Extension talk:LDAP Authentication/Configuration Options

From mediawiki.org

Custom LDAP configuration options ($wgLDAPOptions)

After getting these two messages for only one option set:

1.2e Can't set option to LDAP! Option code and value: 0=4
1.2e Can't set option to LDAP! Option code and value: 1=120

I realised that $wgLDAPOptions is an array and the option is read via constant(), so the example should read

//Custom LDAP configuration options; allows you to set options specified at
// http://www.php.net/manual/en/function.ldap-set-option.php
//Default: none
$wgLDAPOptions = array(
  "testADdomain"=>array( "LDAP_OPT_DEREF" => 0 ),
  "testLDAPdomain"=>array( "LDAP_OPT_DEREF" => 1 ),
);

and so it worked for me ---Venia 08:08, 26 May 2011 (UTC)

P.S. Nevertheless it worked like a charm on Windows Server 2008 R2 using IIS 7.5

Multiple domains that will be using auto authentication ($wgLDAPAutoAuthDomain)

Dealing with different AD directory servers for the domains using REMOTE_USER. Please watch the three backslashes and define your domains in lowercase.

if (isset($_SERVER["REMOTE_USER"])) {
	// REMOTE_USER will be in the form DOMAIN\USERNAME
	$wgLDAPAutoAuthUsername = preg_replace( '#^.*\\\#', '', $_SERVER["REMOTE_USER"]);
	$wgLDAPAutoAuthDomain = strtolower(preg_replace( '#\\\.*$#', '', $_SERVER["REMOTE_USER"]));
} else die("REMOTE_USER?");

---Venia 09:06, 26 May 2011 (UTC)
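The following is an added example, not code from the post above or from the extension itself. It derives the auto-authentication username and domain from REMOTE_USER as the snippet above does, but additionally accepts the user@domain.tld (UPN) form, enables auto-auth only for a domain that is actually listed in $wgLDAPDomainNames (assumed to be set earlier in LocalSettings.php), and leaves the ordinary login form reachable instead of calling die() when the header is absent. The mapping of a UPN suffix to its first DNS label as the short domain name is an assumption for this example; adjust it to how your $wgLDAP* arrays are keyed.

```php
<?php
// Added example (not from the original post or the extension).
// Splits REMOTE_USER into username and lowercase domain.
// Supported forms: DOMAIN\username and username@domain.tld.
function parseRemoteUser( string $remoteUser ): ?array {
	$remoteUser = trim( $remoteUser );

	// DOMAIN\username: the form the post above deals with.
	// In a single-quoted PHP string '\\\\' is two backslashes, i.e. one
	// literal backslash for the regex engine.
	if ( preg_match( '/^([^\\\\@]+)\\\\([^\\\\@]+)$/', $remoteUser, $m ) ) {
		return [ 'user' => $m[2], 'domain' => strtolower( $m[1] ) ];
	}

	// username@domain.tld (UPN). Assumption: the first label of the DNS
	// suffix is the short domain name used as key in the $wgLDAP* arrays.
	if ( preg_match( '/^([^\\\\@]+)@([^\\\\@]+)$/', $remoteUser, $m ) ) {
		$labels = explode( '.', $m[2] );
		return [ 'user' => $m[1], 'domain' => strtolower( $labels[0] ) ];
	}

	// Anything else (empty string, stray separators) is not trusted.
	return null;
}

$parsed = isset( $_SERVER['REMOTE_USER'] )
	? parseRemoteUser( $_SERVER['REMOTE_USER'] )
	: null;

// Only hand a user over to auto-auth when the domain is one the wiki knows;
// $wgLDAPDomainNames is assumed to be defined above this point.
if ( $parsed !== null
	&& in_array( $parsed['domain'], array_map( 'strtolower', $wgLDAPDomainNames ), true )
) {
	$wgLDAPAutoAuthUsername = $parsed['user'];
	$wgLDAPAutoAuthDomain = $parsed['domain'];
}
// With no (or an unrecognised) REMOTE_USER both variables stay unset and the
// wiki falls back to the normal login page rather than dying with an error.
```

Because the web server, not the browser, sets REMOTE_USER, this only makes sense when the authentication module in front of the wiki is the sole way to reach it; the domain whitelist check above keeps a mistyped or unexpected domain from silently being passed to auto-authentication.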

Option on single domain systems for no domain menu

It would be nice to be able to turn off the domain menu on login if you only have one domain to select from.--Pashdown (talk) 18:02, 3 December 2012 (UTC)

Can the Special:ChangePassword be disabled?

Because my LDAP is read-only to the wiki, I'd like to be able to remove the Special:ChangePassword page. Is there a way to do this with an option to the extension?

OpenLDAP & Ubuntu 12.04 LTS

On OpenLDAP this will always fail with message "Failed to bind". This won't work. Evar.

Config Equivalency Between This LDAP ext and the Apache Auth Provider "ldap"

I just thought I would show an equivalent configuration for this extension that matches the same ldap configuration we use in apache httpd.

I've replaced sensitive info with <keyword> substitutions.

The apache config:

AuthBasicProvider ldap
AuthLDAPBindDN "CN=<readonlyuser>,CN=Users,DC=<domain>,DC=local"
AuthLDAPBindPassword "<readonlypassword>"
AuthLDAPURL "ldap://<ldapservername>.<domain>.local:3268/CN=Users,DC=<domain>,DC=local?samAccountName?"
AuthzLDAPAuthoritative off

The MW LDAP authentication extension's config:

$wgLDAPDomainNames = array( "<domain>" );
$wgLDAPServerNames = array( "<domain>" => "<ldapservername>.<domain>.local" );
$wgLDAPEncryptionType = array( "<domain>" => "clear" );
$wgLDAPBaseDNs = array( "<domain>" => "CN=Users,DC=<domain>,DC=local" );
$wgLDAPProxyAgent = array( "<domain>" => "CN=<readonlyuser>,CN=Users,DC=<domain>,DC=local" );
$wgLDAPProxyAgentPassword = array( "<domain>" => "<readonlypassword>" );
$wgLDAPSearchAttributes = array('<domain>' => 'samAccountName');

Cheers, Kyle 142.166.3.43 11:41, 4 April 2013 (UTC)

Setting for IBM Lotus Domino 8.5 LDAP

$wgLDAPServerNames = array(
  'DGOA' => 'ldap.dgoa.cn',
);
$wgLDAPUseLocal = true;
$wgLDAPEncryptionType = array(
  'DGOA' => 'clear',
);
$wgLDAPPort = array(
  'DGOA' => 389,
);
$wgLDAPProxyAgent = array(
  'DGOA' => 'CN=ldapuser,O=DG',
);
$wgLDAPProxyAgentPassword = array(
  'DGOA' => 'dgldapoA',
);
$wgLDAPSearchAttributes = array(
  'DGOA' => 'uid'
);
$wgLDAPDebug = 1;
$wgDebugLogGroups["ldap"] = "/tmp/ldap.log";

This is the setting which makes my wiki work properly with the LDAP server. It cost me several days. The point is that "$wgLDAPProxyAgent" only needs values for CN & O; it doesn't need values for OU and DC.

Willemzhai (talk) 08:05, 17 March 2015 (UTC)

Server names in SSL Cert?

Hi There,

I've got authentication to AD working in cleartext, but am having a lot of trouble connecting over SSL.

As per the guidance below, it looks like my wgLDAPServerNames values must somehow correlate to values retrieved from my domain controller with the openssl s_client -showcerts -connect command? Unfortunately I do not see any server names referenced in my retrieved cert, and the Acceptable client certificate CA names list does not include server names either. Can you clarify this point a bit more?

If you are going to use SSL or StartTLS, it is important that the server names provided here exactly match the name provided by the SSL certificate returned by the server; otherwise, you may have problems.
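One way to check the point raised above before switching from "clear" to an encrypted connection, as an added example that is not part of the post or of the extension: connect to the LDAPS port, read the certificate the server presents, and list the host names it carries (subject CN plus any DNS entries in the subjectAltName extension). The name in $wgLDAPServerNames has to be one of these, or be covered by a wildcard entry such as *.<domain>.local. The host name and port below are placeholders; verification is switched off in the stream context only so that a mismatching certificate can still be read and reported, which is acceptable for a one-off diagnostic run from a shell but not for the wiki's own configuration.

```php
<?php
// Added diagnostic example (not from the original post or the extension).
// Fetches the certificate from an LDAPS port and returns the host names in it.
function ldapCertHostNames( string $host, int $port = 636 ): array {
	$ctx = stream_context_create( [ 'ssl' => [
		'capture_peer_cert' => true,
		// Disabled only for this diagnostic so a wrong cert is still readable.
		'verify_peer' => false,
		'verify_peer_name' => false,
	] ] );
	$sock = stream_socket_client(
		"ssl://$host:$port", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx
	);
	if ( $sock === false ) {
		throw new RuntimeException( "cannot connect to $host:$port: $errstr ($errno)" );
	}
	$params = stream_context_get_params( $sock );
	fclose( $sock );

	$cert = openssl_x509_parse( $params['options']['ssl']['peer_certificate'] );
	$names = [];
	// Subject CN (may be a single string or, rarely, an array of strings).
	foreach ( (array)( $cert['subject']['CN'] ?? [] ) as $cn ) {
		$names[] = strtolower( $cn );
	}
	// subjectAltName is returned as "DNS:a.example.local, DNS:b.example.local, IP Address:..."
	foreach ( explode( ',', $cert['extensions']['subjectAltName'] ?? '' ) as $san ) {
		$san = trim( $san );
		if ( stripos( $san, 'DNS:' ) === 0 ) {
			$names[] = strtolower( substr( $san, 4 ) );
		}
	}
	return array_values( array_unique( $names ) );
}

// True when the configured name equals a certificate name or is covered by a
// single-label wildcard (*.example.local matches dc1.example.local, not
// dc1.sub.example.local).
function certNameMatches( string $configured, array $certNames ): bool {
	$configured = strtolower( $configured );
	foreach ( $certNames as $name ) {
		if ( $name === $configured ) {
			return true;
		}
		if ( strpos( $name, '*.' ) === 0 ) {
			$suffix = substr( $name, 1 ); // ".example.local"
			if ( strlen( $configured ) > strlen( $suffix )
				&& substr( $configured, -strlen( $suffix ) ) === $suffix
				&& strpos( substr( $configured, 0, -strlen( $suffix ) ), '.' ) === false
			) {
				return true;
			}
		}
	}
	return false;
}

// Placeholder: put the exact value you use in $wgLDAPServerNames here.
$server = 'ldapservername.domain.local';
$names = ldapCertHostNames( $server, 636 );
echo "certificate names: " . implode( ', ', $names ) . "\n";
echo certNameMatches( $server, $names )
	? "OK: $server is covered by the certificate\n"
	: "MISMATCH: set \$wgLDAPServerNames to one of the names above\n";
```

Run it with the PHP CLI on the wiki host (it needs the openssl extension, which the LDAP extension's SSL mode needs anyway). Once the configured name is reported as covered, the extension can be pointed at the encrypted port, e.g. $wgLDAPEncryptionType set to "ssl" and $wgLDAPPort to 636 for that domain; if the script reports a mismatch, fix $wgLDAPServerNames first rather than loosening verification, since the name check is what stops a bind against an impostor server.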

Use different LDAP fields for login and for Mediawiki username

How can I convince Mediawiki to allow login via uid and still have it use displayName as Mediawiki username? I made it work (somehow) for a newly added LDAP account with uid "test" and displayName "Testy McTestface", but it doesn't work for LDAP accounts already used in Mediawiki. I thought the SetUsernameAttributeFromLDAP hook would work in this way but obviously I miss something important. Masin Al-Dujaili (WMDE) (talk) 10:09, 20 July 2017 (UTC)

Please fix manual

In the "Enabling the plugin" section: running maintenance/update.php should come after enabling it in LocalSettings.php — Preceding unsigned comment added by Sphynkx (talk • contribs)

The text accompanying the heading states: You must run update.php (only after you've enabled the extension in LocalSettings.php or it will be ignored). What's wrong? --Ciencia Al Poder (talk) 09:25, 15 May 2019 (UTC)