
LDAP

    • This page is first draft

/etc/ldapprovider.json — this file holds the LDAP bind credentials ("user"/"pass") in clear text. Keep it outside the web root and readable only by the web server's user (e.g. owned by root with the web server's group, mode 0640); never commit it to version control.

ldapprovider.json

{
	"DOMAIN OF CUSTOMER": {
		"connection": {
			"server": "",
			"user": "",
			"pass": "",
			"basedn": "",
			"userbasedn": "",
			"groupbasedn": "",
			"searchattribute": "samaccountname",
			"usernameattribute": "samaccountname",
			"realnameattribute": "displayname",
			"emailattribute": "mail",
			"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory",
			"nestedgroups": true
		},
		"authorization": {
			"rules": {
				"groups": {
					"required": [ "" ]
				}
			}
		},
		"userinfo": {
			"attributes-map": {
				"email": "mail",
				"realname": "displayname"
			}
		},
		"groupsync": {
			"mechanism": "allgroups"
		}
	}
}

090-LDAP.php

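// Load the LDAP login stack. Extension names are the plain directory names
// under extensions/ — the "Manual:Extension/" prefix seen in some copies of
// this page is a wiki link-rewrite artefact, not part of the name.
wfLoadExtensions( [
	'Auth_remoteuser',     // only needed if SingleSignOn (REMOTE_USER set by the web server) is used
	'LDAPProvider',        // connection/domain definitions, see $LDAPProviderDomainConfigs
	'LDAPAuthentication2', // NOT 'Manual:Extension/LDAPAuthentication2'
	'LDAPAuthorization',
	'LDAPGroups',
	'LDAPUserInfo',
	'PluggableAuth'
] );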

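// Domain definitions (server, bind user/password, base DNs, attribute map).
// The file contains the bind password in clear text: keep it outside the web
// root and readable only by the web server's user.
$LDAPProviderDomainConfigs = "/etc/ldapprovider.json";

// Disable wiki-local (database) password login once LDAP is active, so a
// local account cannot be used to sidestep directory authentication and the
// group rules in ldapprovider.json. (Variable names below are the plain
// extension settings; the "Manual:Extension/" prefix seen in some copies of
// this page is a wiki link-rewrite artefact and is not valid PHP.)
$LDAPAuthentication2AllowLocalLogin = false;
// Normalise the login name so differently-cased logins map to one wiki account.
$LDAPAuthentication2UsernameNormalizer = 'strtolower';

// Cache directory lookups for 300 s; use CACHE_NONE if no memcached is installed.
$LDAPProviderCacheTime = 300;
$LDAPProviderCacheType = CACHE_MEMCACHED;

// How $_SERVER['REMOTE_USER'] is split into user and domain. Remove this line
// if your REMOTE_USER looks like "domain\user"; in that case also apply
// step 2 in $wgAuthRemoteuserUserName below.
$LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain';

// BlueSpice permission config — presumably grants the right needed to
// auto-create wiki accounts on first LDAP login (verify against your BlueSpice version).
$bsgPermissionConfig['autocreateaccount'] = [ 'type' => 'global', "roles" => [ 'autocreateaccount' ] ];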

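/**
 * Resolve the remote user name for Auth_remoteuser.
 *
 * Normal path: the web server has authenticated the request (SSO) and put the
 * principal into $_SERVER['REMOTE_USER']; that value is returned unchanged.
 *
 * Fallback: requests that arrive from the IPv4 loopback interface without a
 * REMOTE_USER (Parsoid / PhantomJS calls) take the user name from a cookie.
 *
 * SECURITY: the cookie is client-controlled. Any request that reaches PHP with
 * a 127.x source address can therefore pick an arbitrary user name. Only keep
 * this fallback if real client traffic can never appear to come from loopback
 * (no reverse proxy / load balancer on the same host in front of PHP, or
 * trusted-proxy handling that restores the real client address). Otherwise
 * remove the loopback branch entirely.
 *
 * Returns the user name as a string, or '' when no user can be determined.
 */
$wgAuthRemoteuserUserName = function() {
	global $wgDBname;

	$user = '';
	if ( isset( $_SERVER['REMOTE_USER'] ) && is_string( $_SERVER['REMOTE_USER'] ) ) {
		$user = $_SERVER['REMOTE_USER'];
	}
	if ( $user !== '' ) {
		return $user;
	}

	// Loopback bypass for Parsoid / PhantomJS calls (IPv4 loopback only; ::1 is not matched).
	$remoteAddr = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
	if ( !is_string( $remoteAddr ) || substr( $remoteAddr, 0, 4 ) !== '127.' ) {
		return '';
	}

	// Check the 304f3058RemoteToken name of your cookies in your browser!
	$cookieName = $wgDBname . '304f3058RemoteToken';
	$token = isset( $_COOKIE[$cookieName] ) ? $_COOKIE[$cookieName] : '';

	// Accept only a plain account name. An embedded '@' or '\' would be
	// ambiguous for the 'username-at-domain' parser configured above, and
	// whitespace / control characters are never part of a valid login.
	if ( !is_string( $token ) || $token === ''
		|| preg_match( '/[@\\\\\s\x00-\x1f\x7f]/', $token ) === 1
	) {
		return '';
	}

	// Step 2: if REMOTE_USER is "domain\user" style, return 'DOMAIN OF CUSTOMER\\' . $token instead.
	return $token . '@DOMAIN OF CUSTOMER';
};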
Note: the 304f3058 part of the cookie name has been observed to change (it should not, but we have seen it), so verify the actual cookie name in your browser. $wgDBname is set in your LocalSettings.php. Security: the loopback bypass above takes the user name from a client-supplied cookie and trusts it solely because the request's REMOTE_ADDR starts with "127.". If a reverse proxy or load balancer on the same host terminates client connections, every client request will appear to come from loopback and could set that cookie to an arbitrary user name. Only keep the bypass when genuine local calls (Parsoid/PhantomJS) are the only traffic that can reach PHP from 127.x, or when trusted-proxy handling restores the real client address; otherwise remove it.
