[Mediawiki-l] LDAP Inquiry

Steve Finkelstein sf at stevefink.net
Wed May 2 21:31:46 UTC 2007

I'm having a bit of difficulty getting this to work. I added a few
entries to my LDAP that look like this:

# contractors, groups, domain1.com
dn: ou=contractors,ou=groups,domain1.com,dc=com
ou:: Y29udHJhY3RvcnMg
objectClass: organizationalUnit
objectClass: top
description: Restricted Contractor Access

# user1, contractors, groups, domain1.com
dn: uid=user1,ou=contractors,ou=groups,domain1.com,dc=com
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
objectClass: person
cn: User1
uid: user1
sn: User1
title: Freelance Graphics Artist

# mediawiki, groups, domain1.com
dn: cn=mediawiki,ou=groups,domain1.com,dc=com
cn: mediawiki
objectClass: groupOfUniqueNames
uniqueMember: uid=user1,ou=contractors,ou=groups,domain1.com,dc=com
description: MediaWiki ACL

And on the MediaWiki side:

require_once ( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "domain1.com","Contractors" );
$wgLDAPServerNames = array( "domain1.com"=>"foo.domain1.com",
                            "Contractors"=>"foo.domain1.com" );
$wgLDAPSearchAttributes = array( "domain1.com"=>"uid" );
$wgLDAPBaseDNs = array( "domain1.com"=>"ou=staff,domain1.com,dc=com" );
$wgLDAPEncryptionType = array( "domain1.com"=>"ssl",
                               "Contractors"=>"ssl" );
#$wgLDAPUseSSL = false;
$wgLDAPUseLocal = false;
$wgLDAPRetrievePrefs = array( "domain1.com"=>true,
                              "Contractors"=>false );
$wgLDAPRequiredGroups = array(
"Contractors"=>array("cn=mediawiki,ou=groups,domain1.com,dc=com") );
$wgLDAPGroupUseFullDN = array( "Contractors"=>true );
$wgLDAPGroupObjectclass = array( "Contractors"=>"groupofuniquenames" );
$wgLDAPGroupAttribute = array( "Contractors"=>"uniquemember" );
$wgLDAPGroupSearchNestedGroups = array( "Contractors"=>false );
$wgLDAPAddLDAPUsers = false;
$wgLDAPUpdateLDAP = false;
$wgLDAPMailPassword = false;
$wgLDAPRetrievePrefs = false; // overrides the per-domain array set above
$wgMinimalPasswordLength = 1;
$wgLDAPDebug = 1;
$wgShowExceptionDetails = true;

domain1 works great, Contractors on the other hand, using groups, will
not authenticate. See anything weird?

- sf

Lane, Ryan wrote:
>> As it stands, every user in my LDAP schema that falls 
>> under the following dn: is authorized to login,
>> ou=staff,dc=domain,dc=com
>> Now where the complexity comes in, is I need to add a 
>> contractor to my directory. This contractor should only have 
>> access to mediawiki and nothing else which LDAP authorizes 
>> users to access such as UNIX logins or other web 
>> applications. I do know I can use $wgLDAPUseLocal to allow 
>> local logins, but I'd like to avoid keeping authorization 
>> local to the wiki.
> Add the user to LDAP, but don't add the posixAccount and/or
> shadowAccount objectclasses; or, add the user to another OU (something
> no other services use), and make another domain for the LDAP plugin,
> pointing to this other OU. 

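Added example, not part of the thread and not code from the LdapAuthentication plugin: a small Python model of the per-domain lookup that the posted `$wgLDAP*` arrays describe (locate the user under the domain's base DN by its search attribute, then require membership of each required group, compared by full DN), run over a constructed LDIF mirroring the entries in the post. As posted, `$wgLDAPSearchAttributes` names only `domain1.com` and the `$wgLDAPBaseDNs` line is cut off, so the model is run once with only the staff domain configured and once with a base DN and search attribute assumed for the Contractors domain; the names `check_login`, `CONFIG_AS_POSTED`, `CONFIG_WITH_CONTRACTOR_BASE` and the `dc=example,dc=com` suffix are all assumptions. It also parses the `ou::` base64 line from the post as written, which decodes to `contractors ` with a trailing space (that is why the LDIF tool base64-encoded it).

```python
import base64
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Constructed LDIF sample modelled on the entries in the post (dc=example,dc=com
# stands in for the anonymised suffix; none of this is real directory data).
SAMPLE_LDIF = """\
dn: uid=alice,ou=staff,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
cn: Alice

dn: ou=contractors,ou=groups,dc=example,dc=com
ou:: Y29udHJhY3RvcnMg
objectClass: organizationalUnit

dn: uid=user1,ou=contractors,ou=groups,dc=example,dc=com
objectClass: inetOrgPerson
uid: user1
cn: User1

dn: cn=mediawiki,ou=groups,dc=example,dc=com
cn: mediawiki
objectClass: groupOfUniqueNames
uniqueMember: uid=user1,OU=contractors,ou=groups,dc=example,dc=com
"""


def normalize_dn(dn: str) -> str:
    """Simplified DN normalisation: lower-case, whitespace stripped around each RDN.
    Escaped commas and multi-valued RDNs (RFC 4514) are not handled."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal LDIF parser: {normalised dn: {attr (lower): [values]}}.
    Handles 'attr:: <base64>' values and leading-space line folding."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:       # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: Dict[str, Entry] = {}
    current: Entry = {}
    for line in lines + [""]:                   # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries[normalize_dn(current["dn"][0])] = current
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):               # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def dn_under_base(dn: str, base: str) -> bool:
    d, b = normalize_dn(dn), normalize_dn(base)
    return d == b or d.endswith("," + b)


def find_users(entries: Dict[str, Entry], base_dn: str, search_attr: str, username: str) -> List[str]:
    """DNs under base_dn whose search attribute equals username (case-insensitive)."""
    wanted = username.lower()
    return [dn for dn, attrs in entries.items()
            if dn_under_base(dn, base_dn)
            and wanted in (v.lower() for v in attrs.get(search_attr.lower(), []))]


def check_login(entries: Dict[str, Entry], config: dict, domain: str, username: str) -> Tuple[bool, str]:
    """Model (assumption, not the plugin's code) of the per-domain settings: find the
    user under the domain's base DN, then require membership of every required group."""
    base_dn = config["base_dns"].get(domain)
    if base_dn is None:
        return False, f"no base DN configured for domain {domain!r}"
    search_attr = config["search_attrs"].get(domain)
    if search_attr is None:
        return False, f"no search attribute configured for domain {domain!r}"
    matches = find_users(entries, base_dn, search_attr, username)
    if len(matches) != 1:
        return False, f"expected exactly one user match, got {len(matches)}"
    user_dn = matches[0]
    use_full_dn = config["group_use_full_dn"].get(domain, False)
    for group_dn in config["required_groups"].get(domain, []):
        group = entries.get(normalize_dn(group_dn))
        if group is None:
            return False, f"required group {group_dn} not found"
        raw_members = group.get(config["group_attr"].get(domain, "member").lower(), [])
        members = {normalize_dn(m) if use_full_dn else m.lower() for m in raw_members}
        needle = user_dn if use_full_dn else username.lower()
        if needle not in members:
            return False, f"{username} is not a member of {group_dn}"
    return True, user_dn


# Per-domain settings modelled on the $wgLDAP* arrays in the post: only the
# staff domain has a base DN and search attribute.
CONFIG_AS_POSTED = {
    "base_dns": {"domain1.com": "ou=staff,dc=example,dc=com"},
    "search_attrs": {"domain1.com": "uid"},
    "required_groups": {"Contractors": ["cn=mediawiki,ou=groups,dc=example,dc=com"]},
    "group_use_full_dn": {"Contractors": True},
    "group_attr": {"Contractors": "uniquemember"},
}
# Same, with a base DN and search attribute assumed for the Contractors domain.
CONFIG_WITH_CONTRACTOR_BASE = {
    **CONFIG_AS_POSTED,
    "base_dns": {**CONFIG_AS_POSTED["base_dns"],
                 "Contractors": "ou=contractors,ou=groups,dc=example,dc=com"},
    "search_attrs": {**CONFIG_AS_POSTED["search_attrs"], "Contractors": "uid"},
}

ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    for name, cfg in (("as posted", CONFIG_AS_POSTED), ("with base", CONFIG_WITH_CONTRACTOR_BASE)):
        for domain, user in (("domain1.com", "alice"), ("Contractors", "user1"), ("Contractors", "alice")):
            print(name, domain, user, check_login(ENTRIES, cfg, domain, user))
```

The group check compares normalised DNs, so the `OU=` case difference in the constructed `uniqueMember` value still matches; a staff user who is not under the Contractors base DN is refused for that domain even though the group check is never reached, which is the separation Ryan describes (a distinct OU served by its own plugin domain).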