Mediawiki LDAP setup problem

I installed Mediawiki on a Fedora machine and am trying to get it to use our AD credentials. It connects to our AD server successfully, and you can log in to mediawiki with those credentials without any problem. Now, however, I am trying to restrict it so that only users from our IT department can log in, and I can't seem to get that set up correctly. The relevant part of my LocalSettings file is:

    require_once("/directo/LdapAuthentication.php");
    $wgAuth = new LdapAuthenticationPlugin();
    $wgLDAPDomainNames = array("MYDOMAIN");
    $wgLDAPServerNames = array("MYDOMAIN" => "DOMAINIP");
    # closing quote was missing on this string in the original
    $wgLDAPSearchStrings = array("MYDOMAIN" => "MYDOMAIN\\USER-NAME");
    $wgLDAPEncryptionType = array("MYDOMAIN" => "ssl");

    # the base DN is a single string per domain, not two array elements
    $wgLDAPBaseDNs = array("MYDOMAIN" => "dc=MYDOMAIN,dc=com");
    $wgLDAPSearchAttributes = array("MYDOMAIN" => "sAMAccountName");
    $wgLDAPRetrievePrefs = array("MYDOMAIN" => true);
    $wgLDAPPreferences = array("MYDOMAIN" => array('email' => 'mail', 'realname' => 'displayname'));
    $wgLDAPDebug = 3;
    $wgLDAPExceptionDetails = true;

    $wgLDAPRequiredGroups = array("MYDOMAIN" => array("OU=Users,OU=IT,OU=Admin,DC=MYDOMAIN,DC=com"));

If I remove the last line about the required groups, I can log in without problems. Our folder structure in AD is, from top to bottom, MYDOMAIN -> Admin -> IT -> Users -> John Doe. But as I said, if I enable that last line, nobody can log in to our mediawiki at all.

Answer 1

As mentioned in the comments, the wiki may only be accessible (read/write) to a single group.

The way we solved this was by first combining it with apache basic authentication. So in the wiki's vhost you set up a Directory directive:

    <Directory /srv/apacheprod/html/mediawiki>
        AllowOverride All
        AuthBasicProvider ldap
        AuthType Basic
        AuthzLDAPAuthoritative off
        AuthName "Wiki Operations"

        AuthLDAPUrl "ldap://domain.local:3268/DC=DOMAIN,DC=LOCAL?sAMAccountName?sub?(objectClass=*)" NONE

        # bind as wiki user
        AuthLDAPBindDN "cn=wiki,ou=service_accounts,dc=domain,dc=local"
        AuthLDAPBindPassword pwd

        # members of these groups may log in
        # do not use inverted commas in the group distinguished name or it won't work!
        require ldap-group CN=ICT - Operations,OU=Security Groepen,DC=domain,DC=local
        require ldap-group CN=ICT - devs,ou=security groepen,DC=domain,DC=local
    </Directory>

This protects the wiki from users who are not members of those groups, but we also wanted users to already have a mediawiki account once they are logged in. That is done with mediawiki's LDAP authentication extension.

So download the extension and modify your LocalSettings.php. Ours looks like this:

    ##### LdapAuth plugin #####

    ## load the library
    require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
    require_once( "$IP/extensions/LdapAuthentication/LdapAutoAuthentication.php" );

    ## create an object
    $wgAuth = new LdapAuthenticationPlugin();

    # we are using AD, so define it here
    $wgLDAPDomainNames = array(
        "AD",
    );

    # ldap servers for AD
    $wgLDAPServerNames = array(
        "AD" => "dc01.domain.local dc02.domain.local dc03.domain.local"
    );

    $wgLDAPEncryptionType = array(
        "AD" => "clear"
    );

    $wgLDAPProxyAgent = array(
        "AD" => "CN=mediawiki,OU=Service_accounts,DC=domain,DC=local"
    );

    $wgLDAPProxyAgentPassword = array(
        "AD" => "pwd"
    );

    $wgLDAPBaseDNs = array(
        "AD" => "dc=domain,dc=local"
    );

    $wgLDAPSearchAttributes = array(
        "AD" => "sAMAccountName",
    );

    // Option for allowing the retrieval of user preferences from LDAP.
    // Only pulls a small amount of info currently.
    // Default: false
    // DEPRECATED in 1.2a
    $wgLDAPRetrievePrefs = array(
        "AD" => false
    );

    // Option for pulling specific preferences. Available options
    // are "email", "realname", "nickname", "language"
    // Ensure all attribute names given are in lower case.
    // Default: none; disabled
    // Available in 1.2a
    $wgLDAPPreferences = array(
        "AD" => array( "email" => "mail", "realname" => "displayname", "nickname" => "cn", "language" => "preferredlanguage" )
    );

    # take the username apache authenticated, stripping any @domain suffix
    $wgLDAPAutoAuthUsername = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"] );

    $wgLDAPAutoAuthDomain = "AD";

    # debugging this extension, uncomment if needed
    #$wgLDAPDebug = 1;
    #$wgDebugLogGroups['ldap'] = '/srv/apacheprod/html/mediawiki/tmp/ldap_debug.log';

    AutoAuthSetup();

With these settings we achieve exactly what you are trying to do.
