Extension talk:PluggableAuth

About this board

When reporting an error, please be sure to include version information for MediaWiki and all relevant extensions as well as configuration information. Also, please turn on debug logging as described at Manual:How to debug#Logging and include the relevant portions of the debug log.

Start a new topic

Could not authenticate credentials against domain "test.local"

3 comments • 12:59, 26 April 2024 8 days ago

3

Ksmith197 (talkcontribs)

Hi,

I'm having issues authenticating against my AD server from Special:UserLogin page. I tried running the "CheckLogin.php" with the account which returned a "FAILED". Utilizing the same account I'm able to login to the Active Directory server locally, and from the mediawiki server, perform an ldapsearch w/ bind successfully. The end goal is for any user that exist in Active directory to be able to authenticate and log into the wiki.

I've been at this for 2-3 weeks now, unfortunately...

Below is the version numbers for all relevant components.

Product	Version
MediaWiki	1.39.6
PHP	7.4.33 (fpm-fcgi)
MariaDB	11.3.2-MariaDB-1:11.3.2+maria~ubu2204
ICU	67.1
Lua	5.1.5
Pygments	2.7.1

LDAPAuthentication2	2.0.5 (f303c55) 02:27, 27 November 2023	GPL-2.0	Allows authentication against a LDAP resource	Cindy Cicalese, Mark A. Hershberger and Hallo Welt! GmbH
LDAPProvider	2.0.3 (740f097) 07:27, 19 December 2023	GPL-2.0+	Provides a common infrastructure to connect to an LDAP resource and run queries against it	Cindy Cicalese, Mark A. Hershberger and Hallo Welt! GmbH

PluggableAuth	7.0.0 (b1ca368) 10:23, 8 January 2024	MIT	Provides framework for pluggable authentication and authorization	Cindy Cicalese

Here is my LocalSettings.php:

# Degbugging!

4

5 error_reporting( E_ALL );

6 ini_set( 'display_errors', 1 );

7 $wgShowExceptionDetails = true;

8 $wgDebugToolbar = true;

9 $wgShowErrors = true;

10 $wgShowError = true;

11 $wgShowDebug = true;

12 $wgDebugLogFile = '/tmp/debug.log';

13

14 $wgDebugLogGroups = array(

15 'PluggableAuth' => '/tmp/pa.log',

16 'LDAP' => '/tmp/LDAP.log',

17 'LDAPProvider' => '/tmp/LDAPProvider.log',

18 'LDAPAuthentication2' => '/tmp/LDAPAuthentication2.log',

19 'LDAPAuthorization' => '/tmp/LDAPAuthorization.log',

20 'LDAPUserInfo' => '/tmp/LDAPUser.log',

21 'LDAPGroups' => '/tmp/LDAPGroups.log',

22 'MediaWiki\\Extension\\LDAPProvider\\Client' => '/tmp/ldapprovider_client.log'

23 );

462 ##################################################################

463 # LDAP JSON FILE #

464 ##################################################################

465

466 $safeIPs = array('127.0.0.1','localhost');

467 $ipsVars = array('HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP', 'REMOTE_ADDR');

468 foreach ($ipsVars as $ipsVar) {

469 if (isset($_SERVER[$ipsVar]) && mb_strlen($_SERVER[$ipsVar]) > 3 ) { $wikiRequestIP = $_SERVER[$ipsVar];

470 break; }

471 }

472 $wikiRequestSafe = ( isset($wikiRequestIP) && ( in_array($wikiRequestIP,$safeIPs) ));

473

474 // Create Wiki-Group 'engineering' from default user group

475 $wgGroupPermissions['engineering'] = $wgGroupPermissions['user'];

476

477 // Private Wiki. External LDAP Login. Default NS requires login.

478 $wgEmailConfirmToEdit = false;

479 $wgGroupPermissions['*']['edit'] = false;

480 $wgGroupPermissions['*']['read'] = false;

481 $wgGroupPermissions['*']['createaccount'] = false;

482 $wgGroupPermissions['sysop']['createaccount'] = false;

483 $wgGroupPermissions['*']['autocreateaccount'] = true;

484 $wgBlockDisablesLogin = true;

485

486 $ldapConfig = false;

487 $ldapJsonFile = "/var/www/ldapprovider.json";

488 if (is_file($ldapJsonFile) && is_dir("/var/www/mediawiki/w/extensions/LDAPProvider")) {

489 $testJson = @json_decode(file_get_contents($ldapJsonFile), true);

490 if (is_array($testJson)) {

491 $ldapConfig = true;

492

493 } else {

494 error_log("Found invalid JSON in file: /var/www/ldapprovider.json");

495 }

496 }

497

498 if ($ldapConfig) {

499

500 wfLoadExtension('LDAPProvider');

501 wfLoadExtension('LDAPAuthentication2');

502 #wfLoadExtension('LDAPAuthorization');

503 #wfLoadExtension('LDAPUserInfo');

504 #wfLoadExtension('LDAPGroups');

505 wfLoadExtension('PluggableAuth');

$LDAPProviderDomainConfigs = $ldapJsonFile;

509

510 $wgLDAPDebug = 3;//for debugging LDAP

511

512 $wgLDAPProvider["CacheType"] = "CACHE_NONE";

513 $wgLDAPProvider["CacheTime"] = 3600;

514

515 // Force LDAPGroups to sync by choosing a domain (e.g. first JSON object in ldapprovider.json)

516 $LDAPProviderDefaultDomain = array_key_first(json_decode(file_get_contents($LDAPProviderDomainConfigs), true));

517

518 $wgPluggableAuth_EnableAutoLogin = false;

519 $wgPluggableAuth_EnableLocalLogin = false; # required to show the username and password field on login page

520 $wgPluggableAuth_EnableFastLogout = true;

521

522

523 $wgPluggableAuth_Config = array(

524 array(

525 "plugin" => "LDAPAuthentication2",

526 "buttonLabelMessage" => "Domain Login",

527 "data" => ["domain" => $LDAPProviderDefaultDomain]

528 ),

529 #array("plugin" => "LDAPAuthorization"),

530 );

531

532 if ($wikiRequestSafe) { $LDAPAuthentication2AllowLocalLogin = false; }

533 }

534

# LDAPAuthentication2

608

609 // Whether or not to display a "local" psuedo-domain in the domain selector on "Special:Login", thus allowing to authenticate against the local user database. (defaults to false if not specified)

610 $LDAPAuthentication2AllowLocalLogin = true;

611

612 // Use this function for normalizing username for LDAP, for example 'strtolower'. (defaults to "")

613 $LDAPAuthentication2UsernameNormalizer = "";

614

615 # Auth_remoteuser

616 // Set the name for mapping into the local wiki user database. If the value is `null`, the extension defaults to using the enviornment variables `REMOTE_USER` and `REDIRECT_REMOTE_USER`

617

618 $wgAuthRemoteuserUserName = null; //default

619

620 #$wgAuthRemoteuserUserName = [

621 # $_SERVER[ 'REMOTE_USER' ],

622 # $_SERVER[ 'REDIRECT_REMOTE_USER' ]

623 #];

624

625 $wgAuthRemoteuserUserNameReplaceFilter = null; //default

626

627

628

629

630 # PluggableAuth Extension Configuration

631

632 // Should user login occur automatically when a user visits the wiki?

633 $wgPluggableAuth_EnableAutoLogin = true;

634

635 // Should user also be presented with username/password fields on the login page to allow local password-based login to the wiki

636 $wgPluggableAuth_EnableLocalLogin = true;

Here is my ldapprovider.json located at /var/www/:

{

"test.local": {

"connection": {

"server": "{IP_ADDRESS_HERE}",

"port": "389",

"user": "CN=XXXXX,CN=Users,DC=test,DC=local",

"pass": "XXXXXXX",

"enctype": "clear",

"options": {

"LDAP_OPT_DEREF": 1

},

"basedn": "dc=test,dc=local",

"userbasedn": "dc=test,dc=local",

"groupbasedn": "dc=test,dc=local",

"searchattributes": {

"realname": "cn",

"username": "samaccountname"

},

"grouprequest": {

"groupAttribute": "member",

"isMemberCritical": true

},

"userinfo": [],

"authorization": [],

"groupsync": {

"mapping": {

"bureaucrat": ["CN=Domain Admins,CN=Users,DC=test,DC=local", "CN=Adminstrators,CN=Users,DN=test,DN=local"],

"interface-admin": ["CN=Domain Admins,CN=Users,DC=test,DC=local", "CN=Adminstrators,CN=Users,DN=test,DN=local"],

"sysop": ["CN=Domain Admins,CN=Users,DC=test,DC=local", "CN=Adminstrators,CN=Users,DN=test,DN=local"]

}

Reply 18:47, 25 April 2024 9 days ago

Cindy.cicalese (talkcontribs)

Your best bet for getting help is to post at Extension talk:LDAPAuthentication2. Include debug logs from Manual:How to debug.

Reply 21:51, 25 April 2024 9 days ago

Ksmith197 (talkcontribs)

Okay! thank you!

Reply 12:59, 26 April 2024 8 days ago

Reply to "Could not authenticate credentials against domain "test.local""

how to define "groupsyncs" for wgPluggableAuth_Config OpenIDConnect

6 comments • 22:17, 19 April 2024 15 days ago

6

RakingTheLeaves (talkcontribs)

MediaWiki 1.41.0 (62e7aef)

OpenID Connect 7.0.2 (c515880)

PluggableAuth 7.0.0 (2d86d50)

PHP 8.2.17 (apache2handler)

ICU 72.1

PostgreSQL 16.0

I'm unclear on the correct way to reference field in the access_token from the OIDC payload and assign them to the default roles in mediaWiki using groupsyncs. I have the following defined in LocalSettings.php. below that I have the access_token example pulled from the jwt. Logging in works great. But auto-assigning users that have thefieldwithrole to a group doesn't seem to be working.

Any insight into what I might be doing wrong?

$wgPluggableAuth_Config[] = [

'plugin' => 'OpenIDConnect',

'data' => [

.......

],

'groupsyncs' => [

[

'type' => 'mapped',

'map' => [

'users' => [ 'thefieldwithrole' => 'roleA' ],

'sysop' => [ 'thefieldwithrole' => 'roleB' ]

]

];

Example Access_Token pulled from jwt payload:

{

"thefieldwithrole" : "roleA",

"aud" : "omitted",

"authorization_details": [],

"client_id" : "theclientid",

"client_key" : "theclientkey",

"Email" : "someemailaddress",

"exp" : 1234567890

"first_name" : "first",

"iss" : "omitted",

"jti" : "xf8i7vW",

"last_name" : "last",

"login" : "12345678",

"Organization" : "theorg",

"samaccountname" : "12345678",

"scope" : "openid profile",

"sub" : "12345678",

"subject" : "12345678",

"uid" : "12345678",

"userid" : "12345678",

"userId" : "12345678",

}

Reply Edited 13:37, 3 April 2024 1 month ago

Wikiphpnoob (talkcontribs)

@RakingTheLeaves

hello, i'm in the process of trying to figure this out. i'm using azure ad and openid connect.

have you had any success figuring things out?

Reply 21:17, 15 April 2024 19 days ago

RakingTheLeaves (talkcontribs)

Apologies for the delay... I haven't been focused on this much this week. But, no... I haven't quite figured it out (yet). It "seems" like the code isn't seeing the "thefieldwithrole" from the access_token of the OIDC token payload.

Without any other guidance to go by, my current thinking is to try putting my authZ info into the authorization_details[] section of the payload in accordance with the intent of the RFC... maybe the extension author is expecting to find the information there... unsure. If that doesn't work, may slog through the extension code to see if I can figure it out.... just getting to the point where I can't delay the project much longer and may try something else.

https://datatracker.ietf.org/doc/html/rfc9396

"This specification introduces a new parameter authorization_details that allows clients to specify their fine-grained authorization requirements using the expressiveness of JSON [RFC8259] data structures.¶"

Reply 14:15, 19 April 2024 15 days ago

RakingTheLeaves (talkcontribs)

I will post here if I get it going.

Reply 14:19, 19 April 2024 15 days ago

Wikiphpnoob (talkcontribs)

@RakingTheLeaves

your response is greatly appreciated.

i have managed to get passed authentication. but i'm finding it difficult for my log in to pull group memberships from the local azure ad/entra. and likewise, if i find anything, i'll share it.

thanks

Reply 15:10, 19 April 2024 15 days ago

Wikiphpnoob (talkcontribs)

OK, i was able to get groupsync working between azure ad and wiki

i think something to consider is how azure ad is configured as well. on top of the claim for user info when the wiki app is registered in the azure portal, a groups claim needs to be added.

a rough instruction is :

Azure Active Directory > App registrations > the wiki app > Token configuration(might be under Manage) > is there a group claim?

if not, click Add optional claim > ID for id tokens > Group > ...hopefully you can follow from there. i think its better to use group id than samaccountname

then when configuring PluggableAuth_Confiig...

'groupsyncs' => [

[

'type' => 'mapped',

'map' => [

'information_technology' => ['groups' => 'azure ad group id'] ]

]

'groups' is needed, though i cannot remember why. I found this explanation using ChatGPT ", the groups claim in a token can contain the IDs of the Azure AD groups to which the user belongs"

hopefully that helps some? good luck

Reply 22:17, 19 April 2024 15 days ago

Reply to "how to define "groupsyncs" for wgPluggableAuth_Config OpenIDConnect"

Could not authenticate credentials against domain "LDAP"

One comment • 14:32, 8 April 2024 26 days ago

1

Summary by Wikiphpnoob

moving from using LDAP to using OpenID Connect

Wikiphpnoob (talkcontribs)

hello, hoping someone can shine a light for me. the site said dont take this job on as a newb and i of course totally ignored that suggestion.

i have MediaWiki 1.41.0, PHP 8.3.3 on Windows Server 2016 ( i know, its old), with IIS 10

I have extensions:

wfLoadExtension( 'LDAPProvider' );

wfLoadExtension( 'LDAPAuthentication2' );

wfLoadExtension( 'LDAPAuthorization' );

wfLoadExtension( 'LDAPGroups');

wfLoadExtension( 'LDAPUserInfo');

wfLoadExtension( 'PluggableAuth' );

when using good accounts to authenticate, getting "Could not authenticate credentials against domain "LDAP"

see below, do i have too much configured? not enough? any suggestion at all would be cool. thanks to any who responds

***LOCALSETTINGS BELOW:***

# Safe IP or not (for bypassing external login via AD)

$safeIPs = array('10.0.0.0', '10.255.255.255'); // Replace with your desired range

$ipsVars = array('HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP', 'REMOTE_ADDR');

foreach ($ipsVars as $ipsVar) {

if (isset($_SERVER[$ipsVar]) && mb_strlen($_SERVER[$ipsVar]) > 3 ) {

$wikiRequestIP = $_SERVER[$ipsVar];

break;

}

$wikiRequestSafe = (isset($wikiRequestIP) && (in_array($wikiRequestIP, $safeIPs)));

# Load LDAP Config from JSON

$ldapJsonFile = dirname(__FILE__) . "/extensions/LDAPProvider/ldapprovider.json";

$ldapConfig = false;

if (is_file($ldapJsonFile)) {

$testJson = @json_decode(file_get_contents($ldapJsonFile), true);

if (is_array($testJson)) {

$LDAPProviderDomainConfigs = $testJson;

$ldapConfig = true;

} else {

error_log("Found invalid JSON in file: $ldapJsonFile");

}

# Activate extensions

if ($ldapConfig) {

wfLoadExtension( 'LDAPProvider' );

wfLoadExtension( 'LDAPAuthentication2' );

wfLoadExtension( 'LDAPAuthorization' );

wfLoadExtension( 'LDAPGroups');

wfLoadExtension( 'LDAPUserInfo');

wfLoadExtension( 'PluggableAuth' );

$LDAPProviderDomainConfigs = $ldapJsonFile;

$LDAPProviderPreSearchUsernameModifierRegistry = [

'lowercase' => function () {

return \MediaWiki\Extension\LDAPProvider\PreSearchUsernameModifier\ToLower::newInstance();

}

];

$wgLDAPProvider['CacheType'] = 'CACHE_NONE';

$wgLDAPProvider['CacheTime'] = 3600;

# LDAPAuthentication2 configuration

$LDAPAuthentication2AllowLocalLogin = true;

$LDAPAuthentication2UsernameNormalizer = 'lowercase';

$wgLDAPAuthentication2['authentication']['usernameattribute'] = 'samaccountName';

# Configure PluggableAuth settings

$wgPluggableAuth_EnableAutoLogin = false;

$wgPluggableAuth_EnableLocalLogin = false;

$wgPluggableAuth_EnableLocalProperties = false;

$wgPluggableAuth_EnableFastLogout = true;

$wgPluggableAuth_Config = [

"RAA Wiki Login" => [

'plugin' => 'LDAPAuthentication2',

'data' => ['domain' => 'LDAP']

]

];

$LDAPGroupsSyncMechanismRegistry = [

'mappedgroups' => 'MediaWiki\\Extension\\LDAPGroups\\SyncMechanism\\MappedGroups::factory'

];

}

***LDAPPROVIDER.JSON BELOW***

"LDAP": {

"connection": {

"server": "ldap-server",

"port": 389,

"enctype": "clear",

"user": "cn=mediawiki,ou=service accounts,dc=acme,dc=org",

"pass": "pass",

"options": {

"LDAP_OPT_DEREF": 1

},

"basedn": "dc=acme,dc=org",

"userbasedn": "ou=users,dc=acme,dc=org",

"groupbasedn": "ou=groups,dc=acme,dc=org",

"usersearch": "samaccountname",

"groupsearch": "$dn",

"searchattribute": "samaccountname",

"usernameattribute": "samaccountname",

"realnameattribute": "cn",

"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",

"presearchusernamemodifiers": [ "lowercase" ],

"searchstring": "(samaccountname=%{username})"

},

"authorization": {

"rules": {

"groups": {

"required": [

"CN=Information Technology,OU=GROUPS,DC=ACME,DC=ORG",

"CN=Human Resources,OU=GROUPS,DC=ACME,DC=ORG"

]

}

},

"groupsync": {

"mechanism": "mappedgroups",

"mapping": {

"information_technology": "CN=Information Technology,OU=GROUPS,DC=ACME,DC=ORG",

"human_resources": "CN=Human Resources,OU=GROUPS,DC=ACME,DC=ORG"

}

},

"userinfo": {

"realname": "samaccountname"

}

**********************************************

help me obi wan kenobi, youre my only hope

16:44, 19 March 2024 1 month ago

Trying to do a LDAP Login

2 comments • 14:18, 1 March 2024 2 months ago

2

GregANICO (talkcontribs)

Hi Everyone, I am wondering if anybody has ran into this issue when trying to login via ldap. I get this error after putting in my domain username and password.

ZeDJRu4hcahAMcLvtSppyAAAAMI] /mediawiki-1.39.5/index.php?title=Special:PluggableAuthLogin MediaWiki\Extension\LDAPProvider\DomainConfigProvider\ConfigException: ⧼ldapprovider-domain-config-invalid⧽

Thanks in advance,

Greg

18:21, 29 February 2024 2 months ago

GregANICO (talkcontribs)

Here is the backtrace:

Backtrace:

from /var/www/html/mediawiki-1.39.5/extensions/LDAPProvider/src/DomainConfigProvider/LocalJSONFile.php(51)

#0 /var/www/html/mediawiki-1.39.5/extensions/LDAPProvider/src/DomainConfigProvider/LocalJSONFile.php(70): MediaWiki\Extension\LDAPProvider\DomainConfigProvider\LocalJSONFile->__construct()

#1 [internal function]: MediaWiki\Extension\LDAPProvider\DomainConfigProvider\LocalJSONFile::newInstance()

#2 /var/www/html/mediawiki-1.39.5/extensions/LDAPProvider/src/DomainConfigFactory.php(101): call_user_func_array()

#3 /var/www/html/mediawiki-1.39.5/extensions/LDAPProvider/src/ClientFactory.php(62): MediaWiki\Extension\LDAPProvider\DomainConfigFactory::getInstance()

#4 /var/www/html/mediawiki-1.39.5/extensions/LDAPAuthentication2/src/PluggableAuth.php(254): MediaWiki\Extension\LDAPProvider\ClientFactory->getForDomain()

#5 /var/www/html/mediawiki-1.39.5/extensions/LDAPAuthentication2/src/PluggableAuth.php(123): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->checkLDAPLogin()

#6 /var/www/html/mediawiki-1.39.5/extensions/PluggableAuth/includes/PluggableAuthLogin.php(101): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->authenticate()

#7 /var/www/html/mediawiki-1.39.5/includes/specialpage/SpecialPage.php(701): MediaWiki\Extension\PluggableAuth\PluggableAuthLogin->execute()

#8 /var/www/html/mediawiki-1.39.5/includes/specialpage/SpecialPageFactory.php(1428): SpecialPage->run()

#9 /var/www/html/mediawiki-1.39.5/includes/MediaWiki.php(316): MediaWiki\SpecialPage\SpecialPageFactory->executePath()

#10 /var/www/html/mediawiki-1.39.5/includes/MediaWiki.php(904): MediaWiki->performRequest()

#11 /var/www/html/mediawiki-1.39.5/includes/MediaWiki.php(562): MediaWiki->main()

#12 /var/www/html/mediawiki-1.39.5/index.php(52): MediaWiki->run()

#13 /var/www/html/mediawiki-1.39.5/index.php(48): wfIndexMain()

#14 {main}

18:24, 29 February 2024 2 months ago

Modify the login buttons to show even longer button texts (solution presented)

5 comments • 22:28, 25 January 2024 3 months ago

5

Wikinaut (talkcontribs)

It makes the buttons (here the standard Login-button and the Extension:OpenIDConnect-Login-button) to display all texts on the buttons, even if the texts are longer:

In LocalSettings.php add:

# https://www.mediawiki.org/w/index.php?title=Topic:Xx8ol75kyh1qejp8
# How to modify the Login-Page
$GLOBALS['wgHooks']['BeforePageDisplay'][] = function( OutputPage &$out, Skin &$skin ) {
        $style = <<<EOT
            <style type="text/css">
                    button#wpLoginAttempt {
                            white-space: normal;
                            word-wrap: break-word;
                            height: auto !important;
                    }

                    button#mw-input-pluggableauthlogin0 {
                            background-color: salmon !important;
                            border-color: salmon !important;
                            white-space: normal;
                            word-wrap: break-word;
                            height: auto !important;
                    }
            </style>
EOT;

        $out->addHeadItem( 'change-login-button', $style );
        return true;
};

Was discussed here: https://www.mediawiki.org/wiki/Topic:Xx8ol75kyh1qejp8

Reply Edited 20:28, 24 January 2024 3 months ago

Cindy.cicalese (talkcontribs)

Thank you for your contribution. Please feel free to add it to the extension wiki page as a tip.

Reply 17:54, 25 January 2024 3 months ago

Wikinaut (talkcontribs)

This is quite difficult for me because of the translation tags, otherwise I would have added it there.

Reply 19:36, 25 January 2024 3 months ago

Cindy.cicalese (talkcontribs)

You can ignore the translation tags. Somebody else will come along after you and add them.

Reply 22:13, 25 January 2024 3 months ago

Wikinaut (talkcontribs)

merci! I expected that but wanted to wait, thanks. Done.

Reply Edited 22:28, 25 January 2024 3 months ago

Reply to "Modify the login buttons to show even longer button texts (solution presented)"

MW 1.39.6 TypeError

7 comments • 20:04, 4 January 2024 4 months ago

7

DeEliteOne (talkcontribs)

I'm trying to update from MW 1.39.5 to 1.39.6 and am getting the following internal error when trying to log in:

index.php/Special:PluggableAuthLogin TypeError: Argument 1 passed to Jumbojett\OpenIDConnectClient::addScope() must be of the type array, string given, called in /var/www/html/extensions/OpenIDConnect/includes/OpenIDConnect.php on line 199
Backtrace:
from /var/www/html/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(556)
# 0 /var/www/html/extensions/OpenIDConnect/includes/OpenIDConnect.php(199): Jumbojett\OpenIDConnectClient->addScope()
# 1 /var/www/html/extensions/PluggableAuth/includes/PluggableAuthLogin.php(101): MediaWiki\Extension\OpenIDConnect\OpenIDConnect->authenticate()
# 2 /var/www/html/includes/specialpage/SpecialPage.php(701): MediaWiki\Extension\PluggableAuth\PluggableAuthLogin->execute()
# 3 /var/www/html/includes/specialpage/SpecialPageFactory.php(1428): SpecialPage->run()
# 4 /var/www/html/includes/MediaWiki.php(316): MediaWiki\SpecialPage\SpecialPageFactory->executePath()
# 5 /var/www/html/includes/MediaWiki.php(904): MediaWiki->performRequest()
# 6 /var/www/html/includes/MediaWiki.php(562): MediaWiki->main()
# 7 /var/www/html/index.php(50): MediaWiki->run()
# 8 /var/www/html/index.php(46): wfIndexMain()
# 9 {main}

Here is what I believe to be the relevant config from LocalSettings.php:

wfLoadExtension( 'PluggableAuth' );
$wgPluggableAuth_Config[] = [
      'plugin' => 'OpenIDConnect',
      'buttonLabelMessage' => 'Example',
      'data' => [
          'providerURL' => 'https://example.com/auth/realms/example',
          'clientID' => getenv('OIDC_CLIENTID'),
          'clientsecret' => getenv('OIDC_CLIENTSECRET')
      ]
];
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_EnableAutoLogin = true;

wfLoadExtension( 'OpenIDConnect' );
$wgOpenIDConnect_MigrateUsersByUserName = true;

wfLoadExtension( 'LDAPProvider' );
$LDAPProviderDomainConfigProvider = function()
{
   $config =
   [
       "LDAP" =>
       [
           "connection" =>
           [
               "server" => "example.com",
               "basedn" => "ou=people,dc=example,dc=com",
               "userbasedn" => "ou=people,ou=system,dc=example,dc=com",
               "searchattribute" => "uid",
               "searchstring" => "USER-NAME",
               "usernameattribute" => "uid",
               "realnameattribute" => "displayName",
               "emailattribute" => "mail",
               "groupbasedn" => "cn=example,ou=secgroups,ou=system,dc=example,dc=com",
               "groupobjectclass" => "groupOfNames",
               "groupattribute" => "member",
               "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\Configurable::factory"
           ],
           "authorization" =>
           [
               "rules" =>
               [
                   "groups" =>
                   [
                       "required" => [ "cn=example,ou=secgroups,ou=system,dc=example,dc=com" ]
                   ]
               ]
           ],
       ]
   ];
   return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

wfLoadExtension( 'LDAPAuthorization' );

Is there anything I should be changing before trying to update?

Reply 17:39, 4 January 2024 4 months ago

Cindy.cicalese (talkcontribs)

It looks like you are using a newer version of the jumbojett/openid-connect-php library than is supported. The OpenID Connect composer.json file specifies version 0.9.10, which looks to be compatible. A newer commit adds an array typehint to the addScope() function, causing the error. Did you edit the OpenID Connect composer.json file?

Reply 19:15, 4 January 2024 4 months ago

DeEliteOne (talkcontribs)

No, I haven't edited the file, and my live copy of the file is using version 0.9.10. Full contents:

{
       "name": "mediawiki/openidconnect",
       "type": "mediawiki-extension",
       "description": "Provides authentication using OpenID Connect in conjunction with PluggableAuth",
       "license": "MIT",
       "authors": [
               {
                       "name": "Cindy Cicalese",
                       "email": "cicalese@mitre.org"
               }
       ],
       "require": {
               "jumbojett/openid-connect-php": "0.9.10",
               "composer/installers": "~1.0|~2"
       },
       "require-dev": {
               "mediawiki/mediawiki-codesniffer": "39.0.0",
               "mediawiki/minus-x": "1.1.1",
               "php-parallel-lint/php-console-highlighter": "1.0.0",
               "php-parallel-lint/php-parallel-lint": "1.3.2"
       },
       "scripts": {
               "test": [
                       "parallel-lint . --exclude vendor --exclude node_modules",
                       "@phpcs",
                       "minus-x check ."
               ],
               "fix": [
                       "minus-x fix .",
                       "phpcbf"
               ],
               "phpcs": "phpcs -sp --cache"
       },
       "extra": {
               "installer-name": "OpenIDConnect"
       },
       "config": {
               "allow-plugins": {
                       "composer/installers": true
               }
       }
}

Reply 19:41, 4 January 2024 4 months ago

DeEliteOne (talkcontribs)

Nevermind - the deployment is containerized, and I missed that it was pulling the latest release of jumbojett/openid-connect-php in the Dockerfile, overriding individual composer.json files. I'm not exactly sure why it was set up this way (inherited code), but locking the release to v0.9.10 worked. Thanks so much!

Reply 19:53, 4 January 2024 4 months ago

Cindy.cicalese (talkcontribs)

That's very strange. When you look at vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php and search for addScope do you see https://github.com/jumbojett/OpenID-Connect-PHP/blob/master/src/OpenIDConnectClient.php#L556 (which I suspect, based on the stack trace, which is the master branch) or https://github.com/jumbojett/OpenID-Connect-PHP/blob/45aac47b525f0483dd4db3324bb1f1cab4666061/src/OpenIDConnectClient.php#L587 (whose line number do not match the stack trace, but it is version 0.9.10). The manifest on packagist agrees with the git hashes for the versions (https://packagist.org/packages/jumbojett/openid-connect-php#v0.9.10).

Reply 20:02, 4 January 2024 4 months ago

Cindy.cicalese (talkcontribs)

Ah, our messages crossed. I'm so glad you figured it out!

Reply 20:03, 4 January 2024 4 months ago

Cindy.cicalese (talkcontribs)

And now I know I'll need to change the code if I bump the version to the new 1.0.0 release! Thanks!

Reply 20:04, 4 January 2024 4 months ago

Reply to "MW 1.39.6 TypeError"

default value of $wgPluggableAuth_EnableFastLogout ?

2 comments • 19:45, 8 December 2023 4 months ago

2

Summary by Wladek92

false ; done, thanks.

Wladek92 (talkcontribs)

@Cindy.cicalese Hi, in paragraph Version_7.0.0_or_later i have pushed the description right to the respective 'description' column, but now what do we write in the 'default value' for $wgPluggableAuth_EnableFastLogout please ? Thanks. --Christian 🇫🇷 FR (talk) 16:56, 8 December 2023 (UTC)

16:56, 8 December 2023 4 months ago

Cindy.cicalese (talkcontribs)

Thanks for the updates and fixes! The value should be false; I added it.

19:31, 8 December 2023 4 months ago

Is there a minimal Auth provider example available?

3 comments • 11:10, 1 December 2023 5 months ago

3

Axkibe (talkcontribs)

Sorry If I didnt see it somewhere in the docs, but do you have somewhere a minimalst auth provider example/template one could use as basis to extend?

The section "Creating an authorization plugin" talks something about a hook, but the other auth provider plugins (for 7.0) I looked through, do not use it, but extend some class?

Unless I'm completely overlooking something, could you please provide a dummy provider that say just hardcoded authorizes the user "bob" with the password "foobar"? (and thats the place I'd put my backend in)

Reply 15:11, 30 November 2023 5 months ago

Cindy.cicalese (talkcontribs)

You could look at the tests/includes/DummyAuth.php file for a minimal provider used in testing. Probably the simplest fully functional provider from a code perspective is Extension:OpenID Connect. You are correct that the group population hook was removed in version 7.0 and the documentation needs to be updated to reflect that.

Reply 16:24, 30 November 2023 5 months ago

Axkibe (talkcontribs)

Thank you! Got it and works, but had to look through other solutions for a complete API (at least I hope i have everything I need :). To be honest I got confused by "authorization" vs "authentication" thats why the doc made so little sense to me.

Reply 11:10, 1 December 2023 5 months ago

Reply to "Is there a minimal Auth provider example available?"

wikimedia 1.39.5 - The supplied credentials could not be authenticated.

2 comments • 17:24, 15 November 2023 5 months ago

2

Simon.matys (talkcontribs)

Hello, I'm struggling a bit with LDAP configuration on MediaWiki 1.39.5.

I know that it was discussed here before, but I was not able to make sense of the documentation or discussion on this comunity forum, to the point in which I would resolve it myself, so I decided to ask for help. I'm a bit new to this, so I suspect the main problem is with my understanding of configuration, and that it is not really a bug.

The issue I'm having is with extension PluggableAuth, which is causing the error "The supplied credentials could not be authenticated."

Please, can you help me understand, what am I doing wrong?

For context, this was the configuration of old wiki server:

_________________________________________________________________________ _________________________________________________________________________

# ---------------LDAP---------------
wfLoadExtensions( [
	'PluggableAuth',
	'Auth_remoteuser',
	'LDAPProvider',
	'LDAPAuthentication2',
	'LDAPAuthorization',
	'LDAPUserInfo'
] );
$LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain';
$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$LDAPAuthentication2AllowLocalLogin = false;
$wgAuthRemoteuserAllowUserSwitch = false;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_ButtonLabel = "Log In";

$wgAuthRemoteuserUserName = function() {
	$user = '';''
	if( isset( $_SERVER[ 'REMOTE_USER' ] ) ) {
		$user = strtolower( $_SERVER[ 'REMOTE_USER' ] );
	}

	return $user;
};
$LDAPProviderDomainConfigProvider = function() {
	$config = [
		'example.com' => [
			'connection' => [
				"server" => "ldap-1.example.com ldap-2.example.com",
                "port" => 636,
                "enctype" => "ssl",
      			"user" => "cn=anonym,ou=ldap,dc=example,dc=com",
    			"pass" => "password",
				"options" => [
					"LDAP_OPT_DEREF" => 1
				],
				"basedn" => "ou=people,ou=users,dc=example,dc=com",
				"groupbasedn" => "ou=people,ou=users,dc=example,dc=com",
				"userbasedn" => "ou=people,ou=users,dc=example,dc=com",
				"searchattribute" => "uid",
				"usernameattribute" => "uid",
				"realnameattribute" => "displayName",
				"emailattribute" => "mail",
				"grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
			],
			'authorization' => [],
			'userinfo' => [
				'attributes-map' => [
					'email' => 'mail',
					'realname' => 'displayName'
				]
			]
		]
	];

	return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

_________________________________________________________________________ _________________________________________________________________________

Versions of extensions used in new wiki are listed below. I didn't try any other as to my understanding, these should be compatible.

Auth_remoteuser-REL1_39-b9c4b86 (2.1.1)
LDAPAuthentication2-REL1_39-42ec3c8 (2.0.4)
LDAPAuthorization-REL1_39-07d09d8 (2.0.2)
LDAPProvider-REL1_39-a3c56fa (2.0.2)
LDAPUserInfo-REL1_39-2fda62c (2.0.1)
PluggableAuth-REL1_39-e952f13 (7.0.0)

To rule out the problem with connection with LDAP, and or the issue with PHP module for LDAP, I've tested the connection by using the command ldapsearch as the example below with success. I did same for PHP module with simple php script.

ldapsearch -x -H ldaps://ldap-1.example.com:636 -D "cn=anonym,ou=ldap,dc=example,dc=com" -W -b "ou=people,ou=users,dc=example,dc=com" "(uid=name.surname)"

The configuration I've tested is bellow. I've tried also other configurations, but this is the state in which I'm now.

_________________________________________________________________________ _________________________________________________________________________

The LocalSettings.php configuration for LDAP is:

wfLoadExtensions([
    'PluggableAuth',
    'Auth_remoteuser',
    'LDAPProvider',
    'LDAPAuthentication2',
    'LDAPAuthorization',
    'LDAPUserInfo'
]);

$LDAPProviderDomainConfigProvider = function() {
    $config = json_decode(file_get_contents("/path/to/ldap.json"), true);
    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray($config);
};

$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$LDAPAuthentication2AllowLocalLogin = false;
$wgAuthRemoteuserAllowUserSwitch = false;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_ButtonLabel = "Log In";

$wgAuthRemoteuserUserName = function() {
    return strtolower($_SERVER['REMOTE_USER'] ?? '');
};

_________________________________________________________________________

This is ldap.json configuration:

{
    "example.com": {
        "connection": {
            "server": "ldap-1.example.com ldap-2.example.com",
            "port": 636,
            "enctype": "ssl",
            "user": "cn=anonym,ou=ldap,dc=example,dc=com",
            "pass": "password",
            "options": {
                "LDAP_OPT_DEREF": 1
            },
            "basedn": "ou=people,ou=users,dc=example,dc=com",
            "groupbasedn": "ou=people,ou=users,dc=example,dc=com",
            "userbasedn": "ou=people,ou=users,dc=example,dc=com",
            "searchattribute": "uid",
            "usernameattribute": "uid",
            "realnameattribute": "displayName",
            "emailattribute": "mail"
        },
        "authorization": [],
        "userinfo": {
            "attributes-map": {
                "email": "mail",
                "realname": "displayName"
            }
        }
    }
}

_________________________________________________________________________ _________________________________________________________________________

Reply Edited 12:07, 15 November 2023 5 months ago

Cindy.cicalese (talkcontribs)

There is likely an issue with your configuration. Your best bet for getting help is to post at Extension talk:LDAPProvider or Extension talk:LDAPAuthentication2.

Reply 17:24, 15 November 2023 5 months ago

Reply to "wikimedia 1.39.5 - The supplied credentials could not be authenticated."

PluggableAuthPopulateGroups removed in v7

2 comments • 14:30, 27 October 2023 6 months ago

2

185.116.43.6 (talkcontribs)

Why has this hook been removed? It's such a shame... Configuring things in globals seems very dirty to me.

Reply 11:31, 27 October 2023 6 months ago

Cindy.cicalese (talkcontribs)

Per Extension:PluggableAuth#Group_Synchronization, "In version 7.0.0 and later when you are using an authentication plugin that supports retrieval of attributes from the identity provider (currently OpenID Connect, SimpleSAMLphp, WSOAuth, and JWTAuth), it is possible to synchronize groups from the identity provider to MediaWiki groups. There are two built-in group synchronization algorithms, syncall and mapped, described below. It is also possible for an extension to provide additional custom group synchronization algorithms." This more flexible functionality replaces the earlier approach that used that hook and allows a more consistent approach to group management between the plugins.

Reply 14:30, 27 October 2023 6 months ago

Reply to "PluggableAuthPopulateGroups removed in v7"