Is there a way to only allow members of certain groups to log on, or to only allow members of one or more groups to edit certain pages?
Both! See:
http://www.mediawiki.org/wiki/Ldap#Group_based_restrictions_.28NEW.29
http://www.mediawiki.org/wiki/Ldap#Group_synchronization
V/r,
Ryan Lane
On Mon, Nov 17, 2008 at 05:04:04PM -0600, Lane, Ryan wrote:
>> Is there a way to only allow members of certain groups to log on, or to only allow members of one or more groups to edit certain pages?
> Both! See:
> http://www.mediawiki.org/wiki/Ldap#Group_based_restrictions_.28NEW.29
When I try to log in as a user not in a specified group, I get "Login error: Incorrect password entered. Please try again." That will cause all sorts of problems... how do I make it say, "You are not in an authorized group" or something similar?
> On Mon, Nov 17, 2008 at 05:04:04PM -0600, Lane, Ryan wrote:
>>> Is there a way to only allow members of certain groups to log on, or to only allow members of one or more groups to edit certain pages?
>> Both! See:
>> http://www.mediawiki.org/wiki/Ldap#Group_based_restrictions_.28NEW.29
> When I try to log in as a user not in a specified group, I get "Login error: Incorrect password entered. Please try again." That will cause all sorts of problems... how do I make it say, "You are not in an authorized group" or something similar?
This isn't currently possible, because authentication extensions can't pass messages back to the login form.
I've been thinking about tackling this problem for a while, but other things have been higher priority. I'll put this onto my todo list.
Of course, you don't necessarily need to deny login access; you could synchronize the groups, and only allow read and/or write access based upon groups. You can do this by taking all privileges away from "user" and assigning them to groups that you manage.
V/r,
Ryan Lane
On Mon, Nov 17, 2008 at 05:04:04PM -0600, Lane, Ryan wrote:
>> Is there a way to only allow members of certain groups to log on, or to only allow members of one or more groups to edit certain pages?
> Both! See:
> http://www.mediawiki.org/wiki/Ldap#Group_based_restrictions_.28NEW.29
Also:
Starting with a setup that does work, just authenticating any AD user, I added:
$wgLDAPRequiredGroups = array( "AD_DOMAIN" => array(
    "cn=QA Employees,ou=Security Groups,dc=domain,dc=com",
    "cn=Engineering Employees,ou=Security Groups,dc=domain,dc=com",
    "cn=Customer Care Employees,ou=Security Groups,dc=domain,dc=com"
) );
$wgLDAPGroupBaseDNs = array( "AD_DOMAIN"=>"ou=Security Groups,dc=domain,dc=com" );
$wgLDAPUserBaseDNs = array( "AD_DOMAIN"=>"ou=Domain Users,dc=domain,dc=com" );
I added myself to the QA Employees group to test, and could not log on. The output I got:
Entering validDomain
User is using a valid domain.
Setting domain as: AD_DOMAIN
Entering getCanonicalName
Username isn't empty.
Munged username: Joliver
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://10.0.0.2
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: AD_DOMAIN\Joliver
Binding as the user
Bound successfully
Entering getUserDN
Created a regular filter: (sAMAccountName=Joliver)
Entering getBaseDN
basedn is ou=Domain Users,dc=domain,dc=com
Using base: ou=Domain Users,dc=domain,dc=com
Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
Pulled the user's DN:
Checking for (new style) group membership
Entering isMemberOfRequiredLdapGroup
Required groups:cn=qa employees,ou=security groups,dc=domain,dc=com,cn=engineering employees,ou=security groups,dc=domain,dc=com,cn=customer care employees,ou=security groups,dc=domain,dc=com
Entering getUserGroups
Entering getGroups
Entering getBaseDN
basedn is ou=Security Groups,dc=domain,dc=com
Search string: (&(=Joliver)(objectclass=))
No entries returned from search.
Couldn't find the user in any groups (1).
Entering strict.
Returning true in strict().
Entering modifyUITemplate
I think this may be because my user isn't in Domain Users... it's in another folder called "IT". So, I tried:
$wgLDAPUserBaseDNs = array( "AD_DOMAIN" => array(
    "ou=Domain Users,dc=domain,dc=com",
    "ou=IT,dc=domain,dc=com"
) );
and now I still get the incorrect password error, and the debug message says:
Entering getBaseDN
basedn is Array
Using base: Array
I'm not sure if it's just saying that the BaseDN *is* an array, or if it's reading the literal string, "Array".
Also, I noticed that the debug says:
Pulled the user's DN:
Googling around has found examples where that is populated, like:
Pulled the user's DN: CN=John Doe,OU=Users,OU=Administrators,DC=domainname,DC=com
A couple things:
> Created a regular filter: (sAMAccountName=Joliver)
> Entering getBaseDN
> basedn is ou=Domain Users,dc=domain,dc=com
> Using base: ou=Domain Users,dc=domain,dc=com
> Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
> Pulled the user's DN:
It didn't pull the user's DN. You mention the reason for this below...
> Checking for (new style) group membership
> Entering isMemberOfRequiredLdapGroup
> Required groups:cn=qa employees,ou=security groups,dc=domain,dc=com,cn=engineering employees,ou=security groups,dc=domain,dc=com,cn=customer care employees,ou=security groups,dc=domain,dc=com
> Entering getUserGroups
> Entering getGroups
> Entering getBaseDN
> basedn is ou=Security Groups,dc=domain,dc=com
> Search string: (&(=Joliver)(objectclass=))
This should say: Search string: (&(member=Joliver)(objectclass=group)). You should have all of the following options set:
$wgLDAPGroupUseFullDN = array( "AD_DOMAIN"=>true );
$wgLDAPGroupObjectclass = array( "AD_DOMAIN"=>"group" );
$wgLDAPGroupAttribute = array( "AD_DOMAIN"=>"member" );
$wgLDAPGroupNameAttribute = array( "AD_DOMAIN"=>"cn" );
$wgLDAPSearchAttributes = array( "AD_DOMAIN"=>"sAMAccountName" );
> I think this may be because my user isn't in Domain Users... it's in another folder called "IT". So, I tried:
> $wgLDAPUserBaseDNs = array( "AD_DOMAIN" => array(
>     "ou=Domain Users,dc=domain,dc=com",
>     "ou=IT,dc=domain,dc=com"
> ) );
> and now I still get the incorrect password error, and the debug message says:
> Entering getBaseDN
> basedn is Array
> Using base: Array
> I'm not sure if it's just saying that the BaseDN *is* an array, or if it's reading the literal string, "Array".
You can only set one base dn. You need to set this to:
$wgLDAPUserBaseDNs = array( "AD_DOMAIN" => "dc=domain,dc=com" );
There is a practical reason to have all user accounts under a single OU (or a set of OUs under a single OU). This is one of those reasons. In AD land, there are other practical reasons including a sane group policy.
> Also, I noticed that the debug says:
> Pulled the user's DN:
> Googling around has found examples where that is populated, like:
> Pulled the user's DN: CN=John Doe,OU=Users,OU=Administrators,DC=domainname,DC=com
Yep. That's what it *should* look like.
So, all of this said... The next version of the plugin will have memberOf support, and will have an option to auto-configure all of the annoying settings depending on schema type. It may or may not be out soon depending on my level of laziness.
V/r,
Ryan Lane
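To make the two fixes above concrete (the group search string built from $wgLDAPGroupAttribute / $wgLDAPGroupObjectclass, and the single user base DN that must actually contain the user), here is an added Python model of the group check; it is not the LDAP Authentication extension's own code, the directory entries are constructed sample data, and it assumes the extension searches with the user's full DN when $wgLDAPGroupUseFullDN is set and with the bare username otherwise.

```python
# Added example, not the extension's code; DIRECTORY is constructed sample data.
DIRECTORY = {
    "cn=joliver,ou=it,dc=domain,dc=com": {
        "objectclass": "user", "samaccountname": "Joliver"},
    "cn=qa employees,ou=security groups,dc=domain,dc=com": {
        "objectclass": "group", "member": ["cn=joliver,ou=it,dc=domain,dc=com"]},
    "cn=engineering employees,ou=security groups,dc=domain,dc=com": {
        "objectclass": "group", "member": []},
}
REQUIRED_GROUPS = ["cn=QA Employees,ou=Security Groups,dc=domain,dc=com",
                   "cn=Engineering Employees,ou=Security Groups,dc=domain,dc=com"]

def in_subtree(dn, base):
    """DN comparison is case-insensitive; an entry outside the base is invisible."""
    return dn.lower().endswith(base.lower())

def get_user_dn(username, user_base_dn, search_attr):
    """Like getUserDN: search (search_attr=username) under the user base; '' if absent."""
    for dn, attrs in DIRECTORY.items():
        if in_subtree(dn, user_base_dn) and attrs.get(search_attr.lower()) == username:
            return dn
    return ""

def group_search_filter(cfg, username, user_dn):
    """The string the debug log prints as 'Search string: ...' (full DN assumed when GroupUseFullDN)."""
    subject = user_dn if cfg.get("GroupUseFullDN") else username
    return "(&(%s=%s)(objectclass=%s))" % (
        cfg.get("GroupAttribute", ""), subject, cfg.get("GroupObjectclass", ""))

def user_groups(cfg, username, user_dn):
    """Groups under the group base whose GroupAttribute lists the user."""
    subject = (user_dn if cfg.get("GroupUseFullDN") else username).lower()
    attr = cfg.get("GroupAttribute", "").lower()
    if not subject or not attr:
        return []  # an empty filter term matches nothing: "No entries returned from search."
    return [dn for dn, a in DIRECTORY.items() if in_subtree(dn, cfg["GroupBaseDN"])
            and a.get("objectclass") == cfg.get("GroupObjectclass")
            and subject in [m.lower() for m in a.get(attr, [])]]

def may_log_in(cfg, username):
    """isMemberOfRequiredLdapGroup: any group matches a required DN, case-insensitively."""
    user_dn = get_user_dn(username, cfg["UserBaseDN"], cfg.get("SearchAttribute", "sAMAccountName"))
    required = {g.lower() for g in REQUIRED_GROUPS}
    return any(g.lower() in required for g in user_groups(cfg, username, user_dn))

# The thread's original settings (BROKEN) and the same settings with Ryan's corrections (FIXED).
BROKEN = {"UserBaseDN": "ou=Domain Users,dc=domain,dc=com",
          "GroupBaseDN": "ou=Security Groups,dc=domain,dc=com"}
FIXED = dict(BROKEN, UserBaseDN="dc=domain,dc=com", GroupUseFullDN=True,
             GroupObjectclass="group", GroupAttribute="member", SearchAttribute="sAMAccountName")
```

With BROKEN the user DN comes back empty because the account lives under ou=IT, and the unset group attributes yield exactly the "(&(=Joliver)(objectclass=))" filter from the log; with FIXED the lookup finds the user, the filter becomes "(&(member=<user DN>)(objectclass=group))", and the QA Employees membership satisfies the required-group check.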
mediawiki-l@lists.wikimedia.org