Thread:Extension talk:LDAP Authentication/Authentication against AD downgrades group membership/reply (2)

Version:

LdapAuthentication-MW1.15-r45350.tar.gz

No, I'm not using group sync.

Configuration:

$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['user']['edit'] = false;
$wgGroupPermissions['sysop']['edit'] = true;
$wgGroupPermissions['bureaucrat']['edit'] = true;
$wgShowIPinHeader = false;
# Disable reading by anonymous users
$wgGroupPermissions['*']['read'] = false;
# But allow them to read e.g., these pages:
$wgWhitelistRead = array ( "Main Page", "Special:Userlogin", "Help:Contents");
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin;
$wgLDAPDomainNames = array("mydomain");
$wgLDAPServerNames = array("mydomain"=>"xxx.mydomain.loc");
$wgLDAPUseLocal = false;
$wgLDAPEncryptionType = array("mydomain"=>"tls");
$wgLDAPBaseDNs = array( "mydomain"=>"dc=mydomain,dc=loc" );
$wgLDAPUserBaseDNs = array("mydomain"=>"dc=mydomain,dc=loc");
$wgLDAPSearchAttributes = array( "mydomain"=>"sAMAccountName" );
$wgLDAPSearchStrings = array("mydomain"=>"mydomain\\USER-NAME");
$wgLDAPDebug = 3;
$wgDebugLogGroups["ldap"] = "/tmp/debug.log" ;

Debug output:

2010-05-10 11:07:10 wikidb: Entering validDomain
2010-05-10 11:07:10 wikidb: User is not using a valid domain.
2010-05-10 11:07:10 wikidb: Setting domain as: invaliddomain
2010-05-10 11:07:10 wikidb: Entering allowPasswordChange
2010-05-10 11:07:10 wikidb: Entering modifyUITemplate
2010-05-10 11:07:21 wikidb: Entering validDomain
2010-05-10 11:07:21 wikidb: User is using a valid domain.
2010-05-10 11:07:21 wikidb: Setting domain as: mydomain
2010-05-10 11:07:21 wikidb: Entering getCanonicalName
2010-05-10 11:07:21 wikidb: Username isn't empty.
2010-05-10 11:07:21 wikidb: Munged username: Wikiadmin
2010-05-10 11:07:21 wikidb: Entering authenticate
2010-05-10 11:07:21 wikidb:
2010-05-10 11:07:21 wikidb: Entering Connect
2010-05-10 11:07:21 wikidb: Using TLS or not using encryption.
2010-05-10 11:07:21 wikidb: Using servers:  ldap://xxx.mydomain.loc
2010-05-10 11:07:21 wikidb: Using TLS
2010-05-10 11:07:21 wikidb: Failed to start TLS.
2010-05-10 11:07:21 wikidb: Connected successfully
2010-05-10 11:07:21 wikidb: Entering getSearchString
2010-05-10 11:07:21 wikidb: Doing a straight bind
2010-05-10 11:07:21 wikidb: userdn is: mydomain\Wikiadmin
2010-05-10 11:07:21 wikidb:
2010-05-10 11:07:21 wikidb: Binding as the user
2010-05-10 11:07:21 wikidb: Bound successfully
2010-05-10 11:07:21 wikidb: Entering getUserDN
2010-05-10 11:07:21 wikidb: Created a regular filter: (sAMAccountName=Wikiadmin)
2010-05-10 11:07:21 wikidb: Entering getBaseDN
2010-05-10 11:07:21 wikidb: basedn is dc=mydomain,dc=loc
2010-05-10 11:07:21 wikidb: Using base: dc=mydomain,dc=loc
2010-05-10 11:07:21 wikidb: Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
2010-05-10 11:07:21 wikidb: Pulled the user's DN: CN=Wiki Admin,CN=Users,DC=mydomain,DC=loc
2010-05-10 11:07:21 wikidb: Entering getGroups
2010-05-10 11:07:21 wikidb: Entering checkGroups
2010-05-10 11:07:21 wikidb: Entering getPreferences
2010-05-10 11:07:21 wikidb: Entering synchUsername
2010-05-10 11:07:21 wikidb: Authentication passed
2010-05-10 11:07:21 wikidb: Entering updateUser
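
Added example, not part of the original post and not the extension's own code: the debug output above records "Failed to start TLS." followed by "Bound successfully" on an ldap:// connection, so the user bind was not protected by TLS. The Python check below scans a debug log in that format and reports each connection where a bind succeeded after StartTLS had failed; the function name and the second sample connection are assumptions made for the illustration.

```python
import re

# Line format taken from the debug output in the post:
#   "2010-05-10 11:07:21 wikidb: Failed to start TLS."
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+?: ?(.*)$")

# Constructed sample: the first connection is abridged from the post's log,
# the second is a made-up connection on which StartTLS did not fail.
SAMPLE = r"""
2010-05-10 11:07:21 wikidb: Entering Connect
2010-05-10 11:07:21 wikidb: Using servers:  ldap://xxx.mydomain.loc
2010-05-10 11:07:21 wikidb: Using TLS
2010-05-10 11:07:21 wikidb: Failed to start TLS.
2010-05-10 11:07:21 wikidb: Connected successfully
2010-05-10 11:07:21 wikidb: userdn is: mydomain\Wikiadmin
2010-05-10 11:07:21 wikidb: Bound successfully
2010-05-10 11:09:02 wikidb: Entering Connect
2010-05-10 11:09:02 wikidb: Using servers:  ldap://xxx.mydomain.loc
2010-05-10 11:09:02 wikidb: Using TLS
2010-05-10 11:09:02 wikidb: Connected successfully
2010-05-10 11:09:02 wikidb: userdn is: mydomain\Otheruser
2010-05-10 11:09:02 wikidb: Bound successfully
"""


def find_cleartext_binds(log_text):
    """Return (time, server, userdn) for every connection on which a bind
    succeeded after StartTLS had failed on that same connection."""
    findings = []
    state = None  # per-connection state, reset at each "Entering Connect"
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.group(1), m.group(2).strip()
        if msg == "Entering Connect":
            state = {"tls_failed": False, "server": None, "userdn": None}
        elif state is None:
            continue  # lines outside any connection attempt
        elif msg.startswith("Using servers:"):
            state["server"] = msg.split(":", 1)[1].strip()
        elif msg == "Failed to start TLS.":
            state["tls_failed"] = True
        elif msg.startswith("userdn is:"):
            state["userdn"] = msg.split(":", 1)[1].strip()
        elif msg == "Bound successfully" and state["tls_failed"]:
            findings.append((ts, state["server"], state["userdn"]))
            state = None  # report each connection once
    return findings
```
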