Mediawiki LDAP

Configuring Mediawiki to work with Foxpass's LDAP server

  • Create an LDAP binder in Foxpass called mediawiki — a dedicated bind account used only by the wiki to search users and groups, so its credentials can be rotated or revoked without touching anything else
  • use this plugin: https://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Configuration_Options
  • First, create a wiki user in the database whose username matches your own LDAP uid, and make it a sysop — this keeps you from locking yourself out of administration once local logins are disabled
  • install the plugin for your OS as per the directions
  • connect to the wiki db and add the ldap_domains table (the CREATE TABLE statement is at the end of this page)
  • update LocalSettings.php with your own settings: the DN and password of your LDAP binder, your base DN, and the required group (if you use one); keep the binder password out of version control
  • restart nginx or apache
  • log in with your Foxpass username and password; once that works, turn the debug logging shown below back off
# LDAP
# Load the LDAP authentication plugin and make it the wiki's authentication backend.
# NOTE(review): this is the legacy AuthPlugin wiring (require_once + $wgAuth). On
# newer MediaWiki (AuthManager, 1.27+) the AuthPlugin interface is deprecated and
# the extension is loaded with wfLoadExtension() instead — confirm against the
# extension page for the MediaWiki version you actually run.
require_once ('extensions/LdapAuthentication/LdapAuthentication.php');
require_once ('includes/AuthPlugin.php');
$wgAuth = new LdapAuthenticationPlugin();

# No fallback to the wiki's local password database: every login goes through LDAP.
$wgLDAPUseLocal = false;
# The plugin creates a wiki account the first time an LDAP user logs in, so
# anonymous visitors ('*') need the account-creation rights.
# NOTE(review): 'createaccount' is broader than auto-creation — it also lets
# anyone use Special:CreateAccount. On MediaWiki 1.27+ 'autocreateaccount' alone
# should be enough (older releases only know 'createaccount'); confirm for your
# version and drop the broader right if it is not needed.
$wgGroupPermissions['*']['autocreateaccount'] = $wgGroupPermissions['*']['createaccount'] = true;

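# One logical LDAP domain; every per-domain setting below is keyed on this name.
$wgLDAPDomainNames = array(
  'ldap_foxpass_com',
);
$wgLDAPServerNames = array(
  'ldap_foxpass_com' => 'ldap.foxpass.com',
);
# LDAPS on 636: bind credentials and directory data never leave the host in clear text.
# NOTE(review): PHP's ldap client takes its certificate checks from the system
# OpenLDAP client config (TLS_CACERT / TLS_REQCERT in ldap.conf); confirm TLS_REQCERT
# is not 'never' or 'allow', otherwise the server certificate is not verified and
# the connection can be intercepted.
$wgLDAPEncryptionType = array(
  'ldap_foxpass_com' => 'ssl',
);
$wgLDAPPort = array(
  'ldap_foxpass_com' => 636,
);
# Bind account the wiki uses to search for users and groups: the 'mediawiki'
# binder created in Foxpass. Replace the placeholder with the real secret, keep
# it out of version control, and make this file readable only by the web-server
# user (it now holds a directory credential).
$wgLDAPProxyAgent = array(
  'ldap_foxpass_com' => 'cn=mediawiki,dc=example,dc=com',
);
$wgLDAPProxyAgentPassword = array(
  'ldap_foxpass_com' => 'xxxxxxxxxx',
);
# Users are looked up by their uid attribute under the base DN.
$wgLDAPSearchAttributes = array(
  'ldap_foxpass_com' => 'uid',
);
$wgLDAPBaseDNs = array(
  'ldap_foxpass_com' => 'dc=example,dc=com',
);
# Copy the LDAP 'mail' attribute into the wiki account's e-mail address.
$wgLDAPPreferences = array(
  'ldap_foxpass_com' => array( 'email' => 'mail' ),
);

# Group-based restriction: only members of the group listed in
# $wgLDAPRequiredGroups may log in. Membership is resolved by searching posixGroup
# entries whose 'member' attribute holds the user's full DN; memberOf lookups and
# nested-group expansion are both off.
# NOTE(review): a stock posixGroup lists members in 'memberUid' (bare uid), not in
# 'member' (full DN). Confirm Foxpass exposes 'member' with full DNs on its group
# entries; if it does not, the required-group check denies every login.
$wgLDAPGroupUseFullDN = array( 'ldap_foxpass_com' => true );
$wgLDAPGroupObjectclass = array( 'ldap_foxpass_com' => 'posixGroup' );
$wgLDAPGroupAttribute = array( 'ldap_foxpass_com' => 'member' );
$wgLDAPGroupSearchNestedGroups = array( 'ldap_foxpass_com' => false );
$wgLDAPGroupNameAttribute = array( 'ldap_foxpass_com' => 'cn' );
$wgLDAPGroupsUseMemberOf = array( 'ldap_foxpass_com' => false );
### Users must be in a group called 'ldapwiki' for login to be successful
$wgLDAPRequiredGroups = array(
  'ldap_foxpass_com' => array( 'cn=ldapwiki,ou=groups,dc=example,dc=com' ),
);

# Fold usernames to lower case so 'Alice' and 'alice' map to one wiki account.
$wgLDAPLowerCaseUsername = array(
  'ldap_foxpass_com' => true,
);
# Let the plugin create the wiki account on the first successful LDAP login.
$wgLDAPDisableAutoCreate = array( 'ldap_foxpass_com' => false );
# Passwords are verified by Foxpass, so the wiki's own length rule is not what
# protects accounts here — enforce password policy in Foxpass. NOTE(review): this
# setting only governs local wiki passwords, which $wgLDAPUseLocal = false already
# takes out of the login path; confirm no local accounts remain before relying on it.
$wgMinimalPasswordLength = 1;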
### END LDAP END LDAP END LDAP
### Debug logging — temporary, for troubleshooting the LDAP setup
# The debug log holds private data (usernames, DNs, attribute values and, at the
# extension's most verbose tier, possibly credentials). It must live outside the
# web root, be writable by the PHP/web-server user, and be readable by nobody
# else. The file name carries the wiki's database name.
# NOTE(review): switch all three settings off once login works — leaving maximum
# LDAP verbosity on in production is a standing information leak.
$wgDebugLogFile = '/var/log/mediawiki/debug-' . $wgDBname . '.log';
# Maximum LDAP verbosity, routed to its own file via the 'ldap' log group.
$wgLDAPDebug = 99;
$wgDebugLogGroups['ldap'] = '/var/log/mediawiki/debug-ldap.log';
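-- The extension expects this table but this install route does not create it,
-- so add it once to the wiki database. IF NOT EXISTS makes re-running the
-- statement safe. 'domain' holds the key used in $wgLDAPDomainNames
-- ('ldap_foxpass_com'); user_id presumably refers to the wiki's user table —
-- verify against the extension's own schema before adding a foreign key.
CREATE TABLE IF NOT EXISTS ldap_domains (
    domain_id INT NOT NULL PRIMARY KEY AUTO_INCREMENT,
    domain    VARCHAR(255) BINARY NOT NULL,
    user_id   INT NOT NULL
);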