Hi, there!
Sorry for the late reply. I've been out of the office all last week. I'm posting my LocalSettings.php configuration. I have edited it for privacy reasons, but I think you'll get the point quickly by taking a look at it. You will note that OU, CN and other words appear there sometimes in capital letters and sometimes not. I believe that is irrelevant for your config to work as expected. What you have to make sure of is that the names of your LDAP/AD entries match the ones in your config. Let's say you have a group in your LDAP called Users; then write Users in your config. Check out the groupsync and authorization parameters. I think they're related and must both be declared in order to make Authorization work properly.
# End of automatically generated settings.
# Add more configuration options below.
# LDAP
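# LDAP / Active Directory login stack. PluggableAuth is the framework the
# LDAP* extensions plug into; LDAPProvider holds the connection config
# ($LDAPProviderDomainConfigProvider below); Auth_remoteuser takes the user
# name the web server already authenticated and hands it to the wiki.
wfLoadExtensions( [
    'PluggableAuth',
    'LDAPProvider',
    'LDAPAuthentication2',
    'LDAPAuthorization',
    'Auth_remoteuser',
    'LDAPGroups',
] );

# Rewrites applied to the user name Auth_remoteuser receives from the web
# server (here supplied by mod_krb5 / .htaccess). Each key is a regular
# expression (note the `$` anchor) and the value its replacement; this one
# strips the Kerberos realm suffix so "user@DOMAIN.MY" becomes "user".
# The dot is escaped so it matches a literal '.' instead of any character
# (an unescaped '@DOMAIN.MY$' would also strip e.g. "@DOMAINXMY").
$wgAuthRemoteuserUserNameReplaceFilter = [
    '@DOMAIN\.MY$' => '', // mod_krb5 and .htaccess
];

# Anonymous visitors may not register wiki accounts themselves; a wiki
# account is created automatically the first time a user authenticated by
# the web server / LDAP arrives.
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;

# Lower-case the LDAP user name before it is mapped to a wiki user, and keep
# local (non-LDAP) wiki accounts able to log in with their wiki password.
$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$LDAPAuthentication2AllowLocalLogin = true;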
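# Connection, group-sync and authorization settings for the single LDAP
# domain 'mydomain'. The bind password is stored in clear text in this file:
# keep LocalSettings.php unreadable to other users on the host and out of
# version control.
$LDAPProviderDomainConfigProvider = function () {
    $config = [
        'mydomain' => [
            'connection' => [
                "server" => "your_server_IP_or_dns_name_without_http_https_or_whatever",
                # Bind DN and password used for the directory searches.
                # NOTE(review): the trailing ',' after DC=... looks like an
                # anonymization artefact — a DN ends with its last RDN.
                "user" => "CN=XXXXXX,OU=Users,OU=XXXXXX,DC=XXXXXX,",
                "pass" => 'XXXXXXXXXXXXXXXXXXXXXX',
                # 636 is LDAPS and matches enctype 'ssl' below. If you test on
                # plain 389 to rule out certificate problems, enctype has to be
                # changed as well (LDAPProvider accepts 'clear', 'ssl' and
                # 'tls' as far as I remember — confirm against its docs), and
                # the clear-text variant must not stay in production: the bind
                # password would cross the network unencrypted.
                "port" => 636,
                "enctype" => 'ssl',
                "options" => [
                    "LDAP_OPT_DEREF" => 1
                ],
                "basedn" => "ou=XXXXXX,dc=XXXXXX",
                "groupbasedn" => "ou=Groups,ou=XXXXXXXX,ou=XXXXXXXXXXX",
                "userbasedn" => "ou=XXXXXXXXXX,dc=XXXXXXXXX",
                # AD: the login name lives in sAMAccountName; the display name
                # in cn; the address in mail.
                "searchattribute" => "samaccountname",
                "usernameattribute" => "samaccountname",
                "realnameattribute" => "cn",
                "emailattribute" => "mail",
                # Presumably resolves the user's groups through the group
                # objects' member attribute — verify against LDAPProvider.
                "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
            ],
            # Wiki group name => LDAP group DN. Membership of the DN puts the
            # user into the wiki group (and removes them when it ends).
            'groupsync' => [
                "mechanism" => "mappedgroups",
                "mapping" => [
                    "read" => "cn=XXXXXXXXXXXXXXX,ou=XXXXXXXXXXXXXXX,ou=XXXXXXXXXXXXXXX",
                    "write" => "cn=XXXXXXXXXXXXXXX,ou=XXXXXXXXXXXXXXX,ou=XXXXXXXXXXXXXXX"
                ]
            ],
            # Only members of the listed group DN may log in at all; users
            # outside it authenticate successfully but are refused access.
            'authorization' => [
                "rules" => [
                    "groups" => [
                        "required" => [
                            "cn=XXXXXXXXXXXXXXX,ou=XXXXXXXXXXXXXXX,ou=XXXXXXXXXXXXXXX"
                        ]
                    ]
                ]
            ],
            # Looks like this copies cn into the wiki's real-name field.
            'userinfo' => [
                "attributes-map" => [
                    "realname" => "cn"
                ]
            ]
        ]
    ];
    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};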
# Render full exception details (message, stack trace) in the browser while
# you are debugging the LDAP setup. Turn it off (false) or remove it before
# going live: the traces expose file paths and configuration internals to
# every visitor.
$wgShowExceptionDetails = true;