Thread:Extension talk:LDAP Authentication/Trouble configuring group membership check

I am running a fresh install of LdapAuthentication 1.2d (2010-11-23) from the snapshot, MediaWiki 1.16.2, with LDAP. I am not an LDAP admin.

I want to accomplish the equivalent of this department-member check to authenticate users for MediaWiki:

/opt/openldap-2.3.33/bin/ldapsearch -LLL \
    -D "uid=username,ou=authenticate,dc=domain,dc=com" \
    -b "ou=authorize,dc=domain,dc=com" \
    -H ldaps://ldap.domain.com \
    -w "password" \
    "(&(uid=username)(chx=1234))"

Or with PHP 5.2.6:

$ds = ldap_connect("ldaps://ldap.domain.com");
$r  = ldap_bind($ds, "cn=username,ou=authenticate,dc=domain,dc=com", "password");
$sr = ldap_search($ds, "ou=authorize,dc=domain,dc=com", "(&(uid=username)(chx=1234))");

"username" should be unique, so if the check returns any entries at all, "username" should be authorized. (If not, our LDAP has a problem.) The "username" should be used both to authenticate and to bind to perform the search for filter "(&(uid=username)(chx=1234))".

I can do simple authentication using LdapAuthentication with the following configuration:

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin;
$wgLDAPDomainNames = array( "myLDAP" );
$wgLDAPServerNames = array( "myLDAP" => "ldap.purdue.edu" );
$wgLDAPUseLocal = false;
$wgLDAPEncryptionType = array( "myLDAP"=>"ssl" );
$wgLDAPPort = array( "myLDAP"=>636 );
$wgLDAPSearchStrings = array( "myLDAP"=>"uid=USER-NAME,ou=authenticate,dc=domain,dc=com" );
$wgLDAPBaseDNs = array( "myLDAP"=>"dc=domain,dc=com" );
$wgLDAPGroupBaseDNs = array( "myLDAP"=>"ou=authorize,dc=domain,dc=com" );
$wgLDAPDebug = 3;
$wgDebugLogGroups["ldap"] = "/tmp/debug.log";
$wgLDAPLowerCaseUsername = array( "myLDAP"=>true );
$wgMinimalPasswordLength = 1;

Once I try to search for group (chx=1234) I find myself flailing. What do I need to do to perform the above search with LdapAuthentication, or does it not do this type of search?

I tried adding the following to the above LdapAuthentication simple bind:

$wgLDAPRequiredGroups = array( "myLDAP"=>array("1234") );
$wgLDAPGroupUseFullDN = array( "myLDAP"=>false );
$wgLDAPGroupObjectclass = array( "myLDAP"=>"1234" );
$wgLDAPGroupAttribute = array( "myLDAP"=>"uid" );
$wgLDAPGroupSearchNestedGroups = array( "myLDAP"=>false );
$wgLDAPGroupNameAttribute = array( "myLDAP"=>"chx" );

I also hacked LdapAuthentication.php, changing this in function searchGroups:

$filter = "(&($attribute=$value)(chx=$objectclass))";

My debug.log returns:

2011-05-17 20:20:44 wikidb-mw_: Entering validDomain
2011-05-17 20:20:44 wikidb-mw_: User is using a valid domain.
2011-05-17 20:20:44 wikidb-mw_: Setting domain as: myLDAP
2011-05-17 20:20:44 wikidb-mw_: Entering getCanonicalName
2011-05-17 20:20:44 wikidb-mw_: Username isn't empty.
2011-05-17 20:20:44 wikidb-mw_: Munged username: Username
2011-05-17 20:20:44 wikidb-mw_: Entering authenticate
2011-05-17 20:20:44 wikidb-mw_:
2011-05-17 20:20:44 wikidb-mw_: Entering Connect
2011-05-17 20:20:44 wikidb-mw_: Using SSL
2011-05-17 20:20:44 wikidb-mw_: Using servers:  ldaps://ldap.domain.com
2011-05-17 20:20:44 wikidb-mw_: Connected successfully
2011-05-17 20:20:44 wikidb-mw_: Lowercasing the username: Username
2011-05-17 20:20:44 wikidb-mw_: Entering getSearchString
2011-05-17 20:20:44 wikidb-mw_: Doing a straight bind
2011-05-17 20:20:44 wikidb-mw_: userdn is: uid=username,ou=authenticate,dc=domain,dc=com
2011-05-17 20:20:44 wikidb-mw_:
2011-05-17 20:20:44 wikidb-mw_: Binding as the user
2011-05-17 20:20:44 wikidb-mw_: Bound successfully
2011-05-17 20:20:44 wikidb-mw_: Entering getGroups
2011-05-17 20:20:44 wikidb-mw_: Retrieving LDAP group membership
2011-05-17 20:20:44 wikidb-mw_: Searching for the groups
2011-05-17 20:20:44 wikidb-mw_: Entering searchGroups
2011-05-17 20:20:44 wikidb-mw_: Entering getBaseDN
2011-05-17 20:20:44 wikidb-mw_: basedn is ou=authorize,dc=domain,dc=com
2011-05-17 20:20:44 wikidb-mw_: Search string: (&(uid=username)(chx=1234))
2011-05-17 20:20:44 wikidb-mw_: Returned groups: uid=username,ou=authenticate,dc=domain,dc=com
2011-05-17 20:20:44 wikidb-mw_: Entering checkGroups
2011-05-17 20:20:44 wikidb-mw_: Checking for (new style) group membership
2011-05-17 20:20:44 wikidb-mw_: Required groups: 1234
2011-05-17 20:20:44 wikidb-mw_: Checking against: uid=username,ou=authenticate,dc=domain,dc=com
2011-05-17 20:20:44 wikidb-mw_: Couldn't find the user in any groups.
2011-05-17 20:20:44 wikidb-mw_: Entering strict.
2011-05-17 20:20:44 wikidb-mw_: Returning true in strict.
2011-05-17 20:20:44 wikidb-mw_: Entering allowPasswordChange
2011-05-17 20:20:44 wikidb-mw_: Entering modifyUITemplate

MediaWiki reports: Login error Incorrect password entered. Please try again.
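The debug log above shows where the two models diverge: the hacked search does return an entry (the "Returned groups:" line carries the user's own DN), but checkGroups then compares the required group name "1234" against that DN and finds no match, so the login is rejected. The post's own check has "any entry returned means authorized" semantics, which is a different question from "is the user a member of a group named X". The following stand-alone PHP function implements the post's semantics directly (bind as the user, then search ou=authorize for an entry matching both the uid and chx=1234). It is an added example, not code from the original post or from the LdapAuthentication extension; the server URI, DNs and the chx attribute come from the post, while the function names are assumptions. It also adds two checks a defender would want that the one-liner in the post lacks: it refuses empty passwords (an empty simple bind is treated as anonymous by many directories and would "succeed" without proving identity), and it constrains the username before it is spliced into a DN and a filter.

```php
<?php
// Added example, not from the original post or the LdapAuthentication extension.
// Equivalent of:
//   ldapsearch -D "uid=<user>,ou=authenticate,dc=domain,dc=com" -w <password> \
//       -b "ou=authorize,dc=domain,dc=com" "(&(uid=<user>)(chx=1234))"
// Returns true only when the bind succeeds AND the search finds at least one entry.
// Written for PHP 5.2 (no ldap_escape(), no short array syntax).

// Escape a value for use inside an LDAP search filter (RFC 4515 metacharacters).
// PHP 5.6+ provides ldap_escape(); this hand-rolled version covers older releases.
function ldapFilterEscape($value) {
    $map = array(
        '\\' => '\5c',
        '*'  => '\2a',
        '('  => '\28',
        ')'  => '\29',
        "\0" => '\00',
    );
    return strtr($value, $map);
}

// Bind as the user, then check for an entry under ou=authorize that carries
// both the user's uid and the department attribute chx=<$chx>.
// $uri is e.g. "ldaps://ldap.domain.com"; $chx is the department code ("1234").
function userInDepartment($uri, $username, $password, $chx) {
    // The username is spliced into both a DN and a filter. The uids in this
    // directory are plain identifiers, so an allowlist is the simplest safe rule
    // (assumption: adjust the character class if your uids contain other symbols).
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return false;
    }
    // An empty password turns a simple bind into an anonymous/unauthenticated
    // bind on many servers, which "succeeds" without verifying anyone.
    if ($password === '') {
        return false;
    }

    $ds = ldap_connect($uri);
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // Same DN shape the post uses for authentication.
    $userDn = "uid=" . $username . ",ou=authenticate,dc=domain,dc=com";
    // A failed bind is an expected outcome (wrong password), so suppress the
    // PHP warning and just report false.
    if (!@ldap_bind($ds, $userDn, $password)) {
        ldap_close($ds);
        return false;
    }

    // Build the filter from escaped values rather than string-concatenating raw input.
    $filter = "(&(uid=" . ldapFilterEscape($username) . ")(chx=" . ldapFilterEscape($chx) . "))";
    // Attribute list "1.1" asks the server for no attributes at all: we only need
    // to know whether an entry exists, not what is in it.
    $sr = @ldap_search($ds, "ou=authorize,dc=domain,dc=com", $filter, array('1.1'));
    $authorized = ($sr !== false) && (ldap_count_entries($ds, $sr) > 0);

    ldap_close($ds);
    return $authorized;
}

// Usage (credentials come from the login form, never from the config file):
// $ok = userInDepartment("ldaps://ldap.domain.com", $_POST['wpName'], $_POST['wpPassword'], "1234");
```

The function deliberately returns false on every failure path (bad bind, search error, zero entries) rather than distinguishing them, so a caller cannot learn from the return value whether a username exists but is outside the department; log the detailed reason server-side, as the extension's debug log does, rather than surfacing it to the login page.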