Topic on Extension talk:PluggableAuth

Could not authenticate credentials against domain "test.local"

3 comments • 12:59, 26 April 2024 22 days ago

3

Ksmith197 (talkcontribs)

Hi,

I'm having issues authenticating against my AD server from Special:UserLogin page. I tried running the "CheckLogin.php" with the account which returned a "FAILED". Utilizing the same account I'm able to login to the Active Directory server locally, and from the mediawiki server, perform an ldapsearch w/ bind successfully. The end goal is for any user that exist in Active directory to be able to authenticate and log into the wiki.

I've been at this for 2-3 weeks now, unfortunately...

Below is the version numbers for all relevant components.

Product	Version
MediaWiki	1.39.6
PHP	7.4.33 (fpm-fcgi)
MariaDB	11.3.2-MariaDB-1:11.3.2+maria~ubu2204
ICU	67.1
Lua	5.1.5
Pygments	2.7.1

LDAPAuthentication2	2.0.5 (f303c55) 02:27, 27 November 2023	GPL-2.0	Allows authentication against a LDAP resource	Cindy Cicalese, Mark A. Hershberger and Hallo Welt! GmbH
LDAPProvider	2.0.3 (740f097) 07:27, 19 December 2023	GPL-2.0+	Provides a common infrastructure to connect to an LDAP resource and run queries against it	Cindy Cicalese, Mark A. Hershberger and Hallo Welt! GmbH

PluggableAuth	7.0.0 (b1ca368) 10:23, 8 January 2024	MIT	Provides framework for pluggable authentication and authorization	Cindy Cicalese

Here is my LocalSettings.php:

# Degbugging!

4

5 error_reporting( E_ALL );

6 ini_set( 'display_errors', 1 );

7 $wgShowExceptionDetails = true;

8 $wgDebugToolbar = true;

9 $wgShowErrors = true;

10 $wgShowError = true;

11 $wgShowDebug = true;

12 $wgDebugLogFile = '/tmp/debug.log';

13

14 $wgDebugLogGroups = array(

15 'PluggableAuth' => '/tmp/pa.log',

16 'LDAP' => '/tmp/LDAP.log',

17 'LDAPProvider' => '/tmp/LDAPProvider.log',

18 'LDAPAuthentication2' => '/tmp/LDAPAuthentication2.log',

19 'LDAPAuthorization' => '/tmp/LDAPAuthorization.log',

20 'LDAPUserInfo' => '/tmp/LDAPUser.log',

21 'LDAPGroups' => '/tmp/LDAPGroups.log',

22 'MediaWiki\\Extension\\LDAPProvider\\Client' => '/tmp/ldapprovider_client.log'

23 );

462 ##################################################################

463 # LDAP JSON FILE #

464 ##################################################################

465

466 $safeIPs = array('127.0.0.1','localhost');

467 $ipsVars = array('HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP', 'REMOTE_ADDR');

468 foreach ($ipsVars as $ipsVar) {

469 if (isset($_SERVER[$ipsVar]) && mb_strlen($_SERVER[$ipsVar]) > 3 ) { $wikiRequestIP = $_SERVER[$ipsVar];

470 break; }

471 }

472 $wikiRequestSafe = ( isset($wikiRequestIP) && ( in_array($wikiRequestIP,$safeIPs) ));

473

474 // Create Wiki-Group 'engineering' from default user group

475 $wgGroupPermissions['engineering'] = $wgGroupPermissions['user'];

476

477 // Private Wiki. External LDAP Login. Default NS requires login.

478 $wgEmailConfirmToEdit = false;

479 $wgGroupPermissions['*']['edit'] = false;

480 $wgGroupPermissions['*']['read'] = false;

481 $wgGroupPermissions['*']['createaccount'] = false;

482 $wgGroupPermissions['sysop']['createaccount'] = false;

483 $wgGroupPermissions['*']['autocreateaccount'] = true;

484 $wgBlockDisablesLogin = true;

485

486 $ldapConfig = false;

487 $ldapJsonFile = "/var/www/ldapprovider.json";

488 if (is_file($ldapJsonFile) && is_dir("/var/www/mediawiki/w/extensions/LDAPProvider")) {

489 $testJson = @json_decode(file_get_contents($ldapJsonFile), true);

490 if (is_array($testJson)) {

491 $ldapConfig = true;

492

493 } else {

494 error_log("Found invalid JSON in file: /var/www/ldapprovider.json");

495 }

496 }

497

498 if ($ldapConfig) {

499

500 wfLoadExtension('LDAPProvider');

501 wfLoadExtension('LDAPAuthentication2');

502 #wfLoadExtension('LDAPAuthorization');

503 #wfLoadExtension('LDAPUserInfo');

504 #wfLoadExtension('LDAPGroups');

505 wfLoadExtension('PluggableAuth');

$LDAPProviderDomainConfigs = $ldapJsonFile;

509

510 $wgLDAPDebug = 3;//for debugging LDAP

511

512 $wgLDAPProvider["CacheType"] = "CACHE_NONE";

513 $wgLDAPProvider["CacheTime"] = 3600;

514

515 // Force LDAPGroups to sync by choosing a domain (e.g. first JSON object in ldapprovider.json)

516 $LDAPProviderDefaultDomain = array_key_first(json_decode(file_get_contents($LDAPProviderDomainConfigs), true));

517

518 $wgPluggableAuth_EnableAutoLogin = false;

519 $wgPluggableAuth_EnableLocalLogin = false; # required to show the username and password field on login page

520 $wgPluggableAuth_EnableFastLogout = true;

521

522

523 $wgPluggableAuth_Config = array(

524 array(

525 "plugin" => "LDAPAuthentication2",

526 "buttonLabelMessage" => "Domain Login",

527 "data" => ["domain" => $LDAPProviderDefaultDomain]

528 ),

529 #array("plugin" => "LDAPAuthorization"),

530 );

531

532 if ($wikiRequestSafe) { $LDAPAuthentication2AllowLocalLogin = false; }

533 }

534

# LDAPAuthentication2

608

609 // Whether or not to display a "local" psuedo-domain in the domain selector on "Special:Login", thus allowing to authenticate against the local user database. (defaults to false if not specified)

610 $LDAPAuthentication2AllowLocalLogin = true;

611

612 // Use this function for normalizing username for LDAP, for example 'strtolower'. (defaults to "")

613 $LDAPAuthentication2UsernameNormalizer = "";

614

615 # Auth_remoteuser

616 // Set the name for mapping into the local wiki user database. If the value is `null`, the extension defaults to using the enviornment variables `REMOTE_USER` and `REDIRECT_REMOTE_USER`

617

618 $wgAuthRemoteuserUserName = null; //default

619

620 #$wgAuthRemoteuserUserName = [

621 # $_SERVER[ 'REMOTE_USER' ],

622 # $_SERVER[ 'REDIRECT_REMOTE_USER' ]

623 #];

624

625 $wgAuthRemoteuserUserNameReplaceFilter = null; //default

626

627

628

629

630 # PluggableAuth Extension Configuration

631

632 // Should user login occur automatically when a user visits the wiki?

633 $wgPluggableAuth_EnableAutoLogin = true;

634

635 // Should user also be presented with username/password fields on the login page to allow local password-based login to the wiki

636 $wgPluggableAuth_EnableLocalLogin = true;

Here is my ldapprovider.json located at /var/www/:

{

"test.local": {

"connection": {

"server": "{IP_ADDRESS_HERE}",

"port": "389",

"user": "CN=XXXXX,CN=Users,DC=test,DC=local",

"pass": "XXXXXXX",

"enctype": "clear",

"options": {

"LDAP_OPT_DEREF": 1

},

"basedn": "dc=test,dc=local",

"userbasedn": "dc=test,dc=local",

"groupbasedn": "dc=test,dc=local",

"searchattributes": {

"realname": "cn",

"username": "samaccountname"

},

"grouprequest": {

"groupAttribute": "member",

"isMemberCritical": true

},

"userinfo": [],

"authorization": [],

"groupsync": {

"mapping": {

"bureaucrat": ["CN=Domain Admins,CN=Users,DC=test,DC=local", "CN=Adminstrators,CN=Users,DN=test,DN=local"],

"interface-admin": ["CN=Domain Admins,CN=Users,DC=test,DC=local", "CN=Adminstrators,CN=Users,DN=test,DN=local"],

"sysop": ["CN=Domain Admins,CN=Users,DC=test,DC=local", "CN=Adminstrators,CN=Users,DN=test,DN=local"]

}

Reply 18:47, 25 April 2024 22 days ago

Cindy.cicalese (talkcontribs)

Your best bet for getting help is to post at Extension talk:LDAPAuthentication2. Include debug logs from Manual:How to debug.