From MediaWiki.org
Jump to navigation Jump to search
MediaWiki extensions manual
OOjs UI icon advanced.svg
Release status: beta
Implementation User identity
Description Manage MediaWiki group membership in LDAP
Author(s) Mark A. Hershberger (MarkAHershbergertalk)
Latest version 0.1.0 (2016-11-07)
MediaWiki 1.26+
Database changes No
License GNU General Public License 3.0 or later
Translate the LdapGroups extension if it is available at translatewiki.net
Check usage and version matrix.
Issues Open tasks · Report a bug

This is MediaWiki extension to allow users to manage the membership of their MediaWiki groups using a directory server via LDAP such as Microsoft's ActiveDirectory.


  • Download and place the file(s) in a directory called LdapGroups in your extensions/ folder.


ini file[edit]

You need to specify connection parameters for your LDAP server. Since you may want to use a different LDAP server for different environments (e.g. dev, prod), the credentials are stored in a separate file in ini file format. These will be used to connect to the directory server. Specify the ini file in by pointing to it in your LocalSettings.php file by setting:

$LdapGroupsIniFile = "full-path-to-file";

The file takes the following format:

	server = ServerName

	; quotes are required to keep php from getting confused about
	; the extra equals sign
	user = 'UserName or DN

	pass = password

	basedn = 'Base DN'

Group mapping[edit]

Your mapping of MediaWiki groups to the distinguished names (dn) of the groups on your directory server should be provided in the $LdapGroupsMap variable. For example:

    = [ "AWSUsers" =>
            "cn=aws-production,ou=security group,o=top"
        "NavAndGuidance" =>

Nested groups[edit]

Nested groups are correctly resolved using LDAP_MATCHING_RULE_IN_CHAIN queries if you add the following to your LocalSettings.php:

$LdapGroupsUseMatchingRuleInChainQuery = true;


I also plan to have a Special Page to set up to allow for group mappings soon.

See also[edit]