Extension:LDAPProvider

En tant que successeur de LDAP Authentication un $2 a été créé. They all need to interact with a remote LDAP resource. To ease and unify configuration and maintenance, this extension was created. It provides classes and configuration to query data from LDAP resources.
![]() État de la version : stable |
|
---|---|
![]() |
|
Description | Provides a common infrastructure to connect to a LDAP resource and run queries against it. |
Auteur(s) | |
Dernière version | 1.0.5 |
Politique de compatibilité | Versions ponctuelles alignées avec MediaWiki. Le master n'est pas compatible arrière. |
MediaWiki | >= 1.35.0 |
Modifie la base de données |
Oui |
Composer | mediawiki/ldap-provider |
Licence | Licence publique générale GNU v2.0 ou ultérieur |
Téléchargement | |
|
|
Quarterly downloads | 1,081 (Ranked 5th) |
Traduire l’extension LDAPProvider sur translatewiki.net si elle y est disponible | |
Problèmes | Tâches ouvertes · Signaler un bogue |
Installation
- Téléchargez et placez le(s) fichier(s) dans un répertoire appelé
LDAPProvider
dans votre dossierextensions/
. - Ajoutez le code suivant à la fin de votre fichier
LocalSettings.php
:wfLoadExtension( 'LDAPProvider' );
- Run
php maintenance/update.php
to create the necessary database table(s). - Configure as required
- Fait – Accédez à Special:Version sur votre wiki pour vérifier que l'extension a bien été installée.
Configuration
« Extension config » avec « Domain config »
This extension features two kinds of configuration.
On the one side there is the classic "extension configuration".
It can be set up by using global variables within the LocalSettings.php
.
Be aware that those variables do not have a wg
prefix.
Those settings affect the extension as a whole.
On the other side there is a configuration that is specific to a remote LDAP resource, like connection settings, group membership query mechanism or base DNs. Multiple domains can be configured independently. These settings only affect the communication to the LDAP resource, based on the domain that this resource serves.
Paramètres de configuration des extensions
Nom | Valeur par défaut | Description |
---|---|---|
CacheType
|
"CACHE_ANYTHING"
|
The sort of cache to use for the connection information. |
CacheTime
|
500
|
How long cached items should stick around in seconds. |
ClientRegistry
|
[]
|
Allows registration of custom clients. The key is the domain to be handled, the value is a callback that returns an objects which derives from Client .
|
DomainConfigs
|
"/etc/mediawiki/ldapprovider.json"
|
Stores per domain configuration. Only evaluated if $LDAPProviderDomainConfigProvider is set to use the default LocalJSONFile . See below.
|
DomainConfigProvider
|
"\\MediaWiki\\Extension\\LDAPProvider\\DomainConfigProvider\\LocalJSONFile::newInstance"
|
Specifies the mechanism for obtaining the domain configuration. Must be a callback that returns an IDomainConfigProvider .
|
DefaultDomain
|
""
|
Specifies the domain to fall back in case no domain was found for a user. This is often the case when using Extension:Auth_remoteuser for network based authentication. |
PreSearchUsernameModifierRegistry
|
[ "removespaces": "\\MediaWiki\\Extension\\LDAPProvider\\PreSearchUsernameModifier\\RemoveSpaces::newInstance", "spacetounderscore": "\\MediaWiki\\Extension\\LDAPProvider\\PreSearchUsernameModifier\\SpacesToUnderscores::newInstance", "spacestounderscores": "\\MediaWiki\\Extension\\LDAPProvider\\PreSearchUsernameModifier\\SpacesToUnderscores::newInstance", "strtolower": "\\MediaWiki\\Extension\\LDAPProvider\\PreSearchUsernameModifier\\ToLower::newInstance", "lowercase": "\\MediaWiki\\Extension\\LDAPProvider\\PreSearchUsernameModifier\\ToLower::newInstance" ] |
Specifies factory callbacks for objects of type MediaWiki\Extension\LDAPProvider\IPreSearchUsernameModifier . The keys can be used in the domain configuration in the field connection.presearchusernamemodifiers . Example for a custom modifier:
$LDAPProviderPreSearchUsernameModifierRegistry ['custom-prefix-modifier'] = function() { return new MediaWiki\Extension\LDAPProvider \PreSearchUsernameModifier\GenericCallback( function( $username ) { return "some_prefix_$username"; } ); }; |
Paramètres de configuration du domaine
Nom | Valeur par défaut | Description |
---|---|---|
server
|
- | One or more hostnames of the LDAP backend. Separated by a single space. |
port
|
389
|
The port the LDAP server is listening to |
user
|
""
|
The FQDN of a user who has at least read rights |
pass
|
""
|
The password for the user above |
options
|
{} (JSON object or indexed PHP array)
|
LDAP specific options. Must be string literals as key. |
enctype
|
clear
|
Must be one of 'ldapi' , 'ssl' , 'tls' , or 'clear'
|
groupbasedn
|
""
|
Used for group membership queries |
userbasedn
|
""
|
Used for user info queries. Also for resolving a local username into an appropriate user DN |
searchattribute
|
""
|
Attribute to use in searches for user DN. "uid" and "samaccountname" are common. A "searchstring" will skip this search, if your user's DNs follow a single pattern. |
searchstring
|
""
|
Provides a pattern for user DN, in lieu of searching for it by "searchattribute" and username.
Value should be an example DN with "USER-NAME" in the place of a real username. e.g. "CN=USER-NAME,OU=Users,DC=example,DC=com" |
grouprequest
|
"MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupUniqueMember::factory"
|
Mechanism to fetch user group data. There are five types available:
Which one to choose depends on the LDAP backend.
GroupUniqueMember searches for "groupofUniqueName" objects where "(uniqueMember=$userDN)". UserMemberOf searches for "memberOf" attributes of the user's own LDAP object. "Configurable" does a custom search, "(&(objectclass=$objectClass)($groupAttribute=$userDN))". See groupobjectclass and groupattribute, below. GroupMemberUid searches for "posixGroup" objects by "(member=$userUid)", or nested groups, if configured (see "nestedgroups" below). |
groupobjectclass
|
""
|
In case Configurable is used in grouprequest the groupobjectclass can be specified here. E.g. group
|
groupattribute
|
"member"
|
In case Configurable is used in grouprequest the groupattribute can be specified here. E.g. member
|
presearchusernamemodifiers
|
[]
|
Username modifiers, for the purpose of LDAP-query. Useful when LDAP usernames do not match MediaWiki username format. ( e.g. LDAP accounts use underscores-instead-of-spaces, or need to be lower-cased ) The modified username will be used with "searchstring" or "searchattribute" methods of determining user DN.
|
nestedgroups
|
false
|
Whether to use LDAP_MATCHING_RULE_IN_CHAIN to fetch nested groups. Will only work for Microsoft Active Directory and with grouprequest = MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory
|
Fournisseurs de configuration de domaines
By default the domain specific configuration is held in a static JSON file.
But one can also use a PHP based (dynamic) configuration.
The relevant extension configuration is $LDAPProviderDomainConfigProvider
.
It needs to be a callback that returns an object of type IDomainConfigProvider
.
Fichier JSON statique
This is the default way.
Just set up the extension configuration $LDAPProviderDomainConfigs
to point to a valid JSON file (should be outside of web root).
$LDAPProviderDomainConfigs = "$IP/../ldapprovider.json";
Example:
{
"LDAP": {
"connection": {
"server": "ldap.forumsys.com",
"user": "cn=read-only-admin,dc=example,dc=com",
"pass": "password",
"options": {
"LDAP_OPT_DEREF": 1
},
"basedn": "dc=example,dc=com",
"groupbasedn": "dc=example,dc=com",
"userbasedn": "dc=example,dc=com",
"searchattribute": "uid",
"searchstring": "uid=USER-NAME,dc=example,dc=com",
"usernameattribute": "uid",
"realnameattribute": "cn",
"emailattribute": "mail"
}
}
}
Tableau PHP dynamique
As an alternative to the JSON file one can use a PHP array to configure the domains.
In this case, just have the $LDAPProviderDomainConfigs
callback return an instance of InlinePHPArray.
Example
$LDAPProviderDomainConfigProvider = function() {
$config = [
'LDAP' => [
'connection' => [
"server" => "ldap.forumsys.com",
"user" => "cn=read-only-admin,dc=example,dc=com",
"pass" => 'password',
"options" => [
"LDAP_OPT_DEREF" => 1
],
"basedn" => "dc=example,dc=com",
"groupbasedn" => "dc=example,dc=com",
"userbasedn" => "dc=example,dc=com",
"searchattribute" => "uid",
"searchstring" => "uid=USER-NAME,dc=example,dc=com",
"usernameattribute" => "uid",
"realnameattribute" => "cn",
"emailattribute" => "mail"
]
]
];
return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
Versions
Versions MediaWiki | Recommended Extension Version | Etat du test | Date du dernier test |
---|---|---|---|
1.35 (LTS) | LDAPxxx_master | Testé | mars 2020 |
Guide de dépannage
Exception: « Pas de configuration disponible pour le domaine 'XYZ'! »
Please make sure, that the values in the database field ldap_domains.domain_id
match with the values set in the first level of the domain-configuration (e.g. in ldapprovider.json
, you will need to replace "LDAP" at the top level with your domain.
This can be checked by viewing the $_SERVER['USERDOMAIN']
entry in your server's phpinfo()
).
If they don't, you can either change the entries in the database using UPDATE ldap_domains SET domain = "DomainNameAsInConfiguration";
or adapt the configuration.
Attention: In the current version, the domain name is case sensitive.
Exception: « Pas de section 'authorization' trouvée dans la configuration pour le domaine 'LDAP' »
If you enabled the LDAPAuthorization extension (as recommended in the PluggableAuth documentation), you need to add the authorization configuration in the LDAPProvider domain config (more info here)
Warning: The supplied credentials are not associated with any user on this wiki.
Check that "userbasedn" and "searchattribute" are correct.
Exemples de bout en bout
Cette extension est incluse dans les paquets et / ou les fermes de wikis suivants : Cette liste ne fait pas autorité. Certaine fermes de wikis ou d'hébergeurs peuvent contenir ce extension même s'ils ne figurent pas ici. Vérifiez toujours cela dans votre environement avant de confirmer. |