LDAP hub/Migration from extension LDAPAuthentication

From MediaWiki.org

This page holds example configurations of the original Extension:LdapAuthentication and how these need to be rewritten for LDAP Stack.

Full fledged configuration

Example 1

  • Allow network based authentication (aka "implicit", e.g. by using Apache's mod_auth_kerb module for Kerberos authentication)
  • Allow form based authentication with local user accounts
  • Allow form based authentication with remote LDAP user accounts
  • Restrict login to certain LDAP user groups
  • Synchronize user info
  • No synchronization of user groups

Given $_SERVER['REMOTE_USER'] = 'someuser@company.local'

Old

require_once( $IP.'/extensions/LdapAuthentication/LdapAuthentication.php' );
$wgLDAPUseLocal = true;
$wgLDAPBaseDNs = [ 'company.local' => 'o=DOMAIN' ];
$wgLDAPDomainNames = [ 'company.local' ];
$wgLDAPSearchAttributes = [ 'company.local' => 'uid' ];
$wgLDAPGroupAttribute = [ 'company.local' => 'member' ];
$wgLDAPRequiredGroups = [ 'company.local' => [ 'cn=WikiAccess,ou=Groups,o=Company' ] ];
$wgLDAPGroupNameAttribute = [ 'company.local' => 'cn' ];
$wgLDAPGroupObjectclass = [ 'company.local' => 'groupOfNames' ];
$wgLDAPGroupUseRetrievedUsername = [ 'company.local' => false ];
$wgLDAPLowerCaseUsername = [ 'company.local' => true ];
$wgLDAPGroupUseFullDN = [ 'company.local' => true ];
$wgLDAPDisableAutoCreate = [ 'company.local' => false ];
$wgLDAPPreferences = [ 'company.local' => [
	'email' => 'mail',
	'realname' => 'fullname'
] ];
$wgLDAPPort = [ 'company.local' => 389 ];
$wgLDAPEncryptionType = [ 'company.local' => 'clear' ];
$wgLDAPServerNames = [ 'company.local' => 'ldap.company.local' ];
 
$wgAuth = new LdapAuthenticationPlugin();

// Implicit Login
if ( !empty( $_SERVER['REMOTE_USER'] ) ) {
	require_once( $IP.'/extensions/LdapAuthentication/LdapAutoAuthentication.php' );
	$wgLDAPAutoAuthUsername = preg_replace( '|@.*$|', '', $_SERVER['REMOTE_USER'] );
	$wgLDAPAutoAuthDomain = 'company.local';
	AutoAuthSetup();
}

New

wfLoadExtensions( [
	'PluggableAuth',
	'Auth_remoteuser',
	'LDAPProvider',
	'LDAPAuthentication2',
	'LDAPAuthorization',
	'LDAPUserInfo'
] );

$LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain';
$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$LDAPAuthentication2AllowLocalLogin = true;
$wgAuthRemoteuserAllowUserSwitch = true;
$wgPluggableAuth_EnableLocalLogin = true;

$wgAuthRemoteuserUserName = function() {
	$user = '';
	if( isset( $_SERVER[ 'REMOTE_USER' ] ) ) {
		$user = strtolower( $_SERVER[ 'REMOTE_USER' ] );
	}

	return $user;
};

$LDAPProviderDomainConfigProvider = function() {
	$config = [
		'company.local' => [
			'connection' => [
				"server" => "ldap.company.local",
				"options" => [
					"LDAP_OPT_DEREF" => 1
				],
				"basedn" => "o=Company",
				"groupbasedn" => "o=Company",
				"userbasedn" => "o=Company",
				"searchattribute" => "uid",
				"usernameattribute" => "uid",
				"realnameattribute" => "fullname",
				"emailattribute" => "mail",
				"grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
			],
			'authorization' => [
				'rules' => [
					'groups' => [
						'required' => [
							'cn=WikiAccess,ou=Groups,o=Company'
						]
					]
				]
			],
			'userinfo' => [
				'attributes-map' => [
					'email' => 'mail',
					'realname' => 'fullname'
				]
			]
		]
	];

	return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
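The Old/New pair above is one hand-written migration. The following is an added example (not code from this page or from the LDAP Stack extensions) that turns the same mapping into a function: the per-domain $wgLDAP* arrays of the old LdapAuthentication extension go in, and the domain config array that $LDAPProviderDomainConfigProvider returns comes out, using exactly the key names that appear in the "New" block. Assumptions that are not stated on the page: "groupbasedn" and "userbasedn" fall back to the plain base DN when the old $wgLDAPGroupBaseDNs / $wgLDAPUserBaseDNs are not set, "usernameattribute" is taken from $wgLDAPSearchAttributes as in Example 1, $wgLDAPProxyAgent / $wgLDAPProxyAgentPassword map to the "user" / "pass" keys shown in the Kerberos example further down, and port and encryption type are deliberately not mapped because the page shows no target key for them. Note that the Old block uses 'o=DOMAIN' as base DN while the New block uses 'o=Company'; the constructed input below uses 'o=Company' so that the output matches the New block.

```php
<?php
// Added example: converts old LdapAuthentication $wgLDAP* settings into the
// LDAPProvider domain config array. Key names follow the "New" block of
// Example 1; the fallbacks and the user/pass mapping are assumptions.

function convertLdapAuthDomain( string $domain, array $old ): array {
	$baseDn = $old['wgLDAPBaseDNs'][$domain] ?? '';
	$connection = [
		'server'            => $old['wgLDAPServerNames'][$domain] ?? '',
		'options'           => [ 'LDAP_OPT_DEREF' => 1 ],
		'basedn'            => $baseDn,
		// Assumption: separate group/user base DNs default to the base DN.
		'groupbasedn'       => $old['wgLDAPGroupBaseDNs'][$domain] ?? $baseDn,
		'userbasedn'        => $old['wgLDAPUserBaseDNs'][$domain] ?? $baseDn,
		'searchattribute'   => $old['wgLDAPSearchAttributes'][$domain] ?? 'uid',
		// Assumption: the search attribute is also the username attribute.
		'usernameattribute' => $old['wgLDAPSearchAttributes'][$domain] ?? 'uid',
		'grouprequest'      => 'MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory',
	];
	// Assumption: a proxy agent becomes the bind "user"/"pass" pair.
	if ( isset( $old['wgLDAPProxyAgent'][$domain] ) ) {
		$connection['user'] = $old['wgLDAPProxyAgent'][$domain];
		$connection['pass'] = $old['wgLDAPProxyAgentPassword'][$domain] ?? '';
	}
	// $wgLDAPPreferences drives both the connection attributes and userinfo.
	$prefs = $old['wgLDAPPreferences'][$domain] ?? [];
	if ( isset( $prefs['realname'] ) ) {
		$connection['realnameattribute'] = $prefs['realname'];
	}
	if ( isset( $prefs['email'] ) ) {
		$connection['emailattribute'] = $prefs['email'];
	}

	$config = [ 'connection' => $connection ];

	// $wgLDAPRequiredGroups -> authorization.rules.groups.required
	$required = $old['wgLDAPRequiredGroups'][$domain] ?? [];
	if ( $required !== [] ) {
		$config['authorization'] = [
			'rules' => [ 'groups' => [ 'required' => array_values( $required ) ] ]
		];
	}

	// $wgLDAPPreferences -> userinfo.attributes-map (same keys: email, realname)
	if ( $prefs !== [] ) {
		$config['userinfo'] = [ 'attributes-map' => $prefs ];
	}
	return $config;
}

// Builds the whole multi-domain array from the list in $wgLDAPDomainNames.
function buildDomainConfig( array $old ): array {
	$config = [];
	foreach ( $old['wgLDAPDomainNames'] as $domain ) {
		$config[$domain] = convertLdapAuthDomain( $domain, $old );
	}
	return $config;
}

// Constructed input: Example 1's old settings, keyed by variable name.
$old = [
	'wgLDAPDomainNames'      => [ 'company.local' ],
	'wgLDAPServerNames'      => [ 'company.local' => 'ldap.company.local' ],
	'wgLDAPBaseDNs'          => [ 'company.local' => 'o=Company' ],
	'wgLDAPSearchAttributes' => [ 'company.local' => 'uid' ],
	'wgLDAPRequiredGroups'   => [ 'company.local' => [ 'cn=WikiAccess,ou=Groups,o=Company' ] ],
	'wgLDAPPreferences'      => [ 'company.local' => [ 'email' => 'mail', 'realname' => 'fullname' ] ],
];

// Same shape as the hand-written provider in the "New" block above.
$LDAPProviderDomainConfigProvider = function () use ( $old ) {
	return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray(
		buildDomainConfig( $old )
	);
};
```

Running `var_export( buildDomainConfig( $old ) )` in a scratch script is a quick way to diff the generated array against the "New" block before putting the provider into LocalSettings.php; anything the function leaves out (port, encryption type) has to be added by hand.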

Particular configuration variables

$wgLDAPAuthAttribute

Extension:LDAP_Authentication/Configuration_Options#Search_based_login_restriction_configuration_options

Old

$wgLDAPAuthAttribute = array(
  'testLDAPdomain' => '!(nsaccountlock=true)',
);

New

"authorization": {
    "attribute-map": {
        "nsaccountlock": "false"
    }
}

Auth remoteuser (Kerberos auth) with LDAPProvider features

The example includes a few extensions from the LDAP Stack, the additional packages you will need to make it work, and some extra code that is not included in the documentation (many thanks to Osnard for his support).

Mediawiki 1.33.0 on Ubuntu 16.04. Apache2, PHP7.0, MySQL 5.7, Kerberos authentication.

LDAPProvider 1.0.1, LDAPGroups 1.0.1, LDAPUserInfo 1.0.0

Packages and apache2 mods: kerberos_packages, mod_krb5, php7.0-ldap in my case.

krb5.conf:

[libdefaults]
    default_realm = MY.DOMAIN

[realms]
    MY.DOMAIN = {
        kdc = server.my.domain:port
        kdc = anotherserver.my.domain:port
        admin_server = server.my.domain
        default_domain = my.domain
    }

[domain_realm]
    ad-domain.local = MY.DOMAIN
    .ad-domain.local = MY.DOMAIN

[login]
    krb4_convert = true
    krb4_get_tickets = false

apache2.conf:

...
AccessFileName .htaccess
...

.htaccess:

AuthType Kerberos
AuthName "Kerberos Login"
# Set this to on if you want to allow wiki logons from outside of your domain (manual input).
# Apache does not accept a comment after a directive on the same line, so it has to go on its own line.
KrbMethodK5Passwd off
Krb5Keytab /path/to/krb5_http.keytab
Require user SomeUser@MY.DOMAIN AnotherUser@MY.DOMAIN

LocalSettings.php:

 1 wfLoadExtensions( [
 2 	'Auth_remoteuser',
 3 	'LDAPProvider',
 4 	'LDAPUserInfo',
 5 	'LDAPGroups'
 6 ] );
 7 
 8 $wgAuthRemoteuserUserNameReplaceFilter = [
 9 	'@MY.DOMAIN$' => ''
10 ];
11 
12 $LDAPProviderDomainConfigProvider = function() {
13 	$config = [
14 		'my.domain' => [
15 			'connection' => [
16 				"server" => "server.my.domain",
17 				"user" => "CN=ldapuser,OU=ADOU,DC=my,DC=domain",
18 				"pass" => 'password',
19 				"options" => [
20 					"LDAP_OPT_DEREF" => 1
21 				],
22 				"grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
23 				"basedn" => "dc=my,dc=domain",
24 				"groupbasedn" => "dc=my,dc=domain",
25 				"userbasedn" => "dc=my,dc=domain",
26 				"searchattribute" => "samaccountname",
27 				"searchstring" => "",
28 				"usernameattribute" => "samaccountname",
29 				"realnameattribute" => "cn"
30 			],
31 			'userinfo' => [
32 				"attributes-map" => [
33 					"realname" => "cn"
34 				]
35 			],
36 			'groupsync' => [
37 				"mechanism" => "mappedgroups",
38 				"mapping" => [
39 					"sysop" => "CN=ADGroup,OU=ADOU,dc=my,dc=domain",
40 					"customgroup" => "CN=AnotherADGroup,OU=ADOU,dc=my,dc=domain"
41 				]
42 			]
43 		]
44 	];
45 	return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
46 };

Line 22 (the "grouprequest" entry) is needed for the LDAPGroups extension to work properly when the "mappedgroups" mechanism is used.
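The $wgAuthRemoteuserUserNameReplaceFilter setting above only strips the "@MY.DOMAIN" suffix; any principal that Apache puts into REMOTE_USER is otherwise accepted as the wiki user name. The following is an added example, not code from this page or from Auth_remoteuser, that does the same job through a $wgAuthRemoteuserUserName callback (the callback form is the one Example 1 at the top of this page uses): it splits the principal, accepts it only when the realm is one the wiki trusts, refuses service principals with an instance part, and returns the lower-cased name as Example 1's callback does. It assumes, as Example 1 does, that an empty return value means "no remote login". Treating an unknown realm or a malformed value that way is this example's choice. It is not meant for Example 1's 'username-at-domain' parser, which needs the realm left in place.

```php
<?php
// Added example: REMOTE_USER -> MediaWiki user name with a realm check.
// Alternative to $wgAuthRemoteuserUserNameReplaceFilter for the Kerberos
// setup on this page; behaviour on refusal (return '') is an assumption
// taken from the Example 1 callback. Written for PHP 7.0 (no nullable types).

function remoteUserToWikiName( $remoteUser, array $trustedRealms ): string {
	if ( !is_string( $remoteUser ) || $remoteUser === '' ) {
		return '';
	}
	// Kerberos principals are name@REALM; refuse anything without a realm
	// rather than guessing one.
	$at = strrpos( $remoteUser, '@' );
	if ( $at === false ) {
		return '';
	}
	$name  = substr( $remoteUser, 0, $at );
	$realm = substr( $remoteUser, $at + 1 );
	// Realm names are case-sensitive, so compare exactly against the list.
	if ( $name === '' || !in_array( $realm, $trustedRealms, true ) ) {
		return '';
	}
	// "name/instance@REALM" is a service principal (e.g. HTTP/host), not a
	// person; refuse it instead of creating a wiki account for it.
	if ( strpos( $name, '/' ) !== false ) {
		return '';
	}
	// Example 1 lower-cases the name; keep that so "SomeUser" and "someuser"
	// map to the same wiki account.
	return strtolower( $name );
}

// Wiring for LocalSettings.php (replaces the ReplaceFilter setting).
$wgAuthRemoteuserUserName = function () {
	return remoteUserToWikiName( $_SERVER['REMOTE_USER'] ?? null, [ 'MY.DOMAIN' ] );
};

// Constructed inputs; this loop is only for running the file on its own.
$samples = [
	'SomeUser@MY.DOMAIN',            // accepted -> "someuser"
	'someuser@OTHER.REALM',          // untrusted realm -> refused
	'someuser',                      // no realm -> refused
	'HTTP/wiki.my.domain@MY.DOMAIN', // service principal -> refused
];
foreach ( $samples as $principal ) {
	$result = remoteUserToWikiName( $principal, [ 'MY.DOMAIN' ] );
	printf( "%-32s -> %s\n", $principal, $result === '' ? '(no remote login)' : $result );
}
```

With the callback in place, the `Require user SomeUser@MY.DOMAIN ...` line in .htaccess still decides who reaches the wiki at all; the callback only decides which of those principals become wiki accounts and under what name, so both lists should be kept in step.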


Add $this->domain = 'my.domain'; return true; (third line) to mediawiki/extensions/LDAPProvider/src/Hook/UserLoadAfterLoadFromSession.php to make LDAPUserInfo work:

1 ...
2 protected function findDomainForUser() {
3         $this->domain = 'my.domain'; return true;
4         $userDomainStore = new UserDomainStore(
5         ...

With the settings above in place, the following command-line scripts should work:

php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain my.domain --username SomeUser
php extensions/LDAPProvider/maintenance/ShowUserGroups.php --domain my.domain --username SomeUser

To enable the debug log, add the following to LocalSettings.php:

$wgDebugLogGroups['LDAPUserInfo'] = "/tmp/LDAPUserInfo.log";
$wgDebugLogGroups['LDAPGroups'] = "/tmp/LDAPGroups.log";

Very Simple Auth remoteuser Setup

The example is a very simple setup (that I may evolve at a later date, but is working now).

Mediawiki 1.31.5 on a late 2012 Mac Mini Server running Yosemite (10.10.5) using Server Internal Apache Version 2.4.16, PHP 7.2.21, MySQL 5.6.22

LDAP Hub Extension(s): Auth_remoteuser REL1_33 (I confirm only this one extension)

apache2.conf:

...
AccessFileName .htaccess
...

At the root of my web server's file system I have a .htaccess file which connects to my Yosemite Server Open Directory Service as follows:

.htaccess:

AuthBasicProvider ldap
AuthType Basic
AuthName "OpenDirectory"
AuthBasicAuthoritative off
AuthLDAPURL ldap://<server>.local/cn=users,dc=<machine>,dc=lan?uid
AuthLDAPGroupAttribute memberUID
Require valid-user

LocalSettings.php:

# LDAP Authentication
wfLoadExtension( 'Auth_remoteuser' );

Once a user authenticates through Apache's .htaccess/OpenDirectory (OD) and gains access to the server, Auth_remoteuser automatically uses the OD username/credentials as the MediaWiki login/username without any prompting or user interaction.

I plan to test/implement user groups so my setup may change substantially at a later date.