Extension:LDAPGroups

This extension is part of the LDAP Stack and requires the LDAPProvider extension to be installed first.

This extension allows to sync user groups from a LDAP resource, when a user logs into the wiki.

MediaWiki extensions manual
LDAPGroups
Release status: stable
Author(s) Cindy Cicalese, Mark A. Hershberger, Robert Vogel
Latest version 3.0.0-alpha
Compatibility policy Snapshots releases along with MediaWiki. Master is not backward compatible.
MediaWiki 1.31+
Composer mediawiki/ldap-groups
License GNU General Public License 2.0
Download
  • $wgSyncMechanismRegistry
Quarterly downloads 215 (Ranked 27th)
Translate the LDAPGroups extension if it is available at translatewiki.net

Extension config settings

edit
When using them in LocalSettings.php, these variables need to be prefixed with $LDAPGroups
Name Default Description
SyncMechanismRegistry
{
	"mappedgroups": "MediaWiki\\Extension\\LDAPGroups\\SyncMechanism\\MappedGroups::factory",
	"allgroups": "MediaWiki\\Extension\\LDAPGroups\\SyncMechanism\\AllGroups::factory"
}
Allows registration of custom group sync mechanisms.


The factory callbacks must return an object of type ISyncMechanism.

Domain config settings

edit
Name Default Description
groupsync.mechanism "mappedgroups" The key of the sync mechanism (see above) to be used. by default there are two available:
  • "mappedgroups": This re-implements the logic of Extension:LdapGroups and allows to assign local user groups based on group DNs the user belongs to in the LDAP resource..
  • "allgroups": This syncs all groups a user is assigned to in the LDAP resource based on their CN. Be aware that only groups are synced that exist in the local wiki configuration ($wgGroupPermissions). This re-implements the behaviour of Extension:LDAP Authentication.
groupsync.locally-managed [] Only used when groupsync.mechanism = allgroups. Takes an array of local user group names (not DNs!) that should not be assigned/unassigned automattically. Groups "sysop", "bureaucrat" and "bot" are implicitly locally managed.
groupsync.mapping {} Only used when groupsync.mechanism = mappedgroups. Example:
{
	"mathematicians": "ou=mathematicians,dc=example,dc=com",
	"scientists": "ou=scientists,dc=example,dc=com"
}

If you want to configure this in LocalSettings.php you can extend the configuration for LDAPProvider like in this example:

$LDAPProviderDomainConfigProvider = function() {
	$config = [
		'LDAP' => [
			'connection' => [
				...
			],
			'groupsync' => [
				"mechanism" => "allgroups",
				"locally-managed" => [ "local", "wiki", "group", "names" ]
			]
		]
	];
...

Using LDAPGroups without LDAP authentication

edit

LDAPGroups needs to have information about which LDAP domain configuration to use for a user logging in. For this it uses a table in the database (ldap_domains). When using Extension:LDAPAuthentication2 this table automatically gets the necessary data filled in.

If you use another type of authentication (e.g. Auth_remoteuser or SimpleSAMLphp) you have to find another way of feeding this table. If you are using only one LDAP domain you can e.g. add this to your LocalSettings.php (again based on the example config for LDAPProvider):

function onUserLoggedIn_AddToDomain( $domain, $user ) {
	$userDomainStore = new MediaWiki\Extension\LDAPProvider\UserDomainStore(
		\MediaWiki\MediaWikiServices::getInstance()->getDBLoadBalancer()
	);

	$currentDomain = $userDomainStore->getDomainForUser( $user );

	if ( !$currentDomain || $currentDomain != $domain ) {
		$userDomainStore->setDomainForUser( $user, $domain );
	}
}
$wgHooks['UserLoggedIn'][] = 'onUserLoggedIn_AddToDomain';

Versioning

edit
LDAP Stack Extensions are targeted/qualified for MediaWiki LTS releases only.
However, this table helps to determine which extension-releases to use across all recent versions.

MediaWiki Release Recommended Extension Version Test Status Latest Test Date
1.35 (LTS) LDAPxxx_master Tested March 2020