Thread:Extension talk:LDAP Authentication/Can't get group authentication to work

Hi there,

I'm having great trouble getting group authentication to work. I have searched this talk page and Google, but was unable to find a solution. The versions: MediaWiki 1.21.1; LDAP Authentication Plugin 2.0d

First of all, let me say that plain LDAP authentication works perfectly. The trouble starts when I want to restrict access based on AD groups. I followed Ryan D. Lane's instructions (http://ryandlane.com/blog/2009/07/09/using-the-ldap-authentication-plugin-for-mediawiki-%e2%80%93-the-basics-part-3/), and everything seems to work, but when I log in, I get a message that my password is not correct.

My LocalSettings.php looks like this:

require_once( "$IP/extensions/ldapauthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin;
$wgLDAPDomainNames = array( "OURDOMAIN" );
$wgLDAPServerNames = array( "OURDOMAIN" => "ldap.server.intern" );
$wgLDAPSearchStrings = array( "OURDOMAIN" => "OURDOMAIN\\USER-NAME" );
$wgLDAPEncryptionType = array( "OURDOMAIN" => "ssl" );
$wgLDAPGroupUseFullDN = array( "OURDOMAIN" => true );
$wgLDAPBaseDNs = array( "OURDOMAIN" => "dc=ourdomain,dc=our" );
$wgLDAPSearchAttributes = array( "OURDOMAIN" => "sAMAccountName" );
$wgLDAPGroupUseRetrievedUserName = array( "OURDOMAIN" => true );
$wgLDAPGroupObjectClass = array( "OURDOMAIN" => "group" );
$wgLDAPGroupAttribute = array( "OURDOMAIN" => "member" );
$wgLDAPGroupNameAttribute = array( "OURDOMAIN" => "cn" );
$wgMinimalPasswordLength = 1;
#$wgLDAPUseLocal = false;
# This will automatically map the users e-mail address and full name from Active Directory to their account in MediaWiki
$wgLDAPRetrievePrefs = array( "OURDOMAIN" => "true" );
$wgLDAPPreferences = array('OURDOMAIN' => array( 'email' => 'mail','realname' => 'displayname'));
$wgLDAPDebug = 4; //for debugging LDAP
$wgDebugLogFile = "/tmp/log.txt";
$wgDebugLogGroups["ldap"] = "/tmp/debug.log";
#$wgShowExceptionDetails = true; //for debugging MediaWiki
$wgGroupPermissions['*']['edit'] = false;
# #
# Restrict access to wiki based on LDAP group
$wgLDAPRequiredGroups = array( "OURDOMAIN" => array( "CN=D-AIT-X-ITISDBA,OU=Data,OU=Groups,OU=Users,DC=ourdomain,DC=our"));

When doing a login, I get the following in debug.log:

2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Entering validDomain
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d User is not using a valid domain.
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Setting domain as: OURDOMAIN
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Entering allowPasswordChange
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Entering modifyUITemplate
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering validDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d User is using a valid domain (OURDOMAIN).
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Setting domain as: OURDOMAIN
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getCanonicalName
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Username is: Ustjla
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Munged username: Ustjla
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering authenticate for username Ustjla
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering Connect
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Using SSL
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Using servers: ldaps://ldap.server.intern:636
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getSearchString
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Doing a straight bind
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d userdn is: OURDOMAIN\Ustjla
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Binding as the user
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Bound successfully
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getUserDN
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Created a regular filter: (sAMAccountName=Ustjla)
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getBaseDN
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d basedn is not set for this type of entry, trying to get the default basedn.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getBaseDN
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Using base: ou=Users,dc=ourdomain,dc=our
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Fetched UserDN: CN=USTJLA,OU=Netherlands,OU=Win7,OU=Users,DC=ourdomain,DC=our
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getGroups
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Retrieving LDAP group membership
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Searching for the groups
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering searchGroups
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getBaseDN
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d basedn is not set for this type of entry, trying to get the default basedn.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getBaseDN
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d User Filter: (&(distinguishedName=CN=USTJLA,OU=Netherlands,OU=Win7,OU=Users,DC=ourdomain,DC=our)(objectclass=user))
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Primary Group Filter: (&(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\15\25\af\47\23\f3\f6\63\43\17\0a\32\01\02\00\00)(objectclass=))
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Search string: (&(member=CN=USTJLA,OU=Netherlands,OU=Win7,OU=Users,DC=ourdomain,DC=our)(objectclass=))
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Returned groups:
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering checkGroups
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d USERNAME IS: Ustjla
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Checking for (new style) group membership
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Required groups: cn=d-ait-x-itisdba,ou=data,ou=groups,ou=users,dc=ourdomain,dc=our
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Checking against:
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Couldn't find the user in any groups.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering strict.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Returning true in strict.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering allowPasswordChange
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering modifyUITemplate
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.

I notice that Returned groups is empty, as is Checking against... I'm guessing this is not correct. And I have no idea what is going wrong here. I'm hoping it is a simple misconfiguration on my part, but at the moment I have no clue where to look for the fault. I'm not an LDAP expert (far from it).

Can anyone help me out a bit, please?

Thank you, Hans
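
Added example, not part of the original post or of the extension's code: a small Python triage pass over a debug log in the format shown above. It flags LDAP filter terms logged with an empty value, such as `(objectclass=)`, and empty `Returned groups:` / `Checking against:` entries. The sample lines are excerpted from the log in the post, and the function names are illustrative.

```python
import re

# Entries may be one per line or run together on one line, so split on timestamps.
ENTRY_START = re.compile(r"(?=\d{4}-\d\d-\d\d \d\d:\d\d:\d\d )")
# timestamp, host, wiki name, plugin version, then the message text
ENTRY = re.compile(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ \S+: \S+ ?(.*)")
# A filter component of the form (attribute=) with nothing after the equals sign
EMPTY_TERM = re.compile(r"\(([A-Za-z][\w;.-]*)=\)")
FILTER_LABELS = ("User Filter", "Primary Group Filter", "Search string")
LIST_LABELS = ("Returned groups", "Checking against")

# Sample input: lines excerpted from the debug.log quoted in the post
SAMPLE_LOG = """\
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Bound successfully
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Search string: (&(member=CN=USTJLA,OU=Netherlands,OU=Win7,OU=Users,DC=ourdomain,DC=our)(objectclass=))
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Returned groups:
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Required groups: cn=d-ait-x-itisdba,ou=data,ou=groups,ou=users,dc=ourdomain,dc=our
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Checking against:
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Couldn't find the user in any groups.
"""

def entries(text):
    """Yield (timestamp, message) for every log entry in text."""
    for chunk in ENTRY_START.split(text):
        m = ENTRY.match(chunk.strip())
        if m:
            yield m.group(1), m.group(2).strip()

def triage(text):
    """Return (timestamp, label, problem) for each suspicious entry."""
    findings = []
    for ts, msg in entries(text):
        label, sep, value = msg.partition(":")
        if not sep:
            continue
        value = value.strip()
        if label in FILTER_LABELS:
            for attr in EMPTY_TERM.findall(value):
                findings.append((ts, label, "empty value for " + attr))
        elif label in LIST_LABELS and not value:
            findings.append((ts, label, "empty list"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```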