Extension:LDAPGroups

This extension is maintained by a member of the MediaWiki Stakeholders' Group.
This extension is part of the LDAP Stack and requires the LDAPProvider extension to be installed first.

This extension syncs user groups from an LDAP resource when a user logs into the wiki.

MediaWiki extensions manual
LDAPGroups
Release status: stable
Author(s): Cindy Cicalese, Mark A. Hershberger, Robert Vogel
Latest version: 1.0.0
Compatibility policy: release branches
MediaWiki: 1.31+
License: GNU General Public License 2.0 or later

Extension config settings

When using them in LocalSettings.php, these variables need to be prefixed with $LDAPGroups.

SyncMechanismRegistry
Default:
{
	"mappedgroups": "MediaWiki\\Extension\\LDAPGroups\\SyncMechanism\\MappedGroups::factory",
	"allgroups": "MediaWiki\\Extension\\LDAPGroups\\SyncMechanism\\AllGroups::factory"
}
Description: Allows registration of custom group sync mechanisms. The factory callbacks must return an object of type ISyncMechanism.

Domain config settings

groupsync.mechanism
Default: "mappedgroups"
Description: The key of the sync mechanism (see above) to be used. By default there are two available:
  • "mappedgroups": Re-implements the logic of Extension:LdapGroups and assigns local user groups based on the group DNs the user belongs to in the LDAP resource.
  • "allgroups": Syncs all groups the user is assigned to in the LDAP resource, based on their CN. Only groups that also exist in the local wiki configuration ($wgGroupPermissions) are synced. This re-implements the behaviour of Extension:LDAP Authentication.

groupsync.locally-managed
Default: []
Description: Only used when groupsync.mechanism = allgroups. Takes an array of local user group names (not DNs!) that should not be assigned or unassigned automatically. The groups "sysop", "bureaucrat" and "bot" are implicitly locally managed.

groupsync.mapping
Default: {}
Description: Only used when groupsync.mechanism = mappedgroups. Maps local user group names to LDAP group DNs. Example:
{
	"mathematicians": "ou=mathematicians,dc=example,dc=com",
	"scientists": "ou=scientists,dc=example,dc=com"
}

If you want to configure this in LocalSettings.php, you can extend the LDAPProvider configuration as in this example:

$LDAPProviderDomainConfigProvider = function() {
	$config = [
		'LDAP' => [
			'connection' => [
				...
			],
			'groupsync' => [
				"mechanism" => "allgroups",
				"locally-managed" => [ "local", "wiki", "group", "names" ]
			]
		]
	];
...
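As an added illustration (not the extension's own code), the following PHP models the decision the two mechanisms described above make for one user: which local groups would be added or removed, with locally managed groups left untouched. The sample DNs, group lists and configuration are constructed, and taking the CN from the first RDN by string splitting is an assumed simplification.

```php
<?php
// Added illustration, not the extension's own code: which local groups each sync
// mechanism described above would add or remove for one user. Assumed
// simplification: the CN is taken from the first RDN of the DN by string splitting.
// Constructed sample input: DNs of the LDAP groups the user is a member of.
$ldapGroupDns = [
	'cn=scientists,ou=groups,dc=example,dc=com',
	'cn=editors,ou=groups,dc=example,dc=com',
	'cn=sysop,ou=groups,dc=example,dc=com', // LDAP must not be able to grant sysop
];
// Constructed sample: the user's current wiki groups and the wiki's defined groups
// (the keys of $wgGroupPermissions in a real install; '*' and 'user' are implicit).
$currentGroups = [ 'editors', 'reviewers', 'bureaucrat' ];
$localGroups = [ '*', 'user', 'sysop', 'bureaucrat', 'bot', 'editors', 'reviewers', 'scientists' ];
$domainConfig = [ 'groupsync' => [
	'mechanism' => 'allgroups',
	'locally-managed' => [ 'reviewers' ],
	'mapping' => [ 'scientists' => 'cn=scientists,ou=groups,dc=example,dc=com' ],
] ];
/** Returns [ 'add' => [...], 'remove' => [...] ] for the configured mechanism. */
function planGroupSync( array $ldapGroupDns, array $currentGroups, array $localGroups, array $domainConfig ): array {
	$sync = $domainConfig['groupsync'];
	// Never touched by the sync; sysop, bureaucrat and bot are implicitly locally managed.
	$untouchable = array_merge( [ 'sysop', 'bureaucrat', 'bot' ], $sync['locally-managed'] ?? [] );
	$dnsLower = array_map( 'strtolower', $ldapGroupDns );
	if ( $sync['mechanism'] === 'mappedgroups' ) {
		// A local group is wanted only if its configured DN is one the user belongs to.
		$mapping = $sync['mapping'] ?? [];
		$wanted = array_keys( array_filter( $mapping, function ( $dn ) use ( $dnsLower ) {
			return in_array( strtolower( $dn ), $dnsLower, true );
		} ) );
		$managed = array_keys( $mapping ); // only mapped groups may be added or removed
	} else { // allgroups
		// CN of every LDAP group, kept only if the wiki actually defines that group.
		$cns = array_map( function ( $dn ) {
			return substr( explode( ',', $dn )[0], strlen( 'cn=' ) );
		}, $dnsLower );
		$wanted = array_values( array_intersect( $cns, $localGroups ) );
		$managed = array_diff( $localGroups, [ '*', 'user' ] );
	}
	// Locally managed groups are excluded from both adding and removing.
	$wanted = array_diff( $wanted, $untouchable );
	$managed = array_diff( $managed, $untouchable );
	return [
		'add' => array_values( array_diff( $wanted, $currentGroups ) ),
		'remove' => array_values( array_diff( array_intersect( $currentGroups, $managed ), $wanted ) ),
	];
}
print_r( planGroupSync( $ldapGroupDns, $currentGroups, $localGroups, $domainConfig ) );
```

With the sample as given, "scientists" is added while "sysop" (implicitly locally managed) is not granted and "reviewers" (configured as locally managed) is not removed; switch 'mechanism' to 'mappedgroups' to see the mapping-based path.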

Using LDAPGroups without LDAP authentication

LDAPGroups needs to know which LDAP domain configuration to use for a user who logs in. For this it uses a table in the database (ldap_domains). When using Extension:LDAPAuthentication2, this table is filled automatically with the necessary data.

If you use another type of authentication (e.g. Auth_remoteuser or SimpleSAMLphp), you have to find another way of feeding this table. If you are using only one LDAP domain, you can e.g. add this to your LocalSettings.php (again based on the example config for LDAPProvider):

function onUserLoggedIn_AddToDomain( $user ) {
	// The UserLoggedIn hook passes only the User object, so the domain is fixed here:
	// it is the key of the single domain configured for LDAPProvider ('LDAP' in the example above).
	$domain = 'LDAP';
	$userDomainStore = new MediaWiki\Extension\LDAPProvider\UserDomainStore(
		\MediaWiki\MediaWikiServices::getInstance()->getDBLoadBalancer()
	);

	// Only write to ldap_domains when no domain is stored yet or a different one is stored.
	$currentDomain = $userDomainStore->getDomainForUser( $user );
	if ( !$currentDomain || $currentDomain !== $domain ) {
		$userDomainStore->setDomainForUser( $user, $domain );
	}
}
$wgHooks['UserLoggedIn'][] = 'onUserLoggedIn_AddToDomain';

Versioning

LDAP Stack extensions are targeted at and qualified for MediaWiki LTS releases only.
However, this table helps to determine which extension releases to use across all recent versions.

MediaWiki release | Recommended extension version | Test status | Latest test date
1.31 (LTS) | LDAPxxx_REL1_31 | Tested, Recommended | March 2020
1.32 | LDAPxxx_REL1_31 | Not Tested | -
1.33 | LDAPxxx_REL1_31 | Tested | March 2020
1.34 | LDAPxxx_REL1_31 | Tested | March 2020
1.35 (LTS Planned) | LDAPxxx_master | Tested | March 2020