Topic on Extension talk:LDAPGroups

Assign groups based on ldap attribute?

TimRiker (talkcontribs)

I'd like to add users to a MediaWiki group based on the setting of an ldap attribute.

If the user has "personType" set to "emp" in ldap then add them to the "employee" MediaWiki group and ensure they are not in "contractors".

If the user has "personType" set to "con" in ldap then add them to the "contractor" MediaWiki group and ensure they are not in "employees".

If the person does not have a "personType" attribute, remove them from both groups.

For another group, if the field "specialId" exists with any value, add them to the "specials" group, otherwise remove them from "specials".

Can this be done with settings? I suspect I'll need a callback function in LocalSettings.php to handle this. Is there a hook to call?

Osnard (talkcontribs)

Well, Extension:LDAPGroups does not support group mapping based on regular (non-group-membership) attributes. Its internal logic is only provided with values from the grouprequest configured in Extension:LDAPProvider. There are also no callbacks or hooks that can be used for this. One would need to implement a new MediaWiki\Extension\LDAPGroups\ISyncMechanism.

But, if you use Extension:PluggableAuth for login, rather than Extension:Auth_remoteuser, you may be able to use its group sync capabilities.

This should be doable with a configuration like this:

$wgPluggableAuth_Config = [
  "My LDAP" => [
...
    'groupsyncs' => [
      [
        'type' => 'mapped',
        'map' => [
          'employee' => [ 'personType' => 'emp' ],
          'contractors' => [ 'personType' => 'con' ],
          // Unfortunately there is no wildcard support, so all values need to be set explicitly
          'specials' => [ 'specialId' => [ '...', '...'  ] ]
        ]
      ]
    ]
  ]
];

Also check out the various test cases implemented in Extension:PluggableAuth: https://github.com/wikimedia/mediawiki-extensions-PluggableAuth/blob/7.1.0/tests/phpunit/Group/MapGroupsTest.php#L70-L89

Be aware that Extension:PluggableAuth only syncs on login, unlike Extension:LDAPGroups, which does this once an hour even during an active session.
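As an added illustration of what a "mapped" sync like the configuration above has to resolve (this is example code, not PluggableAuth's own implementation), the snippet below assumes that a user belongs to a mapped group exactly when, for each attribute named in the entry, one of the listed values occurs in that multi-valued LDAP attribute; it also shows the add/remove delta restricted to groups the map manages, so a hand-granted role such as `sysop` is never stripped by the sync.

```php
<?php
// Added illustration, not PluggableAuth code: resolve a "mapped" group map
// against a user's LDAP attributes and compute the add/remove delta.
// Assumption: a user belongs to a mapped group iff, for every attribute named
// in the entry, one of the listed values occurs in that (multi-valued) attribute.

/**
 * @param array $map        group => [ attribute => value | [values] ]
 * @param array $ldapAttrs  attribute => [values] as returned from LDAP
 * @return string[] groups the user should currently be a member of
 */
function resolveMappedGroups( array $map, array $ldapAttrs ): array {
    $groups = [];
    foreach ( $map as $group => $rules ) {
        $matched = true;
        foreach ( $rules as $attr => $wanted ) {
            $wanted = array_map( 'strval', (array)$wanted );
            $have = array_map( 'strval', $ldapAttrs[$attr] ?? [] );
            // A missing attribute, or no overlap with the listed values, means no membership
            if ( array_intersect( $wanted, $have ) === [] ) {
                $matched = false;
                break;
            }
        }
        if ( $matched ) {
            $groups[] = $group;
        }
    }
    return $groups;
}

/**
 * Only groups that appear in the map are managed by the sync; any other group
 * a wiki admin granted by hand (e.g. 'sysop') is left untouched.
 */
function groupDelta( array $map, array $currentGroups, array $resolved ): array {
    $managed = array_keys( $map );
    return [
        'add'    => array_values( array_diff( $resolved, $currentGroups ) ),
        'remove' => array_values( array_diff( array_intersect( $currentGroups, $managed ), $resolved ) ),
    ];
}

// Constructed sample: a former employee who is now a contractor and holds a hand-granted role.
$map = [
    'employee'    => [ 'personType' => 'emp' ],
    'contractors' => [ 'personType' => 'con' ],
    'specials'    => [ 'specialId' => [ 'S1', 'S2' ] ],   // constructed placeholder values
];
$ldap = [ 'personType' => [ 'con' ], 'specialId' => [ 'S2' ] ];
print_r( groupDelta( $map, [ 'employee', 'sysop' ], resolveMappedGroups( $map, $ldap ) ) );
```

Because `specials` only matches values listed explicitly, an attribute that merely "exists with any value" cannot be expressed in this model without enumerating every value, which is the wildcard limitation noted in the configuration comment.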
