


This extension checks for certain authorization requirements when logging into a wiki by using Extension:PluggableAuth or Extension:Auth remoteuser. If one of the requirements is not satisfied, the login process will be cancelled.

Release status: stable | |
---|---|
Author(s) | Cindy Cicalese, Mark A. Hershberger, Robert Vogel |
Latest version | 1.0.0 |
Compatibility policy | Snapshots releases along with MediaWiki. Master is not backward compatible. |
MediaWiki | 1.31+ |
Composer | mediawiki/ldap-authorization |
License | GNU General Public License 2.0 or later |
Download | Download extension, Git |
Quarterly downloads | 669 (Ranked 11th) |
Installation
- Install the LDAPProvider and PluggableAuth extensions.
- Download and place the file(s) in a directory called LDAPAuthorization in your extensions/ folder.
- Add the following code at the bottom of your LocalSettings.php file:
    wfLoadExtension( 'LDAPAuthorization' );
- Configure as required.
- Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.
Extension config settings
Name | Default | Description |
---|---|---|
AutoAuthRemoteUserStringParserRegistry |
{
"domain-backslash-username": "MediaWiki\\Extension\\LDAPAuthorization\\AutoAuth\\RemoteUserStringParser\\DomainBackslashUsername::factory",
"username-at-domain": "MediaWiki\\Extension\\LDAPAuthorization\\AutoAuth\\RemoteUserStringParser\\UsernameAtDomain::factory"
}
|
A registry of factory callbacks for the parsers that extract the domain and username from a provided domain-username.
Must return
Only used in case of auto-authentication provided by Extension:Auth remoteuser. |
AutoAuthRemoteUserStringParser |
"domain-backslash-username" |
Configures which parser is needed to extract domain and username from a provided domain-username. Allowed values are:
Only used in case of auto-authentication provided by Extension:Auth remoteuser. |
AutoAuthUsernameNormalizer |
"" |
A callback that allows modifying the username when Extension:Auth_remoteuser is used for network-based authentication, e.g. "strtolower". If form-based authentication is also enabled through Extension:LDAPAuthentication2, this should have the same value as $LDAPAuthentication2UsernameNormalizer.
Only used in case of auto-authentication provided by Extension:Auth remoteuser. |
Domain config settings
Name | Default | Description |
---|---|---|
rules.groups.required |
[] |
Array of group DNs that are required to complete the login process. Belonging to one group is sufficient (logical OR) to be authorized. |
rules.groups.excluded |
[] |
Array of group DNs that the user must not be a member of to complete the login process. Belonging to one group is sufficient (logical OR) to be forbidden to log in. |
rules.attributes |
{} |
This implements the "attributes mapping" rule from Extension:LDAP Authentication.
Example:
{
    "&": {
        "status": "active",
        "|": {
            "department": [ "100", "200" ],
            "level": [ "5", "6" ]
        }
    }
}
|
rules.query |
"" |
Allows providing a standard LDAP query to be tested against the user. Comparable to $wgLDAPAuthAttribute from Extension:LDAP Authentication.
Example:
|
If you want to configure this in LocalSettings.php, you can extend the configuration for LDAPProvider as in this example:

    $LDAPProviderDomainConfigProvider = function() {
        $config = [
            'LDAP' => [
                'connection' => [
                    ...
                ],
                'authorization' => [
                    'rules' => [
                        'groups' => [
                            'required' => [ "groupname" ]
                        ]
                    ]
                ]
            ]
        ];
        ...
Here is a complete example LocalSettings.php configuration for Active Directory:

    $LDAPProviderDomainConfigProvider = function()
    {
        $config =
        [
            "example.com" =>
            [
                "connection" =>
                [
                    "server" => "ldap.example.com",
                    "user" => "cn=ldap,cn=Users,dc=example,dc=com",
                    "pass" => "password",
                    "basedn" => "dc=example,dc=com",
                    "groupbasedn" => "dc=example,dc=com",
                    "userbasedn" => "dc=example,dc=com",
                    "searchattribute" => "samaccountname",
                    "searchstring" => "USER-NAME@example.com",
                    "usernameattribute" => "samaccountname",
                    "realnameattribute" => "cn",
                    "emailattribute" => "mail",
                    "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
                ],
                "authorization" =>
                [
                    "rules" =>
                    [
                        "groups" =>
                        [
                            "required" => [ "cn=Developers,cn=Users,dc=example,dc=com" ]
                        ]
                    ]
                ],
                "groupsync" =>
                [
                    "mechanism" => "mappedgroups",
                    "mapping" =>
                    [
                        "sysop" => "cn=Developers,cn=Users,dc=example,dc=com",
                        "bureaucrat" => "cn=Developers,cn=Users,dc=example,dc=com"
                    ]
                ],
                "userinfo" =>
                [
                    "email" => "mail",
                    "realname" => "cn",
                    "properties.gender" => "gender"
                ]
            ]
        ];
        return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
    };
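
The rule semantics from the domain config table (one required group suffices, one excluded group forbids, nested "&" / "|" attribute groups), modelled here as an added Python example for checking a rule set before deploying it; this is not the extension's code. Case-insensitive DN comparison, the any-of reading of list values, the treatment of empty rules, and the Contractors group are assumptions; rules.query is not modelled because it needs a live directory.

```python
# Illustrative model of the documented rule semantics (not the extension's PHP).
def _norm(dn):
    # Assumption: DNs are compared case-insensitively.
    return dn.strip().lower()

def match_attributes(rule, attrs, op="&"):
    """Evaluate a nested rules.attributes mapping against user attributes."""
    results = []
    for key, expected in rule.items():
        if key in ("&", "|"):
            # Operator key: evaluate the nested group with AND / OR.
            results.append(match_attributes(expected, attrs, key))
        else:
            # Assumption: a list means "any of these values" and user
            # attributes may be single- or multi-valued.
            wanted = expected if isinstance(expected, list) else [expected]
            have = attrs.get(key, [])
            have = have if isinstance(have, list) else [have]
            results.append(any(v in have for v in wanted))
    if not results:
        return True  # empty rule ({}) imposes no requirement (assumed)
    return all(results) if op == "&" else any(results)

def authorize(rules, user_groups, user_attrs):
    """Return (allowed, reason); every configured rule type must pass."""
    groups = {_norm(g) for g in user_groups}
    group_rules = rules.get("groups", {})
    required = [_norm(g) for g in group_rules.get("required", [])]
    excluded = [_norm(g) for g in group_rules.get("excluded", [])]
    if required and not groups.intersection(required):
        return False, "not in any required group"
    if groups.intersection(excluded):
        return False, "member of an excluded group"
    if not match_attributes(rules.get("attributes", {}), user_attrs):
        return False, "attribute rule not satisfied"
    return True, "authorized"

# Constructed sample: the DN and attribute rule shown on this page, plus a
# hypothetical Contractors group used as an exclusion.
DEV = "cn=Developers,cn=Users,dc=example,dc=com"
CONTRACTORS = "cn=Contractors,cn=Users,dc=example,dc=com"
RULES = {
    "groups": {"required": [DEV], "excluded": [CONTRACTORS]},
    "attributes": {"&": {"status": "active",
                         "|": {"department": ["100", "200"], "level": ["5", "6"]}}},
}

if __name__ == "__main__":
    print(authorize(RULES, [DEV], {"status": "active", "level": "5"}))
```
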
Versioning
MediaWiki Release | Recommended Extension Version | Test Status | Latest Test Date |
---|---|---|---|
1.35 (LTS) | LDAPxxx_master | Tested | March 2020 |
This article is issued from Mediawiki. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.