LDAPAuthentication

From UVOO Tech Wiki

How to Authenticate using the LDAP Server

The domain for LDAP authentication is example.io. The search string for a user leaf is uid=leaf,ou=people,dc=example,dc=io. Here are the settings used by MediaWiki to perform LDAP authentication:

$wgLDAPDomainNames = array('example.io');
$wgLDAPServerNames = array('example.io' => 'zmail1.example.io');

$wgLDAPUseLocal = false;
// 'tls' means StartTLS on the plain LDAP port (389); LDAPS would be 'ssl'.
$wgLDAPEncryptionType = array('example.io' => 'tls');
$wgLDAPPort = array('example.io' => 389);

$wgLDAPSearchStrings = array(
        'example.io' => 'uid=USER-NAME,ou=people,dc=example,dc=io'
);

$wgLDAPBaseDNs = array('example.io' => 'dc=example,dc=io');
$wgLDAPUserBaseDNs = array('example.io' => 'ou=people,dc=example,dc=io');
$wgLDAPGroupBaseDNs = array('example.io' => 'ou=group,dc=example,dc=io');

Some Notes on Querying LDAP

You may consider using the LDAP Utilities to verify that you can connect to the LDAP server, query it, etc. This is useful for debugging issues before trying to configure your application, e.g. MediaWiki, to perform LDAP authentication.
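
The check described above, as an added example that is not part of the original wiki page: it uses the OpenLDAP client tools ldapwhoami and ldapsearch with the host, port and DNs from the configuration on this page. The function names and the login-name allow-list are choices of this example, and it assumes the client already trusts the server's CA certificate.

```shell
#!/bin/sh
# Added example: verify the directory settings above with the OpenLDAP client
# tools before touching LocalSettings.php. Usage: sh ldapcheck.sh <login-name>

LDAP_URI='ldap://zmail1.example.io:389'                    # $wgLDAPServerNames / $wgLDAPPort
SEARCH_STRING='uid=USER-NAME,ou=people,dc=example,dc=io'   # $wgLDAPSearchStrings
USER_BASE_DN='ou=people,dc=example,dc=io'                  # $wgLDAPUserBaseDNs

# Build the bind DN by substituting the login name for USER-NAME.
# Only [A-Za-z0-9._-] is accepted (allow-list chosen for this example), so a
# name cannot carry DN or filter metacharacters such as ',' '=' '*' '(' ')'.
bind_dn() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s%s%s\n' "${SEARCH_STRING%%USER-NAME*}" "$1" "${SEARCH_STRING#*USER-NAME}"
}

# Bind as the user, then look the entry up under the user base DN.
# -x  simple bind; -W prompts for the password (keeps it out of argv/history)
# -ZZ StartTLS must succeed, matching the 'tls' encryption type; a plain -Z
#     would carry on unencrypted if StartTLS failed.
# If the server certificate is not trusted, point LDAPTLS_CACERT at the CA file
# rather than disabling certificate checks.
check_login() {
    dn=$(bind_dn "$1") || { echo "rejected login name: $1" >&2; return 2; }
    echo "bind DN: $dn"
    ldapwhoami -x -ZZ -H "$LDAP_URI" -D "$dn" -W || return 1
    ldapsearch -x -ZZ -LLL -H "$LDAP_URI" -D "$dn" -W \
        -b "$USER_BASE_DN" -s one "(uid=$1)" uid
}

# Run only when a login name is given.
if [ "$#" -gt 0 ]; then
    check_login "$1"
fi
```

If the bind succeeds here but MediaWiki still refuses the login, the problem is in the wiki configuration rather than in the directory or the TLS setup.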

Some Notes on Mediawiki's LDAP Plugin

With 1.27, some of the features of the plugin were broken. In addition to the configuration stored in LocalSettings.php, it was also necessary to follow the instructions here. Specifically, it was necessary to comment out the saveDomain line as described and to give the autocreateaccount permission.

Background on why this is necessary can be found here and also here. There is some useful but somewhat outdated documentation here. This was also helpful.