Thread:Extension talk:LDAP Authentication/Trouble with Group Restricted Login/reply (11)

Hello Ryan Lane,

I got the same configuration indicated above and placed it in LocalSettings.php.

I created a user that has the following configuration:

sAMAccountName: 123456789
distinguishedName: CN=my test user,CN=Users,DC=OURDOMAIN,DC=corp

That's the configuration:

require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin;
$wgLDAPDomainNames = array('OURDOMAIN');
$wgLDAPServerNames = array('OURDOMAIN' => 'ad.OURDOMAIN.corp');
$wgLDAPSearchStrings = array('OURDOMAIN' => 'OURDOMAIN\\USER-NAME');  #in the OURDOMAIN\\USER-NAME, ourdomain is short.
$wgLDAPEncryptionType = array('OURDOMAIN' => 'clear');
$wgLDAPGroupNameAttribute = array("OURDOMAIN"=>"cn");
$wgLDAPBaseDNs = array("OURDOMAIN"=>"DC=OURDOMAIN,DC=corp");
$wgLDAPGroupSearchNestedGroups = array("OURDOMAIN"=>true);
$wgLDAPRequiredGroups = array("OURDOMAIN"=>array("CN=Users,DC=OURDOMAIN,DC=corp"));
$wgLDAPGroupUseFullDN = array("OURDOMAIN"=>true);
$wgLDAPSearchAttributes = array("OURDOMAIN" => 'sAMAccountName');
$wgLDAPGroupObjectclass = array("OURDOMAIN"=>'group');
$wgLDAPGroupAttribute = array("OURDOMAIN"=>'member');
$wgLDAPDebug = 3;
$wgDebugLogGroups["ldap"] = "/tmp/debug.log";

That's the log:

2010-07-30 22:43:11 nginx: Entering validDomain
2010-07-30 22:43:11 nginx: User is using a valid domain.
2010-07-30 22:43:11 nginx: Setting domain as: OURDOMAIN
2010-07-30 22:43:11 nginx: Entering getCanonicalName
2010-07-30 22:43:11 nginx: Username isn't empty.
2010-07-30 22:43:11 nginx: Munged username: 123456789
2010-07-30 22:43:11 nginx: Entering authenticate
2010-07-30 22:43:11 nginx:
2010-07-30 22:43:11 nginx: Entering Connect
2010-07-30 22:43:11 nginx: Using TLS or not using encryption.
2010-07-30 22:43:11 nginx: Using servers:  ldap://ad.OURDOMAIN.corp
2010-07-30 22:43:11 nginx: Connected successfully
2010-07-30 22:43:11 nginx: Entering getSearchString
2010-07-30 22:43:11 nginx: Doing a straight bind
2010-07-30 22:43:11 nginx: userdn is: OURDOMAIN\123456789
2010-07-30 22:43:11 nginx:
2010-07-30 22:43:11 nginx: Binding as the user
2010-07-30 22:43:11 nginx: Bound successfully
2010-07-30 22:43:11 nginx: Entering getUserDN
2010-07-30 22:43:11 nginx: Created a regular filter: (sAMAccountName=123456789)
2010-07-30 22:43:11 nginx: Entering getBaseDN
2010-07-30 22:43:11 nginx: basedn is not set for this type of entry, trying to get the default basedn.
2010-07-30 22:43:11 nginx: Entering getBaseDN
2010-07-30 22:43:11 nginx: basedn is DC=OURDOMAIN,DC=corp
2010-07-30 22:43:11 nginx: Using base: DC=OURDOMAIN,DC=corp
2010-07-30 22:43:11 nginx: Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
2010-07-30 22:43:11 nginx: Pulled the user's DN:
2010-07-30 22:43:11 nginx: Entering getGroups
2010-07-30 22:43:11 nginx: Retrieving LDAP group membership
2010-07-30 22:43:11 nginx: Searching for the groups
2010-07-30 22:43:11 nginx: Entering searchGroups
2010-07-30 22:43:11 nginx: Entering getBaseDN
2010-07-30 22:43:11 nginx: basedn is not set for this type of entry, trying to get the default basedn.
2010-07-30 22:43:11 nginx: Entering getBaseDN
2010-07-30 22:43:11 nginx: basedn is DC=OURDOMAIN,DC=corp
2010-07-30 22:43:11 nginx: Search string: (&(member=)(objectclass=group))
2010-07-30 22:43:11 nginx: Returned groups:
2010-07-30 22:43:11 nginx: Entering searchNestedGroups
2010-07-30 22:43:11 nginx: No more groups to search.
2010-07-30 22:43:11 nginx: Got the following nested groups:
2010-07-30 22:43:11 nginx: Entering checkGroups
2010-07-30 22:43:11 nginx: Checking for (new style) group membership
2010-07-30 22:43:11 nginx: Required groups: cn=users,dc=OURDOMAIN,DC=corp
2010-07-30 22:43:11 nginx: Couldn't find the user in any groups.
2010-07-30 22:43:11 nginx: Entering strict.
2010-07-30 22:43:11 nginx: Returning true in strict.
2010-07-30 22:43:11 nginx: Entering allowPasswordChange
2010-07-30 22:43:11 nginx: Entering modifyUITemplate

Points that I realized:

- I don't know why the log is 3 hours ahead, though the date/time/timezone of the operating system are correct, and I have checked this information in Active Directory too.

- The search is not returning anything in the log for: Pulled the user's DN

Could you help us? It is not working.

Thanks in advance.

James Gava
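
An added example, not part of the original post and not code from the LdapAuthentication extension: a small Python check that scans a debug log like the one above for the symptoms visible in it (an empty "Pulled the user's DN:" entry, a group filter with an empty value such as `(member=)`, and the "Couldn't find the user in any groups" message). The function names are hypothetical and the sample log is constructed from entries in the post; entries run together on one line are split on their timestamp prefix.

```python
import re

# Constructed sample, modelled on entries in the debug log above.
SAMPLE_LOG = (
    "2010-07-30 22:43:11 nginx: Created a regular filter: (sAMAccountName=123456789) "
    "2010-07-30 22:43:11 nginx: Pulled the user's DN: "
    "2010-07-30 22:43:11 nginx: Search string: (&(member=)(objectclass=group)) "
    "2010-07-30 22:43:11 nginx: Couldn't find the user in any groups."
)

STAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
# Zero-width split point in front of every "timestamp host:" prefix, so entries
# are recovered even when several were written or pasted onto one line.
ENTRY_START = re.compile(rf"(?={STAMP} \S+:)")
ENTRY = re.compile(rf"({STAMP}) \S+:(.*)", re.S)


def split_entries(text):
    """Return (timestamp, message) pairs for each debug entry in text."""
    entries = []
    for chunk in ENTRY_START.split(text):
        m = ENTRY.fullmatch(chunk.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def find_symptoms(text):
    """Flag the symptoms visible in the log above (hypothetical helper)."""
    findings = []
    for ts, msg in split_entries(text):
        if msg.startswith("Pulled the user's DN:"):
            if not msg.split(":", 1)[1].strip():
                findings.append((ts, "empty user DN"))
        elif msg.startswith("Search string:"):
            # An assertion with an empty value, e.g. (member=), as in the log above.
            for attr in re.findall(r"\((\w+)=\)", msg):
                findings.append((ts, f"empty '{attr}' value in group filter"))
        elif msg.startswith("Couldn't find the user in any groups"):
            findings.append((ts, "no group membership found"))
    return findings


if __name__ == "__main__":
    for ts, problem in find_symptoms(SAMPLE_LOG):
        print(ts, problem)
```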