Does not use real ldap uid when checking groups, but wikified uid


I am using MediaWiki 1.14.1 with the latest stable LDAP authentication extension to authenticate against a Linux OpenLDAP server. The basic authentication works fine; however, as soon as I add group checking like this, it does not work anymore:

$wgLDAPRequiredGroups = array( "AI"=>array("cn=wikiusers,ou=Groups,dc=mydomain,dc=com") );
$wgLDAPGroupUseFullDN = array( "AI"=>false );
$wgLDAPGroupObjectclass = array( "AI"=>"posixgroup" );
$wgLDAPGroupAttribute = array( "AI"=>"memberuid" );
$wgLDAPGroupSearchNestedGroups = array( "AI"=>false );
$wgLDAPGroupNameAttribute = array( "AI"=>"cn" );

Looking in the slapd logs, I see this:

Nov 16 12:03:51 arti2 slapd[20513]: conn=184 fd=41 ACCEPT from IP=123.123.123.123:47086 (IP=0.0.0.0:636)
Nov 16 12:03:51 arti2 slapd[20513]: conn=184 fd=41 TLS established tls_ssf=128 ssf=128
Nov 16 12:03:51 arti2 slapd[20513]: conn=184 op=0 BIND dn="" method=128
Nov 16 12:03:51 arti2 slapd[20513]: conn=184 op=0 RESULT tag=97 err=0 text=
Nov 16 12:03:51 arti2 slapd[20513]: conn=184 op=1 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(uid=username)"
Nov 16 12:03:51 arti2 slapd[20513]: conn=184 op=1 SRCH attr=*
Nov 16 12:03:51 arti2 slapd[20513]: conn=184 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 16 12:03:51 arti2 slapd[20513]: conn=184 op=2 BIND dn="uid=username,ou=People,dc=mydomain,dc=com" method=128
Nov 16 12:03:51 arti2 slapd[20513]: conn=184 op=2 BIND dn="uid=username,ou=People,dc=mydomain,dc=com" mech=SIMPLE ssf=0
Nov 16 12:03:51 arti2 slapd[20513]: conn=184 op=2 RESULT tag=97 err=0 text=
Nov 16 12:03:51 arti2 slapd[20513]: conn=184 op=3 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(memberUid=Username)(objectClass=posixGroup))"
Nov 16 12:03:51 arti2 slapd[20513]: conn=184 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=

Notice that it uses the wikified uid as memberUid when looking up the groups. If I check this query with ldapsearch, no results are indeed returned with the capitalized name; however, changing the first letter to lower case makes the query work correctly.

134.184.26.59 11:12, 16 November 2009

You can use:

$wgLDAPLowerCaseUsername = array( "AI" => true );

This setting will make the wiki use an all lowercase username when searching. It isn't optimal, since it won't work if your usernames have case in them anywhere, but if your users are all lowercase, it'll work.

Ryan lane 14:30, 16 November 2009
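
A diagnostic for the symptom in this thread, added here as an example and not part of the original posts or the extension's code: it scans slapd log lines and reports connections where the group search returned no entries and its memberUid differs from the looked-up uid only in letter case. OpenLDAP's NIS schema matches memberUid case-sensitively (caseExactIA5Match) while uid is case-insensitive, which is why the user lookup succeeds and the group check fails. The sample log is constructed from the lines quoted above (conn=185 is an invented control), and the function name is hypothetical.

```python
import re

# Constructed sample: conn=184 mirrors the thread's log, conn=185 is an invented control.
SAMPLE_LOG = """\
Nov 16 12:03:51 arti2 slapd[20513]: conn=184 op=1 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(uid=username)"
Nov 16 12:03:51 arti2 slapd[20513]: conn=184 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 16 12:03:51 arti2 slapd[20513]: conn=184 op=3 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(memberUid=Username)(objectClass=posixGroup))"
Nov 16 12:03:51 arti2 slapd[20513]: conn=184 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
Nov 16 12:04:10 arti2 slapd[20513]: conn=185 op=1 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(uid=username)"
Nov 16 12:04:10 arti2 slapd[20513]: conn=185 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 16 12:04:10 arti2 slapd[20513]: conn=185 op=3 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(memberUid=username)(objectClass=posixGroup))"
Nov 16 12:04:10 arti2 slapd[20513]: conn=185 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

CONN_OP = re.compile(r"conn=(\d+) op=(\d+) ")
FILTER = re.compile(r'filter="([^"]*)"')
ASSERTION = re.compile(r"\((uid|memberUid)=([^()*]+)\)", re.IGNORECASE)
NENTRIES = re.compile(r"SEARCH RESULT .*\bnentries=(\d+)")

def find_case_mismatches(log_text):
    """Return (conn, uid, memberUid) for each connection whose group search
    found nothing and used a memberUid differing from the uid only in case."""
    uid_seen = {}      # conn -> uid value from the user lookup filter
    group_search = {}  # (conn, op) -> memberUid value from the group filter
    findings = []
    for line in log_text.splitlines():
        m = CONN_OP.search(line)
        if not m:
            continue
        conn, op = m.group(1), m.group(2)
        f = FILTER.search(line)
        if f:
            for attr, value in ASSERTION.findall(f.group(1)):
                if attr.lower() == "uid":
                    uid_seen[conn] = value
                else:
                    group_search[(conn, op)] = value
            continue
        n = NENTRIES.search(line)
        member = group_search.get((conn, op))
        uid = uid_seen.get(conn)
        if n and n.group(1) == "0" and member and uid:
            if member != uid and member.lower() == uid.lower():
                findings.append((conn, uid, member))
    return findings

if __name__ == "__main__":
    for conn, uid, member in find_case_mismatches(SAMPLE_LOG):
        print(f"conn={conn}: uid={uid!r} but group search used memberUid={member!r}")
```
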
 