Extension:LDAP Authorization

From MediaWiki.org
MediaWiki extensions manual: LDAPAuthorization
Release status: beta
Implementation: User rights
Description: Implements the PluggableAuth PluggableAuthUserAuthorization hook to provide authorization using LDAP.
Author(s): Cindy Cicalese, Ian Campbell
Latest version: 1.0 (2014-11-11)
Compatibility policy: master
MediaWiki: 1.23+
PHP: 5.3+
License: MIT License
Parameters
  • $LDAPAuthorization_ServerName
  • $LDAPAuthorization_ServerPort
  • $LDAPAuthorization_UseTLS
  • $LDAPAuthorization_SearchString
  • $LDAPAuthorization_Filter
  • $LDAPAuthorization_Rules
Hooks used: PluggableAuthUserAuthorization

The LDAP Authorization extension implements the PluggableAuth PluggableAuthUserAuthorization hook to provide authorization using LDAP.

Installation

Note: This extension requires PluggableAuth to be installed first.

  • Download and place the file(s) in a directory called LDAPAuthorization in your extensions/ folder.
  • Add the following code at the bottom of your LocalSettings.php:
    require_once "$IP/extensions/LDAPAuthorization/LDAPAuthorization.php";
  • Configure as required.
  • Navigate to Special:Version on your wiki to verify that the extension is successfully installed.

Configuration parameters

Flag | Default | Example | Description
--- | --- | --- | ---
$LDAPAuthorization_ServerName | no default value | "ldap://ldap.mycompany_abc.com" | The URL of the LDAP server.
$LDAPAuthorization_ServerPort | no default value | "389" | The port of the LDAP server.
$LDAPAuthorization_UseTLS | no default value | false | Whether or not to use TLS.
$LDAPAuthorization_SearchString | no default value | "ou=Some Organizational Unit, o=Some Organization" | The LDAP search string (base of the search).
$LDAPAuthorization_Filter | no default value | "(uid=USERNAME)" | The filter used to find the user being authorized; USERNAME is replaced with the username of the user requesting authorization.
$LDAPAuthorization_Rules | no default value | ["departmentnumber" => "12345"] | The rules used to determine whether a given user is authorized.

$LDAPAuthorization_Rules can hold an array of arrays of arbitrary depth, representing a complex set of rules that determine user authorization. Each array may hold three kinds of keys:

Key | Value
--- | ---
"&" | an array of rules, all of which must be true (the results are ANDed together)
"|" | an array of rules, at least one of which must be true (the results are ORed together)
LDAP attribute name | a string that must equal the value of the named LDAP attribute, or an array of strings at least one of which must equal that value (the array entries are ORed together and compared against the attribute's value). The extension assumes that each LDAP attribute included in the response has a single value.

For example, the following rule set authorizes any user whose employee status is active and who is either in department 100 or 200 or has a level of 5 or 6:

$LDAPAuthorization_Rules = [
	"&" => [
		"status" => "active",
		"|" => [
			"department" => [
				"100",
				"200"
			],
			"level" => [
				"5",
				"6"
			]
		]
	]
];

The top-level array is assumed to have the operator AND by default, so the configuration array above may be simplified to:

$LDAPAuthorization_Rules = [
	"status" => "active",
	"|" => [
		"department" => [
			"100",
			"200"
		],
		"level" => [
			"5",
			"6"
		]
	]
];
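The rule semantics described above (AND/OR groups, single-value and list matches, implicit AND at the top level) are easy to get wrong when writing a rule set, so the following stand-alone PHP script is added here as an example. It is not code from the LDAPAuthorization extension; the function names ldapAuthzEvaluate and ldapAuthzBuildFilter, the user entries and the behaviour for an empty rule set are this example's own assumptions. It evaluates the simplified rule set from this page against constructed attribute sets for four hypothetical users, and also shows how the USERNAME placeholder in $LDAPAuthorization_Filter can be filled in with the name escaped for use in an LDAP filter.

```php
<?php
// Added example, not code from the LDAPAuthorization extension: a stand-alone
// evaluator for a $LDAPAuthorization_Rules array, following the semantics
// described on this page:
//   "&" => [ ... ]     every sub-rule must hold (AND)
//   "|" => [ ... ]     at least one sub-rule must hold (OR)
//   attr => "value"    the attribute must equal "value"
//   attr => [ ... ]    the attribute must equal one of the listed strings
// The top-level array is ANDed by default. Attributes are assumed to be
// single-valued, as the description above states.
function ldapAuthzEvaluate(array $rules, array $attributes, $operator = '&') {
    if (count($rules) === 0) {
        // Design choice of this example: an empty rule set authorizes nobody
        // instead of being vacuously true under AND.
        return false;
    }
    // LDAP attribute names are case-insensitive; compare on lower-cased keys.
    $attributes = array_change_key_case($attributes, CASE_LOWER);
    $results = [];
    foreach ($rules as $key => $value) {
        if ($key === '&' || $key === '|') {
            // Nested group: evaluate it with its own operator.
            $results[] = ldapAuthzEvaluate($value, $attributes, $key);
            continue;
        }
        $name = strtolower((string)$key);
        if (!array_key_exists($name, $attributes)) {
            $results[] = false; // a missing attribute never matches
            continue;
        }
        $actual  = (string)$attributes[$name];
        $allowed = is_array($value) ? $value : [$value];
        // Strict string comparison avoids PHP's loose numeric-string matches
        // (with ==, "100" equals "1e2").
        $results[] = in_array($actual, array_map('strval', $allowed), true);
    }
    return $operator === '|'
        ? in_array(true, $results, true)
        : !in_array(false, $results, true);
}

// Substitutes the username into a filter template such as "(uid=USERNAME)".
// This example escapes the name with ldap_escape() (PHP >= 5.6 with ext/ldap)
// so that filter metacharacters in it are matched literally; where ext/ldap
// is not loaded, a small RFC 4515 fallback does the same for the common cases.
function ldapAuthzBuildFilter($template, $username) {
    if (function_exists('ldap_escape')) {
        $escaped = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    } else {
        $escaped = str_replace(
            ["\\", '*', '(', ')', "\0"],
            ['\5c', '\2a', '\28', '\29', '\00'],
            $username
        );
    }
    return str_replace('USERNAME', $escaped, $template);
}

// Constructed sample data (not from a real directory): the simplified rule
// set shown on this page and the attributes of four hypothetical users.
$LDAPAuthorization_Rules = [
    'status' => 'active',
    '|' => [
        'department' => ['100', '200'],
        'level'      => ['5', '6'],
    ],
];
$sampleEntries = [
    'alice' => ['status' => 'active',   'department' => '100', 'level' => '3'],
    'bob'   => ['status' => 'active',   'department' => '300', 'level' => '6'],
    'carol' => ['status' => 'inactive', 'department' => '100', 'level' => '5'],
    'dave'  => ['status' => 'active',   'department' => '300', 'level' => '4'],
];
foreach ($sampleEntries as $user => $attrs) {
    printf("%-6s filter=%-14s authorized=%s\n",
        $user,
        ldapAuthzBuildFilter('(uid=USERNAME)', $user),
        ldapAuthzEvaluate($LDAPAuthorization_Rules, $attrs) ? 'yes' : 'no');
}
```

Run with `php` on the command line. With the constructed entries, alice (department 100) and bob (level 6) satisfy the rule set, while carol fails the status check and dave matches neither the department nor the level list, so only the first two are reported as authorized. The strict string comparison and the fail-closed handling of missing attributes are choices made for this example; the extension's own handling of those edge cases is not documented on this page.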

See also