Erweiterung:LDAPAuthorization
This extension is part of the LDAP Stack and requires the LDAPProvider extension to be installed first.
This extension requires the PluggableAuth extension to be installed first.This extensions checks for certain authorization requirements when logging into a wiki by using Erweiterung:PluggableAuth or Erweiterung:Auth remoteuser. If one of the requirements are not satisfied the login process will be cancelled.
 Freigabestatus: stabil |
|
|---|---|
|
|
| Autor(en) | Cindy Cicalese, Mark A. Hershberger, Robert Vogel |
| Letzte Version | 1.0.0 |
| Kompatibilitätspolitik | Snapshots werden zusammen mit MediaWiki veröffentlicht. Der Master ist nicht abwärtskompatibel. |
| MediaWiki | 1.31+ |
| Lizenz | GNU General Public License 2.0 oder später |
| Herunterladen | |
|
|
| Quarterly downloads | 277 (Ranked 17th) |
| Übersetze die LDAPAuthorization-Erweiterung, wenn sie auf translatewiki.net verfügbar ist | |
Installation
- Install the LDAPProvider and PluggableAuth extensions.
- Die Erweiterung herunterladen und die Datei(en) in ein Verzeichnis namens
LDAPAuthorizationim Ordnerextensions/ablegen.
Entwickler und Code-Beitragende sollten stattdessen die Erweiterung von Git installieren, mit:cd extensions/
git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/LDAPAuthorization - Folgenden Code am Ende deiner LocalSettings.php-Datei einfügen: Configure as required.
wfLoadExtension( 'LDAPAuthorization' );
Erledigt – Navigiere zu Special:Version in deinem Wiki, um zu überprüfen, ob die Erweiterung erfolgreich installiert wurde.
Erweiterungskonfigurationseinstellungen
| Name | Standard | Beschreibung |
|---|---|---|
AutoAuthRemoteUserStringParserRegistry
|
{
"domain-backslash-username": "MediaWiki\\Extension\\LDAPAuthorization\\AutoAuth\\RemoteUserStringParser\\DomainBackslashUsername::factory",
"username-at-domain": "MediaWiki\\Extension\\LDAPAuthorization\\AutoAuth\\RemoteUserStringParser\\UsernameAtDomain::factory"
}
|
A registry of factory callbacks for different parsers, that extract domain and username from a provided domain-username.
Must return Only used in case of auto-authentication provided by Erweiterung:Auth remoteuser. |
AutoAuthRemoteUserStringParser
|
"domain-backslash-username"
|
Configures which parser is needed to extract domain and username from a provided domain-username. Erlaubte Werte sind:
Only used in case of auto-authentication provided by Auth remoteuser. |
AutoAuthUsernameNormalizer
|
""
|
A callback that allows to modify the username when Erweiterung:Auth remoteuser is used for network based authentication. E.g. "strtolower".
If form based authentication is also enabled though Erweiterung:LDAPAuthentication2 this should have the same value as |
Domain config settings
| Name | Standard | Beschreibung |
|---|---|---|
rules.groups.required
|
[]
|
Array of group DNs that are required to complete the login process. Belonging to one group is sufficient (logical OR) to be authorized. |
rules.groups.excluded
|
[]
|
Array of group DNs that the user may not be member of to complete the login process. Belonging to one group is sufficient (logical OR) to be forbidden to log in. |
rules.attributes
|
{}
|
This implements the "attributes mapping" rule from Extension:LDAP Authentication
Example: {
"&" : {
"status": "active",
"|": {
"department": [ "100", "200" ],
"level": [ "5", "6" ]
}
}
}
|
rules.query
|
""
|
Allows to provide a standard LDAP query to be tested against the user. Comparable to $wgLDAPAuthAttribute from Extension:LDAP Authentication
Example:
|
Example 1
If you want to configure this in LocalSettings.php you can extend the configuration for LDAPProvider like in this example:
$LDAPProviderDomainConfigProvider = function() {
$config = [
'LDAP' => [
'connection' => [
...
],
'authorization' => [
'rules' => [
'groups' => [
'required' => [ "groupname" ]
]
]
]
]
];
...
Example 2
Here is a complete example LocalSettings.php configuration for Active Directory:
$LDAPProviderDomainConfigProvider = function()
{
$config =
[
"example.com" =>
[
"connection" =>
[
"server" => "ldap.example.com",
"user" => "cn=ldap,cn=Users,dc=example,dc=com",
"pass" => "password",
"basedn" => "dc=example,dc=com",
"groupbasedn" => "dc=example,dc=com",
"userbasedn" => "dc=example,dc=com",
"searchattribute" => "samaccountname",
"searchstring" => "USER-NAME@example.com",
"usernameattribute" => "samaccountname",
"realnameattribute" => "cn",
"emailattribute" => "mail",
"grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
],
"authorization" =>
[
"rules" =>
[
"groups" =>
[
"required" => [ "cn=Developers,cn=Users,dc=example,dc=com" ]
]
]
],
"groupsync" =>
[
"mechanism" => "mappedgroups",
"mapping" =>
[
"sysop" => "cn=Developers,cn=Users,dc=example,dc=com",
"bureaucrat" => "cn=Developers,cn=Users,dc=example,dc=com"
]
],
"userinfo" =>
[
"email" => "mail",
"realname" => "cn",
"properties.gender" => "gender"
]
]
];
return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
Versionierung
| MediaWiki Release | Recommended Extension Version | Test Status | Latest Test Date |
|---|---|---|---|
| 1.35 (LTS) | LDAPxxx_master | Tested | März 2020 |
 | Diese Erweiterung ist in den folgenden Softwarepaketen enthalten und/oder wird von den folgenden Wiki-Farmen, bzw. Wiki-Hostern verwendet: Dies ist keine maßgebliche Liste. Softwarepakete und/oder Wiki-Farmen, bzw. Wiki-Hoster nutzen diese Erweiterung ggf., obwohl sie nicht in dieser Liste enthalten sind. Prüfe daher stets die Nutzung im verwendeten Softwarepaket und/oder bei der Wiki-Farm, bzw. dem Wiki-Hoster. |
Categories:
- LDAP Stack Member/de
- PluggableAuth plugins/de
- Stable extensions/de
- Extensions with invalid or missing type/de
- GPL licensed extensions/de
- Extensions in Wikimedia version control/de
- AuthRemoteuserFilterUserName extensions/de
- PluggableAuthUserAuthorization extensions/de
- All extensions/de
- Extensions included in BlueSpice/de
- Extensions included in Canasta/de
- LDAP extensions/de
- Extensions by MITRE/de
- User identity extensions/de