Extension talk:LDAPAuthorization

hello, i have mediawiki 1.39, PHP 8.3, Windows Server 2016 with IIS and will be using LDAP extensions

apologies if this is in the wrong discussion area

I will have, when fully set up, 8 groups with multiple users per group

only 1 of those groups will have full permissions, the rest will only have read

each of the 7 groups that will have read only, will also only have their own area of our local mediawiki site they'll have access to

which extension/s will control that? and where in LocalSettings and ldapprovider.json will those accesses be configured?

thank you

We are trying to migrate from mediawiki 1.30.0 to 1.39.3.

Everything seems to work so far, except authentication via LDAP.

All LDAPProvider related scripts return data or report success:

./LDAPProvider/maintenance/CheckConnection.php --conf /opt/mediawiki/LocalSettings.php --config /opt/mediawiki/ldapprovider.json --domain DOMAIN "(samaccountname=me)"

=> valid Data

./LDAPProvider/maintenance/ShowUserInfo.php --conf /opt/mediawiki/LocalSettings.php --domain DOMAIN --username me

=> valid Data

php ./LDAPProvider/maintenance/CheckLogin.php --conf /opt/mediawiki/LocalSettings.php --domain DOMAIN --username me

=> OK

php ./LDAPProvider/maintenance/ShowUserGroups.php --conf /opt/mediawiki/LocalSettings.php  --domain DOMAIN --username me

=> valid Data

ldapprovider.json:

{

  "DOMAIN": {

    "connection": {

      "server": "dc",

      "port": "636",

      "user": "ldap",

      "pass": "pass",

      "enctype": "ssl",

      "options": {

        "LDAP_OPT_DEREF": 1

      },

      "basedn": "OU=User,...",

      "userbasedn": "OU=User,...",

      "groupbasedn": "OU=Group...",

      "searchattribute": "sAMAccountName",

      "searchstring": "DOMAIN\\USER-NAME",

      "usernameattribute": "sAMAccountName",

      "realnameattribute": "cn",

      "emailattribute": "mail",

      "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",

      "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]

    },

    "authorization": {

      "rules": {

        "groups": {

          "required":[

            "CN=User",

            "CN=Admin"

          ]

        }

      }

    },

    "groupsync": {

      "mechanism": "mappedgroups",

      "mapping": {

        "user": "CN=User",

        "sysop": "CN=VAdmin"

      }

    },

    "userinfo": {

      "attributes-map": {

        "email": "mail",

        "realname": "fullname"

      }

    }

  }

}

LocalSettings.php:

wfLoadExtension( 'AccessControl' );

wfLoadExtension( 'LDAPProvider' );

wfLoadExtension( 'LDAPAuthentication2' );

wfLoadExtension( 'LDAPAuthorization' );

wfLoadExtension( 'LDAPUserInfo' );

wfLoadExtension( 'LDAPGroups' );

wfLoadExtension( 'PluggableAuth' );

$wgDebugLogFile = "/opt/log/mediawiki_debug-{$wgDBname}.log";

$wgShowExceptionDetails = true;

$wgDebugToolbar = true;

$wgShowDebug = true;

$wgDevelopmentWarnings = false;

$wgDebugDumpSql = false;

$wgDebugLogGroups['authentication'] = "/opt/log/authentication.log";

$wgDebugLogGroups['login'] = "/opt/log/login.log";

$wgDebugLogGroups['PluggableAuth'] = "/opt/log/LDAP-Pluggable.log";

$wgDebugLogGroups['LDAP'] = "/opt/log/LDAP.log";

$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] = "/opt/log/LDAPProvider_Client.log";

$wgDebugLogGroups['LDAPGroups'] = "/opt/log/LDAPGroups.log";

$wgDebugLogGroups['LDAPUserInfo'] = "/opt/log/LDAPUserInfo.log";

$wgDebugLogGroups['LDAPAuthentication2'] = "/opt/log/LDAPAuthentication2.log";

$wgDebugLogGroups['LDAPAuthorization'] = "/opt/log/LDAPAuthorization.log";

$LDAPProviderDomainConfigs ="/opt/data/config/ldapprovider.json";

$LDAPProviderDomainConfigProvider = "MediaWiki\\Extension\\LDAPProvider\\DomainConfigProvider\\LocalJSONFile::newInstance" ;

$LDAPProviderDefaultDomain = 'DOMAIN;

$wgAccessControlMessages = true;

$wgUseMediaWikiGroups = true;

$wgAdminCanReadAll = true;

$wgPluggableAuth_EnableAutoLogin = false;

$wgPluggableAuth_EnableLocalLogin = true;

(also tried $wgPluggableAuth_EnableLocalLogin = false;)

$LDAPAuthentication2AllowLocalLogin = true;

(also tried $LDAPAuthentication2AllowLocalLogin = false;)

$LDAPAuthentication2UsernameNormalizer = "strtolower";

$LDAPGroupsSyncMechanismRegistry = "mappedgroups";

$wgGroupPermissions['*']['createaccount'] = true;

$wgGroupPermissions['*']['autocreateaccount'] = true;

$wgGroupPermissions['*']['edit'] = false;

$wgGroupPermissions['*']['read'] = true;

$wgGroupPermissions['user']['edit'] = true;

$wgGroupPermissions['sysop']['edit'] = true;

$wgPluggableAuth_ButtonLabel = "Anmelden";

Debug-Output

• [error] [ZHi9J4zwAEy-BdrMNX0gmgAAAEE] /mediawiki/index.php?title=Spezial:Anmelden&returnto=Hauptseite PHP Deprecated: Use of userCan hook (used in AccessControlHooks::onUserCan) was deprecated in MediaWiki 1.37. [Called from MediaWiki\HookContainer\HookContainer::run]

• [authentication] Login failed in primary authentication because no provider accepted

hello, out of curiosity, did you ever find a resolution?

When trying to Login with a LDAP user, who never logged in befor, the check for required groups always fails.

I checked the Logs and saw, that the plugin actually sent the IP adress instead of the username to check.

I appended the log with three login attempts:

• The first one fails for an user, which already logged in before but is not the required group
• The second one shows the described behavior. I try to login with "auth.test2", but the Plugin checks for groups of "172.22.0.1", which is the IP adress of the mediawiki container
• The third attempt shows a sucessfull login of another user, who already existed and who also is in the required group
  

Domain set to 'LDAP'. MediaWiki\Extension\LDAPAuthorization\Hook\PluggableAuthUserAuthorization: Check authorization for user 'Auth.test'. Requirement 'groups.required' not satisfied. Requirements could not be satisfied. Domain set to 'LDAP'. MediaWiki\Extension\LDAPAuthorization\Hook\PluggableAuthUserAuthorization: Check authorization for user '172.22.0.1'. Requirement 'groups.required' not satisfied. Requirements could not be satisfied. Domain set to 'LDAP'. MediaWiki\Extension\LDAPAuthorization\Hook\PluggableAuthUserAuthorization: Check authorization for user 'valid.user'. Requirement 'groups.required' satisfied. All requirements satisfied.

Can you please share information about the environment? MediaWiki versions? Do you have a specific setting of $wgGroupPermissions in your LocalSettings.php file? Maybe regarding the autocreateaccount permission?

I use Mediawiki 1.38.2 inside a Docker Container and those Version of the LDAP Plugins (I accidentaly cut them out in the original post..):

LDAPAuthentication2    1.0.3 (c6a342f)

LDAPAuthorization    1.1.0 (e6815d2)

LDAPGroups    1.0.3 (e579978)

LDAPProvider    1.0.5 (8e1a6ff)

LDAPUserInfo    1.0.0 (b95faa0)

PluggableAuth    5.7

The $wgGroupPermissions are

$wgGroupPermissions['*']['edit'] = false;

$wgGroupPermissions['user']['edit'] = true;

$wgGroupPermissions['*']['autocreateaccount'] = true;

$wgGroupPermissions['*']['createaccount'] = false;

I tried to follow that example for the settings: Manual:Active Directory Integration

Hello, I was having the same issue on my side and I fixed that by modifying the PluggableAuthUserAuthorization.php, function process(), since it previously relied on getName() which turned out to return the IP address of the origin of the HTTP request for non-existing users.

Lines modified are marked with the comment "MODIFIED THIS" in the code here below, and were replaced by lines immediately following:

/**

     *

     * @return bool

     */

    public function process() {

        //MODIFIED THIS: $this->logger->debug( __CLASS__ . ": Check authorization for user '{$this->user->getName()}'." );

        $this->logger->debug( __CLASS__ . ": Check authorization for user '{$this->user->mName}'." );

        if ( $this->isLocalUser() ) {

            $this->logger->debug( 'Skipping local user.' );

            return true;

        }

        $requirementsChecker = new RequirementsChecker( $this->ldapClient, $this->domainConfig );

        $requirementsChecker->setLogger( $this->logger );

        ////MODIFIED THIS: if ( !$requirementsChecker->allSatisfiedBy( $this->user->getName() ) ) {

        if ( !$requirementsChecker->allSatisfiedBy( $this->user->mName ) ) {

            $this->logger->debug( 'Requirements could not be satisfied.' );

            $this->authorized = false;

            return false;

        }

        $this->logger->debug( 'All requirements satisfied.' );

        return true;

    }

All originated from PluggableAuthLogin.php, function execute() where for non-existing users the following code is executed:

if ( $id === null ) {

                    $user->loadDefaults( $username );

                    $user->mName = $username;

                    $user->mRealName = $realname;

                    $user->mEmail = $email;

                    $user->mEmailAuthenticated = wfTimestamp();

                    $user->mTouched = wfTimestamp();

                    wfDebugLog( 'PluggableAuth', 'Authenticated new user: ' . $username );

                    // PluggableAuthPopulateGroups is called from LocalUserCreated hook

                }

thus not initializing user member mLoadedItems, which in turns is requested by getName() through isItemLoaded function, otherwise the request origin IP address is returned:

/**

     * Get the user name, or the IP of an anonymous user

     * @return string User's name or IP address

     */

    public function getName(): string {

        if ( $this->isItemLoaded( 'name', 'only' ) ) {

            // Special case optimisation

            return $this->mName;

        }

        $this->load();

        if ( $this->mName === false ) {

            // Clean up IPs

            $this->mName = IPUtils::sanitizeIP( $this->getRequest()->getIP() );

        }

        return $this->mName;

    }

Replacing getName in PluggableAuthUserAuthorization.php with direct access to mName member (which is initialized by PluggableAuthLogin.php) made the magic.

Probably there are more elegant solution for fixing that, and the problem maybe should be reported to PluggableAuth developers (how can I do that? anyone knows? I am new to mediawiki...) but anyway that fixed the problem for me and maybe can be useful for some others too.

You made my day - Thanks a lot !!!

I have the same problem that users that are not stored in the database are not authorized. This is what the log file for LDAPAuthorization gives me after I apply @Morix Dev's changes to PluggableAuthUserAuthorization.php :

2023-05-08 04:44:39 vermkv-wiki-neu wiki_d35: Domain set to 'wiki_d35'.

2023-05-08 04:44:39 vermkv-wiki-neu wiki_d35: MediaWiki\Extension\LDAPAuthorization\Hook\PluggableAuthUserAuthorization: Check authorization for user ')'.

2023-05-08 04:44:39 vermkv-wiki-neu wiki_d35: Requirement 'groups.required' not satisfied.

2023-05-08 04:44:39 vermkv-wiki-neu wiki_d35: Requirements could not be satisfied.

I have Mediawiki 1.39.3 with php 8.1.2 and MariaDB 10.6.12.

My configuration in LocalSettings.php:

wfLoadExtension( 'PluggableAuth' );

wfLoadExtension( 'LDAPProvider' );

wfLoadExtension( 'LDAPAuthentication2' );

wfLoadExtension( 'LDAPUserInfo' );

wfLoadExtension( 'LDAPAuthorization' );

$wgPluggableAuth_EnableLocalLogin = false;

$wgPluggableAuth_ButtonLabel = "Anmelden";

$LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain';

$LDAPAuthentication2UsernameNormalizer = 'ucfirst';

$LDAPAuthentication2AllowLocalLogin = false;

$wgAuthRemoteuserAllowUserSwitch = false;

$wgPluggableAuth_Config['Log In'] = [

   'plugin' => 'LDAPAuthentication2',

   'data' => [

       'domain' => 'wiki_d35'

   ]

];

$wgDebugLogGroups['PluggableAuth'] = [

       'destination' => "$IP/cache/PluggableAuth.log"

];

$wgDebugLogGroups['LDAPProvider'] = [

       'destination' => "$IP/cache/LDAPProvider.log"

];

$wgDebugLogGroups['LDAPAuthentication2'] = [

       'destination' => "$IP/cache/LDAPAuth.log"

];

$wgDebugLogGroups['LDAPAuthorization'] = [

       'destination' => "$IP/cache/LDAPAuthorization.log"

];

$LDAPProviderDomainConfigProvider = function() {

   $config = [

       "LDAP" => [

           "connection" => [

               "server" => "***",

               "options" => [ "LDAP_OPT_DEREF" => 1, "LDAP_OPT_PROTOCOL_VERSION" => 3 ],

               "port" => 389,

               "enctype" => "tls",

               "basedn" => "o=***,c=***",

               "userbasedn" => "o=***,c=***",

               "groupbasedn" => "ou=group,ou=***,o=***,c=***",

               "searchattribute" => 'uid',

               "usernameattribute" => 'uid',

               "realnameattribute" => "cn",

               "emailattribute" => "mail",

               "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"

  ],

           "authorization" => [

               "rules" => [

                   "groups" => [

                       "required" => [

                           "cn=***,ou=***,ou=***,o=***,c=***"

                       ]

                   ]

               ]

           ],

           "authentication" => [

               "usernameattribute" => "uid",

               "realnameattribute" => "cn",

               "emailattribute" => "mail"

           ],

           'userinfo' => [

               'attributes-map' => [

                   'email' => 'mail',

                   'realname' => 'cn'

               ]

           ]

       ]

   ];

   return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );

};

I added the line

               $this->user->setName( $this->ldapClient->getUsername() );

at the beginning of the function process() in the file

extensions/LDAPAuthorization/src/hook/PluggableAuthUserAuthorization.php

Maybe this is related to task T334950 (Fix at https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PluggableAuth/+/909674)and will be fixed in an upcoming release of Extension:PluggableAuth.

Battling with these extensions and have got Authorization to work, but when I try to restrict by group it fail. Looking at function makeGroupRequirements the ldapUserGroups has no values.

   $ldapUserGroups = $this->ldapClient->getUserGroups( $username );

$username equals "andrew" and looking at debug output the memberof has been read.

[MediaWiki\Extension\LDAPProvider\Client] MediaWiki\Extension\LDAPProvider\Client::getUserDN: search with array (

  'base' => 'dc=dcs,dc=bbk,dc=ac,dc=uk',

  'filter' => '(samaccountname=andrew)',

  'attributes' =>

  array (

   0 => '*',

   1 => 'memberof',

  ),

)

....

   10 => 'usncreated',

   'memberof' =>

   array (

     'count' => 7,

     0 => 'CN=xxx1,DC=dcs,DC=bbk,DC=ac,DC=uk',

     1 => 'CN=xxx2,DC=dcs,DC=bbk,DC=ac,DC=uk',

     2 => 'CN=xxx3,OU=StaffUsers,DC=dcs,DC=bbk,DC=ac,DC=uk',

     3 => 'CN=xxx4,OU=StaffUsers,DC=dcs,DC=bbk,DC=ac,DC=uk',

     4 => 'CN=xxx5,CN=Users,DC=dcs,DC=bbk,DC=ac,DC=uk',

     5 => 'CN=xxx6,CN=Users,DC=dcs,DC=bbk,DC=ac,DC=uk',

     6 => 'CN=xxx7,OU=StaffUsers,DC=dcs,DC=bbk,DC=ac,DC=uk',

   ),

   11 => 'memberof',

   'usnchanged' =>

   array (

     'count' => 1,

Any ideas?

Maybe you need to set <code>"MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory"</code> in you domain config under "connection/grouprequest". See Extension:LDAPProvider#Domain_config_settings

@Osnard GREAT!!! That worked.

I have this problem with OpenLDAP and "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory" - The group I want to search is a 'groupOfNames'

Without the authorization plugin enabled I can log in.

The config in a json file: {

       "LDAP": {
               "connection": {
                       "server": "XXX",
                       "user": "cn=docswiki_ro,ou=serviceaccounts,dc=XXX",
                       "pass": "",
                       "basedn": "XXX",
                       "groupbasedn": "ou=roles,ou=groups,dc=XXX",
                       "userbasedn": "ou=volunteers,dc=XXX",
                       "searchattribute": "uid",
                       "searchstring": "uid=USER-NAME,ou=volunteers,dc=XXX",
                       "usernameattribute": "uid",
                       "realnameattribute": "cn",
                       "emailattribute": "mail",
                       "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
               },
               "authorization": {
                       "rules": {
                               "groups": {
                                       "required": [
                                               "cn=rol_webadmin,ou=roles,ou=groups,dc=XXX"
                                       ]
                               }
                       }
               }
       }

}

You may need to "hack" that code line until I can introduce a proper configuration variable: https://github.com/wikimedia/mediawiki-extensions-LDAPProvider/blob/5c4546b8cb1f9890c3063f0bf073793e66563c01/src/UserGroupsRequest/GroupMember.php#L31

Alternatively you can implement a `UserGroupsRequest` class yourself and contribute it.

I think I see the problem. I'm using an objectclass 'groupofnames' (in openldap) but the code you added only checks for a 'group.' When I have time I'll change that in the code and see if it works.

Confirmed, I changed it into groupOfNames and now my account authorizes but my test account doesn't; as expected.

Thanks for confirming this. I have added this topic to https://phabricator.wikimedia.org/T214146

It's working??

I have this problem, too. But it only occurs in private wikis. What can I do to solve this?

I use MediaWiki 1.39.3

PHP Version 8.1.2

MariaDB 10.6.12

Which LDAP extension versions are you using?

I'm using

PluggableAuth 5.7

LDAPAuthentication2 1.0.3

LDAPProvider 1.0.5

LDAPUserInfo 1.0.0

LDAPAuthorization 1.1.0

I cannot use PluggableAuth 6.X since it doesn't work with LDAPAuthentication2 or LDAPAuthorization yet.

The change has been merged quite a while ago. You can now set the groupobjectclass to groupOfNames in connection.

is it possible to use the newer LDAP stack with anonymous binding? Does the json look like this?

{

"****": {

"connection": {

"server": "**.***.**.**",

"port": "389",

"user": "",

"pass": "",

"enctype": "clear",

"options": {

"LDAP_OPT_DEREF": 1,

                "LDAP_OPT_PROTOCOL_VERSION": 3,

                "LDAP_OPT_REFERRALS": 0

},

"basedn": "dc=****,dc=**,dc=**",

"userbasedn": "dc=****,dc=**,dc=**",

"groupbasedn": "dc=****,dc=**,dc=**",

"searchattribute": "samaccountname",

"usernameattribute": "samaccountname",

"realnameattribute": "cn",

"emailattribute": "mail",

"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",

"presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]

},

"userinfo": [],

"authorization": [],

"groupsync": {

"mapping": {

}

}

}

}

"****": {

"connection": {

"server": "**.128.**.**",

"port": "389",

"user": "",

"pass": "",

"enctype": "clear",

"options": {

"LDAP_OPT_DEREF": 1,

                "LDAP_OPT_PROTOCOL_VERSION": 3,

                "LDAP_OPT_REFERRALS": 0

},

"basedn": "dc=****,dc=**,dc=**",

"userbasedn": "dc=****,dc=**,dc=**",

"groupbasedn": "dc=****,dc=**,dc=**",

"searchattribute": "samaccountname",

"usernameattribute": "samaccountname",

"realnameattribute": "cn",

"emailattribute": "mail",

"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",

"presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]

},

"userinfo": [],

"authorization": [],

"groupsync": {

"mapping": {

}

}

}

}

No, anonymous binding is currently not supported

After fighting with Ldap Authentication - which works fine now -- i wanted to restrict it to certain AD group(s).

But when I run with "wfLoadExtension( 'LDAPAuthorization' );" it passes the "auth" part, but the verification of the group check blows up.

MediaWiki 1.35.3

PHP 7.3.29

LDAPAuthentication2 1.0.3

LDAPAuthorization 1.1.0

LDAPProvider 1.0.5

PluggableAuth 5.7

I cant figure out what I am missing, if anything

On screen I get:

Special:PluggableAuthLogin TypeError from line 47 of includes/config/HashConfig.php: Argument 1 passed to HashConfig::__construct() must be of the type array, null given, called in extensions/LDAPProvider/src/DomainConfigFactory.php on line 74

Backtrace:

#0 extensions/LDAPProvider/src/DomainConfigFactory.php(74): HashConfig->__construct(NULL)

#1 extensions/LDAPAuthorization/src/Hook/PluggableAuthUserAuthorization.php(65): MediaWiki\Extension\LDAPProvider\DomainConfigFactory->factory(string, string)

#2 extensions/LDAPAuthorization/src/Hook/PluggableAuthUserAuthorization.php(77): MediaWiki\Extension\LDAPAuthorization\Hook\PluggableAuthUserAuthorization->__construct(User, boolean)

#3 includes/HookContainer/HookContainer.php(329): MediaWiki\Extension\LDAPAuthorization\Hook\PluggableAuthUserAuthorization::callback(User, boolean)

#4 includes/HookContainer/HookContainer.php(132): MediaWiki\HookContainer\HookContainer->callLegacyHook(string, array, array, array)

....

In the Debug Logging, I get:

2022-05-27 18:07:54 {server name} {wiki name}: Domain set to 'abc.def.org'.

[error] [YpETerowjGVT6h9w1gQ@LwAAAAo] Special:PluggableAuthLogin   ErrorException from line 74 of extensions/LDAPProvider/src/DomainConfigFactory.php:

PHP Notice: Undefined index: authorization

#0 extensions/LDAPProvider/src/DomainConfigFactory.php(74): MWExceptionHandler::handleError(integer, string, string, integer, array)

#1 extensions/LDAPAuthorization/src/Hook/PluggableAuthUserAuthorization.php(65): MediaWiki\Extension\LDAPProvider\DomainConfigFactory->factory(string, string)

#2 extensions/LDAPAuthorization/src/Hook/PluggableAuthUserAuthorization.php(77): MediaWiki\Extension\LDAPAuthorization\Hook\PluggableAuthUserAuthorization->__construct(User, boolean)

#3 includes/HookContainer/HookContainer.php(329): MediaWiki\Extension\LDAPAuthorization\Hook\PluggableAuthUserAuthorization::callback(User, boolean)

#4 includes/HookContainer/HookContainer.php(132): MediaWiki\HookContainer\HookContainer->callLegacyHook(string, array, array, array)

#5 includes/Hooks.php(137): MediaWiki\HookContainer\HookContainer->run(string, array, array)

#6 extensions/PluggableAuth/includes/PluggableAuthLogin.php(53): Hooks::run(string, array)

#7 includes/specialpage/SpecialPage.php(600): PluggableAuthLogin->execute(NULL)

#8 includes/specialpage/SpecialPageFactory.php(635): SpecialPage->run(NULL)

#9 includes/MediaWiki.php(307): MediaWiki\SpecialPage\SpecialPageFactory->executePath(Title, RequestContext)

#10 includes/MediaWiki.php(940): MediaWiki->performRequest()

SO the issue seems to be "Undefined index: authorization"

(which is present in my "ldap.json" file - below) Undefined index: authorization

{

        "abd.def.org": {

                "connection": {

                        "server": "dc.abc.def.org",

                        "port": "389",

                        "user": "CN=Service,OU=groups,DC=abc,DC=def,DC=org",

                        "pass": "",

                        "options": {

                                "LDAP_OPT_DEREF": 1

                        },

                        "basedn": "DC=abc,DC=def,DC=org",

                        "userbasedn": "DC=abc,DC=def,DC=org",

                        "groupbasedn": "DC=abc,DC=def,DC=org",

                        "searchattribute": "samAccountName",

                        "usernameattribute": "samaccountname",

                        "realnameattribute": "cn",

                        "emailattribute": "mail",

                        "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",

                        "authorization": {

                                "rules": {

                                        "groups": {

                                                "required": ["CN=support,DC=abc,DC=def,DC=org"]

                                        }

                                }

                        }

                }

        }

}

SO -- I have no idea what's wrong, havent been able to figure out out! Argh!

The "authorization" node must not be nested within, but a sibling of "connection"

oh!!

that was it!!

thanks might!!

"grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"

Regarding the part of the settings for "grouprequest" where it says MediaWiki, if I named by wiki something other than the default, like "mywikipage", would I change MediaWiki to mywikipage in this setting?

No. This is just a PHP namespace. It does not depend on you local wikis name ($wgSitename)

Appreciate the information

Im currently running into some issues trying to set up my ldapprovider.json config.

The mediawiki works with pure LDAP - everyone can login and it works. Now i want only a certain LDAP Group to login and i cant get my head around it...

My ldapprovider.json:

<code>

  1 {

  2     "intern.goetel.de": {

  3             "connection": {

  4                     "server": "our-dc-controller",

  5                     "user": "ldap-user",

  6                     "pass": "password",

  7                     "options": {

  8                             "LDAP_OPT_DEREF": 1

  9                     },

10                     "basedn": "ou=container, dc=domain,dc=tld",

11                     "groupbasedn": "dc=domain,dc=tld",

12                     "userbasedn": "dc=domain,dc=tld",

13                     "searchattribute": "samaccountname",

14                     "usernameattribute": "samaccountname",

15                     "realnameattribute": "cn",

16                     "emailattribute": "mail",

17                     "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory"

18             },

19             "authorization": {

20                     "rules": {

21                             "groups": {

22                                     "required": ["CN=groupname,OU=OUname,OU=OUname,DC=goetel,DC=de"]

23                             }

24                     }

25             }

26     }

27 }

</code>

I don´t get any errors. Everyone can still login, doesn´t matter if they´re in that Group or not...

Can someone help me in this?

This looks just right. Can you confirm that php extensions/LDAPProvider/maintenance/ShowUserGroups.php ... does not list "CN=groupname,OU=OUname,OU=OUname,DC=goetel,DC=de". Can you confirm Extension:LDAPAuthorization to be properly enabled?

I tested it with 2 Accounts - user1 should login, user2 should not. "php ..." from user1 shows the group, from user2 is doesnt

LDAPAuthorization isnt installed, we got LDAPAuthentication2 and LDAPProvider running. Do i just need to install LDAPAuthorization on the wiki?

Yes. Please install and activate Extension:LDAPAuthorization.

Now it works flawless, didnßt know i need another Extension...

Thank your for your help!

Windows Server 2012R2

LDAPAuthentication2 1.0.2 (58e281c) 07:04, 7 January 2021

LDAPAuthorization 1.1.0 (e037664) 19:38, 9 July 2020

LDAPProvider 1.0.5 (ca854c1) 07:54, 14 December 2020

LDAPUserInfo 1.0.0 (39cca83) 19:58, 9 July 2020

PluggableAuth 5.7 (2a465ae) 15:07, 10 July 2020

LocalSettings.php:

wfLoadExtension( 'LDAPProvider' );

wfLoadExtension( 'PluggableAuth' );

wfLoadExtension( 'LDAPAuthentication2' );

wfLoadExtension( 'LDAPUserInfo' );

wfLoadExtension( 'LDAPAuthorization' );

$LDAPProviderDomainConfigProvider = function() {

$config = [

'server.ssv.ww.lcl' => [

'connection' => [

"server" => "server.ssv.ww.lcl",

"port" => "389",

"user" => "pre\\account",

"pass" => 'password',

"options" => [ "LDAP_OPT_DEREF" => 1 ],

"basedn" => "CN=containerNameHere,DC=ssv,DC=ww,DC=lcl",

"groupbasedn" => "CN=Groups,CN=containerNameHere,DC=ssv,DC=ww,DC=lcl",

"userbasedn" => "CN=Users,CN=containerNameHere,DC=ssv,DC=ww,DC=lcl",

"searchattribute" => "sAMAccountName",

"searchstring" => "pre\\USER-NAME",

"usernameattribute" => "sAMAccountName",

"realnameattribute" => "cn",

"emailattribute" => "mail",

"nestedgroups" => true,

"grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupUniqueMember::factory"

# ],

# "groupsync" => [ # ],

# "userinfo" => [ ]

]

];

return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );

};

$LDAPAuthentication2UsernameNormalizer = 'strtolower';

LDAPProvider\maintenance\CheckLogin.php says "OK" to my account but running ShowUserGroups with same -u and -d input gives "C:\MediaWiki\extensions\LDAPProvider\src\Client.php: Error in LDAP search: No such object" and ShowUserGroups says "PHP Warning:  ldap_count_entries() expects parameter 2 to be resource, bool given in C:\MediaWiki\extensions\LDAPProvider\src\PlatformFunctionWrapper.php on line 295" along with the same error in Client.php as above. The line of code in Client that throws the error is this one:

if ( !$res ) { throw new MWException( "Error in LDAP search: " . $this->connection->error() ); } which is in this function: public function search( $match, $basedn = null, $attrs = [ "*" ] )

Any ideas on how I should proceed to troubleshoot this?

If a "bool" is returned this indicates that no connection to the LDAP server could be established. Try a standalone script like https://www.php.net/manual/en/function.ldap-bind.php#refsect1-function.ldap-bind-examples to verify your connection settings.

I ran that example script and it works properly. The LocalSettings.php file has the correct username/password because the CheckLogin.php script returns "OK". The problem is that the ShowUserGroups.php script is returning a lot of errors, using the same config file. It still returns that "bool" error but the other scripts I run in the maintenance directory seem to work fine. I'm stuck and don't know how to move forward with troubleshooting this problem.

Have you tried using "samaccountname" instead of "sAMAccountName"? Also you "searchtring" looks odd. It should be a DN.

Got it to work finally!!!

In the settings:

groupbasedn and userbasedn strings can only contain DN items, no CN or OU items

searchattribute and usernameattribute strings both had to be samaccountname

grouprequest string needed a leading \\ and set to ...GroupMember::factory

searchstring needed leading domain prefix followed by \\USER-NAME

enctype had to be "clear"

I may have made minor code changes in several of the modules, been working on this for months off and on so not sure. Troubleshooting sucks when it is trial and error testing. In Client.php/getUserGroups() function I added our baseDN string instead of the default empty ' ' parameter. In UserInfoRequest.php/GetUserInfo() I had to comment out the "memberof" and leave attribute as just the wildcard. In GroupMember.php instead of an empty $baseDN I set it to $this->config->get( ClientConfig::GROUP_BASE_DN ). I think that about covers it.

Thanks for sharing! Maybe you could provide me with your code? I could check if I can add it to the extension.

Basically it was those changes above, not worth a full copy-n-paste since you can see they were very minor changes. This was a very steep learning curve trying to get Active Directory under IIS working. I still do not have the automatic login working with LDAPAuthentication2 yet but at least I can manually log in and nothing throws any errors in the logs.

Okay, thanks. For SSO you will need Extension:Auth_remoteuser. In IIS it should be straight forward to enable SSO. You should only need to switch from "Anonymous" to "NLTM/Kerberos" type in the "Authentication" section of your IIS-Website.

Thank you. I installed that but it still won't auto-login when I hit the wiki page. In another place I read that I need to disable the LDAPAuthentication2 extension, so I also tried to disable that, but same thing. Do you still need to click the Login link to log in automatically? When I do that i get a message: "The supplied credentials are not associated with any user on this wiki." but I have the createaccount setting set to true, as well as the autocreateaccount. Am I missing something else?

If you don't need form based authentication, you can disable Extension:LDAPAuthentication2 completely. If Extension:Auth_remoteuser does not log you in automatically there can be three reasons:

• $_SERVER['REMOTE_USER'] is not properly set by the websever. Validate this by using a `phpinfo();` in a new file in the document root.
• $_SERVER['REMOTE_USER'] contains characters that are not allowed as MediaWiki usernames.
• Extension:LDAPAuthorization prevents the implicit login due to authorization issues. You may want to enable LDAP debugging to get more information.

Now I'm finally getting the wiki to use AD to authenticate existing users, but new users are not getting accounts created automatically. I have both of these set to true: $wgGroupPermissions['*']['autocreateaccount'] = true; and $wgGroupPermissions['*']['createaccount'] = true; but the new accounts never show up in the mySQL users table. Plus, people who are not in the database are getting website Error 500 and none of the log files are being written to, nor in the system Event log for IIS. Once more, I'm stuck again.

"Error 500" means there is an issue in the Wiki application. Are there also no outputs in the PHP error log?

The only PHP 7.4 error logged when someone goes to the MW webpage and their account is not in the MySQL user table is this:

[14-Jun-2021 21:40:26 UTC] PHP Deprecated:  Directive 'track_errors' is deprecated in Unknown on line 0

So it edited php.ini and set "track_errors" to "off" and we will see if that error goes away.

Also, here are all of the debug settings I have enabled in LocalSettings.php file:

$wgShowExceptionDetails = true;

$wgDebugLogFile = '\\temp\\wikidbg.log'; 

$wgDebugLogGroups['PluggableAuth'] = '\\temp\\PLUG.log';

$wgDebugLogGroups['LDAP'] = '\\temp\\LDAP.log';

$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] = '\\temp\\LDprov.log';

$wgDebugLogGroups['LDAPGroups'] = '\\temp\\LDgrp.log';

$wgDebugLogGroups['LDAPUserInfo'] = '\\temp\\LDui.log';

$wgDebugLogGroups['LDAPAuthorization'] = '\\temp\\LDAPauthor.log';

Not a single entry anywhere, not even in Windows event log, when a non-existing user goes to the MW webpage. yet it works for everyone who is in the user table just fine. I also have both account create variables set to true...any ideas?

Here is the webpage they see when they hit the page (note that active directory is enabled and they are on the network so it should log them in automagically like it does to those users who are already in the sql user table): https://ibb.co/dj9rHnZ

Please make sure the "\\temp" directory as well as the "php_error.log" file are writeable for the webserver user (probably "IUSR" or something). Windows can be tricky when it comes to FS permissions.

They are writeable since I generated other errors in another app that uses the same php version and it wrote those errors. Plus the other log files work if I generate thrown errors. So whatever the problem is, it is not causing a loggable error.

It's acting like it is unable to create new account, no matter what I have $wgGroupPermissions[] set to. Need more thoughts on how to troubleshoot this please, none of the log files are logging any errors for when users hit the page and get the Error 500, not even the IIS event log...?! And yes, my perms are set properly for all of the log files on the server since previous problems on this long trail of tears has shown other errors being logged from the other extensions.

Can you maybe share a screenshot of that error 500 (you can use some "pastebin" like tools on the web). If possible also a screenshot that shows the "Network" panel of the browsers developer tools. You may need to redact sensitive information (like server or user names, base urls, ...)

The error 500 screen is shown in the link above. Still trying to get someone who cannot log in to get me a screenshot of the browser dev tools network tab...

The screenshot does not show an error 500. It is a regular error message in the form based authentication process, shown when there is not local user account in the database. It is not emitted by the LDAP-Stack extensions, but rather by MediaWiki core software. Can you confirm you have the "autocreateaccount" permission assigned to the group of unauthenticated users ("*")?

Here is that part of LocalSettings.php in /mediawiki directory: .

$wgGroupPermissions['*']['createaccount'] = false;

$wgGroupPermissions['*']['autocreateaccount'] = true;

$wgGroupPermissions['*']['read'] = true;

$wgGroupPermissions['*']['edit'] = false;

$wgGroupPermissions['write']['edit'] = true;

$wgGroupPermissions['developers']['edit'] = true;

$wgGroupPermissions['*']['createpage'] = false;

$wgGroupPermissions['write']['createpage'] = true;

$wgGroupPermissions['developers']['createpage'] = true;

$wgGroupPermissions['bureaucrat']['userrights'] = true;

.

So the problem appears to be code in auth_remoteuser extension file UserNameSessionInfo.php and I had to comment out this code:

1. if ( !Hooks::run( static::HOOKNAME, [ &$filteredUserName ] ) ) {
2. $metadata[ 'filteredUserName' ] = $filteredUserName;
3. $this->logger->warning(
4. "Can't login remote user '{remoteUserName}' automatically. " .
5. "Blocked this user when applying filter to '{filteredUserName}'.",
6. $metadata
7. );
8. continue;
9. }

Not sure what it even tries to do, but it would never work properly and nobody could get authenticated via active directory and automatically logged in. When I commented this section out, everything works as expected! I manually stripped the domain from the front of the username info and allowed it to get properly stuffed into the filtered name array. Would be great if somebody would tell me what this HOOKNAME stuff is trying to do...

This hook is used by Extension:LDAPAuthorization extension to prevent auto login of users that do not match certain criterias (e.g. LDAP group membership). If you don't need that feature I recommend to disable LDAPAuthorization in general.

I have an issue where enabling LDAP Authorization for a specific LDAP group disables the use of local wiki account logins. I get the message "User not authorized" as if I was using a bad password or user which is not in the group.

If I disable the LDAP Authorization extension then my local wiki login works again.

Is there a way to work around this? Would it help to create a custom wiki group?

We need local logins for visitors and temporary users which do not need an LDAP account.

I'm using MediaWiki 1.35 with PHP 7.3.22.

Please share your "authorization" config section. Also please check with "LDAPProvider/maintenance/ShowUserInfo.php" and "LDAPProvider/maintenance/ShowUserGroups.php" what the application "sees".

@Osnard here's the authorization section from my JSON file.

                "authorization": {

                            "rules": {

                               "groups": {

                                  "required": ["cn=ausadmins,ou=Groups,ou=IMSS,o=Caltech,c=US"]

                                  }

                                }

                },

I can run the ShowUserGroups.php and ShowUserInfo.php scripts to query LDAP. They return the expected information.

If it helps we do have a wiki farm/family configuration. So I configure SERVER_NAME accordingly and give the --wiki option for running those scripts.

Yes, looks like others have the same issue. I have created a bug report: https://phabricator.wikimedia.org/T275496

Please feel free to add info to that task.