LDAP hub

From MediaWiki.org
Jump to navigation Jump to search
MediaWiki Stakeholders' Group Logo.svg

This page has been created as a result of Future of "Extension:LDAP Authentication" sessions held on Wikimedia Hackathon 2017/ (T165270) and SMWCon. It will contain resources about different topics concerning MediaWiki and LDAP.

Basic overview[edit]

The stack provides a multi-step process:

# Description Track: Network based authentication (NBA) Track: Form based authentication (FBA )
1 Request for Login Auth_remoteuser via SessionProvider

e.g. $_SERVER['REMOTE_USER'] = 'someuser@domain.local'

Username and domain are being extracted from "REMOTE_USER"

LDAPAuthentication2 together with PluggableAuth via HTML form on "Special:UserLogin"

Input fields for username, password and domain

2 Authorization ("group based restrictions") LDAPAuthorization together with Auth_remoteuser. After authentication a check for certain group membership is being performed. If it fails, login is being aborted. User is not created in database. If it succeeds, user is being created if necessary and domain is being added to database. LDAPAuthorization together with PluggableAuth. After authentication a check for certain group membership is being performed. If it fails, login is being aborted. User is not created in database. If it succeeds, user is being created if necessary and domain is being added to database.
3 Group synchronization LDAPGroups via UserLoadAfterLoadFromSession hook; username and domain (table ldap_domains from LDAPAuthentication2) are being read from the database.
4 User info synchronization (e-mail, realname, ...) LDAPUserInfo via UserLoadAfterLoadFromSession hook; username and domain (table ldap_domains from LDAPAuthentication2) are being read from the database.
LDAPStack.svg

Migrating from old LdapAuthentication[edit]

When migrating from "LdapAuthentication" you will need to convert you configuration.

Be aware that you might not need all to the LDAP Stack extensions to fullfill your use case:

I want to have network based authentication (implicit login) (e.g. by using Apache mod_auth_kerb)
You need Extension:Auth_remoteuser
I want to have form based authentication where my user puts in the an username and password that are managed within LDAP
You need Extension:LDAPProvider, Extension:PluggableAuth and Extension:LDAPAuthentication2
I want to restrict login to certain LDAP usergroups or LDAP attribut values
You need Extension:LDAPProvider and Extension:LDAPAuthorization
I sync user groups managed in LDAP into local wiki user groups
You need Extension:LDAPProvider and Extension:LDAPGroups
I sync user info like "realname" or "email" from LDAP into local wiki user properties
You need Extension:LDAPProvider and Extension:LDAPUserInfo

Working with Groups[edit]

Group based login restrictions[edit]

The LDAP-Stack can be configured to allow only certain user groups to actually log into the wiki. This means that if a group requirement is not met, a user can not even log into the wiki and no user account is being created in the wiki database. The functionality is implemented in LDAPAuthorization

There are two configuration options:

Required groups (authorization.rules.groups.required)
Excluded groups (authorization.rules.groups.excluded)

Group synchronization[edit]

Local wiki user groups can automatically be synchronized with groups that are set in LDAP. LDAPGroups takes care of this. By default there are two mechanisms available:

MappedGroups
All local user groups that should be synced must be configured explicitly within a mapping in the form of <localusergroup> --> <group-DN>. Groups that are not listed in this mapping will not be synced even if the user is a member on LDAP.
AllGroups
All user groups that a user is assigned to in LDAP will be synced to the local database. Instead of the full group DN only the CN part of the DN will be used. It is possible to exclude certain groups (e.g. the sysop from being synced)

Mapped groups[edit]

A mapping can be set up like this:

"groupsync": {
	"mapping": {
		"mathematicians": "ou=mathematicians,dc=example,dc=com",
		"scientists": "ou=scientists,dc=example,dc=com"
	}

All groups[edit]

If all groups should be synced, one must configure

"groupsync": {
	"mechanism": "allgroups"

To prevent certain groups (e.g. "sysop") to be synced, use

"groupsync": {
	"locally-managed": [ "sysop" ]

Debugging[edit]

You can use the following command line scripts to verify your setup:

php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain YourDomain --username SomeUser
php extensions/LDAPProvider/maintenance/ShowUserGroups.php --domain YourDomain --username SomeUser
php extensions/LDAPProvider/maintenance/CheckLogin.php --domain YourDomain --username SomeUser

Be aware that YourDomain needs to be the exact same value that is specified in the domain config (e.g. the root node of ldapprovider.json).

To enable the debug log you can use

$wgDebugLogGroups['PluggableAuth'] = 
$wgDebugLogGroups['LDAP'] = 
$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] = 
$wgDebugLogGroups['LDAPGroups'] = 
$wgDebugLogGroups['LDAPUserInfo'] = 
$wgDebugLogGroups['LDAPAuthorization'] = '/tmp/LDAP.log';

in your LocalSettings.php.

Additional[edit]