Topic on Extension talk:LDAP Authentication

Controlling edit rights by AD group?

Maiden taiwan (talkcontribs)

We use LDAPauthentication successfully to limit logins to members of certain AD groups, using $wgLDAPRequiredGroups. Now we want to change things: let all AD users log into the wiki, but limit edit rights to those certain AD groups. How can this be accomplished with LDAPauthentication?

I'm guessing that we need to set $wgLDAPUseLDAPGroups to synchronize MW and AD groups, which will somehow mirror those AD groups as MW groups, and then set in LocalSettings.php:

$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['AD group name 1']['edit'] = true;
$wgGroupPermissions['AD group name 2']['edit'] = true;
// ...etc...

However, I am limited in my understanding of LDAPauthentication group synchronization. Does it actually create wiki groups that mirror the AD groups? Should these AD groups now show up in Special:UserRights? (I never see them there.) How can one see that group synchronization is actually working: what is the visible effect?

Here is our current LDAPauthentication config that restricts logins:

$wgLDAPDomainNames = array( 'ourdomain' );
// Server list is space-separated; the extension tries them in order.
$wgLDAPServerNames = array( 'ourdomain' => 'server1.domain  server2.domain' );
$wgLDAPSearchStrings = array( 'ourdomain' => sprintf("%s\\USER-NAME", 'ourdomain') );
$wgLDAPLowerCaseUsername = array( 'ourdomain' => true );
$wgLDAPUseLocal = false;
// "ssl" = LDAPS; certificate validation depends on the PHP/OpenLDAP client config.
$wgLDAPEncryptionType = array( 'ourdomain' => "ssl" );
// Placeholder: the real list of group DNs that are allowed to log in.
$wgLDAPRequiredGroups = array( 'ourdomain' => $groupArrayInTheAppropriateFormat );
$wgLDAPBaseDNs = array( 'ourdomain' => "dc=example,dc=net" );
$wgLDAPSearchAttributes = array( 'ourdomain' => "sAMAccountName" );
// Group lookup: AD "group" objects whose "member" attribute holds the user's full DN.
$wgLDAPGroupUseFullDN = array( 'ourdomain' => true );
$wgLDAPGroupObjectclass = array( 'ourdomain' => "group" );
$wgLDAPGroupAttribute = array( 'ourdomain' => "member" );
$wgLDAPGroupNameAttribute = array( 'ourdomain' => "cn" );
$wgLDAPUseLDAPGroups = array( 'ourdomain' => true );
// Auto-login from the web server's authenticated user (REMOTE_USER), with any "@REALM" suffix stripped.
$wgLDAPAutoAuthUsername   = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"] );
$wgLDAPAutoAuthDomain     = 'ourdomain';
// Bind account used for searches; "CN=blah blah blah" and the password are placeholders.
$wgLDAPProxyAgent         = array('ourdomain' => 'CN=blah blah blah' );
$wgLDAPProxyAgentPassword = array('ourdomain' => 'password here' );
// Note: this overrides the $wgLDAPSearchStrings value assigned above.
$wgLDAPSearchStrings      = null;

Thank you very much for any insights.
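The LocalSettings.php fragment below is an added example that is not part of the post above and not the LDAPAuthentication extension's own code. It assumes the same 'ourdomain' domain as the poster's config, and uses two hypothetical AD groups, "Wiki-Editors" and "Wiki-Admins", as the groups that are allowed to edit. One check worth calling out: MediaWiki's defaults grant 'edit' to both the '*' group (anonymous) and the 'user' group (every logged-in account), so revoking it from '*' alone, as in the snippet in the post, still leaves every AD user who can log in able to edit; 'user' has to be revoked as well.

```php
<?php
// Added example (not the original post's config, not the extension's code).
// Goal: any AD user can log in, only members of specific AD groups can edit.
// Domain key 'ourdomain', base DN, server and group names are assumptions.

$wgLDAPDomainNames   = array( 'ourdomain' );
$wgLDAPServerNames   = array( 'ourdomain' => 'server1.domain server2.domain' );
$wgLDAPEncryptionType = array( 'ourdomain' => "ssl" );
$wgLDAPBaseDNs       = array( 'ourdomain' => "dc=example,dc=net" );
$wgLDAPSearchAttributes = array( 'ourdomain' => "sAMAccountName" );
$wgLDAPLowerCaseUsername = array( 'ourdomain' => true );
$wgLDAPUseLocal      = false;
$wgLDAPProxyAgent         = array( 'ourdomain' => 'CN=wiki-bind,OU=Service Accounts,DC=example,DC=net' ); // assumed
$wgLDAPProxyAgentPassword = array( 'ourdomain' => 'password here' );

// 1. Stop restricting logins. With no required groups, any AD account whose
//    bind succeeds gets a wiki account (it lands in the built-in 'user' group).
$wgLDAPRequiredGroups = array();

// 2. Mirror AD group membership into MediaWiki groups on every login.
//    The wiki group is named after the value of $wgLDAPGroupNameAttribute
//    ("cn" here), lower-cased: CN=Wiki-Editors,OU=Groups,DC=example,DC=net
//    becomes the wiki group "wiki-editors".
$wgLDAPUseLDAPGroups      = array( 'ourdomain' => true );
$wgLDAPGroupUseFullDN     = array( 'ourdomain' => true );
$wgLDAPGroupObjectclass   = array( 'ourdomain' => "group" );
$wgLDAPGroupAttribute     = array( 'ourdomain' => "member" );
$wgLDAPGroupNameAttribute = array( 'ourdomain' => "cn" );
// Let AD win over local group edits, except for groups administered in the wiki
// itself, which the extension must leave alone (list is an assumption for this site).
$wgLDAPGroupsPrevail        = array( 'ourdomain' => true );
$wgLDAPLocallyManagedGroups = array( 'ourdomain' => array( 'sysop', 'bureaucrat', 'bot' ) );

// 3. Revoke 'edit' from BOTH default groups. MediaWiki's DefaultSettings.php
//    grants it to '*' and to 'user'; leaving 'user' alone means every AD
//    account that can log in can still edit.
$wgGroupPermissions['*']['edit']    = false;
$wgGroupPermissions['user']['edit'] = false;

// 4. Grant 'edit' to the mirrored groups (lower-cased cn values). A group
//    only appears in Special:UserRights and Special:ListGroupRights once it
//    has an entry here; group sync alone does not register it.
$wgGroupPermissions['wiki-editors']['edit'] = true;
$wgGroupPermissions['wiki-admins']['edit']  = true;
// Page creation still requires 'edit', so no separate 'createpage' change is
// needed. 'upload' and 'move' are independent rights granted to 'user' by
// default; revoke them the same way if they should follow the AD groups.
$wgGroupPermissions['user']['upload']         = false;
$wgGroupPermissions['wiki-editors']['upload'] = true;
$wgGroupPermissions['wiki-admins']['upload']  = true;
```

To confirm the sync is working: log in as a member of one of the AD groups, then check Special:ListUsers (or the "Member of groups" line in that user's Special:Preferences); the lower-cased group name should be listed, and the row should also be present in the user_groups table. Groups not listed in $wgGroupPermissions are not offered in Special:UserRights even when the sync has added users to them, which is consistent with the groups never showing up there in the poster's current config.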

Maiden taiwan (talkcontribs)

This is with MediaWiki 1.22.5 and LDAPauthentication 2.0c.

84.246.165.57 (talkcontribs)

Any updates?
