LDAP hub

Process edit

The stack provides a multi-step process:

LDAP stack flow edit

When migrating from "LdapAuthentication" you will need to convert your configuration.

• Migration from extension LDAPAuthentication
• Config conversion

Be aware that you might not need to install all the LDAP Stack extensions to fulfill your use case:

I want to have network based authentication (implicit login) (e.g. by using Apache mod_auth_kerb)

You need Extension:Auth_remoteuser

I want to have form-based authentication where my user puts in a username and password that are managed within LDAP

You need Extension:LDAPProvider, Extension:PluggableAuth and Extension:LDAPAuthentication2

I want to restrict login to certain LDAP groups or LDAP attribute values

You need Extension:LDAPProvider and Extension:LDAPAuthorization

I sync user groups managed in LDAP into local wiki user groups

You need Extension:LDAPProvider and Extension:LDAPGroups

I sync user info like "realname" or "email" from LDAP into local wiki user properties

You need Extension:LDAPProvider and Extension:LDAPUserInfo

Group based login restrictions edit

The LDAP Stack can be configured to allow only certain user groups to actually log in to the wiki. This means that if a group requirement is not met, a user can not even log into the wiki and no user account will be created in the wiki database. The functionality is implemented in LDAPAuthorization.

There are two configuration options:

Required groups (authorization.rules.groups.required)

Excluded groups (authorization.rules.groups.excluded)

Group synchronization edit

Local wiki user groups can be automatically synchronized with groups that are set in LDAP. LDAPGroups takes care of this. By default, there are two mechanisms available:

MappedGroups

All local user groups that should be synced must be configured explicitly within a mapping of the form <localusergroup> --> <group-DN>. Groups that are not listed in this mapping will not be synced even if the user is a member on LDAP.

AllGroups

All user groups that a user is assigned to in LDAP will be synced to the local database. Instead of the full group DN, only the CN part of the DN will be used. It is possible to exclude certain groups (e.g., the sysop from being synced).

Mapped groups edit

A mapping can be set up like this:

"groupsync": {
	"mapping": {
		"mathematicians": "ou=mathematicians,dc=example,dc=com",
		"scientists": "ou=scientists,dc=example,dc=com"
	}

All groups edit

If all groups should be synced, one must configure

"groupsync": {
	"mechanism": "allgroups"

To prevent certain groups (e.g. "sysop") to be synced, use

"groupsync": {
	"locally-managed": [ "sysop" ]

For debugging, make sure the cache is disabled with $LDAPProviderCacheType = CACHE_NONE;

You can use the following command line scripts to verify your setup:

php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain YourDomain --username SomeUser
php extensions/LDAPProvider/maintenance/ShowUserGroups.php --domain YourDomain --username SomeUser
php extensions/LDAPProvider/maintenance/CheckLogin.php --domain YourDomain --username SomeUser

Be aware that YourDomain needs to be the exact same value that is specified in the domain config (e.g. the root node of ldapprovider.json).

To enable the debug log you can use

$wgDebugLogGroups['PluggableAuth'] = 
$wgDebugLogGroups['LDAP'] = 
$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] = 
$wgDebugLogGroups['LDAPProvider'] = 
$wgDebugLogGroups['LDAPGroups'] = 
$wgDebugLogGroups['LDAPUserInfo'] = 
$wgDebugLogGroups['LDAPAuthentication2'] = 
$wgDebugLogGroups['LDAPAuthorization'] = '/tmp/LDAP.log';

in your LocalSettings.php.

See https://github.com/createyourpersonalaccount/openldap-mediawiki/. It is a minimal working example that you can build on.

• Manual:Active Directory Integration (PluggableAuth + LDAP Stack)