In the documentation the line:
require_once "$IP/extensions/LDAPAuthorization/LDAPAuthorization.php";
is misleading (maybe is obvious to everyone, but took me a while to figure out).
It should be:
wfLoadExtension('LDAPAuthorization');
Extension talk:LDAP Authorization
Thank you for the reminder. The page has been updated. Please note that the extension was recently updated significantly to make use of Extension:LDAPProvider.
I have MW 1.31 with PluggableAuth and SimpleSAMLphp extensions working and looking to validate authorization based on AD group membership. Can I see an example of the settings to allow members of the WikiUsers security group to be authorized?
There is no example that I know of specific to AD group membership. You would need to find out what the LDAP attribute name and value are that you want to filter on by querying your LDAP directory. Then you would need to configure LDAP Authorization with something like:
$LDAPAuthorization_Rules = [ "group" => "WikiUsers" ];
I'm still struggling with this. Can you clarify if I need to provide a $LDAPAuthorization_Filter? Are you able map the settings I used in the LDAP Authentication extension to the new LDAP Authorization settings?
$wgLDAPGroupAttribute = array( "removed"=>"member" );
$wgLDAPGroupNameAttribute = array( "removed"=>"cn" );
$wgLDAPGroupObjectclass = array( "removed"=>"group" );
$wgLDAPRequiredGroups = array( "<removed>"=>array("cn=WikiUsers,ou=groups,dc=removed,dc=com") );
I think this should be the filter:
$LDAPAuthorization_Filter = "(memberOf=cn=WikiUsers,dc=removed,dc=com)";
I still don't know what to enter for the rules to look for the user in the filter.
Using ldapsearch, I know I'm able to bind to the server and search for a specific user of that WikiUsers group.
ldapsearch -x -h servername.removed.com -D ldapuser -W -b "dc=removed,dc=com" "(&(objectClass=user)(sAMAccountName=jeff)(memberOf=cn=WikiUsers,dc=removed,dc=com))"
I just don't know how to translate this to the ldap authorization settings.
I still can't get this to authorize me, but I'm now thinking the filter should be similar to the one below, where USERNAME will be pulled from the simplesaml extension setting: $wgSimpleSAMLphp_UsernameAttribute. Is that correct? I'm putting aside the search for group membership until I can get a user authorized. Instead I'm looking for department IT.
require_once "$IP/extensions/LDAPAuthorization/LDAPAuthorization.php";
$LDAPAuthorization_ServerName = "ldap://servername.removed.com";
$LDAPAuthorization_ServerPort = "389";
$LDAPAuthorization_UseTLS = false;
$LDAPAuthorization_SearchString = "dc=removed,dc=com";
$LDAPAuthorization_Filter = "(sAMAccountName=USERNAME)";
$LDAPAuthorization_Rules = [
"department" => "IT"
];
There is a new version of LDAP Authorization that will be released imminently and that changes the configuration. It is part of a suite of LDAP extensions that share configuration to simplify their use together. You may want to wait and go with the new version. @Osnard is working on preparing the release now.
@Cindy.cicalese, What do we need to set for $wgPluggableAuth_Class for the Extension:PluggableAuth?
You need to set it to the name of the authentication plugin that you are using with PluggableAuth (e.g. OpenIDConnect, SimpleSAMLphp, or PluggableSSO). Note that LDAP Authorization is an authorization plugin to PluggableAuth, not an authentication plugin. PluggableAuth requires exactly one authentication plugin and zero or more authorization plugins.
Cindy.cicalese, got it. I expected that this extension is the replacement of LDAP Authentication. But it is obviously not. As i understand there is currently no way to use LDAP for authentication on a MW 1.28 or is there?
Not currently, but there is a group that began work at the recent Hackathon to reimplement LDAP Authentication, most likely on top of PluggableAuth.
Hi is there any news on the LDAP Authentication with MW 1.29? Thanks
Yes, @Osnard is actively working on this.
Thanks for the quick reply, I'll get in touch with him.
Hello,
any news about reimplement LDAP Authentication? I see some information on the @Osnard page, but nothing about a new working way use a LDAP autnehtication method. Thanks!
I've been working with @Osnard on the LDAP extensions and have gotten them to the point where they work for authentication and group management.
I've published a cookbook for this that I would love to get feedback on.
Hello Cindy,
it is possible to use both plugins at the same time? We want authorize internal user with LDAP and external User with eMail.
Kind Regards
Ralle
Hello Ralle,
It *should* work. I haven't tested it, but the logic of the way hooks are processed should support that. That was my original intention, but you're the first to actually request that behavior. If you try it, could you please report back here whether or not it works? If it does not, I can look at what it would take to support that use case.
Cindy
Hello Cindy,
thanks for your reply, I'll report.
Ralle
Is there someway of getting debug information? Logfile somewhere? Cloud you specify name of logfile in configuration?
There currently are not any debugging statements embedded in the extension. That would be a good enhancement. In the meantime, you could embed some wfDebug() or wfDebugLog() statements in LDAPAuthorization.class.php as described at https://www.mediawiki.org/wiki/Manual:How_to_debug#Creating_custom_log_groups.
Have you tried this with Activate Directory with TLS enabled?
No, that has not been tested.
There are no older topics