Thread:Extension talk:LDAP Authentication/LDAP Group restriction skipped

Hi everybody, I need some help to fix a configuration problem with the LDAP plugin. We have a multi-domain environment, so the configuration is pointing at our global catalog. Groups can be in domain1 or domain2; authentication works fine and I can see all the groups coming down, but $wgLDAPRequiredGroups is completely ignored and there is no trace in the debug log. My user is in DOMAIN2 but also has groups of DOMAIN1.

Thanks, Vale

CentOS release 6.4 (Final)
Mediawiki 1.20.4
php-5.3.3
mysql-5.1.69
LDAP plugin 2.0c

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin;
# CONFIGURATION
## Ldap Auth

$wgLDAPDebug = 9;
$wgShowExceptionDetails = true;
$wgDebugLogGroups["ldap"] = "/tmp/debugldap.log";
# Ldap Debugging options

$wgLDAPUseLocal                = false;
$wgLDAPDomainNames             = array("DOMAIN1", "DOMAIN2", "DOMAIN3");
$wgLDAPServerNames             = array("DOMAIN1" => "ldap1.domain1.com ldap2.domain1.com", "DOMAIN2" => "ldap1.domain1.com ldap2.domain1.com", "DOMAIN3" => "ldap1.domain1.com ldap2.domain1.com");
$wgLDAPPort                    = array("DOMAIN1" => 3269, "DOMAIN2" => 3269, "DOMAIN3" => 3269);
$wgLDAPSearchStrings           = array("DOMAIN1" => "DOMAIN1\\USER-NAME", "DOMAIN2" => "DOMAIN2\\USER-NAME", "DOMAIN3" => "DOMAIN3\\USER-NAME");
$wgLDAPEncryptionType          = array("DOMAIN1" => "ssl", "DOMAIN2" => "ssl", "DOMAIN3" => "ssl");
$wgLDAPUseLDAPGroups           = array("DOMAIN1" => true, "DOMAIN2" => true, "DOMAIN3" => true);
$wgLDAPGroupNameAttribute      = array("DOMAIN1" => "cn", "DOMAIN2" => "cn", "DOMAIN3" => "cn");
$wgLDAPGroupUseFullDN          = array("DOMAIN1" => true, "DOMAIN2" => true, "DOMAIN3" => true);
$wgLDAPGroupObjectclass        = array("DOMAIN1" => "group", "DOMAIN2" => "group", "DOMAIN3" => "group");
$wgLDAPGroupAttribute          = array("DOMAIN1" => "member", "DOMAIN2" => "member", "DOMAIN3" => "member");
$wgLDAPGroupSearchNestedGroups = array("DOMAIN1" => false, "DOMAIN2" => false, "DOMAIN3" => false);
$wgLDAPSearchAttributes        = array("DOMAIN1" => "sAMAccountName", "DOMAIN2" => "sAMAccountName", "DOMAIN3" => "sAMAccountName", );
$wgLDAPActiveDirectory         = array("DOMAIN1" => true, "DOMAIN2" => true, "DOMAIN3" => true);
# LDAP conf

$wgLDAPBaseDNs                 = array( "DOMAIN1", "DOMAIN2", "DOMAIN3"=>"dc=ADLDAP, dc=DOMAIN2, dc=DOMAIN1, dc=com" );

$wgLDAPUserBaseDNs             = array("DOMAIN1", "DOMAIN2", "DOMAIN3"=>"dc=ADLDAP, dc=DOMAIN2, dc=DOMAIN1, dc=com" );
$wgLDAPGroupBaseDNs            = array("DOMAIN1", "DOMAIN2", "DOMAIN3"=>"dc=ADLDAP, dc=dc=DOMAIN2, dc=DOMAIN1, dc=com" );

$wgLDAPRequiredGroups = array( "ALLDOMAIN" => array( "cn=testldap,ou=global groups,dc=ADLDAP,dc=DOMAIN1,dc=com" ) );
# testldap: this group doesn't exist in LDAP, this is a test
#      "cn=linux,ou=ou=global groups,dc=DOMAIN1,dc=com",
#      "cn=linuxsysadmin,ou=distribution groups,dc=DOMAIN1,dc=com",

$wgLDAPUserBaseDNs = array("DOMAIN1", "DOMAIN2", "DOMAIN3"=>"dc=ADLDAP, dc=DOMAIN2, dc=DOMAIN1, dc=com" );
$wgLDAPGroupBaseDNs = array("DOMAIN1", "DOMAIN2", "DOMAIN3"=>"dc=ADLDAP, dc=DOMAIN2, dc=DOMAIN1, dc=com" );

2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering validDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c User is using a valid domain (DOMAIN2).
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Setting domain as: DOMAIN2
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getCanonicalName
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Username is: Valentina
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Munged username: Valentina
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering authenticate for username Valentina
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering Connect
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Using SSL
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Using non-standard port: 3269
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Using non-standard port: 3269
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Using servers: ldaps://ldap1.domain1.com:3269 ldaps://ldap2.domain1.com:3269
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getSearchString
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Doing a straight bind
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c userdn is: DOMAIN2\Valentina
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Binding as the user
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Bound successfully
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getUserDN
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Created a regular filter: (sAMAccountName=Valentina)
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getBaseDN
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c basedn is not set for this type of entry, trying to get the default basedn.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getBaseDN
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c basedn is not set.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Using base:
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Fetched UserDN: CN=Valentina,OU=Platforms, OU=IT,OU=Users,OU=Office,OU=DOMAIN, OU=ADMIN,DC=DOMAIN2,DC=co,DC=uk
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getGroups
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Retrieving LDAP group membership
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Searching for the groups
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering searchGroups
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getBaseDN
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c basedn is not set for this type of entry, trying to get the default basedn.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getBaseDN
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c basedn is not set.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c User Filter: (&(distinguishedName=CN=Valentina,OU=Platforms,OU=IT,OU=Users,OU=Office,OU=ADMIN,OU=DOMAIN,DC=DOMAIN2,DC=co,DC=uk)(objectclass=user))
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Primary Group Filter: (&(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\38\82\b2\f3\b3\8b\0d\5f\fc\5a\f7\02\01\02\00\00)(objectclass=group))
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Search string: (&(member=CN=Valentina,OU=Platforms,OU=IT,OU=Users,OU=Office,OU=ADMIN,OU=DOMAIN,DC=DOMAIN2,DC=co,DC=uk)(objectclass=group))
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Returned groups: cn=domain users,cn=users,dc=DOMAIN2,dc=co,dc=uk::cn=linux,ou=global groups,dc=DOMAIN1,dc=com::cn=linuxsysadmin,ou=woking distribution groups,ou=distributiongroups,ou=exchange,dc=DOMAIN1,dc=com
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering checkGroups
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getPreferences
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Authentication passed
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering updateUser
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Setting user groups.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering setGroups.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering getDomain
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Pulling domain from session.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Locally managed groups: bot::sysop::bureaucrat::sysop, bureaucrat
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Available groups are: bot::sysop::bureaucrat::linuxsysadmin::linux::wikireader
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Effective groups are: linux::linuxsysadmin::*::user
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Checking to see if user is in: bot
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering hasLDAPGroup
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Checking to see if user is in: sysop
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering hasLDAPGroup
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Checking to see if user is in: bureaucrat
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering hasLDAPGroup
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Checking to see if we need to remove user from: linuxsysadmin
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering hasLDAPGroup
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Checking to see if we need to remove user from: linux
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering hasLDAPGroup
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Checking to see if user is in: wikireader
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Entering hasLDAPGroup
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c User has a token, setting domain in user options.
2013-07-02 10:53:35 linuxwiki.local.com wikitest: 2.0c Saving user settings.
# debug
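
The configuration in the post keys $wgLDAPRequiredGroups by "ALLDOMAIN" and gives $wgLDAPBaseDNs positional entries, while the log reports "basedn is not set" and prints nothing after "Entering checkGroups". The following is an added example, not part of the original post and not code from the LdapAuthentication extension, that lints such per-domain arrays. It assumes the extension resolves each setting by a key taken from $wgLDAPDomainNames; lintPerDomainSetting is a hypothetical helper name.

```php
<?php
// Added example, not LdapAuthentication code: lint per-domain LDAP settings.
// Assumption: each setting is resolved by a key taken from $wgLDAPDomainNames.

/**
 * Hypothetical helper. Returns a list of findings for one per-domain setting.
 */
function lintPerDomainSetting( $name, array $setting, array $domains ) {
    $findings = array();
    foreach ( $setting as $key => $value ) {
        if ( is_int( $key ) ) {
            // array("DOMAIN1", "DOMAIN3" => "...") stores "DOMAIN1" as a value at index 0.
            $findings[] = "$name: positional entry [$key] => "
                . var_export( $value, true ) . " is not keyed by a domain";
        } elseif ( !in_array( $key, $domains, true ) ) {
            $findings[] = "$name: key '$key' is not in \$wgLDAPDomainNames";
        }
    }
    foreach ( $domains as $domain ) {
        if ( !array_key_exists( $domain, $setting ) ) {
            $findings[] = "$name: no entry for domain '$domain'";
        }
    }
    return $findings;
}

// Values copied from the configuration in the post.
$wgLDAPDomainNames = array( "DOMAIN1", "DOMAIN2", "DOMAIN3" );
$wgLDAPBaseDNs = array( "DOMAIN1", "DOMAIN2", "DOMAIN3" => "dc=ADLDAP, dc=DOMAIN2, dc=DOMAIN1, dc=com" );
$wgLDAPRequiredGroups = array(
    "ALLDOMAIN" => array( "cn=testldap,ou=global groups,dc=ADLDAP,dc=DOMAIN1,dc=com" ),
);

$findings = array_merge(
    lintPerDomainSetting( 'wgLDAPBaseDNs', $wgLDAPBaseDNs, $wgLDAPDomainNames ),
    lintPerDomainSetting( 'wgLDAPRequiredGroups', $wgLDAPRequiredGroups, $wgLDAPDomainNames )
);
foreach ( $findings as $finding ) {
    echo $finding, "\n";
}
// Under the assumption above, a domain with no RequiredGroups entry of its own
// has no group restriction to enforce, so treat any finding as a failed check.
exit( count( $findings ) > 0 ? 1 : 0 );
```

Running a check like this against LocalSettings.php before deployment turns a group restriction that is silently skipped into a visible failure.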