[Mediawiki-l] LdapAuthentication Group Synchronization

Michael B Allen ioplex at gmail.com
Thu Jun 28 17:09:50 UTC 2007


Hi Keith,

There's a plugin called Plexcel (proprietary; 60-day trial or up to 25
users) that you might want to look at. It does group authorization
directly with AD groups.

Mike

On 6/27/07, Keith Bruss <kbruss at smp-inc.com> wrote:
> Hi All,
>
>
>
> I'm looking for some help with the LdapAuthentication extension,
> specifically group synchronization and access controls based on the LDAP
> group membership.  Here's a little info on my setup:
>
>
>
> Gentoo box with LAMP is running MediaWiki:
>
> * MediaWiki: 1.6.8
> * PHP: 4.4.2-pl2-gentoo (apache2handler)
> * MySQL: 4.1.14-log
> * LDAP Authentication Plugin (version 1.1f (alpha)), LDAP Authentication
>   plugin with support for multiple LDAP authentication methods, by Ryan
>   Lane
>   (the latest download on the website has version 1.1f alpha listed;
>   however, when you view this file, you'll notice the version defined is
>   1.1f (non-alpha) and the code is different than the 1.1f alpha)
>
> This is connecting to a Windows 2003 Active Directory LDAP server hosted
> on another machine.
>
>
>
> Here is my config as it pertains to LDAP:
>
> require_once( "includes/LdapAuthentication.php" );
> $wgAuth = new LdapAuthenticationPlugin();
> $wgLDAPDomainNames = array( "SMP-INC" );
> $wgLDAPServerNames = array( "SMP-INC"=>"frodo.smp-inc.com legolas.smp-inc.com" );
> $wgLDAPSearchStrings = array( "SMP-INC"=>"SMP-INC\\USER-NAME" );
> #$wgLDAPSearchStrings = array( "SMP-INC"=>"USER-NAME@SMP-INC.com" );
> $wgLDAPUseSSL = false; //not recommended but OK for testing
> $wgLDAPEncryptionType = array( "SMP-INC"=>'clear' ); // this is needed in >= 1.1c
> $wgLDAPUseLocal = true; //allows mysql db driven auth (default Root user)
> $wgMinimalPasswordLength = 1;
> $wgLDAPRetrievePrefs = array( "SMP-INC"=>true ); // this is needed in >= 1.1c
> $wgLDAPUpdateLDAP = array( "SMP-INC"=>false ); //disables mediawiki from updating LDAP
>                                                 //(boolean false; the string "false" is truthy in PHP)
> $wgLDAPDebug = 3; //debugging
>
> #GROUP BASED AUTH
> $wgLDAPSearchAttributes = array( "SMP-INC"=>"sAMAccountName" );
> $wgLDAPBaseDNs = array( "SMP-INC"=>"cn=users,dc=smp-inc,dc=com" );
> $wgLDAPUseLDAPGroups = array( "SMP-INC"=>true );
> $wgLDAPRequiredGroups = array(
>         "SMP-INC"=>array(
>                 "cn=wiki-readonly,cn=users,dc=smp-inc,dc=com",
>                 "cn=wiki-readwrite,cn=users,dc=smp-inc,dc=com",
>                 "cn=wiki-sysops,cn=users,dc=smp-inc,dc=com"
>                 )
>         );
> $wgLDAPLowerCaseUsername = array( "SMP-INC"=>true );
> $wgLDAPGroupUseFullDN = array( "SMP-INC"=>true );
> $wgLDAPGroupObjectclass = array( "SMP-INC"=>"group" );
> $wgLDAPGroupAttribute = array( "SMP-INC"=>"member" );
> $wgLDAPGroupSearchNestedGroups = array( "SMP-INC"=>true );
>
> # Prevent new user registrations except by sysops
> $wgGroupPermissions['*']['createaccount'] = false;
>
> # Disable reading by anonymous users
> $wgGroupPermissions['*']['read'] = false;
>
> # But allow them to read the Login Page, and JS/CSS pages
> $wgWhitelistRead = array( "Special:Userlogin", "-", "MediaWiki:Monobook.css" );
>
> $wgGroupPermissions['wiki-readonly']['move']             = false;
> $wgGroupPermissions['wiki-readonly']['read']             = true;
> $wgGroupPermissions['wiki-readonly']['edit']             = false;
> $wgGroupPermissions['wiki-readonly']['createpage']       = false;
> $wgGroupPermissions['wiki-readonly']['createtalk']       = false;
> $wgGroupPermissions['wiki-readonly']['upload']           = false;
> $wgGroupPermissions['wiki-readonly']['reupload']         = false;
> $wgGroupPermissions['wiki-readonly']['reupload-shared']  = false;
> $wgGroupPermissions['wiki-readonly']['minoredit']        = false;
>
> $wgGroupPermissions['wiki-readwrite']['move']            = true;
> $wgGroupPermissions['wiki-readwrite']['read']            = true;
> $wgGroupPermissions['wiki-readwrite']['edit']            = true;
> $wgGroupPermissions['wiki-readwrite']['createpage']      = true;
> $wgGroupPermissions['wiki-readwrite']['createtalk']      = true;
> $wgGroupPermissions['wiki-readwrite']['upload']          = true;
> $wgGroupPermissions['wiki-readwrite']['reupload']        = true;
> $wgGroupPermissions['wiki-readwrite']['reupload-shared'] = true;
> $wgGroupPermissions['wiki-readwrite']['minoredit']       = true;
>
> $wgGroupPermissions['wiki-sysops']['block']              = true;
> $wgGroupPermissions['wiki-sysops']['createaccount']      = true;
> $wgGroupPermissions['wiki-sysops']['delete']             = true;
> $wgGroupPermissions['wiki-sysops']['deletedhistory']     = true;
> $wgGroupPermissions['wiki-sysops']['editinterface']      = true;
> $wgGroupPermissions['wiki-sysops']['import']             = true;
> $wgGroupPermissions['wiki-sysops']['importupload']       = true;
> $wgGroupPermissions['wiki-sysops']['move']               = true;
> $wgGroupPermissions['wiki-sysops']['patrol']             = true;
> $wgGroupPermissions['wiki-sysops']['protect']            = true;
> $wgGroupPermissions['wiki-sysops']['rollback']           = true;
> $wgGroupPermissions['wiki-sysops']['upload']             = true;
> $wgGroupPermissions['wiki-sysops']['reupload']           = true;
> $wgGroupPermissions['wiki-sysops']['reupload-shared']    = true;
> $wgGroupPermissions['wiki-sysops']['unwatchedpages']     = true;
> $wgGroupPermissions['wiki-sysops']['autoconfirmed']      = true;
> $wgGroupPermissions['wiki-sysops']['userrights']         = true;
>
>
> I created 3 Active Directory groups and a user for each group:
>
> GROUP            USER
> wiki-readonly    wiki-ro
> wiki-readwrite   wiki-rw
> wiki-sysops      wiki-user
>
>
>
> I can successfully authenticate against LDAP groups as defined by
> $wgLDAPRequiredGroups.  Users that are not in $wgLDAPRequiredGroups can
> NOT log in.   So LDAP is working and group authentication is working.
> It is my understanding that at this point I should be able to set
> $wgGroupPermissions based on the Active Directory group name so long as
> wiki/AD sync is setup as defined by $wgLDAPUseLDAPGroups.  With
> debugging set to 3, I can log in as any of the 3 defined users, however
> they all receive the same group memberships; users and *.
>
>
>
> Entering validDomain
> User is using a valid domain.
> Setting domain as: SMP-INC
> Entering getCanonicalName
> Username isn't empty.
> Munged username: Wiki-rw
> Entering authenticate
> Entering Connect
> Using TLS or not using encryption.
> Using servers: ldap://frodo.smp-inc.com ldap://legolas.smp-inc.com
> Connected successfully
> Lowercasing the username: wiki-rw
> Entering getSearchString
> Doing a straight bind
> userdn is: SMP-INC\wiki-rw
> Binding as the user
> Binded successfully
> Entering getUserDN
> Created a regular filter: (sAMAccountName=wiki-rw)
> Using base: cn=users,dc=smp-inc,dc=com
> Fetched username is not a string (check your hook code...).
> Pulled the user's DN: CN=wiki-rw,CN=Users,DC=smp-inc,DC=com
> Checking for (new style) group membership
> Entering isMemberOfRequiredLdapGroup
> Required groups:cn=wiki-readonly,cn=users,dc=smp-inc,dc=com,cn=wiki-readwrite,cn=users,dc=smp-inc,dc=com,cn=wiki-sysops,cn=users,dc=smp-inc,dc=com
> Entering getUserGroups
> Entering getGroups
> Search string: (&(member=CN=wiki-rw,CN=Users,DC=smp-inc,DC=com)(objectclass=group))
> Returned groups:cn=wiki-readwrite,cn=users,dc=smp-inc,dc=com
> Returned groups:
> Found user in a group.
> Retrieving LDAP group membership
> Entering getUserGroups
> Entering getAllGroups
> Entering getGroups
> Search string: (&(member=\5c2a)(objectclass=group))
> Returned groups:
> Returned groups:
> Retrieving preferences
> Retrieved: , , wiki-rw, wiki-rw
> Authentication passed
> Entering updateUser
> Setting user preferences.
> Pulling groups from LDAP.
> Available groups are: bot,sysop,bureaucrat,wiki-readonly,wiki-readwrite,wiki-sysops
> Effective groups are: *,user
> Checking to see if user is in: bot
> Entering hasLDAPGroup
> Checking to see if user is in: sysop
> Entering hasLDAPGroup
> Checking to see if user is in: bureaucrat
> Entering hasLDAPGroup
> Checking to see if user is in: wiki-readonly
> Entering hasLDAPGroup
> Checking to see if user is in: wiki-readwrite
> Entering hasLDAPGroup
> Checking to see if user is in: wiki-sysops
> Entering hasLDAPGroup
> Saving user settings.
>
>
>
> You'll notice the line:  "Effective groups are: *,user".  Shouldn't this
> show wiki-readwrite, since that's the AD group this user belongs to?  Or
> does it not check the AD groups until it says "checking to see if user
> is in: wiki-readwrite"?  Also, once the member is found in an AD group,
> should the MySQL table "wikidb_user_groups" get an UPDATE statement
> adding the userid to the AD group?
>
>
>
> I've read a lot and looked for Ryan Lane on Freenode.  I think I'm
> having similar problems as this guy, but I have the newer version:
> http://www.mediawiki.org/wiki/Extension_talk:LDAP_Authentication/archive1#Group_Synchronization
>
>
>
> Thanks,
>
>
>
> Kbruss
>
>
>
> _______________________________________________
> MediaWiki-l mailing list
> MediaWiki-l at lists.wikimedia.org
> http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>
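Editor's note on the debug output quoted above, with an added example that is not code from the LdapAuthentication extension or from either poster. The first getGroups search in the log is the expected one: the user's DN goes into an RFC 4515 filter, (&(member=CN=wiki-rw,...)(objectclass=group)), and the server returns cn=wiki-readwrite. The second search, the one run from getAllGroups, carries member=\5c2a instead. In RFC 4515 escaping, \5c is a backslash and \2a is an asterisk, so \5c2a is exactly what an escaper emits when handed the already-escaped wildcard \2a: the server decodes it to the three-character literal \2a, no group has that text as a member, and "Returned groups:" is empty, which is why every later hasLDAPGroup check fails and the effective groups stay *,user. The block below shows that escaping arithmetic and a simplified group sync (the sync logic is an assumed stand-in for the extension's updateUser step, not its real code); group DNs and wiki group names are the ones from the posted config.

```python
"""LDAP filter escaping and AD-group-to-wiki-group mapping.

Added example, not code from the LdapAuthentication extension. Group and
DN names come from the config posted in the thread; sync_groups() is a
simplified stand-in (assumption) for what a group-sync step has to decide.
"""
import re

# RFC 4515: these five characters must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}
_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")


def escape_filter_value(value: str) -> str:
    """Escape a raw value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Decode \\XX escapes: the literal text the server actually matches on."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def group_filter(member_dn: str, group_objectclass: str = "group",
                 group_attribute: str = "member") -> str:
    """Build the 'which groups list this DN as a member' filter.

    Same shape as the first getGroups search in the log:
    (&(member=<user DN>)(objectclass=group))
    The raw DN is escaped exactly once here.
    """
    return "(&({}={})(objectclass={}))".format(
        group_attribute, escape_filter_value(member_dn), group_objectclass)


def dn_to_wiki_group(group_dn: str) -> str:
    """Map a group DN to the wiki group name used in $wgGroupPermissions.

    Takes the leftmost RDN value and lowercases it, so
    'cn=wiki-readwrite,cn=users,dc=smp-inc,dc=com' -> 'wiki-readwrite'.
    """
    first_rdn = group_dn.split(",", 1)[0]
    attr, _, value = first_rdn.partition("=")
    if attr.strip().lower() != "cn":
        raise ValueError("unexpected RDN in group DN: " + group_dn)
    return value.strip().lower()


def sync_groups(ldap_group_dns, managed_groups, current_groups):
    """Decide which wiki groups to add to / remove from a user.

    Only groups in managed_groups (the LDAP-controlled ones) are touched;
    built-in groups such as '*' and 'user' are left alone. Simplified
    stand-in for the extension's updateUser step (assumption).
    Returns (to_add, to_remove), both sorted lists.
    """
    in_ldap = {dn_to_wiki_group(dn) for dn in ldap_group_dns}
    managed = set(managed_groups)
    current = set(current_groups)
    to_add = sorted((in_ldap & managed) - current)
    to_remove = sorted((current & managed) - in_ldap)
    return to_add, to_remove


if __name__ == "__main__":
    user_dn = "CN=wiki-rw,CN=Users,DC=smp-inc,DC=com"   # DN from the log
    print(group_filter(user_dn))

    once = escape_filter_value("*")        # "\2a": a wildcard, escaped once
    twice = escape_filter_value(once)      # "\5c2a": the value seen in the log
    print(group_filter(once))
    print(twice, "is matched as the literal text", repr(unescape_filter_value(twice)))

    managed = ["wiki-readonly", "wiki-readwrite", "wiki-sysops"]
    returned = ["cn=wiki-readwrite,cn=users,dc=smp-inc,dc=com"]  # from the log
    print(sync_groups(returned, managed, ["*", "user"]))
```

Run it and the second filter printed is the \5c2a one from the log; unescaping it yields \2a, not *, so no member attribute can match. The sync step, fed the groups the first search returned, would add wiki-readwrite and leave * and user untouched; it only removes a managed group when LDAP no longer lists the user in it.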


