I have MW 1.31 with PluggableAuth and SimpleSAMLphp extensions working and looking to validate authorization based on AD group membership. Can I see an example of the settings to allow members of the WikiUsers security group to be authorized?
Topic on Extension talk:LDAP Authorization
There is no example that I know of specific to AD group membership. You would need to find out what the LDAP attribute name and value are that you want to filter on by querying your LDAP directory. Then you would need to configure LDAP Authorization with something like:
$LDAPAuthorization_Rules = [ "group" => "WikiUsers" ];
I'm still struggling with this. Can you clarify if I need to provide a $LDAPAuthorization_Filter? Are you able map the settings I used in the LDAP Authentication extension to the new LDAP Authorization settings?
$wgLDAPGroupAttribute = array( "removed"=>"member" );
$wgLDAPGroupNameAttribute = array( "removed"=>"cn" );
$wgLDAPGroupObjectclass = array( "removed"=>"group" );
$wgLDAPRequiredGroups = array( "<removed>"=>array("cn=WikiUsers,ou=groups,dc=removed,dc=com") );
I think this should be the filter:
$LDAPAuthorization_Filter = "(memberOf=cn=WikiUsers,dc=removed,dc=com)";
I still don't know what to enter for the rules to look for the user in the filter.
Using ldapsearch, I know I'm able to bind to the server and search for a specific user of that WikiUsers group.
ldapsearch -x -h servername.removed.com -D ldapuser -W -b "dc=removed,dc=com" "(&(objectClass=user)(sAMAccountName=jeff)(memberOf=cn=WikiUsers,dc=removed,dc=com))"
I just don't know how to translate this to the ldap authorization settings.
I still can't get this to authorize me, but I'm now thinking the filter should be similar to the one below, where USERNAME will be pulled from the simplesaml extension setting: $wgSimpleSAMLphp_UsernameAttribute. Is that correct? I'm putting aside the search for group membership until I can get a user authorized. Instead I'm looking for department IT.
require_once "$IP/extensions/LDAPAuthorization/LDAPAuthorization.php";
$LDAPAuthorization_ServerName = "ldap://servername.removed.com";
$LDAPAuthorization_ServerPort = "389";
$LDAPAuthorization_UseTLS = false;
$LDAPAuthorization_SearchString = "dc=removed,dc=com";
$LDAPAuthorization_Filter = "(sAMAccountName=USERNAME)";
$LDAPAuthorization_Rules = [
"department" => "IT"
];
There is a new version of LDAP Authorization that will be released imminently and that changes the configuration. It is part of a suite of LDAP extensions that share configuration to simplify their use together. You may want to wait and go with the new version. @Osnard is working on preparing the release now.