I installed MediaWiki on a Fedora machine and am trying to have it use our AD credentials. It connects to our AD server successfully and you can log in to MediaWiki with those credentials without any problem. Now I am trying to restrict it so that only users from our IT department can log in, but I can't seem to get it set up correctly. The relevant part of my LocalSettings file is:
require_once("/directo/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array("MYDOMAIN");
$wgLDAPServerNames = array("MYDOMAIN" => "DOMAINIP");
$wgLDAPSearchStrings = array("MYDOMAIN" => "MYDOMAIN\\USER-NAME");
$wgLDAPEncryptionType = array("MYDOMAIN" => "ssl");
// the base DN is a single string; written as array("MYDOMAIN" => "dc=MYDOMAIN","dc=com")
// the domain's base DN would be "dc=MYDOMAIN" only, and the group search would run in the wrong place
$wgLDAPBaseDNs = array("MYDOMAIN" => "dc=MYDOMAIN,dc=com");
$wgLDAPSearchAttributes = array("MYDOMAIN" => "sAMAccountName");
$wgLDAPRetrievePrefs = array("MYDOMAIN" => true);
$wgLDAPPreferences = array("MYDOMAIN" => array('email' => 'mail', 'realname' => 'displayname'));
$wgLDAPDebug = 3;
$wgLDAPExceptionDetails = true;
$wgLDAPRequiredGroups = array("MYDOMAIN" => array("OU=Users,OU=IT,OU=Admin,DC=MYDOMAIN,DC=com"));
If I remove the last line, the one about required groups, I can log in normally. Our folder structure in AD, from top to bottom, is MYDOMAIN -> Admin -> IT -> Users -> John Doe. But as I said, as soon as that last line is in place, nobody can log in to our MediaWiki.
Answer 1
As stated in the comments, the wiki should only be accessible (read/write) to a single group.
The way we solved this was to first use a combination with Apache basic authentication. So in the wiki's vhost you set up a Directory directive:
<Directory /srv/apacheprod/html/mediawiki>
    AllowOverride All
    AuthBasicProvider ldap
    AuthType Basic
    # Apache 2.2 directive (removed in 2.4): if the LDAP module cannot authorize, pass on to other authz modules
    AuthzLDAPAuthoritative off
    AuthName "Wiki Operations"
    # queries the global catalog (port 3268); ldap:// plus the trailing NONE means no TLS,
    # so the bind credentials cross the network in clear text
    AuthLDAPUrl "ldap://domain.local:3268/DC=DOMAIN,DC=LOCAL?sAMAccountName?sub?(objectClass=*)" NONE
    # bind as wiki user
    AuthLDAPBindDN "cn=wiki,ou=service_accounts,dc=domain,dc=local"
    AuthLDAPBindPassword pwd
    # members of these groups may log in (with several require lines, membership in any one of them is enough)
    # do not use inverted commas in the group distinguished name or it won't work!
    require ldap-group CN=ICT - Operations,OU=Security Groepen,DC=domain,DC=local
    require ldap-group CN=ICT - devs,ou=security groepen,DC=domain,DC=local
</Directory>
This protects the wiki from users who are not in those groups, but we wanted users to already have a MediaWiki account once they log in. That is done with MediaWiki's LDAP authentication extension.
So download the extension and modify your LocalSettings.php. Ours looks like this:
##### LdapAuth plugin #####
## load the library
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
require_once( "$IP/extensions/LdapAuthentication/LdapAutoAuthentication.php" );
## create an object
$wgAuth = new LdapAuthenticationPlugin();
# we are using AD, so define it here
$wgLDAPDomainNames = array(
    "AD",
);
# ldap servers for AD (space-separated list, tried in order)
$wgLDAPServerNames = array(
    "AD" => "dc01.domain.local dc02.domain.local dc03.domain.local"
);
# "clear" means no TLS: the proxy-agent bind password below crosses the network unencrypted
$wgLDAPEncryptionType = array(
    "AD" => "clear"
);
# service account the extension binds as to look up users and their attributes
$wgLDAPProxyAgent = array(
    "AD" => "CN=mediawiki,OU=Service_accounts,DC=domain,DC=local"
);
$wgLDAPProxyAgentPassword = array(
    "AD" => "pwd"
);
$wgLDAPBaseDNs = array(
    "AD" => "dc=domain,dc=local"
);
$wgLDAPSearchAttributes = array(
    "AD" => "sAMAccountName",
);
// Option for allowing the retrieval of user preferences from LDAP.
// Only pulls a small amount of info currently.
// Default: false
// DEPRECATED in 1.2a
$wgLDAPRetrievePrefs = array(
    "AD" => false
);
// Option for pulling specific preferences. Available options
// are "email", "realname", "nickname", "language"
// Ensure all attribute names given are in lower case.
// Default: none; disabled
// Available in 1.2a
$wgLDAPPreferences = array(
    "AD" => array( "email" => "mail", "realname" => "displayname", "nickname" => "cn", "language" => "preferredlanguage" )
);
# Apache has already authenticated the user and set REMOTE_USER; strip any "@REALM" suffix
# and hand the bare account name to the extension (empty if Apache did not authenticate the request)
$wgLDAPAutoAuthUsername = isset( $_SERVER["REMOTE_USER"] )
    ? preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"] )
    : '';
$wgLDAPAutoAuthDomain = "AD";
# debugging this extension, uncomment if needed
#$wgLDAPDebug = 1;
#$wgDebugLogGroups['ldap'] = '/srv/apacheprod/html/mediawiki/tmp/ldap_debug.log';
AutoAuthSetup();
With these settings we achieved what you are trying to do.
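As an added example (not code from the question, the answer, the MediaWiki extension or Apache), the following Python script models offline the two group checks discussed on this page: the $wgLDAPRequiredGroups check from the question and the Apache require ldap-group check from the answer. It builds a constructed in-memory directory in the poster's OU layout (all names, groups and account names are hypothetical) and shows why listing an OU as a required group locks everybody out: an OU is a container, and both checks look at a user's memberOf attribute or a group's member attribute, neither of which ever contains an OU. It also walks nested groups and normalizes DNs before comparing them, since AD DNs are case-insensitive and are commonly written with a space after each comma.

```python
"""Offline model of the LDAP group checks on this page. Constructed data only:
no LDAP server is contacted, and every DN and account name is hypothetical."""
from typing import Dict, List, Optional, Set


def normalize_dn(dn: str) -> str:
    """Canonical form for DN comparison (case-folded, no space after commas).
    Simplified: escaped commas and multi-valued RDNs are not handled."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


# Constructed directory: DN -> attribute -> values. Mirrors the poster's
# OU layout (MYDOMAIN -> Admin -> IT -> Users -> John Doe) plus two groups.
_RAW: Dict[str, Dict[str, List[str]]] = {
    "CN=John Doe,OU=Users,OU=IT,OU=Admin,DC=MYDOMAIN,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["jdoe"],
        "memberOf": ["CN=IT Helpdesk,OU=Groups,DC=MYDOMAIN,DC=com"]},
    "CN=Jane Roe,OU=Users,OU=Sales,DC=MYDOMAIN,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["jroe"]},
    "CN=IT Helpdesk,OU=Groups,DC=MYDOMAIN,DC=com": {
        "objectClass": ["group"],
        "member": ["CN=John Doe,OU=Users,OU=IT,OU=Admin,DC=MYDOMAIN,DC=com"],
        "memberOf": ["CN=IT Staff,OU=Groups,DC=MYDOMAIN,DC=com"]},
    "CN=IT Staff,OU=Groups,DC=MYDOMAIN,DC=com": {
        "objectClass": ["group"],
        "member": ["CN=IT Helpdesk,OU=Groups,DC=MYDOMAIN,DC=com"]},
    # The DN the poster put in $wgLDAPRequiredGroups: a container, not a group.
    "OU=Users,OU=IT,OU=Admin,DC=MYDOMAIN,DC=com": {
        "objectClass": ["organizationalUnit"]},
}
DIRECTORY = {normalize_dn(dn): attrs for dn, attrs in _RAW.items()}


def lookup(dn: str) -> Dict[str, List[str]]:
    return DIRECTORY.get(normalize_dn(dn), {})


def is_group(dn: str) -> bool:
    return "group" in lookup(dn).get("objectClass", [])


def user_dn_for(sam_account_name: str) -> Optional[str]:
    """The sAMAccountName search ($wgLDAPSearchAttributes): account -> DN."""
    for dn, attrs in DIRECTORY.items():
        names = [n.lower() for n in attrs.get("sAMAccountName", [])]
        if "user" in attrs.get("objectClass", []) and sam_account_name.lower() in names:
            return dn
    return None


def effective_groups(dn: str, max_depth: int = 10) -> Set[str]:
    """Groups an object belongs to, directly or via nested groups, walked
    through memberOf. Depth-bounded so a membership cycle cannot loop."""
    seen: Set[str] = set()
    frontier = [normalize_dn(dn)]
    for _ in range(max_depth):
        nxt: List[str] = []
        for d in frontier:
            for g in lookup(d).get("memberOf", []):
                g = normalize_dn(g)
                if g not in seen:
                    seen.add(g)
                    nxt.append(g)
        if not nxt:
            break
        frontier = nxt
    return seen


def mediawiki_required_groups_allow(sam: str, required: List[str]) -> bool:
    """Model of $wgLDAPRequiredGroups (not the extension's own code): the login
    is accepted only if the user is in at least one of the listed groups."""
    user = user_dn_for(sam)
    if user is None:
        return False
    groups = effective_groups(user)
    return any(normalize_dn(r) in groups for r in required)


def _in_group(user: str, group: str, depth: int, visited: Set[str]) -> bool:
    if group in visited:
        return False
    visited.add(group)
    for m in lookup(group).get("member", []):
        m = normalize_dn(m)
        if m == user:
            return True
        if depth > 0 and is_group(m) and _in_group(user, m, depth - 1, visited):
            return True
    return False


def apache_ldap_group_allows(sam: str, group_dn: str, max_subgroup_depth: int = 0) -> bool:
    """Model of 'require ldap-group': read the group's member attribute and
    compare it with the authenticated user's DN; with a positive depth
    (AuthLDAPMaxSubGroupDepth in Apache) nested groups are expanded as well."""
    user = user_dn_for(sam)
    if user is None or not is_group(group_dn):
        return False
    return _in_group(user, normalize_dn(group_dn), max_subgroup_depth, set())
```

Running mediawiki_required_groups_allow("jdoe", ["OU=Users,OU=IT,OU=Admin,DC=MYDOMAIN,DC=com"]) returns False even though John Doe sits in that OU, while the same call with "CN=IT Staff,OU=Groups,DC=MYDOMAIN,DC=com" returns True through the nested IT Helpdesk group; apache_ldap_group_allows needs a subgroup depth of at least 1 for that nested case and rejects an OU DN outright.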