Topic on Extension talk:LDAPGroups

LDAP Group Sync

2 comments • 12:42, 31 May 2022 1 year ago
2
PKvin (talkcontribs)

Hello, i am newbie in mediawiki and i am setting up ldap. I managed to connect the active directory database with media wiki and it works perfectly. However, I still can't sync AD groups with mediawiki groups.

My goal is that only users from the bureaucrat and sysop groups can edit the wiki. Others can only read.

Do you know how to do it? Here is my ldap.json:


{

   "xbeta.local": {

       "connection": {

           "server": "172.45.0.1",

           "port": "3268",

           "user": "CN=svc_wiki,OU=Cmpt_Serveurs,DC=xbeta,DC=local",

           "pass": "//masked",

           "enctype": "clear",

           "options": {

               "LDAP_OPT_DEREF": 1

           },

           "basedn": "dc=xbeta,dc=local",

           "userbasedn": "dc=xbeta,dc=local",

           "groupbasedn": "dc=xbeta,dc=local",

           "searchattribute": "samaccountname",

           "usernameattribute": "samaccountname",

           "realnameattribute": "cn",

           "emailattribute": "mail",

           "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",

           "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]

       },

       "userinfo": [],

       "authorization": [],

       "groupsync": {

           "mapping": {

               "sysop": "OU=Architecture,OU=DSI,DC=xbeta,DC=local",

               "bureaucrat": "OU=Support,OU=DSI,DC=xbeta,DC=local"

           }

       }

   }

}

And a part of my localsetting.php :


// Create Wiki-Group 'engineering' from default user group

$wgGroupPermissions['engineering'] = $wgGroupPermissions['user'];

// Private Wiki. External LDAP login. Default NS requires login.

$wgEmailConfirmToEdit = false;

$wgGroupPermissions['*']['edit'] = false;

$wgGroupPermissions['*']['read'] = true;

$wgGroupPermissions['*']['createaccount'] = false;

$wgGroupPermissions['sysop']['createaccount'] = false;

$wgGroupPermissions['*']['autocreateaccount'] = true;

$wgBlockDisablesLogin = true;

// Load LDAP Config from JSON

$ldapJsonFile = "$IP/ldap.json";

$ldapConfig = false;

if (is_file($ldapJsonFile) && is_dir("$IP/extensions/LDAPProvider")) {

  $testJson = @json_decode(file_get_contents($ldapJsonFile),true);

  if (is_array($testJson)) {

   $ldapConfig = true;

  } else {

   error_log("Found invalid JSON in file: $IP/ldap.json");

  }

}

// Activate Extension

if ( $ldapConfig ) {

  wfLoadExtension( 'PluggableAuth' );

  wfLoadExtension( 'LDAPProvider' );

  wfLoadExtension( 'LDAPAuthentication2' );

  wfLoadExtension( 'LDAPAuthorization' );

  wfLoadExtension( 'LDAPUserInfo' );

  wfLoadExtension( 'LDAPGroups' );

  $LDAPProviderDomainConfigs = $ldapJsonFile;

  $wgPluggableAuth_ButtonLabel = "Log in";

  // Force LDAPGroups to sync by choosing a domain ( e.g. first JSON object in ldap.json )

  $LDAPProviderDefaultDomain = "xbeta.local";

  if ($wikiRequestSafe) { $LDAPAuthentication2AllowLocalLogin = true; }

}

# End of automatically generated settings.

# Add more configuration options below.


Thanks a lot for your help !

Reply 08:05, 31 May 2022 1 year ago
Osnard (talkcontribs)

Looks good in general. Have you checked if the following CLI scripts work properly?

  • php extensions/LDAPProvider/maintenance/CheckLogin.php --domain xbeta.local --username <someusername>
  • php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain xbeta.local --username <someusername>
  • php extensions/LDAPProvider/maintenance/ShowGroups.php --domain xbeta.local --username <someusername>
Reply 12:42, 31 May 2022 1 year ago
Reply to "LDAP Group Sync"
Retrieved from "https://www.mediawiki.org/wiki/Topic:Wwk2p6i7l5d98ab6"