LDAP hub/Migration from extension LDAPAuthentication/Config conversion
Appearance
Automatic config conversion
[edit]To get you started, you may want to use the command line script
php extensions/LDAPProvider/maintenance/ConvertLdapAuthenticationConfig.php --output /ext/mediawiki/ldapprovider.json
Be aware that your old "LdapAuthentication" configuration ($wgLDAP*
variables) must still be enabled in your LocalSettings.php
file so the script can read out the values.
Config comparison
[edit]LDAP Authentication | Description | LDAP Stack "Domain config" (JSON examples) |
---|---|---|
$wgLDAPDomainNames = array( 'MyDomain' );
|
Sets up one domain for authentication |
{
"MyDomain": {
...
}
}
|
$wgLDAPServerNames = array( 'MyDomain' => 'domaincontroller.mydomain.local' );
|
References the LDAP server by hostname / IP |
{
"MyDomain": {
"connection": {
"server": "domaincontroller.mydomain.local",
...
}
}
}
|
$wgLDAPProxyAgent = array( 'MyDomain' => 'CN=proxyagent,OU=system,OU=user,DC=mydomain,DC=local');
|
Sets up proxy user account for "proxy bind" |
{
"MyDomain": {
"connection": {
...
"user": "CN=proxyagent,OU=system,OU=user,DC=mydomain,DC=local",
...
}
}
}
|
$wgLDAPProxyAgentPassword = array( 'MyDomain' => 'VerySecret' );
|
Sets up the password proxy user account for "proxy bind" |
{
"MyDomain": {
"connection": {
...
"pass": "VerySecret",
...
}
}
}
|
$wgLDAPEncryptionType = array( 'MyDomain' => 'clear' );
|
Sets the encryption type |
{
"MyDomain": {
"connection": {
...
"enctype": "clear",
...
}
}
}
|
$wgLDAPSearchAttributes = array( 'MyDomain' => 'samaccountname' );
|
Sets the LDAP attribute name that is used to search for a user entry |
{
"MyDomain": {
"connection": {
...
"searchattribute": "samaccountname",
...
}
}
}
|
$wgLDAPBaseDNs = array( 'MyDomain' => 'OU=user,DC=mydomain,DC=local' );
|
{
"MyDomain": {
"connection": {
...
"basedn": "OU=user,DC=mydomain,DC=local",
...
}
}
}
| |
$wgLDAPPreferences = array(
'MyDomain' => array(
'email' => 'mail',
'realname' => 'displayname',
'nickname' => 'samaccountname'
)
);
|
Defines which attributes of the LDAP entry are being synchronized to which field in the local MediaWiki database |
{
"MyDomain": {
...
"userinfo": {
"email": "mail",
"realname": "displayname"
}
}
}
|
$wgLDAPGroupUseFullDN = array( 'MyDomain' => true );
|
||
$wgLDAPGroupObjectclass = array( 'MyDomain' => "group" );
|
||
$wgLDAPGroupAttribute = array( 'MyDomain' => "member" );
|
||
$wgLDAPGroupSearchNestedGroups = array( 'MyDomain' => true );
|
||
$wgLDAPActiveDirectory = array( 'MyDomain' => true );
|
||
$wgLDAPGroupNameAttribute = array( 'MyDomain' => "cn" );
|
||
$wgLDAPGroupBaseDNs = array( 'MyDomain' => 'OU=usergroups,OU=groups,DC=mydomain,DC=local' );
|
||
$wgLDAPRequiredGroups = array(
'MyDomain' => array(
'CN=mediawiki,OU=usergroups,OU=groups,DC=mydomain,DC=local'
)
);
|
Restricts login to a certain group membership within the LDAP resource |
{
"MyDomain": {
...
"authorization": {
"rules": {
"groups": {
"required": [
"CN=mediawiki,OU=usergroups,OU=groups,DC=mydomain,DC=local"
]
}
}
}
}
}
|
$wgLDAPUseLocal = false;
|
Disallows login of local user accounts | Not set in the Domain config. This must be set by
$LDAPAuthentication2AllowLocalLogin = false;
$wgPluggableAuth_EnableLocalLogin = false;
|