Jump to content

Topic on Extension talk:LDAPAuthorization

LDAP group authorization

5 comments • 12:41, 11 February 2022 2 years ago
5
93.229.78.177 (talkcontribs)

Im currently running into some issues trying to set up my ldapprovider.json config.

The mediawiki works with pure LDAP - everyone can login and it works. Now i want only a certain LDAP Group to login and i cant get my head around it...

My ldapprovider.json:

<code>

  1 {

  2     "intern.goetel.de": {

  3             "connection": {

  4                     "server": "our-dc-controller",

  5                     "user": "ldap-user",

  6                     "pass": "password",

  7                     "options": {

  8                             "LDAP_OPT_DEREF": 1

  9                     },

10                     "basedn": "ou=container, dc=domain,dc=tld",

11                     "groupbasedn": "dc=domain,dc=tld",

12                     "userbasedn": "dc=domain,dc=tld",

13                     "searchattribute": "samaccountname",

14                     "usernameattribute": "samaccountname",

15                     "realnameattribute": "cn",

16                     "emailattribute": "mail",

17                     "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory"

18             },

19             "authorization": {

20                     "rules": {

21                             "groups": {

22                                     "required": ["CN=groupname,OU=OUname,OU=OUname,DC=goetel,DC=de"]

23                             }

24                     }

25             }

26     }

27 }

</code>

I don´t get any errors. Everyone can still login, doesn´t matter if they´re in that Group or not...


Can someone help me in this?

Reply 18:17, 9 February 2022 2 years ago
Osnard (talkcontribs)

This looks just right. Can you confirm that php extensions/LDAPProvider/maintenance/ShowUserGroups.php ... does not list "CN=groupname,OU=OUname,OU=OUname,DC=goetel,DC=de". Can you confirm Extension:LDAPAuthorization to be properly enabled?

Reply 07:40, 10 February 2022 2 years ago
93.229.78.177 (talkcontribs)

I tested it with 2 Accounts - user1 should login, user2 should not. "php ..." from user1 shows the group, from user2 is doesnt


LDAPAuthorization isnt installed, we got LDAPAuthentication2 and LDAPProvider running. Do i just need to install LDAPAuthorization on the wiki?

Reply 12:58, 10 February 2022 2 years ago
Osnard (talkcontribs)
Reply 14:09, 10 February 2022 2 years ago
2A03:6880:1:309:6189:A5C1:16D7:4954 (talkcontribs)

Now it works flawless, didnßt know i need another Extension...

Thank your for your help!

Reply 12:41, 11 February 2022 2 years ago
Reply to "LDAP group authorization"
Retrieved from "https://www.mediawiki.org/wiki/Topic:Wppr7hra4x37htm6"