This site was an experiment and as of April 7th, 2009 is no longer accepting changes. It is kept up for archival and reference purposes. New work is ongoing in the direction of having a Pointrel Social Semantic Desktop instead of a Halo Semantic MediaWiki.

Help:How can I use LDAP authentication?

From Oscomak

Question

How can I use LDAP authentication?

Answer

The LDAP extension is deployed with SMW+. You only need to add a few configuration lines to LocalSettings.php.

What is LDAP?

LDAP is a hierarchical database used as a directory service. It's commonly used as a central authentication service by many applications. Since there is an LDAP extension for MW, wiki users can also be authenticated by an LDAP server. It's possible to manage only users or both users and groups on an LDAP server. Additionally, you can use the LDAP server together with the normal authentication mechanism of MW during a migration process.

Basic authentication

The basic authentication mode verifies only users against the LDAP server, not groups. Groups are managed in the wiki itself, not on the LDAP server. To use this mode, add the following lines to your LocalSettings.php:

require_once('extensions/LdapAuthentication.php');
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array(   // (1)
  'Ontoprise'
);
$wgLDAPServerNames = array(   // (2)
  'Ontoprise' => 'localhost'
);
$wgLDAPSearchStrings = array( // (3)
  'Ontoprise' => 'uid=USER-NAME,ou=Users,dc=example,dc=com'
);
$wgLDAPUseLocal = false;      // (4)
$wgLDAPEncryptionType = array( "Ontoprise"=> "tls"); // (5) "ssl" or "tls"
$wgLDAPOptions['no_url'] = true; // (6)
$wgLDAPOptions['port'] = 10389;  // (7)
$wgMinimalPasswordLength = 1;    // (8)

Explanation:

  1. The domain name used to log in (an arbitrary name).
  2. The LDAP server name.
  3. Template for the DN that identifies a user. The placeholder USER-NAME is replaced by the actual user name.
  4. Whether only LDAP is used for authentication (false) or the local user database as well (true). Useful during a migration while not all users are registered on the LDAP server yet.
  5. Server encryption protocol: SSL or TLS.
  6. Do not put the protocol prefix 'ldap://' before the server name. Some servers do not accept it (e.g. Apache Directory).
  7. Server port of the LDAP service.
  8. Minimal password length. This limit applies to passwords stored in the wiki's own database, so it matters when the local database is still used (see 4).

Advanced LDAP authentication

The advanced authentication mode also manages groups on the LDAP server. It needs some additional settings:

  • Required groups: fully qualified DNs of the groups a user must belong to, e.g.
    $wgLDAPRequiredGroups['Ontoprise'] = array("cn=sysop,ou=groups,dc=example,dc=com","cn=gardener,ou=groups,dc=example,dc=com");
  • Group base DN: the base DN under which groups are searched
    $wgLDAPGroupBaseDNs['Ontoprise'] = "ou=groups,dc=example,dc=com";
  • Group object: objectclass of the group entries (the entries that carry $wgLDAPGroupAttribute)
    $wgLDAPGroupObjectclass['Ontoprise'] = "groupOfUniqueNames";
  • Group attribute: the attribute that links a group to its members (users)
    $wgLDAPGroupAttribute['Ontoprise'] = "uniquemember";
  • Group attribute value: template for the value of $wgLDAPGroupAttribute that identifies a member (USER-NAME is replaced by the actual user name)
    $wgLDAPGroupAttributeValue['Ontoprise'] = "uid=USER-NAME,ou=users";
  • Group name attribute: the attribute holding the group's name
    $wgLDAPGroupNameAttribute['Ontoprise'] = "cn";
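To see how the basic and advanced settings above combine into a login decision, here is an offline model of that decision. It is an added illustration, not code from the LDAP extension or from SMW+: the directory is a constructed in-memory dictionary standing in for the server, the user names, passwords and group memberships in it are made up, and the rule that a user must belong to at least one of the required groups is an assumption about how the required-groups list is applied. The group attribute value uses the same full DN as the search string, on the assumption that the server stores complete member DNs in uniquemember. The last function builds an ldapsearch command so the same lookup can be checked against a real server before the settings are enabled in the wiki.

```python
"""Offline model of the LDAP login decision configured on this page.

Added illustration, not the extension's code: DIRECTORY is a constructed
stand-in for the LDAP server and CONFIG mirrors the LocalSettings.php values.
"""
import re

# Constructed counterparts of the LocalSettings.php settings on this page.
CONFIG = {
    "search_string": "uid=USER-NAME,ou=Users,dc=example,dc=com",
    "group_base_dn": "ou=groups,dc=example,dc=com",
    "group_objectclass": "groupOfUniqueNames",
    "group_attribute": "uniquemember",
    # Assumption: the server stores full member DNs, so the template
    # must produce exactly the DN the search string produces.
    "group_attribute_value": "uid=USER-NAME,ou=Users,dc=example,dc=com",
    "group_name_attribute": "cn",
    "required_groups": ["cn=sysop,ou=groups,dc=example,dc=com",
                        "cn=gardener,ou=groups,dc=example,dc=com"],
    "server": "localhost",
    "port": 10389,
}

# Constructed directory: DN -> attributes, every attribute a list of values.
DIRECTORY = {
    "uid=alice,ou=Users,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson"], "userpassword": ["alice-pw"]},
    "uid=bob,ou=Users,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson"], "userpassword": ["bob-pw"]},
    "uid=carol,ou=Users,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson"], "userpassword": ["carol-pw"]},
    "cn=sysop,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupOfUniqueNames"], "cn": ["sysop"],
        "uniquemember": ["uid=alice,ou=Users,dc=example,dc=com"]},
    "cn=gardener,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupOfUniqueNames"], "cn": ["gardener"],
        "uniquemember": ["uid=alice,ou=Users,dc=example,dc=com",
                         "uid=bob,ou=Users,dc=example,dc=com"]},
    "cn=editors,ou=groups,dc=example,dc=com": {   # not a required group
        "objectclass": ["groupOfUniqueNames"], "cn": ["editors"],
        "uniquemember": ["uid=carol,ou=Users,dc=example,dc=com"]},
}

USERNAME_RE = re.compile(r"[A-Za-z0-9._-]+")


def normalize_dn(dn):
    """Case-insensitive DN comparison ignoring space around commas
    (a simplification of the real DN matching rules)."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def user_dn(username):
    """Substitute USER-NAME into the search string; reject names that
    could change the DN structure (the model's own precaution)."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username must be a plain identifier")
    return CONFIG["search_string"].replace("USER-NAME", username)


def bind(username, password):
    """Basic mode: the templated DN must exist with that password."""
    try:
        entry = DIRECTORY.get(user_dn(username))
    except ValueError:
        return False
    return entry is not None and password in entry.get("userpassword", [])


def groups_of(username):
    """Advanced mode: groups under the base DN, of the configured
    objectclass, whose member attribute lists the templated value.
    Returns {normalized group DN: group name}."""
    wanted = normalize_dn(CONFIG["group_attribute_value"].replace("USER-NAME", username))
    base = normalize_dn(CONFIG["group_base_dn"])
    found = {}
    for dn, attrs in DIRECTORY.items():
        ndn = normalize_dn(dn)
        if not ndn.endswith("," + base):
            continue
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if CONFIG["group_objectclass"].lower() not in classes:
            continue
        members = [normalize_dn(m) for m in attrs.get(CONFIG["group_attribute"], [])]
        if wanted in members:
            found[ndn] = attrs[CONFIG["group_name_attribute"]][0]
    return found


def login_allowed(username, password):
    """Bind must succeed and the user must be in at least one required
    group (assumption about how the required-groups list is applied)."""
    if not bind(username, password):
        return False
    required = {normalize_dn(g) for g in CONFIG["required_groups"]}
    return bool(required & set(groups_of(username)))


def ldapsearch_check(username):
    """ldapsearch command that performs the same bind and group lookup
    against a real server (-W prompts for the password)."""
    dn = user_dn(username)
    filt = "(&(objectClass=%s)(%s=%s))" % (
        CONFIG["group_objectclass"], CONFIG["group_attribute"],
        CONFIG["group_attribute_value"].replace("USER-NAME", username))
    return 'ldapsearch -x -H ldap://%s:%d -D "%s" -W -b "%s" "%s" %s' % (
        CONFIG["server"], CONFIG["port"], dn, CONFIG["group_base_dn"], filt,
        CONFIG["group_name_attribute"])


if __name__ == "__main__":
    for user, pw in (("alice", "alice-pw"), ("bob", "bob-pw"), ("carol", "carol-pw")):
        print(user, sorted(groups_of(user).values()), login_allowed(user, pw))
    print(ldapsearch_check("alice"))
```

Running the model shows the effect of each setting: alice and bob log in because they are in at least one required group, while carol binds successfully but is refused because her only group is not in $wgLDAPRequiredGroups. If a group lookup returns nothing on the real server although the user is a member, the usual cause is that the group attribute value template does not produce the exact DN stored in the group's member attribute.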