Thread:Extension talk:LDAP Authentication/AD auth works, but no group based restrictions for wiki farm

I'm trying to use LdapAuthentication in a wiki farm which is configured to have one login for all wikis. Single login and group restrictions work for local (MediaWiki) authentication. Now I would like to switch to Active Directory users. An AD user can log in and edit the common wiki, which does not have a restriction. But I cannot gain access to the wiki which has a group access restriction. I have a local (MediaWiki) group "admins" and created the AD group "wiki-admins". To test the access I use the AD user "admpm", which is a member of the "wiki-admins" group in AD.

Here is the log after admpm has logged in to the main wiki:

testwiki-main__: 2.0d User is using a valid domain (workgroup).
testwiki-main__: 2.0d Setting domain as: workgroup
testwiki-main__: 2.0d Entering getCanonicalName
testwiki-main__: 2.0d Username is: Admpm
testwiki-main__: 2.0d Entering getDomain
testwiki-main__: 2.0d Pulling domain from session.
testwiki-main__: 2.0d Munged username: Admpm
testwiki-main__: 2.0d Entering authenticate for username Admpm
...
testwiki-main__: 2.0d PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
...
testwiki-main__: 2.0d basedn is cn=Domain Users,ou=Users,dc=workgroup,dc=coke,dc=kmr,dc=kuzbass,dc=net
testwiki-main__: 2.0d Couldn't find an entry
testwiki-main__: 2.0d Fetched UserDN:
testwiki-main__: 2.0d Entering getDomain
testwiki-main__: 2.0d Pulling domain from session.
testwiki-main__: 2.0d Entering getGroups
...
testwiki-main__: 2.0d basedn is ou=Access-Groups,dc=workgroup,dc=coke,dc=kmr,dc=kuzbass,dc=net
testwiki-main__: 2.0d Entering getDomain
testwiki-main__: 2.0d Pulling domain from session.
...
testwiki-main__: 2.0d basedn is ou=Access-Groups,dc=workgroup,dc=coke,dc=kmr,dc=kuzbass,dc=net
testwiki-main__: 2.0d Entering getDomain
testwiki-main__: 2.0d Pulling domain from session.
...
testwiki-main__: 2.0d basedn is ou=Access-Groups,dc=workgroup,dc=coke,dc=kmr,dc=kuzbass,dc=net
testwiki-main__: 2.0d Entering getDomain
testwiki-main__: 2.0d Pulling domain from session.
...
testwiki-main__: 2.0d Available groups are: bot::sysop::bureaucrat::wiki-grpo::grpo::gtoo::asutp::admins
testwiki-main__: 2.0d Effective groups are: *::user::autoconfirmed
testwiki-main__: 2.0d Checking to see if user is in: bot
testwiki-main__: 2.0d Entering hasLDAPGroup
testwiki-main__: 2.0d Checking to see if user is in: sysop
testwiki-main__: 2.0d Entering hasLDAPGroup
testwiki-main__: 2.0d Checking to see if user is in: bureaucrat
testwiki-main__: 2.0d Entering hasLDAPGroup
testwiki-main__: 2.0d Checking to see if user is in: admins
testwiki-main__: 2.0d Entering hasLDAPGroup
testwiki-main__: 2.0d User has a token, setting domain in user options.
testwiki-main__: 2.0d Saving user settings.
testwiki-main__: 2.0d Entering getCanonicalName
testwiki-main__: 2.0d Username is: Admpm
testwiki-main__: 2.0d Entering getDomain
testwiki-main__: 2.0d Pulling domain from session.
testwiki-main__: 2.0d Munged username: Admpm
testwiki-main__: 2.0d Entering getCanonicalName
testwiki-main__: 2.0d Username is: Admpm

In the above I can see that it checked the AD user only against MediaWiki groups. That's fine for now, since I'm not trying to access the admins wiki. Now, when I do, I have the following lines in the log:

testwiki-admins__: 2.0d Entering getCanonicalName
testwiki-admins__: 2.0d Username is: Admpm
testwiki-admins__: 2.0d Entering getDomain
testwiki-admins__: 2.0d Pulling domain from session.
testwiki-admins__: 2.0d Munged username: Admpm

repeated 4 times. So there is no AD request.

Please guide me on how I should configure LDAP Authentication to make it work in my wiki farm.


 * MediaWiki: 1.19.3
 * LDAP Authentication Plugin: 2.0d
 * All AD users are the members of "Domain Users" group, which is in "Users" organizational unit
 * All AD access groups are in "Access-Groups" organizational unit
 * Configuration:

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin;

$wgLDAPDomainNames       = array('workgroup');
$wgLDAPServerNames       = array('workgroup' => 'dc02.workgroup.coke.kmr.kuzbass.net dc01.workgroup.coke.kmr.kuzbass.net');
$wgLDAPSearchStrings     = array('workgroup' => 'WORKGROUP\\USER-NAME');
$wgLDAPEncryptionType    = array('workgroup' => 'clear');
$wgLDAPUseLocal          = false;
$wgMinimalPasswordLength = 1;

$wgLDAPBaseDNs      = array('workgroup' => 'dc=workgroup,dc=coke,dc=kmr,dc=kuzbass,dc=net');
$wgLDAPUserBaseDNs  = array('workgroup' => 'cn=Domain Users,ou=Users,dc=workgroup,dc=coke,dc=kmr,dc=kuzbass,dc=net');
$wgLDAPGroupBaseDNs = array('workgroup' => 'ou=Access-Groups,dc=workgroup,dc=coke,dc=kmr,dc=kuzbass,dc=net');

$wgLDAPGroupUseFullDN          = array('workgroup' => true);
$wgLDAPGroupObjectclass        = array('workgroup' => 'group');
$wgLDAPGroupAttribute          = array('workgroup' => 'member');
$wgLDAPGroupSearchNestedGroups = array('workgroup' => true);
$wgLDAPGroupNameAttribute      = array('workgroup' => 'cn');
$wgLDAPUseLDAPGroups           = array('workgroup' => true);
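Added example, not part of the original post and not the extension's own code: a LocalSettings.php fragment that shows the settings which decide whether LdapAuthentication can fetch a user's DN (the step that logs "Couldn't find an entry" and an empty "Fetched UserDN:" above) and then enforce an AD group on a single wiki of the farm. The option names are real LdapAuthentication settings; every value is a placeholder or a labelled assumption: that user objects live in the domain's default cn=Users container rather than under the "Domain Users" group object (a subtree search below a group object returns no user entries), that a read-only bind account exists for searches, and that the farm exposes the current wiki's id in a variable called $wikiId.

```php
<?php
// Added example for the thread above; not the poster's configuration and not
// the extension's own code. Option names are real LdapAuthentication settings;
// DNs, account names and $wikiId are assumptions about this environment.

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin;

$wgLDAPDomainNames   = array( 'workgroup' );
$wgLDAPServerNames   = array( 'workgroup' => 'dc02.workgroup.coke.kmr.kuzbass.net dc01.workgroup.coke.kmr.kuzbass.net' );
$wgLDAPSearchStrings = array( 'workgroup' => 'WORKGROUP\\USER-NAME' );

// 'clear' (as in the posted config) sends every bind password in plaintext on
// port 389. 'tls' upgrades that connection with STARTTLS; it requires the DCs
// to present a certificate the web server trusts (ASSUMPTION: they do).
$wgLDAPEncryptionType = array( 'workgroup' => 'tls' );
$wgLDAPUseLocal       = false;

// Base DN for the domain and, below it, where user objects and access groups
// are searched for. The posted config points $wgLDAPUserBaseDNs at the
// "Domain Users" group object; no user entry is a child of a group, so the DN
// lookup finds nothing and every later group check runs with an empty DN.
// ASSUMPTION: accounts sit in the domain's default Users container.
$wgLDAPBaseDNs      = array( 'workgroup' => 'dc=workgroup,dc=coke,dc=kmr,dc=kuzbass,dc=net' );
$wgLDAPUserBaseDNs  = array( 'workgroup' => 'cn=Users,dc=workgroup,dc=coke,dc=kmr,dc=kuzbass,dc=net' );
$wgLDAPGroupBaseDNs = array( 'workgroup' => 'ou=Access-Groups,dc=workgroup,dc=coke,dc=kmr,dc=kuzbass,dc=net' );

// Attribute the login name is matched against when the user DN is fetched.
$wgLDAPSearchAttributes = array( 'workgroup' => 'sAMAccountName' );

// AD normally refuses anonymous searches, so the DN fetch and the group
// lookups bind with a low-privilege, read-only service account.
// ASSUMPTION: such an account exists; keep the password out of version control.
$wgLDAPProxyAgent         = array( 'workgroup' => 'cn=wiki-ldap-reader,cn=Users,dc=workgroup,dc=coke,dc=kmr,dc=kuzbass,dc=net' );
$wgLDAPProxyAgentPassword = array( 'workgroup' => 'REPLACE-WITH-READER-PASSWORD' );

// AD group objects carry full member DNs in "member", so membership is matched
// on the DN fetched above; nested groups are resolved as in the posted config.
$wgLDAPGroupUseFullDN          = array( 'workgroup' => true );
$wgLDAPGroupObjectclass        = array( 'workgroup' => 'group' );
$wgLDAPGroupAttribute          = array( 'workgroup' => 'member' );
$wgLDAPGroupNameAttribute      = array( 'workgroup' => 'cn' );
$wgLDAPGroupSearchNestedGroups = array( 'workgroup' => true );
$wgLDAPUseLDAPGroups           = array( 'workgroup' => true );

// Per-wiki restriction: only members of the AD group wiki-admins may
// authenticate to the admins wiki. With $wgLDAPGroupUseFullDN the required
// group is given as its full DN. ASSUMPTION: the farm sets $wikiId to the
// same id that prefixes the log lines ("testwiki-admins").
if ( $wikiId === 'testwiki-admins' ) {
    $wgLDAPRequiredGroups = array( 'workgroup' => array(
        'cn=wiki-admins,ou=Access-Groups,dc=workgroup,dc=coke,dc=kmr,dc=kuzbass,dc=net',
    ) );
}
```

Two things to check after applying such a configuration: the debug log should now show a non-empty "Fetched UserDN:" line for Admpm, and the group lookups under ou=Access-Groups should be followed by a match for wiki-admins. The required-group check is part of the extension's authenticate() path, so it is exercised when the user authenticates against that wiki rather than on every page view of an already established session.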