I'm having a bit of difficulty getting this to work. I added a few entries to my LDAP that look like this:
# contractors, groups, domain1.com
dn: ou=contractors,ou=groups,domain1.com,dc=com
# "ou::" marks a base64 value; Y29udHJhY3RvcnMg decodes to "contractors " (with a trailing space)
ou:: Y29udHJhY3RvcnMg
objectClass: organizationalUnit
objectClass: top
description: Restricted Contractor Access

# user1, contractors, groups, domain1.com
dn: uid=user1,ou=contractors,ou=groups,domain1.com,dc=com
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
objectClass: person
cn: User1
uid: user1
sn: User1
title: Freelance Graphics Artist

# mediawiki, groups, domain1.com
dn: cn=mediawiki,ou=groups,domain1.com,dc=com
cn: mediawiki
objectClass: groupOfUniqueNames
uniqueMember: uid=user1,ou=contractors,ou=groups,domain1.com,dc=com
description: MediaWiki ACL
And on the MediaWiki side:
require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();

# Two plugin "domains", both pointing at the same server
$wgLDAPDomainNames = array( "domain1.com", "Contractors" );
$wgLDAPServerNames = array(
    "domain1.com" => "foo.domain1.com",
    "Contractors" => "foo.domain1.com"
);
$wgLDAPSearchAttributes = array( "domain1.com" => "uid" );
$wgLDAPBaseDNs = array(
    "domain1.com" => "ou=staff,domain1.com,dc=com",
    "Contractors" => "domain1.com,dc=com"
);
$wgLDAPEncryptionType = array(
    "domain1.com" => "ssl",
    "Contractors" => "ssl"
);
#$wgLDAPUseSSL = false;
$wgLDAPUseLocal = false;
$wgLDAPRetrievePrefs = array(
    "domain1.com" => true,
    "Contractors" => false
);

# Group restriction for the Contractors domain only
$wgLDAPRequiredGroups = array(
    "Contractors" => array( "cn=mediawiki,ou=groups,domain1.com,dc=com" )
);
$wgLDAPGroupUseFullDN = array( "Contractors" => true );
$wgLDAPGroupObjectclass = array( "Contractors" => "groupofuniquenames" );
$wgLDAPGroupAttribute = array( "Contractors" => "uniquemember" );
$wgLDAPGroupSearchNestedGroups = array( "Contractors" => false );

$wgLDAPAddLDAPUsers = false;
$wgLDAPUpdateLDAP = false;
$wgLDAPMailPassword = false;
$wgLDAPRetrievePrefs = false;   # assigned again here; replaces the per-domain array above
$wgMinimalPasswordLength = 1;
$wgLDAPDebug = 1;
$wgShowExceptionDetails = true;
domain1 works great, Contractors on the other hand, using groups, will not authenticate. See anything weird?
- sf
Lane, Ryan wrote:
As it stands, every user in my LDAP schema that falls under the following DN is authorized to log in:
ou=staff,dc=domain,dc=com
Now where the complexity comes in, is I need to add a contractor to my directory. This contractor should only have access to mediawiki and nothing else which LDAP authorizes users to access such as UNIX logins or other web applications. I do know I can use $wgLDAPUseLocal to allow local logins, but I'd like to avoid keeping authorization local to the wiki.
Add the user to LDAP, but don't add the posixAccount and/or shadowAccount objectclasses; or, add the user to another OU (something no other services use), and make another domain for the LDAP plugin, pointing to this other OU.
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
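The split Ryan describes, as an added worked example (this is not the LDAP plugin's code and not the poster's directory): a constructed sample directory where the staff account carries posixAccount/shadowAccount and the contractor does not, plus a model of the two authorization decisions. The UNIX-side check assumes the usual nss_ldap/pam_ldap behaviour of only considering entries with objectClass posixAccount; the wiki-side check models a Contractors-style domain that requires the user's full DN to appear as uniqueMember of the required group. The base dc=domain,dc=com and the users alice, bob and user1 are assumptions for the example.

```python
import base64

# Constructed sample directory (not a dump of any real server). Base is assumed
# to be dc=domain,dc=com. user1 deliberately has no posixAccount/shadowAccount.
SAMPLE_LDIF = """\
dn: uid=alice,ou=staff,dc=domain,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: alice
cn: Alice Staff
sn: Staff
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice

dn: uid=bob,ou=staff,dc=domain,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: bob
cn: Bob Staff
sn: Staff
uidNumber: 10002
gidNumber: 10002
homeDirectory: /home/bob

dn: ou=contractors,ou=groups,dc=domain,dc=com
objectClass: organizationalUnit
ou:: Y29udHJhY3RvcnMg

dn: uid=user1,ou=contractors,ou=groups,dc=domain,dc=com
objectClass: inetOrgPerson
uid: user1
cn: User1
sn: User1

dn: cn=mediawiki,ou=groups,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: mediawiki
uniqueMember: uid=user1,ou=contractors,ou=groups,dc=domain,dc=com
uniqueMember: uid=alice, ou=staff, dc=domain, dc=com
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value' and
    'attr:: base64' forms. No continuation lines or changetype records.
    Attribute names are lower-cased because LDAP treats them case-insensitively."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        if ":: " in line:
            name, value = line.split(":: ", 1)
            value = base64.b64decode(value).decode("utf-8")
        else:
            name, value = line.split(": ", 1)
        cur.setdefault(name.lower(), []).append(value)
    if cur:
        entries.append(cur)
    return entries


def normalize_dn(dn):
    """Case-fold and strip whitespace around RDN separators so DNs compare the way
    LDAP matches them. Escaped commas inside values are not handled here."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def objectclasses(entry):
    return {oc.lower() for oc in entry.get("objectclass", [])}


def unix_login_allowed(entries, uid):
    """Assumed nss/pam view: only entries carrying posixAccount are accounts."""
    return any(uid in e.get("uid", []) and "posixaccount" in objectclasses(e)
               for e in entries)


def wiki_login_allowed(entries, uid, base_dn, group_dn):
    """Model of the plugin's group-restricted domain: the user must live under
    base_dn and its full DN must be listed as uniqueMember of group_dn."""
    base = normalize_dn(base_dn)
    users = [e for e in entries if uid in e.get("uid", [])
             and normalize_dn(e["dn"][0]).endswith("," + base)]
    groups = [e for e in entries if normalize_dn(e["dn"][0]) == normalize_dn(group_dn)]
    if not users or not groups:
        return False
    members = {normalize_dn(m) for m in groups[0].get("uniquemember", [])}
    return normalize_dn(users[0]["dn"][0]) in members


def access_matrix(entries, base_dn="dc=domain,dc=com",
                  group_dn="cn=mediawiki,ou=groups,dc=domain,dc=com"):
    """Which service each uid can reach; the contractor should show wiki only."""
    uids = sorted(u for e in entries for u in e.get("uid", []))
    return {u: {"unix": unix_login_allowed(entries, u),
                "wiki": wiki_login_allowed(entries, u, base_dn, group_dn)}
            for u in uids}


if __name__ == "__main__":
    for uid, access in access_matrix(parse_ldif(SAMPLE_LDIF)).items():
        print(uid, access)
```

Running it shows alice reaching both services, bob reaching UNIX only (not in the group), and user1 reaching the wiki only; the parser also makes visible that an `ou::` value is base64 and may carry characters such as a trailing space that are easy to miss in a raw dump.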