Thread:Extension talk:LDAP Authentication/Unable to pull LDAP group members to set rights in MediaWiki

Ryan, great job, this works wonderfully and I am sure I am missing something here. I can authenticate, use a required LDAP group for authentication and pull preferences, but I cannot pull group memberships from AD (server 2008 and TurnKey MediaWiki) to set User Group Rights. The list of members for AD groups is always empty in Special Pages, User Group Rights (either wiki_auth_users or support in this example). Here is the config and a log:

// These settings are for LDAP authentication to the Wiki
require_once 'extensions/LdapAuthentication/LdapAuthentication.php';
$wgLDAPDebug = 3;
$wgDebugLogGroups['ldap'] = '/tmp/debug.log';
$wgAuth = new LdapAuthenticationPlugin;
$wgLDAPDomainNames = array('WikiDomain');
$wgLDAPServerNames = array('WikiDomain' => 'AD1.WikiDomain.com AD2.WikiDomain.com AD3.WikiDomain.com');
$wgLDAPUseLocal = false;
$wgLDAPSearchAttributes = array('WikiDomain' => 'sAMAccountName');
$wgLDAPBaseDNs = array('WikiDomain' => 'dc=WikiDomain,dc=com');
$wgLDAPEncryptionType = array('WikiDomain' => 'clear');
$wgMinimalPasswordLength = 0;
$wgLDAPRequireAuthAttribute = array( 'WikiDomain' => true);
$wgHooks['SetUsernameAttributeFromLDAP'][] = 'SetUsernameAttribute';
function SetUsernameAttribute(&$LDAPUsername, $info) {
    $LDAPUsername = $info[0]['samaccountname'][0];
    return true;
}
$wgLDAPPreferences = array('WikiDomain' => array ( 'email'=>'mail','realname'=>'cn','nickname'=>'sAMAccountName','language'=>'preferredLanguage'));
$wgLDAPGroupObjectclass = array( 'WikiDomain' => 'group' );
$wgLDAPGroupAttribute = array( 'WikiDomain' => 'member' );
$wgLDAPGroupNameAttribute = array( 'WikiDomain' => 'cn' );
$wgLDAPGroupUseFullDN = array('WikiDomain' => 'true');
$wgLDAPLowerCaseUsername = array('WikiDomain' => 'true');
$wgLDAPGroupsUseMemberOf = array('WikiDomain' => 'true');
$wgLDAPUseLDAPGroups = array('WikiDomain' => 'true');
$wgLDAPGroupSearchNestedGroups = array( 'WikiDomain' => 'true' );
$wgLDAPRequiredGroups = array( 'WikiDomain' => array('cn=wiki_auth_users,ou=security groups,ou=groups,ou=users_WikiDomain,dc=WikiDomain,dc=com'));
$wgGroupPermissions['wiki_auth_users']['edit'] = true;
$wgGroupPermissions['support'] = $wgGroupPermissions['sysop'];
$wgLDAPProxyAgent = array('WikiDomain' => 'cn=Ldap User,ou=Generic Logons,ou=Users_WikiDomain,dc=WikiDomain,dc=com');
$wgLDAPProxyAgentPassword = array('WikiDomain' => 'Ld8p2sR8ss');
// This is a user account to enable search in AD

Logs:

wiki_db: Entering validDomain
wiki_db: User is not using a valid domain.
wiki_db: Setting domain as: invaliddomain
wiki_db: Entering allowPasswordChange
wiki_db: Entering modifyUITemplate
wiki_db: Entering validDomain
wiki_db: User is using a valid domain.
wiki_db: Setting domain as: WikiDomain
wiki_db: Entering getCanonicalName
wiki_db: Username isn't empty.
wiki_db: Munged username: WikiUser
wiki_db: Entering userExists
wiki_db:
wiki_db: Entering authenticate
wiki_db:
wiki_db: Entering Connect
wiki_db: Using TLS or not using encryption.
wiki_db: Using servers: ldap://AD1.WikiDomain.com ldap://AD2.WikiDomain.com ldap://AD3.WikiDomain.com
wiki_db: Connected successfully
wiki_db: Lowercasing the username: WikiUser
wiki_db: Entering getSearchString
wiki_db: Doing a proxy bind
wiki_db: Entering getUserDN
wiki_db: Created a regular filter: (sAMAccountName=WikiUser)
wiki_db: Entering getBaseDN
wiki_db: basedn is not set for this type of entry, trying to get the default basedn.
wiki_db: Entering getBaseDN
wiki_db: basedn is dc=WikiDomain,dc=com
wiki_db: Using base: dc=WikiDomain,dc=com
wiki_db: userdn is: CN=Wiki User,OU=Employees,OU=Users_WikiDomain,DC=WikiDomain,DC=com
wiki_db:
wiki_db: Binding as the user
wiki_db: Bound successfully
wiki_db: Entering getGroups
wiki_db: Retrieving LDAP group membership
wiki_db: Using memberOf
wiki_db: Entering checkGroups
wiki_db: Checking for (new style) group membership
wiki_db: Required groups: cn=wiki_auth_users,ou=security groups,ou=groups,ou=users_WikiDomain,dc=WikiDomain,dc=com
wiki_db: Checking against: cn=wiki_auth_users,ou=security groups,ou=groups,ou=users_WikiDomain,dc=WikiDomain,dc=com
wiki_db: Found user in a group.
wiki_db: Entering getPreferences
wiki_db: Retrieving preferences
wiki_db: Retrieved email (WikiUser@WikiDomain.com) using attribute (mail)
wiki_db: Retrieved realname (Wiki User) using attribute (cn)
wiki_db: Entering synchUsername
wiki_db: Authentication passed
wiki_db: Entering allowPasswordChange
wiki_db: Entering initUser
wiki_db: Entering updateUser
wiki_db: Setting user preferences.
wiki_db: Setting realname.
wiki_db: Setting email.
wiki_db: Setting user groups.
wiki_db: Entering setGroups.
wiki_db: Locally managed groups is unset, using defaults: bot::sysop::bureaucrat
wiki_db: Available groups are: bot::sysop::bureaucrat::Forum:Admin::Forum:Mod::Forum:CantView::Forum:CantPost::Forum:CantEdit::Forum:CantDelete::Forum:CantSearch::Forum:NoSigs::wiki_auth_users::support
wiki_db: Effective groups are: *::user::autoconfirmed
wiki_db: Checking to see if user is in: bot
wiki_db: Entering hasLDAPGroup
wiki_db: Checking to see if user is in: sysop
wiki_db: Entering hasLDAPGroup
wiki_db: Checking to see if user is in: bureaucrat
wiki_db: Entering hasLDAPGroup
wiki_db: Checking to see if user is in: Forum:Admin
wiki_db: Entering hasLDAPGroup
wiki_db: Checking to see if user is in: Forum:Mod
wiki_db: Entering hasLDAPGroup
wiki_db: Checking to see if user is in: Forum:CantView
wiki_db: Entering hasLDAPGroup
wiki_db: Checking to see if user is in: Forum:CantPost
wiki_db: Entering hasLDAPGroup
wiki_db: Checking to see if user is in: Forum:CantEdit
wiki_db: Entering hasLDAPGroup
wiki_db: Checking to see if user is in: Forum:CantDelete
wiki_db: Entering hasLDAPGroup
wiki_db: Checking to see if user is in: Forum:CantSearch
wiki_db: Entering hasLDAPGroup
wiki_db: Checking to see if user is in: Forum:NoSigs
wiki_db: Entering hasLDAPGroup
wiki_db: Checking to see if user is in: wiki_auth_users
wiki_db: Entering hasLDAPGroup
wiki_db: Checking to see if user is in: support
wiki_db: Entering hasLDAPGroup
wiki_db: Saving user settings.

wiki_db: Entering authenticate
wiki_db:
wiki_db: Entering Connect
wiki_db: Using TLS or not using encryption.
wiki_db: Using servers: ldap://AD1.WikiDomain.com ldap://AD2.WikiDomain.com ldap://AD3.WikiDomain.com
wiki_db: Connected successfully
wiki_db: Lowercasing the username: WikiUser
wiki_db: Entering getSearchString
wiki_db: Doing a proxy bind
wiki_db: Entering getUserDN
wiki_db: Created a regular filter: (sAMAccountName=WikiUser)
wiki_db: Entering getBaseDN
wiki_db: basedn is not set for this type of entry, trying to get the default basedn.
wiki_db: Entering getBaseDN
wiki_db: basedn is dc=WikiDomain,dc=com
wiki_db: Using base: dc=WikiDomain,dc=com
wiki_db: userdn is: CN=Wiki User,OU=Employees,OU=Users_WikiDomain,DC=WikiDomain,DC=com
wiki_db:
wiki_db: Binding as the user
wiki_db: Bound successfully
wiki_db: Entering getGroups
wiki_db: Retrieving LDAP group membership
wiki_db: Using memberOf
wiki_db: Entering checkGroups
wiki_db: Checking for (new style) group membership
wiki_db: Required groups: cn=wiki_auth_users,ou=security groups,ou=groups,ou=users_WikiDomain,dc=WikiDomain,dc=com
wiki_db: Checking against: cn=wiki_auth_users,ou=security groups,ou=groups,ou=users_WikiDomain,dc=WikiDomain,dc=com
wiki_db: Found user in a group.
wiki_db: Entering getPreferences
wiki_db: Retrieving preferences
wiki_db: Retrieved email (WikiUser@WikiDomain.com) using attribute (mail)
wiki_db: Retrieved realname (Wiki User) using attribute (cn)
wiki_db: Entering synchUsername
wiki_db: Authentication passed
wiki_db: Entering updateUser
wiki_db: Setting user preferences.
wiki_db: Setting realname.
wiki_db: Setting email.
wiki_db: Setting user groups.
wiki_db: Entering setGroups.
wiki_db: Locally managed groups is unset, using defaults: bot::sysop::bureaucrat
wiki_db: Available groups are: bot::sysop::bureaucrat::Forum:Admin::Forum:Mod::Forum:CantView::Forum:CantPost::Forum:CantEdit::Forum:CantDelete::Forum:CantSearch::Forum:NoSigs::wiki_auth_users::support
wiki_db: Effective groups are: *::user::autoconfirmed
wiki_db: Checking to see if user is in: bot
wiki_db: Entering hasLDAPGroup
wiki_db: Checking to see if user is in: sysop
wiki_db: Entering hasLDAPGroup
wiki_db: Checking to see if user is in: bureaucrat
wiki_db: Entering hasLDAPGroup
wiki_db: Checking to see if user is in: Forum:Admin
wiki_db: Entering hasLDAPGroup
wiki_db: Checking to see if user is in: Forum:Mod
wiki_db: Entering hasLDAPGroup
wiki_db: Checking to see if user is in: Forum:CantView
wiki_db: Entering hasLDAPGroup
wiki_db: Checking to see if user is in: Forum:CantPost
wiki_db: Entering hasLDAPGroup
wiki_db: Checking to see if user is in: Forum:CantEdit
wiki_db: Entering hasLDAPGroup
wiki_db: Checking to see if user is in: Forum:CantDelete
wiki_db: Entering hasLDAPGroup
wiki_db: Checking to see if user is in: Forum:CantSearch
wiki_db: Entering hasLDAPGroup
wiki_db: Checking to see if user is in: Forum:NoSigs
wiki_db: Entering hasLDAPGroup
wiki_db: Checking to see if user is in: wiki_auth_users
wiki_db: Entering hasLDAPGroup
wiki_db: Checking to see if user is in: support
wiki_db: Entering hasLDAPGroup
wiki_db: Saving user settings.
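
A triage sketch for the debug log above, added here as an example and not part of the original post or of the extension's code: it splits the flattened `wiki_db:` entries into login passes and reports when a login passes the required-group check yet none of the groups checked in `setGroups` appear in the next login's effective groups, and when the servers are reached over `ldap://` URIs. The function names, the finding labels and the shortened sample are constructed; it assumes a synced group would show up in the following pass's "Effective groups are" line.

```python
import re

# Constructed sample: one shortened login pass in the flattened form the post shows.
ONE_PASS = (
    "wiki_db: Entering authenticate wiki_db: wiki_db: Entering Connect "
    "wiki_db: Using servers: ldap://AD1.WikiDomain.com ldap://AD2.WikiDomain.com "
    "wiki_db: Found user in a group. wiki_db: Authentication passed "
    "wiki_db: Effective groups are: *::user::autoconfirmed "
    "wiki_db: Checking to see if user is in: wiki_auth_users wiki_db: Entering hasLDAPGroup "
    "wiki_db: Checking to see if user is in: support wiki_db: Entering hasLDAPGroup "
    "wiki_db: Saving user settings. "
)
SAMPLE = "Logs: " + ONE_PASS * 2  # the post's log contains two such passes

def passes(raw):
    """Split the flattened log on its 'wiki_db:' prefix and group by login pass."""
    out = []
    for msg in (m.strip() for m in re.split(r"wiki_db:\s*", raw)):
        if msg == "Entering authenticate":
            out.append([])
        if out and msg:
            out[-1].append(msg)
    return out

def summarize(msgs):
    """Pull the fields relevant to group sync out of one login pass."""
    s = {"servers": [], "required_ok": False, "auth_ok": False, "effective": [], "checked": []}
    for m in msgs:
        if m.startswith("Using servers: "):
            s["servers"] = m.split(": ", 1)[1].split()
        elif m == "Found user in a group.":
            s["required_ok"] = True
        elif m == "Authentication passed":
            s["auth_ok"] = True
        elif m.startswith("Effective groups are: "):
            s["effective"] = m.split(": ", 1)[1].split("::")
        elif m.startswith("Checking to see if user is in: "):
            s["checked"].append(m.split(": ", 1)[1])
    return s

def findings(raw):
    runs = [summarize(p) for p in passes(raw)]
    notes = []
    # ldap:// is not LDAPS; unless StartTLS is negotiated, bind passwords travel in clear.
    if any(u.startswith("ldap://") for r in runs for u in r["servers"]):
        notes.append("ldap-scheme")
    # Assumption: a group added by setGroups appears in the next pass's effective groups.
    for prev, cur in zip(runs, runs[1:]):
        if prev["auth_ok"] and prev["required_ok"] and not set(prev["checked"]) & set(cur["effective"]):
            notes.append("no-group-sync")
    return notes

if __name__ == "__main__":
    print(findings(SAMPLE))
```
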