4,123 bytes added, 17:06, 14 May 2015
basic config info for LDAP extension
Google deprecated its support for OpenID 2.0. They now implement "[[wp:OpenID Connect|OpenID Connect]]" (official site: http://openid.net/connect/). Unfortunately, Evan Prodromou's MediaWiki [[mw:Extension:OpenID|Extension:OpenID]] extension is written for OpenID 2.0, so wikis that used Google as an identity/authentication provider must now switch to LDAP or some other means. Fortunately, there isn't too much work to do if you already have an [[LDAP]] server in place.

== In LocalSettings.php ==
# set <code>$wgOpenIDLoginOnly = false;</code> (so we can log in with a wiki account)
#: The OpenID extension creates Special:OpenIDLogin as a substitute/replacement for Special:Login. Once we set <code>$wgOpenIDLoginOnly</code> to false, we can access Special:Login again.
# disable or delete the 'include' for the OpenID extension
# modify the <code>$wgWhitelistRead</code> list
# remove all the options related to the OpenID extension
# include the LDAP extension
# run <code>update.php</code>
# add all the LDAP extension configurations
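As an added example (not from the original page, and not code from either extension), here is what those LocalSettings.php edits look like when gathered into one fragment. The extension file paths, the whitelist entries and the order of the statements are assumptions about a typical 2015-era install; adjust them to your own tree.

```php
// Added example: the OpenID -> LDAP edits to LocalSettings.php in one place.
// Paths assume $IP/extensions/OpenID/OpenID.php and
// $IP/extensions/LdapAuthentication/LdapAuthentication.php (assumption).

// 1. Let people log in with ordinary wiki accounts while OpenID is still loaded,
//    so nobody is locked out during the switch.
$wgOpenIDLoginOnly = false;

// 2. Retire the OpenID extension: comment out its include and delete every
//    $wgOpenID* option that follows it.
// require_once "$IP/extensions/OpenID/OpenID.php";

// 3. On a private wiki, anonymous visitors must still be able to reach the login
//    page. Special:OpenIDLogin used to be listed here; the core login page is
//    Special:UserLogin (Special:Login is an alias for it).
$wgGroupPermissions['*']['read'] = false;
$wgWhitelistRead = array( 'Main Page', 'Special:UserLogin', 'Special:UserLogout' );

// 4. Load the LDAP extension before any $wgLDAP* setting refers to it, then run
//    maintenance/update.php once from the shell so its schema changes are applied.
require_once "$IP/extensions/LdapAuthentication/LdapAuthentication.php";
$wgAuth = new LdapAuthenticationPlugin();

// 5. The $wgLDAP* settings from the Configuration section go here.
```

Keep step 1 in place until the LDAP login has been tested end to end; only then remove the OpenID include and options, so the wiki never ends up with no working login path.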

== General ==
# ensure that you have php-ldap (<code>sudo yum -y install php-ldap</code> or <code>sudo apt-get install php-ldap</code>)
# test your login and view the log file
# promote your LDAP user: <code>grundlett@wiki:/var/www/html/wiki/maintenance$ php createAndPromote.php --force --bureaucrat --sysop Grundlett</code>
# find and edit the interface messages for login
# find and edit the Help: content for login

== Note ==
You can see the list of existing users at Special:ListUsers.

== Configuration ==
Here's a sample configuration for an Active Directory LDAP server:
<source lang="php">
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( 'example' );
//$wgLDAPServerNames = array( 'example' => 'ad.example.net' );
$wgLDAPServerNames = array( 'example' => '192.168.0.67 192.168.0.68' );
// default: tls. "clear" sends the proxy agent password and every user's
// credentials over the wire unencrypted; use it only while debugging.
$wgLDAPEncryptionType = array( 'example' => "clear" );
$wgLDAPGroupUseFullDN = array( 'example' => true );
$wgLDAPGroupObjectclass = array( 'example' => "group" );
$wgLDAPGroupAttribute = array( 'example' => "member" );
$wgLDAPGroupSearchNestedGroups = array( 'example' => true );
$wgLDAPGroupNameAttribute = array( 'example' => "cn" );
$wgLDAPBaseDNs = array( 'example' => "dc=ad,dc=example,dc=net" );
$wgLDAPActiveDirectory = array( 'example' => true );
// Using AD-style straight binds (DOMAIN\\USER-NAME or USER-NAME@DOMAIN),
// you'll need one more option to make this work correctly:
$wgLDAPSearchAttributes = array( 'example' => "sAMAccountName" );
$wgLDAPPreferences = array( 'example' => array( 'email' => 'mail', 'realname' => 'cn', 'nickname' => 'samaccountname' ) );
$wgLDAPProxyAgent = array( 'example' => "cn=wikiservice,ou=Service,ou=Accounts,dc=ad,dc=example,dc=net" );
$wgLDAPProxyAgentPassword = array( 'example' => 'SomeLongRandomPassword' );
// Add a debug log file. Level 3 records search filters and directory entries,
// so turn it back down to 0 and remove the file once the login works.
$wgLDAPDebug = 3; // default is 0, highest is 3
$wgDebugLogGroups['ldap'] = '/tmp/wiki-ldap-debug.log';

// This hook is called by the LdapAuthentication plugin. It is a configuration hook. Here we
// are specifying what attribute we want to use for a username in the wiki.
// Note that this hook is NOT called on a straight bind.
// The hook calls the function defined below.
$wgHooks['SetUsernameAttributeFromLDAP'][] = 'SetUsernameAttribute';
// This function allows you to get the username from LDAP however you need to do it.
// This is the username MediaWiki will use.
function SetUsernameAttribute( &$LDAPUsername, $info ) {
	$LDAPUsername = $info[0]['samaccountname'][0];
	return true;
}
// Allow the use of the local database as well as the LDAP database.
// Mostly for transitional purposes. Unless you *really* know what you are doing,
// don't use this option. It will likely cause you annoying problems, and
// it will cause me annoying support headaches.
// Warning: Using this option will allow MediaWiki to leak LDAP passwords into
// its local database. It's highly recommended that this setting not be used for
// anything other than transitional purposes.
// Default: false
$wgLDAPUseLocal = false;
</source>
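The hook above trusts that the directory returned exactly one entry with a usable sAMAccountName. As an added example (not the page's or the extension's code), here is a stricter version of the same hook that checks both conditions and canonicalises the name the way Special:UserLogin would, writing anything unexpected to the 'ldap' debug log configured above. The function name and log messages are assumptions; <code>wfDebugLog()</code> and <code>User::getCanonicalName()</code> are MediaWiki core functions, and <code>$info</code> is assumed to be the <code>ldap_get_entries()</code>-style array the extension passes in.

```php
// Added example: a stricter SetUsernameAttributeFromLDAP hook (assumed name).
$wgHooks['SetUsernameAttributeFromLDAP'][] = 'exampleSetUsernameAttribute';

function exampleSetUsernameAttribute( &$LDAPUsername, $info ) {
	// Exactly one directory entry must have matched the login name; zero means
	// the account does not exist, more than one means the search filter is too loose.
	$count = isset( $info['count'] ) ? (int)$info['count'] : 0;
	if ( $count !== 1 ) {
		wfDebugLog( 'ldap', "exampleSetUsernameAttribute: expected 1 entry, got $count" );
		// Leave $LDAPUsername untouched so the extension's own checks decide.
		return true;
	}

	$entry = $info[0];
	if ( empty( $entry['samaccountname'][0] ) ) {
		wfDebugLog( 'ldap', 'exampleSetUsernameAttribute: entry has no sAMAccountName' );
		return true;
	}

	// MediaWiki rejects names containing characters such as '#', '/' or '|' and
	// upper-cases the first letter. Canonicalising here makes sure one LDAP
	// account maps to exactly one wiki account instead of failing later.
	$candidate = User::getCanonicalName( $entry['samaccountname'][0], 'creatable' );
	if ( $candidate === false ) {
		wfDebugLog( 'ldap', 'exampleSetUsernameAttribute: sAMAccountName is not a creatable wiki name: '
			. $entry['samaccountname'][0] );
		return true;
	}

	$LDAPUsername = $candidate;
	return true;
}
```

With <code>$wgLDAPDebug</code> set to 3 during the test in the General section, each rejected login shows up in /tmp/wiki-ldap-debug.log with the reason, which is usually faster than guessing whether the search attribute, base DN or proxy agent is at fault.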