Extension:LDAPAuthorization/de-formal
This extensions checks for certain authorization requirements when logging into a wiki by using Extension:PluggableAuth or Extension:Auth remoteuser . If one of the requirements are not satisfied the login process will be cancelled.
LDAPAuthorization Release status: stable |
|
---|---|
Author(s) | Cindy Cicalese, Mark A. Hershberger, Robert Vogel |
Latest version | 1.0.0 |
Compatibility policy | Snapshots releases along with MediaWiki. Master is not backward compatible. |
MediaWiki | 1.31+ |
Composer | mediawiki/ldap-authorization |
License | GNU General Public License 2.0 or later |
Download | |
|
|
Quarterly downloads | 360 (Ranked 11th) |
Translate the LDAPAuthorization extension if it is available at translatewiki.net | |
Installation
- Install the LDAPProvider and PluggableAuth extensions.
- Die Erweiterung herunterladen und die Datei(en) in ein Verzeichnis namens
LDAPAuthorization
im Ordnerextensions/
ablegen.
Developers and code contributors should install the extension from Git instead, using:cd extensions/
git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/LDAPAuthorization - Folgenden Code am Ende Ihrer LocalSettings.php -Datei hinzufügen: Configure as required.
wfLoadExtension( 'LDAPAuthorization' );
- Done – Zu Special:Version in dem Wiki (bei Einstellung auf deutsch nach Spezial:Version) navigieren, um die erfolgreiche Installierung der Erweiterung zu überprüfen.
Extension config settings
Name | Default | Description |
---|---|---|
AutoAuthRemoteUserStringParserRegistry
|
{
"domain-backslash-username": "MediaWiki\\Extension\\LDAPAuthorization\\AutoAuth\\RemoteUserStringParser\\DomainBackslashUsername::factory",
"username-at-domain": "MediaWiki\\Extension\\LDAPAuthorization\\AutoAuth\\RemoteUserStringParser\\UsernameAtDomain::factory"
}
|
A registry of factory callbacks for different parsers, that extract domain and username from a provided domain-username.
Must return Only used in case of auto-authentication provided by Extension:Auth remoteuser . |
AutoAuthRemoteUserStringParser
|
"domain-backslash-username"
|
Configures which parser is needed to extract domain and username from a provided domain-username. Allowed values are:
Only used in case of auto-authentication provided by Auth remoteuser. |
AutoAuthUsernameNormalizer
|
""
|
A callback that allows to modify the username when Extension:Auth_remoteuser is used for network based authentication. E.g. "strtolower" . If form based authentication is also enabled though Extension:LDAPAuthentication2 this should have the same value as Only used in case of auto-authentication provided by Extension:Auth remoteuser . |
Domain config settings
Name | Default | Description |
---|---|---|
rules.groups.required
|
[]
|
Array of group DNs that are required to complete the login process. Belonging to one group is sufficient (logical OR) to be authorized. |
rules.groups.excluded
|
[]
|
Array of group DNs that the user may not be member of to complete the login process. Belonging to one group is sufficient (logical OR) to be forbidden to log in. |
rules.attributes
|
{}
|
This implements the "attributes mapping" rule from Extension:LDAP Authentication
Example: {
"&" : {
"status": "active",
"|": {
"department": [ "100", "200" ],
"level": [ "5", "6" ]
}
}
}
|
rules.query
|
""
|
Allows to provide a standard LDAP query to be tested against the user. Comparable to $wgLDAPAuthAttribute from Extension:LDAP Authentication
Example:
|
Example 1
If you want to configure this in LocalSettings.php
you can extend the configuration for LDAPProvider like in this example:
$LDAPProviderDomainConfigProvider = function() {
$config = [
'LDAP' => [
'connection' => [
...
],
'authorization' => [
'rules' => [
'groups' => [
'required' => [ "groupname" ]
]
]
]
]
];
...
Example 2
Here is a complete example LocalSettings.php
configuration for Active Directory:
$LDAPProviderDomainConfigProvider = function()
{
$config =
[
"example.com" =>
[
"connection" =>
[
"server" => "ldap.example.com",
"user" => "cn=ldap,cn=Users,dc=example,dc=com",
"pass" => "password",
"basedn" => "dc=example,dc=com",
"groupbasedn" => "dc=example,dc=com",
"userbasedn" => "dc=example,dc=com",
"searchattribute" => "samaccountname",
"searchstring" => "USER-NAME@example.com",
"usernameattribute" => "samaccountname",
"realnameattribute" => "cn",
"emailattribute" => "mail",
"grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
],
"authorization" =>
[
"rules" =>
[
"groups" =>
[
"required" => [ "cn=Developers,cn=Users,dc=example,dc=com" ]
]
]
],
"groupsync" =>
[
"mechanism" => "mappedgroups",
"mapping" =>
[
"sysop" => "cn=Developers,cn=Users,dc=example,dc=com",
"bureaucrat" => "cn=Developers,cn=Users,dc=example,dc=com"
]
],
"userinfo" =>
[
"email" => "mail",
"realname" => "cn",
"properties.gender" => "gender"
]
]
];
return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
Versioning
MediaWiki Release | Recommended Extension Version | Test Status | Latest Test Date |
---|---|---|---|
1.35 (LTS) | LDAPxxx_master | Tested | März 2020 |
This extension is included in the following wiki farms/hosts and/or packages: This is not an authoritative list. Some wiki farms/hosts and/or packages may contain this extension even if they are not listed here. Always check with your wiki farms/hosts or bundle to confirm. |
- MediaWiki Stakeholders' Group/de-formal
- LDAP Stack Member/de-formal
- PluggableAuth plugins/de-formal
- Stable extensions/de-formal
- Extensions with invalid or missing type/de-formal
- Extensions supporting Composer/de-formal
- GPL licensed extensions/de-formal
- Extensions in Wikimedia version control/de-formal
- AuthRemoteuserFilterUserName extensions/de-formal
- PluggableAuthUserAuthorization extensions/de-formal
- All extensions/de-formal
- Extensions included in BlueSpice/de-formal
- Extensions included in Canasta/de-formal
- LDAP extensions/de-formal
- Extensions by MITRE/de-formal
- User identity extensions/de-formal