Extension:LDAPAuthorization
This extensions checks for certain authorization requirements when logging into a wiki by using Extension:PluggableAuth or Extension:Auth remoteuser . If one of the requirements are not satisfied the login process will be cancelled.
LDAPAuthorization Release status: stable |
|
---|---|
Author(s) | Cindy Cicalese, Mark A. Hershberger, Robert Vogel |
Latest version | 1.0.0 |
Compatibility policy | Snapshots releases along with MediaWiki. Master is not backward compatible. |
MediaWiki | 1.31+ |
License | GNU General Public License 2.0 or later |
Download | |
|
|
Quarterly downloads | 287 (Ranked 16th) |
Translate the LDAPAuthorization extension if it is available at translatewiki.net | |
Installation
[edit]- Install the LDAPProvider and PluggableAuth extensions.
- Download and move the extracted
LDAPAuthorization
folder to yourextensions/
directory.
Developers and code contributors should install the extension from Git instead, using:cd extensions/
git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/LDAPAuthorization - Add the following code at the bottom of your LocalSettings.php file: Configure as required.
wfLoadExtension( 'LDAPAuthorization' );
- Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.
Extension config settings
[edit]Name | Default | Description |
---|---|---|
AutoAuthRemoteUserStringParserRegistry
|
{
"domain-backslash-username": "MediaWiki\\Extension\\LDAPAuthorization\\AutoAuth\\RemoteUserStringParser\\DomainBackslashUsername::factory",
"username-at-domain": "MediaWiki\\Extension\\LDAPAuthorization\\AutoAuth\\RemoteUserStringParser\\UsernameAtDomain::factory"
}
|
A registry of factory callbacks for different parsers, that extract domain and username from a provided domain-username.
Must return Only used in case of auto-authentication provided by Extension:Auth remoteuser . |
AutoAuthRemoteUserStringParser
|
"domain-backslash-username"
|
Configures which parser is needed to extract domain and username from a provided domain-username. Allowed values are:
Only used in case of auto-authentication provided by Auth remoteuser. |
AutoAuthUsernameNormalizer
|
""
|
A callback that allows to modify the username when Extension:Auth remoteuser is used for network based authentication. E.g. "strtolower" .
If form based authentication is also enabled though Extension:LDAPAuthentication2 this should have the same value as |
Domain config settings
[edit]Name | Default | Description |
---|---|---|
rules.groups.required
|
[]
|
Array of group DNs that are required to complete the login process. Belonging to one group is sufficient (logical OR) to be authorized. |
rules.groups.excluded
|
[]
|
Array of group DNs that the user may not be member of to complete the login process. Belonging to one group is sufficient (logical OR) to be forbidden to log in. |
rules.attributes
|
{}
|
This implements the "attributes mapping" rule from Extension:LDAP Authentication
Example: {
"&" : {
"status": "active",
"|": {
"department": [ "100", "200" ],
"level": [ "5", "6" ]
}
}
}
|
rules.query
|
""
|
Allows to provide a standard LDAP query to be tested against the user. Comparable to $wgLDAPAuthAttribute from Extension:LDAP Authentication
Example:
|
Example 1
[edit]If you want to configure this in LocalSettings.php
you can extend the configuration for LDAPProvider like in this example:
$LDAPProviderDomainConfigProvider = function() {
$config = [
'LDAP' => [
'connection' => [
...
],
'authorization' => [
'rules' => [
'groups' => [
'required' => [ "groupname" ]
]
]
]
]
];
...
Example 2
[edit]Here is a complete example LocalSettings.php
configuration for Active Directory:
$LDAPProviderDomainConfigProvider = function()
{
$config =
[
"example.com" =>
[
"connection" =>
[
"server" => "ldap.example.com",
"user" => "cn=ldap,cn=Users,dc=example,dc=com",
"pass" => "password",
"basedn" => "dc=example,dc=com",
"groupbasedn" => "dc=example,dc=com",
"userbasedn" => "dc=example,dc=com",
"searchattribute" => "samaccountname",
"searchstring" => "USER-NAME@example.com",
"usernameattribute" => "samaccountname",
"realnameattribute" => "cn",
"emailattribute" => "mail",
"grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
],
"authorization" =>
[
"rules" =>
[
"groups" =>
[
"required" => [ "cn=Developers,cn=Users,dc=example,dc=com" ]
]
]
],
"groupsync" =>
[
"mechanism" => "mappedgroups",
"mapping" =>
[
"sysop" => "cn=Developers,cn=Users,dc=example,dc=com",
"bureaucrat" => "cn=Developers,cn=Users,dc=example,dc=com"
]
],
"userinfo" =>
[
"email" => "mail",
"realname" => "cn",
"properties.gender" => "gender"
]
]
];
return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
Versioning
[edit]MediaWiki Release | Recommended Extension Version | Test Status | Latest Test Date |
---|---|---|---|
1.35 (LTS) | LDAPxxx_master | Tested | March 2020 |
This extension is included in the following wiki farms/hosts and/or packages: This is not an authoritative list. Some wiki farms/hosts and/or packages may contain this extension even if they are not listed here. Always check with your wiki farms/hosts or bundle to confirm. |
- LDAP Stack Member
- PluggableAuth plugins
- Stable extensions
- Extensions with invalid or missing type
- GPL licensed extensions
- Extensions in Wikimedia version control
- AuthRemoteuserFilterUserName extensions
- PluggableAuthUserAuthorization extensions
- All extensions
- Extensions included in BlueSpice
- Extensions included in Canasta
- LDAP extensions
- Extensions by MITRE
- User identity extensions