Extension:LDAPAuthorization/ja

This extension is maintained by members of the MediaWiki Stakeholders' Group.
This extension is part of the LDAP Stack and requires the LDAPProvider extension to be installed first.
This extension requires the PluggableAuth extension to be installed first.

This extension checks for certain authorization requirements when logging into a wiki using Extension:PluggableAuth or Extension:Auth remoteuser. If one of the requirements is not satisfied, the login process is cancelled.

MediaWiki extensions manual
LDAPAuthorization
Release status: stable
Author(s): Cindy Cicalese, Mark A. Hershberger, Robert Vogel
Latest version: 1.0.0
Compatibility policy: Snapshots released along with MediaWiki. Master is not backward compatible.
MediaWiki: 1.31+
Composer: mediawiki/ldap-authorization
License: GNU General Public License 2.0 or later
Download
Parameters:
  • $wgAutoAuthUsernameNormalizer
  • $wgAutoAuthRemoteUserStringParser
  • $wgAutoAuthRemoteUserStringParserRegistry
  • $wgAutoAuthBypassWithCookieUsernameRemoteAddrs

Check usage and version matrix.

Installation

  • Install the LDAPProvider and PluggableAuth extensions.
  • Download and place the file(s) in a directory called LDAPAuthorization in your extensions/ folder.
  • Add the following code at the bottom of your LocalSettings.php:
    wfLoadExtension( 'LDAPAuthorization' );
  • Configure as required.
  • Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.

Extension config settings

When using them in LocalSettings.php, these variables need to be prefixed with $LDAPAuthorization.

Name: AutoAuthRemoteUserStringParserRegistry
Default:
{
 "domain-backslash-username": "MediaWiki\\Extension\\LDAPAuthorization\\AutoAuth\\RemoteUserStringParser\\DomainBackslashUsername::factory",
 "username-at-domain": "MediaWiki\\Extension\\LDAPAuthorization\\AutoAuth\\RemoteUserStringParser\\UsernameAtDomain::factory"
}
Description: A registry of factory callbacks for the different parsers that extract domain and username from a provided domain-username string. Each factory callback must return an IRemoteUserStringParser object. Only used in case of auto-authentication provided by Extension:Auth remoteuser.

Name: AutoAuthRemoteUserStringParser
Default: "domain-backslash-username"
Description: Configures which parser is used to extract domain and username from a provided domain-username string. Allowed values are:
  • "domain-backslash-username" (use this if $_SERVER['REMOTE_USER'] = "SOMEDOMAIN\\Some username")
  • "username-at-domain" (use this if $_SERVER['REMOTE_USER'] = "some.username@somedomain.local")
Only used in case of auto-authentication provided by Extension:Auth remoteuser.

Name: AutoAuthUsernameNormalizer
Default: ""
Description: A callback that allows modifying the username when Extension:Auth_remoteuser is used for network-based authentication, e.g. "strtolower". If form-based authentication is also enabled through Extension:LDAPAuthentication2, this should have the same value as $LDAPAuthentication2UsernameNormalizer. Only used in case of auto-authentication provided by Extension:Auth remoteuser.

Domain config settings

Name: rules.groups.required
Default: []
Description: Array of group DNs, at least one of which the user must belong to in order to complete the login process. Belonging to one of the groups is sufficient (logical OR) to be authorized.

Name: rules.groups.excluded
Default: []
Description: Array of group DNs that the user must not be a member of in order to complete the login process. Belonging to one of the groups is sufficient (logical OR) to be forbidden to log in.

Name: rules.attributes
Default: {}
Description: This implements the "attributes mapping" rule from Extension:LDAP Authentication.

Example:

{
    "&": {
        "status": "active",
        "|": {
            "department": [ "100", "200" ],
            "level": [ "5", "6" ]
        }
    }
}

Name: rules.query
Default: ""
Description: Allows providing a standard LDAP query to be tested against the user. Comparable to $wgLDAPAuthAttribute from Extension:LDAP Authentication.

Example:

&(active=TRUE)(permissionAlias=cn=X,ou=Y,ou=accounts,dc=company,dc=local)
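The rules.groups and rules.attributes semantics described above, modelled as an added stand-alone example (not the extension's own code). It assumes that a list value means "any of these values", that a multi-valued user attribute matches if any of its values is wanted, that the top-level rule object is evaluated as "&", and that group DNs are compared literally.

```python
# Added example (not the extension's code): a stand-alone model of the
# rules.groups and rules.attributes semantics described above. Assumptions:
# a list value means "any of these", a multi-valued user attribute matches if
# any of its values is wanted, the top-level object is evaluated as "&", and
# group DNs are compared literally.
from typing import Any, Dict, List

# Constructed sample rule: the rules.attributes example from the page.
ATTRIBUTE_RULE: Dict[str, Any] = {
    "&": {
        "status": "active",
        "|": {"department": ["100", "200"], "level": ["5", "6"]},
    }
}

def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]

def attr_matches(user_attrs: Dict[str, Any], name: str, wanted: Any) -> bool:
    """True if any of the user's values for `name` is among the wanted values."""
    wanted_values = _as_list(wanted)
    return any(v in wanted_values for v in _as_list(user_attrs.get(name, [])))

def evaluate_rule(rule: Dict[str, Any], user_attrs: Dict[str, Any], op: str = "&") -> bool:
    """'&' needs every child to hold, '|' needs any child; an empty rule
    (the default {}) imposes no restriction."""
    if not rule:
        return True
    results = []
    for key, value in rule.items():
        if key in ("&", "|"):
            results.append(evaluate_rule(value, user_attrs, key))  # nested operator
        else:
            results.append(attr_matches(user_attrs, key, value))  # attribute test
    return all(results) if op == "&" else any(results)

def groups_authorized(user_groups: List[str], required: List[str], excluded: List[str]) -> bool:
    """One excluded group forbids the login; with a non-empty required list,
    membership in at least one required group is sufficient (logical OR)."""
    if any(g in excluded for g in user_groups):
        return False
    return not required or any(g in required for g in user_groups)

def login_allowed(user_attrs: Dict[str, Any], user_groups: List[str],
                  required: List[str], excluded: List[str],
                  rule: Dict[str, Any] = ATTRIBUTE_RULE) -> bool:
    """Every configured rule must pass for the login to proceed."""
    return groups_authorized(user_groups, required, excluded) and evaluate_rule(rule, user_attrs)
```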

If you want to configure this in LocalSettings.php, you can extend the configuration for LDAPProvider as in this example:

$LDAPProviderDomainConfigProvider = function() {
	$config = [
		'LDAP' => [
			'connection' => [
				...
			],
			'authorization' => [
				'rules' => [
					'groups' => [
						'required' => [ "groupname" ]
					]
				]
			]
		]
	];
...

Here is a complete example LocalSettings.php configuration for Active Directory:

$LDAPProviderDomainConfigProvider = function()
{
	$config =
	[
		"example.com" =>
		[
			"connection" =>
			[
				"server" => "ldap.example.com",
				"user" => "cn=ldap,cn=Users,dc=example,dc=com",
				"pass" => "password",
				"basedn" => "dc=example,dc=com",
				"groupbasedn" => "dc=example,dc=com",
				"userbasedn" => "dc=example,dc=com",
				"searchattribute" => "samaccountname",
				"searchstring" => "USER-NAME@example.com",
				"usernameattribute" => "samaccountname",
				"realnameattribute" => "cn",
				"emailattribute" => "mail",
				"grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
			],
			"authorization" =>
			[
				"rules" =>
				[
					"groups" =>
					[
						"required" => [ "cn=Developers,cn=Users,dc=example,dc=com" ]
					]
				]
			],
			"groupsync" =>
			[
				"mechanism" => "mappedgroups",
				"mapping" =>
				[
					"sysop" => "cn=Developers,cn=Users,dc=example,dc=com",
					"bureaucrat" => "cn=Developers,cn=Users,dc=example,dc=com"
				]
			],
			"userinfo" =>
			[
				"email" => "mail",
				"realname" => "cn",
				"properties.gender" => "gender"
			]
		]
	];

	return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

Versioning

LDAP Stack Extensions are targeted/qualified for MediaWiki LTS releases only.
However, this table helps to determine which extension-releases to use across all recent versions.

MediaWiki release | Recommended extension version | Test status | Last tested
1.31 (LTS) | LDAPxxx_REL1_31 | Tested, recommended | March 2020
1.32 | LDAPxxx_REL1_31 | Not tested | -
1.33 | LDAPxxx_REL1_31 | Tested | March 2020
1.34 | LDAPxxx_REL1_31 | Tested | March 2020
1.35 (LTS planned) | LDAPxxx_master | Tested | March 2020