, use $wgLDAPRequiredGroups:

# DNs in $wgLDAPRequiredGroups must be lowercase, because search result attribute values are lowercase.
$wgLDAPRequiredGroups = array( "<domain>"=>array("cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com") );

Group synchronization

To use group synchronization, enable $wgLDAPUseLDAPGroups and set $wgLDAPGroupNameAttribute:

$wgLDAPUseLDAPGroups = array( "<domain>"=>true );
$wgLDAPGroupNameAttribute = array( "<domain>"=>"cn" );

Replace "<domain>" with the name of your configured domain.

Notice that $wgLDAPGroupNameAttribute is set to "cn" in every example because, in every example, the naming attribute of the groups is "cn". If for some reason you had a group that looked like:

dn: group=testgroup,ou=groups,dc=adldap,dc=example,dc=com
member: samaccountname=testuser,ou=users,dc=adldap,dc=example,dc=com

you would set $wgLDAPGroupNameAttribute like this instead:

$wgLDAPGroupNameAttribute = array( "testLDAPdomain"=>"group" );

If you only want to synchronize groups, and not do group based login restriction as well, just remove the $wgLDAPRequiredGroups option.
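The following Python model ties together the group settings from Example two, the AD section, the group based restriction and the group synchronization sections above. It is an added example and not the extension's own code: it shows how $wgLDAPGroupObjectclass, $wgLDAPGroupAttribute and $wgLDAPGroupUseFullDN combine into the membership search, why an unresolved user DN produces the (member=DOMAIN\username) mismatch, how $wgLDAPRequiredGroups is evaluated, and how $wgLDAPGroupNameAttribute yields the wiki group name. The directory entries, the GroupConfig class and all function names are constructed for this example; the RFC 4515 escaping is included because the login name is user-supplied input that ends up inside a search filter.

```python
"""
Model of the group lookup that the settings on this page describe.
Added example, not the extension's own code: it mirrors how
$wgLDAPGroupObjectclass, $wgLDAPGroupAttribute, $wgLDAPGroupUseFullDN,
$wgLDAPRequiredGroups and $wgLDAPGroupNameAttribute combine, using an
in-memory directory constructed from the entries shown above.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value interpolated into a search filter.

    The login name comes from the user, so it must be escaped; otherwise
    '*', '(' or ')' inside it would change the meaning of the filter.
    """
    return ''.join(
        '\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value
    )


@dataclass
class GroupConfig:            # constructed holder for the per-domain settings
    objectclass: str          # $wgLDAPGroupObjectclass
    attribute: str            # $wgLDAPGroupAttribute
    use_full_dn: bool         # $wgLDAPGroupUseFullDN
    name_attribute: str       # $wgLDAPGroupNameAttribute


def member_value(cfg: GroupConfig, username: str, user_dn: Optional[str]) -> str:
    """Value the group attribute is matched against.

    With full-DN groups the user's DN is needed; if it could not be
    resolved (AD straight bind without $wgLDAPSearchAttributes) the raw
    login name is used instead, which is the (member=DOMAIN\\username)
    mismatch described above.
    """
    if cfg.use_full_dn and user_dn:
        return user_dn
    return username


def group_filter(cfg: GroupConfig, username: str, user_dn: Optional[str]) -> str:
    """Search filter for 'groups of this user' under the given config."""
    return '(&(objectclass=%s)(%s=%s))' % (
        escape_filter_value(cfg.objectclass),
        cfg.attribute,
        escape_filter_value(member_value(cfg, username, user_dn)),
    )


# Constructed directory: the three group shapes shown on this page.
# Attribute names and values are compared case-insensitively, as LDAP does.
DIRECTORY: List[Dict[str, Any]] = [
    {'dn': 'cn=ldapwiki,ou=groups,dc=example,dc=com',
     'objectclass': ['posixGroup', 'top'],
     'memberuid': ['LDAP_USER_1', 'LDAP_USER_2']},
    {'dn': 'cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com',
     'objectclass': ['groupOfUniqueNames'],
     'uniquemember': ['uid=testuser,ou=people,dc=LDAP,dc=example,dc=com',
                      'uid=testuser2,ou=people,dc=LDAP,dc=example,dc=com']},
    {'dn': 'CN=WikiUsers,OU=Groups,DC=ADLDAP,DC=example,DC=com',
     'objectclass': ['group'],
     'member': ['CN=testuser,OU=Users,DC=ADLDAP,DC=example,DC=com']},
]


def groups_of(directory: List[Dict[str, Any]], cfg: GroupConfig,
              username: str, user_dn: Optional[str]) -> List[str]:
    """DNs of the groups that the filter from group_filter() would return."""
    wanted = member_value(cfg, username, user_dn).lower()
    found = []
    for entry in directory:
        attrs = {k.lower(): [v.lower() for v in vals]
                 for k, vals in entry.items() if k != 'dn'}
        if cfg.objectclass.lower() not in attrs.get('objectclass', []):
            continue
        if wanted in attrs.get(cfg.attribute.lower(), []):
            found.append(entry['dn'])
    return found


def required_group_satisfied(required_dns: List[str], member_of: List[str]) -> bool:
    """$wgLDAPRequiredGroups check: at least one required group matched.

    Both sides are lowercased here; the page's note that required DNs must
    be written in lowercase still applies to the real configuration.
    """
    return bool({d.lower() for d in required_dns} & {d.lower() for d in member_of})


def wiki_group_name(group_dn: str, name_attribute: str) -> str:
    """Wiki group name taken from the group's RDN per $wgLDAPGroupNameAttribute.

    Simplified: splits on the first comma, so escaped commas in RDN values
    are not handled.
    """
    attr, _, value = group_dn.split(',', 1)[0].partition('=')
    if attr.strip().lower() != name_attribute.lower():
        raise ValueError('RDN attribute %r is not %r' % (attr, name_attribute))
    return value.strip()


if __name__ == '__main__':
    ad = GroupConfig('group', 'member', True, 'cn')
    # Straight bind without a resolved DN: the filter carries the raw login.
    print(group_filter(ad, 'ADLDAP\\testuser', None))
    print(groups_of(DIRECTORY, ad, 'testuser',
                    'CN=testuser,OU=Users,DC=ADLDAP,DC=example,DC=com'))
```

Running the block prints the filter built from the unresolved straight-bind login name (the backslash is escaped to \5c) and then the group found once the DN is known; the posixGroup/memberUid and groupOfUniqueNames/uniqueMember shapes from Example two go through the same functions with use_full_dn set to false and true respectively.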

Pulling preferences

The following four attributes are used when pulling user preferences:

mail (email address)
displayName (nickname)
cn (real name)
preferredLanguage (language)

preferredLanguage must use the language code as it would be found in "languages/Names.php".

To enable preference pulling, add the following to LocalSettings.php:

$wgLDAPRetrievePrefs = array( 'testADDomain' => true );

To use custom attributes:

$wgLDAPPreferences = array('testADdomain'=>array( "email"=>"mail","realname"=>"cn","nickname"=>"sAMAccountName"));

Example Configuration for OS X Open Directory (10.10.5)

Ensure that you run the maintenance upgrade script:

php maintenance/update.php

Add the following to LocalSettings.php:

// LocalSettings.php

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );

$wgAuth                           = new LdapAuthenticationPlugin();
$wgLDAPUseLocal                   = false;
$wgLDAPDomainNames                = [ 'myserver' ];
$wgLDAPServerNames                = [ 'myserver' => 'myserver.example.com' ];
$wgLDAPEncryptionType             = [ 'myserver' => 'clear' ];
$wgLDAPPort                       = [ 'myserver' => 389 ];
$wgLDAPProxyAgent                 = [ ];
$wgLDAPProxyAgentPassword         = [ ];
$wgLDAPSearchAttributes           = [ 'myserver' => 'uid' ];
$wgLDAPBaseDNs                    = [ 'myserver' => 'dc=myserver,dc=example,dc=com' ];
$wgLDAPGroupBaseDNs               = [ 'myserver' => 'cn=groups,dc=myserver,dc=example,dc=com' ];
$wgLDAPUserBaseDNs                = [ 'myserver' => 'cn=users,dc=myserver,dc=example,dc=com'];
$wgLDAPPreferences                = [ 'myserver' => [
                                                 'email' => 'EMailAddress',
                                                 'realname' => 'RealName',
                                               ]
                                    ];
$wgLDAPGroupUseFullDN             = [ 'myserver' => false ];
$wgLDAPGroupObjectclass           = [ 'myserver' => 'posixGroup' ];
$wgLDAPGroupAttribute             = [ 'myserver' => 'memberUid' ];
$wgLDAPGroupNameAttribute         = [ 'myserver' => 'cn' ];
$wgLDAPGroupSearchNestedGroups    = [ 'myserver' => false ];
$wgLDAPRequiredGroups             = [ 'myserver' => ['cn=wikiaccessgroup,cn=groups,dc=myserver,dc=example,dc=com'] ];
$wgLDAPLowerCaseUsername          = [ 'myserver' =>  true ];
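The configurations on this page differ in a few settings that are easy to get wrong, and the OS X example above uses 'clear' for $wgLDAPEncryptionType, which means the proxy agent's and users' bind passwords cross the network unencrypted. The following Python lint is an added example, not part of the extension: it takes a per-domain configuration as a plain dict keyed by the PHP global name (a constructed representation, since it does not parse LocalSettings.php) and reports the inconsistencies the examples on this page let you spot: cleartext transport, a $wgLDAPGroupUseFullDN value that does not fit the group attribute, an AD domain without $wgLDAPSearchAttributes, and required-group DNs that are not lowercase. The three sample configurations are constructed from Example one, the AD example (with an assumed 'tls' transport) and the OS X example; the rules are conventions the page's examples follow, not checks the extension performs.

```python
"""
Static consistency checks for the per-domain settings used on this page.
Added example, not part of the extension. The config is a dict keyed by
the PHP global name with the domain already selected, e.g.
{'wgLDAPEncryptionType': 'tls', ...}.
"""
from typing import Any, Dict, List

# Group attributes whose values are DNs versus plain usernames, taken from
# the examples above (member/uniqueMember => full DN, memberUid => uid).
DN_VALUED_ATTRIBUTES = {'member', 'uniquemember'}
NAME_VALUED_ATTRIBUTES = {'memberuid'}


def lint_domain(domain: str, cfg: Dict[str, Any]) -> List[str]:
    """Return a list of findings (empty when the domain looks consistent)."""
    findings: List[str] = []

    if cfg.get('wgLDAPEncryptionType') == 'clear':
        findings.append(
            "%s: wgLDAPEncryptionType 'clear' sends the proxy agent's and users' "
            "bind passwords unencrypted; use 'tls' as in the OpenLDAP example" % domain)

    attr = str(cfg.get('wgLDAPGroupAttribute', '')).lower()
    full_dn = cfg.get('wgLDAPGroupUseFullDN')
    if attr in DN_VALUED_ATTRIBUTES and full_dn is False:
        findings.append('%s: %s holds DNs, so wgLDAPGroupUseFullDN should be true'
                        % (domain, attr))
    if attr in NAME_VALUED_ATTRIBUTES and full_dn is True:
        findings.append('%s: %s holds usernames, so wgLDAPGroupUseFullDN should be false'
                        % (domain, attr))

    # AD straight binds (DOMAIN\user, user@DOMAIN) need the search attribute
    # to resolve the user's DN before the group search can work.
    if cfg.get('wgLDAPActiveDirectory') and not cfg.get('wgLDAPSearchAttributes'):
        findings.append('%s: AD straight binds need wgLDAPSearchAttributes '
                        '(e.g. sAMAccountName) to resolve the user DN before '
                        'searching groups' % domain)

    # Search result values are lowercase, so required DNs must be too.
    for dn in cfg.get('wgLDAPRequiredGroups', []):
        if dn != dn.lower():
            findings.append('%s: required group DN is not lowercase: %s' % (domain, dn))

    return findings


def lint_all(domains: Dict[str, Dict[str, Any]]) -> Dict[str, List[str]]:
    """Lint every configured domain; only domains with findings are returned."""
    result = {name: lint_domain(name, cfg) for name, cfg in domains.items()}
    return {name: f for name, f in result.items() if f}


# Constructed from Example one above.
OPENLDAP_EXAMPLE: Dict[str, Any] = {
    'wgLDAPEncryptionType': 'tls',
    'wgLDAPSearchAttributes': 'uid',
    'wgLDAPGroupUseFullDN': False,
    'wgLDAPGroupObjectclass': 'posixgroup',
    'wgLDAPGroupAttribute': 'memberuid',
    'wgLDAPRequiredGroups': ['cn=ldapwiki,ou=groups,dc=example,dc=com'],
}

# Constructed from the AD example before wgLDAPSearchAttributes is added;
# the 'tls' transport is assumed, the page does not show it.
AD_EXAMPLE: Dict[str, Any] = {
    'wgLDAPEncryptionType': 'tls',
    'wgLDAPActiveDirectory': True,
    'wgLDAPGroupUseFullDN': True,
    'wgLDAPGroupObjectclass': 'group',
    'wgLDAPGroupAttribute': 'member',
}

# Constructed from the OS X Open Directory example.
OSX_EXAMPLE: Dict[str, Any] = {
    'wgLDAPEncryptionType': 'clear',
    'wgLDAPSearchAttributes': 'uid',
    'wgLDAPGroupUseFullDN': False,
    'wgLDAPGroupObjectclass': 'posixGroup',
    'wgLDAPGroupAttribute': 'memberUid',
    'wgLDAPRequiredGroups': ['cn=wikiaccessgroup,cn=groups,dc=myserver,dc=example,dc=com'],
}


if __name__ == '__main__':
    for name, problems in lint_all({
        'openldap_example_com': OPENLDAP_EXAMPLE,
        'testADLDAPdomain': AD_EXAMPLE,
        'myserver': OSX_EXAMPLE,
    }).items():
        for line in problems:
            print(line)
```

Run as a script it reports the cleartext transport for 'myserver' and the missing search attribute for 'testADLDAPdomain', while Example one passes; after switching the OS X example to 'tls' and adding the sAMAccountName search attribute to the AD domain both findings disappear.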

See also