LDAP Integration

From Server rental store
Revision as of 15:59, 15 April 2025 by Admin (talk | contribs) (Automated server configuration article)
LDAP Integration with MediaWiki 1.40

This article details the process of integrating Lightweight Directory Access Protocol (LDAP) authentication with your MediaWiki 1.40 installation. LDAP integration allows users to log in with their existing network credentials, streamlining access and simplifying user management. This guide assumes you have a working MediaWiki 1.40 installation and administrator access to both the MediaWiki server and your LDAP directory. Before you begin, ensure you have a backup of your LocalSettings.php file.

Understanding LDAP and MediaWiki Authentication

MediaWiki, by default, manages its own user accounts. Integrating with LDAP offloads user authentication and management to a dedicated directory service. This centralizes user information and enforces consistent password policies. The process involves configuring MediaWiki to query your LDAP server for user details during login. Successful authentication grants access to the wiki based on the user's LDAP group memberships, which can be mapped to MediaWiki user groups. See User rights for more information on wiki groups.

Prerequisites

Before starting the configuration, verify the following:

  • **LDAP Server:** You have access to a running LDAP server (e.g., OpenLDAP, Active Directory) and know its address, port, and base DN.
  • **LDAP Bind Account:** You have a dedicated, read-only LDAP account whose only job is to search the directory for user entries and group memberships below the base DN. This account should *not* be a privileged administrative account: its password will sit in `LocalSettings.php`, so a compromise of the wiki host must not become a compromise of the directory.
  • **PHP LDAP Extension:** The PHP LDAP extension must be installed and enabled on your MediaWiki server. You can verify this by running `php -m` and checking for `ldap` in the output. If missing, install it using your system's package manager (e.g., `apt-get install php-ldap` on Debian/Ubuntu) and restart PHP-FPM or the web server so the module is loaded.
  • **MediaWiki Administrator Access:** You need administrative access to your MediaWiki installation to modify the `LocalSettings.php` file.

Configuration Steps

The primary configuration takes place in your `LocalSettings.php` file. Add the following settings, adjusting the values to match your specific LDAP environment. Two caveats before you paste: the setting names depend on the LDAP extension version you install, so verify each one against that extension's documentation (see Extension:LDAP Authentication under Further Resources), and because the file will now contain the bind password, make sure `LocalSettings.php` is readable only by the web server user and is never committed to a shared repository.

```php
<?php
// LDAP Configuration

$wgLDAPPlugin = true;

$wgLDAPServer = array(
    'host'    => 'ldap.example.com',
    'port'    => 389,                                // plaintext LDAP; use 636 with LDAPS in production (see Security Considerations)
    'basedn'  => 'dc=example,dc=com',
    'binddn'  => 'cn=ldapsearch,dc=example,dc=com',  // read-only search account, not a directory administrator
    'bindpw'  => 'your_ldap_password',               // keep this file readable only by the web server user
    'version' => 3
);

$wgLDAPSearchAttributes = array(
    'username' => 'uid',
    'realname' => 'cn',
    'email'    => 'mail'
);

$wgLDAPGroupMembershipAttribute = 'memberOf';

$wgLDAPCacheTTL = 3600; // Cache LDAP results for 1 hour; a revoked group membership takes up to this long to apply
```

The closing `?>` tag is deliberately omitted: `LocalSettings.php` should end without one, because any whitespace after a closing tag is sent to the browser and breaks header handling.

  • **Explanation of settings:**
  • `$wgLDAPPlugin = true;`: Enables the LDAP authentication plugin.
  • `$wgLDAPServer`: An array containing the connection details for your LDAP server.
   *   `host`: The hostname or IP address of your LDAP server. Use the hostname that appears in the server's TLS certificate, otherwise certificate verification for LDAPS will fail.
   *   `port`: The port number used for LDAP communication: 389 for plain LDAP (which StartTLS can upgrade to an encrypted session) or 636 for LDAPS. Credentials sent over unencrypted 389 are readable by anyone on the path.
   *   `basedn`: The base distinguished name (DN) from which to search for users. Keep it as narrow as the directory layout allows, for example the OU that holds staff accounts rather than the domain root.
   *   `binddn`: The distinguished name of the LDAP account used to bind to the server.
   *   `bindpw`: The password for the LDAP bind account.
   *   `version`:  The LDAP protocol version (3; version 2 is obsolete and should not be enabled).
  • `$wgLDAPSearchAttributes`: An array defining how to map LDAP attributes to MediaWiki user properties.
   *   `username`: The LDAP attribute containing the username (`uid` on OpenLDAP, `sAMAccountName` on Active Directory).
   *   `realname`: The LDAP attribute containing the user's full name.
   *   `email`: The LDAP attribute containing the user's email address.
  • `$wgLDAPGroupMembershipAttribute`: The LDAP attribute that lists the groups a user belongs to. `memberOf` is native to Active Directory; OpenLDAP only populates it when the `memberof` overlay is enabled, so check a user entry with `ldapsearch` before relying on it.
  • `$wgLDAPCacheTTL`: The time-to-live (TTL) for cached LDAP results in seconds. It is also the maximum delay before a group removal in the directory takes effect in the wiki.
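Before enabling the plugin it is worth proving, from the wiki host, that the bind account can authenticate and that the attributes mapped above actually exist on a real user. The script below is an added pre-flight check written for this article; it is not part of MediaWiki or its LDAP extension. It assumes LDAPS is available at `ldaps://ldap.example.com:636`, that the bind password has been moved into a root-owned file `/etc/mediawiki/ldap-bind.pw` readable by the web server user, and that the test user is `alice`; all of those are assumptions. It also shows the one detail that matters for security in the lookup itself: the login name is interpolated into an LDAP filter, so it is passed through `ldap_escape()` first.

```php
<?php
// Added pre-flight check for the settings above; not part of MediaWiki or its LDAP extension.
// Run on the wiki host before enabling the plugin:  php ldap_check.php alice
// The URI, DNs and password-file path are assumptions matching the sample configuration.

declare(strict_types=1);

const LDAP_URI         = 'ldaps://ldap.example.com:636';  // assumption: LDAPS is enabled on the directory
const LDAP_BASEDN      = 'dc=example,dc=com';
const LDAP_BINDDN      = 'cn=ldapsearch,dc=example,dc=com';
const LDAP_BINDPW_FILE = '/etc/mediawiki/ldap-bind.pw';   // assumption: root:www-data, mode 0640

/**
 * Build the user-lookup filter. ldap_escape() is what prevents filter injection:
 * a login name of  *)(uid=*  becomes  \2a\29\28uid=\2a  instead of rewriting the query
 * into (&(objectClass=person)(uid=*)(uid=*)), which would match every person entry.
 */
function userFilter(string $username): string
{
    return '(&(objectClass=person)(uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
}

function main(array $argv): int
{
    $username = $argv[1] ?? 'alice';
    $bindpw   = trim((string) @file_get_contents(LDAP_BINDPW_FILE));
    if ($bindpw === '') {
        fwrite(STDERR, 'cannot read bind password from ' . LDAP_BINDPW_FILE . "\n");
        return 1;
    }

    // Global libldap TLS policy: refuse to talk to a server whose certificate does not verify
    // against the CA bundle named by TLS_CACERT in ldap.conf. Without this, LDAPS only stops
    // passive eavesdropping; an on-path attacker could still present its own certificate.
    if (!ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND)) {
        fwrite(STDERR, "cannot enforce certificate verification\n");
        return 1;
    }

    $ds = ldap_connect(LDAP_URI);
    if ($ds === false) {
        fwrite(STDERR, "malformed LDAP URI\n");
        return 1;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); // matches 'version' => 3
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);        // Active Directory returns referrals that break searches

    // Step 1: the search account must be able to bind. Result code 49 is invalidCredentials.
    if (!@ldap_bind($ds, LDAP_BINDDN, $bindpw)) {
        fwrite(STDERR, sprintf("bind as %s failed: %s (%d)\n", LDAP_BINDDN, ldap_error($ds), ldap_errno($ds)));
        return 2;
    }

    // Step 2: the attributes that $wgLDAPSearchAttributes maps must be readable for a real user.
    $result = @ldap_search($ds, LDAP_BASEDN, userFilter($username), ['uid', 'cn', 'mail', 'memberOf']);
    if ($result === false) {
        fwrite(STDERR, sprintf("search failed: %s\n", ldap_error($ds)));
        return 3;
    }
    $entries = ldap_get_entries($ds, $result);
    if ($entries['count'] !== 1) {
        fwrite(STDERR, sprintf("expected exactly one entry for %s, got %d\n", $username, $entries['count']));
        return 3;
    }

    // ldap_get_entries() lowercases attribute names, hence 'memberof' below.
    $entry = $entries[0];
    printf("dn: %s\n", $entry['dn']);
    foreach (['uid', 'cn', 'mail'] as $attr) {
        printf("%-9s %s\n", $attr . ':', $entry[$attr][0] ?? '(missing: fix $wgLDAPSearchAttributes)');
    }
    $groups = $entry['memberof'] ?? ['count' => 0];
    for ($i = 0; $i < $groups['count']; $i++) {
        printf("memberOf: %s\n", $groups[$i]); // these DNs are what the group mapping must match
    }

    ldap_unbind($ds);
    return 0;
}

exit(main($argv));
```

A non-zero exit code tells you which layer failed (password file, certificate, bind, or search) before any wiki configuration is involved. If the script prints no `memberOf` lines for a user who is in groups, the directory is not exposing membership on the user entry and the group mapping in the next section will silently assign nothing.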

Mapping LDAP Groups to MediaWiki User Groups

After configuring the basic LDAP connection, you need to map LDAP groups to MediaWiki user groups. This determines the permissions granted to users after successful authentication. Add the following settings to `LocalSettings.php`:

```php
$wgLDAPGroups = array(
    'cn=WikiEditors,dc=example,dc=com'        => 'editor',
    'cn=WikiAdministrators,dc=example,dc=com' => 'sysop',
    'cn=ReadOnlyUsers,dc=example,dc=com'      => 'reader'
);
```

This table maps LDAP group distinguished names to MediaWiki user groups. For example, users belonging to the `cn=WikiEditors,dc=example,dc=com` group will be automatically assigned the `editor` group in MediaWiki. The DNs on the left must match the values the directory returns in the user's `memberOf` attribute; DNs compare case-insensitively, but a typo in an RDN or a stale DN after a group was moved leaves the user with no mapped groups at all. Note that only `sysop` on the right is a built-in MediaWiki group: `editor` and `reader` are custom names and need their own `$wgGroupPermissions` entries before they grant or restrict anything. See Groups for a list of available MediaWiki groups.
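The logic behind that mapping is easy to get subtly wrong, in particular the revocation side: a user who was removed from `WikiAdministrators` in the directory must lose `sysop` in the wiki, while groups the wiki granted locally (such as `bot`) must not be touched. The function below is an added illustration of that logic written for this article, not the LDAP extension's own code. It uses the `$wgLDAPGroups` table from above and constructed sample data for a user who was an administrator until yesterday; the normalisation is a practical approximation (lowercase, whitespace around separators removed), not a full RFC 4514 DN comparison.

```php
<?php
// Added example of the group-mapping step; illustration only, not the LDAP extension's code.
// Computes which MediaWiki groups to add and remove from a user's memberOf values so that
// a revoked directory membership also revokes the wiki privilege.

declare(strict_types=1);

/**
 * Normalise a DN for comparison. DNs are case-insensitive and directories differ in whether
 * they emit "CN=x, DC=y" or "cn=x,dc=y". This is a practical approximation, not RFC 4514.
 */
function normalizeDn(string $dn): string
{
    $parts = preg_split('/\s*,\s*/', trim($dn));
    return strtolower(implode(',', $parts));
}

/**
 * @param string[]             $memberOf      DNs from the user's memberOf attribute
 * @param array<string,string> $ldapGroups    LDAP group DN => MediaWiki group, as in $wgLDAPGroups
 * @param string[]             $currentGroups groups the wiki account holds right now
 * @return array{add: string[], remove: string[], keep: string[]}
 */
function syncGroups(array $memberOf, array $ldapGroups, array $currentGroups): array
{
    // Only groups that appear in the mapping are under LDAP control; anything else is local.
    $managed = array_values(array_unique(array_values($ldapGroups)));

    $mapping = [];
    foreach ($ldapGroups as $dn => $wikiGroup) {
        $mapping[normalizeDn($dn)] = $wikiGroup;
    }

    $wanted = [];
    foreach ($memberOf as $dn) {
        $key = normalizeDn($dn);
        if (isset($mapping[$key])) {
            $wanted[$mapping[$key]] = true;
        }
    }
    $wanted = array_keys($wanted);

    $add    = array_values(array_diff($wanted, $currentGroups));
    // Remove only LDAP-managed groups the user no longer qualifies for; leave local grants alone.
    $remove = array_values(array_diff(array_intersect($currentGroups, $managed), $wanted));
    $keep   = array_values(array_diff($currentGroups, $remove));
    sort($add);
    sort($remove);
    sort($keep);

    return ['add' => $add, 'remove' => $remove, 'keep' => $keep];
}

// Constructed sample data: the mapping from this article, and a user whose directory
// memberships today no longer include the administrators group.
$wgLDAPGroups = [
    'cn=WikiEditors,dc=example,dc=com'        => 'editor',
    'cn=WikiAdministrators,dc=example,dc=com' => 'sysop',
    'cn=ReadOnlyUsers,dc=example,dc=com'      => 'reader',
];
$memberOfToday = ['CN=WikiEditors, DC=example, DC=com', 'cn=Finance,dc=example,dc=com'];
$currentGroups = ['editor', 'sysop', 'bot'];

print_r(syncGroups($memberOfToday, $wgLDAPGroups, $currentGroups));
```

With the sample data the plan is: add nothing, remove `sysop`, keep `editor` and `bot`. The `Finance` group is ignored because it is not in the mapping, and `bot` survives because it is not an LDAP-managed group. Whatever the extension you install does at login, this is the behaviour to verify against it, and `$wgLDAPCacheTTL` bounds how stale the `memberOf` input to this decision can be.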

Troubleshooting and Common Issues

| Issue | Possible Cause | Solution |
|---|---|---|
| **Login Failure** | Incorrect LDAP server settings | Double-check the `$wgLDAPServer` array: hostname, port, base DN, bind DN and password. Confirm the same values work with `ldapsearch` from the wiki host before changing the wiki configuration. |
| **Login Failure** | PHP LDAP extension not installed | Install and enable the PHP LDAP extension (`php -m` must list `ldap`), then restart PHP-FPM or the web server. |
| **Login Failure over LDAPS** | Server certificate not trusted by the client | Point `TLS_CACERT` in the client's `ldap.conf` at the CA that issued the directory's certificate, and make sure `host` matches a name in that certificate. Do not work around it with `TLS_REQCERT never`. |
| **No User Groups Assigned** | Incorrect group mapping | Verify the `$wgLDAPGroups` array; the DNs must match the values in the user's `memberOf` attribute. If `memberOf` is empty on OpenLDAP, the `memberof` overlay is not enabled. |
| **Slow Login Times** | Excessive LDAP queries | Increase the `$wgLDAPCacheTTL` value to cache LDAP results for a longer duration, accepting that group revocations are delayed by the same amount. |
| **LDAP Bind Issues** | Incorrect Bind DN/Password | Verify the bind DN and password (`ldapwhoami` with the same credentials). Check LDAP server logs for the reason; result code 49 is invalidCredentials. |

Advanced Configuration

Further customization is possible through additional settings in `LocalSettings.php`.

  • **LDAPS (Secure LDAP):** For enhanced security, use LDAPS (LDAP over TLS on port 636) or StartTLS, which upgrades a plaintext connection on port 389 to an encrypted one. Set `$wgLDAPServer['useTLS'] = true;`, check the documentation of the installed extension version for which of the two it enables, and ensure your PHP LDAP extension supports TLS. In both cases the client must verify the server certificate (`TLS_CACERT` and `TLS_REQCERT demand` in the libldap `ldap.conf`); encryption without verification stops eavesdropping but not an on-path attacker who presents his own certificate.
  • **User Creation:** By default, MediaWiki does *not* automatically create users based on LDAP information. You can enable this with `$wgLDAPCreateUsers = true;`, but exercise caution: every directory user who can authenticate then receives a wiki account. Narrow the user search (base DN or filter) to the intended OU or group so that contractors and service accounts do not gain wiki access as a side effect.
  • **Custom Attributes:** You can map additional LDAP attributes to MediaWiki user properties using the `$wgLDAPSearchAttributes` array. Any attribute you map must be readable by the bind account, so extend its read ACL rather than widening its privileges.

Security Considerations

  • **Bind Account Permissions:** Use a dedicated LDAP account with minimal necessary permissions: read access to user entries and group membership below the base DN, nothing else. Avoid using privileged administrative accounts, and rotate the password when the wiki host is rebuilt or an administrator leaves.
  • **LDAPS:** Always use LDAPS (or StartTLS) to encrypt communication between the MediaWiki server and the LDAP server, and make the client verify the server certificate. Over plaintext LDAP the bind password and every user's login password cross the network in the clear.
  • **Protect the Bind Password:** It lives in `LocalSettings.php`. Keep the file owned by root and readable only by the web server user (for example mode 0640), and exclude it from backups, repositories and support bundles that are shared more widely.
  • **Escape User Input:** The login name is interpolated into an LDAP search filter. Whatever performs the lookup must escape it (in PHP, `ldap_escape()` with `LDAP_ESCAPE_FILTER`); otherwise a name such as `*)(uid=*` rewrites the filter and can match a different account than the one that authenticated.
  • **Caching:** While caching improves performance, the cache TTL is the upper bound on how long a membership removed in the directory keeps its wiki privileges. Keep it short (minutes rather than hours) where a mapping grants `sysop`.
  • **Regular Auditing:** Regularly review your LDAP integration configuration and user group mappings to ensure they align with your security policies; comparing the `sysop` members on `Special:ListUsers` against the directory's administrator group is a quick check.

Further Resources


  • Help:Configuration
  • Manual:Configuration settings
  • Help:User rights
  • Help:Groups
  • Manual:LDAP
  • Extension:LDAP Authentication
  • Manual:Installation
  • Manual:Upgrading
  • Manual:FAQ
  • Help:FAQ

