Extension talk:ConfirmAccount

Captcha result is ignored when submitting account creation request

MyWikis-JeffreyWang (talkcontribs)

It seems like there are some issues with ConfirmAccount working with ConfirmEdit. Namely, the captcha value doesn't need to be valid in order to be submitted! Topic:Vky60p231ng9i1i4 seems to report the same issue. I can confirm this is not only affecting QuestyCaptcha but also other types such as hCaptcha, and affects versions between MediaWiki 1.31 and 1.35.

Apparently this has been an issue for nearly 4 years. https://phabricator.wikimedia.org/T168783

MyWikis-JeffreyWang (talkcontribs)

Borrowing Kghbln's terminology in another thread, an immediate but not final solution is offered here for hCaptcha only. (It is not very pretty and needs a lot of revising to commit to the codebase, but it works as a patch.) Make patches to the following files by replacing their contents with the contents in the link:

MediaWiki 1.35+:

MediaWiki 1.31:

FAQs:

1. You might ask, how would I get hCaptcha working on MediaWiki 1.31 when it is only for MediaWiki 1.35+?

Simple, just make sure you change line 139 protected function addCaptchaAPI( (as seen at https://github.com/wikimedia/mediawiki-extensions-ConfirmEdit/blob/master/hCaptcha/includes/HCaptcha.php#L139) to public function addCaptchaAPI(. That's it! Follow instructions for installing hCaptcha as normal otherwise and ignore the fact that it is only made for 1.35+. Another issue might appear that will cause pages such as Special:CreateAccount to error with the call to the addCSPSources() method on line 41 of HTMLHCaptchaField.php, but it can be fixed by removing that function call, since MediaWiki 1.31 doesn't offer support for this (as seen at https://github.com/wikimedia/mediawiki-extensions-ConfirmEdit/blob/master/hCaptcha/includes/HTMLHCaptchaField.php#L41).

2. Why does this patch only work for hCaptcha?

The way that ConfirmEdit and ConfirmAccount work together currently to "handle" captchas (or more precisely, don't handle captchas) is not easily fixable. This interim solution simply enables the form to accept the necessary captcha fields and adds a cURL request to the hCaptcha endpoint and evaluates its response. This was pretty easy to implement without referring to too many ConfirmEdit configuration variables and functions. We only made this patch for hCaptcha because MyWikis has moved to using hCaptcha on all wikis instead of QuestyCaptcha or reCAPTCHA. Our reasons for this choice are listed on our blog, and in our experience, reCAPTCHA is useless and has long been cracked by spambots. If you have a compelling reason for us to develop a temporary patch for QuestyCaptcha, leave a message below.

3. Are there any known issues with this patch?

I should note there is a small bug where hCaptcha doesn't populate the token passed along in the form submission if you previously submitted the form and ConfirmAccount gave you an error. But the patch makes up for it by adding an error message that encourages the user to leave and come back to the page to try again. Plus, nobody would be submitting the page without a captcha done in the first place except by mistake.
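For the server-side step the patch describes (a request to the hCaptcha siteverify endpoint whose response is then evaluated), the following is an added PHP example. It is not the MyWikis patch and not ConfirmEdit code; the function names, the 120-second freshness window, the hostname check and the sample responses are assumptions made for this illustration. The decision logic is kept apart from the network call so it can be exercised offline with constructed responses, and an empty token (the re-submission case noted as a known issue above) is refused before any request is made.

```php
<?php
// Added example (not the MyWikis patch, not ConfirmEdit code): server-side
// hCaptcha verification of the kind the interim patch performs. Function names,
// the freshness window and the sample responses below are assumptions.

const HCAPTCHA_VERIFY_URL = 'https://hcaptcha.com/siteverify';

/**
 * Decide on an already-decoded siteverify response. Kept free of I/O so the
 * decision logic can be exercised offline.
 *
 * @param array  $resp         decoded JSON from siteverify
 * @param string $expectedHost hostname of this wiki, as the browser sees it
 * @param int    $now          current Unix time
 * @param int    $maxAgeSec    assumed policy: how old a solved challenge may be
 * @return string|null null when the token is acceptable, else a short reason
 */
function hcaptchaEvaluate( array $resp, string $expectedHost, int $now, int $maxAgeSec = 120 ): ?string {
    if ( ( $resp['success'] ?? false ) !== true ) {
        $codes = implode( ',', (array)( $resp['error-codes'] ?? [] ) );
        return 'hcaptcha-failed:' . ( $codes === '' ? 'none' : $codes );
    }
    // A token solved on any site that uses the same account secret verifies,
    // so bind the result to our own hostname.
    if ( !isset( $resp['hostname'] ) || strcasecmp( (string)$resp['hostname'], $expectedHost ) !== 0 ) {
        return 'hcaptcha-hostname-mismatch';
    }
    // challenge_ts is ISO 8601; refuse tokens that are old or dated in the future.
    $ts = isset( $resp['challenge_ts'] ) ? strtotime( (string)$resp['challenge_ts'] ) : false;
    if ( $ts === false || $now - $ts > $maxAgeSec || $ts - $now > 60 ) {
        return 'hcaptcha-stale';
    }
    return null;
}

/**
 * Submit the h-captcha-response form value to siteverify and evaluate the answer.
 * Fails closed: no token, no network, or an undecodable body all reject the request.
 */
function hcaptchaVerify( string $secret, string $token, string $remoteIp, string $expectedHost ): ?string {
    if ( $token === '' ) {
        // Re-submitting the form after a ConfirmAccount error leaves this empty (known issue above).
        return 'hcaptcha-missing-token';
    }
    $ch = curl_init( HCAPTCHA_VERIFY_URL );
    curl_setopt_array( $ch, [
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => http_build_query( [
            'secret' => $secret,
            'response' => $token,
            'remoteip' => $remoteIp,
        ] ),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT => 10,
        CURLOPT_SSL_VERIFYPEER => true,
    ] );
    $body = curl_exec( $ch );
    $status = curl_getinfo( $ch, CURLINFO_RESPONSE_CODE );
    curl_close( $ch );
    if ( $body === false || $status !== 200 ) {
        return 'hcaptcha-unreachable';
    }
    $resp = json_decode( (string)$body, true );
    if ( !is_array( $resp ) ) {
        return 'hcaptcha-bad-response';
    }
    return hcaptchaEvaluate( $resp, $expectedHost, time() );
}

// Offline demonstration with constructed siteverify responses (not real hCaptcha output).
$now = strtotime( '2021-03-01T12:00:30Z' );
$samples = [
    'solved on this wiki'  => [ 'success' => true, 'challenge_ts' => '2021-03-01T12:00:00.000000Z', 'hostname' => 'wiki.example.org' ],
    'solved elsewhere'     => [ 'success' => true, 'challenge_ts' => '2021-03-01T12:00:00.000000Z', 'hostname' => 'other.example.net' ],
    'rejected by hCaptcha' => [ 'success' => false, 'error-codes' => [ 'invalid-input-response' ] ],
];
foreach ( $samples as $label => $resp ) {
    printf( "%-22s %s\n", $label, hcaptchaEvaluate( $resp, 'wiki.example.org', $now ) ?? 'accepted' );
}
```

Run it with the php CLI: only the first constructed response is accepted, the other two are refused with the reason string. In a real patch hcaptchaVerify() would be called from the form handler with the h-captcha-response field, the submitter's IP and the wiki's own hostname, and a non-null result turned into the form error shown to the user.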


IPv6 // Error 1406: Data too long for column 'acr_storage_key' at row 1 in tables "account_requests" and "account_credentials"

Kghbln (talkcontribs)

There seems to be an issue in some environments for MW 1.35.x, probably also for other versions. Tracked with task T275522.

Kghbln (talkcontribs)

Turns out that the extension is not yet up for requests from users with IPv6. :|

Kghbln (talkcontribs)

An immediate but not final solution is offered at task T275522.


How do I a make the Real Name a required field

Ken Roy (talkcontribs)

How do I make the Real Name a required field in the MW 1.35 LocalSettings.php? I have the following defined in LocalSettings.php after the extension is loaded:

## option to create User: page set to true
$wgMakeUserPageFromBio = true;

## option to create User talk: page set to true
$wgAutoWelcomeNewUsers = true;

$wgConfirmAccountRequestFormItems = [
    'UserName'        => [ 'enabled' => true ],
    'RealName'        => [ 'enabled' => true ],
    'Biography'       => [ 'enabled' => true, 'minWords' => 1 ],
    'AreasOfInterest' => [ 'enabled' => false ],
    'CV'              => [ 'enabled' => false ],
    'Notes'           => [ 'enabled' => false ],
    'Links'           => [ 'enabled' => false ],
    'TermsOfService'  => [ 'enabled' => true ],
];

In testing I am able to submit an account request with an empty field for the real name, which we use in the User: profile.

The Extension:ConfirmAccount page indicates

The default values are in ConfirmAccount.config.php, but you should not edit that file.

but I am not able to find that file.


Why is the confirmaccount-email-body not used on account approval

Ken Roy (talkcontribs)

I posted the question on the Support Desk

Topic:W154oo8jj3wwk5go

but maybe it should be posted here

I was trying to figure out why the lang.json files are not being used to send out the approval email in the language the user submitted the request in, when I noticed the email message was very different from the "confirmaccount-email-body" in line 82 of wiki/extensions/ConfirmAccount/i18n/requestaccount/en.json.

Ken Roy (talkcontribs)

Looks like the account created email message is coming from the wiki/languages/i18n/en.json file

"createaccount-text": "The account you requested for this email address on MediaWiki ($4) named \"$2\", with a temporary password \"$3\" has been created.\nYou should log in and change your password now.\n\nYou may ignore this message, if this account was created in error.",

and is being issued by the wiki/includes/auth/TemporaryPasswordPrimaryAuthenticationProvider.php

in the function sendNewAccountEmail

It also appears that the following instruction

       $userLanguage = $user->getOption( 'language' );

does not get the language used by the user when Registering for a Username

Why is the ConfirmAccount not issuing the email?

Ken Roy (talkcontribs)

I upgraded to MediaWiki 1.35.1 over the weekend and I cannot find where the Account created email is coming from.

It now starts with

Someone created an account for your email address on TNG Wiki ...

Can someone please identify where that message is within MediaWiki 1.35.1

Installed software

Product    Version
MediaWiki  1.35.1
PHP        7.4.9 (cgi-fcgi)
MySQL      5.7.31-percona-sure1-log
ICU        63.1
Lua        5.1.5

$wgDefaultSkin = "vector";

Extensions

wfLoadExtension( 'CategoryTree' );
wfLoadExtension( 'Cite' );
wfLoadExtension( 'CiteThisPage' );
wfLoadExtension( 'CodeEditor' );
wfLoadExtension( 'CollapsibleVector' );
wfLoadExtension( 'ConfirmAccount' );
wfLoadExtension( 'ConfirmEdit' );
wfLoadExtension( 'EditUser' );
wfLoadExtension( 'Gadgets' );
require_once "$IP/extensions/GoogleTranslator/GoogleTranslator.php";
wfLoadExtension( 'ImageMap' );
wfLoadExtension( 'InputBox' );
require_once "$IP/extensions/LanguageSelector/LanguageSelector.php";
wfLoadExtension( 'LocalisationUpdate' );
wfLoadExtension( 'Lockdown' );
require_once "$IP/extensions/MobileDetect/MobileDetect.php";
wfLoadExtension( 'MobileFrontend' );
wfLoadExtension( 'MyVariables' );
wfLoadExtension( 'NewUserMessage' );
wfLoadExtension( 'ParserFunctions' );
wfLoadExtension( 'Poem' );
require_once "$IP/extensions/Polyglot/Polyglot.php";
wfLoadExtension( 'Renameuser' );
wfLoadExtension( 'ReplaceText' );
wfLoadExtension( 'Scribunto' );
wfLoadExtension( 'SecureLinkFixer' );
wfLoadExtension( 'SyntaxHighlight_GeSHi' );
wfLoadExtension( 'TemplateData' );
wfLoadExtension( 'TextExtracts' );
wfLoadExtension( 'TitleKey' );
wfLoadExtension( 'UserMerge' );
wfLoadExtension( 'VisualEditor' );
wfLoadExtension( 'WikiEditor' );


I am working on getting the ConfirmAccount Request Account form in different languages on the same wiki using LanguageSelector. I have most of it working, but cannot find where the account created message is defined. It is not in the ConfirmAccount en.json files.

Thanks in advance for any help you all can provide

Ken Roy (talkcontribs)

Mea culpa,

It is heck getting old and upgrading MediaWiki software only every 3 years or so. I completely forgot that I had changed that message when I upgraded to MW 1.27.3

It would be nice though if the account approved email came from the ConfirmAccount extension's confirmaccount-email-body message instead of the generic createaccount-text in the wiki/languages/i18n json files.

Sorry for raising this issue.

Marx.FelipeForte (talkcontribs)

I have the same issue, and I have to change createaccount-text for the moment to work it out.


email confirmation not preserved

Kghbln (talkcontribs)

A user who has confirmed his or her e-mail for account creation has to confirm the e-mail again for MediaWiki once the account has been created. Requiring e-mail confirmation twice is really bad.


ConfirmAccount missing on Login page (1.35)

Rrosenfeld (talkcontribs)

On upgrading from 1.31 to 1.35 I have the problem that the link to the ConfirmLogin special page (requestaccount-loginnotice) is missing on the login special page.

I tracked this down to includes/frontend/ConfirmAccountUI.hooks.php, where addRequestLoginText() should add this information to the hook. But addRequestLoginText() is never called in 1.35 (I tried it out by adding a division by zero error at the top of addRequestLoginText() in both 1.31 and 1.35). Any idea what I'm doing wrong? Anything that I have to do to enforce using the hooks?

For testing reasons I tried with a freshly created LocalSettings.php with only ConfirmLogin extension enabled but with the same result: No link to Special:RequestAccount in the login form, so this should hurt every user here...

$wgConfirmAccountCaptchas

Waanders (talkcontribs)

Unreject an account request

Wmat (talkcontribs)

I have an account request that was rejected in error. Can it be unrejected? I asked the User to request a new account but they're receiving a message that the Username is already taken and if they try a new username, they get a message that the email address is already taken.

Auto-creation of a local account failed: You have not specified a valid username

213.55.220.217 (talkcontribs)

Hello everyone,

We have updated the MediaWiki in our company from version 1.23.15 to version 1.27 and then to 1.34.

After we changed the login to LDAPAuthentication2 we could log in. Now we have the following problems:

1. the matching between "User" ==> "Groups" does not work correctly

2. new users can no longer register.

Below I have our LocalSettings.php; the error message when logging in is the following:

"Auto-creation of a local account failed: You have not specified a valid username"

Side note:

We want the login with the e-mail address firstname.lastname@domain

Sometimes users could log in, but then the correct value was not entered into the database ((Firstname Lastname) instead of (firstname.lastname@domain)).

Does anyone have an idea what we did wrong?

$wgDebugLogFile = '/var/www/html/wiki/debug_log.log';
$wgShowExceptionDetails = true; // was a bare "$wgShowExceptionDetails;", which assigns nothing
$wgDebugToolbar = true;         // was a bare "$wgDebugToolbar;", likewise a no-op
$wgDebugLogGroups['LDAPGrops'] = '/var/www/html/wiki/LDAPGroups.log';
error_reporting( -1 );
ini_set( 'display_errors', 1 );
ini_set( 'display_startup_errors', 1 );
$wgDebugLogGroups['LDAPAuthentication2'] = "/var/www/html/wiki/LDAPAuthentication2.log";

wfLoadExtension( 'WikiEditor' );
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPGroups' );

$wgEmailConfirmToEdit = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgBlockDisablesLogin = true;
$LDAPAuthorizationAutoAuthRemoteUserStringParser = 'ldapuser@some.domain';
$LDAPAuthentication2AllowLocalLogin = true;
$wgAuthRemoteUserAllowUserSwitch = true;
$wgPluggableAuth_ButtonLabel = "Log In";

$LDAPProviderDomainConfigProvider = function () {
    $config = [
        'some.domain' => [
            'connection' => [
                "server" => "ADServer.some.domain",
                "user" => "ldapuser@some.domain",
                "pass" => "LDAPPasswd",
                "port" => "636",
                "enctype" => "ssl",
                "options" => [
                    "LDAP_OPT_DEREF" => 1
                ],
                "basedn" => "dc=some,dc=domain",
                "groupbasedn" => "dc=some,dc=domain",
                "userbasedn" => "dc=some,dc=domain",
                "searchattribute" => "userprincipalname",
                "searchstring" => "",
                "realnameattribute" => "cn",
                "usernameattribute" => "userprincipalname",
                "emailattribute" => "mail",
                "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
            ],
            "authorization" => [
                "rules" => [
                    "required" => [
                        "wiki-admin",
                        "wiki-user"
                    ]
                ]
            ],
            "userinfo" => [
                "attributes-map" => [
                    "email" => "mail",
                    "realname" => "userprincipalname"
                ]
            ],
            "groupsync" => [
                "mechanism" => "mappedgroups",
                "mapping" => [
                    "sysop" => "wiki-admin",
                    "user" => "wiki-user"
                ]
            ]
        ]
    ];
    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

Best regards

Scoobydoo321 (talkcontribs)

@Osnard

Sorry, I first wrote this topic (as 213.55.220.217) and after that I created a login.

I found out that login with an email address is not supported, and now I've tried to change the login to other AD credentials.

But now I can't log in. In the log I see that the user is authenticated, but after that the auto-create account step wants to create a user with the IP as username.

Does anyone have an idea where my mistake is?

I now use a file for the connection (ldap.json).


Best regards

Osnard (talkcontribs)

This is probably because the "authorization" part fails. The values "wiki-admin" and "wiki-user" in "authorization.rules.required.groups" should be DNs, like "CN=wiki-admin,OU=Groups,OU=Company,...". Check the output of "extensions/LDAPProvider/maintenance/ShowUserGroups.php" to see what you need to put in there. For testing you can also make "authorization.rules.required.groups" empty.
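To make concrete what the reply above describes (the groups list under authorization.rules.required has to hold full group DNs as ShowUserGroups.php prints them, and the groupsync mapping pairs a wiki group with a group DN), here is an added PHP example that resolves both against a user's memberOf values. It is not LDAPProvider or LDAPAuthorization code; normaliseDn(), ldapAuthorized() and ldapMapGroups() are helpers written for this illustration, and the sample memberOf entries are constructed from the readable memberof values in the ldap.log output posted in this thread.

```php
<?php
// Added example, not LDAPProvider/LDAPAuthorization code: how a required-groups
// rule and a "wikigroup" => "DN" mapping resolve against a user's memberOf values.
// normaliseDn(), ldapAuthorized() and ldapMapGroups() are helpers written here.

/**
 * Normalise a DN for comparison: case-insensitive, no whitespace around "," and "=".
 * Simplification: RFC 4514 escaping (e.g. "\," inside a value) is not handled.
 */
function normaliseDn( string $dn ): string {
    return strtolower( preg_replace( '/\s*([,=])\s*/', '$1', trim( $dn ) ) );
}

/**
 * True when the user is a member of every DN listed in the rule.
 * An empty rule (the "groups": [] case) imposes no restriction.
 */
function ldapAuthorized( array $memberOf, array $requiredGroups ): bool {
    $have = array_map( 'normaliseDn', $memberOf );
    foreach ( $requiredGroups as $required ) {
        if ( !in_array( normaliseDn( $required ), $have, true ) ) {
            return false;
        }
    }
    return true;
}

/**
 * Map memberOf values to wiki groups using a "wikigroup" => "DN" table, the
 * shape of groupsync.mapping in the ldap.json above. Returns the sorted list
 * of wiki groups the user should receive.
 */
function ldapMapGroups( array $memberOf, array $mapping ): array {
    $have = array_map( 'normaliseDn', $memberOf );
    $wikiGroups = [];
    foreach ( $mapping as $wikiGroup => $dn ) {
        if ( in_array( normaliseDn( $dn ), $have, true ) ) {
            $wikiGroups[] = $wikiGroup;
        }
    }
    sort( $wikiGroups );
    return $wikiGroups;
}

// Constructed input: the two readable memberof values from the ldap.log output in this thread.
$memberOf = [
    'CN=WikiAdmin,OU=Application_Groups,OU=Groups,OU=someOU,DC=my,DC=domain',
    'CN=WikiUsers,OU=Application_Groups,OU=Groups,OU=someOU,DC=my,DC=domain',
];

// Short names, as in the first LocalSettings.php: nothing in memberOf equals "wiki-admin".
var_dump( ldapAuthorized( $memberOf, [ 'wiki-admin', 'wiki-user' ] ) );
// A full DN as ShowUserGroups.php prints it; case and spacing differences are tolerated.
var_dump( ldapAuthorized( $memberOf, [ 'cn=wikiusers, ou=application_groups, ou=groups, ou=someou, dc=my, dc=domain' ] ) );
// Empty rule: no restriction.
var_dump( ldapAuthorized( $memberOf, [] ) );

// Mapping: only DNs that name the user's groups exactly yield wiki groups; a DN
// from a different tree (here the OU=Groups,DC=domain,DC=my form) matches nothing.
var_dump( ldapMapGroups( $memberOf, [
    'sysop' => 'CN=WikiAdmin,OU=Application_Groups,OU=Groups,OU=someOU,DC=my,DC=domain',
    'user'  => 'CN=WikiUsers,OU=Application_Groups,OU=Groups,OU=someOU,DC=my,DC=domain',
    'bot'   => 'CN=WikiBots,OU=Groups,DC=domain,DC=my',
] ) );
```

The practical check this suggests: paste the DNs from ShowUserGroups.php into the rule and the mapping character for character (only case and spacing are forgiven here), and keep the required list empty while testing so that authorization is taken out of the picture and only the group mapping remains to verify.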

Scoobydoo321 (talkcontribs)

Hi Osnard

Thanks for the reply. I checked the output; I got some full DNs and short names. I copied the output from ShowUserGroups.php but it still doesn't work.

Sorry, but I'm new to JSON, so I hope this one is correct when you mean empty:

{
    "my.domain": {
        "connection": {
            "server": "ADServer.my.domain",
            "port": "636",
            "user": "CN=ldapuser,OU=ServiceAccounts,DC=domain,DC=my",
            "pass": "somePassword",
            "enctype": "ssl",
            "options": {
                "LDAP_OPT_DEREF": "1"
            },
            "basedn": "dc=domain,dc=my",
            "groupbasedn": "dc=domain,dc=my",
            "userbasedn": "dc=domain,dc=my",
            "searchattribute": "userprincipalname",
            "usernameattribute": "samaccountname",
            "realnameattribute": "cn",
            "emailattribute": "mail",
            "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory"
        },
        "userinfo": {
            "attributes-map": {
                "email": "mail",
                "realname": "cn"
            }
        },
        "authorization": {
            "rules": {
                "required": {
                    "groups": []
                }
            }
        },
        "groupsync": {
            "mapping": {
                "sysop": "CN=WikiAdmin,OU=Groups,DC=domain,DC=my",
                "user": "CN=WikiUser,OU=Groups,DC=domain,DC=my"
            }
        }
    }
}
Osnard (talkcontribs)
Scoobydoo321 (talkcontribs)

Yes the "CheckLogin.php" returns OK


Output from ldap.log with LDAPAuthorization disabled:

2020-07-22 09:15:08 srv-wiki-1 wiki_db: In execute()
2020-07-22 09:15:08 srv-wiki-1 wiki_db: Getting PluggableAuth singleton
2020-07-22 09:15:08 srv-wiki-1 wiki_db: Class name: MediaWiki\Extension\LDAPAuthentication2\PluggableAuth
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_connect( $hostname = 'ldaps://ADServer.my.domain:636', $port = 389 );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # __METHOD__ returns Resource id #259
2020-07-22 09:15:08 srv-wiki-1 wiki_db: Setting LDAP_OPT_PROTOCOL_VERSION to 3
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_set_option( $linkID, $option = 17, $newval = 3 );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: Setting LDAP_OPT_REFERRALS to 0
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_set_option( $linkID, $option = 8, $newval = 0 );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: Setting LDAP_OPT_DEREF to 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_set_option( $linkID, $option = 2, $newval = 1 );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_bind( $linkID, $bindRDN = 'CN=ldapuser,OU=ServiceAccounts,OU=someOU,DC=my,DC=domain', $bindPassword = 'XXXX' );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: MediaWiki\Extension\LDAPProvider\Client::getUserDN: search with array (
  'base' => 'DC=my,DC=domain',
  'filter' => '(userprincipalname=fred@my.domain)',
  'attributes' => 
  array (
    0 => '*',
    1 => 'memberof',
  ),
)
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_search( $linkID, $baseDN = 'DC=my,DC=domain', $filter = '(userprincipalname=fred@my.domain)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns Resource id #275
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_count_entries( $linkiID, $result = 'Resource id #275' );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_get_entries( $linkID, $resultID );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns: array (
  'count' => 1,
  0 => 
  array (
    'objectclass' => 
    array (
      'count' => 4,
      0 => 'top',
      1 => 'person',
      2 => 'organizationalPerson',
      3 => 'user',
    ),
    0 => 'objectclass',
    'cn' => 
    array (
      'count' => 1,
      0 => 'tester',
    ),
    1 => 'cn',
    'sn' => 
    array (
      'count' => 1,
      0 => 'tester',
    ),
    2 => 'sn',
    'description' => 
    array (
      'count' => 1,
      0 => 'Test User',
    ),
    3 => 'description',
    'telephonenumber' => 
    array (
      'count' => 1,
      0 => '4 52 41',
    ),
    4 => 'telephonenumber',
    'givenname' => 
    array (
      'count' => 1,
      0 => 'hp',
    ),
    5 => 'givenname',
    'initials' => 
    array (
      'count' => 1,
      0 => 'fred',
    ),
    6 => 'initials',
    'distinguishedname' => 
    array (
      'count' => 1,
      0 => 'CN=tester,OU=Test,OU=Users,OU=someOU,DC=my,DC=domain',
    ),
    7 => 'distinguishedname',
    'instancetype' => 
    array (
      'count' => 1,
      0 => '4',
    ),
    8 => 'instancetype',
    'whencreated' => 
    array (
      'count' => 1,
      0 => '20131218141516.0Z',
    ),
    9 => 'whencreated',
    'whenchanged' => 
    array (
      'count' => 1,
      0 => '20200716080258.0Z',
    ),
    10 => 'whenchanged',
    'displayname' => 
    array (
      'count' => 1,
      0 => 'tester',
    ),
    11 => 'displayname',
    'usncreated' => 
    array (
      'count' => 1,
      0 => '30230',
    ),
    12 => 'usncreated',
    'memberof' => 
    array (
      'count' => 10,
      0 => 'CN=WikiAdmin,OU=Application_Groups,OU=Groups,OU=someOU,DC=my,DC=domain',
      1 => '####',
      2 => '####',
      3 => '####',
      4 => '####',
      5 => 'CN=WikiUsers,OU=Application_Groups,OU=Groups,OU=someOU,DC=my,DC=domain',
      6 => '####',
      7 => '####',
      8 => '####',
      9 => '####',
    ),
    13 => 'memberof',
    'usnchanged' => 
    array (
      'count' => 1,
      0 => '3982289',
    ),
    14 => 'usnchanged',
    'proxyaddresses' => 
    array (
      'count' => 7,
      0 => 'smtp:####',
      1 => 'smtp:####',
      2 => 'smtp:####',
      3 => 'SMTP:####',
      4 => 'sip:####',
      5 => 'smtp:####',
      6 => 'smtp:####',
    ),
    15 => 'proxyaddresses',
    'homemdb' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    16 => 'homemdb',
    'mdbusedefaults' => 
    array (
      'count' => 1,
      0 => 'TRUE',
    ),
    17 => 'mdbusedefaults',
    'mailnickname' => 
    array (
      'count' => 1,
      0 => 'fred',
    ),
    18 => 'mailnickname',
    'name' => 
    array (
      'count' => 1,
      0 => 'tester',
    ),
    19 => 'name',
    'objectguid' => 
    array (
      'count' => 1,
      0 => '<binary objectGUID>',
    ),
    20 => 'objectguid',
    'useraccountcontrol' => 
    array (
      'count' => 1,
      0 => '66048',
    ),
    21 => 'useraccountcontrol',
    'badpwdcount' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    22 => 'badpwdcount',
    'codepage' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    23 => 'codepage',
    'countrycode' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    24 => 'countrycode',
    'badpasswordtime' => 
    array (
      'count' => 1,
      0 => '132397147069218117',
    ),
    25 => 'badpasswordtime',
    'lastlogoff' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    26 => 'lastlogoff',
    'lastlogon' => 
    array (
      'count' => 1,
      0 => '132397149483435657',
    ),
    27 => 'lastlogon',
    'pwdlastset' => 
    array (
      'count' => 1,
      0 => '132393601472194926',
    ),
    28 => 'pwdlastset',
    'primarygroupid' => 
    array (
      'count' => 1,
      0 => '513',
    ),
    29 => 'primarygroupid',
    'profilepath' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    30 => 'profilepath',
    'objectsid' => 
    array (
      'count' => 1,
      0 => '<binary objectSID>',
    ),
    31 => 'objectsid',
    'admincount' => 
    array (
      'count' => 1,
      0 => '1',
    ),
    32 => 'admincount',
    'accountexpires' => 
    array (
      'count' => 1,
      0 => '9223372036854775807',
    ),
    33 => 'accountexpires',
    'logoncount' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    34 => 'logoncount',
    'samaccountname' => 
    array (
      'count' => 1,
      0 => 'fred',
    ),
    35 => 'samaccountname',
    'samaccounttype' => 
    array (
      'count' => 1,
      0 => '805306368',
    ),
    36 => 'samaccounttype',
    'showinaddressbook' => 
    array (
      'count' => 4,
      0 => '####',
      1 => '####',
      2 => '####',
      3 => '####',
    ),
    37 => 'showinaddressbook',
    'legacyexchangedn' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    38 => 'legacyexchangedn',
    'userprincipalname' => 
    array (
      'count' => 1,
      0 => 'fred@my.domain',
    ),
    39 => 'userprincipalname',
    'lockouttime' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    40 => 'lockouttime',
    'lastknownparent' => 
    array (
      'count' => 1,
      0 => 'OU=Test,OU=Users,OU=someOU,DC=my,DC=domain',
    ),
    41 => 'lastknownparent',
    'objectcategory' => 
    array (
      'count' => 1,
      0 => 'CN=Person,CN=Schema,CN=Configuration,DC=my,DC=domain',
    ),
    42 => 'objectcategory',
    'dscorepropagationdata' => 
    array (
      'count' => 1,
      0 => '16010101000000.0Z',
    ),
    43 => 'dscorepropagationdata',
    'lastlogontimestamp' => 
    array (
      'count' => 1,
      0 => '132393601780066773',
    ),
    44 => 'lastlogontimestamp',
    'msds-supportedencryptiontypes' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    45 => 'msds-supportedencryptiontypes',
    'msds-lastknownrdn' => 
    array (
      'count' => 1,
      0 => 'tester',
    ),
    46 => 'msds-lastknownrdn',
    'mail' => 
    array (
      'count' => 1,
      0 => 'fred@my.domain',
    ),
    47 => 'mail',
    'thumbnailphoto' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    48 => 'thumbnailphoto',
    'msexchhomeservername' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    49 => 'msexchhomeservername',
    'msexchmailboxsecuritydescriptor' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    50 => 'msexchmailboxsecuritydescriptor',
    'msexchuseraccountcontrol' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    51 => 'msexchuseraccountcontrol',
    'msexchmailboxguid' => 
    array (
      'count' => 1,
      0 => '<binary msExchMailboxGuid>',
    ),
    52 => 'msexchmailboxguid',
    'msexchpoliciesincluded' => 
    array (
      'count' => 2,
      0 => '4dde4918-7608-4c22-b276-64f5eb00c3e4',
      1 => '{26491cfc-9e50-4857-861b-0cb8df22b5d7}',
    ),
    53 => 'msexchpoliciesincluded',
    'msrtcsip-internetaccessenabled' => 
    array (
      'count' => 1,
      0 => 'TRUE',
    ),
    54 => 'msrtcsip-internetaccessenabled',
    'msexchmailboxtemplatelink' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    55 => 'msexchmailboxtemplatelink',
    'msexchdelegatelistlink' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    56 => 'msexchdelegatelistlink',
    'msrtcsip-optionflags' => 
    array (
      'count' => 1,
      0 => '2305',
    ),
    57 => 'msrtcsip-optionflags',
    'msrtcsip-userpolicies' => 
    array (
      'count' => 1,
      0 => '0=666577031',
    ),
    58 => 'msrtcsip-userpolicies',
    'msexchumdtmfmap' => 
    array (
      'count' => 4,
      0 => 'reversedPhone:14254',
      1 => 'emailAddress:3733',
      2 => 'lastNameFirstName:83783747',
      3 => 'firstNameLastName:47837837',
    ),
    59 => 'msexchumdtmfmap',
    'msexchmdbrulesquota' => 
    array (
      'count' => 1,
      0 => '256',
    ),
    60 => 'msexchmdbrulesquota',
    'msexchprevioushomemdb' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    61 => 'msexchprevioushomemdb',
    'msexchrecipientdisplaytype' => 
    array (
      'count' => 1,
      0 => '1073741824',
    ),
    62 => 'msexchrecipientdisplaytype',
    'msrtcsip-primaryuseraddress' => 
    array (
      'count' => 1,
      0 => 'sip:fred@my.domain',
    ),
    63 => 'msrtcsip-primaryuseraddress',
    'msrtcsip-deploymentlocator' => 
    array (
      'count' => 1,
      0 => 'SRV:',
    ),
    64 => 'msrtcsip-deploymentlocator',
    'msexchpublicfoldermailbox' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    65 => 'msexchpublicfoldermailbox',
    'msrtcsip-userroutinggroupid' => 
    array (
      'count' => 1,
      0 => '<binary>',
    ),
    66 => 'msrtcsip-userroutinggroupid',
    'msrtcsip-userenabled' => 
    array (
      'count' => 1,
      0 => 'TRUE',
    ),
    67 => 'msrtcsip-userenabled',
    'msexchelcmailboxflags' => 
    array (
      'count' => 1,
      0 => '2',
    ),
    68 => 'msexchelcmailboxflags',
    'msexchwhenmailboxcreated' => 
    array (
      'count' => 1,
      0 => '20160115162536.0Z',
    ),
    69 => 'msexchwhenmailboxcreated',
    'msexchrbacpolicylink' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    70 => 'msexchrbacpolicylink',
    'msrtcsip-primaryhomeserver' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    71 => 'msrtcsip-primaryhomeserver',
    'msexchsafesendershash' => 
    array (
      'count' => 1,
      0 => '<binary>',
    ),
    72 => 'msexchsafesendershash',
    'msexchversion' => 
    array (
      'count' => 1,
      0 => '88218628259840',
    ),
    73 => 'msexchversion',
    'msrtcsip-federationenabled' => 
    array (
      'count' => 1,
      0 => 'TRUE',
    ),
    74 => 'msrtcsip-federationenabled',
    'msexchrecipienttypedetails' => 
    array (
      'count' => 1,
      0 => '1',
    ),
    75 => 'msexchrecipienttypedetails',
    'count' => 76,
    'dn' => 'CN=tester,OU=Test,OU=Users,OU=someOU,DC=my,DC=domain',
  ),
)
2020-07-22 09:15:08 srv-wiki-1 wiki_db: Found user DN: 'CN=tester,OU=Test,OU=Users,OU=someOU,DC=my,DC=domain'
2020-07-22 09:15:08 srv-wiki-1 wiki_db: MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'CN=tester,OU=Test,OU=Users,OU=someOU,DC=my,DC=domain'
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_bind( $linkID, $bindRDN = 'CN=tester,OU=Test,OU=Users,OU=someOU,DC=my,DC=domain', $bindPassword = 'XXXX' );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_bind( $linkID, $bindRDN = 'CN=srvwikiadauth,OU=ServiceAccounts,OU=someOU,DC=my,DC=domain', $bindPassword = 'XXXX' );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_search( $linkID, $baseDN = 'DC=my,DC=domain', $filter = '(userprincipalname=fred@my.domain)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns Resource id #289
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_get_entries( $linkID, $resultID );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns: array (
  'count' => 1,
  0 => 
  array (
    'objectclass' => 
    array (
      'count' => 4,
      0 => 'top',
      1 => 'person',
      2 => 'organizationalPerson',
      3 => 'user',
    ),
    0 => 'objectclass',
    'cn' => 
    array (
      'count' => 1,
      0 => 'tester',
    ),
    1 => 'cn',
    'sn' => 
    array (
      'count' => 1,
      0 => 'tester',
    ),
    2 => 'sn',
    'description' => 
    array (
      'count' => 1,
      0 => 'Test User',
    ),
    3 => 'description',
    'telephonenumber' => 
    array (
      'count' => 1,
      0 => '4 52 41',
    ),
    4 => 'telephonenumber',
    'givenname' => 
    array (
      'count' => 1,
      0 => 'hp',
    ),
    5 => 'givenname',
    'initials' => 
    array (
      'count' => 1,
      0 => 'fred',
    ),
    6 => 'initials',
    'distinguishedname' => 
    array (
      'count' => 1,
      0 => 'CN=tester,OU=Test,OU=Users,OU=someOU,DC=my,DC=domain',
    ),
    7 => 'distinguishedname',
    'instancetype' => 
    array (
      'count' => 1,
      0 => '4',
    ),
    8 => 'instancetype',
    'whencreated' => 
    array (
      'count' => 1,
      0 => '20131218141516.0Z',
    ),
    9 => 'whencreated',
    'whenchanged' => 
    array (
      'count' => 1,
      0 => '20200716080258.0Z',
    ),
    10 => 'whenchanged',
    'displayname' => 
    array (
      'count' => 1,
      0 => 'tester',
    ),
    11 => 'displayname',
    'usncreated' => 
    array (
      'count' => 1,
      0 => '30230',
    ),
    12 => 'usncreated',
    'memberof' => 
    array (
      'count' => 10,
      0 => 'CN=WikiAdmin,OU=Application_Groups,OU=Groups,OU=someOU,DC=my,DC=domain',
      1 => '####',
      2 => '####',
      3 => '####',
      4 => '####',
      5 => 'CN=WikiUsers,OU=Application_Groups,OU=Groups,OU=someOU,DC=my,DC=domain',
      6 => '####',
      7 => '####',
      8 => '####',
      9 => '####',
    ),
    13 => 'memberof',
    'usnchanged' => 
    array (
      'count' => 1,
      0 => '3982289',
    ),
    14 => 'usnchanged',
    'proxyaddresses' => 
    array (
      'count' => 7,
      0 => '####',
      1 => '####',
      2 => '####',
      3 => '####',
      4 => '####',
      5 => '####',
      6 => '####',
    ),
    15 => 'proxyaddresses',
    'homemdb' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    16 => 'homemdb',
    'mdbusedefaults' => 
    array (
      'count' => 1,
      0 => 'TRUE',
    ),
    17 => 'mdbusedefaults',
    'mailnickname' => 
    array (
      'count' => 1,
      0 => 'fred',
    ),
    18 => 'mailnickname',
    'name' => 
    array (
      'count' => 1,
      0 => 'tester',
    ),
    19 => 'name',
    'objectguid' => 
    array (
      'count' => 1,
      0 => '<2‹.Àª	EœÌÅï��oî',
    ),
    20 => 'objectguid',
    'useraccountcontrol' => 
    array (
      'count' => 1,
      0 => '66048',
    ),
    21 => 'useraccountcontrol',
    'badpwdcount' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    22 => 'badpwdcount',
    'codepage' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    23 => 'codepage',
    'countrycode' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    24 => 'countrycode',
    'badpasswordtime' => 
    array (
      'count' => 1,
      0 => '132397147069218117',
    ),
    25 => 'badpasswordtime',
    'lastlogoff' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    26 => 'lastlogoff',
    'lastlogon' => 
    array (
      'count' => 1,
      0 => '132397149483435657',
    ),
    27 => 'lastlogon',
    'pwdlastset' => 
    array (
      'count' => 1,
      0 => '132393601472194926',
    ),
    28 => 'pwdlastset',
    'primarygroupid' => 
    array (
      'count' => 1,
      0 => '513',
    ),
    29 => 'primarygroupid',
    'profilepath' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    30 => 'profilepath',
    'objectsid' => 
    array (
      'count' => 1,
      0 => '��' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '��' . "\0" . '' . "\0" . '' . "\0" . '¶Dä#�Àê2Ûë�P}-' . "\0" . '' . "\0" . '',
    ),
    31 => 'objectsid',
    'admincount' => 
    array (
      'count' => 1,
      0 => '1',
    ),
    32 => 'admincount',
    'accountexpires' => 
    array (
      'count' => 1,
      0 => '9223372036854775807',
    ),
    33 => 'accountexpires',
    'logoncount' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    34 => 'logoncount',
    'samaccountname' => 
    array (
      'count' => 1,
      0 => 'fred',
    ),
    35 => 'samaccountname',
    'samaccounttype' => 
    array (
      'count' => 1,
      0 => '805306368',
    ),
    36 => 'samaccounttype',
    'showinaddressbook' => 
    array (
      'count' => 4,
      0 => '####',
      1 => '####',
      2 => '####',
      3 => '####',
    ),
    37 => 'showinaddressbook',
    'legacyexchangedn' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    38 => 'legacyexchangedn',
    'userprincipalname' => 
    array (
      'count' => 1,
      0 => 'fred@my.domain',
    ),
    39 => 'userprincipalname',
    'lockouttime' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    40 => 'lockouttime',
    'lastknownparent' => 
    array (
      'count' => 1,
      0 => 'OU=Test,OU=Users,OU=someOU,DC=my,DC=domain',
    ),
    41 => 'lastknownparent',
    'objectcategory' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    42 => 'objectcategory',
    'dscorepropagationdata' => 
    array (
      'count' => 1,
      0 => '16010101000000.0Z',
    ),
    43 => 'dscorepropagationdata',
    'lastlogontimestamp' => 
    array (
      'count' => 1,
      0 => '132393601780066773',
    ),
    44 => 'lastlogontimestamp',
    'msds-supportedencryptiontypes' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    45 => 'msds-supportedencryptiontypes',
    'msds-lastknownrdn' => 
    array (
      'count' => 1,
      0 => 'tester',
    ),
    46 => 'msds-lastknownrdn',
    'mail' => 
    array (
      'count' => 1,
      0 => 'fred@my.domain',
    ),
    47 => 'mail',
    'thumbnailphoto' => 
    array (
      'count' => 1,
      0 =>####
    ),
    48 => 'thumbnailphoto',
    'msexchhomeservername' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    49 => 'msexchhomeservername',
    'msexchmailboxsecuritydescriptor' => 
    array (
      'count' => 1,
      0 => '�' . "\0" . '�Œ�' . "\0" . '' . "\0" . '' . "\0" . ' ' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . ',' . "\0" . '' . "\0" . '' . "\0" . '��' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '�
' . "\0" . '' . "\0" . '' . "\0" . '��' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '�
' . "\0" . '' . "\0" . '' . "\0" . '�' . "\0" . '@' . "\0" . '�' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '��' . "\0" . '�' . "\0" . '�' . "\0" . '��' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '�
' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '�$' . "\0" . '�' . "\0" . '' . "\0" . '' . "\0" . '��' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '��' . "\0" . '' . "\0" . '' . "\0" . '¶Dä#�Àê2Ûë�PÎ+' . "\0" . '' . "\0" . '',
    ),
    50 => 'msexchmailboxsecuritydescriptor',
    'msexchuseraccountcontrol' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    51 => 'msexchuseraccountcontrol',
    'msexchmailboxguid' => 
    array (
      'count' => 1,
      0 => 'I©�„¥CJ°ùX„Nùi',
    ),
    52 => 'msexchmailboxguid',
    'msexchpoliciesincluded' => 
    array (
      'count' => 2,
      0 => '4dde4918-7608-4c22-b276-64f5eb00c3e4',
      1 => '{26491cfc-9e50-4857-861b-0cb8df22b5d7}',
    ),
    53 => 'msexchpoliciesincluded',
    'msrtcsip-internetaccessenabled' => 
    array (
      'count' => 1,
      0 => 'TRUE',
    ),
    54 => 'msrtcsip-internetaccessenabled',
    'msexchmailboxtemplatelink' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    55 => 'msexchmailboxtemplatelink',
    'msexchdelegatelistlink' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    56 => 'msexchdelegatelistlink',
    'msrtcsip-optionflags' => 
    array (
      'count' => 1,
      0 => '2305',
    ),
    57 => 'msrtcsip-optionflags',
    'msrtcsip-userpolicies' => 
    array (
      'count' => 1,
      0 => '0=666577031',
    ),
    58 => 'msrtcsip-userpolicies',
    'msexchumdtmfmap' => 
    array (
      'count' => 4,
      0 => 'reversedPhone:14254',
      1 => 'emailAddress:3733',
      2 => 'lastNameFirstName:83783747',
      3 => 'firstNameLastName:47837837',
    ),
    59 => 'msexchumdtmfmap',
    'msexchmdbrulesquota' => 
    array (
      'count' => 1,
      0 => '256',
    ),
    60 => 'msexchmdbrulesquota',
    'msexchprevioushomemdb' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    61 => 'msexchprevioushomemdb',
    'msexchrecipientdisplaytype' => 
    array (
      'count' => 1,
      0 => '1073741824',
    ),
    62 => 'msexchrecipientdisplaytype',
    'msrtcsip-primaryuseraddress' => 
    array (
      'count' => 1,
      0 => 'sip:fred@my.domain',
    ),
    63 => 'msrtcsip-primaryuseraddress',
    'msrtcsip-deploymentlocator' => 
    array (
      'count' => 1,
      0 => 'SRV:',
    ),
    64 => 'msrtcsip-deploymentlocator',
    'msexchpublicfoldermailbox' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    65 => 'msexchpublicfoldermailbox',
    'msrtcsip-userroutinggroupid' => 
    array (
      'count' => 1,
      0 => 'yôn×Ä�-_¬¤TòíÔ³�',
    ),
    66 => 'msrtcsip-userroutinggroupid',
    'msrtcsip-userenabled' => 
    array (
      'count' => 1,
      0 => 'TRUE',
    ),
    67 => 'msrtcsip-userenabled',
    'msexchelcmailboxflags' => 
    array (
      'count' => 1,
      0 => '2',
    ),
    68 => 'msexchelcmailboxflags',
    'msexchwhenmailboxcreated' => 
    array (
      'count' => 1,
      0 => '20160115162536.0Z',
    ),
    69 => 'msexchwhenmailboxcreated',
    'msexchrbacpolicylink' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    70 => 'msexchrbacpolicylink',
    'msrtcsip-primaryhomeserver' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    71 => 'msrtcsip-primaryhomeserver',
    'msexchsafesendershash' => 
    array (
      'count' => 1,
      0 => 't¨¤§',
    ),
    72 => 'msexchsafesendershash',
    'msexchversion' => 
    array (
      'count' => 1,
      0 => '88218628259840',
    ),
    73 => 'msexchversion',
    'msrtcsip-federationenabled' => 
    array (
      'count' => 1,
      0 => 'TRUE',
    ),
    74 => 'msrtcsip-federationenabled',
    'msexchrecipienttypedetails' => 
    array (
      'count' => 1,
      0 => '1',
    ),
    75 => 'msexchrecipienttypedetails',
    'count' => 76,
    'dn' => '####',
  ),
)
2020-07-22 09:15:08 srv-wiki-1 wiki_db: Ran LDAP search for '(userprincipalname=fred@my.domain)' in 0.0019741058349609 seconds.

2020-07-22 09:15:08 srv-wiki-1 wiki_db: Authenticated new user: fred
2020-07-22 09:15:09 srv-wiki-1 wiki_db: User is authorized.

Osnard (talkcontribs)

So the last two lines look good. So there is still the message "Auto-creation of a local account failed: You have not specified a valid username"? In which context?

Scoobydoo321 (talkcontribs)

This message appears when I try to log in with <username>@<my.domain>.

Osnard (talkcontribs)

And if you don't use a username with "@"? Which error do you get then? Because

2020-07-22 09:15:08 srv-wiki-1 wiki_db: Authenticated new user: fred
2020-07-22 09:15:09 srv-wiki-1 wiki_db: User is authorized.

looks good.

Scoobydoo321 (talkcontribs)

With the config as is I get the following error: Could not authenticate credentials against domain "my.domain". When I change the searchattribute setting to samaccountname I get the same error as before.

Osnard (talkcontribs)

If you are getting Could not authenticate credentials against domain "my.domain" then it is form based authentication (FBA). This should be the exact same mechanism as the CheckLogin.php CLI script.

Scoobydoo321 (talkcontribs)

The message Could not authenticate credentials against domain "my.domain" I get only when I have a mismatch between what I check for login and what I use. When I use the right credentials I always get Auto-creation of a local account failed: You have not specified a valid username.

Osnard (talkcontribs)

I have noticed a difference in the two configurations you have shared (#1: PHP, #2: JSON): In the PHP configuration you have "usernameattribute" => "userprincipalname", while in the JSON you have "usernameattribute": "samaccountname".

Can you tell which one of them is currently used?

Because the one from the JSON file seems to be correct (samaccountname), while the one from PHP will result in a username with an "@", which could lead to Auto-creation of a local account failed: You have not specified a valid username.

Scoobydoo321 (talkcontribs)

Currently used is the JSON, with the samaccountname.

Scoobydoo321 (talkcontribs)

Which element (for example usernameattribute) is used for the DB column user_name? Have I mixed up something so that the authorization works but it uses the wrong attribute for the DB?

Osnard (talkcontribs)
Scoobydoo321 (talkcontribs)

I can now log in with an administrator account samaccountname=admintest, but with a normal user samaccountname=u12345678 I still have the error Auto-creation of a local account failed: You have not specified a valid username. I've searched this wiki and didn't find any restriction that the username can't consist of a letter and numbers.

Osnard (talkcontribs)
Scoobydoo321 (talkcontribs)

In the error log I see the correct username and in the ldap.log I get the following output: MediaWiki\Extension\LDAPProvier\Client::getSearchString: User DN is 'BASE DN'

ldap_bind( $linkID, $bindRDN = 'BASE DN', $bindPasswor = 'XXXX' );

#returns 1

Authenticated new user: username

User is authorized

Osnard (talkcontribs)

So everything is okay. Sorry, I can not spot an error.

Scoobydoo321 (talkcontribs)

Hmm, ok.

Then I have only one question: is it possible that the old users with an "@" in the username can cause some problems?

I think they won't be a problem, but this is the last thing I can imagine.


Best regards and thanks for the perfect support!

Osnard (talkcontribs)

Okay. Can you please again share your complete current configuration (PHP and JSON, if used). Don't forget to remove sensitive data of course. Also please tell me what username you enter into the "Special:Login" field and how the command line for the working "CheckLogin.php" and "ShowUserInfo.php" looks like. Thanks.

2001:1284:F016:9AB4:714A:804:A9D5:8776 (talkcontribs)

I have a similar problem (Auto-creation of a local account failed: You have not specified a valid username) when I try to log in to an existing database, but in a new database created with the 1.34.2 version it works. I use the same configuration file, changing only the database config.

Scoobydoo321 (talkcontribs)

I have found an ugly workaround: I added the following line to LocalSettings.php: $wgInvalidUsernameCharacters = '#€'; The "ShowUserInfo.php" returns the user information and the "CheckLogin.php" returns OK.

Here is my LocalSettings.php:

<?php
#This file was automatically generated by the MediaWiki 1.23.15
#installer. If you make manual changes, please keep track in case you
#need to recreate them later.
#
#See includes/DefaultSettings.php for all configurable settings
#and their default values, but don't forget to make changes in _this_
#file, not there.
#
#Further documentation for configuration settings may be found at:
#https://www.mediawiki.org/wiki/Manual:Configuration_settings

#Protect against web entry
if ( !defined( 'MEDIAWIKI' ) ) {
	exit;
}

##Uncomment this to disable output compression
#$wgDisableOutputCompression = true;

$wgSitename = "Wiki";
$wgOverrideHostname = "MediaWiki-Server";
##The URL base path to the directory containing the wiki;
##defaults for all runtime URL paths are based off of this.
##For more information on customizing the URLs
##(like /w/index.php/Page_title to /wiki/Page_title) please see:
##https://www.mediawiki.org/wiki/Manual:Short_URL
$wgScriptPath = "";
$wgScriptExtension = ".php";

##The protocol and server name to use in fully-qualified URLs
$wgServer = "https://MediaWiki-Server";

##The relative URL path to the skins directory
$wgStylePath = "$wgScriptPath/skins";

##The relative URL path to the logo.  Make sure you change this from the default,
##or else you'll overwrite your logo when you upgrade!
$wgLogo = "$wgStylePath/common/images/logo.png";

##UPO means: this is also a user preference option

$wgEnableEmail = false;
$wgEnableUserEmail = false; # UPO

$wgEmergencyContact = "apache@MediaWiki-Server";
$wgPasswordSender = "apache@MediaWiki-Server";

$wgEnotifUserTalk = false; # UPO
$wgEnotifWatchlist = false; # UPO
#$wgEmailAuthentication = true;

##Database settings
$wgDBtype = "mysql";
$wgDBserver = "MediaWiki-DB";
$wgDBname = "WikiDB";
$wgDBuser = "WikiDBUser";
$wgDBpassword = "SecretPassword";

#MySQL specific settings
$wgDBprefix = "";

#MySQL table options to use during installation or update
$wgDBTableOptions = "ENGINE=InnoDB, DEFAULT CHARSET=binary";

#Experimental charset support for MySQL 5.0.
$wgDBmysql5 = false;

##Shared memory settings
$wgMainCacheType = CACHE_NONE;
$wgMemCachedServers = array();
##To enable image uploads, make sure the 'images' directory
##is writable, then set this to true:
$wgEnableUploads = true;
#$wgUseImageMagick = true;
#$wgImageMagickConvertCommand = "/usr/bin/convert";

#InstantCommons allows wiki to use images from http://commons.wikimedia.org
$wgUseInstantCommons = false;

##If you use ImageMagick (or any other shell command) on a
##Linux server, this will need to be set to the name of an
##available UTF-8 locale
$wgShellLocale = "en_US.utf8";

##If you want to use image uploads under safe mode,
##create the directories images/archive, images/thumb and
##images/temp, and make them all writable. Then uncomment
##this, if it's not already uncommented:
#$wgHashedUploadDirectory = false;

##Set $wgCacheDirectory to a writable directory on the web server
##to make your wiki go slightly faster. The directory should not
##be publically accessible from the web.
#$wgCacheDirectory = "$IP/cache";

#Site language code, should be one of the list in ./languages/Names.php
$wgLanguageCode = "en";

$wgSecretKey = "SomeSecretKey";

#Site upgrade key. Must be set to a string (default provided) to turn on the
#web installer while LocalSettings.php is in place
$wgUpgradeKey = "SomeUpgradeKey";

##Default skin: you can change the default skin. Use the internal symbolic
##names, ie 'cologneblue', 'monobook', 'vector':
$wgDefaultSkin = "vector";

##For attaching licensing metadata to pages, and displaying an
##appropriate copyright notice / icon. GNU Free Documentation
##License and Creative Commons licenses are supported so far.
$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
$wgRightsUrl = "";
$wgRightsText = "";
$wgRightsIcon = "";

#Path to the GNU diff3 utility. Used for conflict resolution.
$wgDiff3 = "/usr/bin/diff3";

###Debug Log Path ###

# Show exception details in error pages (the bare "$wgShowExceptionDetails;" statement did nothing)
$wgShowExceptionDetails = true;

$wgDebugLogGroups['PluggableAuth'] =
$wgDebugLogGroups['LDAP'] =
$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] =
$wgDebugLogGroups['LDAPUserInfo'] =
$wgDebugLogGroups['LDAPAuthentication2'] =
$wgDebugLogGroups['LDAPAuthorization'] = '/var/www/html/wiki/ldap.log';



$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = true;


$wgGroupPermissions['user']['edit'] = true;
$wgGroupPermissions['user']['editsemiprotected'] = false;
$wgGroupPermissions['user']['editprotected'] = false;
$wgEmailConfirmToEdit = false;


$wgGroupPermissions['Media-Wiki-Admin'] = $wgGroupPermissions['sysop'];

$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;


$wgBlockDisablesLogin = true;


$ldapJsonFile = "$IP/ldap.json";
$ldapConfig = false;
if (is_file($ldapJsonFile) && is_dir("$IP/extensions/LDAPProvider")) {
	$testJson = @json_decode(file_get_contents($ldapJsonFile),true);
	if (is_array($testJson)) {
		$ldapConfig = true;
	} else {
		error_log("Found invalid JSON in file: $IP/ldap.json");
	}
}
if ( $ldapConfig ) {
####Load Extensions ###
  wfLoadExtension( 'Auth_remoteuser' );
  wfLoadExtension( 'WikiEditor' );
  wfLoadExtension( 'PluggableAuth' );
  wfLoadExtension( 'LDAPProvider' );
  wfLoadExtension( 'LDAPAuthentication2' );
  #wfLoadExtension( 'LDAPAuthorization' );
  #wfLoadExtension( 'LDAPUserInfo' );
  wfLoadExtension( 'LDAPGroups' );
  $LDAPProviderDomainConfigs = $ldapJsonFile;
  $wgPluggableAuth_ButtonLabel = "Json works";
#if ($wikiRequestSafe) {$LDAPAuthentication2AllowLocalLogin = true; }
}

$LDAPAuthentication2AllowLocalLogin = true;

# Strip the domain suffix from REMOTE_USER (the replacement value was missing, which is a PHP parse error)
$wgAuthRemoteuserUserNameReplaceFilter = [
	'@some.domain$' => ''
];
$wgInvalidUsernameCharacters = '#'; #Now the login and autocreate of User works ==> but the e-mail is in the user_name field which is not recomended by WIKI


$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$LDAPProviderDomainConfigs = "$IP/ldap.json";

wfLoadSkin( 'CologneBlue' );
wfLoadSkin( 'Modern' );
wfLoadSkin( 'MonoBook' );
wfLoadSkin( 'Timeless' );
wfLoadSkin( 'Vector' );

and here is my ldap.json:

{
	"some.domain": {
		"connection": {
			"server": "adserver.some.domain",
			"port": "636",
			"user": "CN=srvwikiadauth,OU=ServiceAccounts,OU=other,DC=some,DC=domain",
			"pass": "SecretPassword",
			"enctype": "ssl",
			"options": {
				"LDAP_OPT_DEREF": "1"
			},
			"basedn": "dc=some,dc=domain",
			"groupbasedn": "dc=some,dc=domain",
			"userbasedn": "dc=some,dc=domain",
			"searchattribute": "userprincipalname",
			"usernameattribute": "userprincipalname",
			"realnameattribute": "cn",
			"emailattribute": "userprincipalname",
			"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory"
		},
		"userinfo": {
			"attributes-map": {
				"email": "mail",
				"realname": "cn"
			}
		},
		"authorization": {
			"rules": {
				"groups": {
					"required": [
						"CN=Media-Wiki-Admin,OU=Application_Groups,OU=Groups,OU=other,DC=some,DC=domain",
						"CN=Media-Wiki-User,OU=Application_Groups,OU=Groups,OU=other,DC=some,DC=domain"
					]
				}
			}
		},
		"groupsync": {
			"mapping": {
				"Media-Wiki-Admin": "CN=Media-Wiki-Admin,OU=Application_Groups,OU=Groups,OU=other,DC=some,DC=domain",
				"user": "CN=Media-Wiki-User,OU=Application_Groups,OU=Groups,OU=other,DC=some,DC=domain"
			}
		}
	}
}

best regards

Osnard (talkcontribs)
  1. You should not have your "ldap.json" within $IP. The webserver might make it public.
  2. There is no need to have "user" in the "groupsync.mapping", as everybody that gets logged in is automatically in "user"
  3. You have "Extension:LDAPAuthorization" disabled, so the "authorization" section in the domain config will have no effect
  4. "connection.usernameattribute", as well as "connection.searchattribute" should be "samaccountname", not "userprincipalname". Users must then use "Fred" instead of "fred@some.domain" in the login form
    1. Looks like you are using network-based authentication (Kerberos) with "Extension:Auth_remoteuser". You should enable "Extension:LDAPAuthorization" and set $LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain';. You can then get rid of the $wgAuthRemoteuserUserNameReplaceFilter setting
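A small linter for the points in this post, added here as an example and not code from Extension:LDAPProvider or from anyone in the thread: it checks a domain config for the $IP location, the samaccountname attributes, an unloaded LDAPAuthorization and the redundant "user" mapping, and shows why a username taken from userprincipalname fails MediaWiki's username check while one taken from samaccountname passes. It assumes MediaWiki's default $wgInvalidUsernameCharacters is "@" and uses a simplified stand-in for that check; the ldap.json text and the LDAP entry are constructed.

```python
import json
import posixpath

# Assumption: MediaWiki's default for $wgInvalidUsernameCharacters is "@".
DEFAULT_INVALID_USERNAME_CHARACTERS = "@"

# Constructed sample domain config, reduced from the ldap.json posted above.
SAMPLE_LDAP_JSON = """
{
    "some.domain": {
        "connection": {
            "server": "adserver.some.domain",
            "port": "636",
            "enctype": "ssl",
            "basedn": "dc=some,dc=domain",
            "searchattribute": "userprincipalname",
            "usernameattribute": "userprincipalname"
        },
        "authorization": {
            "rules": {"groups": {"required": ["CN=Media-Wiki-User,OU=Groups,DC=some,DC=domain"]}}
        },
        "groupsync": {
            "mapping": {"user": "CN=Media-Wiki-User,OU=Groups,DC=some,DC=domain"}
        }
    }
}
"""

# Constructed LDAP entry, shaped like the ldap_get_entries() output above
# (lower-case attribute names, each mapped to its list of values).
SAMPLE_ENTRY = {
    "samaccountname": ["fred"],
    "userprincipalname": ["fred@my.domain"],
}

def is_valid_username(name, invalid_chars=DEFAULT_INVALID_USERNAME_CHARACTERS):
    """Simplified stand-in for MediaWiki's username check: the name must be
    non-empty and contain none of $wgInvalidUsernameCharacters. Digits are
    fine, so "u12345678" passes; "fred@my.domain" fails because of the "@"."""
    name = name.strip()
    return bool(name) and not any(ch in name for ch in invalid_chars)

def local_username(entry, usernameattribute, normalizer=str.lower):
    """Derive the local wiki username from an LDAP entry as connection.usernameattribute
    directs, normalized the way $LDAPAuthentication2UsernameNormalizer = 'strtolower' does."""
    values = entry.get(usernameattribute.lower()) or []
    return normalizer(values[0]) if values else ""

def split_username_at_domain(remote_user):
    """What the 'username-at-domain' REMOTE_USER parser does with a Kerberos
    principal: "fred@some.domain" -> ("fred", "some.domain")."""
    user, sep, domain = remote_user.partition("@")
    return (user, domain) if sep else (remote_user, "")

def lint_domain_config(config_path, ip_dir, config_text, loaded_extensions):
    """Return the findings for the points raised above, given the path of the
    domain config, the wiki's $IP, the config's JSON text and the loaded extensions."""
    findings = []
    cfg, ip = posixpath.normpath(config_path), posixpath.normpath(ip_dir)
    if posixpath.commonpath([cfg, ip]) == ip:
        findings.append(f"{cfg} lies under $IP ({ip}); the webserver might serve it")
    for domain, dc in json.loads(config_text).items():
        conn = dc.get("connection", {})
        for key in ("usernameattribute", "searchattribute"):
            if str(conn.get(key, "")).lower() != "samaccountname":
                findings.append(f"{domain}: connection.{key} = {conn.get(key)!r}; use samaccountname")
        if "authorization" in dc and "LDAPAuthorization" not in loaded_extensions:
            findings.append(f"{domain}: authorization section has no effect, LDAPAuthorization is not loaded")
        if "user" in dc.get("groupsync", {}).get("mapping", {}):
            findings.append(f"{domain}: groupsync.mapping.user is redundant, every logged-in user is in 'user'")
    return findings

if __name__ == "__main__":
    loaded = {"PluggableAuth", "LDAPProvider", "LDAPAuthentication2"}
    for finding in lint_domain_config("/var/www/html/wiki/ldap.json", "/var/www/html/wiki",
                                      SAMPLE_LDAP_JSON, loaded):
        print("finding:", finding)
    for attr in ("userprincipalname", "samaccountname"):
        name = local_username(SAMPLE_ENTRY, attr)
        print(f"{attr} -> {name!r}: valid={is_valid_username(name)}")
```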
Scoobydoo321 (talkcontribs)

I tried your changes; the login works for the admin user, but when I try to log in with "Fred" I get the same error. When I test with a normal user (samaccountname=B12345678) I get the error Auto-creation of a local account failed: You have not specified a valid username. Does the wiki check if a username contains a lot of numbers?

Osnard (talkcontribs)

Have you re-enabled LDAPAuthorization? Does LDAPProvider/maintenance/ShowUserGroups.php list the group DNs you have configured in the "authorization.rules.groups.required" section?

Scoobydoo321 (talkcontribs)

Yes, I have re-enabled LDAPAuthorization, and the result from "ShowUserGroups.php" is as defined in the "authorization.rules.groups.required" section. In the "ldap.log" I see Authenticated new user: fred User is authorized.

Osnard (talkcontribs)

So you are not having $wgAuthRemoteuserUserNameReplaceFilter set anymore? But instead configured $LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain';?

Any other Auth_remoteuser related config?

I am running out of ideas. If it says Authenticated new user: fred User is authorized anything should be fine.

Scoobydoo321 (talkcontribs)

I had $LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain'; not activated. If I activate this and set "usernameattribute": "samaccountname", in ldap.json, I get the message in the UI user u12345678 not authorized, the log says authorization failure and the CheckLogin.php returns OK.

Osnard (talkcontribs)

Sorry to ask again, but are you sure you have not set $wgAuthRemoteuserUserNameReplaceFilter anymore? Please check if the $username that arrives here is actually in the format <username>@<domain>.


Admin(s) spammed by confirmed email account requests

2.218.206.44 (talkcontribs)

As an admin I seem to get multiple emails asking me to approve the same account that has had its email confirmed. These all arrive within a few minutes of each other. I originally assumed this was spammers deliberately clicking on the "confirm email" link multiple times. However, since upgrading my wiki (to 1.31.8 LTS) I have been doing some testing and found that Outlook's Safelinks protection will check this link, so that would lead to me as an admin receiving an "account request with confirmed email" email even before the user would have had a chance to click on the link in the "confirm email" email. Also, I suspect it is easy to accidentally click the link multiple times, or a user might just think they have done something wrong when their account is not immediately activated and click the link a second or third time.

It would be useful if there was some timeout to prevent multiple emails being sent out in a short space of time to the accounts admin(s). At the moment I have hacked the code so that admins only ever receive one email for any account request. This is sufficient for my needs, as the urgency of requests is low but the frequency is sufficiently high that if I miss one I will deal with that when I get another account request a day or two later.
