Extension:LDAPAuthorization

From MediaWiki.org
This extension is maintained by a member of the MediaWiki Stakeholders' Group.
This extension is part of the LDAP Stack and requires the LDAPProvider extension to be installed first.
This extension requires the PluggableAuth extension to be installed first.

This extension checks for certain authorization requirements when logging into a wiki by using Extension:PluggableAuth or Extension:Auth remoteuser. If one of the requirements is not satisfied, the login process will be cancelled.

MediaWiki extensions manual
LDAPAuthorization
Release status: experimental
Author(s): Cindy Cicalese, Mark A. Hershberger, Robert Vogel
Latest version: 1.0.0-alpha
Compatibility policy: release branches
MediaWiki: 1.31+
License: GNU General Public License 2.0 or later

Installation

  • Download and place the file(s) in a directory called LDAPAuthorization in your extensions/ folder.
  • Add the following code at the bottom of your LocalSettings.php:
    wfLoadExtension( 'LDAPAuthorization' );
    
  • You must first install the LDAPProvider and PluggableAuth extensions.
  • Configure as required
  • Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.

Extension config settings

When using them in LocalSettings.php, these variables need to be prefixed with $LDAPAuthorization.

Name: AutoAuthRemoteUserStringParserRegistry
Default:
{
 "domain-backslash-username": "MediaWiki\\Extension\\LDAPAuthorization\\AutoAuth\\RemoteUserStringParser\\DomainBackslashUsername::factory",
 "username-at-domain": "MediaWiki\\Extension\\LDAPAuthorization\\AutoAuth\\RemoteUserStringParser\\UsernameAtDomain::factory"
}
Description: A registry of factory callbacks for different parsers that extract domain and username from a provided domain-username. Each callback must return an IRemoteUserStringParser object. Only used in case of auto-authentication provided by Extension:Auth remoteuser.

Name: AutoAuthRemoteUserStringParser
Default: "domain-backslash-username"
Description: Configures which parser is needed to extract domain and username from a provided domain-username. By default two kinds of domain-usernames can be configured:
  • "SOMEDOMAIN\\Some username" ("domain-backslash-username")
  • "some.username@somedomain.local" ("username-at-domain")
Only used in case of auto-authentication provided by Extension:Auth remoteuser.

Domain config settings

Name: rules.groups.required
Default: []
Description: Array of group DNs that are required to complete the login process. Belonging to one of these groups is sufficient (logical OR) to be authorized.

Name: rules.groups.excluded
Default: []
Description: Array of group DNs that the user must not be a member of to complete the login process. Belonging to one of these groups is sufficient (logical OR) to be forbidden to log in.

Name: rules.attributes
Default: {}
Description: This implements the "attributes mapping" rule from Extension:LDAP Authentication. Example:
{
    "&": {
        "status": "active",
        "|": {
            "department": [ "100", "200" ],
            "level": [ "5", "6" ]
        }
    }
}
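
How the three domain rules above combine into one login decision, as an added example: a Python model for checking a rule set against sample users, not the extension's own PHP code. The group DNs and user records are constructed, and it assumes that an empty list or object imposes no restriction, that "&" means all entries must match and "|" means at least one, and that DNs compare case-insensitively.

```python
# Added illustration: a Python model of the rule semantics on this page,
# not the extension's PHP code. DNs and user records are constructed samples.

def match_attributes(rule, attrs, op="&"):
    """Evaluate a nested rules.attributes expression.

    Assumed semantics: "&" = every entry must match, "|" = at least one;
    a list of values matches when the user holds any one of them.
    """
    results = []
    for key, expected in rule.items():
        if key in ("&", "|"):
            results.append(match_attributes(expected, attrs, key))
            continue
        wanted = expected if isinstance(expected, list) else [expected]
        held = attrs.get(key, [])
        held = held if isinstance(held, list) else [held]
        results.append(any(value in held for value in wanted))
    return all(results) if op == "&" else any(results)


def authorize(rules, user_groups, attrs):
    """Return (allowed, reason) for one login attempt."""
    def norm(dns):  # assumption: DNs compare case-insensitively
        return {dn.strip().lower() for dn in dns}

    groups = norm(user_groups)
    group_rules = rules.get("groups", {})
    required = norm(group_rules.get("required", []))
    excluded = norm(group_rules.get("excluded", []))
    if required and not (groups & required):  # OR: one required group suffices
        return False, "not in any required group"
    if groups & excluded:                     # OR: one excluded group forbids
        return False, "member of an excluded group"
    if not match_attributes(rules.get("attributes", {}), attrs):
        return False, "attribute rule not satisfied"
    return True, "ok"


RULES = {  # constructed sample; the attributes part is the page's example
    "groups": {
        "required": ["cn=wiki-users,ou=groups,dc=example,dc=org"],
        "excluded": ["cn=contractors,ou=groups,dc=example,dc=org"],
    },
    "attributes": {"&": {"status": "active",
                         "|": {"department": ["100", "200"],
                               "level": ["5", "6"]}}},
}
```

Membership in an excluded group denies the login even when a required group and the attribute rule are both satisfied, so the excluded list is the place for accounts that must never reach the wiki.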