In the last few months, I worked a lot on connecting different services to OpenLDAP. My general impression is that, in many cases, the documentation could be more detailed. So here is a little collection – no long articles, just the configuration part. This is part 2: How to integrate MediaWiki with OpenLDAP?
You need the extension LDAP_Authentication to authenticate users against OpenLDAP. The usual place to configure MediaWiki is the file LocalSettings.php, so that’s where the LDAP settings go, too. I found it very well documented. Here is what I wanted to do:
- My wiki users are organized in two different subtrees in the DIT (here I call them "staff" and "volunteers").
- I want to synchronize LDAP groups to MediaWiki security groups. The MediaWiki security groups that users from the two LDAP subtrees end up in partly overlap (both share "group1").
- The wiki already exists. The user names are full names including a space, so I will use the displayName attribute from LDAP as the login name.
- Again, I use groupOfNames and the memberOf overlay. One setting confused me at first: $wgLDAPGroupsUseMemberOf. If you turn it on, the extension queries LDAP for all groups the given user account is a member of, even those outside the defined $wgLDAPGroupBaseDNs, and compares each of them to $wgLDAPRequiredGroups. I couldn’t get this to work, but without the setting it does.
```php
require_once "$IP/extensions/LdapAuthentication/LdapAuthentication.php";

// Extra debug log. Level 9 is very verbose and records DNs and bind details,
// so keep the file private and lower the level once everything works.
$wgLDAPDebug = 9;
$wgDebugLogGroups['ldap'] = '/tmp/debug.log';

$wgAuth = new LdapAuthenticationPlugin();

// My two groups of users according to LDAP.
// They will show in a drop-down menu on MediaWiki's login page.
$wgLDAPDomainNames = array( 'staff', 'volunteers' );
$wgLDAPServerNames = array(
    'staff'      => 'localhost',
    'volunteers' => 'localhost'
);
// STARTTLS on the plain LDAP port
$wgLDAPEncryptionType = array(
    'staff'      => 'tls',
    'volunteers' => 'tls'
);
$wgLDAPPort = array(
    'staff'      => 389,
    'volunteers' => 389
);

// bind account used for searching users and groups
$wgLDAPProxyAgent = array(
    'staff'      => 'cn=binduser,dc=example,dc=org',
    'volunteers' => 'cn=binduser,dc=example,dc=org'
);
$wgLDAPProxyAgentPassword = array(
    'staff'      => 'secret',
    'volunteers' => 'secret'
);

// Do not offer MediaWiki's local user database as an additional login domain
$wgLDAPUseLocal = false;

// look users up by the displayName attribute in LDAP
$wgLDAPSearchAttributes = array(
    'staff'      => 'displayName',
    'volunteers' => 'displayName'
);

// username mapping -> use displayName from LDAP as login name
$wgHooks['SetUsernameAttributeFromLDAP'][] = 'SetUsernameAttribute';
function SetUsernameAttribute( &$LDAPUsername, $info ) {
    // $info is the ldap_get_entries() result for the user; take the first displayName value
    if ( isset( $info[0]['displayName'][0] ) ) {
        $LDAPUsername = $info[0]['displayName'][0];
    }
    return true;
}

// where to look in the LDAP tree
$wgLDAPBaseDNs = array(
    'staff'      => 'dc=example,dc=org',
    'volunteers' => 'dc=example,dc=org'
);
$wgLDAPGroupBaseDNs = array(
    'staff'      => 'ou=wiki,ou=staff,dc=example,dc=org',
    'volunteers' => 'ou=wiki,ou=volunteers,dc=example,dc=org'
);
$wgLDAPUserBaseDNs = array(
    'staff'      => 'ou=users,ou=staff,dc=example,dc=org',
    'volunteers' => 'ou=users,ou=volunteers,dc=example,dc=org'
);

// mapping attributes between MW and LDAP
$wgLDAPPreferences = array(
    'staff'      => array( 'email' => 'mail', 'realname' => 'displayName' ),
    'volunteers' => array( 'email' => 'mail', 'realname' => 'displayName' )
);
$wgLDAPGroupUseRetrievedUsername = array(
    'staff'      => true,
    'volunteers' => true
);

// Automatically create user accounts if LDAP accounts exist
$wgLDAPDisableAutoCreate = array(
    'staff'      => false,
    'volunteers' => false
);
// Keep the case of the displayName (the wiki already has mixed-case user names)
$wgLDAPLowerCaseUsername = array(
    'staff'      => false,
    'volunteers' => false
);

// Group based restriction
// groupOfNames entries hold full member DNs, so match on the user's DN
$wgLDAPGroupUseFullDN = array(
    'staff'      => true,
    'volunteers' => true
);
$wgLDAPGroupObjectclass = array(
    'staff'      => 'groupOfNames',
    'volunteers' => 'groupOfNames'
);
$wgLDAPGroupAttribute = array(
    'staff'      => 'member',
    'volunteers' => 'member'
);
$wgLDAPGroupNameAttribute = array(
    'staff'      => 'cn',
    'volunteers' => 'cn'
);

// syncing LDAP groups with MW security groups
$wgLDAPUseLDAPGroups = array(
    'staff'      => true,
    'volunteers' => true
);
// Groups listed here are managed locally in MediaWiki and not synced from LDAP.
// Create the MediaWiki groups sysop, bureaucrat and bot in LDAP and use them from there.
// If you have other MW security groups, list them here.
$wgLDAPLocallyManagedGroups = array(
    'staff'      => array( 'group1', 'group2' ),
    'volunteers' => array( 'group1', 'group3' )
);

// For group based login restrictions:
// Array of the groups the user is required to be a member of (at least one):
$wgLDAPRequiredGroups = array(
    'staff' => array(
        'cn=sysop,ou=wiki,ou=staff,dc=example,dc=org',
        'cn=bureaucrat,ou=wiki,ou=staff,dc=example,dc=org',
        'cn=bot,ou=wiki,ou=staff,dc=example,dc=org',
        'cn=group1,ou=wiki,ou=staff,dc=example,dc=org',
        'cn=group2,ou=wiki,ou=staff,dc=example,dc=org',
    ),
    'volunteers' => array(
        'cn=group1,ou=wiki,ou=volunteers,dc=example,dc=org',
        'cn=group3,ou=wiki,ou=volunteers,dc=example,dc=org',
    ),
);
```
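To see what the group settings above actually decide, here is an added example that is not part of the original post and not code from the LdapAuthentication extension: a small offline PHP script that models the two lookup modes ($wgLDAPGroupsUseMemberOf on and off), the $wgLDAPRequiredGroups check and the group sync with $wgLDAPLocallyManagedGroups, using the DNs and group names from the configuration above. The sample users are constructed, the comparison rules (case-insensitive DN match, locally managed groups are never removed by the sync, every LDAP group is added) are my assumptions about the extension's behaviour rather than its documented algorithm, and the filter escaping follows RFC 4515. It needs PHP 8 for str_ends_with.

```php
<?php
// Added example, not code from the original post or from the LdapAuthentication
// extension: an offline model of the decisions the configuration above asks for,
// using its DNs and group names. Assumptions (mine, not documented extension
// behaviour): group DNs are compared case-insensitively, every LDAP group is
// added, and the sync never removes a locally managed group. Needs PHP 8.

$groupBaseDNs = [
    'staff'      => 'ou=wiki,ou=staff,dc=example,dc=org',
    'volunteers' => 'ou=wiki,ou=volunteers,dc=example,dc=org',
];
$requiredGroups = [
    'staff' => [
        'cn=sysop,ou=wiki,ou=staff,dc=example,dc=org',
        'cn=bureaucrat,ou=wiki,ou=staff,dc=example,dc=org',
        'cn=bot,ou=wiki,ou=staff,dc=example,dc=org',
        'cn=group1,ou=wiki,ou=staff,dc=example,dc=org',
        'cn=group2,ou=wiki,ou=staff,dc=example,dc=org',
    ],
    'volunteers' => [
        'cn=group1,ou=wiki,ou=volunteers,dc=example,dc=org',
        'cn=group3,ou=wiki,ou=volunteers,dc=example,dc=org',
    ],
];
$locallyManaged = [
    'staff'      => ['group1', 'group2'],
    'volunteers' => ['group1', 'group3'],
];

// Escape a value for use inside an LDAP search filter (RFC 4515), so a
// display name such as "Jane Doe (Ops)" cannot break or widen the filter.
function ldapFilterEscape(string $value): string {
    return strtr($value, ['\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00']);
}

// The lookup the base-DN mode needs: which groupOfNames list this user DN as member?
function groupSearchFilter(string $userDn): string {
    return '(&(objectClass=groupOfNames)(member=' . ldapFilterEscape($userDn) . '))';
}

// Normalise a DN for comparison: lower case, no blanks around the commas.
function normDn(string $dn): string {
    return strtolower(preg_replace('/\s*,\s*/', ',', trim($dn)));
}

// Groups the lookup yields: every memberOf value with $wgLDAPGroupsUseMemberOf,
// only those below the domain's $wgLDAPGroupBaseDNs entry without it.
function candidateGroups(string $domain, array $memberOf, bool $useMemberOf, array $groupBaseDNs): array {
    $all = array_map('normDn', $memberOf);
    if ($useMemberOf) {
        return $all;
    }
    $base = ',' . normDn($groupBaseDNs[$domain]);
    return array_values(array_filter($all, fn($dn) => str_ends_with($dn, $base)));
}

// $wgLDAPRequiredGroups: at least one of the domain's required groups must match.
function loginAllowed(string $domain, array $groups, array $requiredGroups): bool {
    $required = array_map('normDn', $requiredGroups[$domain]);
    return count(array_intersect($groups, $required)) > 0;
}

// Short name of a group ($wgLDAPGroupNameAttribute = cn).
function groupCn(string $dn): string {
    return preg_match('/^cn=([^,]+)/i', $dn, $m) ? $m[1] : $dn;
}

// MediaWiki groups after sync (model): every LDAP group is added, MediaWiki
// groups not found in LDAP are dropped unless locally managed for the domain.
function syncGroups(string $domain, array $ldapGroups, array $current, array $locallyManaged): array {
    $fromLdap = array_map('groupCn', $ldapGroups);
    $kept = array_filter($current,
        fn($g) => in_array($g, $fromLdap, true) || in_array($g, $locallyManaged[$domain], true));
    $result = array_values(array_unique(array_merge($kept, $fromLdap)));
    sort($result);
    return $result;
}

// Constructed sample users, not real accounts.
$samples = [
    ['domain' => 'staff', 'name' => 'Jane Doe (Ops)', 'mw' => ['group1', 'bot'],
     'memberOf' => ['cn=group2,ou=wiki,ou=staff,dc=example,dc=org',
                    'cn=printer-admins,ou=groups,dc=example,dc=org']],
    ['domain' => 'volunteers', 'name' => 'Max Muster', 'mw' => [],
     'memberOf' => ['cn=group1,ou=wiki,ou=staff,dc=example,dc=org']], // wrong subtree
];
foreach ($samples as $s) {
    foreach ([false, true] as $useMemberOf) {
        $groups = candidateGroups($s['domain'], $s['memberOf'], $useMemberOf, $groupBaseDNs);
        $ok = loginAllowed($s['domain'], $groups, $requiredGroups);
        printf("%-10s %-15s memberOf=%s login=%s", $s['domain'], $s['name'],
            $useMemberOf ? 'on ' : 'off', $ok ? 'yes' : 'no ');
        if ($ok) {
            echo '  MW groups: ', implode(', ', syncGroups($s['domain'], $groups, $s['mw'], $locallyManaged));
        }
        echo "\n";
    }
}
echo groupSearchFilter('cn=' . $samples[0]['name'] . ',ou=users,ou=staff,dc=example,dc=org'), "\n";
```

Running it shows the two effects worth knowing before enabling the config: the staff user loses the MediaWiki "bot" group on sync because that group is no longer in the locally managed list and is not assigned in LDAP, while "group1" survives only because it is locally managed; and with the memberOf mode on, the group outside ou=wiki (printer-admins) is pulled into the wiki as well, which is exactly why the required-groups list and the group base DNs have to be kept per domain. The volunteer who is only in the staff subtree's group1 is refused in both modes, since the volunteers domain requires its own group DNs. The last line prints the member search filter with the parentheses in the display name escaped.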