Extension:LDAPAuthorization/ru

This extension is part of the LDAP Stack and requires the LDAPProvider extension to be installed first.
This extension depends on the PluggableAuth extension, which must be installed beforehand.

This extension checks for certain authorization requirements when logging into a wiki by using Extension:PluggableAuth or Extension:Auth remoteuser. If one of the requirements is not satisfied, the login process will be cancelled.

MediaWiki extensions manual
LDAPAuthorization
Release status: stable
Author(s) Cindy Cicalese, Mark A. Hershberger, Robert Vogel
Latest version 1.0.0
Compatibility policy Snapshots are released along with MediaWiki. Master is not backward compatible.
MediaWiki 1.31+
License GNU General Public License 2.0 or later
Download
  • $wgAutoAuthUsernameNormalizer
  • $wgAutoAuthRemoteUserStringParserRegistry
  • $wgAutoAuthRemoteUserStringParser
  • $wgAutoAuthBypassWithCookieUsernameRemoteAddrs
Translate the LDAPAuthorization extension if it is available at translatewiki.net

Installation

  • Install the LDAPProvider and PluggableAuth extensions.
  • Download and place the file(s) in a directory called LDAPAuthorization in your extensions/ folder.
    Developers and code contributors should install the extension from Git instead, using:
    cd extensions/
    git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/LDAPAuthorization
    
  • Add the following code at the bottom of your LocalSettings.php file:
    wfLoadExtension( 'LDAPAuthorization' );
    
    Configure as required.
  • Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.

Extension configuration parameters

When using them in LocalSettings.php, these variables need to be prefixed with $LDAPAuthorization.
Name Default Description
AutoAuthRemoteUserStringParserRegistry
{
 "domain-backslash-username": "MediaWiki\\Extension\\LDAPAuthorization\\AutoAuth\\RemoteUserStringParser\\DomainBackslashUsername::factory",
 "username-at-domain": "MediaWiki\\Extension\\LDAPAuthorization\\AutoAuth\\RemoteUserStringParser\\UsernameAtDomain::factory"
}
A registry of factory callbacks for different parsers that extract domain and username from a provided domain-username.

Each callback must return an IRemoteUserStringParser object.

Only used in case of auto-authentication provided by Extension:Auth remoteuser.

AutoAuthRemoteUserStringParser "domain-backslash-username" Configures which parser is needed to extract domain and username from a provided domain-username. Allowed values:
  • "domain-backslash-username" (Use this if $_SERVER['REMOTE_USER'] = "SOMEDOMAIN\\Some username")
  • "username-at-domain" (Use this if $_SERVER['REMOTE_USER'] = "some.username@somedomain.local")

Only used in case of auto-authentication provided by Auth remoteuser.

AutoAuthUsernameNormalizer "" A callback that allows modifying the username when Extension:Auth_remoteuser is used for network-based authentication. E.g. "strtolower".

If form-based authentication is also enabled through Extension:LDAPAuthentication2, this should have the same value as $LDAPAuthentication2UsernameNormalizer. Only used in case of auto-authentication provided by Extension:Auth remoteuser.
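
The two REMOTE_USER shapes and the normalizer described above, as an added PHP example that is not the extension's own code: splitRemoteUser() and normalizedUsername() are hypothetical names, and splitting on the first backslash and on the last "@" is an assumption. It shows that a value that does not fit the configured parser yields no username, and that the same account resolves to a different string when the normalizer differs between the two login paths.

```php
<?php
// Added illustration, not the extension's code; function names are hypothetical.

/** Returns [ domain, username ], or null if the value does not fit the parser. */
function splitRemoteUser( $remoteUser, $parserKey ) {
	if ( $parserKey === 'domain-backslash-username' ) {
		$pos = strpos( $remoteUser, '\\' );
		if ( $pos === false ) {
			return null;
		}
		$domain = substr( $remoteUser, 0, $pos );
		$username = substr( $remoteUser, $pos + 1 );
	} elseif ( $parserKey === 'username-at-domain' ) {
		// Assumption: split on the last "@" so the domain is the final component.
		$pos = strrpos( $remoteUser, '@' );
		if ( $pos === false ) {
			return null;
		}
		$username = substr( $remoteUser, 0, $pos );
		$domain = substr( $remoteUser, $pos + 1 );
	} else {
		throw new InvalidArgumentException( "Unknown parser key: $parserKey" );
	}
	// Fail closed on an empty half instead of guessing a domain or user.
	if ( $domain === '' || $username === '' ) {
		return null;
	}
	return [ $domain, $username ];
}

/** Applies the normalizer callback (e.g. "strtolower"); "" means unchanged. */
function normalizedUsername( $remoteUser, $parserKey, $normalizer = '' ) {
	$parsed = splitRemoteUser( $remoteUser, $parserKey );
	if ( $parsed === null ) {
		return null;
	}
	return $normalizer === '' ? $parsed[1] : call_user_func( $normalizer, $parsed[1] );
}

// Constructed inputs, modelled on the two REMOTE_USER shapes listed above.
$samples = [
	[ "SOMEDOMAIN\\Some username", 'domain-backslash-username' ],
	[ 'some.username@somedomain.local', 'username-at-domain' ],
	[ 'some.username@somedomain.local', 'domain-backslash-username' ], // wrong parser
];
foreach ( $samples as list( $value, $key ) ) {
	var_dump( normalizedUsername( $value, $key ), normalizedUsername( $value, $key, 'strtolower' ) );
}
```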

Domain configuration parameters

Name Default Description
rules.groups.required [] Array of group DNs that are required to complete the login process. Belonging to one group is sufficient (logical OR) to be authorized.
rules.groups.excluded [] Array of group DNs that the user must not be a member of to complete the login process. Belonging to one group is sufficient (logical OR) to be forbidden to log in.
rules.attributes {} This implements the "attributes mapping" rule from Extension:LDAP Authentication

Example:

{
    "&" : {
    	"status": "active",
    	"|": {
    		"department": [ "100", "200" ],
    		"level": [ "5", "6" ]
    	}
    }
}
rules.query "" Allows providing a standard LDAP query to be tested against the user. Comparable to $wgLDAPAuthAttribute from Extension:LDAP Authentication.

Example:

&(active=TRUE)(permissionAlias=cn=X,ou=Y,ou=accounts,dc=company,dc=local)
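
How the domain rules combine, as an added PHP model that is not the extension's own code: attributesMatch() and isAuthorized() are hypothetical names, case-insensitive DN comparison and "a list means any of its values" are assumptions, and rules.query is left out because it needs a live directory. The three calls cover a user in the required group, one who is also in an excluded group, and one whose status attribute does not match.

```php
<?php
// Added model of the rule semantics, not LDAPAuthorization's code; names are hypothetical.

/** "&" = every child must match, "|" = at least one child must match. */
function attributesMatch( array $rule, array $userAttrs, $op = '&' ) {
	if ( $rule === [] ) {
		return true; // default {}: no attribute requirement
	}
	$results = [];
	foreach ( $rule as $key => $value ) {
		if ( $key === '&' || $key === '|' ) {
			$results[] = attributesMatch( $value, $userAttrs, $key );
		} else {
			// Assumption: a list means "any of these values".
			$have = (array)( $userAttrs[$key] ?? [] );
			$results[] = array_intersect( (array)$value, $have ) !== [];
		}
	}
	return $op === '&' ? !in_array( false, $results, true ) : in_array( true, $results, true );
}

function isAuthorized( array $rules, array $groupDns, array $attrs ) {
	// Assumption: DNs are compared case-insensitively.
	$groups = array_map( 'strtolower', $groupDns );
	$required = array_map( 'strtolower', $rules['groups']['required'] ?? [] );
	$excluded = array_map( 'strtolower', $rules['groups']['excluded'] ?? [] );
	if ( $required !== [] && array_intersect( $required, $groups ) === [] ) {
		return false; // in none of the required groups
	}
	if ( array_intersect( $excluded, $groups ) !== [] ) {
		return false; // in at least one excluded group
	}
	return attributesMatch( $rules['attributes'] ?? [], $attrs );
}

// Constructed sample data; the attributes rule is the one shown above.
$dev = 'cn=Developers,cn=Users,dc=example,dc=com';
$ext = 'cn=Contractors,cn=Users,dc=example,dc=com';
$rules = [
	'groups' => [ 'required' => [ $dev ], 'excluded' => [ $ext ] ],
	'attributes' => [ '&' => [
		'status' => 'active',
		'|' => [ 'department' => [ '100', '200' ], 'level' => [ '5', '6' ] ],
	] ],
];
$active = [ 'status' => 'active', 'level' => '5' ];
var_dump( isAuthorized( $rules, [ strtoupper( $dev ) ], $active ) ); // required group only
var_dump( isAuthorized( $rules, [ $dev, $ext ], $active ) ); // also in the excluded group
var_dump( isAuthorized( $rules, [ $dev ], [ 'status' => 'inactive', 'level' => '5' ] ) ); // status differs
```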

Example 1

If you want to configure this in LocalSettings.php you can extend the configuration for LDAPProvider like in this example:

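$LDAPProviderDomainConfigProvider = function() {
	$config = [
		// Top-level key: the domain this configuration applies to
		'LDAP' => [
			'connection' => [
				// ... (connection settings, see Example 2)
			],
			'authorization' => [
				'rules' => [
					'groups' => [
						'required' => [ "groupname" ]
					]
				]
			]
		]
	];
	// ...
	return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};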

Example 2

Here is a complete example LocalSettings.php configuration for Active Directory:

$LDAPProviderDomainConfigProvider = function()
{
	$config =
	[
		"example.com" =>
		[
			"connection" =>
			[
				"server" => "ldap.example.com",
				"user" => "cn=ldap,cn=Users,dc=example,dc=com",
				"pass" => "password",
				"basedn" => "dc=example,dc=com",
				"groupbasedn" => "dc=example,dc=com",
				"userbasedn" => "dc=example,dc=com",
				"searchattribute" => "samaccountname",
				"searchstring" => "USER-NAME@example.com",
				"usernameattribute" => "samaccountname",
				"realnameattribute" => "cn",
				"emailattribute" => "mail",
				"grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
			],
			"authorization" =>
			[
				"rules" =>
				[
					"groups" =>
					[
						"required" => [ "cn=Developers,cn=Users,dc=example,dc=com" ]
					]
				]
			],
			"groupsync" =>
			[
				"mechanism" => "mappedgroups",
				"mapping" =>
				[
					"sysop" => "cn=Developers,cn=Users,dc=example,dc=com",
					"bureaucrat" => "cn=Developers,cn=Users,dc=example,dc=com"
				]
			],
			"userinfo" =>
			[
				"email" => "mail",
				"realname" => "cn",
				"properties.gender" => "gender"
			]
		]
	];

	return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

Versioning

LDAP Stack Extensions are targeted/qualified for MediaWiki LTS releases only.
However, this table helps to determine which extension-releases to use across all recent versions.

MediaWiki Release Recommended Extension Version Test Status Latest Test Date
1.35 (LTS) LDAPxxx_master Tested March 2020