In part 1 of this series, I discussed basic password authentication for Active Directory (AD). In this article I will discuss enabling group restrictions and synchronization, and retrieving preferences for AD. I’ll first discuss group restrictions, then synchronization, then retrieving preferences.
Group restrictions and synchronization will require you to somewhat understand the LDAP structure that your AD environment is built upon. Don’t worry, this isn’t as scary as it sounds, and I’ll explain how to find all of the information you’ll require.
Before you start, you must have authentication working. See part 1 of this series to enable authentication. Don’t try to get everything working at the same time. First ensure authentication is working, then enable group restrictions, then go from there.
For this article we will use the domain configured in part 1:
$wgLDAPDomainNames = array( "TESTAD" );
Shared group options
Telling the plugin how to map users to group members
AD stores full Distinguished Names (DNs) such as cn=Ryan Lane,dc=testad,dc=example,dc=com as group members, so we need to tell the plugin to match on full DNs. We also need to tell the plugin how to look up the user's DN (the base DN to search under, and the attribute that holds the login name). Place the following in LocalSettings.php:
$wgLDAPGroupUseFullDN = array( "TESTAD" => true );
$wgLDAPBaseDNs = array( 'TESTAD' => 'dc=testad,dc=example,dc=com' );
$wgLDAPSearchAttributes = array( 'TESTAD' => 'sAMAccountName' );
Telling the plugin how to find users in groups
For the plugin to find your groups, it needs to know how to search for them. There are two ways to do this. The first (and easiest) is to use the user's memberOf attribute. The second is to tell the plugin the objectclass and naming attribute of the group, and the attribute that lists the group's members.
Currently, the plugin cannot find a user's primary group using memberOf, because AD does not list the primary group in that attribute. If you need to restrict access based on users' primary groups, do not use memberOf. To enable memberOf for AD, put the following in LocalSettings.php:
$wgLDAPGroupsUseMemberOf = array( "TESTAD" => true );
Manually configure the search
Thankfully, most (all?) AD configurations use the same attributes and objectclasses for group membership, so this is fairly straightforward. Put the following into LocalSettings.php:
// The objectclass of the groups we want to search for
$wgLDAPGroupObjectclass = array( "TESTAD" => "group" );
// The attribute used for group members
$wgLDAPGroupAttribute = array( "TESTAD" => "member" );
// The naming attribute of the group
$wgLDAPGroupNameAttribute = array( "TESTAD" => "cn" );
Group restrictions
The LDAP plugin supports two types of group restriction. The first is a list of groups a user is required to be a member of (required groups); the second is a list of groups a user cannot be a member of (excluded groups). Both types of restriction can be used simultaneously.
To require a user to be a member of a group (such as cn=wiki-users,ou=groups,dc=testad,dc=example,dc=com), put the following into LocalSettings.php:
$wgLDAPRequiredGroups = array( "TESTAD"=> array( "cn=wiki-users,ou=groups,dc=testad,dc=example,dc=com" ) );
To require a user to not be a member of a specific group (such as cn=excluded-wiki-users,ou=groups,dc=testad,dc=example,dc=com), put the following into LocalSettings.php:
$wgLDAPExcludedGroups = array( "TESTAD"=> array( "cn=excluded-wiki-users,ou=groups,dc=testad,dc=example,dc=com" ) );
Group synchronization
Group synchronization allows you to manage MediaWiki authorization using groups defined in your AD server. To enable synchronization, simply add the following to LocalSettings.php:
$wgLDAPUseLDAPGroups = array( "TESTAD"=>true );
To use LDAP groups, you'll have to define their permissions. Say, for instance, you have a group called "wiki-users"; you could grant edit permission to users in that group by adding the following to LocalSettings.php:
$wgGroupPermissions['wiki-users']['edit'] = true;
If you’d like to add sysop permissions to a group called “wiki-admins”, you could put the following into LocalSettings.php:
$wgGroupPermissions['wiki-admins'] = $wgGroupPermissions['sysop'];
Overall, group synchronization is far more powerful than group restriction. See MediaWiki’s user rights documentation for more information on controlling access.
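The following is an added example, not code from the plugin or from the original post: an offline Python model of the two checks described above (required/excluded groups, then the add/remove decision that synchronization makes on login), using constructed sample directory data. It also fills in the memberOf caveat from the manual-search section: AD links a user's primary group through primaryGroupID matching the group's primaryGroupToken rather than through memberOf. The any-of semantics for required groups and the "only touch groups that exist in AD" rule for synchronization are assumptions of this model.

```python
# Offline model of the group checks (constructed sample data, not the plugin's code).
def norm_dn(dn):
    """LDAP DNs compare case-insensitively and ignore space around separators."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def rdn_value(dn):
    """Naming attribute value of a DN, e.g. 'wiki-users' from 'cn=wiki-users,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def effective_groups(user, groups):
    """Group DNs the user belongs to. memberOf omits the primary group, which AD
    links via user.primaryGroupID == group.primaryGroupToken (the group's RID)."""
    dns = {norm_dn(d) for d in user.get("memberOf", [])}
    for g in groups:
        if g.get("primaryGroupToken") == user.get("primaryGroupID"):
            dns.add(norm_dn(g["dn"]))
    return dns

def access_allowed(user_dns, required, excluded):
    """Required groups: member of at least one (assumed any-of semantics);
    excluded groups: member of none. An excluded group wins on overlap."""
    req = {norm_dn(d) for d in required}
    exc = {norm_dn(d) for d in excluded}
    if user_dns & exc:
        return False
    return not req or bool(user_dns & req)

def sync_plan(user_dns, all_group_dns, wiki_groups):
    """Groups to add/remove on login. Only groups that exist in AD are touched,
    so locally managed wiki groups such as 'sysop' survive (assumed behaviour)."""
    ldap_names = {rdn_value(norm_dn(d)) for d in all_group_dns}
    wanted = {rdn_value(d) for d in user_dns}
    add = wanted - set(wiki_groups)
    remove = (set(wiki_groups) & ldap_names) - wanted
    return sorted(add), sorted(remove)

# Constructed sample directory (hypothetical entries, not from a real domain)
BASE = "dc=testad,dc=example,dc=com"
GROUPS = [
    {"dn": f"cn=Domain Users,cn=Users,{BASE}", "primaryGroupToken": 513},
    {"dn": f"cn=wiki-users,ou=groups,{BASE}"},
    {"dn": f"cn=wiki-admins,ou=groups,{BASE}"},
    {"dn": f"cn=excluded-wiki-users,ou=groups,{BASE}"},
]
USER = {"dn": f"cn=test-user,ou=Domain Users,{BASE}", "primaryGroupID": 513,
        "memberOf": [f"CN=Wiki-Users,OU=Groups,{BASE}"]}  # note the casing

if __name__ == "__main__":
    dns = effective_groups(USER, GROUPS)
    print(access_allowed(dns, [f"cn=wiki-users,ou=groups,{BASE}"], []))
    print(sync_plan(dns, [g["dn"] for g in GROUPS], ["sysop", "wiki-admins"]))
```

Note that the primary group shows up as a synchronized wiki group too ("domain users" in the sample), which is exactly why primary-group restrictions cannot be evaluated from memberOf alone.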
Retrieving preferences
The LDAP plugin can pull certain attributes from AD and assign them to MediaWiki user preferences. The MediaWiki preferences currently available are email, realname, nickname, and language. You can configure which MediaWiki preference maps to which AD attribute; put the following in your LocalSettings.php to retrieve preferences:
$wgLDAPPreferences = array(
    "TESTAD" => array(
        "email" => "mail",
        "realname" => "cn",
        "nickname" => "sAMAccountName",
        "language" => "preferredLanguage"
    )
);
Finding user and group DNs, and object attributes
To find the DN of a group (or a user) for use in any of the options mentioned above, use the dsquery command; the second line is its output:
dsquery group -name "wiki-users"
"cn=wiki-users,ou=groups,dc=testad,dc=example,dc=com"
To get the value of specific attributes, use the dsquery command to find the object's DN, then pass that DN to the dsget command (here asking for the userPrincipalName):
dsquery user -name "test-user"
"cn=test-user,ou=Domain Users,dc=testad,dc=example,dc=com"
dsget user "cn=test-user,ou=Domain Users,dc=testad,dc=example,dc=com" -upn
upn
test-user@TESTAD.EXAMPLE.COM
You can get a lot of information with these commands; to see what else you can query, read the help output from dsquery /? and dsget /?.
Test your configuration by logging in with an LDAP user
If you are doing group synchronization, ensure users are correctly added to and removed from MediaWiki groups when they are added to and removed from your AD groups. If you are retrieving preferences, ensure they are updated when you log in.
If you have any questions, you should post them on the discussion page for the plugin on mediawiki.org, or leave me a comment (the former is preferred).