Extension:LdapAuth/Configuration

Quick Configuration

If you can't be bothered reading about how to configure the extension properly, don't worry - here's a quick and easy config you can probably get going with! Be aware that it leaves $wgLdapAuthEncryptionType at its default of false, so the bind password and every user's password are sent to the directory in clear text; read the $wgLdapAuthEncryptionType section before using it anywhere other than a test setup.

$wgLdapAuthDomainNames = 'MY_DOMAIN_HERE';
$wgLdapAuthServers = 'SERVER1,SERVER2,SERVER3';
$wgLdapAuthBindDN = 'MY_BIND_DN_HERE';
$wgLdapAuthBindPass = 'PASSWORD_FOR_BIND_DN';
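As an added example (not part of the extension's documentation), here is the quick configuration above extended with the settings whose defaults matter for security. The domain name, hostnames, DNs and password are placeholders to replace, and the tightened search filter assumes the directory is Active Directory:

```php
// Added example: a single-domain fragment to append to LocalSettings.php.
// The domain name, hostnames under corp.example, DNs and password are placeholders.
$wgLdapAuthDomainNames = 'CORP';
$wgLdapAuthServers     = 'dc1.corp.example,dc2.corp.example';  // hostnames, so a TLS certificate name can be checked

// A dedicated service account with read access to the user and group entries,
// not a domain administrator.
$wgLdapAuthBindDN   = 'CN=svc-wiki-ldap,OU=Service Accounts,DC=corp,DC=example';
$wgLdapAuthBindPass = 'REPLACE_WITH_BIND_PASSWORD';  // clear text: keep LocalSettings.php readable only by the web server user

// The default (false) sends the bind password and user passwords in clear text.
// 'tls' is STARTTLS; use 'ssl' for LDAPS if your directory only offers that.
$wgLdapAuthEncryptionType = 'tls';

// Only accounts under this OU (and, with SearchTree true, its sub-OUs) may log in.
$wgLdapAuthBaseDN     = 'OU=Staff,DC=corp,DC=example';
$wgLdapAuthSearchTree = true;

// Exact match on the account name instead of the default's wildcard prefix
// match over several attributes; disabled accounts stay excluded.
$wgLdapAuthSearchFilter = '(&(objectCategory=person)(objectClass=user)'
    . '(!(UserAccountControl:1.2.840.113556.1.4.803:=2))'
    . '(sAMAccountName=%1$s))';

$wgLdapAuthIsActiveDirectory = true;

// Leave local accounts usable until LDAP login is verified, so a mistake above
// cannot lock every administrator out; set it to false afterwards if the
// directory is to be the only way in.
$wgLdapAuthUseLocal = true;
```

The filter string is single-quoted on purpose: in a double-quoted PHP string `$s` would be interpolated and the `%1$s` placeholder silently destroyed.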

If you wish to restrict logins to users in a specific OU/DN, see $wgLdapAuthBaseDN below.
If you wish to map Active Directory groups to MediaWiki groups, see $wgLdapAuthMapGroups below.

Configuration

As this extension supports multiple domains, most of the following settings take two forms: a single value that applies to every domain, or an array keyed by domain name that sets the value for each domain individually. Settings that accept the second form are annotated PER-DOMAIN.

$wgLdapAuthDomainNames

Names the LDAP domain(s) the wiki authenticates against. Each name is the key used for the per-domain settings below and is what the user sees in the login form's domain field. Domains may be given space-delimited, comma-delimited, or as an array.

Note that this setting has no per-domain form, as that simply wouldn't make sense!

REQUIRED

$wgLdapAuthDomainNames = 'DOMAIN_1 DOMAIN_2  DOMAIN_3';  // space-delimited
$wgLdapAuthDomainNames = 'DOMAIN_1,DOMAIN_2, DOMAIN_3';  // comma-delimited
$wgLdapAuthDomainNames = [                               // PHP array format
    'DOMAIN_1',
    'DOMAIN_2',
    'DOMAIN_3',
];

$wgLdapAuthServers

Specifies the LDAP server(s), by hostname or IP address, used to authenticate each domain. Prefer hostnames when you enable TLS, so that the server certificate can be checked against a name. (The loopback addresses in the examples are placeholders.)

  • REQUIRED
  • PER-DOMAIN
// space and comma delimited - the following servers will be
// used for ALL domains.
$wgLdapAuthServers = '127.0.0.1 127.0.0.2,127.0.0.3';

// mixed format - the following servers are individual to each
// domain, as specified by the array key.
$wgLdapAuthServers = [
    'DOMAIN_1' => '127.0.0.1 127.0.0.2,127.0.0.3',          // space and comma delimited
    'DOMAIN_2' => ['127.0.0.1', '127.0.0.2', '127.0.0.3'],  // PHP array format
    'DOMAIN_3' => '127.0.0.4',
];

$wgLdapAuthBindDN

Specifies the distinguished name of the account the extension binds as in order to search the directory for the user who is logging in. Use a dedicated service account that has only read access to the user and group entries being searched, not an administrative account.

  • DEFAULT: false
  • PER-DOMAIN
// DN for single domain usage
$wgLdapAuthBindDN = 'CN=Wiki,DC=DOMAIN_1';

// DN for multi-domain usage
$wgLdapAuthBindDN = [
    'DOMAIN_1' => 'CN=Wiki,DC=DOMAIN_1',
    'DOMAIN_2' => 'CN=Wiki,DC=DOMAIN_2',
    'DOMAIN_3' => 'CN=Wiki,DC=DOMAIN_3',
];

$wgLdapAuthBindPass

Specifies the password for the bind DN above. It is held in clear text in LocalSettings.php, so make sure that file is readable only by the web server user and does not end up in version control or in backups that others can read.

  • DEFAULT: false
  • PER-DOMAIN
$wgLdapAuthBindPass = 'MyPasswordHere';
// or
$wgLdapAuthBindPass = [
    'DOMAIN_1' => 'Domain 1 Password',
    'DOMAIN_2' => 'Domain 2 Password',
    'DOMAIN_3' => 'Domain 3 Password',
];

$wgLdapAuthBaseDN

Specifies the DN below which the user search is performed. Only accounts found under it can log in, so point it at the OU that holds your wiki users rather than at the domain root when you want to restrict who may log in.

  • DEFAULT: false
  • PER-DOMAIN
// DN for single domain usage
$wgLdapAuthBaseDN = 'OU=Users,DC=DOMAIN_1';

// DN for multi-domain usage
$wgLdapAuthBaseDN = [
    'DOMAIN_1' => 'OU=Users,DC=DOMAIN_1',
    'DOMAIN_2' => 'OU=Users,DC=DOMAIN_2',
    'DOMAIN_3' => 'OU=Users,DC=DOMAIN_3',
];

$wgLdapAuthSearchTree

Specifies whether the search covers the whole subtree below the base DN (true) or only the entries directly beneath it (false). Set it to false if sub-OUs under the base DN hold accounts that should not be able to log in.

  • DEFAULT: true
  • PER-DOMAIN
// We will not allow recursive tree searches on any domain
$wgLdapAuthSearchTree = false;

// We will allow recursive searching for only DOMAIN_1
$wgLdapAuthSearchTree = [
    'DOMAIN_1' => true,
    'DOMAIN_2' => false,
    'DOMAIN_3' => false,
];

$wgLdapAuthSearchFilter

The filter used when searching for the user. %1$s is a sprintf-style positional placeholder that is replaced by the username being looked up, so it may appear more than once. The default matches the username as a prefix of sAMAccountName, first name, last name or displayName, and excludes disabled accounts: the clause (!(UserAccountControl:1.2.840.113556.1.4.803:=2)) uses the bitwise-AND matching rule to reject entries whose userAccountControl has the ACCOUNTDISABLE bit (0x2) set. Two caveats: Active Directory stores given name and surname in givenName and sn (firstName and lastName are not attributes of the default AD schema, so those two clauses never match), and the trailing wildcards mean a short username can match several entries, including other people's display names, whereas a login lookup normally wants an exact match on the account name.

  • DEFAULT: (&(objectCategory=person)(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(|(sAMAccountName=%1$s*)(firstName=%1$s*)(lastName=%1$s*)(displayName=%1$s*)))
  • PER-DOMAIN
// Overwrite search filter for all domains
$wgLdapAuthSearchFilter = '(&(objectClass=user)(displayName=%1$s))';

// Overwrite search filter for only DOMAIN_1.
// All other domains will inherit the default value.
$wgLdapAuthSearchFilter = [
    'DOMAIN_1' => '(&(objectClass=user)(displayName=%1$s))',
];
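To show what the placeholder does and why the value substituted for it must be escaped, here is an added PHP example. It is not the extension's code, and this page does not say how the extension itself fills the placeholder; the escaping function reproduces what ldap_escape() with LDAP_ESCAPE_FILTER does so the script runs without ext-ldap, and the hostile username is constructed for the demonstration:

```php
<?php
// Added example, not code from the extension: fill the %1$s placeholder of a
// search filter safely, and show what the UserAccountControl clause tests.

const DEFAULT_FILTER = '(&(objectCategory=person)(objectClass=user)'
    . '(!(UserAccountControl:1.2.840.113556.1.4.803:=2))'
    . '(|(sAMAccountName=%1$s*)(firstName=%1$s*)(lastName=%1$s*)(displayName=%1$s*)))';

// RFC 4515 escaping of a filter assertion value: the same characters that
// ldap_escape($value, '', LDAP_ESCAPE_FILTER) escapes, written out here so
// the example does not need ext-ldap.
function escapeFilterValue( string $value ): string {
    return strtr( $value, [
        '\\' => '\5c',
        '*'  => '\2a',
        '('  => '\28',
        ')'  => '\29',
        "\0" => '\00',
    ] );
}

// %1$s is a positional sprintf argument, so the escaped username is supplied
// once and every occurrence in the template is replaced.
function renderFilter( string $template, string $username ): string {
    return sprintf( $template, escapeFilterValue( $username ) );
}

// The default filter's (!(UserAccountControl:1.2.840.113556.1.4.803:=2)) clause:
// matching rule ...803 is LDAP_MATCHING_RULE_BIT_AND, and bit 0x2 of
// userAccountControl is ACCOUNTDISABLE.
const UAC_ACCOUNTDISABLE = 0x2;
function isDisabled( int $userAccountControl ): bool {
    return ( $userAccountControl & UAC_ACCOUNTDISABLE ) !== 0;
}

// An ordinary login name is unchanged by escaping.
echo renderFilter( DEFAULT_FILTER, 'jdoe' ), "\n";

// Constructed hostile input: unescaped it would close the sAMAccountName
// clause and append its own; escaped it is matched as a literal string.
$hostile = 'jdoe)(memberOf=*';
echo renderFilter( DEFAULT_FILTER, $hostile ), "\n";
echo sprintf( '(sAMAccountName=%1$s*)', $hostile ), "\n";   // unescaped, for contrast

var_dump( isDisabled( 512 ) );   // 512 = NORMAL_ACCOUNT
var_dump( isDisabled( 514 ) );   // 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE
```

Because the username is passed to sprintf as an argument rather than spliced into the format string, a `%` in the username is harmless; only the five RFC 4515 characters need escaping, and the escaped value `jdoe\29\28memberOf=\2a` can no longer change the filter's structure.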

$wgLdapAuthEncryptionType

The transport encryption to use on the connection. Valid values are false (no encryption), 'ssl' (LDAPS: the connection is encrypted from the start) and 'tls' (STARTTLS: a plain connection that is then upgraded to TLS). With the default of false the bind password and every user's password cross the network in clear text, so set one of the encrypted modes for any directory that is not on the same host. Whether the server's certificate is verified is governed by the LDAP client library's configuration (TLS_REQCERT and TLS_CACERT in ldap.conf on OpenLDAP-based PHP builds) unless the extension sets it explicitly, for which this page documents no option, so confirm that verification is on rather than assume it.

  • DEFAULT: false
  • PER-DOMAIN
// Set all domains to use TLS encryption
$wgLdapAuthEncryptionType = 'tls';

// Specify that DOMAIN_1 will use TLS, DOMAIN_2 will use SSL
// and DOMAIN_3 will not use encryption.
$wgLdapAuthEncryptionType = [
    'DOMAIN_1' => 'tls',
    'DOMAIN_2' => 'ssl',
    'DOMAIN_3' => false,
];

$wgLdapAuthUseLocal

Specifies whether users may also log in with "local" accounts held in the MediaWiki database rather than in LDAP. Because the default is false, existing local accounts (including the administrator created at install time) cannot log in once the extension is enabled; keep this true until the LDAP settings are verified to work, so that a misconfiguration or an unreachable directory cannot lock every administrator out.

Note that this does not provide per-domain configuration.

  • DEFAULT: false
// Allow logins to MediaWiki "local" accounts
$wgLdapAuthUseLocal = true;

// Disallow logins to MediaWiki "local" accounts
$wgLdapAuthUseLocal = false;

$wgLdapAuthRequireDomain

If there is only one domain to select from, the domain field will be hidden for brevity. We can override this behaviour and force the field to always display.

Note that this does not provide per-domain configuration.

  • DEFAULT: false
// The DOMAIN field will ALWAYS be visible when logging in
$wgLdapAuthRequireDomain = true;

// The DOMAIN field will only be visible if required
$wgLdapAuthRequireDomain = false;

$wgLdapAuthMapGroups

Maps LDAP groups to equivalent MediaWiki groups. Each key is a MediaWiki group name (for example sysop or bureaucrat) and its value is a list of LDAP group DNs; a user who is a member of any of the listed groups receives that MediaWiki group. Membership of the directory groups then controls wiki rights, so anyone who can edit those groups in the directory can grant sysop or bureaucrat to themselves or others: map privileged wiki groups only to directory groups whose membership is equally restricted.

  • DEFAULT: array()
  • PER-DOMAIN
// The following array will be domain-nonspecific
$wgLdapAuthMapGroups = [
    'bureaucrat' => [
        'CN=Administrator,CN=Users,DC=DOMAIN_1'
    ],
    'sysop' => [
        'CN=Administrator,CN=Users,DC=DOMAIN_1',
        'CN=Power Users,CN=Users,DC=DOMAIN_1',
    ],
];

// The following is more useful - this will be domain-specific
$wgLdapAuthMapGroups = [
    'DOMAIN_1' => [
        'bureaucrat' => [
            'CN=Administrator,CN=Users,DC=DOMAIN_1'
        ],
        'sysop' => [
            'CN=Administrators,CN=Users,DC=DOMAIN_1',
            'CN=Power Users,CN=Users,DC=DOMAIN_1',
        ],
    ],
    'DOMAIN_2' => [
        'bureaucrat' => [
            'CN=Administrators,CN=Users,DC=DOMAIN_2'
        ],
        'sysop' => [
            'CN=Administrators,CN=Users,DC=DOMAIN_2',
        ],
    ],
    'DOMAIN_3' => [
        'bureaucrat' => [
            'CN=Administrators,CN=Users,DC=DOMAIN_3'
        ]
    ],
];
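As an added example (not the extension's own logic, which this page does not describe), the following PHP resolves the MediaWiki groups for a user from a map in either of the two shapes above, given the group DNs the directory returns for that user. It assumes those DNs come from the user's memberOf attribute, and the sample users are constructed:

```php
<?php
// Added example, not the extension's code: compute a user's MediaWiki groups
// from a $wgLdapAuthMapGroups array in either shape shown on the page.

// Normalise a DN for comparison: attribute types and AD values such as CN
// match case-insensitively, and whitespace around RDN separators is not
// significant.
function normaliseDn( string $dn ): string {
    return strtolower( implode( ',', array_map( 'trim', explode( ',', $dn ) ) ) );
}

// The per-domain shape has maps of group name => list of DNs as its
// top-level values; the domain-nonspecific shape has lists of DN strings.
function isPerDomainMap( array $map ): bool {
    foreach ( $map as $value ) {
        if ( is_array( $value ) && is_array( reset( $value ) ) ) {
            return true;
        }
    }
    return false;
}

// Return the MediaWiki groups granted to a user in $domain whose directory
// groups (assumed here to be the DNs from the memberOf attribute) are
// $memberOf. A domain absent from a per-domain map grants nothing.
function resolveWikiGroups( array $map, string $domain, array $memberOf ): array {
    $groupMap = isPerDomainMap( $map ) ? ( $map[$domain] ?? [] ) : $map;
    $held     = array_map( 'normaliseDn', $memberOf );
    $granted  = [];
    foreach ( $groupMap as $wikiGroup => $ldapGroups ) {
        foreach ( (array)$ldapGroups as $ldapGroup ) {
            if ( in_array( normaliseDn( $ldapGroup ), $held, true ) ) {
                $granted[] = $wikiGroup;
                break;   // one matching directory group is enough
            }
        }
    }
    return $granted;
}

// The domain-specific map from the page.
$wgLdapAuthMapGroups = [
    'DOMAIN_1' => [
        'bureaucrat' => [ 'CN=Administrator,CN=Users,DC=DOMAIN_1' ],
        'sysop'      => [ 'CN=Administrators,CN=Users,DC=DOMAIN_1',
                          'CN=Power Users,CN=Users,DC=DOMAIN_1' ],
    ],
    'DOMAIN_2' => [
        'bureaucrat' => [ 'CN=Administrators,CN=Users,DC=DOMAIN_2' ],
        'sysop'      => [ 'CN=Administrators,CN=Users,DC=DOMAIN_2' ],
    ],
    'DOMAIN_3' => [
        'bureaucrat' => [ 'CN=Administrators,CN=Users,DC=DOMAIN_3' ],
    ],
];

// Constructed sample users: [ domain, memberOf DNs ].
$cases = [
    [ 'DOMAIN_1', [ 'cn=power users,cn=users,dc=domain_1' ] ],      // case differs from the map: sysop
    [ 'DOMAIN_2', [ 'CN=Administrators,CN=Users,DC=DOMAIN_2' ] ],   // bureaucrat, sysop
    [ 'DOMAIN_2', [ 'CN=Administrators,CN=Users,DC=DOMAIN_1' ] ],   // DOMAIN_1 group for a DOMAIN_2 user: none
    [ 'DOMAIN_3', [ 'CN=Staff,CN=Users,DC=DOMAIN_3' ] ],            // unmapped group: none
];
foreach ( $cases as [ $domain, $memberOf ] ) {
    $groups = resolveWikiGroups( $wgLdapAuthMapGroups, $domain, $memberOf );
    printf( "%-8s %s\n", $domain, $groups ? implode( ', ', $groups ) : '(none)' );
}
```

Note that memberOf lists direct membership only; if your directory grants wiki rights through nested groups, the DNs fed to such a lookup would need to be expanded first, and a user whose groups are removed in the directory keeps the mapped wiki groups until the cache described under $wgLdapAuthCacheGroupMap expires.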

$wgLdapAuthCacheGroupMap

Specifies how long, in seconds, a user's LDAP group membership is cached before it is re-read from the directory and the mapped MediaWiki groups updated. This is also the longest a change in the directory, such as removing someone from a group mapped to sysop, can take to be reflected in the wiki, so weigh the LDAP load saved against that delay.

  • DEFAULT: 3600
  • PER-DOMAIN
// The LDAP group map shall be cached for 10 seconds
// before it is updated from the LDAP server
$wgLdapAuthCacheGroupMap = 10;

// The LDAP group map shall now be cached for an hour
// before it is updated from the LDAP server
$wgLdapAuthCacheGroupMap = 60 * 60;

$wgLdapAuthIsActiveDirectory

Specifies whether the directory for a domain is Active Directory rather than a generic LDAP server.

  • DEFAULT: false
  • PER-DOMAIN
// This is an Active Directory server
$wgLdapAuthIsActiveDirectory = true;

// Otherwise, it isn't Active Directory
$wgLdapAuthIsActiveDirectory = false;