Howdy!
I have MediaWiki 1.6.8 set up with authentication to LDAP - this is behaving as advertised. I would now like to set it up so that only members of a specific group have access to editing the pages, though anyone can view them.
I can send the config file or relevant bits if you think it will help - or do I need to do something different?
r
You need to query the directory for the "group" information, then add that group to the user's list of groups (can be any string).
To add to the group, either use:
    $wgUser->addGroup($groupname);
or you can use direct SQL (INSERT ... SELECT, since the user id comes from a subquery):
    INSERT INTO user_groups (ug_user, ug_group)
    SELECT user_id, 'groupname' FROM user WHERE user_name = 'MHart';
Then use $wgGroupPermissions['groupname']['edit'] = true; or whatever in LocalSettings.php.
- MHart
----- Original Message ----- From: "Ron Hall" ron.hall@mcgill.ca To: "MediaWiki announcements and site admin list" mediawiki-l@Wikimedia.org Sent: Monday, September 25, 2006 9:42 AM Subject: [Mediawiki-l] MediaWiki, LDAP Authentication and AD groups
_______________________________________________ MediaWiki-l mailing list MediaWiki-l@Wikimedia.org http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
OK - but how does this work vis-a-vis AD authentication and groups?
If I include the following in the LocalSettings file it does not work:
    $wgLDAPRequiredGroups = array( "McGill"=>array("cn=043-NCS ES LMS Wiki Editors,ou=Admin_Unit Groups,ou=Network & Communications Services,OU=University Administration,dc=campus,dc=mcgill,dc=ca") );
    $wgLDAPGroupUseFullDN = array( "McGill"=>true );
    $wgLDAPGroupObjectclass = array( "McGill"=>"group" );
    $wgLDAPGroupAttribute = array( "McGill"=>"member" );
    $wgLDAPGroupSearchNestedGroups = array( "McGill"=>false );
    $wgLDAPBaseDNs = array( "McGill"=>"dc=campus,dc=mcgill,dc=ca" );
Removing it I have authentication working fine, but no groups....
r
OK - but how does this work vis-a-vis AD authentication and groups?
Good question - I only know how to do that via my own auth scripts. I use MediaWiki's LDAP integration for sign in and registration, but I use my own LDAP scripts to retrieve other information.
Here's a script that will retrieve information about a user. In my scripts, I don't need to authorize to retrieve public information - all I need is the application ID given to me by the directory services. This script includes authentication at the end.
# Matt Hart - PHP-based authentication against the directory
# Tested on Fedora Core 4 with Apache 2.0.54, PHP 4.3.11, OpenLDAP, OpenSSL, php-ldap

echo "<br>Attempting Secure LDAP Connection<br>";
$mh_ldaphost = "ldaps://yourdirectoryhost.com:636";
$mh_ldapconn = ldap_connect($mh_ldaphost) or die ("Failed");
# Most directories (Active Directory included) require LDAPv3; PHP defaults to v2.
ldap_set_option($mh_ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
echo "<br>Succeeded ... Testing app binding<br>";

# Bind using app credentials
$mh_appid = "XXXXXXX";                                  // ****** Use your application id
$mh_dn = "uid=" . $mh_appid . ",ou=theApps,o=dirIntuit.com";
# No password is passed, so this is an unauthenticated bind (servers treat it as
# anonymous); the directory must permit it for the search below to succeed.
$mh_bind = ldap_bind($mh_ldapconn, $mh_dn) or die("Failed");
echo "<br>Succeeded ... Get user corp ID<br>";

# Get the user's corporate ID
$mh_base = "ou=employees,ou=people,o=dirIntuit.com";
$mh_userid = "XXXXXXXX";                                // ****** User ID to find
# If $mh_userid ever comes from a form, escape \ * ( ) and NUL before building the
# filter (ldap_escape() in PHP >= 5.6), or the caller can inject filter terms.
$mh_filter = "(uid=" . $mh_userid . ")";
$mh_search = ldap_search($mh_ldapconn, $mh_base, $mh_filter) or die ("Failed");
$mh_entries = ldap_get_entries($mh_ldapconn, $mh_search);
# Insist on exactly one hit before trusting the attribute
if ($mh_entries["count"] != 1) die("Failed: expected one entry, got " . $mh_entries["count"]);
$mh_corpid = $mh_entries[0]["intuitid"][0];
echo "<br>Succeeded: CorpID=" . $mh_corpid;

# Authenticate the user by binding with the user's own DN and password
echo "<br><br>Authenticating...<br>";
$mh_authdn = "intuitcorpid=" . $mh_corpid . ",ou=employees,ou=people,o=intuit.com";
$mh_authpass = "XXXXXXXX";                              // ****** User password
$mh_authbind = ldap_bind($mh_ldapconn, $mh_authdn, $mh_authpass) or die("Failed");
die("Success");
- MHart
Hi Ron,
For edit restrictions you need to make your own group within your wiki.
In LocalSettings.php you need to have
    $wgGroupPermissions['*']['edit'] = false;
    $wgGroupPermissions['user']['edit'] = false;
    $wgGroupPermissions['AnyGroupName']['edit'] = true;
You now need to manually assign AnyGroupName to the users who are allowed to edit.
---------
If you already check the group in your LDAP (look into the documentation of the LDAP extension), then only users of that LDAP group can log in in the first place. So you do not need another group in your wiki.
    $wgGroupPermissions['*']['edit'] = false;
    $wgGroupPermissions['user']['edit'] = true;
regards Gunter
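The two halves of what this thread is after, as an added example (not code from the thread, from MediaWiki or from the LdapAuthentication extension): resolving a login to a DN with a properly escaped filter, testing membership of an AD-style group whose "member" attribute holds full DNs (the $wgLDAPGroupUseFullDN / $wgLDAPGroupAttribute case above), with and without following nested groups, and then evaluating a $wgGroupPermissions table the way MediaWiki does (a right is granted if any of the user's groups grants it). It is written in Python because the logic is directory-side rather than MediaWiki API; the directory is a constructed in-memory stand-in, every DN, user and group name in it is made up, the "wikieditor" wiki group is hypothetical, and DN normalisation is simplified (case and RDN whitespace only, no escaped commas).

```python
import re
from collections import deque

# Constructed stand-in for an AD-style directory: DN -> attributes (values are lists,
# as an LDAP client returns them). Every DN, user and group name here is made up.
BASE_DN = "DC=campus,DC=example,DC=ca"
EDITORS_GROUP = "CN=Wiki Editors,OU=Groups," + BASE_DN
ADMINS_GROUP = "CN=Wiki Admins,OU=Groups," + BASE_DN
DIRECTORY = {
    "CN=rhall,OU=Staff," + BASE_DN: {"objectclass": ["user"], "samaccountname": ["rhall"]},
    "CN=mhart,OU=Staff," + BASE_DN: {"objectclass": ["user"], "samaccountname": ["mhart"]},
    "CN=jdoe,OU=Staff," + BASE_DN: {"objectclass": ["user"], "samaccountname": ["jdoe"]},
    EDITORS_GROUP: {"objectclass": ["group"],
                    "member": ["CN=rhall,OU=Staff," + BASE_DN, ADMINS_GROUP]},
    # Admins also lists Editors as a member: a cycle the nested walk must survive.
    ADMINS_GROUP: {"objectclass": ["group"],
                   "member": ["CN=mhart,OU=Staff," + BASE_DN, EDITORS_GROUP]},
}

def norm_dn(dn):
    """Simplified DN normalisation: case and RDN whitespace only (no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

INDEX = {norm_dn(dn): attrs for dn, attrs in DIRECTORY.items()}

def ldap_filter_escape(value):
    """Escape a value for use inside a search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def search(base_dn, flt):
    """Tiny matcher for a single '(attr=value)' filter. An unescaped '*' is a wildcard,
    an escaped '\\2a' is a literal asterisk, exactly as a real server reads it.
    Returns the DNs under base_dn whose attribute matches."""
    attr, raw = flt[1:-1].split("=", 1)
    unescape = lambda s: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    pattern = re.compile("^" + ".*".join(re.escape(unescape(p).lower()) for p in raw.split("*")) + "$")
    base = norm_dn(base_dn)
    return [dn for dn, attrs in DIRECTORY.items()
            if norm_dn(dn).endswith(base)
            and any(pattern.match(v.lower()) for v in attrs.get(attr.lower(), []))]

def find_user_dn(login):
    """Resolve a login name to its DN. The login is escaped, so it can only match
    literally; an ambiguous or absent result yields None (treated as not logged in)."""
    hits = search(BASE_DN, "(sAMAccountName=%s)" % ldap_filter_escape(login))
    return hits[0] if len(hits) == 1 else None

def is_member(user_dn, group_dn, nested=False):
    """True if user_dn appears in group_dn's 'member' attribute (full DNs, as in AD).
    With nested=True, groups that are themselves members are followed too; the
    visited set guards against membership cycles."""
    target, seen, queue = norm_dn(user_dn), set(), deque([norm_dn(group_dn)])
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        attrs = INDEX.get(g)
        if attrs is None or "group" not in attrs.get("objectclass", []):
            continue
        for m in attrs.get("member", []):
            m = norm_dn(m)
            if m == target:
                return True
            if nested:
                queue.append(m)
    return False

# $wgGroupPermissions as MediaWiki applies it: a right is granted if any group the user
# is in grants it. '*' is everyone, 'user' any logged-in account, 'wikieditor' is the
# hypothetical wiki group the LDAP group is mapped to.
WG_GROUP_PERMISSIONS = {
    "*":          {"read": True, "edit": False},
    "user":       {"edit": False},
    "wikieditor": {"edit": True},
}

def wiki_groups_for(login, nested=False):
    groups = ["*"]
    dn = find_user_dn(login)
    if dn is None:
        return groups                       # unknown login: anonymous only
    groups.append("user")
    if is_member(dn, EDITORS_GROUP, nested):
        groups.append("wikieditor")         # what $wgUser->addGroup() would record
    return groups

def is_allowed(groups, right):
    return any(WG_GROUP_PERMISSIONS.get(g, {}).get(right, False) for g in groups)

if __name__ == "__main__":
    for login in ("rhall", "mhart", "jdoe", "*)(sAMAccountName=*"):
        g = wiki_groups_for(login, nested=True)
        print("%-22s groups=%-30s read=%s edit=%s" % (login, g, is_allowed(g, "read"), is_allowed(g, "edit")))
```

With nested=False only rhall (a direct member) gets edit rights; with nested=True mhart also qualifies through Wiki Admins, and the Editors/Admins cycle terminates because visited groups are not re-expanded. The injection-shaped login is neutralised by the escaping, so it resolves to no DN and falls back to the anonymous group set.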