Thread:Extension talk:LDAP Authentication/Can't get group authentication to work

Hi there,

I'm having great trouble getting group authentication to work. I have searched this talk page and Google, but was unable to find a solution. Versions: MediaWiki 1.21.1; LDAP Authentication Plugin 2.0d

First of all, let me say that plain LDAP authentication works perfectly. The trouble starts when I want to restrict access based on AD groups. I followed Ryan D. Lane's instructions, and everything seems to work, but when I log in, I get a message that my password is not correct.

When logging in, I get the following in debug.log:

2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Entering validDomain
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d User is not using a valid domain.
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Setting domain as: OURDOMAIN
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Entering allowPasswordChange
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Entering modifyUITemplate
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:37 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering validDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d User is using a valid domain (OURDOMAIN).
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Setting domain as: OURDOMAIN
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getCanonicalName
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Username is: Ustjla
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Munged username: Ustjla
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering authenticate for username Ustjla
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering Connect
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Using SSL
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Using servers: ldaps://ldap.server.intern:636
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getSearchString
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Doing a straight bind
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d userdn is: OURDOMAIN\Ustjla
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Binding as the user
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Bound successfully
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getUserDN
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Created a regular filter: (sAMAccountName=Ustjla)
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getBaseDN
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d basedn is not set for this type of entry, trying to get the default basedn.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getBaseDN
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Using base: ou=Users,dc=ourdomain,dc=our
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Fetched UserDN: CN=USTJLA,OU=Netherlands,OU=Win7,OU=Users,DC=ourdomain,DC=our
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getGroups
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Retrieving LDAP group membership
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Searching for the groups
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering searchGroups
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getBaseDN
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d basedn is not set for this type of entry, trying to get the default basedn.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getBaseDN
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d User Filter: (&(distinguishedName=CN=USTJLA,OU=Netherlands,OU=Win7,OU=Users,DC=ourdomain,DC=our)(objectclass=user))
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Primary Group Filter: (&(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\15\25\af\47\23\f3\f6\63\43\17\0a\32\01\02\00\00)(objectclass=))
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Search string: (&(member=CN=USTJLA,OU=Netherlands,OU=Win7,OU=Users,DC=ourdomain,DC=our)(objectclass=))
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Returned groups:
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering checkGroups
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d USERNAME IS: Ustjla
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Checking for (new style) group membership
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Required groups: cn=d-ait-x-itisdba,ou=data,ou=groups,ou=users,dc=ourdomain,dc=our
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Checking against:
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Couldn't find the user in any groups.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering strict.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Returning true in strict.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering allowPasswordChange
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering modifyUITemplate
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Entering getDomain
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Pulling domain from session.

I notice that Returned groups is empty, as is Checking against... I'm guessing this is not correct. And I have no idea what is going wrong here. I'm hoping it is a simple misconfiguration on my part, but at the moment I have no clue where to look for the fault. I'm not an LDAP expert (far from it).

Can anyone help me out a bit, please?

Thank you, Hans
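
A small checker for the symptom visible in the log above, added here as an example and not part of the original post or of the extension's code: it scans the plugin's debug entries for LDAP filters that contain an attribute with an empty value and for group lists that came back empty. That the empty `(objectclass=)` corresponds to an unset `$wgLDAPGroupObjectclass` in LocalSettings.php is an assumption; the function and constant names are hypothetical.

```python
import re

# Entries copied from the debug.log excerpt in the post above.
SAMPLE_LOG = r"""
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d User Filter: (&(distinguishedName=CN=USTJLA,OU=Netherlands,OU=Win7,OU=Users,DC=ourdomain,DC=our)(objectclass=user))
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Primary Group Filter: (&(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\15\25\af\47\23\f3\f6\63\43\17\0a\32\01\02\00\00)(objectclass=))
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Search string: (&(member=CN=USTJLA,OU=Netherlands,OU=Win7,OU=Users,DC=ourdomain,DC=our)(objectclass=))
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Returned groups:
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Required groups: cn=d-ait-x-itisdba,ou=data,ou=groups,ou=users,dc=ourdomain,dc=our
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Checking against:
2014-02-27 09:34:44 wikpla01 my_wiki: 2.0d Couldn't find the user in any groups.
"""

# Entry layout seen in the excerpt: date time host wiki: version message
ENTRY = re.compile(r"^\S+ \S+ \S+ \S+: \S+ (?P<msg>.+)$")
# An attribute with nothing after "=", e.g. (objectclass=)
EMPTY_VALUE = re.compile(r"\(([A-Za-z][\w;.-]*)=\)")
FILTER_LABELS = {"User Filter", "Primary Group Filter", "Search string"}
LIST_LABELS = {"Returned groups", "Checking against"}


def audit(log_text):
    """Return (kind, label, attribute) findings for one login attempt."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        label, _, value = m.group("msg").partition(":")
        if label in FILTER_LABELS:
            # Flag every attribute whose assertion value is empty; assumed
            # to indicate a group setting that was never filled in.
            for attr in EMPTY_VALUE.findall(value):
                findings.append(("empty-filter-value", label, attr))
        elif label in LIST_LABELS and not value.strip():
            # The plugin logged the label but no group names after it.
            findings.append(("empty-list", label, ""))
    return findings


if __name__ == "__main__":
    for kind, label, attr in audit(SAMPLE_LOG):
        print(f"{kind:20} {label:22} {attr}")
```
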