Thread:Extension talk:LDAP Authentication/$wgLDAPRequiredGroups by OU

Hello Ryan Lane,

I created a user that has the following configuration:

sAMAccountName: 123456789
distinguishedName: CN=123456789,OU=ti_linux,OU=tecnology,OU=all users,OU=paulista,DC=OURDOMAIN,DC=corp

Our Active Directory is based on OUs (organizational units), so we aren't using Active Directory groups.

This is the configuration:

require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin;
$wgLDAPDomainNames = array( "OURDOMAIN" );
$wgLDAPServerNames = array( "OURDOMAIN"=> "ad.OURDOMAIN" );
$wgLDAPSearchStrings = array( "OURDOMAIN"=> "MYDOMAIN\\USER-NAME" );
$wgLDAPEncryptionType = array( "OURDOMAIN"=> "clear" );
$wgLDAPGroupUseFullDN = array( "OURDOMAIN"=> true );
$wgLDAPGroupUseRetrievedUsername = array( "OURDOMAIN"=> true );
$wgLDAPBaseDNs = array( "OURDOMAIN" => "OU=tecnology,OU=all users,OU=paulista,DC=OURDOMAIN,DC=corp" );
$wgLDAPSearchAttributes = array( "OURDOMAIN"=> "sAMAccountName" );
$wgLDAPGroupObjectclass = array( "OURDOMAIN"=>"group" );
$wgLDAPGroupAttribute = array( "OURDOMAIN"=>"member" );
$wgLDAPGroupNameAttribute = array( "OURDOMAIN"=>"cn" );
$wgLDAPSearchAttributes = array( "OURDOMAIN"=> "sAMAccountName" );
$wgLDAPGroupsUseMemberOf = array( "OURDOMAIN" => true );
$wgLDAPRequiredGroups = array( "OURDOMAIN"=> array ( "OU=ti_linux,OU=tecnology,OU=all users,OU=paulista,DC=OURDOMAIN,DC=corp" ) );
$wgShowExceptionDetails = true;
$wgLDAPPreferences = array('OURDOMAIN'=>array("email"=>"mail","realname"=>"cn","nickname"=>"sAMAccountName"));
$wgLDAPDebug = 3;
$wgDebugLogGroups["ldap"] = "/tmp/debug.log" ;

With this configuration I'm getting "Login error: Incorrect password entered. Please try again".

This is the log:

2010-08-04 19:14:20 nginx: Entering validDomain
2010-08-04 19:14:20 nginx: User is not using a valid domain.
2010-08-04 19:14:20 nginx: Setting domain as: invaliddomain
2010-08-04 19:14:20 nginx: Entering allowPasswordChange
2010-08-04 19:14:20 nginx: Entering modifyUITemplate
2010-08-04 19:14:28 nginx: Entering validDomain
2010-08-04 19:14:28 nginx: User is using a valid domain.
2010-08-04 19:14:28 nginx: Setting domain as: OURDOMAIN
2010-08-04 19:14:28 nginx: Entering getCanonicalName
2010-08-04 19:14:28 nginx: Username isn't empty.
2010-08-04 19:14:28 nginx: Munged username: 123456789
2010-08-04 19:14:28 nginx: Entering authenticate
2010-08-04 19:14:28 nginx: 
2010-08-04 19:14:28 nginx: Entering Connect
2010-08-04 19:14:28 nginx: Using TLS or not using encryption.
2010-08-04 19:14:28 nginx: Using servers:  ldap://ad.OURDOMAIN
2010-08-04 19:14:28 nginx: Connected successfully
2010-08-04 19:14:28 nginx: Entering getSearchString
2010-08-04 19:14:28 nginx: Doing a straight bind
2010-08-04 19:14:28 nginx: userdn is: OURDOMAIN\123456789
2010-08-04 19:14:28 nginx: 
2010-08-04 19:14:28 nginx: Binding as the user
2010-08-04 19:14:28 nginx: Bound successfully
2010-08-04 19:14:28 nginx: Entering getUserDN
2010-08-04 19:14:28 nginx: Created a regular filter: (sAMAccountName=123456789)
2010-08-04 19:14:28 nginx: Entering getBaseDN
2010-08-04 19:14:28 nginx: basedn is not set for this type of entry, trying to get the default basedn.
2010-08-04 19:14:28 nginx: Entering getBaseDN
2010-08-04 19:14:28 nginx: basedn is OU=tecnology,OU=all users,OU=paulista,DC=OURDOMAIN,DC=corp
2010-08-04 19:14:28 nginx: Using base: OU=tecnology,OU=all users,OU=paulista,DC=OURDOMAIN,DC=corp
2010-08-04 19:14:28 nginx: Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
2010-08-04 19:14:28 nginx: Pulled the user's DN: 
2010-08-04 19:14:28 nginx: Entering getGroups
2010-08-04 19:14:28 nginx: Retrieving LDAP group membership
2010-08-04 19:14:28 nginx: Using memberOf
2010-08-04 19:14:28 nginx: Entering checkGroups
2010-08-04 19:14:28 nginx: Checking for (new style) group membership
2010-08-04 19:14:28 nginx: Required groups: OU=ti_linux,OU=tecnology,OU=all users,OU=paulista,DC=OURDOMAIN,DC=corp
2010-08-04 19:14:28 nginx: Couldn't find the user in any groups.
2010-08-04 19:14:28 nginx: Entering strict.
2010-08-04 19:14:28 nginx: Returning true in strict.
2010-08-04 19:14:28 nginx: Entering allowPasswordChange
2010-08-04 19:14:28 nginx: Entering modifyUITemplate

Points that I noticed:

- I don't know why the log is 3 hours ahead, even though the date, time and timezone of the operating system are correct; I have checked this information in Active Directory too.

- The log does not show a value for the field "Pulled the user's DN".

- If I remove $wgLDAPRequiredGroups, I can access MediaWiki, so I guess authentication is working.

- I have also tried:

$wgLDAPSearchStrings = array( "OURDOMAIN"=> "MYDOMAIN\\USER-NAME" );
$wgLDAPSearchStrings = array( "OURDOMAIN"=> "USER-NAME@OURDOMAIN" );

Could you help us? It is not working.

Thanks in advance.

James Gava
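An added example to go with the post above; it is not code from the original post or from the LDAP Authentication extension. The log shows the plugin looking for the required DN via memberOf, and memberOf in Active Directory lists group objects, while an OU such as OU=ti_linux only appears as a component of the user's distinguishedName. The example contrasts the two readings of the same DN: an RDN suffix match that tests whether the user sits under the OU, and a memberOf-style group check, using the DN values from the post. The function names, the empty group list and the short log excerpt are constructed for the example.

```python
# Added example: not code from the original post or from the LDAP Authentication
# extension. It contrasts two readings of "OU=ti_linux,...": as an ancestor of
# the user's DN (what the poster means) and as a group DN looked up in memberOf
# (what a group-membership check sees).
from typing import List, Optional, Tuple
import re

# DN values copied from the post. The memberOf list is constructed: the post
# says the directory relies on OUs rather than AD groups, so it is empty.
USER_DN = "CN=123456789,OU=ti_linux,OU=tecnology,OU=all users,OU=paulista,DC=OURDOMAIN,DC=corp"
REQUIRED = ["OU=ti_linux,OU=tecnology,OU=all users,OU=paulista,DC=OURDOMAIN,DC=corp"]
MEMBER_OF: List[str] = []

# Constructed excerpt of the plugin's debug log, modelled on the one in the
# post, with the empty "Pulled the user's DN" value on its own line.
SAMPLE_LOG = """\
2010-08-04 19:14:28 nginx: Using base: OU=tecnology,OU=all users,OU=paulista,DC=OURDOMAIN,DC=corp
2010-08-04 19:14:28 nginx: Pulled the user's DN: 
2010-08-04 19:14:28 nginx: Entering getGroups
2010-08-04 19:14:28 nginx: Required groups: OU=ti_linux,OU=tecnology,OU=all users,OU=paulista,DC=OURDOMAIN,DC=corp
2010-08-04 19:14:28 nginx: Couldn't find the user in any groups.
"""


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into normalised (type, value) RDNs.

    A comma preceded by a backslash does not end an RDN. Types and values are
    lower-cased and stripped of surrounding whitespace, which is enough for the
    case-insensitive CN/OU/DC attributes used here.
    """
    rdns, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escaped char verbatim
            buf += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += dn[i]
        i += 1
    rdns.append(buf)
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        out.append((attr.strip().lower(), value.strip().lower()))
    return out


def dn_in_ou(user_dn: str, ou_dn: str) -> bool:
    """True when ou_dn is a proper ancestor of user_dn (RDN suffix match)."""
    user, ou = split_dn(user_dn), split_dn(ou_dn)
    return len(user) > len(ou) and user[len(user) - len(ou):] == ou


def in_required_groups(member_of: List[str], required: List[str]) -> bool:
    """memberOf-style check: at least one required DN must be a group the user is in."""
    have = {tuple(split_dn(g)) for g in member_of}
    return any(tuple(split_dn(r)) in have for r in required)


_PULLED = re.compile(r"Pulled the user's DN:(.*)$")


def pulled_dn(log: str) -> Optional[str]:
    """Return the DN logged after 'Pulled the user's DN:', or None if empty or missing."""
    for line in log.splitlines():
        m = _PULLED.search(line)
        if m:
            return m.group(1).strip() or None
    return None


if __name__ == "__main__":
    print("user DN under required OU:", dn_in_ou(USER_DN, REQUIRED[0]))            # True
    print("required OU found in memberOf:", in_required_groups(MEMBER_OF, REQUIRED))  # False
    print("DN pulled from log:", pulled_dn(SAMPLE_LOG))                              # None
```

Running the block shows the split the post describes: the user's DN does sit under the required OU, but the same DN is never found as a group membership, and the constructed log excerpt yields no pulled DN at all, matching the empty "Pulled the user's DN:" entry in the post.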