diff --git a/site-cookbooks/kosmos-mediawiki/recipes/default.rb b/site-cookbooks/kosmos-mediawiki/recipes/default.rb
index e07f7a5..46a6793 100644
--- a/site-cookbooks/kosmos-mediawiki/recipes/default.rb
+++ b/site-cookbooks/kosmos-mediawiki/recipes/default.rb
@@ -133,6 +133,8 @@ else
 package "php-curl"
 end
 
+package "php-ldap"
+
 ark "MediawikiHubot" do
 url "https://github.com/67P/mediawiki-hubot/archive/master.zip"
 path "#{node['mediawiki']['webdir']}/extensions/MediawikiHubot"
@@ -150,6 +152,49 @@ template "#{node['mediawiki']['webdir']}/extensions/MediawikiHubot/DefaultConfig
 wiki_url: node['mediawiki']['url']
 end
 
+#
+# LDAP
+ark "PluggableAuth" do
+ url "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_33-a69f626.tar.gz"
+ path "#{node['mediawiki']['webdir']}/extensions"
+ owner node["nginx"]["user"]
+ group node["nginx"]["group"]
+ mode 0750
+ action :dump
+end
+
+ark "LDAPProvider" do
+ url "https://extdist.wmflabs.org/dist/extensions/LDAPProvider-master-6ce932d.tar.gz"
+ path "#{node['mediawiki']['webdir']}/extensions"
+ owner node["nginx"]["user"]
+ group node["nginx"]["group"]
+ mode 0750
+ action :dump
+end
+
+ark "LDAPAuthorization" do
+ url "https://extdist.wmflabs.org/dist/extensions/LDAPAuthorization-REL1_31-2bfd752.tar.gz"
+ path "#{node['mediawiki']['webdir']}/extensions"
+ owner node["nginx"]["user"]
+ group node["nginx"]["group"]
+ mode 0750
+ action :dump
+end
+
+ark "LDAPAuthorization" do
+ url "https://extdist.wmflabs.org/dist/extensions/LDAPAuthentication2-REL1_31-e170a82.tar.gz"
+ path "#{node['mediawiki']['webdir']}/extensions"
+ owner node["nginx"]["user"]
+ group node["nginx"]["group"]
+ mode 0750
+ action :dump
+end
+
+ldap_credentials = data_bag_item("credentials", "389")
+ldap_domain = node["kosmos-dirsrv"]["nginx"]["domain"]
+ldap_encryption_type = node.chef_environment == "development" ? "clear" : "tls"
+ldap_base = "ou=users,dc=kosmos,dc=org"
+
 ruby_block "configuration" do
 block do
 file = Chef::Util::FileEdit.new("#{node['mediawiki']['webdir']}/LocalSettings.php")
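Review bot: The fourth `ark` resource is named "LDAPAuthorization" while its `url` points at the LDAPAuthentication2 tarball, so two resources of the same type share one name; Chef treats that as resource cloning/overriding rather than two independent extractions, and it is not guaranteed both tarballs land in the extensions directory, which would break the `wfLoadExtension( 'LDAPAuthentication2' );` line added in the last hunk — rename it `ark "LDAPAuthentication2" do`. None of the four downloads pins a `checksum`, and the tarballs come from different branches (REL1_33, master, REL1_31), so a silent upstream re-roll of any one of them changes what gets deployed without the converge noticing; setting ark's `checksum` property on each would make the fetch verifiable and also surface the branch mismatch when versions are bumped. The `ldap_*` locals defined at the bottom feed the LocalSettings.php heredoc in the last hunk, which additionally interpolates `server_name`; if that is not defined earlier in the recipe (outside this diff), the `ruby_block` raises NameError at converge time. In the "development" environment `ldap_encryption_type` resolves to "clear", so the bind credential read from the "credentials"/"389" data bag item is sent to the directory unencrypted there, and since the same value is written verbatim into LocalSettings.php, a dedicated read-only bind account and an encrypted data bag would limit what an exposure of that file or a dev-network capture yields.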
@@ -196,6 +241,46 @@ $wgArticlePath = "/$1";
 file.insert_line_if_no_match(/Mermaid/, "wfLoadExtension( 'Mermaid' );")
 
+ file.insert_line_if_no_match(/# LDAP config/,
+ <<-EOF
+# LDAP config
+$LDAPProviderDomainConfigProvider = function()
+{
+ $config = [
+ "#{server_name}" => [
+ "connection" => [
+ "server" => "#{ldap_domain}",
+ "enctype" => "#{ldap_encryption_type}",
+ "user" => "cn=Directory Manager",
+ "pass" => "#{ldap_credentials['password']}",
+ "basedn" => "#{ldap_base}",
+ "groupbasedn" => "#{ldap_base}",
+ "userbasedn" => "#{ldap_base}",
+ "searchattribute" => "uid",
+ "searchstring" => "cn=USER-NAME,#{ldap_base}",
+ "usernameattribute" => "uid",
+ "realnameattribute" => "cn",
+ "emailattribute" => "mail"
+ ],
+ "authorization" => [
+ "rules" => [
+ "attributes" => [
+ "wiki" => "enabled"
+ ]
+ ]
+ ]
+ ]
+ ];
+
+ return new \\MediaWiki\\Extension\\LDAPProvider\\DomainConfigProvider\\InlinePHPArray( $config );
+};
+$wgPluggableAuth_EnableLocalLogin = true; # allow local logins
+wfLoadExtension( 'LDAPProvider' );
+wfLoadExtension( 'PluggableAuth' );
+wfLoadExtension( 'LDAPAuthorization' );
+wfLoadExtension( 'LDAPAuthentication2' );
+ EOF
+ )
 file.write_file
 end