
LDAP hub/Migration from extension LDAPAuthentication/Config conversion

This page is part of a project of the MediaWiki Stakeholders' Group

Automatic config conversion


To get you started, you may want to use the command-line script

php extensions/LDAPProvider/maintenance/ConvertLdapAuthenticationConfig.php --output /ext/mediawiki/ldapprovider.json

Be aware that your old "LdapAuthentication" configuration (the $wgLDAP* variables) must still be present in your LocalSettings.php file, so that the script can read the values from it. Since the generated JSON file (the --output path) contains the converted settings, including any proxy bind password, in clear text, restrict read access to it just as you would for LocalSettings.php.

Config comparison

LDAP Authentication Description LDAP Stack "Domain config" (JSON examples)
$wgLDAPDomainNames = array( 'MyDomain' );
Sets up one domain for authentication
{
    "MyDomain": {
        ...
    }
}
$wgLDAPServerNames = array( 'MyDomain' => 'domaincontroller.mydomain.local' );
References the LDAP server by hostname / IP
{ 
    "MyDomain": {
        "connection": {
            "server": "domaincontroller.mydomain.local",
            ...
        }
    }
}
$wgLDAPProxyAgent = array( 'MyDomain' => 'CN=proxyagent,OU=system,OU=user,DC=mydomain,DC=local');
Sets the DN of the proxy user account used for the "proxy bind"
{ 
    "MyDomain": {
        "connection": {
            ...
            "user": "CN=proxyagent,OU=system,OU=user,DC=mydomain,DC=local",
            ...
        }
    }
}
$wgLDAPProxyAgentPassword = array( 'MyDomain' => 'VerySecret' );
Sets the password of the proxy user account used for the "proxy bind" (note that the converted JSON stores it in clear text under "pass")
{ 
    "MyDomain": {
        "connection": {
            ...
            "pass": "VerySecret",
            ...
        }
    }
}
$wgLDAPEncryptionType = array( 'MyDomain' => 'clear' );
Sets the encryption type used for the connection to the LDAP server (in this example "clear", i.e. an unencrypted connection)
{ 
    "MyDomain": {
        "connection": {
            ...
            "enctype": "clear",
            ...
        }
    }
}
$wgLDAPSearchAttributes = array( 'MyDomain' => 'samaccountname' );
Sets the name of the LDAP attribute that is matched against the login name when searching for a user entry
{ 
    "MyDomain": {
        "connection": {
            ...
            "searchattribute": "samaccountname",
            ...
        }
    }
}
$wgLDAPBaseDNs = array( 'MyDomain' => 'OU=user,DC=mydomain,DC=local' );
{ 
    "MyDomain": {
        "connection": {
            ...
            "basedn": "OU=user,DC=mydomain,DC=local",
            ...
        }
    }
}
$wgLDAPPreferences = array( 
    'MyDomain' => array( 
        'email' => 'mail',
        'realname' => 'displayname',
        'nickname' => 'samaccountname'
    )
);
Defines which attributes of the LDAP entry are synchronized to which fields of the local MediaWiki user; note that the JSON example only carries over the "email" and "realname" mappings, not "nickname"
{ 
    "MyDomain": {
        ...
        "userinfo": {
            "email": "mail",
            "realname": "displayname"
        }
    }
}
$wgLDAPGroupUseFullDN = array( 'MyDomain' => true );
$wgLDAPGroupObjectclass = array( 'MyDomain' => "group" );
$wgLDAPGroupAttribute = array( 'MyDomain' => "member" );
$wgLDAPGroupSearchNestedGroups = array( 'MyDomain' => true );
$wgLDAPActiveDirectory = array( 'MyDomain' => true );
$wgLDAPGroupNameAttribute = array( 'MyDomain' => "cn" );
$wgLDAPGroupBaseDNs = array( 'MyDomain' => 'OU=usergroups,OU=groups,DC=mydomain,DC=local' );
$wgLDAPRequiredGroups = array( 
    'MyDomain' => array( 
        'CN=mediawiki,OU=usergroups,OU=groups,DC=mydomain,DC=local'
    )
);
Restricts login to users that are members of the listed LDAP group(s)
{ 
    "MyDomain": {
        ...
        "authorization": {
            "rules": {
                 "groups": {
                     "required": [
                         "CN=mediawiki,OU=usergroups,OU=groups,DC=mydomain,DC=local"
                     ]
                 }
            }
        }
    }
}
$wgLDAPUseLocal = false;
Disallows login with local (non-LDAP) user accounts. This is not part of the domain config; it must instead be set in LocalSettings.php with
$LDAPAuthentication2AllowLocalLogin = false;
$wgPluggableAuth_EnableLocalLogin = false;