MediaWiki, LDAP Authentication and AD groups


MediaWiki, LDAP Authentication and AD groups

Ron Hall
Howdy!

I have Media Wiki 1.6.8 set up with authentication to LDAP - this is
behaving as advertised. I would now like to set it up so that only members
of a specific group have access to editing the pages, though anyone can
view them.

I can send the config file or relevant bits if you think it will help -
or do I need to do something different?

r
_______________________________________________
MediaWiki-l mailing list
[hidden email]
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

Re: MediaWiki, LDAP Authentication and AD groups

MHart
You need to query the directory for the "group" information, then add that
group to the user's list of groups (can be any string)

To add to the group, either use: $wgUser->addGroup($groupname);  or you can
use direct SQL:

INSERT INTO user_groups (ug_user, ug_group)
SELECT user_id, 'groupname' FROM user WHERE user_name = 'MHart';

Then use the $wgGroupPermissions['groupname']['edit'] = true; or whatever in
LocalSettings.php

- MHart


Re: MediaWiki, LDAP Authentication and AD groups

Ron Hall
MHart wrote:

>
> You need to query the directory for the "group" information, then add that
> group to the user's list of groups (can be any string)
>
> To add to the group, either use: $wgUser->addGroup($groupname);  or
> you can
> use direct SQL:
>
> INSERT INTO user_groups (ug_user, ug_group)
> SELECT user_id, 'groupname' FROM user WHERE user_name = 'MHart';
>
> Then use the $wgGroupPermissions['groupname']['edit'] = true; or
> whatever in
> LocalSettings.php
>
OK - but how does this work vis-a-vis AD authentication and groups?

If I include the following in the LocalSettings file it does not work:
$wgLDAPRequiredGroups = array( "McGill"=>array("cn=043-NCS ES LMS Wiki Editors,ou=Admin_Unit Groups,ou=Network & Communications Services,OU=University Administration,dc=campus,dc=mcgill,dc=ca") );
$wgLDAPGroupUseFullDN = array( "McGill"=>true );
$wgLDAPGroupObjectclass = array( "McGill"=>"group" );
$wgLDAPGroupAttribute = array( "McGill"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "McGill"=>false );
$wgLDAPBaseDNs = array( "McGill"=>"dc=campus,dc=mcgill,dc=ca" );

Removing it I have authentication working fine, but no groups....

r

Re: MediaWiki, LDAP Authentication and AD groups

Gunter-2
Hi Ron,

For edit restrictions you need to make your own group within your wiki.

In LocalSettings.php you need to have

$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['user']['edit'] = false;
$wgGroupPermissions['AnyGroupName']['edit'] = true;

You now need to manually assign AnyGroupName to the users who are
allowed to edit.

---------

If you check the group in your LDAP already (look into the documentation
of the ldap extension), then only users of the group of your LDAP can
log in in the first place. So you do not need another group in your wiki.

$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['user']['edit'] = true;


regards
Gunter

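Putting MHart's addGroup suggestion and Gunter's permission block together, here is an added LocalSettings.php example that is not from either poster nor from the LDAP extension: a hook that, after each login, binds with a read-only service account, reads the user's AD memberOf attribute and adds or removes the wiki group 'adeditors' accordingly. The hook name UserLoginComplete, the wiki user name equalling the AD sAMAccountName, ldap_escape (PHP 5.6 or later) and every host, DN and password value are assumptions or placeholders.

```php
<?php
# Only the synced group may edit; everyone (including '*') may still read.
$wgGroupPermissions['*']['edit']         = false;
$wgGroupPermissions['user']['edit']      = false;
$wgGroupPermissions['adeditors']['edit'] = true;

$wgAdHost      = 'ldaps://ad.example.org:636';                        # placeholder
$wgAdBindDn    = 'cn=wiki-svc,ou=Service Accounts,dc=example,dc=org'; # read-only service account
$wgAdBindPass  = 'CHANGE-ME';                                         # placeholder
$wgAdBaseDn    = 'dc=example,dc=org';
$wgAdEditorsDn = 'cn=Wiki Editors,ou=Groups,dc=example,dc=org';       # placeholder AD group

# AD DNs compare case-insensitively and may differ in spacing around commas.
function adNormalizeDn( $dn ) {
    return strtolower( preg_replace( '/\s*,\s*/', ',', trim( $dn ) ) );
}

# Bind as the service account, look the user up by sAMAccountName, test memberOf.
function adUserInGroup( $userName, $groupDn ) {
    global $wgAdHost, $wgAdBindDn, $wgAdBindPass, $wgAdBaseDn;
    $conn = ldap_connect( $wgAdHost );
    if ( !$conn ) return false;
    ldap_set_option( $conn, LDAP_OPT_PROTOCOL_VERSION, 3 );
    ldap_set_option( $conn, LDAP_OPT_REFERRALS, 0 ); # AD referrals otherwise break the search
    if ( !@ldap_bind( $conn, $wgAdBindDn, $wgAdBindPass ) ) return false;
    # Escape the name so it cannot change the meaning of the filter (PHP >= 5.6).
    $filter = '(sAMAccountName=' . ldap_escape( $userName, '', LDAP_ESCAPE_FILTER ) . ')';
    $res = ldap_search( $conn, $wgAdBaseDn, $filter, array( 'memberOf' ) );
    $entries = $res ? ldap_get_entries( $conn, $res ) : false;
    ldap_unbind( $conn );
    if ( !$entries || $entries['count'] < 1 || !isset( $entries[0]['memberof'] ) ) return false;
    $want = adNormalizeDn( $groupDn );
    for ( $i = 0; $i < $entries[0]['memberof']['count']; $i++ ) {
        if ( adNormalizeDn( $entries[0]['memberof'][$i] ) === $want ) return true;
    }
    return false; # not in the group (or lookup failed): deny, never grant by default
}

# After each successful login add or remove the wiki group, so a user dropped
# from the AD group loses edit rights at the next login.
$wgHooks['UserLoginComplete'][] = 'adSyncEditorGroup';
function adSyncEditorGroup( &$user ) {
    global $wgAdEditorsDn;
    $inGroup  = adUserInGroup( $user->getName(), $wgAdEditorsDn );
    $hasGroup = in_array( 'adeditors', $user->getGroups() );
    if ( $inGroup && !$hasGroup ) $user->addGroup( 'adeditors' );
    if ( !$inGroup && $hasGroup ) $user->removeGroup( 'adeditors' );
    return true;
}
```

memberOf does not list the user's primary group or groups reached only through nesting, which is the same limitation Ron's $wgLDAPGroupSearchNestedGroups = false setting accepts; a nested check has to walk the group's member attribute recursively instead.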

Re: MediaWiki, LDAP Authentication and AD groups

MHart
>    OK - but how does this work vis-a-vis AD authentication and groups?

Good question - I only know how to do that via my own auth scripts. I use
MediaWiki's LDAP integration for sign in and registration, but I use my own
LDAP scripts to retrieve other information.

Here's a script that will retrieve information about a user. In my scripts,
I don't need to authorize to retrieve public information - all I need is the
application ID given me by the directory services. This script includes
authentication at the end.

<?php
# Matt Hart - PHP-based authentication against the directory
# Tested on Fedora Core 4 with Apache 2.0.54, PHP 4.3.11, OpenLDAP
# OpenSSL, php-ldap

echo "<br>Attempting Secure LDAP Connection<br>";

$mh_ldaphost = "ldaps://yourdirectoryhost.com:636";
$mh_ldapconn = ldap_connect($mh_ldaphost) or die ("Failed");
# Most current directories (Active Directory included) require LDAPv3
ldap_set_option($mh_ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
echo "<br>Succeeded ... Testing app binding<br>";

# Bind using app credentials (no password: an unauthenticated bind, which the
# directory treats as anonymous read access to public attributes)
$mh_appid = "XXXXXXX"; // ****** Use your application id
$mh_dn = "uid=" . $mh_appid . ",ou=theApps,o=dirIntuit.com";
$mh_bind = ldap_bind($mh_ldapconn, $mh_dn) or die("Failed");
echo "<br>Succeeded ... Get user corp ID<br>";

# Get the user's corporate ID
$mh_base = "ou=employees,ou=people,o=dirIntuit.com";
$mh_userid = "XXXXXXXX"; // ****** User ID to find
# Escape the value before placing it in the filter so that a user ID
# containing ( ) * \ cannot alter the query (ldap_escape needs PHP >= 5.6;
# on older PHP escape those characters by hand before building the filter)
$mh_filter = "(uid=" . ldap_escape($mh_userid, "", LDAP_ESCAPE_FILTER) . ")";
$mh_result = ldap_search($mh_ldapconn, $mh_base, $mh_filter) or die("Failed");
$mh_entries = ldap_get_entries($mh_ldapconn, $mh_result);
if ($mh_entries["count"] < 1) die("Failed: no such user");
echo "<br>Succeeded: ";
$mh_corpid = $mh_entries[0]["intuitid"][0];
echo "CorpID=" . $mh_corpid;

# Authenticate the user by binding as the user's own entry with the supplied
# password; a rejected bind means the password was wrong
echo "<br><br>Authenticating...<br>";

$mh_authdn = "intuitcorpid=" . $mh_corpid .
",ou=employees,ou=people,o=intuit.com";
$mh_authpass = "XXXXXXXX"; // ****** User password
# An empty password would turn ldap_bind into an anonymous bind that "succeeds"
if ($mh_authpass === "") die("Failed: empty password");
$mh_authbind = ldap_bind($mh_ldapconn, $mh_authdn, $mh_authpass) or
die("Failed");
die("Success");


- MHart
