
Extension talk:LDAPGroups


Assign groups based on ldap attribute?

TimRiker (talkcontribs)

I'd like to add users to a MediaWiki group based on the setting of an ldap attribute.

If the user has "personType" set to "emp" in LDAP then add them to the "employee" MediaWiki group and ensure they are not in "contractors".

If the user has "personType" set to "con" in LDAP then add them to the "contractor" MediaWiki group and ensure they are not in "employees".

If the person does not have a "personType" attribute, remove them from both groups.

For another group, if the field "specialId" exists with any value, add them to the "specials" group, otherwise remove them from "specials".

Can this be done with settings? I suspect I'll need a callback function in LocalSettings.php to handle this. Is there a hook to call?

Osnard (talkcontribs)

Well, Extension:LDAPGroups does not support group mapping based on regular (non-group-membership) attributes. Its internal logic is only provided with values from the grouprequest configured in Extension:LDAPProvider. There are also no callbacks or hooks that can be used for this. One would need to implement a new MediaWiki\Extension\LDAPGroups\ISyncMechanism.

But, if you use Extension:PluggableAuth for login, rather than Extension:Auth_remoteuser, you may be able to use its group sync capabilities.

This should be doable with a configuration like this:

$wgPluggableAuth_Config = [
  "My LDAP" => [
...
    'groupsyncs' => [
      [
        'type' => 'mapped',
        'map' => [
          'employee' => [ 'personType' => 'emp' ],
          'contractors' => [ 'personType' => 'con' ],
          // Unfortunately there is no wildcard support, so all values need to be set explicitly
          'specials' => [ 'specialId' => [ '...', '...'  ] ]
        ]
      ]
    ]
  ]
];

Also check out the various test cases implemented in Extension:PluggableAuth: https://github.com/wikimedia/mediawiki-extensions-PluggableAuth/blob/7.1.0/tests/phpunit/Group/MapGroupsTest.php#L70-L89

Be aware that Extension:PluggableAuth only syncs on login, unlike Extension:LDAPGroups, which does this once an hour even during an active session.
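The attribute-based map above can be dry-run offline before it is deployed. The following is an added example written for this discussion, not PluggableAuth's own code; it assumes the semantics described in the thread (a group is granted only when the user's attribute value is one of the explicitly listed values, with no wildcards, and revoked otherwise), and the `specialId` values are constructed placeholders.

```python
from typing import Dict, List, Set, Tuple, Union

Rule = Dict[str, Union[str, List[str]]]

# MediaWiki group -> LDAP attribute rule, in the shape of the 'map' key from the
# PluggableAuth config in the answer. The specialId values are constructed
# placeholders: without wildcard support every accepted value must be listed.
GROUP_MAP: Dict[str, Rule] = {
    "employee":    {"personType": "emp"},
    "contractors": {"personType": "con"},
    "specials":    {"specialId": ["S-100", "S-200"]},
}


def _values(v: Union[str, List[str]]) -> List[str]:
    """Accept a single value or a list of values for one attribute."""
    return v if isinstance(v, list) else [v]


def rule_matches(rule: Rule, attrs: Dict[str, List[str]]) -> bool:
    """A rule matches when, for every attribute it names, at least one of the
    user's values for that attribute is among the rule's listed values.
    An attribute the user does not have never matches (assumed semantics)."""
    for attr, wanted in rule.items():
        if not set(attrs.get(attr, [])) & set(_values(wanted)):
            return False
    return True


def plan_sync(attrs: Dict[str, List[str]], current: Set[str],
              group_map: Dict[str, Rule] = GROUP_MAP) -> Tuple[List[str], List[str]]:
    """Return (groups_to_add, groups_to_remove) for one user.

    Only groups named in the map are managed; anything else the user is in
    (for example 'user' or a manually granted group) is left untouched."""
    wanted = {g for g, rule in group_map.items() if rule_matches(rule, attrs)}
    managed = set(group_map)
    to_add = sorted(wanted - current)
    to_remove = sorted((current & managed) - wanted)
    return to_add, to_remove


if __name__ == "__main__":
    # Constructed user: an employee who was previously recorded as a contractor.
    print(plan_sync({"personType": ["emp"]}, {"contractors", "user"}))
    # Constructed user: personType removed in LDAP -> both groups revoked.
    print(plan_sync({}, {"employee", "specials", "user"}))
```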


How to assign multiple LDAP groups?

Neftal23 (talkcontribs)

Hello,

I would like to assign multiple LDAP groups to a single MediaWiki group. How can that be done?

In PHP it would look like this:

$group['admin'] = [ "Grp_IT1" ];

$group['admin'][] = "Grp_IT2"; // append a second LDAP group instead of overwriting the first


This overwrites but does not extend:

"groupsync": {
  "mapping": {
    "admin": "CN=Grp_IT1,OU=example,DC=com",
    "admin": "CN=Grp_IT2,OU=example,DC=com",
    "sysop": "CN=Grp_IT1,OU=example,DC=com"
  }
}

Osnard (talkcontribs)

You should be able to do this with

"groupsync": {
  "mapping": {
   "admin": [
      "CN=Grp_IT1,OU=example,DC=com",
      "CN=Grp_IT2,OU=example,DC=com"
   ],
   "sysop": "CN=Grp_IT1,OU=example,DC=com"
  }
}
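To see why the first form silently loses a group while the list form keeps both, here is an added example (not part of LDAPProvider or LDAPGroups) that parses both configs: a standard JSON parser keeps only the last value of a repeated key, a strict loader rejects it, and `wiki_groups_for` applies a normalised mapping to a user's memberOf DNs. DNs are compared case-insensitively, which is an assumption of this example rather than documented extension behaviour.

```python
import json
from typing import Any, Dict, List

# Constructed sample: the mapping from the question, with "admin" given twice.
DUPLICATE_KEY_CONFIG = """{
  "groupsync": {
    "mapping": {
      "admin": "CN=Grp_IT1,OU=example,DC=com",
      "admin": "CN=Grp_IT2,OU=example,DC=com",
      "sysop": "CN=Grp_IT1,OU=example,DC=com"
    }
  }
}"""

# Constructed sample: the list form from the answer.
LIST_CONFIG = """{
  "groupsync": {
    "mapping": {
      "admin": [ "CN=Grp_IT1,OU=example,DC=com", "CN=Grp_IT2,OU=example,DC=com" ],
      "sysop": "CN=Grp_IT1,OU=example,DC=com"
    }
  }
}"""


class DuplicateKeyError(ValueError):
    """A JSON object repeats a key; a lenient parser would keep only the last value."""


def _reject_duplicates(pairs):
    obj: Dict[str, Any] = {}
    for key, value in pairs:
        if key in obj:
            raise DuplicateKeyError(f'duplicate key "{key}": earlier value would be dropped')
        obj[key] = value
    return obj


def load_strict(text: str) -> Dict[str, Any]:
    """json.loads that fails on duplicate keys anywhere in the document."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def has_duplicate_keys(text: str) -> bool:
    try:
        load_strict(text)
    except DuplicateKeyError:
        return True
    return False


def lenient_mapping(text: str) -> Dict[str, Any]:
    """What a standard parser keeps (last value wins), i.e. what would actually be applied."""
    return json.loads(text)["groupsync"]["mapping"]


def normalized_mapping(mapping: Dict[str, Any]) -> Dict[str, List[str]]:
    """Turn each 'string or list of DNs' value into a list so both forms are handled alike."""
    return {grp: dns if isinstance(dns, list) else [dns] for grp, dns in mapping.items()}


def wiki_groups_for(member_of: List[str], mapping: Dict[str, List[str]]) -> List[str]:
    """MediaWiki groups a user receives from the DNs in memberOf.
    DNs are compared case-insensitively; that is an assumption of this example."""
    have = {dn.lower() for dn in member_of}
    return sorted(grp for grp, dns in mapping.items() if any(dn.lower() in have for dn in dns))
```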

Problem to get groups from LDAP

ElogKevinL (talkcontribs)

Hello,

I have a problem with this extension: I can find my group with ldapsearch, but that doesn't work with this extension.

I get a blank return with this command:

php extensions/LDAPProvider/maintenance/ShowUserGroups.php --domain domain.local --username myuser

My LDAP config:


{
  "domain.local": {
    "connection": {
      "server": "srv-dc1.domain.local",
      "port": "389",
      "use-tls": "true",
      "user": "CN=Mediawiki,OU=My Accounts,dc=domain,dc=local",
      "pass": "password",
      "enctype": "clear",
      "options": {
        "LDAP_OPT_DEREF": 1
      },
      "basedn": "dc=domain,dc=local",
      "groupbasedn": "OU=My Groups,dc=domain,dc=local",
      "userbasedn": "OU=My Accounts,dc=domain,dc=local",
      "searchattribute": "samaccountname",
      "usernameattribute": "samaccountname",
      "realnameattribute": "cn",
      "emailattribute": "mail",
      "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
      "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]
    },
    "userinfo": [],
    "authorization": {
      "rules": {
        "groups": {
          "required": [ "CN=Mediawiki_Access,OU=My Groups,dc=domain,dc=local" ]
        }
      }
    },
    "groupsync": {
      "mapping": {
        "engineering": "CN=Mediawiki_Admins,OU=My Groups,dc=domain,dc=local",
        "bureaucrat": "CN=Mediawiki_Admins,OU=My Groups,dc=domain,dc=local",
        "interface-admin": "CN=Mediawiki_Admins,OU=My Groups,dc=domain,dc=local",
        "sysop": "CN=Mediawiki_Admins,OU=My Groups,dc=domain,dc=local"
      }
    }
  }
}


And I have this error in my Apache log:

Undefined array key "memberof" in /var/lib/mediawiki/extensions/LDAPProvider/src/UserGroupsRequest/UserMemberOf.php

What can I check?

Regards,

Kévin.

Osnard (talkcontribs)

Well, apparently the group information is not stored in the memberOf field of the "user info". Try to use a different value for grouprequest:

  • "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
  • "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupUniqueMember::factory"
  • "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory"
  • "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\Configurable::factory"
  • "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMemberUid::factory"


Depending on the chosen value, additional configuration may be required. See also Extension:LDAPProvider#Domain_config_settings

ElogKevinL (talkcontribs)

Hello,

Thank you, the value GroupMember works!

Regards,

Kévin.


Active Directory groups are mapped only on the first access

Possebon (talkcontribs)

Hi all,

I've set up the LDAP stack; after some time and effort, I was able to make it authenticate successfully and have some group info mapped on MediaWiki.

The first user I tested was not a member of any AD group. I logged in to MediaWiki and the user was created in the MediaWiki database. After some troubleshooting, I found out that the user was not a member of any groups, so I added it to a group.

When I go to Special pages and check the privileges of the user, it has none.

I did another test: I created a new user on Active Directory, but this user as a member of a group, and did a login on MediaWiki. The user logged in successfully, and checking the privileges, the user has the groups mapped as set on LDAPProvider.

Is this the way the extension works, I mean, it does not reflect changes to groups after the user is created?

Best regards,

Osnard (talkcontribs)

No, it should also revoke group membership. Can you please share the exact settings you have made?


LDAPGroups seems to break LDAPProvider

Artim1996 (talkcontribs)

I've set up LDAPProvider successfully without any problems. But once I activate LDAPGroups, it gives me the error:

Original exception: [85942cc925c78b2bb06ab606] /index.php/Hauptseite MediaWiki\Extension\LDAPProvider\LDAPNoDomainConfigException from line 60 of /var/www/mediawiki/extensions/LDAPProvider/src/DomainConfigFactory.php: No configuration available for domain 'domain'!

Now I can replace "LDAP" in the ldapprovider.json with the domain that's also actually in the table mediawikildap_domains, but that only changes the error to:

[a3278aaca2ec924fb8299178] /index.php/Hauptseite TypeError from line 47 of /var/www/mediawiki/includes/config/HashConfig.php: Argument 1 passed to HashConfig::__construct() must be of the type array, null given, called in /var/www/mediawiki/extensions/LDAPProvider/src/DomainConfigFactory.php on line 74

I already tested if the config added to ldapprovider.json makes any trouble, but everything loads fine as long as LDAPGroups is disabled. Now what am I doing wrong?


excerpt from LocalSettings.php:

# LDAP authentication
wfLoadExtension( 'LDAPProvider' );
$LDAPProviderDomainConfigs = "/var/www/mediawiki/ldapprovider.json";
wfLoadExtension( 'PluggableAuth' );
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_ButtonLabel = "Anmelden";
wfLoadExtension( 'LDAPAuthentication2' );
$LDAPAuthentication2UsernameNormalizer = 'strtolower';
wfLoadExtension( 'LDAPGroups' );

excerpt from the ldapprovider.json where I added the config:

"groupsync": {
  "mechanism": "mappedgroups",
  "mapping": {
    "sysop": "cn=sudoers,ou=groups,dc=domain,dc=de"
  }
}

LDAP Group Sync

PKvin (talkcontribs)

Hello, I am a newbie in MediaWiki and I am setting up LDAP. I managed to connect the Active Directory database with MediaWiki and it works perfectly. However, I still can't sync AD groups with MediaWiki groups.

My goal is that only users from the bureaucrat and sysop groups can edit the wiki. Others can only read.

Do you know how to do it? Here is my ldap.json:


{
  "xbeta.local": {
    "connection": {
      "server": "172.45.0.1",
      "port": "3268",
      "user": "CN=svc_wiki,OU=Cmpt_Serveurs,DC=xbeta,DC=local",
      "pass": "//masked",
      "enctype": "clear",
      "options": {
        "LDAP_OPT_DEREF": 1
      },
      "basedn": "dc=xbeta,dc=local",
      "userbasedn": "dc=xbeta,dc=local",
      "groupbasedn": "dc=xbeta,dc=local",
      "searchattribute": "samaccountname",
      "usernameattribute": "samaccountname",
      "realnameattribute": "cn",
      "emailattribute": "mail",
      "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
      "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]
    },
    "userinfo": [],
    "authorization": [],
    "groupsync": {
      "mapping": {
        "sysop": "OU=Architecture,OU=DSI,DC=xbeta,DC=local",
        "bureaucrat": "OU=Support,OU=DSI,DC=xbeta,DC=local"
      }
    }
  }
}

And a part of my LocalSettings.php:

// Create Wiki-Group 'engineering' from default user group
$wgGroupPermissions['engineering'] = $wgGroupPermissions['user'];

// Private Wiki. External LDAP login. Default NS requires login.
$wgEmailConfirmToEdit = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = true;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['sysop']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgBlockDisablesLogin = true;

// Load LDAP Config from JSON
$ldapJsonFile = "$IP/ldap.json";
$ldapConfig = false;
if (is_file($ldapJsonFile) && is_dir("$IP/extensions/LDAPProvider")) {
  $testJson = @json_decode(file_get_contents($ldapJsonFile),true);
  if (is_array($testJson)) {
    $ldapConfig = true;
  } else {
    error_log("Found invalid JSON in file: $IP/ldap.json");
  }
}

// Activate Extension
if ( $ldapConfig ) {
  wfLoadExtension( 'PluggableAuth' );
  wfLoadExtension( 'LDAPProvider' );
  wfLoadExtension( 'LDAPAuthentication2' );
  wfLoadExtension( 'LDAPAuthorization' );
  wfLoadExtension( 'LDAPUserInfo' );
  wfLoadExtension( 'LDAPGroups' );
  $LDAPProviderDomainConfigs = $ldapJsonFile;
  $wgPluggableAuth_ButtonLabel = "Log in";
  // Force LDAPGroups to sync by choosing a domain ( e.g. first JSON object in ldap.json )
  $LDAPProviderDefaultDomain = "xbeta.local";
  if ($wikiRequestSafe) { $LDAPAuthentication2AllowLocalLogin = true; }
}

# End of automatically generated settings.
# Add more configuration options below.

Thanks a lot for your help!

Osnard (talkcontribs)

Looks good in general. Have you checked if the following CLI scripts work properly?

  • php extensions/LDAPProvider/maintenance/CheckLogin.php --domain xbeta.local --username <someusername>
  • php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain xbeta.local --username <someusername>
  • php extensions/LDAPProvider/maintenance/ShowGroups.php --domain xbeta.local --username <someusername>

LDAP AD Group "groupsync mapping" to mediawiki group user / administrators

Melters2022 (talkcontribs)

Hello!

I set up MediaWiki 1.35 LTS with an AD LDAP and it works fine so far.

Now I wanted to specify one AD group in my wiki with user rights and another AD group with administrator rights.

In my actual setup both specified AD groups "standard_wiki_users" and "standard_wiki_admins" have only user rights.

Maybe there is some mistake in my idea of setting this up... As I read, every user is by default in group "user", but how can I specify an AD group additionally for group "administrator"?

In LocalSettings.php I configured:

#Create Wiki-Group 'standard_wiki_users' from default user group
$wgGroupPermissions['standard_wiki_users'] = $wgGroupPermissions['user'];

#Load LDAP Config from JSON
$ldapJsonFile = "$IP/ldap.json";
$ldapConfig = false;
if (is_file($ldapJsonFile) && is_dir("$IP/extensions/LDAPProvider")) {
  $testJson = @json_decode(file_get_contents($ldapJsonFile),true);
  if (is_array($testJson)) {
    $ldapConfig = true;
  } else {
    error_log("Found invalid JSON in file: $IP/ldap.json");
  }
}


In ldap.json I configured:

...
    "authorization": {
      "rules": {
        "groups": {
          "required": [
            "cn=standard_wiki_users,ou=xyz,dc=test,dc=test,dc=com",
            "cn=admin_wiki_users,ou=xyz,dc=test,dc=test,dc=com"
          ]
        }
      }
    },
    "groupsync": {
      "mapping": {
        "user": "CN=standard_wiki_users,ou=xyz,dc=test,dc=test,dc=com",
        "administrator": "CN=admin_wiki_users,ou=xyz,dc=test,dc=test,dc=com"
      }
    }
  }
}


Thanks!


How to add groups in ldapprovider.json ?

2A01:E0A:8E2:5080:CC25:FC40:A18:E35 (talkcontribs)

I upgraded my wiki to 1.37.1, and in my previous wiki some content was accessible only if the user was in an LDAP group.

I set the LDAP configuration and it works fine, but I don't know how to add a group.

Any idea, please?

Osnard (talkcontribs)

Groupsync doesn't sync groups

Janduwe (talkcontribs)

Hello, I'm trying to sync user groups from my AD source with local groups in my wiki. I'm on MediaWiki 1.35. When logging in there are no user groups synced.

After reading several threads on this page, this is my output from ShowUserGroups.php:

Full DNs:
       CN=BG Wiki Admins,OU=023 Software und Tools,OU=02 Benutzergruppen,OU=Steinbeiss,DC=stzegs,DC=ads
       CN=BG IT Temp,OU=021 Abteilungen,OU=02 Benutzergruppen,OU=Steinbeiss,DC=stzegs,DC=ads
       CN=BG California.pro User,OU=023 Software und Tools,OU=02 Benutzergruppen,OU=Steinbeiss,DC=stzegs,DC=ads
       CN=FG Passwort-Zugriffsberechtigte,OU=044 Sonstige,OU=04 Freigabegruppen,OU=Steinbeiss,DC=stzegs,DC=ads
       CN=Temporäre Mitarbeiter,OU=_Sicherheitsgruppen_löschen_nach_AD_Abschluss,OU=Steinbeiss,DC=stzegs,DC=ads
       CN=V Schreiber,OU=LW-V,OU=04 Freigabegruppen,OU=Steinbeiss,DC=stzegs,DC=ads
Short names:
       bg wiki admins
       bg it temp
       bg california.pro user
       fg passwort-zugriffsberechtigte
       temporäre mitarbeiter
       v schreiber

My LocalSettings.php:

wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPGroups' );

$wgGroupPermissions['bg wiki admins']['read'] = true;
#$LDAPAuthentication2AllowLocalLogin = true;

$LDAPProviderDomainConfigProvider = function() {
	$config = [
		'LDAP' => [
			'connection' => [
				"server" => "removed",
				"user" => "cn=mrbs,ou=012 Servicezugänge, ou=01 Konten,ou=Steinbeiss,dc=stzegs,dc=ads",
				"pass" => "removed",
				"options" => [
					"LDAP_OPT_DEREF" => 1
				],
				//"basedn" => "ou=011 Benutzer,ou=01 Konten,ou=Steinbeiss,dc=stzegs,dc=ads",
				"basedn" => "ou=Steinbeiss,dc=stzegs,dc=ads",
				//"basedn" => "ou=",
				"grouprequest"=> "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
				"groupbasedn" => "ou=023 Software und Tools,ou=02 Benutzergruppen,ou=Steinbeiss,dc=stzegs,dc=ads",
				"userbasedn" => "ou=011 Benutzer,ou=01 Konten,ou=Steinbeiss,dc=stzegs,dc=ads",
				"searchattribute" => "samaccountname",
				"searchstring" => "STZEGS\\USER-NAME",
				"usernameattribute" => "samaccountname",
				"realnameattribute" => "cn",
				"emailattribute" => "mail"
			],
			'groupsync' => [
				"mechanism" => "mappedgroups",
				"mapping" => ["bg wiki admins" => "cn=BG Wiki Admins,ou=023 Software und Tools,ou=02 Benutzergruppen,ou=Steinbeiss,dc=stzegs,dc=ads"]
			]
		]
	];
	return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

Please tell me if I'm missing something important here.

Kind regards, Jan

Osnard (talkcontribs)
Janduwe (talkcontribs)

With enabled debug logging like this:

$LDAPProviderCacheType = CACHE_NONE;
$wgDebugLogGroups['PluggableAuth'] = "PluggableAuth.log";
$wgDebugLogGroups['LDAP'] = "LDAP.log";
$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] = "LDAPProvider.log";
$wgDebugLogGroups['LDAPGroups'] = "LDAPGroups.log";
$wgDebugLogGroups['LDAPAuthentication2'] = "LDAPAuthentication.log";

No log file for LDAPGroups shows up when I'm logging in or out with my account on the MediaWiki configuration I am using.

However my LDAP.log file shows that my user is within the group from the AD source:

    12 => 'usncreated',
    'memberof' =>
    array (
      'count' => 6,
      0 => 'CN=BG Wiki Admins,OU=023 Software und Tools,OU=02 Benutzergruppen,OU=Steinbeiss,DC=stzegs,DC=ads',
      1 => 'CN=BG IT Temp,OU=021 Abteilungen,OU=02 Benutzergruppen,OU=Steinbeiss,DC=stzegs,DC=ads',
      2 => 'CN=BG California.pro User,OU=023 Software und Tools,OU=02 Benutzergruppen,OU=Steinbeiss,DC=stzegs,DC=ads',
      3 => 'CN=FG Passwort-Zugriffsberechtigte,OU=044 Sonstige,OU=04 Freigabegruppen,OU=Steinbeiss,DC=stzegs,DC=ads',
      4 => 'CN=Temporäre Mitarbeiter,OU=_Sicherheitsgruppen_löschen_nach_AD_Abschluss,OU=Steinbeiss,DC=stzegs,DC=ads',
      5 => 'CN=V Schreiber,OU=LW-V,OU=04 Freigabegruppen,OU=Steinbeiss,DC=stzegs,DC=ads',

I also get a logging file from LDAPProvider and PluggableAuth but I could find no errors related to my issue. Is there anything specific I should be looking for?

I have also run update.php multiple times if that matters and logging in/out works just fine.

Osnard (talkcontribs)

If you don't have entries in `LDAPGroups.log`, this means the code is not even invoked. Can you please try to set `$LDAPProviderDefaultDomain = "LDAP";`?

Janduwe (talkcontribs)

Sorry for the late reply, this worked.

Thank you very much for your help.


Look up non-DN attribute as synced group name

DavidPape (talkcontribs)

Hi,

Is it possible to use an attribute which is not part of the DN as the name of a group? My group DNs look something like this:

GroupUID=1234,ou=groups,ou=myou,o=myo,dc=de

This results in a short name (as shown by ShowUserGroups.php) of "1234". The attribute which holds the name that I would like to use instead, is cn.

If I use mappedgroups to sync the groups and manually map the names to the DNs, they are correctly added to the wiki. However, if I use allgroups, they're not. As I understand, this is due to the fact that only groups mentioned in e.g. wgGroupPermissions are added. Obviously I use the groups' cns, not the GroupUIDs in those settings. Can this be done?

Our current wiki, which still uses the old LDAP stack, has this setting, which works fine: $wgLDAPGroupNameAttribute = array('ldap1' => "cn");

Here is my current ldapprovider.json:

{
  "MyDomain": {
    "connection": {
      "server": "ldap.mydomain.de",
      "port": 389,
      "options": {
        "LDAP_OPT_DEREF": 1
      },
      "basedn": "ou=myou,o=myo,dc=de",
      "groupbasedn": "ou=groups,ou=myou,o=myo,dc=de",
      "userbasedn": "ou=users,ou=myou,o=myo,dc=de",
      "searchattribute": "uid",
      "usernameattribute": "uid",
      "realnameattribute": "displayName",
      "emailattribute": "mail",
      "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\Configurable::factory",
      "groupobjectclass": "groupOfNames"
    },
    "groupsync": {
      "mechanism": "allgroups"
    }
  }
}

MediaWiki and the LDAP stack are relatively up to date on the REL1_35 branches.

Thanks in advance!


Update: I tried using the GroupUID in a group permission and that works with the allgroups mechanism. So the question boils down to "How can I use a different attribute as the name of the group?".
