On Mon, Nov 17, 2008 at 05:04:04PM -0600, Lane, Ryan wrote:
Is there a way to only allow members of certain groups to log on, or to only allow members of one or more groups to edit certain pages?
Both! See:
http://www.mediawiki.org/wiki/Ldap#Group_based_restrictions_.28NEW.29
http://www.mediawiki.org/wiki/Ldap#Group_synchronization
Also:
Starting with a setup that does work, just authenticating any AD user, I
added:
$wgLDAPRequiredGroups = array(
    "AD_DOMAIN" => array(
        "cn=QA Employees,ou=Security Groups,dc=domain,dc=com",
        "cn=Engineering Employees,ou=Security Groups,dc=domain,dc=com",
        "cn=Customer Care Employees,ou=Security Groups,dc=domain,dc=com"
    )
);
$wgLDAPGroupBaseDNs = array( "AD_DOMAIN" => "ou=Security Groups,dc=domain,dc=com" );
$wgLDAPUserBaseDNs = array( "AD_DOMAIN" => "ou=Domain Users,dc=domain,dc=com" );
I added myself to the QA Employees group to test, and could not log on.
The output I got:
Entering validDomain
User is using a valid domain.
Setting domain as: AD_DOMAIN
Entering getCanonicalName
Username isn't empty.
Munged username: Joliver
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://10.0.0.2
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: AD_DOMAIN\Joliver
Binding as the user
Bound successfully
Entering getUserDN
Created a regular filter: (sAMAccountName=Joliver)
Entering getBaseDN
basedn is ou=Domain Users,dc=domain,dc=com
Using base: ou=Domain Users,dc=domain,dc=com
Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
Pulled the user's DN:
Checking for (new style) group membership
Entering isMemberOfRequiredLdapGroup
Required groups:cn=qa employees,ou=security groups,dc=domain,dc=com,cn=engineering employees,ou=security groups,dc=domain,dc=com,cn=customer care employees,ou=security groups,dc=domain,dc=com
Entering getUserGroups
Entering getGroups
Entering getBaseDN
basedn is ou=Security Groups,dc=domain,dc=com
Search string: (&(=Joliver)(objectclass=))
No entries returned from search.
Couldn't find the user in any groups (1).
Entering strict.
Returning true in strict().
Entering modifyUITemplate
I think this may be because my user isn't in Domain Users... it's in
another folder called "IT". So, I tried:
$wgLDAPUserBaseDNs = array(
    "AD_DOMAIN" => array(
        "ou=Domain Users,dc=domain,dc=com",
        "ou=IT,dc=domain,dc=com"
    )
);
and now I still get the incorrect password error, and the debug message
says:
Entering getBaseDN
basedn is Array
Using base: Array
I'm not sure if it's just saying that the BaseDN *is* an array, or if
it's reading the literal string, "Array".
Also, I noticed that the debug says:
Pulled the user's DN:
Googling around has found examples where that is populated, like:
Pulled the user's DN: CN=John Doe,OU=Users,OU=Administrators,DC=domainname,DC=com
--
John Oliver
http://www.john-oliver.net/
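As an added example (not from this thread or from the extension's own code), the Python below reproduces how a group-membership search filter of the shape seen in the debug output is assembled, shows why unset member-attribute and objectclass settings produce the malformed `(&(=Joliver)(objectclass=))`, and escapes the interpolated user value per RFC 4515 so that a username containing filter metacharacters cannot change the query. The setting and attribute names used here are assumptions for illustration; the extension's real configuration keys are documented on the wiki page linked above.

```python
# Added example: assemble and sanity-check an LDAP group-membership filter
# like the one shown in the debug line "Search string: (&(=Joliver)(objectclass=))".
# Names such as member_attr / group_objectclass are illustrative (assumed),
# not the extension's real configuration keys.
from typing import List, Optional

# RFC 4515: these characters must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_group_filter(member_attr: str, user_value: str,
                       group_objectclass: str) -> str:
    """AND together (member_attr=user) and (objectclass=group_objectclass)."""
    return (f"(&({member_attr}={escape_filter_value(user_value)})"
            f"(objectclass={group_objectclass}))")


def check_group_search_config(member_attr: Optional[str],
                              group_objectclass: Optional[str]) -> List[str]:
    """Return the problems that would make build_group_filter emit a malformed filter."""
    problems = []
    if not member_attr:
        problems.append("group member attribute is unset: filter becomes (=<user>)")
    if not group_objectclass:
        problems.append("group objectclass is unset: filter becomes (objectclass=)")
    return problems


if __name__ == "__main__":
    # Misconfigured case, matching the debug output quoted in the message above.
    print(build_group_filter("", "Joliver", ""))
    for problem in check_group_search_config("", ""):
        print("config problem:", problem)

    # Working case: AD group objects list members by full DN, so the value to
    # match is the user's DN (constructed sample) rather than the bare login name.
    user_dn = "CN=John Oliver,OU=IT,DC=domain,DC=com"
    print(build_group_filter("member", user_dn, "group"))
```

Note that the empty "Pulled the user's DN:" line in the debug output means the value being interpolated would itself be empty, so both the attribute names and the user lookup need to succeed before the group search can return anything.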