Extension:LDAPGroups
This extension is part of the LDAP Stack and requires the LDAPProvider extension to be installed first.This extension allows to sync user groups from a LDAP resource, when a user logs into the wiki.
 Release status: stable |
|
|---|---|
|
|
| Author(s) | Cindy Cicalese, Mark A. Hershberger, Robert Vogel |
| Latest version | 3.0.0-alpha |
| Compatibility policy | Snapshots releases along with MediaWiki. Master is not backward compatible. |
| MediaWiki | 1.31+ |
| Composer | mediawiki/ldap-groups |
| License | GNU General Public License 2.0 |
| Download | |
|
|
| Quarterly downloads | 256 (Ranked 23rd) |
| Translate the LDAPGroups extension if it is available at translatewiki.net | |
Extension config settings
edit| Name | Default | Description |
|---|---|---|
SyncMechanismRegistry
|
{
"mappedgroups": "MediaWiki\\Extension\\LDAPGroups\\SyncMechanism\\MappedGroups::factory",
"allgroups": "MediaWiki\\Extension\\LDAPGroups\\SyncMechanism\\AllGroups::factory"
}
|
Allows registration of custom group sync mechanisms.
|
Domain config settings
edit| Name | Default | Description |
|---|---|---|
groupsync.mechanism
|
"mappedgroups"
|
The key of the sync mechanism (see above) to be used. by default there are two available:
|
groupsync.locally-managed
|
[]
|
Only used when groupsync.mechanism = allgroups. Takes an array of local user group names (not DNs!) that should not be assigned/unassigned automattically. Groups "sysop", "bureaucrat" and "bot" are implicitly locally managed.
|
groupsync.mapping
|
{}
|
Only used when groupsync.mechanism = mappedgroups.
Example:{
"mathematicians": "ou=mathematicians,dc=example,dc=com",
"scientists": "ou=scientists,dc=example,dc=com"
}
|
If you want to configure this in LocalSettings.php you can extend the configuration for LDAPProvider like in this example:
$LDAPProviderDomainConfigProvider = function() {
$config = [
'LDAP' => [
'connection' => [
...
],
'groupsync' => [
"mechanism" => "allgroups",
"locally-managed" => [ "local", "wiki", "group", "names" ]
]
]
];
...
Using LDAPGroups without LDAP authentication
editLDAPGroups needs to have information about which LDAP domain configuration to use for a user logging in. For this it uses a table in the database (ldap_domains). When using Extension:LDAPAuthentication2 this table automatically gets the necessary data filled in.
If you use another type of authentication (e.g. Auth_remoteuser or SimpleSAMLphp) you have to find another way of feeding this table. If you are using only one LDAP domain you can e.g. add this to your LocalSettings.php (again based on the example config for LDAPProvider):
function onUserLoggedIn_AddToDomain( $domain, $user ) {
$userDomainStore = new MediaWiki\Extension\LDAPProvider\UserDomainStore(
\MediaWiki\MediaWikiServices::getInstance()->getDBLoadBalancer()
);
$currentDomain = $userDomainStore->getDomainForUser( $user );
if ( !$currentDomain || $currentDomain != $domain ) {
$userDomainStore->setDomainForUser( $user, $domain );
}
}
$wgHooks['UserLoggedIn'][] = 'onUserLoggedIn_AddToDomain';
Versioning
edit| MediaWiki Release | Recommended Extension Version | Test Status | Latest Test Date |
|---|---|---|---|
| 1.35 (LTS) | LDAPxxx_master | Tested | March 2020 |
| This extension is included in the following wiki farms/hosts and/or packages: This is not an authoritative list. Some wiki farms/hosts and/or packages may contain this extension even if they are not listed here. Always check with your wiki farms/hosts or bundle to confirm. |