Extension:LDAP Authentication/Changelog

MediaWiki extensions manual
OOjs UI icon advanced-invert.svg
LDAP Authentication
Release status: unmaintained
Implementation User identity
Description Provides LDAP authentication, and some authorization functionality for MediaWiki
Author(s) Ryan Lane (Ryan lanetalk)
Latest version 2.1.0 (2018-10-11)
Compatibility policy Snapshots releases along with MediaWiki. Master is not backward compatible.
MediaWiki 1.19-1.26
Database changes Yes
License GNU General Public License 2.0 or later
  • $wgAutoAuthUsername
  • $wgGroupsUseMemberOf
  • $wgDomainNames
  • $wgEncryptionType
  • $wgSearchAttributes
  • $wgGroupUseFullDN
  • $wgPort
  • $wgWriterPassword
  • $wgUserBaseDNs
  • $wgGroupBaseDNs
  • $wgUseLDAPGroups
  • $wgAutoAuthDomain
  • $wgWriteLocation
  • $wgProxyAgentPassword
  • $wgUseLocal
  • $wgLockPasswordPolicy
  • $wgLockOnBlock
  • $wgLocallyManagedGroups
  • $wgAddLDAPUsers
  • $wgProxyAgent
  • $wgServerNames
  • $wgPasswordHash
  • $wgAuthAttribute
  • $wgGroupSearchNestedGroups
  • $wgExcludedGroups
  • $wgGroupNameAttribute
  • $wgRequiredGroups
  • $wgBaseDNs
  • $wgGroupAttribute
  • $wgOptions
  • $wgGroupsPrevail
  • $wgDisableAutoCreate
  • $wgGroupObjectclass
  • $wgLowerCaseUsername
  • $wgUpdateLDAP
  • $wgDebug
  • $wgMailPassword
  • $wgSearchStrings
  • $wgPreferences
  • $wgActiveDirectory
  • $wgGroupUseRetrievedUsername
  • $wgGroupSearchPosixPrimaryGroup
  • $wgWriterDN
Issues Open tasks · Report a bug
Warning Warning: The extension has not been fully updated for MediaWiki 1.27+ (AuthManager); LdapAutoAuthentication will not work with that version. See gerrit:286705 for details.


  • Added a security fix related to MediaWiki core related to data leakage and false authentication. As a warning, $wgLDAPUseLocal still has the data leakage problem and shouldn't be used for anything other than transitional purposes.


  • Removed deprecated features
    • Old style preference retrieval has been removed
    • Old style group based restrictions have been removed
  • Removed unused features
    • The username synching was never used, as support wasn't added to core for it, so it's been removed
  • Debug message clean up. Removed redundant messages, clarified other messages
  • Added wrapper functions for all ldap_* functions used; did this to remove usage of @ldap_* in a cleaner way
  • Added non-session based configuration lookups, based on domain.
  • Added a ChainedAuth hook to allow other extensions to hook into the authentication chain.
  • Moved to git
  • Set domain in the user's options
    • When a long-lived session token is used, set the domain in the user's options. Add a new function for getting the user's domain, which tries to pull it from a session, and then from the user's options (if they have a long-lived session token). Also, change the configurationsettings function to pull the domain from this new function, so that configuration settings will always be pulled correctly.


  • Added memcache support for getCanonicalName
  • Added configuration option $wgLDAPLowercaseUsernameScheme
    • Whether to use the old naming scheme where usernames are lowercased, set to true for backwards compatibility
    • In the new scheme, the username will be fetched before authentication
    • This likely only works if you are using a proxy agent for search-before-bind; use caution when enabling this feature, and test
  • Did a major refactoring of configuration options. It's possible there are some bugs here. If you find one, please report.


  • Added fix to make mail me a password work again
  • Added check for PHP bug 55439


  • Added a hook to allow other extensions to update users on creation and login
  • Added new wgLDAPUseFetchedUsername option, which will use the attribute from wgLDAPSearchAttributes as the username, if set
  • Added support for authenticating with one username, but having a different wiki name (ie: login with uid, but have cn be the wiki name)


  • Added explicit request for memberOf attribute, since it is an operation attribute
  • Added a hook to let other extensions modify the loginform through the LDAP extension, since the login form isn't modifyable
  • Added support for resetting password by email


  • Debug logging improved to not fail during AutoAuthSetup
  • Debug logging now prints version number
  • Debug log level 1 now outputs something
  • Few bits of code cleanup


  • Fixed issue with single domains, and non-auto-authentication domains being non-operational
  • Fixed another issue with mail me a password not working properly


  • Fixed issue with group synchronization and nested groups
  • Added support for exclusion groups in addition to required groups
    • Configured via $wgLDAPExcludedGroups; syntax the same as $wgLDAPRequiredGroups
  • Fixed check for returns with no entries
  • Added memberOf support
  • Added patch for getting user's primary group when using memberOf
  • Fixed group synchronization issue with memberOf support (patch by Teddy Reed)
  • Fixed problem with usernames containing parenthesis
  • Fixed warnings in PHP 5.2.10 when some entries weren't returned
  • Fixed issue with $wgLDAPGroupsPrevail
  • Fixed issue with mail temporary password button when email me a password support was enabled
  • Added support for non-standard ports
  • Changed debug to output to a file
  • Added support for modifying LDAP options when connecting
    • Configured via $wgLDAPOptions - see options documentation
  • Added a security fix for register_globals users (seriously, turn register_globals off, if you have it on)


  • Reworked the auto authentication code
  • Added support for web server authentication
  • Added support for Kerberos Authentication (through web server authentication)
  • Added "functionality to ignore email confirmation"
  • Added option for defining attributes to use when pulling preferences
  • Added support for ldapi
  • Fixed Extension talk:LDAP Authentication#Bugs when adding user
  • Fixed SSLAuth function to work with newer versions of MediaWiki
  • Added an id to the userlogin template for wsDomain (added in core code)
  • Fixed the debug code to remove expensive implodes


  • Fixed compatability with php4 (MediaWiki 1.6) - Patch from Bill Allison
  • Only call getAllGroups() if $wgLDAPGroupsPrevail is enabled
  • Added option $wgLDAPLocallyManagedGroups, to specify which groups won't have members automatically removed
    • The sysop, bureaucrat, and bot groups are always considered locally managed
  • Fixed security issue where users weren't removed from groups when the LDAP group was deleted


  • Added options to specify search bases for users, and groups
    • Updated documentation to come
  • Fixed Special:Preferences prints PHP warning, "Undefined index: wsDomain in PATH/LdapAuthentication.php", for lines 591 and 594. MediaWiki 1.9.3, Windows 2003 server, PHP 5.2.2-dev snapshot. 14:27, 29 March 2007 (UTC)
  • Fixed Extension_talk:LDAP_Authentication#allowPasswordChange_doesn.27t_check_for_.24wgLDAPUseLocal
  • Integrated the code from Extension:LDAP_Authentication#Better_support_for_groups so that other extensions can use all available LDAP groups
  • Added better debug information for (nested) group restrictions
  • Added checks for php_ldap; plugin will fail gracefully if it does not exist
  • Added configuration option for modifying LDAP options on connect (patch from Daniel Marczisovszky)
    • Updated documentation to come
  • Fixed issue where local usernames were munged when $wgLDAPUseLocal was enabled
  • Fixed issue where local users were created with a blank password when $wgLDAPUseLocal was enabled
  • Changed link in source to point to mediawiki.org instead of meta
  • Fixed Nested Groups bug Extension_talk:LDAP_Authentication#Nested_Groups_option_not_working




  • Added support for Mediawiki security groups based upon LDAP groups
  • Added an option to disable auto-creation of accounts ($wgLDAPDisableAutoCreate - defaults to false)
  • Fixed TLS/SSL issue discussed in the Suggestions section on the Meta page
    • Removed options $wgLDAPUseSSL and $wgLDAPUseTLS; added option $wgLDAPEncryptionType (an array) with allowed values "ssl", "tls", and "clear"
  • Moved $wgLDAPLowerCaseUsername a little higher up in the authentication chain
  • Added $wgLDAPGroupUseRetrievedUsername so that you can use the exact username pulled from LDAP to search for groups
  • Changed $wgLDAPUseSmartcardAuth to $wgLDAPAutoAuthMethod (a string); this will allow users to define which type of auto authenticate methods they would like to use. Smartcard auth will only be available at first, but other methods will follow.
  • Changed $wgLDAPLowerCaseUsername to allow for multiple domains
  • Moved authenticate part of smartcard login out of getCanonicalName to the SSLAuth function (I have no clue what I was thinking before ;) )


  • Fixed bug in 1.1a with user's preferences being overwritten when $wgLDAPRetrievePrefs was not set, or was set to false. The issue should only have affected 1.1a; 1.0h should not be affected.


  • TLS is now the default encryption mode. To disable SSL/TLS, you need to specifically disable both.
  • Fixed bug in getGroups, searchNestedGroups, and isMemberOfRequiredLdapGroup where warnings are thrown if no groups are found. This was a symptom of a problem in Comment #133 (this would not fix that issue however).
  • Fixed bug with pulled preferences not being saved in the local database.
  • Options have changed to work for multiple domains. All options that make sense with multi-domain support can be configured to work for multiple domains.
  • Smartcard/CAC support has been added to the plugin using the AutoAuthenticate hook.
    • Most options supported by password authentication are supported in smartcard authentication
    • Only a single smartcard domain can be used due to the way AutoAuthenticate works; however, smartcard authentication and password authentication can be mixed allowing multiple domains through the use of clever hackery
    • Smartcard authentication does not have to be turned on for the entire server, but can instead be turned on for certain locations, or even specific wiki pages

Smartcard authentication requires the getCanonicalName() function which is only available in MediaWiki 1.6+. Do not use this version of the plugin for mediawiki 1.5 as it has not been tested and will not be supported; instead, please use version 1.0h.

Many options have changed syntax in this version. Please check the new syntax rules before upgrading to this version.


  • Fixed #118 on the bugzilla page (lowercasing the username in the groups checking)
    • The fix proposed may have caused issues with other users who need case sensitive searches. I've added the fix as a boolean option ($wgLDAPGroupLowerCaseUsername).
  • Fixed #125 on the bugzilla page (redundant auth attr check)
    • This fix disabled the check, it did not remove it. If you would like to re-enable it for performance reasons, just uncomment the section that was commented.
  • Fixed #126 on the bugzilla page (setPassword function erasing the user's password in LDAP)


  • Added a new group based restrictions method
    • Added a number of new options to support this method
    • This method will try to use proxyagent credentials if available to search for groups; the plugin falls back on user credentials if proxyagent credentials fail
    • Support for nested groups is available with this new method as long as the attribute for nested groups is the same attribute used for holding users in groups (such as member=testuser, and member=nestedgroup)
    • Support for username or DNs in groups (testuser vs cn=testuser,ou=people,dc=example,dc=com)
    • Support for multiple groups
    • Support for multiple domains


  • Fixed the version number at the top of the file.
  • Fixed the preferences bug from: Talk:LDAP Authentication#Problem with preferences from LDAP
  • Added function in for changing usernames to lowercase to fix: Extension Talk:LDAP_Authentication#Username_modified_.28capital_letter.29.2C_authentication_fails (only works in versions 1.6+)
  • Fixed an undeclared global variable $wgLDAPWriteLocation in addUsers
  • Cleaned out some unused global variables (I think there may be a couple still hanging around. I'll try to clean them out next version)
  • Added debugging code (let me know what extra debugging info you want, or if some things should be showing at a different debug level)
  • Added the password switching statement from comment #111 in the bugzilla (notice I added it for changing passwords, and for creating users)
  • Added the ability to use TLS as well as LDAPS (I'm not 100% sure this is working, let me know!)