Extension:LDAP Authentication/Generic LDAP Configuration Examples

From MediaWiki.org



MediaWiki extensions manual
LDAP Authentication
Release status: stable
Implementation: User identity
Description: Provides LDAP authentication, and some authorization functionality for MediaWiki
Author(s): Ryan Lane (Ryan lanetalk)
Latest version: 2.1.0 (2018-10-11)
Compatibility policy: master
MediaWiki: 1.19+
Database changes: Yes
License: GNU General Public License 2.0 or later
Hooks used: LoadExtensionSchemaUpdates

Notes

SSL

Notice that SSL is enabled in all examples. Your LDAP server may or may not require SSL. If you do not require SSL (for example, if you have configured AD not to require signed communications), you can set that option to "false". Be aware that doing so sends your domain users' passwords across the network in clear text, which exposes them to man-in-the-middle attacks, replay attacks, and other attacks against the unprotected channel.

For SSL to work, you must install an SSL certificate on your LDAP server, your wiki's server must trust the CA that issued the LDAP server's certificate, and the DNS name you configure for your LDAP server must match the CN field of the certificate issued to that server.

Remember, if your web server does not use SSL (the URL does not start with https://), the password is transmitted in clear text from the client browser to the web server. This is independent of the SSL settings described below, which only cover the connection from the web server to the LDAP server.

General Configuration

Be sure to enable LDAP support within PHP. Make sure that you have installed the necessary packages for your distro.

  • RedHat EL based distro (CentOS 4.3):
    yum install php-ldap
  • Make sure that /etc/php.d/ldap.ini contains
    extension=ldap.so
  • Ubuntu 12.04 and others:
    sudo apt-get install php5-ldap

    or, for older releases such as 6.06.1 (Dapper Drake):

    sudo apt-get install php-ldap
  • Other distros:
    Modify php.ini, and uncomment the line:

    ;extension=php_ldap.so

    change to:

    extension=php_ldap.so
  • Windows:
    Verify that your PHP folder is on the Windows PATH.
    Modify php.ini, and uncomment the line:

    ;extension=php_ldap.dll

    change to:

    extension=php_ldap.dll

Single Domain Requiring Straight Binding Only

In this example we will be doing straight binds to the LDAP directory: the username is substituted into a fixed DN template and that DN is bound with the supplied password. This is not how typical LDAP authentication operates, because it does not attempt a search first; see "Single Domain Requiring Search Before Binding."

Configuration

Our LDAP servers are "exampleldapserver.example.com" and "exampleldapserver2.example.com", and the domain is "exampledomain.example.com".

Our naming attribute for users is "uid", and all users are kept in "ou=people,dc=exampledomain,dc=example,dc=com".

(In LocalSettings.php)

require_once "$IP/extensions/LdapAuthentication/LdapAuthentication.php";

$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array(
  'exampleNonADDomain'
);

$wgLDAPServerNames = array(
  'exampleNonADDomain' => 'exampleldapserver.example.com exampleldapserver2.example.com'
);

$wgLDAPSearchStrings = array(
  'exampleNonADDomain' => 'uid=USER-NAME,ou=people,dc=exampledomain,dc=example,dc=com'
);

$wgLDAPEncryptionType = array(
  'exampleNonADDomain' => 'ssl'
);

$wgMinimalPasswordLength = 1;

Single Domain Requiring Search Before Binding

This is typically how LDAP authentication is performed. First, a search is performed for the identifier presented (the username) and a DN is returned. This DN is then used, together with the password provided, to attempt a bind against the LDAP server. This is useful when the username does not appear in the DN at all, or when users are stored in multiple OUs.

Configuration

Our LDAP servers are "exampleldapserver.example.com" and "exampleldapserver2.example.com", and the domain is "exampledomain.example.com".

Our naming attribute for users is "uid", some users are kept in "ou=accounting,ou=people,dc=exampledomain,dc=example,dc=com", and other users are kept in "ou=graphics,ou=people,dc=exampledomain,dc=example,dc=com".

(In LocalSettings.php)

// Double quotes are required so that $IP is interpolated; in single quotes the path would be taken literally.
require_once "$IP/extensions/LdapAuthentication/LdapAuthentication.php";

$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array(
  'exampleNonADDomain'
);

$wgLDAPServerNames = array(
  'exampleNonADDomain' => 'exampleldapserver.example.com exampleldapserver2.example.com'
);

$wgLDAPSearchAttributes = array(
  'exampleNonADDomain' => 'uid'
);

$wgLDAPBaseDNs = array(
  'exampleNonADDomain' => 'dc=exampledomain,dc=example,dc=com'
);

$wgLDAPEncryptionType = array(
  'exampleNonADDomain' => 'ssl'
);

$wgMinimalPasswordLength = 1;

Using a Proxy Agent

With the search-before-bind approach, if your server does not allow anonymous searching, you will need a proxy agent: an account the wiki binds as to perform the initial search for the user's DN.

In this example the proxy agent entry is at "cn=proxyagent,ou=people,dc=exampledomain,dc=example,dc=com".

Add the following options to your configuration:

(In LocalSettings.php)

$wgLDAPProxyAgent = array(
  'exampleNonADDomain' => 'cn=proxyagent,ou=people,dc=exampledomain,dc=example,dc=com'
);

$wgLDAPProxyAgentPassword = array(
  'exampleNonADDomain' => 'eX@mP1eP$$wRd'
);
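The search-then-bind sequence described above, with the proxy agent performing the initial search, written out by hand with PHP's ext/ldap. This is an added example, not code from the LdapAuthentication extension; the hostnames and DNs are the page's example values, and the LDAP_PROXY_PASSWORD environment variable, PHP 7.4+ and ldaps on port 636 are assumptions.

```php
<?php
// Added example, not part of the LdapAuthentication extension.
// Manual search-then-bind using PHP's ext/ldap against the page's example
// directory; hostnames and DNs are the page's placeholders, not real systems.

function ldapAuthenticate(string $username, string $password): ?string
{
    $servers = ['exampleldapserver.example.com', 'exampleldapserver2.example.com'];
    $baseDn  = 'dc=exampledomain,dc=example,dc=com';
    $proxyDn = 'cn=proxyagent,ou=people,dc=exampledomain,dc=example,dc=com';
    // Assumed: the proxy agent password comes from the environment, not the file.
    $proxyPw = getenv('LDAP_PROXY_PASSWORD') ?: '';

    // An empty password turns the final bind into an anonymous bind, which
    // many directories accept, so refuse it before touching the server.
    if ($password === '' || $proxyPw === '') {
        return null;
    }

    // ldaps:// on 636 is the "ssl" encryption type used in the examples;
    // libldap accepts a space-separated URI list and tries them in order.
    $uris = implode(' ', array_map(fn($h) => "ldaps://$h:636", $servers));
    $ds = ldap_connect($uris);
    if ($ds === false) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

    // Step 1: bind as the proxy agent so the search is permitted.
    if (!@ldap_bind($ds, $proxyDn, $proxyPw)) {
        ldap_close($ds);
        return null;
    }

    // Step 2: look up the user's DN. ldap_escape() neutralises filter
    // metacharacters such as ( ) * \ in the supplied username.
    $filter = '(uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $result = ldap_search($ds, $baseDn, $filter, ['dn']);
    if ($result === false || ldap_count_entries($ds, $result) !== 1) {
        ldap_close($ds);          // no match, or an ambiguous match
        return null;
    }
    $userDn = ldap_get_dn($ds, ldap_first_entry($ds, $result));

    // Step 3: bind as that DN with the user's own password.
    $authenticated = @ldap_bind($ds, $userDn, $password);
    ldap_close($ds);
    return $authenticated ? $userDn : null;
}
```

The function returns the authenticated user's DN on success and null on any failure, so the caller never learns whether the search or the bind step rejected the login.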

Multiple Domains Requiring Simple Binding Only

Configuration

In this example, we have two different domains that are not part of a single-sign-on environment.

The AD domain is called "ADDOMAIN", and has servers named "exampleldapserver.example.com" and "exampleldapserver2.example.com". The generic LDAP domain is called "NonADDomain", has servers named "nonadserver.example.com", "nonadserver2.example.com", and "nonadserver3.example.com", and users are stored in "ou=people,dc=example,dc=com".

(In LocalSettings.php)

// Double quotes are required so that $IP is interpolated; in single quotes the path would be taken literally.
require_once "$IP/extensions/LdapAuthentication/LdapAuthentication.php";

$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array(
  'exampleADDomain', 'exampleNonADDomain'
);

$wgLDAPServerNames = array(
  'exampleADDomain' => 'exampleldapserver.example.com exampleldapserver2.example.com',
  'exampleNonADDomain' => 'nonadserver.example.com nonadserver2.example.com nonadserver3.example.com',
);

$wgLDAPSearchStrings = array(
  'exampleADDomain' => 'ADDOMAIN\\USER-NAME',
  'exampleNonADDomain' => 'uid=USER-NAME,ou=people,dc=example,dc=com'
);

$wgLDAPEncryptionType = array(
  'exampleADDomain' => 'ssl',
  'exampleNonADDomain' => 'ssl'
);

$wgMinimalPasswordLength = 1;