Jump to content

Extension:LDAPProvider

From mediawiki.org
This page is a translated version of the page Extension:LDAPProvider and the translation is 26% complete.
Outdated translations are marked like this.

LDAPAuthentication2 [1][2]の後継として、$2が作られました。それらはすべて、リモートLDAPリソースと対話する必要があります。[3]. 設定やメンテナンスを容易にし、一元化するために、この拡張機能が作られました。 LDAPリソースからデータを照会するためのクラスと設定を提供します。

MediaWiki 拡張機能マニュアル
LDAPProvider
リリースの状態: 安定
説明 LDAPリソースに接続し、それに対してクエリーを実行するための共通基盤を提供します。
作者
最新バージョン 3.0.0-alpha
互換性の方針 MediaWiki とともにリリースされるスナップショット。 master には後方互換性がありません。
データベースの変更 はい
Composer mediawiki/ldap-provider
テーブル ldap_domains
ライセンス GNU 一般公衆利用許諾書 2.0 以降
ダウンロード
  • $wgCacheTime
  • $wgCacheType
  • $wgPreSearchUsernameModifierRegistry
  • $wgDefaultDomain
  • $wgDomainConfigs
  • $wgDomainConfigProvider
  • $wgClientRegistry
四半期ごとのダウンロード数 373 (Ranked 8th)
translatewiki.net で翻訳を利用できる場合は、LDAPProvider 拡張機能の翻訳にご協力ください
問題点 未解決のタスク · バグを報告

インストール

  • ダウンロードして、ファイルをextensions/フォルダー内のLDAPProviderという名前のディレクトリ内に配置します。
    開発者とコード寄稿者は、上記の代わりに以下を使用してGitからインストールします:cd extensions/
    git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/LDAPProvider
  • 以下のコードを LocalSettings.php ファイルの末尾に追加します:
    wfLoadExtension( 'LDAPProvider' );
    
  • 必要なデータベース・テーブルを作成するためにphp maintenance/update.phpを実行します。
  • 必要に応じて設定します
  • Yes 完了 – ウィキの「Special:Version」に移動して、拡張機能が正しくインストールされたことを確認します。

設定

「拡張設定」と「ドメイン設定」の比較

この拡張機能には2種類の構成があるのが特徴です。 一方では、古典的な「拡張構成」があります。 LocalSettings.php内のグローバル変数を利用して設定することができる。 これらの変数にはwgの接頭辞がないことに注意してください。 これらの設定は、拡張機能全体に影響します。

On the other side there is a configuration that is specific to a remote LDAP resource, like connection settings, group membership query mechanism or base DNs[4]. Multiple domains can be configured independently. These settings only affect the communication to the LDAP resource, based on the domain that this resource serves.

拡張機能の設定

When using them in LocalSettings.php, these variables need to be prefixed with $LDAPProvider
名前 既定 説明
CacheType "CACHE_ANYTHING" The sort of cache to use for the connection information.
CacheTime 500 How long cached items should stick around in seconds.
ClientRegistry [] Allows registration of custom clients. The key is the domain to be handled, the value is a callback that returns an objects which derives from Client.
DomainConfigs "/etc/mediawiki/ldapprovider.json" Stores per domain configuration. Only evaluated if $LDAPProviderDomainConfigProvider is set to use the default LocalJSONFile. See below.
DomainConfigProvider "\\MediaWiki\\Extension\\LDAPProvider\\DomainConfigProvider\\LocalJSONFile::newInstance" Specifies the mechanism for obtaining the domain configuration. Must be a callback that returns an IDomainConfigProvider.
DefaultDomain "" Specifies the domain to fall back in case no domain was found for a user. This is often the case when using Extension:Auth_remoteuser for network based authentication.
PreSearchUsernameModifierRegistry
[
 "removespaces": "\\MediaWiki\\Extension\\LDAPProvider\\PreSearchUsernameModifier\\RemoveSpaces::newInstance",
 "spacetounderscore": "\\MediaWiki\\Extension\\LDAPProvider\\PreSearchUsernameModifier\\SpacesToUnderscores::newInstance",
 "spacestounderscores": "\\MediaWiki\\Extension\\LDAPProvider\\PreSearchUsernameModifier\\SpacesToUnderscores::newInstance",
 "strtolower": "\\MediaWiki\\Extension\\LDAPProvider\\PreSearchUsernameModifier\\ToLower::newInstance",
 "lowercase": "\\MediaWiki\\Extension\\LDAPProvider\\PreSearchUsernameModifier\\ToLower::newInstance"
]
Specifies factory callbacks for objects of type MediaWiki\Extension\LDAPProvider\IPreSearchUsernameModifier. The keys can be used in the domain configuration in the field connection.presearchusernamemodifiers. Example for a custom modifier:
$LDAPProviderPreSearchUsernameModifierRegistry
['custom-prefix-modifier'] = function() {
  return new MediaWiki\Extension\LDAPProvider
  \PreSearchUsernameModifier\GenericCallback(
    function( $username ) {
      return "some_prefix_$username";
  } );
};

ドメイン構成設定

名前 既定 説明
server - One or more hostnames of the LDAP backend. Separated by a single space.
port 389 The port the LDAP server is listening to
user "" The FQDN of a user who has at least read rights
pass "" The password for the user above
options {} (JSON object or indexed PHP array) LDAP specific options. Must be string literals as key.
enctype clear Must be one of 'ldapi', 'ssl', 'tls', or 'clear'
groupbasedn "" Used for group membership queries
userbasedn "" Used for user info queries. Also for resolving a local username into an appropriate user DN
searchattribute "" Attribute to use in searches for user DN. "uid" and "samaccountname" are common. A "searchstring" will skip this search, if your user's DNs follow a single pattern.
searchstring "" Provides a pattern for user DN, in lieu of searching for it by "searchattribute" and username.

Value should be an example DN with "USER-NAME" in the place of a real username.

e.g.

"CN=USER-NAME,OU=Users,DC=example,DC=com"

grouprequest "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupUniqueMember::factory" Mechanism to fetch user group data. Following types are available:
  • "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
  • "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupUniqueMember::factory"
  • "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory"
  • "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\Configurable::factory"
  • "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMemberUid::factory"

Which one to choose depends on the LDAP backend.


GroupMember searches for "group" objects by "(member=$userDN)", including nested groups, if configured (see "nestedgroups" below).

GroupUniqueMember searches for "groupofUniqueName" objects where "(uniqueMember=$userDN)".

UserMemberOf searches for "memberOf" attributes of the user's own LDAP object.

"Configurable" does a custom search, "(&(objectclass=$objectClass)($groupAttribute=$userDN))". See groupobjectclass and groupattribute, below.

GroupMemberUid searches for "posixGroup" objects by "(member=$userUid)", or nested groups, if configured (see "nestedgroups" below).

groupobjectclass "" In case Configurable is used in grouprequest the groupobjectclass can be specified here. E.g. group
groupattribute "member" In case Configurable is used in grouprequest the groupattribute can be specified here. E.g. member
presearchusernamemodifiers [] Username modifiers, for the purpose of LDAP-query.
Useful when LDAP usernames do not match MediaWiki username format.
( e.g. LDAP accounts use underscores-instead-of-spaces, or need to be lower-cased )
The modified username will be used with "searchstring" or "searchattribute" methods of determining user DN.


Use one-or-more of the available modifiers:

  • lowercase
  • removespaces
  • spacestounderscores


Sample Usage:
[ "lowercase" ]
[ "removespaces" ]
[ "spacestounderscores", "lowercase" ]

Working Example: Login-User Joe Bloggs will be translated to joe_bloggs LDAP search query,
with config of: [ "spacestounderscores", "lowercase" ]

Additional modifiers can be registered through the $LDAPProviderPreSearchUsernameModifierRegistry (see above) variable.

nestedgroups false Whether to use LDAP_MATCHING_RULE_IN_CHAIN to fetch nested groups. Will only work for Microsoft Active Directory and with grouprequest = MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory


Specifically, this is a search for group objects where "(member:1.2.840.113556.1.4.1941:=$userDN)".

ドメイン構成プロバイダー

By default the domain specific configuration is held in a static JSON file. But one can also use a PHP based (dynamic) configuration. The relevant extension configuration is $LDAPProviderDomainConfigProvider. It needs to be a callback that returns an object of type IDomainConfigProvider.

静的なJSONファイル

This is the default way. Just set up the extension configuration $LDAPProviderDomainConfigs to point to a valid JSON file (should be outside of web root).

$LDAPProviderDomainConfigs = "$IP/../ldapprovider.json";

Example

{
	"LDAP": {
		"connection": {
			"server": "ldap.forumsys.com",
			"user": "cn=read-only-admin,dc=example,dc=com",
			"pass": "password",
			"options": {
				"LDAP_OPT_DEREF": 1
			},
			"basedn": "dc=example,dc=com",
			"groupbasedn": "dc=example,dc=com",
			"userbasedn": "dc=example,dc=com",
			"searchattribute": "uid",
			"searchstring": "uid=USER-NAME,dc=example,dc=com",
			"usernameattribute": "uid",
			"realnameattribute": "cn",
			"emailattribute": "mail"
		}
	}
}

動的なPHP配列

As an alternative to the JSON file one can use a PHP array to configure the domains. In this case, just have the $LDAPProviderDomainConfigs callback return an instance of InlinePHPArray.

Example

$LDAPProviderDomainConfigProvider = function() {
	$config = [
		'LDAP' => [
			'connection' => [
				"server" => "ldap.forumsys.com",
				"user" => "cn=read-only-admin,dc=example,dc=com",
				"pass" => 'password',
				"options" => [
					"LDAP_OPT_DEREF" => 1
				],
				"basedn" => "dc=example,dc=com",
				"groupbasedn" => "dc=example,dc=com",
				"userbasedn" => "dc=example,dc=com",
				"searchattribute" => "uid",
				"searchstring" => "uid=USER-NAME,dc=example,dc=com",
				"usernameattribute" => "uid",
				"realnameattribute" => "cn",
				"emailattribute" => "mail"
			]
		]
	];

	return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

Advanced configuration

Dynamic usergroup attribute

Example

ldapprovider.json:

 {
 	"LDAP": {
 		"connection": {
 			"server": "...",
 			...
 			"grouprequest": "...Configurable::factory",
 			"groupobjectclass": "groupOfUniqueNames",
 			"groupattribute": "uniqueMember",
 			"group-attribute-value-callback": "myCoolCallback"
 		},
 },

Here "group-attribute-value-callback" specifies the name of some callback function which contains logic for the calculation of "groupattribute" value.

LocalSettings.php:

function myCoolCallback( $username ) {
 	return new \MediaWiki\Extension\LDAPProvider\EscapedString( $username );
 }

That's an example of a simple callback which returns the unchanged username as "groupattribute" value.

バージョン化

LDAP Stack Extensions are targeted/qualified for MediaWiki LTS releases only.
However, this table helps to determine which extension-releases to use across all recent versions.

MediaWiki リリース Recommended Extension Version テストの状態 最終テスト日
1.35 (LTS) LDAPxxx_master テスト済 2020年3月

トラブルシューティング

例外:「ドメイン 'XYZ'に使用できる構成はありません!」

Please make sure, that the values in the database field ldap_domains.domain_id match with the values set in the first level of the domain-configuration (e.g. in ldapprovider.json, you will need to replace "LDAP" at the top level with your domain. This can be checked by viewing the $_SERVER['USERDOMAIN'] entry in your server's phpinfo() ). If they don't, you can either change the entries in the database using UPDATE ldap_domains SET domain = "DomainNameAsInConfiguration"; or adapt the configuration. Attention: In the current version, the domain name is case sensitive.

例外:「ドメイン'LDAP'の構成にセクション'authorization'が見つかりません」

If you enabled the LDAPAuthorization extension (as recommended in the PluggableAuth documentation), you need to add the authorization configuration in the LDAPProvider domain config (more info on LDAPAuthorization Configuration)

Warning: The supplied credentials are not associated with any user on this wiki.

Check that "userbasedn" and "searchattribute" are correct.

エンドツーエンドのサンプル

References

  1. previously Extension:LDAP_Authentication
  2. LDAP stack flow
  3. Lightweight Directory Access Protocol (LDAP) (en)
  4. Distinguished Name (DN)