Thread:Extension talk:LDAP Authentication/Another required groups issue (2)

Hi there,

here's another group issue where I didn't find a solution in older threads...: We try to allow page creation etc. only to an AD group 'IT'.

Behaviour: If we uncomment the line $wgLDAPRequiredGroups = array( "MyDomain"=> array( "dc=My,dc=Dom,dc=ain" ) ); we can log on. If the line is active we get a "wrong password" error message. In either case there is no check whether the user is in the group 'IT'.


 * Settings:
 * Wiki-Version: 1.19.0
 * PHP: 5.4.4-7 (apache2handler)
 * MySQL: 5.5.24-9
 * LDAP Authentication Plugin (Version 2.0a) <-- Version 2.0c couldn't be downloaded...

 * LocalSettings.php

# Enable LDAP Authentication
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin;

$wgLDAPDomainNames = array( "MyDomain" );
$wgLDAPServerNames = array( "MyDomain" => "PrimDomContrl.MyDomain" );
$wgLDAPSearchStrings = array( "MyDomain" => "My\\USER-NAME" );
$wgLDAPEncryptionType = array( "MyDomain" => "clear" );
$wgLDAPAccessDeniedPage = array( "MyDomain" => "Missing rights!" );
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs = array( "MyDomain" => "dc=My,dc=Dom,dc=ain" );
$wgLDAPSearchAttributes = array( "MyDomain" => "sAMAccountName" );
$wgLDAPRetrievePrefs = array( "MyDomain" => "true" );
$wgLDAPDebug = 3; //for debugging LDAP
$wgDebugLogGroups["ldap"] = "/tmp/ldaplog.log";
$wgShowExceptionDetails = true; //for debugging MediaWiki
$wgLDAPGroupUseFullDN = array( "MyDomain"=>true );
$wgLDAPGroupsUseMemberOf = array( "MyDomain" => true );
$wgLDAPGroupObjectclass = array( "MyDomain"=>"group" );
$wgLDAPGroupAttribute = array( "MyDomain"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "MyDomain" => true );
$wgLDAPGroupNameAttribute = array( "MyDomain"=>"cn" );
# $wgLDAPUseLocal = true;

# The following permissions were set based on your choice in the installer
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['createpage'] = false;
$wgGroupPermissions['*']['createtalk'] = false;

$wgLDAPRequiredGroups = array( "MyDomain"=> array( "dc=My,dc=Dom,dc=ain" ) );

# This section defines permissions which allow only logged-in users to edit
# Deny access to Anonymous
## But allow Anonymous to login
# $wgWhitelistRead = array ("Special:Userlogin");
# Allow logged in users to do these things
$wgGroupPermissions['it']['move']           = true;
$wgGroupPermissions['it']['read']           = true;
$wgGroupPermissions['it']['edit']           = true;
$wgGroupPermissions['it']['createpage']     = true;
$wgGroupPermissions['it']['createtalk']     = true;
$wgGroupPermissions['it']['upload']         = true;
$wgGroupPermissions['it']['reupload']       = true;
$wgGroupPermissions['it']['reupload-shared'] = true;
$wgGroupPermissions['it']['minoredit']      = true;

 * Log-Output:

2012-10-18 08:56:48 Localhost mywiki: 2.0a Entering validDomain
2012-10-18 08:56:48 Localhost mywiki: 2.0a User is not using a valid domain.
2012-10-18 08:56:48 Localhost mywiki: 2.0a Setting domain as: MyDomain
2012-10-18 08:56:48 Localhost mywiki: 2.0a Entering allowPasswordChange
2012-10-18 08:56:48 Localhost mywiki: 2.0a Entering modifyUITemplate
2012-10-18 08:56:48 Localhost mywiki: 2.0a Allowing the ain domain, adding it to the list.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering validDomain
2012-10-18 08:56:52 Localhost mywiki: 2.0a User is using a valid domain (MyDomain).
2012-10-18 08:56:52 Localhost mywiki: 2.0a Setting domain as: MyDomain
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getCanonicalName
2012-10-18 08:56:52 Localhost mywiki: 2.0a Username isn't empty.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering Connect
2012-10-18 08:56:52 Localhost mywiki: 2.0a Using TLS or not using encryption.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Using servers: ldap://PrimDomContrl.MyDomain:389
2012-10-18 08:56:52 Localhost mywiki: 2.0a PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getUserDN
2012-10-18 08:56:52 Localhost mywiki: 2.0a Doing an anonymous bind
2012-10-18 08:56:52 Localhost mywiki: 2.0a Created a regular filter: (sAMAccountName=XXX-TESTUSER)
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getBaseDN
2012-10-18 08:56:52 Localhost mywiki: 2.0a basedn is not set for this type of entry, trying to get the default basedn.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getBaseDN
2012-10-18 08:56:52 Localhost mywiki: 2.0a Using base: dc=My,dc=Dom,dc=ain
2012-10-18 08:56:52 Localhost mywiki: 2.0a Couldn't find an entry
2012-10-18 08:56:52 Localhost mywiki: 2.0a Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Munged username: XXX-TESTUSER
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering authenticate for username XXX-TESTUSER
2012-10-18 08:56:52 Localhost mywiki: 2.0a
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering Connect
2012-10-18 08:56:52 Localhost mywiki: 2.0a Using TLS or not using encryption.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Using servers: ldap://PrimDomContrl.MyDomain:389
2012-10-18 08:56:52 Localhost mywiki: 2.0a PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getSearchString
2012-10-18 08:56:52 Localhost mywiki: 2.0a Doing a straight bind
2012-10-18 08:56:52 Localhost mywiki: 2.0a userdn is: My\XXX-TESTUSER
2012-10-18 08:56:52 Localhost mywiki: 2.0a
2012-10-18 08:56:52 Localhost mywiki: 2.0a Binding as the user
2012-10-18 08:56:52 Localhost mywiki: 2.0a Bound successfully
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getUserDN
2012-10-18 08:56:52 Localhost mywiki: 2.0a Created a regular filter: (sAMAccountName=XXX-TESTUSER)
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getBaseDN
2012-10-18 08:56:52 Localhost mywiki: 2.0a basedn is not set for this type of entry, trying to get the default basedn.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getBaseDN
2012-10-18 08:56:52 Localhost mywiki: 2.0a Using base: dc=My,dc=Dom,dc=ain
2012-10-18 08:56:52 Localhost mywiki: 2.0a Fetched UserDN: CN=TESTUSER\, XXX-,OU=Undef. User,OU=MyBranch,OU=MyComp,DC=My,DC=Dom,DC=ain
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getGroups
2012-10-18 08:56:52 Localhost mywiki: 2.0a Retrieving LDAP group membership
2012-10-18 08:56:52 Localhost mywiki: 2.0a Using memberOf
2012-10-18 08:56:52 Localhost mywiki: 2.0a Got the following groups: cn=xxx-user,ou=xxx-lists,dc=My,dc=Dom,dc=ain::cn=xxx-admins,ou=it,dc=My,dc=Dom,dc=ain:: [...]
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering checkGroups
2012-10-18 08:56:52 Localhost mywiki: 2.0a Checking for (new style) group membership
2012-10-18 08:56:52 Localhost mywiki: 2.0a Required groups: dc=My,dc=Dom,dc=ain
2012-10-18 08:56:52 Localhost mywiki: 2.0a Checking against: cn=xxx-user,ou=xxx-lists,dc=My,dc=Dom,dc=ain
2012-10-18 08:56:52 Localhost mywiki: 2.0a Checking against: cn=xxx-admins,ou=it,dc=My,dc=Dom,dc=ain
[...]
2012-10-18 08:56:52 Localhost mywiki: 2.0a Couldn't find the user in any groups.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering strict.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Returning false in strict.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering allowPasswordChange
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering modifyUITemplate
2012-10-18 08:56:52 Localhost mywiki: 2.0a Allowing the local domain, adding it to the list.

Any hints?
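The required-group comparison that the log walks through (each "Required groups" DN checked against the "Got the following groups" memberOf DNs, failing closed into "Returning false in strict"), modelled in Python as an added illustration rather than the extension's own PHP code. The DN normalisation and the sanity check that rejects a base DN as a required "group" are assumptions here; the sample group line is copied from the log above with the elision dropped.

```python
import re

# Constructed input in the "Got the following groups:" log format (DNs joined
# by "::"); the two DNs are the ones visible in the log above, elision dropped.
GROUP_LOG_LINE = ("Got the following groups: "
                  "cn=xxx-user,ou=xxx-lists,dc=My,dc=Dom,dc=ain::"
                  "cn=xxx-admins,ou=it,dc=My,dc=Dom,dc=ain::")

def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around RDN separators, so that
    AD's 'CN=Foo, OU=Bar' and a hand-typed 'cn=foo,ou=bar' compare equal.
    A backslash-escaped comma (as in 'CN=TESTUSER\\, XXX-') belongs to the
    value and is not treated as a separator."""
    parts = re.split(r"(?<!\\),", dn)
    return ",".join(p.strip().lower() for p in parts)

def parse_groups(line):
    """Return the normalised group DNs from a 'Got the following groups:' line."""
    _, _, groups = line.partition("Got the following groups:")
    return [normalize_dn(g) for g in groups.split("::") if g.strip()]

def is_group_dn(dn):
    """A required-group entry must name a group object, so its leftmost RDN is
    a naming attribute such as cn=, never a dc= domain component (assumption).
    A bare base DN like dc=my,dc=dom,dc=ain can never equal a memberOf value,
    so the check fails closed for every user and the login form reports a
    wrong password instead of a missing group."""
    return not normalize_dn(dn).split(",")[0].startswith("dc=")

def check_required_groups(required, user_groups):
    """Mirror the log: each required DN is compared with the user's memberOf
    DNs and a single hit is enough.  Returns (allowed, reason)."""
    wanted = [normalize_dn(r) for r in required]
    not_groups = [r for r in wanted if not is_group_dn(r)]
    if not_groups:
        return False, "not a group DN: " + ", ".join(not_groups)
    have = set(normalize_dn(g) for g in user_groups)
    for dn in wanted:
        if dn in have:
            return True, "member of " + dn
    return False, "user is in none of the required groups"

if __name__ == "__main__":
    groups = parse_groups(GROUP_LOG_LINE)
    # The poster's setting: the base DN is not a group, so nobody can log in.
    print(check_required_groups(["dc=My,dc=Dom,dc=ain"], groups))
    # A real group DN from the memberOf list, written the way AD returns it.
    print(check_required_groups(["CN=xxx-admins,OU=it,DC=My,DC=Dom,DC=ain"], groups))
```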