There are no approved versions of this page.
No categories assigned
LDAP
-
- Last edited 5 years ago by MLR
-
-
- This page is a first draft
/etc/ldapprovider.json
ldapprovider.json
{
"DOMAIN OF CUSTOMER": {
"connection": {
"server": "",
"user": "",
"pass": "",
"basedn": "",
"userbasedn": "",
"groupbasedn": "",
"searchattribute": "samaccountname",
"usernameattribute": "samaccountname",
"realnameattribute": "displayname",
"emailattribute": "mail",
"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory",
"nestedgroups": true
},
"authorization": {
"rules": {
"groups": {
"required": [ "" ]
}
}
},
"userinfo": {
"attributes-map": {
"email": "mail",
"realname": "displayname",
}
},
"groupsync": {
"mechanism": "allgroups"
}
}
}
090-LDAP.php
wfLoadExtensions( [
'Auth_remoteuser',// only needed if SingleSignOn is used
'LDAPProvider',
'Manual:Extension/LDAPAuthentication2',
'LDAPAuthorization',
'LDAPGroups',
'LDAPUserInfo',
'PluggableAuth'
] );
$LDAPProviderDomainConfigs = "/etc/ldapprovider.json";
$Manual:Extension/LDAPAuthentication2AllowLocalLogin = false;
$Manual:Extension/LDAPAuthentication2UsernameNormalizer = 'strtolower';
$LDAPProviderCacheTime = 300;
$LDAPProviderCacheType = CACHE_MEMCACHED; // or CACHE_NONE if no memcached is installed
$LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain'; // remove if your $_SERVER[ 'REMOTE_USER' ] is like "domain\user". If you have to remove this, follow step 2
$bsgPermissionConfig['autocreateaccount'] = [ 'type' => 'global', "roles" => [ 'autocreateaccount' ] ];
$wgAuthRemoteuserUserName = function() {
global $wgDBname;
$user = '';
if( isset( $_SERVER[ 'REMOTE_USER' ] ) ) {
$user = $_SERVER[ 'REMOTE_USER' ];
}
//Bypass fot Parsoid / PhantomJS calls
if( isset( $_SERVER[ 'REMOTE_ADDR' ] ) && substr( $_SERVER[ 'REMOTE_ADDR' ], 0, 4 ) == '127.' ) {
if( empty( $user ) ) {
// check the 304f3058RemoteToken name of your cookies in your browser!
$user = $_COOKIE[$wgDBname.'304f3058RemoteToken'] . '@DOMAIN OF CUSTOMER'; // Step 2: change this to $user = 'DOMAIN OF CUSTOMER\\' . $_COOKIE[$wgDBname.'304f3058RemoteToken'];
}
}
return $user;
};
Note: This part 304f3058 of the cookie will change on some reasons. It should not, but we've seen it. So check with the cookies in your browser. $wgDBname is set in your LocalSettings.php