Thread:Extension talk:LDAP Authentication/Cannot restrict editing access for Users group

I cannot restrict a user's ability to edit content on our Wiki. I am able to assign other permissions, such as deleting, but for whatever reason, I cannot restrict the ability of LDAP users to edit. My theory is that there is another permission setting that is overriding the user settings that are applied, but if that is the case, I cannot find it anywhere.

When a member of DWWIKI_USERS logs in, all permissions I have set work fine, except for the edit permission. The log file shows a user logging in and being placed into DWWIKI_USERS. During that same session, I was still able to log in and edit pages. All other permissions were assigned correctly.

Any help is greatly appreciated. My LocalSettings.php and log file are below.

LocalSettings.php
// The names of one or more domains you wish to use
// These names will be used for the other options, it is freely choosable and not dependent
// on your system. These names will show in the Login-Screen, so it is important that the user
// understands the meaning.
//
// REQUIRED
//
// Default: none
$wgLDAPDomainNames = array( 'DWP' );
// The fully qualified name of one or more servers per domain you wish to use. If you are
// going to use SSL or StartTLS, it is important that the server names provided here exactly
// match the name provided by the SSL certificate returned by the server; otherwise, you may
// have problems.
// REQUIRED
// Default: none
$wgLDAPServerNames = array( 'DWP' => 'dwp.redacted.com' );
// Allow the use of the local database as well as the LDAP database.
// Mostly for transitional purposes. Unless you *really* know what you are doing,
// don't use this option. It will likely cause you annoying problems, and
// it will cause me annoying support headaches.
// Warning: Using this option will allow MediaWiki to leak LDAP passwords into
// its local database. It's highly recommended that this setting not be used for
// anything other than transitional purposes.
// Default: false
$wgLDAPUseLocal = false;
// The type of encryption you would like to use when connecting to the LDAP server.
// Available options are 'tls', 'ssl', and 'clear'
// Default: tls
$wgLDAPEncryptionType = array( 'DWP' => 'clear', );
// Connect with a non-standard port
// Available in 1.2b+
// Default: 389 for clear/tls, 636 for ssl
$wgLDAPPort = array( 'DWP' => 389, );

// Custom LDAP configuration options; allows you to set options specified at
// http://www.php.net/manual/en/function.ldap-set-option.php
// Default: none
//$wgLDAPOptions = array(
// 'TLD' => array( LDAP_OPT_DEREF, 0 ),
//);

// The search string to be used for straight binds to the directory; USER-NAME will be
// replaced by the username of the user logging in.
// This option is not required (and shouldn't be provided) if you are using a proxyagent
// and proxyagent password.
// If you are using AD style binding (TDOMAIN\\USER-NAME or USER-NAME@TDOMAIN) and
// want to be able to use group syncing, preference pulling, etc., you'll need to set
// $wgLDAPBaseDNs and $wgLDAPSearchAttributes for the domain.
$wgLDAPSearchStrings = array( "DWP" => "USER-NAME@DWP" );

// Option for getting debug output from the plugin. 1-3 available. 1 will show
// non-sensitive info, 2 will show possibly sensitive user info, 3+ will show
// sensitive system info. Setting this on a live public site is probably a bad
// idea.
// Default: 0
$wgLDAPDebug = 1;
$wgDebugLogGroups['ldap'] = '/tmp/ldapdebug.log';
$wgShowExceptionDetails = true; //for debugging MediaWiki

//tell the plugin how to map users to group members
$wgLDAPGroupUseFullDN = array( 'DWP'=>true );
$wgLDAPBaseDNs = array( 'DWP' => 'DC=DWP,DC=redacted,DC=COM' );
$wgLDAPSearchAttributes = array( 'DWP' => 'sAMAccountName' );

$wgLDAPGroupsUseMemberOf = array( 'DWP' => true );

//set group synchronization on
$wgLDAPUseLDAPGroups = array( "DWP"=>true );

//Implicit group for all visitors
$wgGroupPermissions['*']['read'] = true;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['editprotected'] = false;
$wgGroupPermissions['*']['delete'] = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['createpage'] = false;

//DWWIKI_User group (DWWIKI_User)
$wgGroupPermissions['DWWIKI_User']['read'] = true;
$wgGroupPermissions['DWWIKI_User']['delete'] = false;
$wgGroupPermissions['DWWIKI_User']['edit'] = false;
$wgGroupPermissions['DWWIKI_User']['createpage'] = false;
$wgGroupPermissions['DWWIKI_User']['editinterface'] = false;
$wgGroupPermissions['DWWIKI_User']['move'] = false;
$wgGroupPermissions['DWWIKI_User']['move-subpages'] = false;
$wgGroupPermissions['DWWIKI_User']['move-rootuserpages'] = false; // can move root userpages
$wgGroupPermissions['DWWIKI_User']['movefile'] = false;
$wgGroupPermissions['DWWIKI_User']['createtalk'] = false;
$wgGroupPermissions['DWWIKI_User']['writeapi'] = false;
$wgGroupPermissions['DWWIKI_User']['upload'] = false;
$wgGroupPermissions['DWWIKI_User']['reupload'] = false;
$wgGroupPermissions['DWWIKI_User']['reupload-own'] = false;
$wgGroupPermissions['DWWIKI_User']['reupload-shared'] = false;
$wgGroupPermissions['DWWIKI_User']['minoredit'] = false;
$wgGroupPermissions['DWWIKI_User']['purge'] = false; // can use ?action=purge without clicking "ok"
$wgGroupPermissions['DWWIKI_User']['sendemail'] = false;
$wgGroupPermissions['DWWIKI_User']['block'] = false;
$wgGroupPermissions['DWWIKI_User']['createaccount'] = false;
$wgGroupPermissions['DWWIKI_User']['bigdelete'] = false; // can be separately configured for pages with > $wgDeleteRevisionsLimit revs
$wgGroupPermissions['DWWIKI_User']['deletedhistory'] = false; // can view deleted history entries, but not see or restore the text
$wgGroupPermissions['DWWIKI_User']['deletedtext'] = false; // can view deleted revision text
$wgGroupPermissions['DWWIKI_User']['undelete'] = false;
$wgGroupPermissions['DWWIKI_User']['editusercss'] = false;
$wgGroupPermissions['DWWIKI_User']['edituserjs'] = false;
$wgGroupPermissions['DWWIKI_User']['import'] = false;
$wgGroupPermissions['DWWIKI_User']['importupload'] = false;
$wgGroupPermissions['DWWIKI_User']['patrol'] = false;
$wgGroupPermissions['DWWIKI_User']['autopatrol'] = false;
$wgGroupPermissions['DWWIKI_User']['protect'] = false;
$wgGroupPermissions['DWWIKI_User']['proxyunbannable'] = false;
$wgGroupPermissions['DWWIKI_User']['rollback'] = false;
$wgGroupPermissions['DWWIKI_User']['unwatchedpages'] = false;
$wgGroupPermissions['DWWIKI_User']['autoconfirmed'] = false;
$wgGroupPermissions['DWWIKI_User']['ipblock-exempt'] = false;
$wgGroupPermissions['DWWIKI_User']['blockemail'] = false;
$wgGroupPermissions['DWWIKI_User']['markbotedits'] = false;
$wgGroupPermissions['DWWIKI_User']['apihighlimits'] = false;
$wgGroupPermissions['DWWIKI_User']['browsearchive'] = false;
$wgGroupPermissions['DWWIKI_User']['noratelimit'] = false;
$wgGroupPermissions['DWWIKI_User']['unblockself'] = false;
$wgGroupPermissions['DWWIKI_User']['suppressredirect'] = false;
$wgGroupPermissions['DWWIKI_User']['upload_by_url'] = false;
$wgGroupPermissions['DWWIKI_User']['mergehistory'] = false;
$wgGroupPermissions['DWWIKI_User']['userrights'] = false;
$wgGroupPermissions['DWWIKI_User']['editprotected'] = false;

//administrators/sysop group (DWWIKI_Admin)
$wgGroupPermissions['DWWIKI_Admin']['read'] = true;
$wgGroupPermissions['DWWIKI_Admin']['edit'] = true;
$wgGroupPermissions['DWWIKI_Admin']['block'] = true;
$wgGroupPermissions['DWWIKI_Admin']['createaccount'] = true;
$wgGroupPermissions['DWWIKI_Admin']['delete'] = true;
$wgGroupPermissions['DWWIKI_Admin']['bigdelete'] = true; // can be separately configured for pages with > $wgDeleteRevisionsLimit revs
$wgGroupPermissions['DWWIKI_Admin']['deletedhistory'] = true; // can view deleted history entries, but not see or restore the text
$wgGroupPermissions['DWWIKI_Admin']['deletedtext'] = true; // can view deleted revision text
$wgGroupPermissions['DWWIKI_Admin']['undelete'] = true;
$wgGroupPermissions['DWWIKI_Admin']['editinterface'] = true;
$wgGroupPermissions['DWWIKI_Admin']['editusercss'] = true;
$wgGroupPermissions['DWWIKI_Admin']['edituserjs'] = true;
$wgGroupPermissions['DWWIKI_Admin']['import'] = true;
$wgGroupPermissions['DWWIKI_Admin']['importupload'] = true;
$wgGroupPermissions['DWWIKI_Admin']['move'] = true;
$wgGroupPermissions['DWWIKI_Admin']['move-subpages'] = true;
$wgGroupPermissions['DWWIKI_Admin']['move-rootuserpages'] = true;
$wgGroupPermissions['DWWIKI_Admin']['patrol'] = true;
$wgGroupPermissions['DWWIKI_Admin']['autopatrol'] = true;
$wgGroupPermissions['DWWIKI_Admin']['protect'] = true;
$wgGroupPermissions['DWWIKI_Admin']['proxyunbannable'] = true;
$wgGroupPermissions['DWWIKI_Admin']['rollback'] = true;
$wgGroupPermissions['DWWIKI_Admin']['upload'] = true;
$wgGroupPermissions['DWWIKI_Admin']['reupload'] = true;
$wgGroupPermissions['DWWIKI_Admin']['reupload-shared'] = true;
$wgGroupPermissions['DWWIKI_Admin']['unwatchedpages'] = true;
$wgGroupPermissions['DWWIKI_Admin']['autoconfirmed'] = true;
$wgGroupPermissions['DWWIKI_Admin']['ipblock-exempt'] = true;
$wgGroupPermissions['DWWIKI_Admin']['blockemail'] = true;
$wgGroupPermissions['DWWIKI_Admin']['markbotedits'] = true;
$wgGroupPermissions['DWWIKI_Admin']['apihighlimits'] = true;
$wgGroupPermissions['DWWIKI_Admin']['browsearchive'] = true;
$wgGroupPermissions['DWWIKI_Admin']['noratelimit'] = true;
$wgGroupPermissions['DWWIKI_Admin']['movefile'] = true;
$wgGroupPermissions['DWWIKI_Admin']['unblockself'] = true;
$wgGroupPermissions['DWWIKI_Admin']['suppressredirect'] = true;
$wgGroupPermissions['DWWIKI_Admin']['upload_by_url'] = true;
$wgGroupPermissions['DWWIKI_Admin']['mergehistory'] = true;
$wgGroupPermissions['DWWIKI_Admin']['userrights'] = true;

// Permission to change users' group assignments
//$wgGroupPermissions['bureaucrat']['read'] = true;
//$wgGroupPermissions['bureaucrat']['userrights'] = true;
//$wgGroupPermissions['bureaucrat']['noratelimit'] = true;
// Permission to change users' groups assignments across wikis
// Permission to export pages including linked pages regardless of $wgExportMaxLinkDepth
#$wgGroupPermissions['bureaucrat']['userrights-interwiki'] = true;
#$wgGroupPermissions['bureaucrat']['override-export-depth'] = true;

// To hide usernames from users and Sysops
// To hide revisions/log items from users and Sysops
// For private suppression log access
#$wgGroupPermissions['sysop']['deletelogentry'] = true;
#$wgGroupPermissions['sysop']['deleterevision'] = true;
#$wgGroupPermissions['suppress']['hideuser'] = true;
#$wgGroupPermissions['suppress']['suppressrevision'] = true;
#$wgGroupPermissions['suppress']['suppressionlog'] = true;

Log File
2013-10-28 16:50:40 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:40 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:40 mediawiki mediawiki: 2.0d Setting domain as: DWP
2013-10-28 16:50:40 mediawiki mediawiki: 2.0d Entering allowPasswordChange
2013-10-28 16:50:40 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:40 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:40 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:40 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:40 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:40 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:40 mediawiki mediawiki: 2.0d Entering modifyUITemplate
2013-10-28 16:50:40 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:40 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:40 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:40 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:40 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:40 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:40 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:40 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:40 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:40 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:43 mediawiki mediawiki: 2.0d Entering validDomain
2013-10-28 16:50:43 mediawiki mediawiki: 2.0d User is using a valid domain (DWP).
2013-10-28 16:50:43 mediawiki mediawiki: 2.0d Setting domain as: DWP
2013-10-28 16:50:43 mediawiki mediawiki: 2.0d Entering getCanonicalName
2013-10-28 16:50:43 mediawiki mediawiki: 2.0d Username is: NameRedacted
2013-10-28 16:50:43 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:43 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:43 mediawiki mediawiki: 2.0d Munged username: NameRedacted
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering authenticate for username NameRedacted
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering Connect
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getSearchString
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Doing a straight bind
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Binding as the user
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Bound successfully
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getUserDN
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getBaseDN
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d basedn is not set for this type of entry, trying to get the default basedn.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getBaseDN
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Fetched UserDN: CN=NameRedacted,CN=Users,DC=DWP,DC=redacted,DC=com
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getGroups
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Retrieving LDAP group membership
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Using memberOf
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering checkGroups
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getPreferences
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Authentication passed
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering updateUser
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Setting user groups.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering setGroups.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering getDomain
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Pulling domain from session.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Available groups are: bot::sysop::bureaucrat::DWWIKI_User::DWWIKI_Admin
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Effective groups are: DWWIKI_User::*::user::autoconfirmed
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Checking to see if user is in: bot
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering hasLDAPGroup
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Checking to see if user is in: sysop
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering hasLDAPGroup
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Checking to see if user is in: bureaucrat
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering hasLDAPGroup
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Checking to see if we need to remove user from: DWWIKI_User
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering hasLDAPGroup
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Checking to see if user is in: DWWIKI_Admin
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Entering hasLDAPGroup
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d User has a token, setting domain in user options.
2013-10-28 16:50:44 mediawiki mediawiki: 2.0d Saving user settings.
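
An added example, not part of the original post and not MediaWiki or extension code: a simplified model of how MediaWiki core combines group rights, run against the groups from the "Effective groups are:" log line above. `effectiveRights()` is a hypothetical helper, the rights shown are a subset, and the `DWWIKI_Admin` group list is constructed for comparison.

```php
<?php
// Added example: simplified model of how MediaWiki combines group rights.
// effectiveRights() is a hypothetical helper, not MediaWiki or extension code.
function effectiveRights(array $grants, array $revokes, array $groups): array
{
    $rights = [];
    // A right is held if ANY of the user's groups sets it to true;
    // false in one group does not cancel true in another.
    foreach ($groups as $group) {
        foreach ($grants[$group] ?? [] as $right => $granted) {
            if ($granted) {
                $rights[$right] = true;
            }
        }
    }
    // Only an entry in $wgRevokePermissions takes a granted right away.
    foreach ($groups as $group) {
        foreach ($revokes[$group] ?? [] as $right => $revoked) {
            if ($revoked) {
                unset($rights[$right]);
            }
        }
    }
    $names = array_keys($rights);
    sort($names);
    return $names;
}

// Groups copied from the "Effective groups are:" line of the posted log.
$userGroups = explode('::', 'DWWIKI_User::*::user::autoconfirmed');
// Constructed for comparison: an admin would also be in the implicit groups.
$adminGroups = explode('::', 'DWWIKI_Admin::*::user::autoconfirmed');

// Subset of rights. The 'user' row reflects MediaWiki's core defaults,
// which the posted LocalSettings.php never overrides.
$posted = [
    'user'         => ['read' => true, 'edit' => true, 'createpage' => true, 'move' => true],
    '*'            => ['read' => true, 'edit' => false, 'createpage' => false],
    'DWWIKI_User'  => ['read' => true, 'edit' => false, 'createpage' => false, 'move' => false],
    'DWWIKI_Admin' => ['read' => true, 'edit' => true, 'move' => true],
];

// Option A: stop granting write rights to every logged-in account.
$optionA = $posted;
foreach (['edit', 'createpage', 'move'] as $right) {
    $optionA['user'][$right] = false;
}

// Option B: keep the defaults and revoke per group via $wgRevokePermissions.
$revokeB = ['DWWIKI_User' => ['edit' => true, 'createpage' => true, 'move' => true]];

$show = function (string $label, array $rights): void {
    echo str_pad($label, 28), implode(', ', $rights), "\n";
};
$show('posted, DWWIKI_User:', effectiveRights($posted, [], $userGroups));
$show('option A, DWWIKI_User:', effectiveRights($optionA, [], $userGroups));
$show('option A, DWWIKI_Admin:', effectiveRights($optionA, [], $adminGroups));
$show('option B, DWWIKI_User:', effectiveRights($posted, $revokeB, $userGroups));
$show('option B, DWWIKI_Admin:', effectiveRights($posted, $revokeB, $adminGroups));
```

In LocalSettings.php the two options correspond to `$wgGroupPermissions['user']['edit'] = false;` or `$wgRevokePermissions['DWWIKI_User']['edit'] = true;`. Under option A, any right the admin group was inheriting from `user` (for example `createpage`, which the posted `DWWIKI_Admin` block does not list) has to be granted to `DWWIKI_Admin` explicitly.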