Wikimedia – Active Directory group membership
Wikimedia Active Directory group membership as a login permission requirement
After setting up wikimedia with LDAP support, one of the requested tasks was to have access control over who is allowed to do what in the system.
Exploring the web brought me to the option of requiring a user who attempts to log in to be a member of an Active Directory security group which, in my case, I created just for the wiki users.
There are two (and more) options, but I found these handy:
1. Require members to be part of an Active Directory security group in order to be able to log in.
2. Members who are part of a specific group, let's say "Wiki Prohibited users", cannot log in at all.
I picked the first one, as I wanted a central location and view of who I am allowing to see my organisation's wikimedia content.
Navigate to your wiki directory, edit your LocalSettings.php file and add the required settings:
$wgLDAPGroupUseFullDN = array( "yourdomain" => true );
$wgLDAPBaseDNs = array( "yourdomain" => "dc=your,dc=domain,dc=com" );
$wgLDAPSearchAttributes = array( "yourdomain" => "sAMAccountName" );
$wgLDAPUseLDAPGroups = array( "yourdomain" => true );
$wgLDAPGroupObjectclass = array( "yourdomain" => "group" );
$wgLDAPGroupAttribute = array( "yourdomain" => "member" );
$wgLDAPGroupNameAttribute = array( "yourdomain" => "cn" );
$wgLDAPRequiredGroups = array( "yourdomain" => array( "cn=My Domain Wiki Users,ou=yourOU,OU=yourOU,dc=your,dc=domain,dc=com" ) );
$wgLDAPGroupsUseMemberOf = array( "yourdomain" => true );
$wgGroupPermissions['My Domain Wiki Users']['edit'] = true;
Restart the httpd daemon to re-read the modified settings:
/etc/init.d/httpd restart
Add a test user to the Active Directory security group created for the wiki to verify that the configuration works and that the user can log in. At this point it should be working (assuming you already have LDAP authentication working with your domain controller).
* Note: for troubleshooting, check the wiki logs for any errors (if enabled).
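The decision the settings above ask the wiki to make, as an added example that is not code from the original post or from the LDAP Authentication extension: it takes a user's memberOf values (what $wgLDAPGroupsUseMemberOf = true reads) and applies both option 1 (required group) and option 2 (prohibited group) together, normalising DNs so that case and spacing differences like "ou=yourOU,OU=yourOU" do not cause a false deny. The group DNs and memberOf values are constructed samples.

```python
import re

# Split a DN on commas that are not escaped with a backslash (RFC 4514 escaping).
_RDN_SEPARATOR = re.compile(r"(?<!\\),")

def normalize_dn(dn: str) -> str:
    """Canonicalise a DN so that two spellings of the same group compare equal.

    Active Directory matches attribute types and cn/ou/dc values without regard
    to case and tolerates whitespace after the separating commas, so both are
    normalised away. Escaped commas inside a value (e.g. "Smith\\, John") are kept.
    """
    rdns = [rdn.strip() for rdn in _RDN_SEPARATOR.split(dn)]
    return ",".join(rdn.lower() for rdn in rdns if rdn)

# Constructed sample policy mirroring the post: option 1 is the group from
# $wgLDAPRequiredGroups, option 2 the "Wiki Prohibited users" group.
REQUIRED_GROUPS = [
    "cn=My Domain Wiki Users,ou=yourOU,OU=yourOU,dc=your,dc=domain,dc=com",
]
PROHIBITED_GROUPS = [
    "cn=Wiki Prohibited users,ou=yourOU,dc=your,dc=domain,dc=com",
]

def login_allowed(member_of, required=REQUIRED_GROUPS, prohibited=PROHIBITED_GROUPS):
    """Decide whether a user may log in from the memberOf values of their account.

    Caveat: memberOf lists direct memberships only; the primary group (usually
    Domain Users) and nested group memberships do not appear in it.
    """
    groups = {normalize_dn(g) for g in member_of}
    # Option 2: an explicit deny group wins over everything else.
    if any(normalize_dn(p) in groups for p in prohibited):
        return False
    # Option 1: when a required list is configured, at least one must match.
    if required and not any(normalize_dn(r) in groups for r in required):
        return False
    return True

if __name__ == "__main__":
    # Constructed memberOf values, spelled differently from the policy on purpose.
    alice = ["CN=My Domain Wiki Users, OU=yourOU,OU=yourOU,DC=your,DC=domain,DC=com"]
    bob = ["CN=Helpdesk,OU=yourOU,DC=your,DC=domain,DC=com"]
    print("alice:", login_allowed(alice))  # True: required group matches despite case/spacing
    print("bob:", login_allowed(bob))      # False: not in the required group
```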