This MediaWiki extension allows an instance to be configured to authenticate against one or more LDAP servers. The extension is built for MediaWiki v1.27 or greater, as it uses the new extension and authentication framework.
- Download the extension and place it in the `extensions/LdapAuth` directory.
- Add the following to your LocalSettings.php file: `wfLoadExtension( 'LdapAuth' );`
- Configure as required.
If you can't be bothered reading about how to configure the extension properly, don't worry - here's a quick and easy config you can probably get going with!

```php
$wgLdapAuthDomainNames = 'MY_DOMAIN_HERE';
$wgLdapAuthServers = 'SERVER1,SERVER2,SERVER3';
$wgLdapAuthBindDN = 'MY_BIND_DN_HERE';
$wgLdapAuthBindPass = 'PASSWORD_FOR_BIND_DN';
```

This quick config leaves `$wgLdapAuthEncryptionType` and `$wgLdapAuthBaseDN` unset and stores the bind password in clear text in LocalSettings.php, so review those settings and the file's permissions before putting the wiki in front of users.
- If you wish to restrict logins to users in a specific OU/DN, see `$wgLdapAuthBaseDN` below.
- If you wish to map Active Directory groups to MediaWiki groups, see `$wgLdapAuthMapGroups` below.
As this extension supports multiple domains, most of the following settings have two forms: a generic cross-domain value, or individualised per-domain values keyed by domain name (marked PER-DOMAIN). Settings that do not support the per-domain form say so.
`$wgLdapAuthDomainNames` specifies the LDAP domain(s) (CN) to which we are connecting. Domains may be space-delimited, comma-delimited, or an array.
Note that this does not provide per-domain configuration, as that simply wouldn't make sense!
Examples:

```php
$wgLdapAuthDomainNames = 'DOMAIN_1 DOMAIN_2 DOMAIN_3'; // space-delimited
$wgLdapAuthDomainNames = 'DOMAIN_1,DOMAIN_2, DOMAIN_3'; // comma-delimited
$wgLdapAuthDomainNames = [ // PHP array format
    'DOMAIN_1',
    'DOMAIN_2',
    'DOMAIN_3',
];
```
`$wgLdapAuthServers` (PER-DOMAIN) specifies the list of servers used to authenticate each domain.
Examples:

```php
// space and comma delimited - the following servers will be
// used for ALL domains.
$wgLdapAuthServers = '127.0.0.1 127.0.0.2,127.0.0.3';

// mixed format - the following servers are individual to each
// domain, as specified by the array key.
$wgLdapAuthServers = [
    'DOMAIN_1' => '127.0.0.1 127.0.0.2,127.0.0.3', // space and comma delimited
    'DOMAIN_2' => ['127.0.0.1', '127.0.0.2', '127.0.0.3'], // PHP array format
    'DOMAIN_3' => '127.0.0.4',
];
```
`$wgLdapAuthBindDN` (PER-DOMAIN) specifies the distinguished name of the account with which the extension binds to the server before searching for users.
Examples:

```php
// DN for single domain usage
$wgLdapAuthBindDN = 'CN=Wiki,DC=DOMAIN_1';

// DN for multi-domain usage
$wgLdapAuthBindDN = [
    'DOMAIN_1' => 'CN=Wiki,DC=DOMAIN_1',
    'DOMAIN_2' => 'CN=Wiki,DC=DOMAIN_2',
    'DOMAIN_3' => 'CN=Wiki,DC=DOMAIN_3',
];
```
`$wgLdapAuthBindPass` (PER-DOMAIN) specifies the password used for the bind DN.
Examples:

```php
$wgLdapAuthBindPass = 'MyPasswordHere';

// or
$wgLdapAuthBindPass = [
    'DOMAIN_1' => 'Domain 1 Password',
    'DOMAIN_2' => 'Domain 2 Password',
    'DOMAIN_3' => 'Domain 3 Password',
];
```
`$wgLdapAuthBaseDN` (PER-DOMAIN) specifies the DN within which the user search is performed; users outside it cannot log in.
Examples:

```php
// DN for single domain usage
$wgLdapAuthBaseDN = 'OU=Users,DC=DOMAIN_1';

// DN for multi-domain usage
$wgLdapAuthBaseDN = [
    'DOMAIN_1' => 'OU=Users,DC=DOMAIN_1',
    'DOMAIN_2' => 'OU=Users,DC=DOMAIN_2',
    'DOMAIN_3' => 'OU=Users,DC=DOMAIN_3',
];
```
`$wgLdapAuthSearchTree` (PER-DOMAIN) specifies whether or not to perform a recursive (subtree) search beneath the base DN, rather than matching only its direct children.
Examples:

```php
// We will not allow recursive tree searches on any domain
$wgLdapAuthSearchTree = false;

// We will allow recursive searching for only DOMAIN_1
$wgLdapAuthSearchTree = [
    'DOMAIN_1' => true,
    'DOMAIN_2' => false,
    'DOMAIN_3' => false,
];
```
`$wgLdapAuthSearchFilter` (PER-DOMAIN) is the filter used when performing a search. By default, searches may be performed against first name, last name or username, and disabled accounts are filtered out. `%1$s` is used as a placeholder for the username being searched for. Note that the default filter appends `*` to each placeholder, so it performs a prefix match rather than an exact match.

Default:

```
(&(objectCategory=person)(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(|(sAMAccountName=%1$s*)(firstName=%1$s*)(lastName=%1$s*)(displayName=%1$s*)))
```

Examples:

```php
// Overwrite search filter for all domains
$wgLdapAuthSearchFilter = '(&(objectClass=user)(displayName=%1$s))';

// Overwrite search filter for only DOMAIN_1.
// All other domains will inherit the default value.
$wgLdapAuthSearchFilter = [
    'DOMAIN_1' => '(&(objectClass=user)(displayName=%1$s))',
];
```
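To see how the default template behaves once a login name is substituted for `%1$s`, here is an added Python illustration (the extension itself is PHP; this is not its code). `DEFAULT_FILTER` is the default filter quoted above and the value escaping follows RFC 4515; whether the extension escapes the name itself is not stated on this page, so verify that before relying on it.

```python
"""Render the README's search-filter template with a user-supplied login name."""

# The default filter from the README, verbatim.
DEFAULT_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(!(UserAccountControl:1.2.840.113556.1.4.803:=2))"
    "(|(sAMAccountName=%1$s*)(firstName=%1$s*)(lastName=%1$s*)(displayName=%1$s*)))"
)

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so the server matches it literally instead of parsing it."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(username: str, template: str = DEFAULT_FILTER) -> str:
    """Substitute the escaped login name for every %1$s placeholder (PHP sprintf style)."""
    return template.replace("%1$s", escape_filter_value(username))


if __name__ == "__main__":
    print(render_filter("j.doe"))
    # Metacharacters in the login name stay inside the value; only the template's
    # own trailing '*' remains a wildcard, which is why the default is a prefix match.
    print(render_filter("j(doe)*"))
```

Because the `*` belongs to the template and not to the value, `render_filter("bob")` still matches `bobby`; use an exact-match filter such as the `displayName` example above if that is not what you want.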
`$wgLdapAuthEncryptionType` (PER-DOMAIN) is the encryption method to use on the connection. Valid values are `false`, `'ssl'` and `'tls'`. With `false`, the bind password and every user's password cross the network unencrypted.
Examples:

```php
// Set all domains to use TLS encryption
$wgLdapAuthEncryptionType = 'tls';

// Specify that DOMAIN_1 will use TLS, DOMAIN_2 will use SSL
// and DOMAIN_3 will not use encryption.
$wgLdapAuthEncryptionType = [
    'DOMAIN_1' => 'tls',
    'DOMAIN_2' => 'ssl',
    'DOMAIN_3' => false,
];
```
`$wgLdapAuthUseLocal` specifies whether local authentication may be performed against the MediaWiki database, in addition to LDAP.
Note that this does not provide per-domain configuration.
Examples:

```php
// Allow logins to MediaWiki "local" accounts
$wgLdapAuthUseLocal = true;

// Disallow logins to MediaWiki "local" accounts
$wgLdapAuthUseLocal = false;
```
`$wgLdapAuthRequireDomain` controls the domain field on the login form. If there is only one domain to select from, the field is hidden for brevity; this setting overrides that behaviour and forces the field to always display.
Note that this does not provide per-domain configuration.
Examples:

```php
// The DOMAIN field will ALWAYS be visible when logging in
$wgLdapAuthRequireDomain = true;

// The DOMAIN field will only be visible if required
$wgLdapAuthRequireDomain = false;
```
`$wgLdapAuthMapGroups` (PER-DOMAIN) maps LDAP groups, identified by DN, to the MediaWiki groups their members should receive.
Examples:

```php
// The following array will be domain-nonspecific
$wgLdapAuthMapGroups = [
    'bureaucrat' => [
        'CN=Administrator,CN=Users,DC=DOMAIN_1'
    ],
    'sysop' => [
        'CN=Administrator,CN=Users,DC=DOMAIN_1',
        'CN=Power Users,CN=Users,DC=DOMAIN_1',
    ],
];

// The following is more useful - this will be domain-specific
$wgLdapAuthMapGroups = [
    'DOMAIN_1' => [
        'bureaucrat' => [
            'CN=Administrator,CN=Users,DC=DOMAIN_1'
        ],
        'sysop' => [
            'CN=Administrators,CN=Users,DC=DOMAIN_1',
            'CN=Power Users,CN=Users,DC=DOMAIN_1',
        ],
    ],
    'DOMAIN_2' => [
        'bureaucrat' => [
            'CN=Administrators,CN=Users,DC=DOMAIN_2'
        ],
        'sysop' => [
            'CN=Administrators,CN=Users,DC=DOMAIN_2',
        ],
    ],
    'DOMAIN_3' => [
        'bureaucrat' => [
            'CN=Administrators,CN=Users,DC=DOMAIN_3'
        ]
    ],
];
```
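A Python model of the lookup the two array shapes above imply, added here as an example (it is not the extension's PHP code): given the map, the domain the user logged into and the user's `memberOf` DNs, it returns the MediaWiki groups to grant. It handles both the domain-nonspecific and the domain-specific shape, and compares DNs case-insensitively with whitespace after commas stripped; that normalisation is an assumption about sensible DN comparison, not something this page states about the extension.

```python
"""Resolve a user's MediaWiki groups from an LdapAuth-style group map."""

from typing import Dict, List, Union

GroupMap = Dict[str, List[str]]                 # wiki group -> LDAP group DNs
MapGroupsSetting = Union[GroupMap, Dict[str, GroupMap]]  # either README shape


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: lower-case, no whitespace around RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def _map_for_domain(setting: MapGroupsSetting, domain: str) -> GroupMap:
    """Pick the per-domain table if the setting is keyed by domain, else use it as-is."""
    # Domain-specific shape: every value is itself a dict of wiki group -> DN list.
    if setting and all(isinstance(v, dict) for v in setting.values()):
        return setting.get(domain, {})  # unknown domain -> no mapped groups (deny by default)
    return setting  # domain-nonspecific shape applies to every domain


def resolve_wiki_groups(setting: MapGroupsSetting, domain: str, member_of: List[str]) -> List[str]:
    """Return the sorted MediaWiki groups whose mapped DNs intersect the user's memberOf."""
    user_dns = {normalize_dn(dn) for dn in member_of}
    table = _map_for_domain(setting, domain)
    return sorted(
        wiki_group
        for wiki_group, ldap_dns in table.items()
        if any(normalize_dn(dn) in user_dns for dn in ldap_dns)
    )


# Constructed sample mirroring the README's domain-specific example (assumption, not real data).
SAMPLE_MAP = {
    "DOMAIN_1": {
        "bureaucrat": ["CN=Administrator,CN=Users,DC=DOMAIN_1"],
        "sysop": ["CN=Administrators,CN=Users,DC=DOMAIN_1",
                  "CN=Power Users,CN=Users,DC=DOMAIN_1"],
    },
    "DOMAIN_2": {
        "bureaucrat": ["CN=Administrators,CN=Users,DC=DOMAIN_2"],
        "sysop": ["CN=Administrators,CN=Users,DC=DOMAIN_2"],
    },
}

if __name__ == "__main__":
    # A Power User in DOMAIN_1 gets sysop only; the directory returned the DN in mixed case.
    print(resolve_wiki_groups(SAMPLE_MAP, "DOMAIN_1", ["cn=power users, cn=users, dc=domain_1"]))
```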
`$wgLdapAuthCacheGroupMap` specifies, in seconds, how long a user's LDAP group membership is cached before it is re-synced from the LDAP server. A long cache means a user removed from an LDAP group keeps the mapped MediaWiki rights until the cache expires.
Examples:

```php
// The LDAP group map shall be cached for 10 seconds
// before it is updated from the LDAP server
$wgLdapAuthCacheGroupMap = 10;

// The LDAP group map shall now be cached for an hour
// before it is updated from the LDAP server
$wgLdapAuthCacheGroupMap = 60 * 60;
```
`$wgLdapAuthIsActiveDirectory` specifies whether we are connecting to an Active Directory LDAP server.
Examples:

```php
// This is an Active Directory server
$wgLdapAuthIsActiveDirectory = true;

// Otherwise, it isn't Active Directory
$wgLdapAuthIsActiveDirectory = false;
```