[Mediawiki-l] LdapAuthentication Group Synchronization

Keith Bruss kbruss at smp-inc.com
Wed Jun 27 23:22:27 UTC 2007


Hi All,

 

I'm looking for some help with the LdapAuthentication extension,
specifically group synchronization and access controls based on the LDAP
group membership.  Here's a little info on my setup:

 

Gentoo Box with LAMP is running mediawiki:

* MediaWiki: 1.6.8
* PHP: 4.4.2-pl2-gentoo (apache2handler)
* MySQL: 4.1.14-log
* LDAP Authentication Plugin (version 1.1f (alpha)), LDAP Authentication plugin with support for multiple LDAP authentication methods, by Ryan Lane
  (the latest download on the website has version 1.1f alpha listed, however when you view this file, you'll notice the version defined is 1.1f (non-alpha) and the code is different from the 1.1f alpha)

 

This is connecting to a Windows 2003 Active Directory LDAP server hosted
on another machine.

 

Here is my config as it pertains to LDAP



require_once( "includes/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "SMP-INC" );
$wgLDAPServerNames = array( "SMP-INC"=>"frodo.smp-inc.com legolas.smp-inc.com" ); // space-separated server list
$wgLDAPSearchStrings = array( "SMP-INC"=>"SMP-INC\\USER-NAME" );
#$wgLDAPSearchStrings = array( "SMP-INC"=>"USER-NAME@SMP-INC.com" );
$wgLDAPUseSSL = false; //not recommended but OK for testing
$wgLDAPEncryptionType = array( "SMP-INC"=>'clear' ); // this is needed in >= 1.1c
$wgLDAPUseLocal = true; //allows mysql db driven auth (default Root user)
$wgMinimalPasswordLength = 1;
$wgLDAPRetrievePrefs = array( "SMP-INC"=>true ); // this is needed in >= 1.1c
$wgLDAPUpdateLDAP = array( "SMP-INC"=>false ); //disables mediawiki from updating LDAP
                                               //(boolean false: the string "false" is truthy in PHP and would NOT disable it)

$wgLDAPDebug = 3; //debugging

#GROUP BASED AUTH
$wgLDAPSearchAttributes = array( "SMP-INC"=>"sAMAccountName" );
$wgLDAPBaseDNs = array( "SMP-INC"=>"cn=users,dc=smp-inc,dc=com" );
$wgLDAPUseLDAPGroups = array( "SMP-INC"=>true );
$wgLDAPRequiredGroups = array(
        "SMP-INC"=>array(
                "cn=wiki-readonly,cn=users,dc=smp-inc,dc=com",
                "cn=wiki-readwrite,cn=users,dc=smp-inc,dc=com",
                "cn=wiki-sysops,cn=users,dc=smp-inc,dc=com"
                )
        );
$wgLDAPLowerCaseUsername = array( "SMP-INC"=>true );
$wgLDAPGroupUseFullDN = array( "SMP-INC"=>true );
$wgLDAPGroupObjectclass = array( "SMP-INC"=>"group" );
$wgLDAPGroupAttribute = array( "SMP-INC"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "SMP-INC"=>true );

 

# Prevent new user registrations except by sysops
$wgGroupPermissions['*']['createaccount'] = false;

# Disable reading by anonymous users
$wgGroupPermissions['*']['read'] = false;

# But allow them to read the Login Page, and JS/CSS pages
$wgWhitelistRead = array( "Special:Userlogin", "-", "MediaWiki:Monobook.css" );

$wgGroupPermissions['wiki-readonly']['move']             = false;
$wgGroupPermissions['wiki-readonly']['read']             = true;
$wgGroupPermissions['wiki-readonly']['edit']             = false;
$wgGroupPermissions['wiki-readonly']['createpage']       = false;
$wgGroupPermissions['wiki-readonly']['createtalk']       = false;
$wgGroupPermissions['wiki-readonly']['upload']           = false;
$wgGroupPermissions['wiki-readonly']['reupload']         = false;
$wgGroupPermissions['wiki-readonly']['reupload-shared']  = false;
$wgGroupPermissions['wiki-readonly']['minoredit']        = false;

$wgGroupPermissions['wiki-readwrite']['move']            = true;
$wgGroupPermissions['wiki-readwrite']['read']            = true;
$wgGroupPermissions['wiki-readwrite']['edit']            = true;
$wgGroupPermissions['wiki-readwrite']['createpage']      = true;
$wgGroupPermissions['wiki-readwrite']['createtalk']      = true;
$wgGroupPermissions['wiki-readwrite']['upload']          = true;
$wgGroupPermissions['wiki-readwrite']['reupload']        = true;
$wgGroupPermissions['wiki-readwrite']['reupload-shared'] = true;
$wgGroupPermissions['wiki-readwrite']['minoredit']       = true;

$wgGroupPermissions['wiki-sysops']['block']              = true;
$wgGroupPermissions['wiki-sysops']['createaccount']      = true;
$wgGroupPermissions['wiki-sysops']['delete']             = true;
$wgGroupPermissions['wiki-sysops']['deletedhistory']     = true;
$wgGroupPermissions['wiki-sysops']['editinterface']      = true;
$wgGroupPermissions['wiki-sysops']['import']             = true;
$wgGroupPermissions['wiki-sysops']['importupload']       = true;
$wgGroupPermissions['wiki-sysops']['move']               = true;
$wgGroupPermissions['wiki-sysops']['patrol']             = true;
$wgGroupPermissions['wiki-sysops']['protect']            = true;
$wgGroupPermissions['wiki-sysops']['rollback']           = true;
$wgGroupPermissions['wiki-sysops']['upload']             = true;
$wgGroupPermissions['wiki-sysops']['reupload']           = true;
$wgGroupPermissions['wiki-sysops']['reupload-shared']    = true;
$wgGroupPermissions['wiki-sysops']['unwatchedpages']     = true;
$wgGroupPermissions['wiki-sysops']['autoconfirmed']      = true;
$wgGroupPermissions['wiki-sysops']['userrights']         = true;

 

I created 3 Active Directory groups and a user for each group:

GROUP            USER
wiki-readonly    wiki-ro
wiki-readwrite   wiki-rw
wiki-sysops      wiki-user

 

I can successfully authenticate against LDAP groups as defined by
$wgLDAPRequiredGroups.  Users that are not in $wgLDAPRequiredGroups can
NOT log in.   So LDAP is working and group authentication is working.
It is my understanding that at this point I should be able to set
$wgGroupPermissions based on the Active Directory group name so long as
wiki/AD sync is setup as defined by $wgLDAPUseLDAPGroups.  With
debugging set to 3, I can log in as any of the 3 defined users, however
they all receive the same group memberships; users and *.

 

Entering validDomain
User is using a valid domain.
Setting domain as: SMP-INC
Entering getCanonicalName
Username isn't empty.
Munged username: Wiki-rw
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://frodo.smp-inc.com ldap://legolas.smp-inc.com
Connected successfully
Lowercasing the username: wiki-rw
Entering getSearchString
Doing a straight bind
userdn is: SMP-INC\wiki-rw
Binding as the user
Binded successfully
Entering getUserDN
Created a regular filter: (sAMAccountName=wiki-rw)
Using base: cn=users,dc=smp-inc,dc=com
Fetched username is not a string (check your hook code...).
Pulled the user's DN: CN=wiki-rw,CN=Users,DC=smp-inc,DC=com
Checking for (new style) group membership
Entering isMemberOfRequiredLdapGroup
Required groups:cn=wiki-readonly,cn=users,dc=smp-inc,dc=com,cn=wiki-readwrite,cn=users,dc=smp-inc,dc=com,cn=wiki-sysops,cn=users,dc=smp-inc,dc=com
Entering getUserGroups
Entering getGroups
Search string: (&(member=CN=wiki-rw,CN=Users,DC=smp-inc,DC=com)(objectclass=group))
Returned groups:cn=wiki-readwrite,cn=users,dc=smp-inc,dc=com
Returned groups:
Found user in a group.
Retrieving LDAP group membership
Entering getUserGroups
Entering getAllGroups
Entering getGroups
Search string: (&(member=\5c2a)(objectclass=group))
Returned groups:
Returned groups:
Retrieving preferences
Retrieved: , , wiki-rw, wiki-rw
Authentication passed
Entering updateUser
Setting user preferences.
Pulling groups from LDAP.
Available groups are: bot,sysop,bureaucrat,wiki-readonly,wiki-readwrite,wiki-sysops
Effective groups are: *,user
Checking to see if user is in: bot
Entering hasLDAPGroup
Checking to see if user is in: sysop
Entering hasLDAPGroup
Checking to see if user is in: bureaucrat
Entering hasLDAPGroup
Checking to see if user is in: wiki-readonly
Entering hasLDAPGroup
Checking to see if user is in: wiki-readwrite
Entering hasLDAPGroup
Checking to see if user is in: wiki-sysops
Entering hasLDAPGroup
Saving user settings.

 

You'll notice the line:  "Effective groups are: *,user".  Shouldn't this
show wiki-readwrite, since that's the AD group this user belongs to?  Or
does it not check the AD groups until it says "checking to see if user
is in: wiki-readwrite"?  Also, once the member is found in an AD group,
should the MySQL table "wikidb_user_groups" get an UPDATE statement
adding the userid to the AD group?

 

I've read a lot and looked for Ryan Lane on Freenode.  I think I'm
having similar problems as this guy, but I have the newer version:
http://www.mediawiki.org/wiki/Extension_talk:LDAP_Authentication/archive1#Group_Synchronization

 

Thanks,

 

Kbruss
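Added example, not part of Keith's post and not code from the LdapAuthentication extension: a stand-alone Python model of the two steps the debug log above walks through, building the "which groups list this user as a member" filter (with RFC 4515 escaping of the DN that goes into it) and then deciding which configured wiki groups an LDAP group list should map to. The DNs, required groups and "Available groups" list are constructed from the log; the full-DN-versus-cn comparison is this example's own model of the sync step, not a statement of how the 1.1f plugin implements it.

```python
"""Added example (not from the post above or from the LdapAuthentication
extension): RFC 4515 filter-value escaping and LDAP-group-to-wiki-group
mapping, run over DNs constructed from the debug log in the post."""
from __future__ import annotations

# RFC 4515 section 3: these characters must be hex-escaped inside a filter
# assertion value.  ',' and '=' are NOT special here, so a DN can appear
# unescaped in a filter unless it contains one of these five characters.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a raw value for safe inclusion in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def member_filter(user_dn: str, member_attr: str = "member",
                  group_objectclass: str = "group") -> str:
    """Build the 'which groups list this DN as a member' filter.

    Same shape as the filter printed in the debug log.  The DN is escaped
    exactly once, so a backslash inside it (e.g. an RDN value holding an
    escaped comma) cannot change the structure of the filter."""
    return (f"(&({member_attr}={escape_filter_value(user_dn)})"
            f"(objectclass={group_objectclass}))")

_HEX = set("0123456789abcdefABCDEF")

def split_rdns(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring RFC 4514
    backslash escapes ('\\,' and '\\2C' both yield a literal comma).
    Limitation: multi-byte UTF-8 hex escapes are decoded byte by byte."""
    rdns: list[str] = []
    cur: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1:i + 3]
            if len(nxt) == 2 and all(c in _HEX for c in nxt):
                cur.append(chr(int(nxt, 16)))   # \2C style hex pair
                i += 3
            else:
                cur.append(dn[i + 1])           # \, style single escape
                i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        attr, _, val = rdn.partition("=")
        pairs.append((attr.strip().lower(), val.strip()))
    return pairs

def group_cn(group_dn: str) -> str | None:
    """Return the cn of a group DN, or None if it has no cn RDN."""
    for attr, val in split_rdns(group_dn):
        if attr == "cn":
            return val
    return None

def in_required_group(user_ldap_groups, required_groups) -> bool:
    """The required-groups gate: any overlap, compared case-insensitively."""
    have = {g.lower() for g in user_ldap_groups}
    return any(r.lower() in have for r in required_groups)

def wiki_groups_for(user_ldap_groups, wiki_groups, use_full_dn: bool):
    """Which configured wiki groups should this user get?

    use_full_dn=True compares each wiki group name with the whole LDAP
    group DN; use_full_dn=False compares it with the group's cn only.
    This is the example's own model of the sync step (an assumption),
    not a description of the 1.1f plugin's code."""
    if use_full_dn:
        have = {g.lower() for g in user_ldap_groups}
    else:
        have = {cn.lower() for cn in map(group_cn, user_ldap_groups) if cn}
    return [w for w in wiki_groups if w.lower() in have]

# Constructed from the log: the DN pulled for wiki-rw, the one group the
# member search returned, and the wiki groups listed as "Available groups".
USER_DN = "CN=wiki-rw,CN=Users,DC=smp-inc,DC=com"
USER_LDAP_GROUPS = ["cn=wiki-readwrite,cn=users,dc=smp-inc,dc=com"]
REQUIRED_GROUPS = ["cn=wiki-readonly,cn=users,dc=smp-inc,dc=com",
                   "cn=wiki-readwrite,cn=users,dc=smp-inc,dc=com",
                   "cn=wiki-sysops,cn=users,dc=smp-inc,dc=com"]
WIKI_GROUPS = ["bot", "sysop", "bureaucrat",
               "wiki-readonly", "wiki-readwrite", "wiki-sysops"]

if __name__ == "__main__":
    print(member_filter(USER_DN))
    print("required-group gate:", in_required_group(USER_LDAP_GROUPS, REQUIRED_GROUPS))
    print("full-DN match:", wiki_groups_for(USER_LDAP_GROUPS, WIKI_GROUPS, True))
    print("cn match:     ", wiki_groups_for(USER_LDAP_GROUPS, WIKI_GROUPS, False))
    # Escaping an already-escaped wildcard yields the literal seen in the log.
    print("double-escaped wildcard:", escape_filter_value(r"\2a"))
```

Two things the run shows. First, with the log's single group DN, the required-groups gate passes, but matching full DNs against the short wiki group names (`wiki-readwrite` and friends) yields no wiki group at all, while matching on the cn yields `wiki-readwrite`; in this model that is one way to end up with "Effective groups are: *,user" even though the member search found the group, which is worth checking against what `$wgLDAPGroupUseFullDN` actually selects in 1.1f. Second, escaping the string `\2a` a second time produces `\5c2a`, the exact literal in the getAllGroups search string `(&(member=\5c2a)(objectclass=group))` above; such a filter only matches a `member` value that is literally `\2a`, not a wildcard, which is consistent with that search returning nothing. Whether the plugin arrived at that filter by double-escaping is not something the post establishes.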

 


