Thread:Extension talk:LDAP Authentication/Group synchronization won't update groups a user is in

MediaWiki: 1.16.2
LDAP Authentication: 1.2d

I configured LDAP Authentication for an Active Directory. Group-based login restrictions work fine. As we need group synchronization, I configured that too; details can be found in the configuration below. The problem is that none of the required groups (which my test user is in) get added to MediaWiki. So they don't show up (or get updated) in Special:ListGroupRights. However, a previous test group which _was_ defined in $wgLDAPRequiredGroups before is used as my test user's group (shown in Special:Preferences).

So to actually be able to use $wgGroupPermission we need the actual group which granted access in MediaWiki.

Can anyone see a problem with my configuration?

LocalSettings.php

require_once ("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin;

$wgLDAPDebug = 99; # 3
$wgDebugLogGroups["ldap"] = "/tmp/debug-tech.log";

$wgLDAPDomainNames = array('foo');
$wgLDAPRetrievePrefs = array('foo' => true);
$wgLDAPPreferences = array('foo' => array("email" => "mail", "realname" => "displayname", "nickname" => "samaccountname", "language" => "msexchuserculture")); # AD attribute names lowercase!
$wgLDAPSearchAttributes = array('foo' => 'sAMAccountName');

$wgLDAPUseLDAPGroups = array('foo' => true);
$wgLDAPGroupsPrevail = array('foo' => true);
# Synchronizing LDAP groups with MediaWiki security groups

$wgLDAPRequiredGroups = array('foo'=> array("cn=techwiki-sysop,ou=roles,ou=p_techwiki,ou=applications,ou=somecompany,dc=blah,dc=foo,dc=example,dc=org"));
//$wgLDAPLocallyManagedGroups = array('foo' => array("techwiki-sysop","techwiki-user"));
# All users must be in this group

$wgLDAPServerNames = array('foo' => 'ad.foo.example.org');
$wgLDAPSearchStrings = array('foo' => 'FOO\\USER-NAME'); # Don't touch USER-NAME
$wgLDAPEncryptionType = array('foo' => 'clear'); # ssl, clear
$wgLDAPUseLocal = true;
$wgMinimalPasswordLength = 1;

$wgLDAPGroupUseFullDN = array('foo' => true);
$wgLDAPLowerCaseUsername = array('foo' => true);
$wgLDAPGroupObjectclass = array('foo' => 'group');
$wgLDAPGroupAttribute = array('foo' => 'member');
$wgLDAPGroupNameAttribute = array('foo' => 'cn');
$wgLDAPGroupMemberOfAttribute = array('foo' => "memberOf");
$wgLDAPGroupsUseMemberOf = array('foo' => true);
$wgLDAPGroupSearchNestedGroups = array('foo' => true);

$wgLDAPBaseDNs = array('foo' => 'dc=foo,dc=example,dc=org');
$wgLDAPGroupBaseDNs = array('foo' => 'dc=foo,dc=example,dc=org');
$wgLDAPUserBaseDNs = array('foo' => 'ou=somegroup,ou=user,ou=somecompany,dc=blah,dc=foo,dc=example,dc=org');

debug logfile

2011-04-04 11:49:44 wiki_tech: 1.2d Entering validDomain
2011-04-04 11:49:44 wiki_tech: 1.2d User is not using a valid domain.
2011-04-04 11:49:44 wiki_tech: 1.2d Setting domain as: invaliddomain
2011-04-04 11:49:44 wiki_tech: 1.2d Entering allowPasswordChange
2011-04-04 11:49:44 wiki_tech: 1.2d Entering modifyUITemplate
2011-04-04 11:49:44 wiki_tech: 1.2d Allowing the local domain, adding it to the list.
2011-04-04 11:49:48 wiki_tech: 1.2d Entering validDomain
2011-04-04 11:49:48 wiki_tech: 1.2d User is using a valid domain (FOO).
2011-04-04 11:49:48 wiki_tech: 1.2d Setting domain as: FOO
2011-04-04 11:49:48 wiki_tech: 1.2d Entering getCanonicalName
2011-04-04 11:49:48 wiki_tech: 1.2d Username isn't empty.
2011-04-04 11:49:48 wiki_tech: 1.2d Munged username: testuser
2011-04-04 11:49:48 wiki_tech: 1.2d Entering authenticate
2011-04-04 11:49:48 wiki_tech: 1.2d 
2011-04-04 11:49:48 wiki_tech: 1.2d Entering Connect
2011-04-04 11:49:48 wiki_tech: 1.2d Using TLS or not using encryption.
2011-04-04 11:49:48 wiki_tech: 1.2d Using servers:  ldap://ad.foo.example.org
2011-04-04 11:49:48 wiki_tech: 1.2d Connected successfully
2011-04-04 11:49:48 wiki_tech: 1.2d Lowercasing the username: testuser
2011-04-04 11:49:48 wiki_tech: 1.2d Entering getSearchString
2011-04-04 11:49:48 wiki_tech: 1.2d Doing a straight bind
2011-04-04 11:49:48 wiki_tech: 1.2d userdn is: FOO\testuser
2011-04-04 11:49:48 wiki_tech: 1.2d 
2011-04-04 11:49:48 wiki_tech: 1.2d Binding as the user
2011-04-04 11:49:48 wiki_tech: 1.2d Bound successfully
2011-04-04 11:49:48 wiki_tech: 1.2d Entering getUserDN
2011-04-04 11:49:48 wiki_tech: 1.2d Created a regular filter: (sAMAccountName=testuser)
2011-04-04 11:49:48 wiki_tech: 1.2d Entering getBaseDN
2011-04-04 11:49:48 wiki_tech: 1.2d basedn is ou=somegroup,ou=user,ou=somecompany,dc=blah,dc=foo,dc=example,dc=org
2011-04-04 11:49:48 wiki_tech: 1.2d Using base: ou=somegroup,ou=user,ou=somecompany,dc=blah,dc=foo,dc=example,dc=org
2011-04-04 11:49:48 wiki_tech: 1.2d Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
2011-04-04 11:49:48 wiki_tech: 1.2d Pulled the user's DN: CN=testuser,OU=somegroup,OU=User,OU=somecompany,DC=blah,DC=foo,DC=example,DC=org
2011-04-04 11:49:48 wiki_tech: 1.2d Entering getGroups
2011-04-04 11:49:48 wiki_tech: 1.2d Retrieving LDAP group membership
2011-04-04 11:49:48 wiki_tech: 1.2d Using memberOf
2011-04-04 11:49:48 wiki_tech: 1.2d Got the following groups: cn=p_famiwiki-sysop,ou=roles,ou=p_techwiki,ou=applications,ou=somecompany,dc=blah,dc=foo,dc=example,dc=org::cn=p_famiwiki-user,ou=roles,ou=p_techwiki,ou=applications,ou=somecompany,dc=blah,dc=foo,dc=example,dc=org::cn=p_techwiki-sysop,ou=roles,ou=p_techwiki,ou=applications,ou=somecompany,dc=blah,dc=foo,dc=example,dc=org::cn=p_techwiki-user,ou=roles,ou=p_techwiki,ou=applications,ou=somecompany,dc=blah,dc=foo,dc=example,dc=org::cn=_extern,ou=somecompany,ou=green,dc=blah,dc=foo,dc=example,dc=org:
2011-04-04 11:49:48 wiki_tech: 1.2d Entering searchGroups
2011-04-04 11:49:48 wiki_tech: 1.2d Entering getBaseDN
2011-04-04 11:49:48 wiki_tech: 1.2d basedn is dc=foo,dc=example,dc=org
2011-04-04 11:49:48 wiki_tech: 1.2d Search string: (&(member=*)(objectclass=group))
2011-04-04 11:49:48 wiki_tech: 1.2d Returned groups:
2011-04-04 11:49:48 wiki_tech: 1.2d Entering checkGroups
2011-04-04 11:49:48 wiki_tech: 1.2d Checking for (new style) group membership
2011-04-04 11:49:48 wiki_tech: 1.2d Required groups: cn=p_techwiki-sysop,ou=applications,ou=somecompany,dc=blah,dc=foo,dc=example,dc=org::cn=p_techwiki-user,ou=applications,ou=somecompany,dc=blah,dc=foo,dc=example,dc=org
2011-04-04 11:49:48 wiki_tech: 1.2d Checking against: cn=p_famiwiki-sysop,ou=applications,ou=somecompany,dc=blah,dc=foo,dc=example,dc=org
2011-04-04 11:49:48 wiki_tech: 1.2d Checking against: cn=p_famiwiki-user,ou=applications,ou=somecompany,dc=blah,dc=foo,dc=example,dc=org
2011-04-04 11:49:48 wiki_tech: 1.2d Checking against: cn=p_techwiki-sysop,ou=applications,ou=somecompany,dc=blah,dc=foo,dc=example,dc=org
2011-04-04 11:49:48 wiki_tech: 1.2d Found user in a group.
2011-04-04 11:49:48 wiki_tech: 1.2d Entering getPreferences
2011-04-04 11:49:48 wiki_tech: 1.2d Retrieving preferences
2011-04-04 11:49:48 wiki_tech: 1.2d Retrieved email (testuser@example.org) using attribute (mail)
2011-04-04 11:49:48 wiki_tech: 1.2d Retrieved realname (Test User) using attribute (displayname)
2011-04-04 11:49:48 wiki_tech: 1.2d Retrieved nickname (testuser) using attribute (samaccountname)
2011-04-04 11:49:48 wiki_tech: 1.2d Retrieved language (de-CH) using attribute (msexchuserculture)
2011-04-04 11:49:48 wiki_tech: 1.2d Entering synchUsername
2011-04-04 11:49:48 wiki_tech: 1.2d Authentication passed
2011-04-04 11:49:48 wiki_tech: 1.2d Entering updateUser
2011-04-04 11:49:48 wiki_tech: 1.2d Setting user preferences.
2011-04-04 11:49:48 wiki_tech: 1.2d Setting language.
2011-04-04 11:49:48 wiki_tech: 1.2d Setting nickname.
2011-04-04 11:49:48 wiki_tech: 1.2d Setting realname.
2011-04-04 11:49:48 wiki_tech: 1.2d Setting email.
2011-04-04 11:49:48 wiki_tech: 1.2d Setting user groups.
2011-04-04 11:49:48 wiki_tech: 1.2d Entering setGroups.
2011-04-04 11:49:48 wiki_tech: 1.2d Adding all groups to wgGroupPermissions:  Array::Array
2011-04-04 11:49:48 wiki_tech: 1.2d Locally managed groups is unset, using defaults:  bot::sysop::bureaucrat
2011-04-04 11:49:48 wiki_tech: 1.2d Available groups are:  bot::sysop::bureaucrat::_extern::oldgroup1::oldgroup2
2011-04-04 11:49:48 wiki_tech: 1.2d Effective groups are:  _extern::*::user::autoconfirmed
2011-04-04 11:49:48 wiki_tech: 1.2d Checking to see if user is in: bot
2011-04-04 11:49:48 wiki_tech: 1.2d Entering hasLDAPGroup
2011-04-04 11:49:48 wiki_tech: 1.2d Checking to see if user is in: sysop
2011-04-04 11:49:48 wiki_tech: 1.2d Entering hasLDAPGroup
2011-04-04 11:49:48 wiki_tech: 1.2d Checking to see if user is in: bureaucrat
2011-04-04 11:49:48 wiki_tech: 1.2d Entering hasLDAPGroup
2011-04-04 11:49:48 wiki_tech: 1.2d Checking to see if user is in: _extern
2011-04-04 11:49:48 wiki_tech: 1.2d Entering hasLDAPGroup
2011-04-04 11:49:48 wiki_tech: 1.2d Adding user to: _extern
2011-04-04 11:49:48 wiki_tech: 1.2d Checking to see if user is in: oldgroup1
2011-04-04 11:49:48 wiki_tech: 1.2d Entering hasLDAPGroup
2011-04-04 11:49:48 wiki_tech: 1.2d Checking to see if user is in: oldgroup2
2011-04-04 11:49:48 wiki_tech: 1.2d Entering hasLDAPGroup
2011-04-04 11:49:48 wiki_tech: 1.2d Saving user settings.

As you can see in the debug logfile, the group "_extern" seems to match. I don't know why, but that's the problem. I want a group from $wgLDAPRequiredGroups to be shown there, to be able to use it in $wgGroupPermission. The testuser is not in any of the two groups oldgroup1/oldgroup2. He was earlier, but somehow these groups are saved in MediaWiki.

Thanks in advance for any hint.
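The group decision the debug log records, reconstructed as an added Python example that is not code from the LDAP Authentication extension or from the poster. It assumes what the log suggests rather than what the extension's source says: a required group is matched by comparing its full DN, case-insensitively, against the user's memberOf DNs ("Checking against: ..." / "Found user in a group."), and the wiki groups a user is added to are chosen from the locally available wiki groups ("Available groups are: ...") whose name equals the CN of one of the user's LDAP groups ("Adding user to: _extern"). The sample DNs and group lists are constructed from the log lines above, using the shorter DN form the "Checking against" lines print for both sides; the function also lists the user's LDAP groups that have no local wiki group of the same name.

```python
"""Model of the LDAP Authentication group-sync decision visible in the debug log.

Added example; this is not the extension's code. Assumptions: required groups
are matched by full DN (case-insensitive), and wiki-group membership is decided
by comparing each locally available wiki group name with the CN of the user's
LDAP groups.
"""
from typing import Dict, List


def normalize_dn(dn: str) -> str:
    """Lower-case a DN and strip whitespace around the RDN separators."""
    return ",".join(part.strip() for part in dn.strip().lower().split(","))


def dn_cn(dn: str) -> str:
    """Return the value of the first cn= RDN of a DN, or '' if there is none."""
    for rdn in normalize_dn(dn).split(","):
        if rdn.startswith("cn="):
            return rdn[len("cn="):]
    return ""


def explain_group_sync(member_of: List[str], required: List[str],
                       available: List[str]) -> Dict[str, List[str]]:
    """Report which required groups grant access, which local wiki groups the
    user is added to, and which of the user's LDAP groups have no local
    wiki group of the same name."""
    user_dns = {normalize_dn(d) for d in member_of}
    # Access check: full-DN comparison; all matches are listed (the log shows
    # the extension stopping at the first one).
    granted = [r for r in required if normalize_dn(r) in user_dns]
    # Group sync: only locally available wiki groups are candidates (assumed).
    user_cns = {dn_cn(d) for d in member_of} - {""}
    available_by_lc = {g.lower(): g for g in available}
    added = [available_by_lc[c] for c in sorted(user_cns) if c in available_by_lc]
    unmapped = sorted(c for c in user_cns if c not in available_by_lc)
    return {"granted_by": granted, "added_to": added, "no_local_group": unmapped}


# Sample input constructed from the debug log above (shortened DN form).
BASE = "ou=applications,ou=somecompany,dc=blah,dc=foo,dc=example,dc=org"
MEMBER_OF = [
    f"cn=p_famiwiki-sysop,{BASE}",
    f"cn=p_famiwiki-user,{BASE}",
    f"cn=p_techwiki-sysop,{BASE}",
    f"cn=p_techwiki-user,{BASE}",
    "cn=_extern,ou=somecompany,ou=green,dc=blah,dc=foo,dc=example,dc=org",
]
REQUIRED = [f"cn=p_techwiki-sysop,{BASE}", f"cn=p_techwiki-user,{BASE}"]
AVAILABLE = ["bot", "sysop", "bureaucrat", "_extern", "oldgroup1", "oldgroup2"]

if __name__ == "__main__":
    for key, value in explain_group_sync(MEMBER_OF, REQUIRED, AVAILABLE).items():
        print(f"{key}: {value}")
```

Run on the log's values, the access check passes on both p_techwiki DNs while the only wiki group the user lands in is _extern; the four p_* groups show up under no_local_group because none of the six available wiki groups carries their name. That is the gap the log points at: whether defining those names as wiki groups is what makes them eligible for synchronization is an assumption of this model, not something the page confirms.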