Thread:Extension talk:LDAP Authentication/User creation error: Incorrect password entered. Please try again.

Ryan,

Thanks for this extension, it makes dealing with our corporate LDAP much easier.


 * MediaWiki 1.22.0
 * PHP 5.3.3
 * MySQL 5.1.71
 * LDAP Authentication Plugin 2.0f

We use the extension for username/password authentication only. We don't use groups. Our requirements:


 * Anonymous users do not have read/write access
 * Only valid users have full read/write access
 * Only a WikiSysop privileged user can create a valid user account for another user

To accomplish this, auto account creation and anonymous read access are disabled:

$wgGroupPermissions['*']['createaccount'] = false;
 * 1) Don't offer a 'Create Account' option on login page

$wgGroupPermissions['*']['edit'] = false;
 * 1) Don't allow anonymous editing

$wgGroupPermissions['*']['read'] = false;
 * 1) Don't allow anonymous reading

$wgLDAPDisableAutoCreate = array( 'ACME' => true );
 * 1) Prevents users from auto creating a user account when logging in

In addition, the extension is configured like so:

// Enable these for LDAP debugging. Value can be 1-3, 3 shows // sensitive info! Careful! // $wgLDAPDebug = 3; // $wgDebugLogGroups['ldap'] = "/tmp/ldap-debug.log";

$wgLDAPDomainNames = array( 'ACME', ); $wgLDAPServerNames = array( 'ACME' => 'ldap-prod.acme.org', ); $wgLDAPSearchStrings = array( 'ACME' => 'uid=USER-NAME,ou=People,o=acme.org', ); $wgLDAPEncryptionType = array( 'ACME' => 'tls', ); $wgLDAPBaseDNs = array( 'ACME' => 'o=acme.org', ); $wgLDAPGroupBaseDNs = array( 'ACME' => 'ou=Group,o=acme.org', ); $wgLDAPUserBaseDNs = array( 'ACME' => 'ou=People,o=acme.org', );

$wgMinimalPasswordLength = 1;

I don't know when this changed but a few months ago we were able to use the Special Pages > Create account link to create a new account for a user. We would enter the username (matched their LDAP username), some random password that would be ignored, and their real name. Once the account was created, the user would login using their username and password. The extension would authenticate them against the corporate LDAP server and all was well.

Now, when we go to create a user we get the error "Account creation error Incorrect password entered. Please try again." I assume because I'm not using the users LDAP password (which I don't know)? We don't want users to be created in LDAP, they already have LDAP accounts. We just want them to have a MediaWiki account who's username matches their LDAP account so they can authenticate. Is that possible?

One more thing to note. We've figured out a workaround to add a user using the maintenance script.

Thanks, Jeremy