Extension:LDAPProvider

This page is a translated version of the page Extension:LDAPProvider and the translation is 68% complete.
Outdated translations are marked like this.
Other languages:
English • ‎Türkçe • ‎français • ‎日本語
MediaWiki Stakeholders' Group Logo.svg Bu uzantı, MediaWiki Paydaşlar Grubu üyesi tarafından sürdürülmektedir.

LDAP Authentication halefi olarak bir stack of LDAP related extensions yaratıldı. Hepsinin uzak bir LDAP kaynağıyla etkileşime girmesi gerekir. Yapılandırma ve bakımı kolaylaştırmak ve birleştirmek için bu uzantı oluşturuldu. To ease and unify configuration and maintenance, this extension was created. LDAP kaynaklarından verileri sorgulamak için sınıflar ve yapılandırma sağlar.

MediaWiki manüel uzantıları
OOjs UI icon advanced.svg
LDAPProvider
Sürüm durumu: kararlı
MWStake LDAPStack Icon.svg
Açıklama Provides a common infrastructure to connect to a LDAP resource and run queries against it.
Yazar(lar) Cindy Cicalese, Mark A. Hershberger, Robert Vogel
En son sürüm 1.0.3
Uyumluluk politikası Snapshots releases along with MediaWiki. Master is not backwards compatible.
MediaWiki 1.31+
Veritabanı değişiklikleri Evet
Lisans GNU Genel Kamu Lisansı 2.0 veya üstü
İndir
  • $LDAPProviderCacheTime
  • $LDAPProviderCacheType
  • $LDAPProviderPreSearchUsernameModifierRegistry
  • $LDAPProviderDefaultDomain
  • $LDAPProviderDomainConfigs
  • $LDAPProviderDomainConfigProvider
  • $LDAPProviderClientRegistry
Translatewiki.net adresinde mevcutsa, LDAPProvider uzantısını çevirin

Kullanım ve sürüm matrisini kontrol edin.

Sorunlar Açık görevler · Hata bildir

Kurulum

  • Download and place the file(s) in a directory called LDAPProvider in your extensions/ folder.
  • LocalSettings.php dosyanızın altına aşağıdaki kodu ekleyin:
    wfLoadExtension( 'LDAPProvider' );
    
  • Run php maintenance/update.php to create the necessary database table(s).
  • Configure as required
  •   Yapıldı – Uzantının başarıyla yüklendiğini doğrulamak için vikinizde Special:Version seçeneğine gidin.

"Extension config" ve "Domain config"

This extensions features two kinds of configuration. On the one side there is the classic "extension configuration". It can be set up by using global variables within the LocalSettings.php. Be aware that those variables do not have a wg prefix. Those settings affect the extension as a whole.

On the other side there is a configuration that is specific to a remote LDAP resource, like connection settings, group membership query mechanism or base DNs. Multiple domains can be configured independently. These settings only affect the communication to the LDAP resource, based on the domain that this resource serves.

Uzantı yapılandırma ayarları

When using them in LocalSettings.php, these variables need to be prefixed with $LDAPProvider
Ad Varsayılan Açıklama
CacheType "CACHE_ANYTHING" The sort of cache to use for the connection information.
CacheTime 500 How long cached items should stick around in seconds.
ClientRegistry [] Allows registration of custom clients. The key is the domain to be handled, the value is a callback that returns an objects which derives from Client.
DomainConfigs "/etc/mediawiki/ldapprovider.json" Stores per domain configuration. Only evaluated if $LDAPProviderDomainConfigProvider is set to use the default LocalJSONFile. See below.
DomainConfigProvider "\\MediaWiki\\Extension\\LDAPProvider\\DomainConfigProvider\\LocalJSONFile::newInstance" Specifies the mechanism for obtaining the domain configuration. Must be a callback that returns an IDomainConfigProvider.
DefaultDomain "" Specifies the domain to fall back in case no domain was found for a user. This is often the case when using Extension:Auth_remoteuser for network based authentication.
PreSearchUsernameModifierRegistry
[
	"removespaces": "\\MediaWiki\\Extension\\LDAPProvider\\PreSearchUsernameModifier\\RemoveSpaces::newInstance",
	"spacetounderscore": "\\MediaWiki\\Extension\\LDAPProvider\\PreSearchUsernameModifier\\SpacesToUnderscores::newInstance",
	"spacestounderscores": "\\MediaWiki\\Extension\\LDAPProvider\\PreSearchUsernameModifier\\SpacesToUnderscores::newInstance",
	"strtolower": "\\MediaWiki\\Extension\\LDAPProvider\\PreSearchUsernameModifier\\ToLower::newInstance",
	"lowercase": "\\MediaWiki\\Extension\\LDAPProvider\\PreSearchUsernameModifier\\ToLower::newInstance"
]
Specifies factory callbacks for objects of type MediaWiki\\Extension\\LDAPProvider\\IPreSearchUsernameModifier. The keys can be used in the domain configuration in the field connection.presearchusernamemodifiers. Example for a custom modifier:
$LDAPProviderPreSearchUsernameModifierRegistry
['custom-prefix-modifier'] = function() {
  return new MediaWiki\Extension\LDAPProvider
  \PreSearchUsernameModifier\GenericCallback(
    function( $username ) {
      return "some_prefix_$username";
  } );
};

Etki alanı yapılandırma ayarları

Ad Varsayılan Açıklama
server - One or more hostnames of the LDAP backend. Separated by a single space.
port 389 The port the LDAP server is listening to
user "" The FQDN of a user who has at least read rights
pass "" The password for the user above
options {} (JSON object or indexed PHP array) LDAP specific options. Must be string literals as key.
enctype clear Must be one of 'ldapi', 'ssl', 'tls', or 'clear'
groupbasedn "" Used for group membership queries
userbasedn "" Used for user info queries. Also for resolving a local username into an appropriate user DN
searchattribute "" Attribute to use in searches for user DN. "uid" and "samaccountname" are common. A "searchstring" will skip this search, if your user's DNs follow a single pattern.
searchstring "" Provides a pattern for user DN, in lieu of searching for it by "searchattribute" and username.

Value should be an example DN with "USER-NAME" in the place of a real username.

e.g.

"CN=USER-NAME,OU=Users,DC=example,DC=com"

grouprequest "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupUniqueMember::factory" Mechanism to fetch user group data. There are four types available:
  • "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
  • "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupUniqueMember::factory"
  • "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory"
  • "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\Configurable::factory"

Which one to choose depends on the LDAP backend.


GroupMember searches for "group" objects by "(member=$userDN)", including nested groups, if configured (see "nestedgroups" below).

GroupUniqueMember searches for "groupofUniqueName" objects where "(uniqueMember=$userDN)".

UserMemberOf searches for "memberOf" attributes of the user's own LDAP object.

"Configurable" does a custom search, "(&(objectclass=$objectClass)($groupAttribute=$userDN))". See groupobjectclass and groupattribute, below.

groupobjectclass "" In case Configurable is used in grouprequest the groupobjectclass can be specified here. E.g. group
groupattribute "member" In case Configurable is used in grouprequest the groupattribute can be specified here. E.g. member
presearchusernamemodifiers [] Username modifiers, for the purpose of LDAP-query.
Useful when LDAP usernames do not match MediaWiki username format.
( e.g. LDAP accounts use underscores-instead-of-spaces, or need to be lower-cased )
The modified username will be used with "searchstring" or "searchattribute" methods of determining user DN.


Use one-or-more of the available modifiers:

  • lowercase
  • removespaces
  • spacestounderscores


Sample Usage:
[ "lowercase" ]
[ "removespaces" ]
[ "spacestounderscores", "lowercase" ]

Working Example: Login-User Joe Bloggs will be translated to joe_bloggs LDAP search query,
with config of: [ "spacestounderscores", "lowercase" ]

Additional modifiers can be registered through the $LDAPProviderPreSearchUsernameModifierRegistry (see above) variable.

nestedgroups false Whether to use LDAP_MATCHING_RULE_IN_CHAIN to fetch nested groups. Will only work for Microsoft Active Directory and with grouprequest = MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory


Specifically, this is a search for group objects where "(member:1.2.840.113556.1.4.1941:=$userDN)".

Etki alanı yapılandırma sağlayıcıları

By default the domain specific configuration is held in a static JSON file. But one can also use a PHP based (dynamic) configuration. The relevant extension configuration is $LDAPProviderDomainConfigProvider. It needs to be a callback that returns an object of type IDomainConfigProvider.

Statik JSON dosyası

This is the default way. Just set up the extension configuration $LDAPProviderDomainConfigs to point to a valid JSON file (should be outside of web root).

$LDAPProviderDomainConfigs = "$IP/../ldapprovider.json";

Example:

{
	"LDAP": {
		"connection": {
			"server": "ldap.forumsys.com",
			"user": "cn=read-only-admin,dc=example,dc=com",
			"pass": "password",
			"options": {
				"LDAP_OPT_DEREF": 1
			},
			"basedn": "dc=example,dc=com",
			"groupbasedn": "dc=example,dc=com",
			"userbasedn": "dc=example,dc=com",
			"searchattribute": "uid",
			"searchstring": "uid=USER-NAME,dc=example,dc=com",
			"usernameattribute": "uid",
			"realnameattribute": "cn",
			"emailattribute": "mail"
		}
	}
}

Dinamik PHP dizisi

As an alternative to the JSON file one can use a PHP array to configure the domains. In this case, just have the $LDAPProviderDomainConfigs callback return an instance of InlinePHPArray.

Example

$LDAPProviderDomainConfigProvider = function() {
	$config = [
		'LDAP' => [
			'connection' => [
				"server" => "ldap.forumsys.com",
				"user" => "cn=read-only-admin,dc=example,dc=com",
				"pass" => 'password',
				"options" => [
					"LDAP_OPT_DEREF" => 1
				],
				"basedn" => "dc=example,dc=com",
				"groupbasedn" => "dc=example,dc=com",
				"userbasedn" => "dc=example,dc=com",
				"searchattribute" => "uid",
				"searchstring" => "uid=USER-NAME,dc=example,dc=com",
				"usernameattribute" => "uid",
				"realnameattribute" => "cn",
				"emailattribute" => "mail"
			]
		]
	];

	return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

Sürüm oluşturma

LDAP Yığın Uzantıları yalnızca MediaWiki LTS sürümleri için hedeflenir/uygundur.
Ancak bu tablo, tüm son sürümlerde hangi uzantı sürümlerinin kullanılacağını belirlemeye yardımcı olur.

MediaWiki Sürümü Önerilen Uzantı Sürümü Test Durumu En Son Test Tarihi
1.31 (LTS) LDAPxxx_REL1_31 Test Edildi, Önerilen Mart 2020
1.32 LDAPxxx_REL1_31 Test Edilmedi -
1.33 LDAPxxx_REL1_31 Test Edildi Mart 2020
1.34 LDAPxxx_REL1_31 Test Edildi Mart 2020
1.35 (LTS Planlı) LDAPxxx_master Test Edildi Mart 2020

Sorun giderme

İstisna: "'XYZ' alanı için yapılandırma yok!"

Please make sure, that the values in the database field ldap_domains.domain_id match with the values set in the first level of the domain-configuration (e.g. in ldapprovider.json, you will need to replace "LDAP" at the top level with your domain. This can be checked by viewing the $_SERVER['USERDOMAIN'] entry in your server's phpinfo() ). If they don't, you can either change the entries in the database using UPDATE ldap_domains SET domain_id = "DomainNameAsInConfiguration"; or adapt the configuration. Attention: In the current version, the domain name is case sensitive.

İstisna: "'LDAP' etki alanı için yapılandırmada 'yetkilendirme' bölümü bulunamadı"

If you enabled the LDAPAuthorization extension (as recommended in the PluggableAuth documentation), you need to add the authorization configuration in the LDAPProvider domain config (more info here)

Uçtan Uca Örnekler