How to Integrate MediaWiki with LDAP for Single Sign‑On
Overview
MediaWiki can authenticate users directly against an Active Directory (AD) or any LDAP directory. By using the LDAP Stack extensions together with Extension:PluggableAuth, you get a clean single sign‑on (SSO) experience: users log in with their domain credentials and are automatically mapped to MediaWiki groups.
Prerequisites
- PHP with the php-ldap module installed.
- A MediaWiki version that matches the LTS release of the LDAP extensions (e.g. MediaWiki 1.35 LTS).
- An LDAP bind account that can read user and group objects (e.g. CN=MediawikiAuthenticator,OU=Users,DC=example,DC=com).
- Network access from the web server to the LDAP server (port 389 for plain LDAP or STARTTLS, 636 for LDAPS).
Required extensions
All extensions must be from the same release series. Install them into extensions/ and enable them in LocalSettings.php:
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPGroups' );
Download the extensions from extdist.wmflabs.org (the Extension Distributor linked from mediawiki.org), picking the branch that matches your MediaWiki release.
Step 1 – Create ldap.json
The LDAP Stack reads its configuration from a single JSON file. Store it outside the web root (for example /var/www/ldap.json) and protect it (owner www-data, mode 600).
{
  "example.com": {
    "connection": {
      "server": "ad.example.com",
      "port": "389",
      "use-tls": true,
      "user": "CN=MediawikiAuthenticator,OU=Users,DC=example,DC=com",
      "pass": "YOUR_PASSWORD",
      "enctype": "clear",
      "options": { "LDAP_OPT_DEREF": 1 },
      "basedn": "dc=example,dc=com",
      "userbasedn": "dc=example,dc=com",
      "groupbasedn": "dc=example,dc=com",
      "searchattribute": "samaccountname",
      "usernameattribute": "samaccountname",
      "realnameattribute": "cn",
      "emailattribute": "mail",
      "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
      "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]
    },
    "userinfo": [],
    "authorization": [],
    "groupsync": {
      "mapping": {
        "editor": "CN=WikiEditors,OU=Groups,DC=example,DC=com",
        "sysop": "CN=WikiAdmins,OU=Groups,DC=example,DC=com"
      }
    }
  }
}
Replace example.com and the DN values with those of your own AD forest.
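Before pointing MediaWiki at the file, it is worth catching the usual mistakes locally. The Python script below is an added example written for this article, not code from the LDAP Stack extensions or PluggableAuth. It parses ldap.json, applies a small set of consistency rules chosen for this example (the connection keys the article relies on, port and enctype agreeing with each other, the placeholder password, a file mode of 600), and resolves a user's memberOf values against the groupsync mapping using a case-insensitive DN comparison. The function names and the rule set are this example's own, and the sample JSON and memberOf values are constructed for the demonstration.

```python
import json
import os
import stat
from typing import Dict, List

# Keys this validator requires under "connection": the ones the article's ldap.json
# relies on. Chosen for this example; it is not the extension's own schema.
REQUIRED_CONNECTION_KEYS = (
    "server", "port", "user", "pass", "basedn",
    "searchattribute", "usernameattribute",
)


def normalise_dn(dn: str) -> str:
    """Normalise a DN for comparison: attribute types and AD values match
    case-insensitively, and whitespace around the commas is not significant."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_domain_config(domain: str, cfg: dict) -> List[str]:
    """Return the problems found in one domain block of ldap.json."""
    problems: List[str] = []
    conn = cfg.get("connection")
    if not isinstance(conn, dict):
        return [f"{domain}: missing 'connection' object"]
    for key in REQUIRED_CONNECTION_KEYS:
        if key not in conn:
            problems.append(f"{domain}: connection.{key} is missing")
    port = str(conn.get("port", ""))
    enctype = conn.get("enctype", "clear")
    use_tls = bool(conn.get("use-tls", False))
    # 636 is LDAPS and needs enctype "ssl"; 389 is plain LDAP unless use-tls (STARTTLS) is set.
    if port == "636" and enctype != "ssl":
        problems.append(f"{domain}: port 636 but enctype is {enctype!r} (expected 'ssl')")
    if port == "389" and not use_tls and enctype == "clear":
        problems.append(f"{domain}: bind password would cross the network in clear text")
    if conn.get("pass") in ("", "YOUR_PASSWORD"):
        problems.append(f"{domain}: connection.pass is still the placeholder")
    mapping = cfg.get("groupsync", {}).get("mapping", {})
    for wiki_group, dn in mapping.items():
        if "=" not in str(dn):
            problems.append(f"{domain}: groupsync.mapping.{wiki_group} is not a DN: {dn!r}")
    return problems


def validate(raw_json: str) -> List[str]:
    """Parse ldap.json text and return every problem found (empty list means OK)."""
    try:
        data = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    if not isinstance(data, dict) or not data:
        return ["top level must be a non-empty object keyed by domain name"]
    problems: List[str] = []
    for domain, cfg in data.items():
        problems.extend(check_domain_config(domain, cfg))
    return problems


def mode_is_private(mode: int) -> bool:
    """True when a file mode grants nothing to group or others (e.g. 0600)."""
    return (mode & 0o077) == 0


def check_file_mode(path: str) -> List[str]:
    """ldap.json holds a bind password, so flag group- or world-readable copies."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return [] if mode_is_private(mode) else [f"{path}: mode {mode:o} is readable by group/others"]


def map_groups(mapping: Dict[str, str], member_of: List[str]) -> List[str]:
    """Resolve a user's memberOf DNs to the MediaWiki groups named in groupsync.mapping."""
    member = {normalise_dn(dn) for dn in member_of}
    return sorted(group for group, dn in mapping.items() if normalise_dn(dn) in member)


# Constructed sample: the article's ldap.json trimmed to the keys this check uses,
# with the placeholder password left in so the validator has something to report.
SAMPLE_JSON = """
{ "example.com": {
    "connection": {
      "server": "ad.example.com", "port": "389", "use-tls": true,
      "user": "CN=MediawikiAuthenticator,OU=Users,DC=example,DC=com",
      "pass": "YOUR_PASSWORD", "enctype": "clear", "basedn": "dc=example,dc=com",
      "searchattribute": "samaccountname", "usernameattribute": "samaccountname" },
    "groupsync": { "mapping": {
      "editor": "CN=WikiEditors,OU=Groups,DC=example,DC=com",
      "sysop": "CN=WikiAdmins,OU=Groups,DC=example,DC=com" } } } }
"""

# Constructed memberOf values as AD might return them for a test user (note the mixed case).
SAMPLE_MEMBER_OF = [
    "CN=WikiEditors,OU=Groups,DC=example,DC=com",
    "cn=Domain Users,cn=Users,dc=example,dc=com",
]

if __name__ == "__main__":
    for problem in validate(SAMPLE_JSON):
        print("problem:", problem)
    sample_mapping = json.loads(SAMPLE_JSON)["example.com"]["groupsync"]["mapping"]
    print("MediaWiki groups:", map_groups(sample_mapping, SAMPLE_MEMBER_OF))
```

To check a real file, pass its contents to validate() and its path to check_file_mode(); the script as written only exercises the constructed sample. The DN normalisation is deliberately simple (lower-casing and trimming around commas), which is enough for DNs copied from AD but would not handle escaped commas inside an RDN value.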
Step 2 – Tune LocalSettings.php
Load the JSON file, activate the extensions and configure PluggableAuth to use the LDAP plugin.
// The wfLoadExtension() calls from the section above go inside the guard below,
// so the wiki still starts if the JSON file is missing or unreadable.
// Path to the JSON configuration (outside the web root, owner www-data, mode 600)
$ldapJsonFile = '/var/www/ldap.json';
$ldapConfig = false;
$testJson = null;
if ( is_file( $ldapJsonFile ) && is_dir( "$IP/extensions/LDAPProvider" ) ) {
	$testJson = json_decode( file_get_contents( $ldapJsonFile ), true );
	if ( is_array( $testJson ) && $testJson !== [] ) {
		$ldapConfig = true;
	} else {
		error_log( "Invalid JSON in $ldapJsonFile" );
	}
}
if ( $ldapConfig ) {
	wfLoadExtension( 'PluggableAuth' );
	wfLoadExtension( 'LDAPProvider' );
	wfLoadExtension( 'LDAPAuthentication2' );
	wfLoadExtension( 'LDAPAuthorization' );
	wfLoadExtension( 'LDAPUserInfo' );
	wfLoadExtension( 'LDAPGroups' );
	$LDAPProviderDomainConfigs = $ldapJsonFile;
	// The first domain in the file becomes the default (array_key_first needs PHP 7.3+,
	// which MediaWiki 1.35 already requires); reuse the decoded array instead of re-reading the file
	$LDAPProviderDefaultDomain = array_key_first( $testJson );
	$wgPluggableAuth_Config = [
		[
			'plugin' => 'LDAPAuthentication2',
			'buttonLabelMessage' => 'pt-login-button',
			'data' => [ 'domain' => $LDAPProviderDefaultDomain ]
		],
		[ 'plugin' => 'LDAPAuthorization' ]
	];
}
// Optional: make the wiki private and force LDAP login
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createaccount'] = false;
// PluggableAuth needs autocreateaccount so a first-time LDAP user gets a local account
$wgGroupPermissions['*']['autocreateaccount'] = true;
// A user blocked on the wiki can no longer log in, even with valid domain credentials
$wgBlockDisablesLogin = true;
Step 3 – Initialise the database
The LDAP extensions add new tables. After the configuration is in place, run MediaWiki’s update script:
php /path/to/mediawiki/maintenance/update.php
Then clear your browser session and try to log in with a domain user.
Step 4 – Debugging tips
If SELinux is enabled, allow Apache to connect to LDAP:
setsebool -P httpd_can_connect_ldap on
Test the bind and search with the command-line tool (-x selects a simple bind, which is what the configuration above uses):
ldapsearch -x -H ldap://ad.example.com:389 -D "CN=MediawikiAuthenticator,OU=Users,DC=example,DC=com" -w "YOUR_PASSWORD" -b "dc=example,dc=com" "(samaccountname=yourlogin)"
Add -ZZ to require STARTTLS when use-tls is set in ldap.json, and prefer -W (prompt for the password) over -w so the bind password does not end up in your shell history. If the search returns the user entry with its memberOf values, the bind account, base DN and search attribute are correct and any remaining problem is on the MediaWiki side.
Enable MediaWiki debug output in LocalSettings.php:
$wgDebugLogFile = "/var/log/mediawiki/debug.log";
$wgShowExceptionDetails = true;
Further reading
Full reference on MediaWiki’s AD integration can be found on the official manual page: Manual:Active_Directory_Integration.
With the steps above you have a functional LDAP‑backed SSO for MediaWiki – users log in with their Windows domain credentials, groups are mapped to MediaWiki permissions, and new accounts are created automatically when needed.