AD 组授权 - 用户未授权
AD group authorization - user not authorized
使用 我似乎在我们本地 windows 域 (abc.local) 的内部维基上(运行 在 Debian 10 VM 上)安装了 LDAP .我希望所有域用户都能够编辑 wiki。当我尝试使用测试帐户 (rjsmith) 登录 wiki 时,我得到 User rjsmith not authorized.。如果我故意为 rjsmith 输入错误的密码,我会得到 Could not authenticate credentials against domain "abc.local".
这是来自我的 LocalSettings.php:
的 LDAP 内联函数
$LDAPProviderDomainConfigProvider = function()
{
$config =
[
"abc.local" =>
[
"connection" =>
[
"server" => "5.5.5.5",
"user" => "Administrator@abc.local",
"pass" => "password",
"basedn" => "dc=abc,dc=local",
"groupbasedn" => "dc=abc,dc=local",
"userbasedn" => "dc=abc,dc=local",
"searchattribute" => "samaccountname",
"searchstring" => "USER-NAME@abc.local",
"usernameattribute" => "samaccountname",
"realnameattribute" => "cn",
"emailattribute" => "mail",
"grouprequest" => "MediaWiki\Extension\LDAPProvider\UserGroupsRequest\GroupMember::factory"
],
"authorization" =>
[
"rules" =>
[
"groups" =>
[
"required" => [ "cn=Users,dc=abc,dc=local" ]
]
]
],
"userinfo" =>
[
"email" => "mail",
"realname" => "cn",
"properties.gender" => "gender"
]
]
];
return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
我需要什么才能使组 Domain Users (abc.local/Users) 中的任何域用户都可以访问该 wiki?
谢谢,
俄罗斯人
是的!即使是一只瞎眼的松鼠,偶尔也会发现一颗坚果!成功了!
通过大量的试验和错误,我最终只需要将 "groups" 部分更改为简单的 "group" => "Users"。如果我想进一步限制它,我可以创建一个新的域组 WikiUsers,并将 select 用户放入其中。然后我需要在下面设置 "group" => "WikiUsers" 。但是,我希望任何本地域用户都可以访问,所以我下面的内容是完美的。
另外,我对上面问题中显示的配置进行了另一项更改。我创建了一个普通域用户,除了登录 (readonly@abc.local) 之外没有其他权限,所以我不必使用管理员帐户以明文发送密码。
$LDAPProviderDomainConfigProvider = function()
{
$config =
[
"abc.local" =>
[
"connection" =>
[
"server" => "5.5.5.5",
"user" => "readonly@abc.local",
"pass" => "password",
"basedn" => "dc=abc,dc=local",
"groupbasedn" => "dc=abc,dc=local",
"userbasedn" => "dc=abc,dc=local",
"searchattribute" => "samaccountname",
"searchstring" => "USER-NAME@abc.local",
"usernameattribute" => "samaccountname",
"realnameattribute" => "cn",
"emailattribute" => "mail",
"grouprequest" => "MediaWiki\Extension\LDAPProvider\UserGroupsRequest\GroupMember::fa$
],
"authorization" =>
[
"rules" =>
[
"group" => "Users",
]
],
"userinfo" =>
[
"email" => "mail",
"realname" => "cn",
"properties.gender" => "gender"
]
]
];
return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
使用 abc.local) 的内部维基上(运行 在 Debian 10 VM 上)安装了 LDAP .我希望所有域用户都能够编辑 wiki。当我尝试使用测试帐户 (rjsmith) 登录 wiki 时,我得到 User rjsmith not authorized.。如果我故意为 rjsmith 输入错误的密码,我会得到 Could not authenticate credentials against domain "abc.local".
这是来自我的 LocalSettings.php:
的 LDAP 内联函数$LDAPProviderDomainConfigProvider = function()
{
$config =
[
"abc.local" =>
[
"connection" =>
[
"server" => "5.5.5.5",
"user" => "Administrator@abc.local",
"pass" => "password",
"basedn" => "dc=abc,dc=local",
"groupbasedn" => "dc=abc,dc=local",
"userbasedn" => "dc=abc,dc=local",
"searchattribute" => "samaccountname",
"searchstring" => "USER-NAME@abc.local",
"usernameattribute" => "samaccountname",
"realnameattribute" => "cn",
"emailattribute" => "mail",
"grouprequest" => "MediaWiki\Extension\LDAPProvider\UserGroupsRequest\GroupMember::factory"
],
"authorization" =>
[
"rules" =>
[
"groups" =>
[
"required" => [ "cn=Users,dc=abc,dc=local" ]
]
]
],
"userinfo" =>
[
"email" => "mail",
"realname" => "cn",
"properties.gender" => "gender"
]
]
];
return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
我需要什么才能使组 Domain Users (abc.local/Users) 中的任何域用户都可以访问该 wiki?
谢谢, 俄罗斯人
是的!即使是一只瞎眼的松鼠,偶尔也会发现一颗坚果!成功了!
通过大量的试验和错误,我最终只需要将 "groups" 部分更改为简单的 "group" => "Users"。如果我想进一步限制它,我可以创建一个新的域组 WikiUsers,并将 select 用户放入其中。然后我需要在下面设置 "group" => "WikiUsers" 。但是,我希望任何本地域用户都可以访问,所以我下面的内容是完美的。
另外,我对上面问题中显示的配置进行了另一项更改。我创建了一个普通域用户,除了登录 (readonly@abc.local) 之外没有其他权限,所以我不必使用管理员帐户以明文发送密码。
$LDAPProviderDomainConfigProvider = function()
{
$config =
[
"abc.local" =>
[
"connection" =>
[
"server" => "5.5.5.5",
"user" => "readonly@abc.local",
"pass" => "password",
"basedn" => "dc=abc,dc=local",
"groupbasedn" => "dc=abc,dc=local",
"userbasedn" => "dc=abc,dc=local",
"searchattribute" => "samaccountname",
"searchstring" => "USER-NAME@abc.local",
"usernameattribute" => "samaccountname",
"realnameattribute" => "cn",
"emailattribute" => "mail",
"grouprequest" => "MediaWiki\Extension\LDAPProvider\UserGroupsRequest\GroupMember::fa$
],
"authorization" =>
[
"rules" =>
[
"group" => "Users",
]
],
"userinfo" =>
[
"email" => "mail",
"realname" => "cn",
"properties.gender" => "gender"
]
]
];
return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};