Extension talk:LDAP Authentication
How to ask for support
There are a couple of key pieces of info I always need:
- The MediaWiki version you are using
- The LdapAuthentication extension version you are using
I will very often need to see two other things when you ask for support, so you should have them prepared:
- Your configuration, with sensitive stuff snipped out
- The extension's debug log, with sensitive stuff snipped out
When you are trying to debug an authentication problem, you should always use the most basic configuration possible. For instance, if you don't have basic authentication working yet, you shouldn't have group restrictions or group synchronization enabled yet. I will generally ask you to disable these things when debugging.
Also, $wgLDAPUseLocal is almost never what you want to use. It's a frequent cause of configuration issues, and unless you really know what you are doing, it should not be set (or explicitly set to false, which is the default).
Most importantly of all: ensure you are using the newest version of the extension. From the snapshot manager, that's the "trunk" version. If you are using svn, just make sure you run svn up. This is one of the more common causes of problems.
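As an added aid for the two "sensitive stuff snipped out" items above (this is not part of the extension; it is a hypothetical helper written against the log and config formats that appear on this page), the following Python script scrubs the places where the extension's debug log at $wgLDAPDebug = 3 and a LocalSettings.php excerpt carry secrets in clear text. The sample lines are constructed after the logs posted further down.

```python
"""Redact secrets from an LdapAuthentication debug log and a LocalSettings.php
excerpt before posting them for support.

Hypothetical helper, not part of the extension. It targets the places where
the extension's debug log (at $wgLDAPDebug = 3) and the config put secrets in
clear text: "with password: ..." lines, a logged ldap_bind(... password=...)
call, and the $wgLDAPProxyAgentPassword setting.
"""
import re

# (regex, replacement) pairs; each is applied to every line.
PATTERNS = [
    # "Failed to bind as ..." is followed by "with password: <clear text>"
    (re.compile(r"(with password:\s*).*$"), r"\g<1>[REDACTED]"),
    # a logged call such as "ldap_bind( conn_handle=..., userdn=..., password=secret ).."
    (re.compile(r"(\bpassword=)[^\s)]*"), r"\g<1>[REDACTED]"),
    # $wgLDAPProxyAgentPassword = array( 'domain' => 'secret' );  (single or double quotes)
    (re.compile(r"""(\$wgLDAPProxyAgentPassword\s*=\s*array\(\s*(['"])[^'"]*\2\s*=>\s*)(['"])[^'"]*\3"""),
     r"\g<1>\g<3>[REDACTED]\g<3>"),
]


def redact_line(line):
    """Return the line with every matching secret replaced by [REDACTED]."""
    for pattern, replacement in PATTERNS:
        line = pattern.sub(replacement, line)
    return line


def redact(text):
    """Redact a whole log or config excerpt.

    Returns (redacted_text, number_of_lines_changed) so the poster can see
    that something was actually caught before pasting the result.
    """
    out, changed = [], 0
    for line in text.splitlines():
        new = redact_line(line)
        if new != line:
            changed += 1
        out.append(new)
    return "\n".join(out), changed


# Constructed sample modelled on the debug log and config excerpts in this thread.
SAMPLE = r"""2011-06-30 14:22:24 wikidb-sij_: 1.2e Binding as the user
2011-06-30 14:22:24 wikidb-sij_: 1.2e ldap_bind( conn_handle=Resource id #86, userdn=DOMAIN\user1, password=user1pwd )..
2011-06-30 14:22:24 wikidb-sij_: 1.2e Failed to bind as DOMAIN\user1
2011-06-30 14:22:24 wikidb-sij_: 1.2e with password: user1pwd
2011-06-30 14:22:24 wikidb-sij_: 1.2e Entering strict.
$wgLDAPProxyAgent = array( 'mydomain' => 'CN=search,OU=Users,DC=domain,DC=example,DC=com' );
$wgLDAPProxyAgentPassword = array( 'mydomain' => 'proxysecret' );
"""

if __name__ == "__main__":
    cleaned, n = redact(SAMPLE)
    print(cleaned)
    print("lines changed:", n)
```

Run it over the real debug.log and the LocalSettings.php excerpt and check that the reported count is what you expect before posting; anything the patterns miss still has to be snipped by hand.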
How to submit a bug
If you've found a bug, please submit it here.
Archives
Hi,
I'm using Zimbra (open source edition), which also comes with LDAP. I have now installed MediaWiki and would like to use Zimbra for LDAP authentication.
I tested the documented setup and searched around for different setups, but no go. Is anyone already using Zimbra LDAP with MediaWiki who could post a working configuration?
Let's say my Zimbra installation is running on zimbra.mydomain.com. In the debug log for the extension I'm able to connect successfully to zimbra.mydomain.com, but for the different configurations I have tested it fails after that. So, any hope that someone could post a working configuration to put in LocalSettings.php?
Running MediaWiki on Linux.
Thanks.
Well, you kind of need to know how the zimbra LDAP is configured. This plugin won't do any form of auto-detection or auto-configuration.
Working on the same problem. The main problem is that the Zimbra LDAP has some very strict ACLs on the group tree (we're also using posix). Tried it with a bind user, but the plugin always seems to try to bind with the regular user, which doesn't have read rights in that part of the LDAP tree. There are some options: allow everyone to read more of the LDAP, or do the complete lookup with the bind user, which probably would require a rewrite of the plugin. If someone has other options....
Hello, I have a problem with the LDAPAuthentication. Maybe someone can help me. The user authentication should be managed through Active Directory (Exchange 2003). The problem is that users cannot log in. The error log always says "bind failed". The password is definitely correct; I've also tried using encryptiontype = 'clear', but same result. I got the server's certificate, put it into the described folder, C:\openldap\sysconf\certs.pem, and modified the ldap.conf. In Active Directory all users are in the default folder "Users".
Any mistakes in the config or what can cause the problem?
The following versions are installed:
- MediaWiki 1.16.5
- PHP 5.3.5 (XAMPP)
- MySQL 5.5.8 (XAMPP)
- LDAPAuthPlugin 1.0.8.6
LocalSettings config:
## install extension for AD - Integration
require_once("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( 'DOMAIN' );
$wgLDAPServerNames = array( 'DOMAIN' => 'server2.domain.local' );
$wgLDAPSearchAttributes = array('DOMAIN' => 'uid');
$wgLDAPBaseDNs = array('DOMAIN' => 'dc=domain,dc=local');
$wgLDAPSearchStrings = array('DOMAIN' => 'uid=USER-NAME,ou=Users,dc=domain,dc=local');
$wgLDAPEncryptionType = array( 'DOMAIN' => 'ssl' ); #encryption-options are 'clear', 'ssl' (and default 'tls')
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;
## Logging Debug-Information for LDAP
$wgLDAPDebug = 3;
$wgDebugLogGroups["ldap"] = "C:/Program Files/xampp/htdocs/wiki/debug.log";
debug-log:
2011-06-14 12:56:12 wikidb-abc_: 1.2e Entering validDomain
2011-06-14 12:56:12 wikidb-abc_: 1.2e User is using a valid domain (DOMAIN).
2011-06-14 12:56:12 wikidb-abc_: 1.2e Setting domain as: DOMAIN
2011-06-14 12:56:12 wikidb-abc_: 1.2e Entering getCanonicalName
2011-06-14 12:56:12 wikidb-abc_: 1.2e Username isn't empty.
2011-06-14 12:56:12 wikidb-abc_: 1.2e Munged username: user1
2011-06-14 12:56:12 wikidb-abc_: 1.2e Entering authenticate
2011-06-14 12:56:12 wikidb-abc_: 1.2e
2011-06-14 12:56:12 wikidb-abc_: 1.2e Entering Connect
2011-06-14 12:56:12 wikidb-abc_: 1.2e Using SSL
2011-06-14 12:56:12 wikidb-abc_: 1.2e Using servers: ldaps://server2.domain.local
2011-06-14 12:56:12 wikidb-abc_: 1.2e Connected successfully
2011-06-14 12:56:12 wikidb-abc_: 1.2e Entering getSearchString
2011-06-14 12:56:12 wikidb-abc_: 1.2e Doing a straight bind
2011-06-14 12:56:12 wikidb-abc_: 1.2e userdn is: uid=User1,ou=Users,dc=domain,dc=local
2011-06-14 12:56:12 wikidb-abc_: 1.2e
2011-06-14 12:56:12 wikidb-abc_: 1.2e Binding as the user
2011-06-14 12:56:12 wikidb-abc_: 1.2e Failed to bind as uid=User1,ou=Users,dc=domain,dc=local
2011-06-14 12:56:12 wikidb-abc_: 1.2e with password: user1pwd
2011-06-14 12:56:12 wikidb-abc_: 1.2e Entering strict.
2011-06-14 12:56:12 wikidb-abc_: 1.2e Returning true in strict().
2011-06-14 12:56:12 wikidb-abc_: 1.2e Entering allowPasswordChange
2011-06-14 12:56:12 wikidb-abc_: 1.2e Entering modifyUITemplate
Try the config below (change the "DOMAIN" sections, also in "DOMAIN\\USER-NAME", but leave "USER-NAME" intact):
$wgLDAPDebug = 3;
$wgDebugLogGroups["ldap"] = "C:\log\ldap.log";
$wgLDAPDomainNames = array('DOMAIN',);
$wgLDAPServerNames = array('DOMAIN' => 'server2.domain.local',);
$wgLDAPSearchStrings = array('DOMAIN' => 'DOMAIN\\USER-NAME',);
$wgLDAPEncryptionType = array('DOMAIN' => 'clear',);
$wgLDAPBaseDNs = array('DOMAIN' => 'ou=Users,dc=domain,dc=local');
$wgLDAPSearchAttributes = array('DOMAIN' => 'sAMAccountName');
$wgLDAPProxyAgent = array("DOMAIN"=>"*****");
$wgLDAPProxyAgentPassword = array("DOMAIN"=>"*****");
$wgLDAPUpdateLDAP = array("DOMAIN"=>false);
$wgLDAPAddLDAPUsers = array("DOMAIN"=>false);
$wgLDAPPreferences = array( 'DOMAIN' => true );
Cheers,
Lucas
Hi Lucas.
First, thanks for your config. That helped a lot! I used it and can now authenticate with AD credentials.
But the connection is still in cleartext. To avoid MITM attacks the next step is to encrypt the connection via SSL. I changed the option:
$wgLDAPEncryptionType = array('DOMAIN' => 'ssl',);
I got the server's certificate using openssl (on an Ubuntu machine):
openssl s_client -showcerts -connect server2.domain.local:636
I extracted the certificate to a new file and tested it with:
openssl x509 -noout -text -in certs.pem
The output was similar to the example in the documentation, so the certificate file seems fine; no error occurred.
I placed the cert file at: C:\openldap\sysconf\certs.pem
I created the ldap.conf file C:\openldap\sysconf\ldap.conf containing the following line:
TLS_CACERT C:\openldap\sysconf\certs.pem
Restarted the web server.
The debug log still gives the old error message: Failed to bind as... Is there something special to consider with SSL?
Sorry, that is as far as I got. I forced SSL for my website but did not succeed in getting SSL working.
cheers,
Lucas
Check the certificate being used. Was it signed by a CA, or signed by itself?
openssl x509 -noout -text -in C:\openldap\sysconf\certs.pem
It is self-signed. Here is the output:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:03:f5:7d:00:02:00:00:00:3f
Signature Algorithm: sha1WithRSAEncryption
Issuer: DC=local, DC=domain, CN=Private Exchange Zertifizierungsstelle
Validity
Not Before: Feb 22 14:37:35 2011 GMT
Not After : Feb 22 14:37:35 2012 GMT
Subject: CN=server2.domain.local
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c6:50:[...(i've cut something)...]:60:09
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Key Encipherment
S/MIME Capabilities:
X509v3 Subject Key Identifier:
BE:B0:1E:3C:BC:EE:7D:28:B6:78:F5:D1:A6:02:F3:9C:31:F9:4A:68
1.3.6.1.4.1.311.20.2:
. .D.o.m.a.i.n.C.o.n.t.r.o.l.l.e.r
X509v3 Authority Key Identifier:
keyid:AE:60:A2:A5:5A:23:D8:59:9F:5C:B6:F6:CA:B1:0B:32:5B:1C:2D:C8
X509v3 CRL Distribution Points:
URI:ldap:///CN=Private%20Exchange%20Zertifizierungsstelle(1),CN=server2,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
URI:http://server2.domain.local/CertEnroll/Private%20Exchange%20Zertifizierungsstelle(1).crl
Authority Information Access:
CA Issuers - URI:ldap:///CN=Private%20Exchange%20Zertifizierungsstelle,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=local?cACertificate?base?objectClass=certificationAuthority
CA Issuers - URI:http://server2.domain.local/CertEnroll/server2.domain.local_Private%20Exchange%20Zertifizierungsstelle(2).crt
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Subject Alternative Name:
othername:<unsupported>, DNS:server2.domain.local
Signature Algorithm: sha1WithRSAEncryption
-----BEGIN CERTIFICATE-----
MIIGSTCCB[...(some other stuff here)...]yXbSrqc=
-----END CERTIFICATE-----
On the server I used the tool ldp.exe. A connection over SSL (port 636) can be established and the bind is OK there. So the server seems to be configured right; it accepts SSL connections. Nevertheless PHP still fails to bind when I try to log in to the wiki.
I've modified the "bindAs" method in LdapAuthentication.php to get a more informative error message:
function bindAs( $userdn = null, $password = null ) {
    // constant for ldap_bind() error-reporting; guarded so a second call does not redefine it
    if ( !defined( "LDAP_OPT_DIAGNOSTIC_MESSAGE" ) ) {
        define( "LDAP_OPT_DIAGNOSTIC_MESSAGE", 0x0032 );
    }
    // Let's see if the user can authenticate.
    if ( $userdn == null || $password == null ) {
        $bind = @ldap_bind( $this->ldapconn );
        $this->printDebug( "anonymous bind", HIGHLYSENSITIVE );
    } else {
        $this->printDebug( "trying to bind calling:", HIGHLYSENSITIVE );
        $this->printDebug( "\tldap_bind( conn_handle=$this->ldapconn, userdn=$userdn, password=$password )..", HIGHLYSENSITIVE );
        $bind = @ldap_bind( $this->ldapconn, $userdn, $password );
    }
    if ( !$bind ) {
        $this->printDebug( "\tldap_bind(...) failed.", HIGHLYSENSITIVE );
        $this->printDebug( "\tLDAP_Error Code : " . ldap_errno( $this->ldapconn ), HIGHLYSENSITIVE );
        $this->printDebug( "\tLDAP Error Msg : " . ldap_error( $this->ldapconn ), HIGHLYSENSITIVE );
        // the diagnostic message carries the library's extended error, e.g. the OpenSSL verify failure
        if ( ldap_get_option( $this->ldapconn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended_error ) ) {
            $this->printDebug( "\tLDAP Extended ErrorMsg: $extended_error", HIGHLYSENSITIVE );
        }
        $this->printDebug( "Failed to bind as $userdn", NONSENSITIVE );
        $this->printDebug( "with password: $password", HIGHLYSENSITIVE );
        return false;
    }
    return true;
}
The results are:
2011-06-30 14:22:24 wikidb-sij_: 1.2e Entering Connect
2011-06-30 14:22:24 wikidb-sij_: 1.2e Using SSL
2011-06-30 14:22:24 wikidb-sij_: 1.2e Using servers: ldaps://server2.domain.local
2011-06-30 14:22:24 wikidb-sij_: 1.2e Connection handle: Resource id #86
2011-06-30 14:22:24 wikidb-sij_: 1.2e Connected successfully
2011-06-30 14:22:24 wikidb-sij_: 1.2e Entering getSearchString
2011-06-30 14:22:24 wikidb-sij_: 1.2e Doing a straight bind
2011-06-30 14:22:24 wikidb-sij_: 1.2e userdn is: DOMAIN\user1
2011-06-30 14:22:24 wikidb-sij_: 1.2e
2011-06-30 14:22:24 wikidb-sij_: 1.2e Binding as the user
2011-06-30 14:22:24 wikidb-sij_: 1.2e trying to bind calling:
2011-06-30 14:22:24 wikidb-sij_: 1.2e ldap_bind( conn_handle=Resource id #86, userdn=DOMAIN\user1, password=user1pwd )..
2011-06-30 14:22:24 wikidb-sij_: 1.2e ldap_bind(...) failed.
2011-06-30 14:22:24 wikidb-sij_: 1.2e LDAP_Error Code : -1
2011-06-30 14:22:24 wikidb-sij_: 1.2e LDAP Error Msg : Can't contact LDAP server
2011-06-30 14:22:24 wikidb-sij_: 1.2e LDAP Extended ErrorMsg: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2011-06-30 14:22:24 wikidb-sij_: 1.2e Failed to bind as DOMAIN\user1
2011-06-30 14:22:24 wikidb-sij_: 1.2e with password: user1pwd
2011-06-30 14:22:24 wikidb-sij_: 1.2e Entering strict.
2011-06-30 14:22:24 wikidb-sij_: 1.2e Returning true in strict().
2011-06-30 14:22:24 wikidb-sij_: 1.2e Entering allowPasswordChange
2011-06-30 14:22:24 wikidb-sij_: 1.2e Entering modifyUITemplate
So there must be a problem with the certificate file. How can I test whether the certificate is valid or not?
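The dump above shows an Issuer (the private Exchange CA) that differs from the Subject (the server), so certs.pem holds the server's own end-entity certificate, whereas OpenLDAP's TLS_CACERT is defined as the file holding the CA certificates the client trusts, which is what "certificate verify failed" is complaining about. The following added Python helper (not part of the extension; the parser and classification are mine, written against the openssl x509 -text layout shown above) makes that check mechanical and reports where the issuing CA's certificate is published according to the AIA extension:

```python
"""Classify a server certificate from `openssl x509 -noout -text` output and
say what ldap.conf's TLS_CACERT must contain for the client to verify it.

Hypothetical helper, not part of the extension. Assumes the dump layout shown
in this thread and OpenLDAP's documented meaning of TLS_CACERT (a file holding
the CA certificates the client trusts).
"""


def parse_x509_text(text):
    """Extract issuer, subject, Basic Constraints CA flag, AIA CA-issuer URIs
    and subjectAltName entries from the text dump."""
    fields = {"issuer": None, "subject": None, "ca": False,
              "ca_issuers": [], "san": []}
    lines = [line.strip() for line in text.splitlines()]
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.startswith("Issuer:"):
            fields["issuer"] = line[len("Issuer:"):].strip()
        elif line.startswith("Subject:"):
            fields["subject"] = line[len("Subject:"):].strip()
        elif line.startswith("X509v3 Basic Constraints"):
            # the value is on the following line, e.g. "CA:TRUE" or "CA:FALSE"
            fields["ca"] = "CA:TRUE" in nxt
        elif line.startswith("CA Issuers - URI:"):
            fields["ca_issuers"].append(line[len("CA Issuers - URI:"):].strip())
        elif line.startswith("X509v3 Subject Alternative Name"):
            fields["san"] = [p.strip() for p in nxt.split(",") if p.strip()]
    return fields


def classify(fields):
    """'self-signed' when issuer == subject, 'ca' when Basic Constraints says
    CA:TRUE, otherwise 'end-entity' (a leaf signed by some other CA)."""
    if not fields["issuer"] or not fields["subject"]:
        return "unparseable"
    if fields["issuer"] == fields["subject"]:
        return "self-signed"
    if fields["ca"]:
        return "ca"
    return "end-entity"


def tls_cacert_advice(fields, ldap_host):
    """Return what TLS_CACERT needs and whether the cert names ldap_host."""
    kind = classify(fields)
    names = set(fields["san"])
    if fields["subject"] and "CN=" in fields["subject"]:
        cn = fields["subject"].rsplit("CN=", 1)[1].split(",")[0].strip()
        names.add("DNS:" + cn)
    name_matches = ("DNS:" + ldap_host) in names
    if kind == "self-signed":
        needs = "this certificate itself"
    elif kind == "end-entity":
        needs = "the certificate of the issuing CA (" + fields["issuer"] + ")"
        if fields["ca_issuers"]:
            needs += ", which the AIA extension says is published at: " + ", ".join(fields["ca_issuers"])
    elif kind == "ca":
        needs = "this CA certificate plus every CA above it up to the root"
    else:
        needs = "could not parse the dump"
    return {"kind": kind, "name_matches": name_matches, "tls_cacert_needs": needs}


# Constructed sample: the relevant lines of the dump posted above, with the
# key, signature and S/MIME blobs left out.
SAMPLE_DUMP = """Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=local, DC=domain, CN=Private Exchange Zertifizierungsstelle
        Subject: CN=server2.domain.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            Authority Information Access:
                CA Issuers - URI:http://server2.domain.local/CertEnroll/server2.domain.local_Private%20Exchange%20Zertifizierungsstelle(2).crt
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                othername:<unsupported>, DNS:server2.domain.local
"""

if __name__ == "__main__":
    print(tls_cacert_advice(parse_x509_text(SAMPLE_DUMP), "server2.domain.local"))
```

Feed it the output of "openssl x509 -noout -text -in certs.pem"; once TLS_CACERT points at the CA certificate, "openssl s_client -connect server2.domain.local:636 -CAfile <that file>" should report "Verify return code: 0 (ok)" before PHP is retried.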
Hi, I'm having problems with the LDAP login feature on my wiki. It was working fine, but now when I try to log in with correct details and then try to go into the special pages it keeps saying "You must be logged in to access this page directly." Does anyone know why this "Undefined Index: wsDomain" error is being shown at the top of the page? Is this something to do with my LDAP plugin?
Sorry, forgot the debug log, it's below:
2011-09-28 08:32:16 wikidb: 1.2e Entering validDomain
2011-09-28 08:32:16 wikidb: 1.2e User is not using a valid domain ().
2011-09-28 08:32:16 wikidb: 1.2e Setting domain as: invaliddomain
2011-09-28 08:32:16 wikidb: 1.2e Entering allowPasswordChange
2011-09-28 08:32:16 wikidb: 1.2e Entering modifyUITemplate
2011-09-28 08:32:32 wikidb: 1.2e Entering validDomain
2011-09-28 08:32:32 wikidb: 1.2e User is using a valid domain (hmrcmis).
2011-09-28 08:32:32 wikidb: 1.2e Setting domain as: hmrcmis
2011-09-28 08:32:32 wikidb: 1.2e Entering getCanonicalName
2011-09-28 08:32:32 wikidb: 1.2e Username isn't empty.
2011-09-28 08:32:32 wikidb: 1.2e Munged username: Cg10223
2011-09-28 08:32:32 wikidb: 1.2e Entering authenticate
2011-09-28 08:32:32 wikidb: 1.2e
2011-09-28 08:32:32 wikidb: 1.2e Entering Connect
2011-09-28 08:32:32 wikidb: 1.2e Using TLS or not using encryption.
2011-09-28 08:32:32 wikidb: 1.2e Using servers: ldap://11.111.111.11:111
2011-09-28 08:32:32 wikidb: 1.2e Connected successfully
2011-09-28 08:32:32 wikidb: 1.2e Entering getSearchString
2011-09-28 08:32:32 wikidb: 1.2e Doing a straight bind
2011-09-28 08:32:32 wikidb: 1.2e userdn is: Cg10223@hmrcmis.net
2011-09-28 08:32:32 wikidb: 1.2e
2011-09-28 08:32:32 wikidb: 1.2e Binding as the user
2011-09-28 08:32:32 wikidb: 1.2e Bound successfully
2011-09-28 08:32:32 wikidb: 1.2e Entering getUserDN
2011-09-28 08:32:32 wikidb: 1.2e Created a regular filter: (sAMAccountName=Cg10223)
2011-09-28 08:32:32 wikidb: 1.2e Entering getBaseDN
2011-09-28 08:32:32 wikidb: 1.2e basedn is not set for this type of entry, trying to get the default basedn.
2011-09-28 08:32:32 wikidb: 1.2e Entering getBaseDN
2011-09-28 08:32:32 wikidb: 1.2e basedn is ou=End User,dc=hmrcmis,dc=net
2011-09-28 08:32:32 wikidb: 1.2e Using base: ou=End User,dc=hmrcmis,dc=net
2011-09-28 08:32:32 wikidb: 1.2e Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
2011-09-28 08:32:32 wikidb: 1.2e Pulled the user's DN: CN=CG10223,OU=NoRoamingProfile,OU=Relaxed,OU=Accounts,OU=End User,DC=hmrcmis,DC=net
2011-09-28 08:32:32 wikidb: 1.2e Entering getGroups
2011-09-28 08:32:32 wikidb: 1.2e Entering checkGroups
2011-09-28 08:32:32 wikidb: 1.2e Entering getPreferences
2011-09-28 08:32:32 wikidb: 1.2e Entering synchUsername
2011-09-28 08:32:32 wikidb: 1.2e Authentication passed
2011-09-28 08:32:32 wikidb: 1.2e Entering updateUser
2011-09-28 08:32:32 wikidb: 1.2e Entering allowPasswordChange
This issue has cropped up before and is referenced throughout the archives. It looks like Ryan has been unable to reproduce the error. Here is the last entry I noticed on this topic from Archive 2: Extension_talk:LDAP_Authentication/Archive_2#Undefined_index:_wsDomain_error
This error happened to me, as well. It appears to be caused by an expired LDAP session. Even though the LDAP session timed out, wiki allows the user to stay logged in. So when the user tries to access "My Preferences", they will get the Undefined Index error. I eliminated the error by logging out and back in.
The solution should be to simply check for an active LDAP session, and force the user to log back in if it expired. It's not a fatal error, so I haven't had a chance to research it further than this.
I'm actually seeing the problem myself now as well. I'm having a hard time tracking down the issue. It's likely an issue in MediaWiki, but I'll also continue looking through the extension for this.
FIX (patch):
--- /tmp/foobar 2011-11-14 11:35:23.000000000 +0100
+++ LdapAuthentication.php 2011-11-14 11:47:13.000000000 +0100
@@ -649,18 +649,22 @@
$retval = false;
- // Local domains need to be able to change passwords
- if ( ( isset( $wgLDAPUseLocal ) && $wgLDAPUseLocal ) && 'local' == $_SESSION['wsDomain'] ) {
- $retval = true;
- }
+ if ( isset( $_SESSION['wsDomain'] ) ) {
- if ( isset( $wgLDAPUpdateLDAP[$_SESSION['wsDomain']] ) && $wgLDAPUpdateLDAP[$_SESSION['wsDomain']] ) {
- $retval = true;
- }
+ // Local domains need to be able to change passwords
+ if ( ( isset( $wgLDAPUseLocal ) && $wgLDAPUseLocal ) && 'local' == $_SESSION['wsDomain'] ) {
+ $retval = true;
+ }
+
+ if ( isset( $wgLDAPUpdateLDAP[$_SESSION['wsDomain']] ) && $wgLDAPUpdateLDAP[$_SESSION['wsDomain']] ) {
+ $retval = true;
+ }
+
+ if ( isset( $wgLDAPMailPassword[$_SESSION['wsDomain']] ) && $wgLDAPMailPassword[$_SESSION['wsDomain']] ) {
+ $retval = true;
+ }
- if ( isset( $wgLDAPMailPassword[$_SESSION['wsDomain']] ) && $wgLDAPMailPassword[$_SESSION['wsDomain']] ) {
- $retval = true;
- }
+ }
return $retval;
}
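Review bot: the new "if ( isset( $_SESSION['wsDomain'] ) )" guard stops the undefined-index notice, but allowPasswordChange() now returns false silently whenever the key is missing, which is exactly the expired-session case reported above: the user loses the password-change option and nothing in the debug log says why. Add an else branch with a printDebug() line ("wsDomain not set in session, denying password change"), and since the hunk does not touch the place where the domain is stored in the session ("Setting domain as:" in the debug log), say in the commit message that the root cause, the key disappearing from an otherwise valid session, is still open rather than fixed.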
BEFORE:
function allowPasswordChange() {
    global $wgLDAPUpdateLDAP, $wgLDAPMailPassword;
    global $wgLDAPUseLocal;
    $this->printDebug( "Entering allowPasswordChange", NONSENSITIVE );
    $retval = false;
    // Local domains need to be able to change passwords
    if ( ( isset( $wgLDAPUseLocal ) && $wgLDAPUseLocal ) && 'local' == $_SESSION['wsDomain'] ) {
        $retval = true;
    }
    if ( isset( $wgLDAPUpdateLDAP[$_SESSION['wsDomain']] ) && $wgLDAPUpdateLDAP[$_SESSION['wsDomain']] ) {
        $retval = true;
    }
    if ( isset( $wgLDAPMailPassword[$_SESSION['wsDomain']] ) && $wgLDAPMailPassword[$_SESSION['wsDomain']] ) {
        $retval = true;
    }
    return $retval;
}
AFTER:
function allowPasswordChange() {
    global $wgLDAPUpdateLDAP, $wgLDAPMailPassword;
    global $wgLDAPUseLocal;
    $this->printDebug( "Entering allowPasswordChange", NONSENSITIVE );
    $retval = false;
    if ( isset( $_SESSION['wsDomain'] ) ) {
        // Local domains need to be able to change passwords
        if ( ( isset( $wgLDAPUseLocal ) && $wgLDAPUseLocal ) && 'local' == $_SESSION['wsDomain'] ) {
            $retval = true;
        }
        if ( isset( $wgLDAPUpdateLDAP[$_SESSION['wsDomain']] ) && $wgLDAPUpdateLDAP[$_SESSION['wsDomain']] ) {
            $retval = true;
        }
        if ( isset( $wgLDAPMailPassword[$_SESSION['wsDomain']] ) && $wgLDAPMailPassword[$_SESSION['wsDomain']] ) {
            $retval = true;
        }
    }
    return $retval;
}
What I've done: $_SESSION['wsDomain'] is not defined, so check this first...
I didn't dig deeper and I don't know whether wsDomain should be defined in the session. If it should be defined, then this is just a temporary workaround and not a permanent fix :)
MediaWiki 1.18.1
PHP 5.3.6 (cgi-fcgi)
MySQL 5.5.12
LdapAuthentication-trunk-r108179
Windows 2008R2 AD
Sometimes I get this error:
Warning: ldap_start_tls(): Unable to start TLS: Can't contact LDAP server in LdapAuthentication.php on line 577
After logging on to the wiki again this text disappears. In the configuration: $wgLDAPEncryptionType = array('VG' => 'clear');
A small addition. In debug.log I see:
2012-01-13 06:21:56 WikiVG: 2.0a Using servers:
with an empty server.
After logging in to the wiki again, in the new lines I see:
2012-01-13 06:21:40 WikiVG: 2.0a Using servers: ldap://vs-dc-16-2.vg.local:389
But after a short time (about 5 min) I get the error again.
Have you tried applying this patch? MediaWiki 1.18 has a bug that messes up ldap user sessions.
Just applied this patch. Testing. Thanks for help.
This is the same issue I reported in this thread, and while this patch did fix part of my issue, I'm still getting this error when searching or clicking any "redlink" pages while NOT logged in. Once I log in, the errors go away (for me). I also tried installing LDAP Authentication r108775 without improvement.
I still have high hopes that Ryan will be able to figure it out!
Hello,
I'm not sure this is the place for a patch, so tell me if I'm wrong.
I want to load user attributes from LDAP while allowing users to change their nicknames (or signatures) or real names. So I added an option to control whether or not to override the current MediaWiki user preferences.
I'm submitting the patch. I would like to have this feature in the extension.
patch:
--- C:/Users/iwao/Downloads/LdapAuthentication.trunk.php Thu Jan 12 09:38:09 2012
+++ C:/Users/iwao/Downloads/LdapAuthentication.php Thu Jan 12 13:30:21 2012
@@ -53,6 +53,7 @@
$wgLDAPPasswordHash = array();
$wgLDAPMailPassword = array();
$wgLDAPPreferences = array();
+$wgLDAPPreferencesNoOverride = array();
$wgLDAPDisableAutoCreate = array();
$wgLDAPDebug = 0;
$wgLDAPGroupUseFullDN = array();
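Review bot: the new $wgLDAPPreferencesNoOverride default is added without a comment describing its layout; put a one-line comment above it stating the shape (domain => array( preference => bool )) and that the empty default means every preference listed in $wgLDAPPreferences is overwritten on each login, and add the option to the Options page so the meaning is discoverable without this talk page.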
@@ -389,6 +390,9 @@
case 'Preferences':
global $wgLDAPPreferences;
return self::setOrDefault( $wgLDAPPreferences, $domain, array() );
+ case 'PreferencesNoOverride':
+ global $wgLDAPPreferencesNoOverride;
+ return self::setOrDefault( $wgLDAPPreferencesNoOverride, $domain, array() );
case 'DisableAutoCreate':
global $wgLDAPDisableAutoCreate;
return self::setOrDefault( $wgLDAPDisableAutoCreate, $domain, false );
@@ -1042,6 +1046,27 @@
}
/**
+ * Check if the current user preference is invalid and to update
+ *
+ * @param $pref Preference to set
+ * @param $oldvalue Old value stored in MediaWiki
+ * @param $newvalue New value to set
+ */
+ private function isUserPreferenceInvalid( $pref, $oldvalue, $newvalue ) {
+ $this->printDebug( "Entering isUserPreferenceInvalid", NONSENSITIVE );
+ $nooverride = $this->getConf( 'PreferencesNoOverride' );
+ $this->printDebug( $nooverride [ $pref ] ? 'true' : 'false', NONSENSITIVE);
+ if ( $newvalue ) {
+ if ( is_null( $oldvalue ) ||
+ ( !isset( $nooverride[ $pref ] ) || $nooverride[ $pref ] ) ) {
+
+ return true;
+ }
+ }
+ return false;
+ }
+
+ /**
* When a user logs in, update user with information from LDAP.
*
* @param $user User
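Review bot: the condition in isUserPreferenceInvalid() is inverted with respect to the option's name: "!isset( $nooverride[ $pref ] ) || $nooverride[ $pref ]" returns true, i.e. overwrite, when a preference is listed with true, so "realname" => true still overwrites realname and only false protects it, which is the opposite of the usage note below the patch. To match that note, overwrite only when the preference is absent or false, e.g. "is_null( $oldvalue ) || empty( $nooverride[ $pref ] )". Two smaller points in the same helper: the printDebug( $nooverride [ $pref ] ... ) line reads the index without isset() and raises a notice for every preference that is not listed, and is_null( $oldvalue ) is never true for realname or email, whose getters return an empty string when unset, so a freshly created account with a protected preference never receives its LDAP value at all; treat '' like null there.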
@@ -1058,24 +1083,27 @@
if ( $this->getConf( 'Preferences' ) ) {
$this->printDebug( "Setting user preferences.", NONSENSITIVE );
- if ( $this->lang ) {
+ if ( $this->isUserPreferenceInvalid( 'language', $user->getOption('language'), $this->lang ) ) {
$this->printDebug( "Setting language.", NONSENSITIVE );
$user->setOption( 'language', $this->lang );
+ $saveSettings = true;
}
- if ( $this->nickname ) {
+ if ( $this->isUserPreferenceInvalid( 'nickname', $user->getOption( 'nickname' ), $this->nickname ) ) {
$this->printDebug( "Setting nickname.", NONSENSITIVE );
$user->setOption( 'nickname', $this->nickname );
+ $saveSettings = true;
}
- if ( $this->realname ) {
+ if ( $this->isUserPreferenceInvalid( 'realname', $user->getRealName(), $this->realname ) ) {
$this->printDebug( "Setting realname.", NONSENSITIVE );
$user->setRealName( $this->realname );
+ $saveSettings = true;
}
- if ( $this->email ) {
+ if ( $this->isUserPreferenceInvalid( 'email', $user->getEmail(), $this->email ) ) {
$this->printDebug( "Setting email.", NONSENSITIVE );
$user->setEmail( $this->email );
$user->confirmEmail();
+ $saveSettings = true;
}
- $saveSettings = true;
}
if ( $this->getConf( 'UseLDAPGroups' ) ) {
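Review bot: $saveSettings is now assigned only inside the four branches and the removed unconditional "$saveSettings = true;" was the only assignment visible in this hunk; unless it is initialised to false before the "if ( $this->getConf( 'Preferences' ) )" block (not shown here), the later check of $saveSettings raises an undefined-variable notice on every login where no preference changed. Add "$saveSettings = false;" ahead of the block, or keep the assignment unconditional and let the helper decide what gets set.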
Options shall be specified like this:
$wgLDAPPreferencesNoOverride = array( "mydomain" => array( "realname" => true, "nickname" => false ) );
If not specified, user preferences will be overridden.
Hello
- MediaWiki 1.18.0
- PHP 5.3.8 (cgi-fcgi)
- LDAPAuthentication: trunk (r108101)
The user-name mapping configuration hook doesn't work as expected. I assume this feature enables the wiki to display a different username while using another id for LDAP authentication.
I set up the extension so users can log in to the wiki with their LDAP username and display their e-mail address as their username. However, the extension tries to authenticate with the hooked username instead of the LDAP username.
In the log, the first time it performs the search with my LDAP ID (sAMAccountName=myLDAPid), but the second time it performs it with the hooked username (sAMAccountName=Yuryu).
Is this expected?
from LocalSettings.php:
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( 'mydomain' );
$wgLDAPServerNames = array( 'mydomain' => 'domain.example.com' );
$wgLDAPSearchAttributes = array( 'mydomain' => 'sAMAccountName' );
$wgLDAPBaseDNs = array( 'mydomain' => 'DC=domain,DC=example,DC=com' );
$wgLDAPEncryptionType = array( 'mydomain' => 'clear' );
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 6;
$wgLDAPProxyAgent = array( 'mydomain' => 'CN=search,OU=Users,DC=domain,DC=example,DC=com' );
$wgLDAPProxyAgentPassword = array( 'mydomain' => 'password' );
$wgLDAPPreferences = array( "mydomain"=>array( "email"=>"mail", "realname"=>"displayname","nickname"=>"givenname") );
$wgLDAPDebug = 2;
$wgDebugLogGroups["ldap"] = "c:/windows/temp/mwldap.log";
$wgHooks['SetUsernameAttributeFromLDAP'][] = 'SetUsernameAttribute';
function SetUsernameAttribute( &$LDAPUsername, $info ) {
    // $info is the user's LDAP entry; use the local part of its first mail value as the wiki username
    $mail_user = explode( '@', $info[0]['mail'][0] );
    $LDAPUsername = $mail_user[0];
    return true;
}
Log (stripped):
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Entering validDomain
2012-01-05 08:02:33 mediawiki-mw_: 2.0a User is using a valid domain (mydomain).
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Setting domain as: mydomain
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Entering getCanonicalName
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Username isn't empty.
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Entering Connect
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Using TLS or not using encryption.
2012-01-05 08:02:33 mediawiki-mw_: 2.0a PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Entering getUserDN
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Doing a proxy bind
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Created a regular filter: (sAMAccountName=myLDAPid)
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Entering getBaseDN
2012-01-05 08:02:33 mediawiki-mw_: 2.0a basedn is not set for this type of entry, trying to get the default basedn.
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Entering getBaseDN
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Using base: DC=domain,DC=example,DC=com
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Username munged by hook: yuryu
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Using LDAPUsername: yuryu
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Munged username: Yuryu
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Entering getCanonicalName
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Username isn't empty.
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Entering Connect
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Using TLS or not using encryption.
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Using servers: ldap://domain.example.com:389
2012-01-05 08:02:33 mediawiki-mw_: 2.0a PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Entering getUserDN
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Doing a proxy bind
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Created a regular filter: (sAMAccountName=Yuryu)
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Entering getBaseDN
2012-01-05 08:02:33 mediawiki-mw_: 2.0a basedn is not set for this type of entry, trying to get the default basedn.
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Entering getBaseDN
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Using base: DC=domain,DC=example,DC=com
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Couldn't find an entry
2012-01-05 08:02:33 mediawiki-mw_: entering SetUsernameAttribute
2012-01-05 08:02:33 mediawiki-mw_: LDAPUsername = yuryu
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Username munged by hook: yuryu
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Using LDAPUsername: yuryu
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Munged username: Yuryu
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Entering getCanonicalName
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Username isn't empty.
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Fetched userInfo from memcache.
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Username matched a key in memcache, using the fetched name: Yuryu
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Entering getCanonicalName
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Username isn't empty.
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Fetched userInfo from memcache.
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Username matched a key in memcache, using the fetched name: Yuryu
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Entering userExists
2012-01-05 08:02:33 mediawiki-mw_: 2.0a
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Entering authenticate for username Yuryu
2012-01-05 08:02:33 mediawiki-mw_: 2.0a
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Entering Connect
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Using TLS or not using encryption.
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Using servers: ldap://domain.example.com:389
2012-01-05 08:02:33 mediawiki-mw_: 2.0a PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Entering getSearchString
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Entering getUserDN
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Doing a proxy bind
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Created a regular filter: (sAMAccountName=Yuryu)
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Entering getBaseDN
2012-01-05 08:02:33 mediawiki-mw_: 2.0a basedn is not set for this type of entry, trying to get the default basedn.
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Entering getBaseDN
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Using base: DC=domain,DC=example,DC=com
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Couldn't find an entry
2012-01-05 08:02:33 mediawiki-mw_: 2.0a userdn is:
2012-01-05 08:02:33 mediawiki-mw_: 2.0a User DN is blank
2012-01-05 08:02:34 mediawiki-mw_: 2.0a Entering allowPasswordChange
2012-01-05 08:02:34 mediawiki-mw_: 2.0a Entering modifyUITemplate
This is likely a bug due to refactoring in 2.0a. I'll try to test this and fix it soon.
I've configured LDAP and got it working. However, after I login, if I visit the Special:SpecialPages page, I get this error:
PHP Warning: strtok() expects parameter 1 to be string, array given in C:\inetpub\wwwroot\twiki\extensions\LdapAuthentication\LdapAuthentication.php on line 566
PHP Warning: ldap_start_tls(): Unable to start TLS: Can't contact LDAP server in C:\inetpub\wwwroot\twiki\extensions\LdapAuthentication\LdapAuthentication.php on line 589
PHP Warning: strtok() expects parameter 1 to be string, array given in C:\inetpub\wwwroot\twiki\extensions\LdapAuthentication\LdapAuthentication.php on line 566
PHP Warning: ldap_start_tls(): Unable to start TLS: Can't contact LDAP server in C:\inetpub\wwwroot\twiki\extensions\LdapAuthentication\LdapAuthentication.php on line 589
Once I get the error, I get it on every page until I manually go to the logout page and logout. I'm quite confused why I get this error after the LDAP authentication has already happened. I'm just using basic authentication - no searches or groups, and every other page I've tested works. Only Special:SpecialPages is having trouble. If I logout, I can visit SpecialPages without issue. The problem only occurs after I've logged in.
- MediaWiki 1.18
- LDAPAuthentication Revision 107956 pulled from SVN on 3-Jan-2012
- PHP 5.3.8
- WIMP architecture on Windows 2008 R2
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
# production setup
$wgLDAPDomainNames = array("domain.com");
$wgLDAPBaseDNs = array("domain.com" =>"dc=domain,dc=com");
$wgLDAPServerNames = array("domain.com" => "dc1.domain.com");
$wgLDAPSearchStrings = array("domain.com" => "USER-NAME@domain.com");
$wgLDAPEncryptionType = array("domain.com" => "clear"); # replace "clear" with "ssl" if that is necessary
$wgLDAPProxyAgent = array("domain.com" => "CN=LDAP-reader-account,DC=domain,DC=com");
$wgLDAPProxyAgentPassword = array("domain.com" => "password");
This is a bug in MediaWiki. I fixed this in MediaWiki trunk, you can easily backport it.
Ryan, you rule. Super easy fix, even for someone who doesn't know anything about PHP. I was just about to disable LDAP authentication and now I don't have to. Thanks for making this extension and providing such quick support. JasonPenney 14:36, 5 January 2012 (UTC)
You're welcome. Thankfully this will just be fixed in the next release, so no more patching needed :).
Ryan, FYI, I'm still getting this error when an unauthenticated user visits a "redlink" page. Since you sound confident that the next MediaWiki release will deal with the underlying issue, I'm not that worried, but if you're the one making those fixes, I figured you'd want to know.
PHP Warning: strtok() expects parameter 1 to be string, array given in C:\inetpub\wwwroot\twiki\extensions\LdapAuthentication\LdapAuthentication.php on line 566
PHP Warning: ldap_start_tls(): Unable to start TLS: Can't contact LDAP server in C:\inetpub\wwwroot\twiki\extensions\LdapAuthentication\LdapAuthentication.php on line 589
PHP Warning: strtok() expects parameter 1 to be string, array given in C:\inetpub\wwwroot\twiki\extensions\LdapAuthentication\LdapAuthentication.php on line 566
PHP Warning: ldap_start_tls(): Unable to start TLS: Can't contact LDAP server in C:\inetpub\wwwroot\twiki\extensions\LdapAuthentication\LdapAuthentication.php on line 589
PHP Warning: strtok() expects parameter 1 to be string, array given in C:\inetpub\wwwroot\twiki\extensions\LdapAuthentication\LdapAuthentication.php on line 566
PHP Warning: ldap_start_tls(): Unable to start TLS: Can't contact LDAP server in C:\inetpub\wwwroot\twiki\extensions\LdapAuthentication\LdapAuthentication.php on line 589
This is the code change I made in SpecialUserLogin.php
if( !$wgAuth->validDomain( $this->mDomain ) ) {
# JPenney - changed this code based on http://www.mediawiki.org/wiki/Special:Code/MediaWiki/107129
# $this->mDomain = 'invaliddomain';
if ( isset( $_SESSION['wsDomain'] ) ) {
$this->mDomain = $_SESSION['wsDomain'];
} else {
$this->mDomain = 'invaliddomain';
}
}
$wgAuth->setDomain( $this->mDomain );
Hello,
I checked out the trunk (r108101) and LdapAuthentication.php doesn't work on my PHP. I got an error "searchattr undefined" (apologies, I didn't record the exact error message).
I looked into the code and found that the following line seems to be missing,
$searchattr = $this->getConf( 'SearchAttribute' );
around line 1262, in getUserDN() function.
Hope this helps.
First of all, much respect for this plugin. Second, please excuse my English, but I'm at and I will learn better :) Third, the authentication works, great. My problem is that the LDAP groups in MediaWiki are NOT "auto-updating" into the table "user_groups".
My System:
- MediaWiki 1.17.0
- LDAPAUTHVERSION 1.2h
- PHP 5.3.3
- MySQL 5.0.77
The "username" is added after the "log in" into the "users" table. that works good.
If I do then an insert:
(INSERT INTO `table`.`user_groups` (`ug_user` ,`ug_group`) VALUES ('12', 'ldap-write-group');)
It works with the "rights/policy". I've searched, but haven't found what I could use to handle this problem.
Why is the "ldap-group-name" not automatically added to the "user_groups" table?
I have three groups in ldap. Two groups for "read" and one is allowed for "write".
$wgGroupPermissions['*' ]['createaccount'] = false;
$wgGroupPermissions['*' ]['edit'] = false;
$wgGroupPermissions['*' ]['read'] = false;
$wgGroupPermissions['user' ]['edit'] = false;
$wgGroupPermissions['user' ]['read'] = false;
$wgGroupPermissions['ldap-write-group' ]['read'] = true;
$wgGroupPermissions['ldap-write-group' ]['edit'] = true;
$wgGroupPermissions['ldap-read-1' ]['read'] = true;
$wgGroupPermissions['ldap-read-1' ]['edit'] = false;
$wgGroupPermissions['ldap-read-2-' ]['read'] = true;
$wgGroupPermissions['ldap-read-2-' ]['edit'] = false;
my Localsettings(LDAP PART):
###### LDAP CONFIG##################################################################################
require_once( "extensions/LdapAuthentication/LdapAuthentication.php" ); $wgAuth = new LdapAuthenticationPlugin(); $wgUseLDAP = true;
$wgLDAPDomainNames = array(
"ldap-write-group","ldap-read-1","ldap-read-2-" );
$wgLDAPServerNames = array(
"ldap-write-group" => "ldapHOST", "ldap-read-1" => "ldapHOST", "ldap-read-2-" => "ldapHOST" );
$wgLDAPUseLocal = false;
$wgLDAPEncryptionType = array(
"ldap-write-group"=>"clear", "ldap-read-1"=>"clear", "ldap-read-2-"=>"clear" );
$wgLDAPSearchAttributes = array(
"ldap-write-group"=>"uid", "ldap-read-1"=>"uid", "ldap-read-2-"=>"uid" );
$wgLDAPBaseDNs = array(
"ldap-write-group"=>"ou=users,dc=,dc=", "ldap-read-1"=>"ou=users,dc=,dc=", "ldap-read-2-"=>"ou=users,dc=,dc=" );
$wgLDAPGroupBaseDNs = array(
"ldap-write-group"=>"ou=groups,dc=,dc=", "ldap-read-1"=>"ou=groups,dc=,dc=", "ldap-read-2-"=>"ou=groups,dc=,dc=" );
$wgLDAPGroupUseFullDN = array(
"ldap-write-group"=>true, "ldap-read-1"=>true, "ldap-read-2-"=>true );
$wgLDAPLowerCaseUsername = array(
"ldap-write-group"=>true, "ldap-read-1"=>true, "ldap-read-2-"=>true );
$wgLDAPGroupObjectclass = array(
"ldap-write-group"=>"groupofuniquenames", "ldap-read-1"=>"groupofuniquenames", "ldap-read-2-"=>"groupofuniquenames" );
$wgLDAPGroupSearchNestedGroups = array(
"ldap-write-group"=>false, "ldap-read-1"=>false, "ldap-read-2-"=>false );
$wgLDAPGroupAttribute = array(
"ldap-write-group"=>"uniquemember", "ldap-read-1"=>"uniquemember", "ldap-read-2-"=>"uniquemember" );
$wgLDAPGroupNameAttribute = array(
"ldap-write-group"=>"cn", "ldap-read-1"=>"cn", "ldap-read-2-"=>"cn" );
$wgLDAPRequireAuthAttribute = array(
"ldap-write-group"=>true, "ldap-read-1"=>true, "ldap-read-2-"=>true );
$wgLDAPRequiredGroups = array(
"ldap-write-group" => array("cn=ldap-write-group,ou=Groups,dc=,dc="),
"ldap-read-1" => array("cn=ldap-read-1,ou=Groups,dc=,dc="),
"ldap-read-2-" => array("cn=ldap-read-2,ou=Groups,dc=,dc=")
);
$wgLDAPLocallyManagedGroups = array(
"ldap-write-group" => array( "ldap-write-group" ), "ldap-read-1" => array( "ldap-read-1" ), "ldap-read-2-" => array( "ldap-read-2" ) );
$wgLDAPGroupsPrevail = array(
"ldap-write-group" => false, "ldap-read-1" => false, "ldap-read-2-" => false );
# As originally posted, each of the next three settings was assigned three times (once per
# domain), and every assignment replaced the previous array, so only the "ldap-read-2-"
# entry survived. One array per setting keeps all three domains.
$wgLDAPUseLDAPGroups = array( "ldap-write-group"=>true, "ldap-read-1"=>true, "ldap-read-2-"=>true );
$wgLDAPGroupsUseMemberOf = array( "ldap-write-group" => true, "ldap-read-1" => true, "ldap-read-2-" => true );
$wgLDAPGroupObjectclass = array( "ldap-write-group"=>"groupOfUniqueNames", "ldap-read-1"=>"groupOfUniqueNames", "ldap-read-2-"=>"groupOfUniqueNames" );
$wgLDAPAddLDAPUsers = false;
$wgLDAPUpdateLDAP = false;
$wgLDAPProxyAgent = array(
"ldap-write-group"=>"cn=,ou=,dc=,dc=", "ldap-read-1"=>"cn=,ou=,dc=,dc=", "ldap-read-2-"=>"cn=,ou=,dc=,dc=");
$wgLDAPProxyAgentPassword = array(
"ldap-write-group"=>"PW", "ldap-read-1"=>"PW", "ldap-read-2-"=>"PW");
$wgLDAPDebug = 99;
$wgDebugLogGroups["ldap"] = "/tmp/debug-tech.log" ;
$wgMinimalPasswordLength = 1;
###### LDAP CONFIG##################################################################################
It would be really nice if someone could help me.
Hello, FIRST, thank you for your wonderful extension.
We are using Mediawiki 0.18.0, LDAPAUTHVERSION=1.2e.
As for Clausekwis, we need $wgLDAPUseLocal because we want to grant certain rights to both specific internal (LDAP) and external (local) users.
There seems to be a problem with local accounts having capital characters in the middle of their username (like 'FirstMiddleLast'): such created users are "not registered" (when editing User:FirstMiddleLast), and we can't grant them any rights (Special:Permissions -> contributor not found).
Steps to reproduce:
- setup mediawiki + LDAP instance
- with $wgLDAPUseLocal=true
- with local 'Admin' user
- login as 'Admin/LdapDomain' (yes, /LdapDomain !)
- create local 'FirstMiddleLast' user
- list users (Special:UserList)
- click 'FirstMiddleLast'
- see 'User account "FirstMiddleLast" is not registered' warning
After some digging, I found that it only works when I am logged in with the 'local' domain ($wsDomain="local"). My question is: why, when looking for a given user, check the domain of the currently logged-in user? And why not store the (user-specific) domain in the database?
Here's a kind of stack trace to explain how I came to this conclusion:
includes/Article.php:function showMissingArticle():
$user = User::newFromName( $rootPart, false /* allow IP users*/ );
includes/User.php:function newFromName( $name, $validate = 'valid' ):
$name = self::getCanonicalName( $name, $validate );
includes/User.php:function getCanonicalName( $name, $validate = 'valid' ):
global $wgAuth;
$name = $wgAuth->getCanonicalName( $t->getText() );
extensions/LdapAuthentication/LdapAuthentication.php:
function getCanonicalName( $username ) {
// ...
if ( isset( $_SESSION['wsDomain'] ) && 'local' != $_SESSION['wsDomain'] ) {
$username = strtolower( $username );
}
The problem is that the username is returned lowercased (with the first character upcased) which should not happen for local accounts.
I believe there are no plans to support $wgLDAPUseLocal further, but I'll be glad to know a better way to have both LDAP and external (local) accounts.
As a workaround, we ended up imposing lowercased usernames (like 'first.middle.last').
You can add the users to another OU, then have LDAP use that OU as another domain. It's a *way* better solution than using the local database as a fallback, which is really meant as a temporary solution while migrating all users to LDAP.
Another alternative is to have some form of web SSO, like SAML, where you can do federation. Many of these systems support OpenID, which means you could use the OpenID extension, and then limit access to people by taking rights away from the user group and adding them to a group you manage.
There are a ton of ways to handle this, which is why I don't support using $wgLDAPUseLocal as a long-term measure.
Cannot log on on version 2.0a caused by error in getConf() not looking for the right parameter ('Port')
I upgraded my version of LDAPAuthentication, and couldn't log on to my MediaWiki anymore. After activating the debug logs, I noticed that the connection string wasn't quite correct:
2011-12-26 13:34:05 kbwiki: 2.0a Entering Connect
2011-12-26 13:34:05 kbwiki: 2.0a Using TLS or not using encryption.
2011-12-26 13:34:05 kbwiki: 2.0a Using servers: ldap://myserver.foobar.com:
2011-12-26 13:34:05 kbwiki: 2.0a Failed to connect
As you can see, there is a ':' but no port number. Looking at the source, the line that builds the connection string (line 555):
$servers = $servers . " " . $serverpre . $tok . ":" . $this->getConf( 'LDAPPort' );
looks for a variable named 'LDAPPort', but in the getConf function it looks for a variable named 'Port' (line 183). I think this is the mistake.
To correct it, just change that line 183:
case 'Port':
with:
case 'LDAPPort':
And everything comes back to normal!
- MediaWiki 1.17.0
- MySQL 5.5.15
- Web server: IIS 7.5 -> PHP 5.3.8
- OS: Windows Server 2008 R2 (Domain Controller)
Since it's the domain controller, and that LDP.exe works with SSL, I believe my configuration is correct. More so, taking into account that I've already configured a few services to connect via SSL to AD like Collabnet Subversion Edge, My own Windows Service, IIS, FTP.
I've been able to make it work in clear mode, on port 389... However, as soon as I switch back to 636, and mode to 'ssl', I get a "bad password" error.
Also, I've been unable to get the logging to work... No file appears where I've set the directory! Here is my current configuration that I'm trying to get to work:
require_once ('extensions/LdapAuthentication/LdapAuthentication.php');
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array(
'Jeremfg Active Directory'
);
$wgLDAPSearchStrings = array(
'Jeremfg Active Directory' => 'USER-NAME@moon.jeremfg.com'
);
$wgLDAPServerNames = array(
'Jeremfg Active Directory' => 'moon.jeremfg.com'
);
$wgLDAPEncryptionType = array(
'Jeremfg Active Directory' => 'ssl'
);
$wgLDAPPort = array(
'Jeremfg Active Directory'=>636
);
$wgLDAPBaseDNs = array(
'Jeremfg Active Directory' => 'dc=moon,dc=jeremfg,dc=com'
);
$wgLDAPSearchAttributes = array(
'Jeremfg Active Directory' => 'sAMAccountName'
);
$wgLDAPDisableAutoCreate = array(
'Jeremfg Active Directory' => false
);
$wgLDAPDebug = 1;
$wgDebugLogGroups["ldap"] = "C:\inetpub\wwwroot\quadwiki\logs" ;
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;
I don't have any other php application so far that uses LDAP, but I've enabled it, as with SSL (SSL is confirmed to work with PEAR mail smtp send)... In any case, you can see the current configuration: https://jeremfg.com/phpinfo.php
Any idea how to enable logging, or why I can't connect via ssl? Thanks!
Edit : I use my own self-signed certificate, generated with the Certification Service of Windows Server
I decided, for the time being, to give up with SSL... It shouldn't be too bad since the AD and PHP Server run on the same machine (aka localhost)
As for logging, I've been able to enable it... Giving IIS_USER write access wasn't enough. I gave "Everyone" write access to the folder where logs are written. This shouldn't be a problem since only logs are stored there!
My new problem now is trying to establish group-based authorization. I believe the problem resides with the PHP functions "ldap_search(), ldap_list() and ldap_read()", which don't use the correct scope (not subtree for ldap_search(), for example) on my system... I had the same problem while configuring Mantis Bug Tracker...
For Mantis, I rewrote part of the code to circumvent this problem... I intend to do the same for LDAP_Authentication.php
Well, I'll take patches, if you write it in a backwards compatible way, and do it consistently throughout the plugin.
I began writing my patch, but didn't go very far... I ran in a few problems since Mantis doesn't do authentication exactly in the same way...
In the end, I just gave up, and put the Full DN to a single group, and added all the users to that group. Since it isn't a big group, it wasn't too bad. As long as no subtree search was required, I'm ok!
The problem lies with the ldap extension in PHP, and it's that component that should be fixed in the end...
Plus, my patch wouldn't have been really great, putting a much larger load on LDAP. What I did for mantis, is to configure an array of DNs in the config file, and try them all, one after the other, until I get a good result, or returned the last failure. Not a great patch, just a quick and dirty workaround, which is all I needed!
Users seeing "You have made too many recent attempts on this account's password" when trying to login
We have your extension installed on a corporate internal wiki and we periodically see users with this error message presented "You have made too many recent attempts on this account's password"
They have had our helpdesk reset their AD password but still see this message when trying to get onto the wiki. The message never seems to go away ( we have tried leaving an account over a weekend but its still there after a few days ), do you know how to resolve this ?
Appreciate any help you can offer.
regards Rob
I have a great install of MediaWiki up and running, nice custom theme and several plugins. The last piece of the puzzle to be able to launch the wiki is to configure the LDAP plugin to work with Open Directory. Our servers run Snow Leopard 10.6. I have tried some basic configuration with little success; the latest error message simply says, "Login error Incorrect password entered. Please try again." Any help is greatly appreciated.
I am running MediaWiki version: 1.16 The version of the LDAP plugin is: 1.2b (alpha)
Our LocalSettings file looks like this:
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" ); $wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array(
"SpliceHere" );
$wgLDAPServerNames = array(
"SpliceHere"=>"odserver.splice.lan" );
$wgLDAPWriteLocation = array(
"SpliceHere"=>"cn=users,dc=odserver,dc=splice,dc=lan" );
$wgLDAPUseLocal = false;
$wgLDAPOptions = array(
"SpliceHere"=>array( LDAP_OPT_DEREF, 1 ), );
$wgLDAPPort = array(
"SpliceHere"=>389 );
# The search string must contain the USER-NAME placeholder so that each user binds as
# their own entry; as originally posted it was hard-coded to uid=mediawiki, so every
# login tried that one account with the user's password.
$wgLDAPSearchStrings = array( "SpliceHere"=>"uid=USER-NAME,cn=users,dc=odserver,dc=splice,dc=lan" );
$wgLDAPPreferences = array( "SpliceHere"=>array( "email"=>"mail","realname"=>"displayname","nickname"=>"cn","language"=>"preferredlanguage") );
$wgLDAPMailPassword = array( "SpliceHere"=>true );
$wgDebugLogGroups["ldap"] = "/tmp/debug.log" ;
My organization is getting ADFS (Active Directory Federation Services) to provide SSO for external providers within our Windows-based intranet. Can MediaWiki take advantage of this technology in some way to achieve single sign-on? Our wiki (Linux-based) already uses LdapAuthentication with users manually logging into the wiki with their NT username and password.
I have never tried this, but my understanding is ADFS supports SAML 2.0, as does Mediawiki if you add the following extension... Extension:SAMLAuth This should work for SSO in a federated environment. If someone could confirm that would be useful.
SAMLAuth may work. You can likely also use an apache module for this, and then have LDAP auth do auto-auth so that you can pull groups and such too, if you need to.
If you just need authentication, and don't need groups and such, I think there are a few web server authentication plugins for MediaWiki as well, then you can use an Apache module in combination with it.
Here's what I'm working with:
Windows Server 2008 R2 (AD environment)
IIS 7.5
OpenLDAP (for the CA certificate handling)
Mediawiki 1.17
PHP 5.3.8
MySQL 5.1.50
LDAPAuthentication v.1.2h
Everything is working fine, except I'm unable to figure out how to go about having domain users automatically authenticate to Mediawiki using my current setup. Is there anything special that I should do when using IIS, since all documentation I've seen heavily favors Apache? Thanks.
-Chris
Nevermind. I seem to have gotten auto-authentication working with IIS. If anyone is interested, I'll post what I did later.
Sounds like a great idea for my intranet... Would you post it please?
Here's what I did to get my setup working...
[edit] LocalSettings.php file
##LDAP Authentication Plugin
require_once( "$IP/extensions/LdapAuthentication/LdapAutoAuthentication.php" );
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgLDAPDomainNames = array("DOMAIN");
$wgLDAPGroupBaseDNs = array("DOMAIN"=>"ou=groups,dc=domain,dc=org");
$wgLDAPAutoAuthDomain = "DOMAIN";
$wgLDAPGroupUseFullDN = array( "DOMAIN"=>true );
$wgLDAPServerNames = array("DOMAIN"=>"vw2k8-adfsmo2.domain.org");
$wgLDAPSearchStrings = array( "DOMAIN" => "DOMAIN\USER-NAME" );
$wgLDAPSearchAttributes = array("DOMAIN"=>"sAMAccountName");
$wgLDAPBaseDNs = array("DOMAIN"=>"dc=domain,dc=org");
$wgLDAPEncryptionType = array( "DOMAIN" => "ssl" );
$wgMinimalPasswordLength = 1;
#Configure LDAP Group settings
$wgLDAPUseLDAPGroups = array( "DOMAIN"=>true );
$wgLDAPGroupObjectclass = array( "DOMAIN"=>"group" );
$wgLDAPGroupAttribute = array( "DOMAIN"=>"member" );
$wgLDAPGroupNameAttribute = array( "DOMAIN"=>"cn" );
#Restrict anonymous users
$wgGroupPermissions['*' ]['createaccount'] = false;
$wgGroupPermissions['*' ]['read'] = false;
$wgGroupPermissions['*' ]['edit'] = false;
#Remove the domain portion of the displayed username. Example: "DOMAIN\username" to "username"
# split() is deprecated since PHP 5.3; explode() on the single backslash does the same job.
# This assumes IIS has authenticated the request and set REMOTE_USER in DOMAIN\username form.
list( $dom, $userid ) = explode( '\\', $_SERVER['REMOTE_USER'], 2 );
$wgLDAPAutoAuthUsername = $userid;
AutoAuthSetup();
Note: Absent from the config are $wgLDAPProxyAgent and $wgLDAPProxyAgentPassword. You will probably need these. I didn't for some reason, so I omitted them.
[edit] Forcing Kerberos Authentication on IIS
Helpful link: http://technet.microsoft.com/en-us/library/cc754628(WS.10).aspx
Important Quote from TechNet: The default setting for Windows authentication is Negotiate. This setting means that the client can select the appropriate security support provider. To force NTLM authentication, you must change the value of the <Provider> element under the <windowsAuthentication> element in the ApplicationHost.config file.
I changed my ApplicationHost.config file to look like this:
<windowsAuthentication enabled="false">
<providers>
<add value="NTLM" />
<!-- <add value="Negotiate" /> -->
</providers>
</windowsAuthentication>
[edit] Configuring OpenLDAP client
Helpful link: http://www.ashleyknowles.net/2011/07/iis-php-and-ldaps-with-active-directory/
C:\OpenLDAP\sysconf\ldap.conf
# ldap.conf contains the following
# Note: TLS_REQCERT never makes the client accept any server certificate without
# checking it; once TLS_CACERT points at the issuing CA, TLS_REQCERT demand (the
# default) verifies the server certificate against it instead.
TLS_REQCERT never
TLS_CACERT C:\openldap\sysconf\webcert.crt
To get the certificate, I just had to go to
http://vw2k8-adfsmo2.DOMAIN.org/certsrv
and select "Download a CA certificate, certificate chain, or CRL". Make sure it's in Base64 X.509 format. The extension was .cer but I renamed it to .crt (doesn't hurt anything).
Okay. That's all I can think of at the moment. If I feel I missed anything, I'll update this post.
-Chris
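The auto-auth setup above hands whatever the web server puts in REMOTE_USER straight to the extension, and the debug logs on this page show the extension then building a filter such as (sAMAccountName=Yuryu) from that name. The following is an added example, not code from the extension or from the post above, showing the two checks a practitioner would put in front of that: accept only a REMOTE_USER that carries a domain the wiki actually serves (in DOMAIN\name or name@domain form) and matches a username policy, and escape the name per RFC 4515 before it goes into a search filter, so a crafted account name cannot change the filter's meaning. The username policy (letters, digits, '.', '-', '_', at most 64 characters) and the sample header values are assumptions for the example, not rules of MediaWiki or the extension.

```python
# Added example (not from the LdapAuthentication extension): turn the web server's
# REMOTE_USER into a username that is safe to auto-authenticate, and build the
# "(sAMAccountName=...)" search filter with RFC 4515 escaping.
import re

# Assumed username policy for this example; MediaWiki and the extension impose their own rules.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def username_from_remote_user(remote_user, allowed_domains):
    """Return the bare account name from 'DOMAIN\\name' or 'name@domain', or None.

    None means "do not auto-authenticate": the value is empty, carries no domain,
    names a domain this wiki does not serve, or contains characters outside the policy.
    """
    if not remote_user:
        return None
    if "\\" in remote_user:
        domain, _, name = remote_user.partition("\\")      # NetBIOS form: DOMAIN\name
    elif "@" in remote_user:
        name, _, domain = remote_user.rpartition("@")      # UPN form: name@domain
    else:
        return None  # unqualified name: refuse rather than guess the domain
    allowed = {d.lower() for d in allowed_domains}
    if domain.lower() not in allowed or not USERNAME_RE.fullmatch(name):
        return None
    return name


def ldap_filter_escape(value):
    """Escape an assertion value for use inside an LDAP search filter (RFC 4515).

    '\\', '(', ')', '*' and NUL must be escaped; control and non-ASCII bytes are
    escaped too so the resulting filter stays printable.
    """
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"\\()*" or byte < 0x20 or byte > 0x7E:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def user_search_filter(attribute, name):
    """Build the equality filter the extension logs as 'Created a regular filter'."""
    return "(%s=%s)" % (attribute, ldap_filter_escape(name))


if __name__ == "__main__":
    # Constructed inputs: values IIS might set for a domain user, plus a hostile one.
    for header in ("DOMAIN\\jdoe", "jdoe@domain.org", "OTHER\\jdoe", "jdoe",
                   "DOMAIN\\*)(objectClass=*"):
        print("%-28r -> %r" % (header, username_from_remote_user(header, {"DOMAIN", "domain.org"})))
    # Even a name that passed a looser policy cannot break out of the filter once escaped.
    print(user_search_filter("sAMAccountName", "jdoe*)(objectClass=*"))
```

In the IIS configuration above this logic would sit where the post splits $_SERVER['REMOTE_USER']; a None result should fall through to the normal login form rather than to AutoAuthSetup(). REMOTE_USER is only as trustworthy as the server that set it: it carries an authenticated identity only when Windows authentication is actually enabled for the site and anonymous authentication is disabled.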
Some background. Simple LDAP authentication was working, authenticating to my domain controller. We added a Windows Certificate Authority for testing other things on one of the domain controllers.
Since then, I have re-imported the cert into /etc/pki/tls/certs and its still not authenticating.
I followed the directions here: Extension:LDAP Authentication/Requirements#Certificate trusts
When running: openssl s_client -showcerts -connect server:636 I get all the expected results, except the last line is:
Verify return code: 21 (unable to verify the first certificate)
I am sure this is why the authentication isn't working.
So, proceeding on the issue, I have done the following, and it didn't help:
- Create hash links to the certs
cd /etc/pki/tls/certs
for i in `ls *.crt`; do
    [ ! -e $i.0 ] && ln -s $i $(openssl x509 -hash -noout -in $i).0 > /dev/null 2>&1 || :
done
Next, create a CA bundle, as some applications only work properly with a bundled file of CAs (notice that *.crt is assumed to be your CA certificates):
for i in `ls *.crt`; do
    cat $i >> /etc/pki/tls/certs/local-bundle.crt
done
Finally, add the trust to openldap's client configuration: edit /etc/openldap/ldap.conf and add the following lines:
TLS_CACERTDIR /etc/pki/tls/certs
TLS_CACERT /etc/pki/tls/certs/local-bundle.crt
Can anyone offer some advice that would help?
Always receive bad password message.
Win serv 2008 r2
MW 1.16.5
php 5.3.6
LDAP Authentication Plugin (Version 1.2b (alpha))
require_once("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array(
    "CAT",
    "AD"
);
$wgLDAPServerNames = array(
    "CAT"=>"CAT.xxx.edu",
    "AD"=>"AD.xxx.edu"
);
$wgLDAPSearchStrings = array(
    "CAT"=>"CAT\USER-NAME",
    "AD"=>"AD\USER-NAME"
);
$wgLDAPEncryptionType = array(
    "CAT"=>"clear",
    "AD"=>"ssl"
);
# Keys must match the entries of $wgLDAPDomainNames ("CAT", "AD"); as originally posted
# this array was keyed by host name instead, so no port was found for either domain.
$wgLDAPPort = array(
    "CAT"=>389,
    "AD"=>636
);
$wgMinimalPasswordLength = 1;
$wgLDAPGroupUseFullDN = array(
    "CAT" => true,
    "AD" => true
);
# Base DNs are the containers to search under. As originally posted they were prefixed
# with "uid=USER-NAME,", which is a search-string placeholder and does not belong here.
$wgLDAPBaseDNs = array(
    "CAT" => "ou=Students,dc=xxx,dc=edu",
    "AD" => "ou=People,dc=xxx,dc=edu");
$wgLDAPSearchAttributes = array(
    "CAT" => "sAMAccountName",
    "AD" => "sAMAccountName"
);
// $wgLDAPGroupsUseMemberOf = array( "CAT" => true );
$wgLDAPGroupObjectclass = array( "CAT" => "group" );
$wgLDAPGroupAttribute = array( "CAT" => "member" );
$wgLDAPGroupNameAttribute = array( "CAT" => "cn" );
// $wgLDAPUseLDAPGroups = array( "CAT" => true );
$wgLDAPPreferences = array("CAT"=>array( "email"=>"mail","realname"=>"cn","nickname"=>"cn"));
# Same key rule as above: "CAT", not the host name.
$wgLDAPGroupSearchNestedGroups = array( "CAT" => true );
I only want to have users in "CAT" have a wiki account; I don't want to create accounts.
Thanks for the help. I'm a full-time student who works at the school. I have 16 hours a week to administrate 2 wikis, 2 Drupal instances and 5 other servers. I also have a 4-month-old and another job, so any help might just keep me from going quite mad!
Thanks, Chris
More Info
2011-10-23 21:48:58 opencomputing_wiki: Entering validDomain
2011-10-23 21:48:58 opencomputing_wiki: User is using a valid domain.
2011-10-23 21:48:58 opencomputing_wiki: Setting domain as: CAT
2011-10-23 21:48:58 opencomputing_wiki: Entering getCanonicalName
2011-10-23 21:48:58 opencomputing_wiki: Username isn't empty.
2011-10-23 21:48:58 opencomputing_wiki: Munged username: xxx
2011-10-23 21:48:58 opencomputing_wiki: Entering authenticate
2011-10-23 21:48:58 opencomputing_wiki:
2011-10-23 21:48:58 opencomputing_wiki: Entering Connect
2011-10-23 21:48:58 opencomputing_wiki: Using TLS or not using encryption.
2011-10-23 21:48:58 opencomputing_wiki: Using servers:
2011-10-23 21:48:58 opencomputing_wiki: Using TLS
2011-10-23 21:48:58 opencomputing_wiki: Failed to start TLS.
2011-10-23 21:48:58 opencomputing_wiki: Connected successfully
2011-10-23 21:48:58 opencomputing_wiki: Entering getSearchString
2011-10-23 21:48:58 opencomputing_wiki: Doing an anonymous bind
2011-10-23 21:48:58 opencomputing_wiki: Failed to bind as
2011-10-23 21:48:58 opencomputing_wiki: Failed to bind
2011-10-23 21:48:58 opencomputing_wiki: User DN is blank
2011-10-23 21:48:58 opencomputing_wiki: Entering strict.
2011-10-23 21:48:58 opencomputing_wiki: Returning true in strict().
2011-10-23 21:48:58 opencomputing_wiki: Entering allowPasswordChange
2011-10-23 21:48:58 opencomputing_wiki: Entering modifyUITemplate
Its
Any help on this?
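Three debug logs on this page fail at different stages: the 2.0a log near the top ends in "Couldn't find an entry" and "User DN is blank" after a proxy bind, the 2.0a port-bug log ends in "Failed to connect" with a server URL that has no port, and the 1.2b log directly above shows "Failed to start TLS." followed by an anonymous bind that fails. The support notes at the top of this page ask for exactly this kind of reading of the log. The following is an added example, not part of the extension, of a small triage script that reads the extension's debug log lines, reports the first stage that failed and pulls out the server URL, search filter and base DN so they can be quoted in a support request. The three sample logs are constructed from excerpts of the posts above; the stage names and the hints attached to them are the example's own, and the log message prefixes it matches are the ones visible in those posts.

```python
# Added example (not part of the LdapAuthentication extension): triage helper for the
# extension's debug log. Finds the first failing stage and the values worth quoting.
import re

# One log line: optional wiki-style ':' indent, timestamp, wiki id, optional extension
# version such as "2.0a" (older versions omit it), then the message.
LINE_RE = re.compile(
    r"^:?(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<wiki>\S+): "
    r"(?:(?P<ver>\d+\.\d+[a-z]?) )?(?P<msg>.*)$"
)

# (prefix of the extension's log message, stage name, what to check). Hints are this
# example's own reading of the posts above, not text from the extension.
FAILURE_MARKERS = [
    ("Failed to connect", "connect",
     "ldap_connect() rejected the URL; check host and port in the 'Using servers:' line"),
    ("Failed to start TLS", "starttls",
     "StartTLS was attempted and failed; check encryption type, port and CA trust"),
    ("Failed to bind", "bind",
     "bind failed; check the proxy agent DN and password, or the search string"),
    ("Couldn't find an entry", "search",
     "nothing matched the filter under the base DN; check search attribute and base DN"),
    ("User DN is blank", "userdn",
     "no user DN was resolved, so the password can never be checked"),
]


def triage(log_text):
    """Return the first failing stage plus the server URL, filter and base DN seen."""
    result = {"stage": None, "reason": None, "servers": None,
              "filter": None, "base": None, "findings": []}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg").strip()
        if msg.startswith("Using servers:"):
            servers = msg[len("Using servers:"):].strip()
            result["servers"] = servers
            if not servers:
                result["findings"].append(
                    "no server URL was built; check that $wgLDAPServerNames is keyed by the domain name")
            for url in servers.split():
                if url.endswith(":"):
                    result["findings"].append("server URL %r ends in ':' with no port number" % url)
        elif msg.startswith("Created a regular filter:"):
            result["filter"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("Using base:"):
            result["base"] = msg.split(":", 1)[1].strip()
        if result["stage"] is None:
            for prefix, stage, reason in FAILURE_MARKERS:
                if msg.startswith(prefix):
                    result["stage"], result["reason"] = stage, reason
                    break
    return result


# Constructed samples, excerpted from the logs posted on this page.
SAMPLE_NO_ENTRY = """\
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Entering Connect
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Using servers: ldap://domain.example.com:389
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Doing a proxy bind
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Created a regular filter: (sAMAccountName=Yuryu)
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Using base: DC=domain,DC=example,DC=com
2012-01-05 08:02:33 mediawiki-mw_: 2.0a Couldn't find an entry
2012-01-05 08:02:33 mediawiki-mw_: 2.0a User DN is blank
"""
SAMPLE_NO_PORT = """\
:2011-12-26 13:34:05 kbwiki: 2.0a Entering Connect
:2011-12-26 13:34:05 kbwiki: 2.0a Using servers: ldap://myserver.foobar.com:
:2011-12-26 13:34:05 kbwiki: 2.0a Failed to connect
"""
SAMPLE_TLS_BIND = """\
2011-10-23 21:48:58 opencomputing_wiki: Entering Connect
2011-10-23 21:48:58 opencomputing_wiki: Using servers:
2011-10-23 21:48:58 opencomputing_wiki: Using TLS
2011-10-23 21:48:58 opencomputing_wiki: Failed to start TLS.
2011-10-23 21:48:58 opencomputing_wiki: Connected successfully
2011-10-23 21:48:58 opencomputing_wiki: Doing an anonymous bind
2011-10-23 21:48:58 opencomputing_wiki: Failed to bind as
2011-10-23 21:48:58 opencomputing_wiki: Failed to bind
2011-10-23 21:48:58 opencomputing_wiki: User DN is blank
"""

if __name__ == "__main__":
    for label, text in (("no entry", SAMPLE_NO_ENTRY), ("no port", SAMPLE_NO_PORT),
                        ("tls/bind", SAMPLE_TLS_BIND)):
        r = triage(text)
        print("%-9s stage=%s: %s" % (label, r["stage"], r["reason"]))
        for finding in r["findings"]:
            print("          ", finding)
```

The script deliberately stops at the first failure: every later message in these logs ("User DN is blank", the bind failure after a failed StartTLS) is a consequence of it, and the support notes above ask for the simplest configuration that reproduces the earliest problem.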
Hi
I'm trying to use SSL in configuration file :
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" ); $wgAuth = new LdapAuthenticationPlugin(); $wgLDAPUseLocal = "true"; $wgLDAPDebug = 99; $wgLDAPDomainNames = array( "example"); $wgLDAPDisableAutoCreate = array("example"=>"true"); $wgLDAPUseSSL = array( "example"=>"true" ); $wgLDAPEncryptionType = array( "example" => "ssl"); $wgLDAPServerNames = array("example" => "127.0.0.1"); $wgLDAPPort = array("example" => "636"); $wgLDAPBaseDNs = array("example" => "dc=example,dc=com" ); ....
But still I get in Apache logs
[Sun Oct 09 22:32:31 2011] [error] [client 127.0.0.1] PHP Warning: ldap_start_tls(): Unable to start TLS: Can't contact LDAP server in /usr/share/mediawiki/extensions/LdapAuthentication/LdapAuthentication.php on line 283
Why this reference to TLS when I want to use SSL?
Thanks in advance
If you are going to use SSL, you can't use an IP address. Also, if you are going to use 127.0.0.1, what's the point of using SSL anyway? An attacker that has the ability to sniff that traffic also has the ability to decrypt the traffic using the private key anyway.