Thread:Extension talk:LDAP Authentication/Group synchronization not working

Hi,

I'm having some trouble setting up group sync with LDAP. Maybe I'm not understanding the group sync feature well. If so, please let me know.

What I'm trying to do is make every member of an LDAP group a sysop.

Here is my LocalSettings.php:

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin;
$wgLDAPDomainNames = array( "AD" );
$wgLDAPServerNames = array( "AD"=>"srv-pdc.lan.AD.tv" );
$wgLDAPUseLocal = false;
$wgLDAPEncryptionType = array( "AD"=>"clear" );
$wgLDAPSearchStrings = array( "AD"=>"AD\\USER-NAME" );
$wgLDAPProxyAgent = array( "AD"=>"cn=wiki,cn=Users,dc=lan,dc=AD,dc=tv" );
$wgLDAPProxyAgentPassword = array( "AD"=>"wiki" );
$wgLDAPSearchAttributes = array( "AD"=>"sAMAccountName" );
$wgLDAPBaseDNs = array( "AD"=>"dc=lan,dc=AD,dc=tv" );
$wgLDAPGroupBaseDNs = array( "AD"=>"ou=Groupe,dc=lan,dc=AD,dc=tv" );
$wgLDAPUserBaseDNs = array( "AD"=>"cn=Users,dc=lan,dc=AD,dc=tv" );
$wgLDAPGroupUseFullDN = array( "AD"=>true );
$wgLDAPGroupObjectclass = array( "AD"=>"group" );
$wgLDAPGroupAttribute = array( "AD"=>"member" );
$wgLDAPGroupNameAttribute = array( "AD"=>"cn" );
$wgLDAPGroupsUseMemberOf = array( "AD"=>true );
$wgLDAPUseLDAPGroups = array( "AD"=>true );
$wgLDAPAddLDAPUsers = array("AD" => "true");
$wgLDAPGroupsPrevail = array( "AD"=>true );
/*
$wgLDAPRequiredGroups = array( "AD"=>array(
    "cn=wiki-1,ou=Groupe,dc=lan,dc=AD,dc=tv",
    "cn=wiki-adm,ou=Groupe,dc=lan,dc=AD,dc=tv",
    "cn=wiki3,ou=Groupe,dc=lan,dc=AD,dc=tv",
    "cn=wiki4,ou=Groupe,dc=lan,dc=AD,dc=tv",
    "cn=wiki5,ou=Groupe,dc=lan,dc=AD,dc=tv",
    "cn=wiki6,ou=Groupe,dc=lan,dc=AD,dc=tv"
));
*/
$wgLDAPAuthAttribute = array( "AD"=>"!(userAccountControl:1.2.840.113556.1.4.803:=2)" );
$wgLDAPRetrievePrefs = array( "AD"=>true );
$wgLDAPPreferences = array( "AD"=>array( "email"=>"mail", "realname"=>"cn", "nickname"=>"sAMAccountName" ));
$wgGroupPermissions['wiki-adm'] = $wgGroupPermissions['sysop'];
$wgHooks['SetUsernameAttributeFromLDAP'][] = 'SetUsernameAttribute';
function SetUsernameAttribute(&$LDAPUsername, $info) {
    $LDAPUsername = $info[0]['samaccountname'][0];
    return true;
}
$wgLDAPDebug = 3;
$wgDebugLogGroups["ldap"] = "/tmp/debug.log";

And my debug log:

2011-01-26 13:04:28 mgwiki-mgw_: Entering validDomain
2011-01-26 13:04:28 mgwiki-mgw_: User is not using a valid domain.
2011-01-26 13:04:28 mgwiki-mgw_: Setting domain as: invaliddomain
2011-01-26 13:04:28 mgwiki-mgw_: Entering allowPasswordChange
2011-01-26 13:04:28 mgwiki-mgw_: Entering modifyUITemplate
2011-01-26 13:04:35 mgwiki-mgw_: Entering validDomain
2011-01-26 13:04:35 mgwiki-mgw_: User is using a valid domain.
2011-01-26 13:04:35 mgwiki-mgw_: Setting domain as: AD
2011-01-26 13:04:35 mgwiki-mgw_: Entering getCanonicalName
2011-01-26 13:04:35 mgwiki-mgw_: Username isn't empty.
2011-01-26 13:04:35 mgwiki-mgw_: Munged username: Cjuif
2011-01-26 13:04:36 mgwiki-mgw_: Entering authenticate
2011-01-26 13:04:36 mgwiki-mgw_:
2011-01-26 13:04:36 mgwiki-mgw_: Entering Connect
2011-01-26 13:04:36 mgwiki-mgw_: Using TLS or not using encryption.
2011-01-26 13:04:36 mgwiki-mgw_: Using servers:  ldap://srv-pdc.lan.AD.tv
2011-01-26 13:04:36 mgwiki-mgw_: Connected successfully
2011-01-26 13:04:36 mgwiki-mgw_: Entering getSearchString
2011-01-26 13:04:36 mgwiki-mgw_: Doing a straight bind
2011-01-26 13:04:36 mgwiki-mgw_: userdn is: AD\Cjuif
2011-01-26 13:04:36 mgwiki-mgw_:
2011-01-26 13:04:36 mgwiki-mgw_: Binding as the user
2011-01-26 13:04:36 mgwiki-mgw_: Bound successfully
2011-01-26 13:04:36 mgwiki-mgw_: Entering getUserDN
2011-01-26 13:04:36 mgwiki-mgw_:
2011-01-26 13:04:36 mgwiki-mgw_: Created a regular filter: (sAMAccountName=Cjuif)
2011-01-26 13:04:36 mgwiki-mgw_: Entering getBaseDN
2011-01-26 13:04:36 mgwiki-mgw_: basedn is cn=Users,dc=lan,dc=AD,dc=tv
2011-01-26 13:04:36 mgwiki-mgw_: Using base: cn=Users,dc=lan,dc=AD,dc=tv
2011-01-26 13:04:36 mgwiki-mgw_: Pulled the user's DN: CN=Claude Juif,CN=Users,DC=lan,DC=AD,DC=tv
2011-01-26 13:04:36 mgwiki-mgw_: Checking for auth attributes
2011-01-26 13:04:36 mgwiki-mgw_: Entering getGroups
2011-01-26 13:04:36 mgwiki-mgw_: Retrieving LDAP group membership
2011-01-26 13:04:36 mgwiki-mgw_: Using memberOf
2011-01-26 13:04:36 mgwiki-mgw_: Entering searchGroups
2011-01-26 13:04:36 mgwiki-mgw_: Entering getBaseDN
2011-01-26 13:04:36 mgwiki-mgw_: basedn is ou=Groupe,dc=lan,dc=AD,dc=tv
2011-01-26 13:04:36 mgwiki-mgw_: Search string: (&(member=*)(objectclass=group))
2011-01-26 13:04:36 mgwiki-mgw_: Binding as the proxyagent
2011-01-26 13:04:36 mgwiki-mgw_: Returned groups: cn=remote,ou=groupe,dc=lan,dc=AD,dc=tv::cn=wiki-adm,ou=groupe,dc=lan,dc=AD,dc=tv
2011-01-26 13:04:36 mgwiki-mgw_: Entering checkGroups
2011-01-26 13:04:36 mgwiki-mgw_: Entering getPreferences
2011-01-26 13:04:36 mgwiki-mgw_: Retrieving preferences
2011-01-26 13:04:36 mgwiki-mgw_: Retrieved email (claude.juif@AD.tv) using attribute (mail)
2011-01-26 13:04:36 mgwiki-mgw_: Retrieved realname (Claude Juif) using attribute (cn)
2011-01-26 13:04:36 mgwiki-mgw_: Entering synchUsername
2011-01-26 13:04:36 mgwiki-mgw_: Authentication passed
2011-01-26 13:04:36 mgwiki-mgw_: Entering updateUser
2011-01-26 13:04:36 mgwiki-mgw_: Setting user preferences.
2011-01-26 13:04:36 mgwiki-mgw_: Setting realname.
2011-01-26 13:04:36 mgwiki-mgw_: Setting email.
2011-01-26 13:04:36 mgwiki-mgw_: Setting user groups.
2011-01-26 13:04:36 mgwiki-mgw_: Entering setGroups.
2011-01-26 13:04:36 mgwiki-mgw_: Locally managed groups is unset, using defaults:  bot::sysop::bureaucrat
2011-01-26 13:04:36 mgwiki-mgw_: Adding all groups to wgGroupPermissions:  Array::Array
2011-01-26 13:04:36 mgwiki-mgw_: Available groups are:  bot::sysop::bureaucrat::wiki-adm
2011-01-26 13:04:36 mgwiki-mgw_: Effective groups are:  sysop::*::user::autoconfirmed
2011-01-26 13:04:36 mgwiki-mgw_: Checking to see if user is in: bot
2011-01-26 13:04:36 mgwiki-mgw_: Entering hasLDAPGroup
2011-01-26 13:04:36 mgwiki-mgw_: Checking to see if we need to remove user from: sysop
2011-01-26 13:04:36 mgwiki-mgw_: Entering hasLDAPGroup
2011-01-26 13:04:36 mgwiki-mgw_: Checking to see if user is in: bureaucrat
2011-01-26 13:04:36 mgwiki-mgw_: Entering hasLDAPGroup
2011-01-26 13:04:36 mgwiki-mgw_: Checking to see if user is in: wiki-adm
2011-01-26 13:04:36 mgwiki-mgw_: Entering hasLDAPGroup
2011-01-26 13:04:36 mgwiki-mgw_: Saving user settings.

I can log in using my LDAP account and my preferences are correctly retrieved, but when I check group rights in wikimedia, I can see that the group wiki-adm has been created, but there is no member in it. What am I doing wrong?

Best regards,