Extension:LDAPAuthorization

From mediawiki.org
Jump to navigation Jump to search
MediaWiki Stakeholders' Group Logo.svg This extension is maintained by a member of the MediaWiki Stakeholders' Group .
MWStake LDAPStack Icon.svg This extension is part of the LDAP Stack and requires the LDAPProvider extension to be installed first.
PluggableAuth Icon.svg This extension requires the PluggableAuth extension to be installed first.

This extensions checks for certain authorization requirements when logging into a wiki by using Extension:PluggableAuth or Extension:Auth remoteuser. If one of the requirements are not satisfied the login process will be cancelled.

MediaWiki extensions manual
OOjs UI icon advanced.svg
LDAPAuthorization
Release status: stable
MWStake LDAPStack Icon.svg
Author(s) Cindy Cicalese, Mark A. Hershberger, Robert Vogel
Latest version 1.0.0
Compatibility policy release branches
MediaWiki 1.31+
License GNU General Public License 2.0 or later
Download
  • $LDAPAuthorizationAutoAuthUsernameNormalizer
  • $LDAPAuthorizationAutoAuthRemoteUserStringParser
  • $LDAPAuthorizationAutoAuthRemoteUserStringParserRegistry
  • $LDAPAuthorizationAutoAuthBypassWithCookieUsernameRemoteAddrs
Translate the LDAPAuthorization extension if it is available at translatewiki.net
Check usage and version matrix.

Installation[edit]

  • Download and place the file(s) in a directory called LDAPAuthorization in your extensions/ folder.
  • Add the following code at the bottom of your LocalSettings.php:
    wfLoadExtension( 'LDAPAuthorization' );
    
  • You must first install the LDAPProvider and PluggableAuth extensions.
  • Configure as required
  • Yes Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.

Extension config settings[edit]

When using them in LocalSettings.php, these variables need to be prefixed with $LDAPAuthorization
Name Default Description
AutoAuthRemoteUserStringParserRegistry
{
 "domain-backslash-username": "MediaWiki\\Extension\\LDAPAuthorization\\AutoAuth\\RemoteUserStringParser\\DomainBackslashUsername::factory",
 "username-at-domain": "MediaWiki\\Extension\\LDAPAuthorization\\AutoAuth\\RemoteUserStringParser\\UsernameAtDomain::factory"
}
A registry of factory callbacks for different parsers, that extract domain and username from a provided domain-username.

Must return IRemoteUserStringParser object.


Only used in case of auto-authentication provided by Extension:Auth remoteuser.

AutoAuthRemoteUserStringParser "domain-backslash-username" Configures which parser is needed to extract domain and username from a provided domain-username. Allowed values are
  • "domain-backslash-username" (Use this if $_SERVER['REMOTE_USER'] = "SOMEDOMAIN\\Some username")
  • "username-at-domain" (Use this if $_SERVER['REMOTE_USER'] = "some.username@somedomain.local")


Only used in case of auto-authentication provided by Extension:Auth remoteuser.

AutoAuthUsernameNormalizer "" A callback that allows to modify the username when Extension:Auth_remoteuser is used for network based authentication. E.g. "strtolower". If form based authentication is also enabled though Extension:LDAPAuthentication2 this should have the same value as $LDAPAuthentication2UsernameNormalizer.

Only used in case of auto-authentication provided by Extension:Auth remoteuser.

Domain config settings[edit]

Name Default Description
rules.groups.required [] Array of group DNs that are required to complete the login process. Belonging to one group is sufficient (logical OR) to be authorized.
rules.groups.excluded [] Array of group DNs that the user may not be member of to complete the login process. Belonging to one group is sufficient (logical OR) to be forbidden to log in.
rules.attributes {} This implements the "attributes mapping" rule from Extension:LDAP Authentication Example:
{
    "&" : {
    	"status": "active",
    	"|": {
    		"department": [ "100", "200" ],
    		"level": [ "5", "6" ]
    	}
    }
}

If you want to configure this in LocalSettings.php you can extend the configuration for LDAPProvider like in this example:

$LDAPProviderDomainConfigProvider = function() {
	$config = [
		'LDAP' => [
			'connection' => [
				...
			],
			'authorization' => [
				'rules' => [
					'groups' => [
						'required' => [ "groupname" ]
					]
				]
			]
		]
	];
...

Here is a complete example LocalSettings.php configuration for Active Directory:

$LDAPProviderDomainConfigProvider = function()
{
	$config =
	[
		"example.com" =>
		[
			"connection" =>
			[
				"server" => "ldap.example.com",
				"user" => "cn=ldap,cn=Users,dc=example,dc=com",
				"pass" => "password",
				"basedn" => "dc=example,dc=com",
				"groupbasedn" => "dc=example,dc=com",
				"userbasedn" => "dc=example,dc=com",
				"searchattribute" => "samaccountname",
				"searchstring" => "USER-NAME@example.com",
				"usernameattribute" => "samaccountname",
				"realnameattribute" => "cn",
				"emailattribute" => "mail",
				"grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
			],
			"authorization" =>
			[
				"rules" =>
				[
					"groups" =>
					[
						"required" => [ "cn=Developers,cn=Users,dc=example,dc=com" ]
					]
				]
			],
			"groupsync" =>
			[
				"mechanism" => "mappedgroups",
				"mapping" =>
				[
					"sysop" => "cn=Developers,cn=Users,dc=example,dc=com",
					"bureaucrat" => "cn=Developers,cn=Users,dc=example,dc=com"
				]
			],
			"userinfo" =>
			[
				"email" => "mail",
				"realname" => "cn",
				"properties.gender" => "gender"
			]
		]
	];

	return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

Versioning[edit]

LDAP Stack Extensions are targeted/qualified for MediaWiki LTS releases only.
However, this table helps to determine which extension-releases to use across all recent versions.

MediaWiki Release Recommended Extension Version Test Status Latest Test Date
1.31 (LTS) LDAPxxx_REL1_31 Tested, Recommended March 2020
1.32 LDAPxxx_REL1_31 Not Tested -
1.33 LDAPxxx_REL1_31 Tested March 2020
1.34 LDAPxxx_REL1_31 Tested March 2020
1.35 (LTS Planned) LDAPxxx_master Tested March 2020