Extension talk:ConfirmAccount

Why is the confirmaccount-email-body not used on account approval

Ken Roy (talkcontribs)

I posted the question on the Support Desk (Topic:W154oo8jj3wwk5go), but maybe it should be posted here.

I was trying to figure out why the lang.json files are not being used to send out the approval email in the language the request was submitted in by the user, when I noticed the email message was very different from the "confirmaccount-email-body" in line 82 of wiki/extensions/ConfirmAccount/i18n/requestaccount/en.json.

Ken Roy (talkcontribs)

Looks like the account-created email message is coming from the wiki/languages/i18n/en.json file:

"createaccount-text": "The account you requested for this email address on MediaWiki ($4) named \"$2\", with a temporary password \"$3\" has been created.\nYou should log in and change your password now.\n\nYou may ignore this message, if this account was created in error.",

and is being issued by wiki/includes/auth/TemporaryPasswordPrimaryAuthenticationProvider.php in the function sendNewAccountEmail.

It also appears that the following instruction

    $userLanguage = $user->getOption( 'language' );

does not get the language used by the user when registering for a username.

Why is ConfirmAccount not issuing the email?


email confirmation not preserved

Kghbln (talkcontribs)

A user who has confirmed his or her e-mail for account creation has to confirm the e-mail again for MediaWiki once the account has been created. Requiring e-mail confirmation twice is really bad.


ConfirmAccount missing on Login page (1.35)

Rrosenfeld (talkcontribs)

On upgrading from 1.31 to 1.35 I have the problem that the link to the ConfirmLogin special page (requestaccount-loginnotice) is missing on the login special page.

I tracked this down to includes/frontend/ConfirmAccountUI.hooks.php, where addRequestLoginText() should add this information to the hook. But addRequestLoginText() is never called in 1.35 (I tried it out by adding a division-by-zero error at the top of addRequestLoginText() in both 1.31 and 1.35). Any idea what I'm doing wrong? Is there anything I have to do to enforce using the hooks?

For testing I tried with a freshly created LocalSettings.php with only the ConfirmLogin extension enabled, but with the same result: no link to Special:RequestAccount in the login form, so this should hurt every user here...

$wgConfirmAccountCaptchas

Waanders (talkcontribs)

Unreject an account request

Wmat (talkcontribs)

I have an account request that was rejected in error. Can it be unrejected? I asked the user to request a new account, but they're receiving a message that the username is already taken, and if they try a new username they get a message that the email address is already taken.

Auto-creation of a local account failed: You have not specified a valid username

213.55.220.217 (talkcontribs)

Hello everyone,

We have updated the MediaWiki in our company from version 1.23.15 to version 1.27 and then to 1.34.

After we changed the login to LDAPAuthentication2 we could log in. Now we have the following problems:

1. the matching between "User" ==> "Groups" does not work correctly

2. new users can no longer register.

Below is our LocalSettings.php; the error message when logging in is the following:

"Auto-creation of a local account failed: You have not specified a valid username"

Side note:

We want the login with the e-mail address firstname.lastname@domain.

Sometimes users could log in, but then the correct value was not entered into the database ((Firstname Lastname) instead of (firstname.lastname@domain)).

Does anyone have an idea what we did wrong?

$wgDebugLogFile = '/var/www/html/wiki/debug_log.log';
// A bare "$wgShowExceptionDetails;" statement does nothing; the setting has to be assigned.
$wgShowExceptionDetails = true;
$wgDebugToolbar = true;
$wgDebugLogGroups['LDAPGroups'] = '/var/www/html/wiki/LDAPGroups.log';
$wgDebugLogGroups['LDAPAuthentication2'] = '/var/www/html/wiki/LDAPAuthentication2.log';
error_reporting( -1 );
ini_set( 'display_errors', 1 );
ini_set( 'display_startup_errors', 1 );

wfLoadExtension( 'WikiEditor' );
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPGroups' );

$wgEmailConfirmToEdit = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgBlockDisablesLogin = true;
$LDAPAuthorizationAutoAuthRemoteUserStringParser = 'ldapuser@some.domain';
$LDAPAuthentication2AllowLocalLogin = true;
$wgAuthRemoteUserAllowUserSwitch = true;
$wgPluggableAuth_ButtonLabel = "Log In";

// Inline domain configuration for LDAPProvider (one domain: some.domain).
$LDAPProviderDomainConfigProvider = function () {
    $config = [
        'some.domain' => [
            'connection' => [
                "server" => "ADServer.some.domain",
                "user" => "ldapuser@some.domain",
                "pass" => "LDAPPasswd",
                "port" => "636",
                "enctype" => "ssl",
                "options" => [
                    "LDAP_OPT_DEREF" => 1
                ],
                "basedn" => "dc=some,dc=domain",
                "groupbasedn" => "dc=some,dc=domain",
                "userbasedn" => "dc=some,dc=domain",
                "searchattribute" => "userprincipalname",
                "searchstring" => "",
                "realnameattribute" => "cn",
                "usernameattribute" => "userprincipalname",
                "emailattribute" => "mail",
                "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
            ],
            "authorization" => [
                "rules" => [
                    "required" => [
                        "wiki-admin",
                        "wiki-user"
                    ]
                ]
            ],
            "userinfo" => [
                "attributes-map" => [
                    "email" => "mail",
                    "realname" => "userprincipalname"
                ]
            ],
            "groupsync" => [
                "mechanism" => "mappedgroups",
                "mapping" => [
                    "sysop" => "wiki-admin",
                    "user" => "wiki-user"
                ]
            ]
        ]
    ];
    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

Best regards

Scoobydoo321 (talkcontribs)

@Osnard

Sorry, I first wrote this topic (as 213.55.220.217) and after that I created a login.

I found out that the login with an email address is not supported, and now I've tried to change the login to other AD credentials.

But now I can't log in. In the log I see that the user is authenticated, but after that the auto-create wants to create a user account with the IP as username.

Does anyone have an idea where my failure is?

I now use a file for the connection (ldap.json).

Best regards

Osnard (talkcontribs)

This is probably because the "authorization" part fails. The values "wiki-admin" and "wiki-user" in "authorization.rules.required.groups" should be DNs, like "CN=wiki-admin,OU=Groups,OU=Company,...". Check the output of "extensions/LDAPProvider/maintenance/ShowUserGroups.php" to see what you need to put in there. For testing you can also make "authorization.rules.required.groups" empty.
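To make the point above concrete, here is an added checker, written for this page and not part of LDAPProvider or this thread, for an ldap.json of the shape posted in it. It assumes the key names used here (basedn, usernameattribute, authorization.rules.required.groups, groupsync.mapping), simplified DN syntax (no escaped commas), and MediaWiki's default $wgInvalidUsernameCharacters of '@:>=', which is why an attribute carrying an e-mail style value such as userprincipalname cannot become a wiki username; the embedded sample config is constructed.

```python
import json
import re

# Constructed sample, shaped like the domain config posted in this thread.
# It deliberately carries the problems discussed here: a malformed base DN,
# an e-mail style username attribute, and short group names instead of DNs.
SAMPLE_CONFIG = {
    "my.domain": {
        "connection": {
            "server": "ADServer.my.domain",
            "port": "636",
            "enctype": "ssl",
            "basedn": "dc.domain,dc=my",
            "userbasedn": "dc=domain,dc=my",
            "groupbasedn": "dc=domain,dc=my",
            "searchattribute": "userprincipalname",
            "usernameattribute": "userprincipalname",
        },
        "authorization": {"rules": {"required": {"groups": ["wiki-admin", "wiki-user"]}}},
        "groupsync": {
            "mechanism": "mappedgroups",
            "mapping": {
                "sysop": "CN=WikiAdmin,OU=Groups,DC=domain,DC=my",
                "user": "wiki-user",
            },
        },
    }
}

# One RDN is attr=value; a DN is one or more RDNs separated by commas.
# Assumption: no escaped commas or multi-valued RDNs.
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")

# MediaWiki default for $wgInvalidUsernameCharacters.
INVALID_USERNAME_CHARS = "@:>="

# Directory attributes whose values are e-mail style and therefore contain '@'.
EMAIL_LIKE_ATTRIBUTES = {"userprincipalname", "mail"}


def is_dn(value):
    """True if value looks like attr=value[,attr=value...]."""
    if not isinstance(value, str) or not value.strip():
        return False
    return all(RDN_RE.match(part.strip()) for part in value.split(","))


def check_domain(name, domain):
    """Return a list of findings (strings) for one domain block."""
    findings = []
    conn = domain.get("connection", {})
    for key in ("basedn", "userbasedn", "groupbasedn"):
        val = conn.get(key)
        if val is not None and not is_dn(val):
            findings.append(f"{name}: connection.{key} is not a DN: {val!r}")
    uattr = str(conn.get("usernameattribute", "")).lower()
    if uattr in EMAIL_LIKE_ATTRIBUTES:
        findings.append(
            f"{name}: usernameattribute {uattr!r} yields values containing '@', "
            f"which is in $wgInvalidUsernameCharacters ({INVALID_USERNAME_CHARS!r})"
        )
    required = (domain.get("authorization", {}).get("rules", {})
                .get("required", {}).get("groups", []))
    for group in required:
        if not is_dn(group):
            findings.append(f"{name}: authorization required group is not a DN: {group!r}")
    mapping = domain.get("groupsync", {}).get("mapping", {})
    for wiki_group, ldap_groups in mapping.items():
        if not isinstance(ldap_groups, list):
            ldap_groups = [ldap_groups]
        for group in ldap_groups:
            if not is_dn(group):
                findings.append(f"{name}: groupsync mapping {wiki_group!r} -> {group!r} is not a DN")
    return findings


def check_config(config):
    """Check every domain block of an already parsed ldap.json."""
    findings = []
    for name, domain in config.items():
        findings.extend(check_domain(name, domain))
    return findings


def check_config_text(text):
    """Parse ldap.json text; a parse error (e.g. a trailing comma) is itself a finding."""
    try:
        config = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"ldap.json does not parse: {exc.msg} at line {exc.lineno}"]
    return check_config(config)


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```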

Scoobydoo321 (talkcontribs)

Hi Osnard,

Thanks for the reply. I checked the output; I got some full DNs and short names. I copied the output from ShowUserGroups.php, but it still doesn't work.

Sorry, but I'm new to JSON, so I hope this one is correct when you mean empty:

{
    "my.domain": {
        "connection": {
            "server": "ADServer.my.domain",
            "port": "636",
            "user": "CN=ldapuser,OU=ServiceAccounts,DC=domain,DC=my",
            "pass": "somePassword",
            "enctype": "ssl",
            "options": {
                "LDAP_OPT_DEREF": "1"
            },
            "basedn": "dc=domain,dc=my",
            "groupbasedn": "dc=domain,dc=my",
            "userbasedn": "dc=domain,dc=my",
            "searchattribute": "userprincipalname",
            "usernameattribute": "samaccountname",
            "realnameattribute": "cn",
            "emailattribute": "mail",
            "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory"
        },
        "userinfo": {
            "attributes-map": {
                "email": "mail",
                "realname": "cn"
            }
        },
        "authorization": {
            "rules": {
                "required": {
                    "groups": []
                }
            }
        },
        "groupsync": {
            "mapping": {
                "sysop": "CN=WikiAdmin,OU=Groups,DC=domain,DC=my",
                "user": "CN=WikiUser,OU=Groups,DC=domain,DC=my"
            }
        }
    }
}
Osnard (talkcontribs)
Scoobydoo321 (talkcontribs)

Yes, the "CheckLogin.php" returns OK.

Output from ldap.log with LDAPAuthorization disabled:

2020-07-22 09:15:08 srv-wiki-1 wiki_db: In execute()
2020-07-22 09:15:08 srv-wiki-1 wiki_db: Getting PluggableAuth singleton
2020-07-22 09:15:08 srv-wiki-1 wiki_db: Class name: MediaWiki\Extension\LDAPAuthentication2\PluggableAuth
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_connect( $hostname = 'ldaps://ADServer.my.domain:636', $port = 389 );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # __METHOD__ returns Resource id #259
2020-07-22 09:15:08 srv-wiki-1 wiki_db: Setting LDAP_OPT_PROTOCOL_VERSION to 3
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_set_option( $linkID, $option = 17, $newval = 3 );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: Setting LDAP_OPT_REFERRALS to 0
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_set_option( $linkID, $option = 8, $newval = 0 );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: Setting LDAP_OPT_DEREF to 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_set_option( $linkID, $option = 2, $newval = 1 );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_bind( $linkID, $bindRDN = 'CN=ldapuser,OU=ServiceAccounts,OU=someOU,DC=my,DC=domain', $bindPassword = 'XXXX' );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: MediaWiki\Extension\LDAPProvider\Client::getUserDN: search with array (
  'base' => 'DC=my,DC=domain',
  'filter' => '(userprincipalname=fred@my.domain)',
  'attributes' => 
  array (
    0 => '*',
    1 => 'memberof',
  ),
)
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_search( $linkID, $baseDN = 'DC=my,DC=domain', $filter = '(userprincipalname=fred@my.domain)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns Resource id #275
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_count_entries( $linkiID, $result = 'Resource id #275' );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_get_entries( $linkID, $resultID );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: Found user DN: 'CN=tester,OU=Test,OU=Users,OU=someOU,DC=my,DC=domain'
2020-07-22 09:15:08 srv-wiki-1 wiki_db: MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'CN=tester,OU=Test,OU=Users,OU=someOU,DC=my,DC=domain'
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_bind( $linkID, $bindRDN = 'CN=tester,OU=Test,OU=Users,OU=someOU,DC=my,DC=domain', $bindPassword = 'XXXX' );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_bind( $linkID, $bindRDN = 'CN=srvwikiadauth,OU=ServiceAccounts,OU=someOU,DC=my,DC=domain', $bindPassword = 'XXXX' );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_search( $linkID, $baseDN = 'DC=my,DC=domain', $filter = '(userprincipalname=fred@my.domain)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns Resource id #289
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_get_entries( $linkID, $resultID );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: Ran LDAP search for '(userprincipalname=fred@my.domain)' in 0.0019741058349609 seconds.

2020-07-22 09:15:08 srv-wiki-1 wiki_db: Authenticated new user: fred
2020-07-22 09:15:09 srv-wiki-1 wiki_db: User is authorized.

Osnard (talkcontribs)

So the last two lines look good. So there is still the message "Auto-creation of a local account failed: You have not specified a valid username"? In which context?

Scoobydoo321 (talkcontribs)

This message appears when I try to log in with <username>@<my.domain>.

Osnard (talkcontribs)

And if you don't use a username with "@"? Which error do you get then? Because

2020-07-22 09:15:08 srv-wiki-1 wiki_db: Authenticated new user: fred
2020-07-22 09:15:09 srv-wiki-1 wiki_db: User is authorized.

looks good.

Scoobydoo321 (talkcontribs)

With the config as is I get the following error: Could not authenticate credentials against domain "my.domain". When I change the searchattribute setting to samaccountname I get the same error as before.

Osnard (talkcontribs)

If you are getting Could not authenticate credentials against domain "my.domain" then it is form-based authentication (FBA). This should be the exact same mechanism as the CheckLogin.php CLI script.

Scoobydoo321 (talkcontribs)

The message Could not authenticate credentials against domain "my.domain" I get only when there is a mismatch between what I check for login and what I use. When I use the right credentials I always get Auto-creation of a local account failed: You have not specified a valid username.

Osnard (talkcontribs)

I have noticed a difference in the two configurations you have shared (#1: PHP, #2: JSON): In the PHP configuration you have "usernameattribute" => "userprincipalname", while in the JSON you have "usernameattribute": "samaccountname".

Can you tell which one of them is currently used?

Because the one from the JSON file seems to be correct (samaccountname), while the one from PHP will result in a username with an "@", which could lead to Auto-creation of a local account failed: You have not specified a valid username.
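As an added example (not code from this thread, nor from LDAPProvider or LDAPAuthentication2), here is a small stand-alone PHP script that models what is described above: the LDAP attribute named by "usernameattribute" becomes the local MediaWiki user name, and because MediaWiki's default $wgInvalidUsernameCharacters includes '@', a userprincipalname value is rejected while a samaccountname value passes. The validity check is a deliberately simplified stand-in for MediaWiki's own, and the LDAP entry is constructed to look like the ldap_get_entries() dump earlier in the thread:

```php
<?php
// Added example: simplified model of usernameattribute -> local user name -> validity.
// Not MediaWiki's real check (that lives in core's user name utilities); the
// $invalidChars parameter models $wgInvalidUsernameCharacters only.

// Constructed LDAP entry, shaped like an ldap_get_entries() result (attribute
// names are lower-cased by PHP's LDAP extension).
$entry = [
    'samaccountname'    => [ 'count' => 1, 0 => 'u12345678' ],
    'userprincipalname' => [ 'count' => 1, 0 => 'u12345678@some.domain' ],
    'cn'                => [ 'count' => 1, 0 => 'Fred Example' ],
];

/** True when no character of $invalidChars occurs in $name (simplified model). */
function isValidLocalUsername( string $name, string $invalidChars = '@' ): bool {
    if ( $name === '' || strlen( $name ) > 255 ) {
        return false;
    }
    // strcspn() returns the length of the prefix free of $invalidChars;
    // equal to the full length means no forbidden character is present.
    return strcspn( $name, $invalidChars ) === strlen( $name );
}

/** Pick the configured attribute and apply the configured normalizer. */
function deriveUsername( array $entry, string $usernameAttribute, ?callable $normalizer = null ): string {
    $attr = strtolower( $usernameAttribute );
    if ( !isset( $entry[$attr][0] ) ) {
        throw new RuntimeException( "attribute '$usernameAttribute' missing on entry" );
    }
    $name = $entry[$attr][0];
    return $normalizer === null ? $name : $normalizer( $name );
}

function explain( array $entry, string $usernameAttribute, string $invalidChars ): string {
    // 'strtolower' mirrors $LDAPAuthentication2UsernameNormalizer from the thread's config.
    $name = deriveUsername( $entry, $usernameAttribute, 'strtolower' );
    $ok = isValidLocalUsername( $name, $invalidChars );
    return sprintf( "usernameattribute=%-18s invalid-chars=%-4s -> '%s' : %s",
        $usernameAttribute, "'$invalidChars'", $name, $ok ? 'valid' : 'REJECTED' );
}

echo explain( $entry, 'userprincipalname', '@' ), "\n"; // REJECTED: contains '@'
echo explain( $entry, 'samaccountname', '@' ), "\n";    // valid: letters and digits are fine
echo explain( $entry, 'userprincipalname', '#' ), "\n"; // valid only because '@' was removed
                                                        // from the invalid set: user_name then
                                                        // holds an e-mail address
```

The third line reproduces the workaround later in the thread ($wgInvalidUsernameCharacters = '#'): it makes the login succeed, but only by storing the e-mail address as the user name. Choosing samaccountname as both searchattribute and usernameattribute avoids that without weakening the user name rules, and the digits in u12345678 are not what trips the check.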

Scoobydoo321 (talkcontribs)

Currently used is the JSON, with the samaccountname.

Scoobydoo321 (talkcontribs)

Which element (example: usernameattribute) is used for the DB column user_name? Have I mixed up something so that the authorization works but it uses the wrong attribute for the DB?

Osnard (talkcontribs)
Scoobydoo321 (talkcontribs)

I can now log in with an administrator account samaccountname=admintest, but with a normal user samaccountname=u12345678 I still have the error Auto-creation of a local account failed: You have not specified a valid username. I've searched this wiki and didn't find any restriction that the username can't consist of letters and numbers.

Osnard (talkcontribs)
Scoobydoo321 (talkcontribs)

In the error log I see the correct username and in the ldap.log I get the following output: MediaWiki\Extension\LDAPProvier\Client::getSearchString: User DN is 'BASE DN'

ldap_bind( $linkID, $bindRDN = 'BASE DN', $bindPasswor = 'XXXX' );

#returns 1

Authenticated new user: username

User is authorized

Osnard (talkcontribs)

So everything is okay. Sorry, I can not spot an error.

Scoobydoo321 (talkcontribs)

Hmm, ok.

Then I have only one question: is it possible that the old users with an "@" in the username can cause some problems?

I think they won't be a problem, but this is the last thing I can imagine.


Best regards and thanks for the perfect support!

Osnard (talkcontribs)

Okay. Can you please again share your complete current configuration (PHP and JSON, if used). Don't forget to remove sensitive data of course. Also please tell me what username you enter into the "Special:Login" field and how the command line for the working "CheckLogin.php" and "ShowUserInfo.php" looks like. Thanks.

2001:1284:F016:9AB4:714A:804:A9D5:8776 (talkcontribs)

I have a similar problem (Auto-creation of a local account failed: You have not specified a valid username) when I try to log in on an existing database, but in a new database created with the 1.34.2 version it works. I use the same configuration file, changing only the database config.

Scoobydoo321 (talkcontribs)

I have found an ugly workaround: I added the following line to the LocalSettings.php: $wgInvalidUsernameCharacters = '#€'; The "ShowUserInfo.php" returns the user information and the "CheckLogin.php" returns OK.

Here is my LocalSettings.php:

<?php
#This file was automatically generated by the MediaWiki 1.23.15
#installer. If you make manual changes, please keep track in case you
#need to recreate them later.
#
#See includes/DefaultSettings.php for all configurable settings
#and their default values, but don't forget to make changes in _this_
#file, not there.
#
#Further documentation for configuration settings may be found at:
#https://www.mediawiki.org/wiki/Manual:Configuration_settings

#Protect against web entry
if ( !defined( 'MEDIAWIKI' ) ) {
	exit;
}

##Uncomment this to disable output compression
#$wgDisableOutputCompression = true;

$wgSitename = "Wiki";
$wgOverrideHostname = "MediaWiki-Server";
##The URL base path to the directory containing the wiki;
##defaults for all runtime URL paths are based off of this.
##For more information on customizing the URLs
##(like /w/index.php/Page_title to /wiki/Page_title) please see:
##https://www.mediawiki.org/wiki/Manual:Short_URL
$wgScriptPath = "";
$wgScriptExtension = ".php";

##The protocol and server name to use in fully-qualified URLs
$wgServer = "https://MediaWiki-Server";

##The relative URL path to the skins directory
$wgStylePath = "$wgScriptPath/skins";

##The relative URL path to the logo.  Make sure you change this from the default,
##or else you'll overwrite your logo when you upgrade!
$wgLogo = "$wgStylePath/common/images/logo.png";

##UPO means: this is also a user preference option

$wgEnableEmail = false;
$wgEnableUserEmail = false; # UPO

$wgEmergencyContact = "apache@MediaWiki-Server";
$wgPasswordSender = "apache@MediaWiki-Server";

$wgEnotifUserTalk = false; # UPO
$wgEnotifWatchlist = false; # UPO
#$wgEmailAuthentication = true;

##Database settings
$wgDBtype = "mysql";
$wgDBserver = "MediaWiki-DB";
$wgDBname = "WikiDB";
$wgDBuser = "WikiDBUser";
$wgDBpassword = "SecretPassword";

#MySQL specific settings
$wgDBprefix = "";

#MySQL table options to use during installation or update
$wgDBTableOptions = "ENGINE=InnoDB, DEFAULT CHARSET=binary";

#Experimental charset support for MySQL 5.0.
$wgDBmysql5 = false;

##Shared memory settings
$wgMainCacheType = CACHE_NONE;
$wgMemCachedServers = array();
##To enable image uploads, make sure the 'images' directory
##is writable, then set this to true:
$wgEnableUploads = true;
#$wgUseImageMagick = true;
#$wgImageMagickConvertCommand = "/usr/bin/convert";

#InstantCommons allows wiki to use images from http://commons.wikimedia.org
$wgUseInstantCommons = false;

##If you use ImageMagick (or any other shell command) on a
##Linux server, this will need to be set to the name of an
##available UTF-8 locale
$wgShellLocale = "en_US.utf8";

##If you want to use image uploads under safe mode,
##create the directories images/archive, images/thumb and
##images/temp, and make them all writable. Then uncomment
##this, if it's not already uncommented:
#$wgHashedUploadDirectory = false;

##Set $wgCacheDirectory to a writable directory on the web server
##to make your wiki go slightly faster. The directory should not
##be publically accessible from the web.
#$wgCacheDirectory = "$IP/cache";

#Site language code, should be one of the list in ./languages/Names.php
$wgLanguageCode = "en";

$wgSecretKey = "SomeSecretKey";

#Site upgrade key. Must be set to a string (default provided) to turn on the
#web installer while LocalSettings.php is in place
$wgUpgradeKey = "SomeUpgradeKey";

##Default skin: you can change the default skin. Use the internal symbolic
##names, ie 'cologneblue', 'monobook', 'vector':
$wgDefaultSkin = "vector";

##For attaching licensing metadata to pages, and displaying an
##appropriate copyright notice / icon. GNU Free Documentation
##License and Creative Commons licenses are supported so far.
$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
$wgRightsUrl = "";
$wgRightsText = "";
$wgRightsIcon = "";

#Path to the GNU diff3 utility. Used for conflict resolution.
$wgDiff3 = "/usr/bin/diff3";

###Debug Log Path ###

# A bare "$wgShowExceptionDetails;" does nothing; the setting has to be assigned
$wgShowExceptionDetails = true;

$wgDebugLogGroups['PluggableAuth'] =
$wgDebugLogGroups['LDAP'] =
$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] =
$wgDebugLogGroups['LDAPUserInfo'] =
$wgDebugLogGroups['LDAPAuthentication2'] =
$wgDebugLogGroups['LDAPAuthorization'] = '/var/www/html/wiki/ldap.log';



$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = true;


$wgGroupPermissions['user']['edit'] = true;
$wgGroupPermissions['user']['editsemiprotected'] = false;
$wgGroupPermissions['user']['editprotected'] = false;
$wgEmailConfirmToEdit = false;


$wgGroupPermissions['Media-Wiki-Admin'] = $wgGroupPermissions['sysop'];

$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;


$wgBlockDisablesLogin = true;


$ldapJsonFile = "$IP/ldap.json";
$ldapConfig = false;
if (is_file($ldapJsonFile) && is_dir("$IP/extensions/LDAPProvider")) {
	$testJson = @json_decode(file_get_contents($ldapJsonFile),true);
	if (is_array($testJson)) {
		$ldapConfig = true;
	} else {
		error_log("Found invalid JSON in file: $IP/ldap.json");
	}
}
if ( $ldapConfig ) {
####Load Extensions ###
  wfLoadExtension( 'Auth_remoteuser' );
  wfLoadExtension( 'WikiEditor' );
  wfLoadExtension( 'PluggableAuth' );
  wfLoadExtension( 'LDAPProvider' );
  wfLoadExtension( 'LDAPAuthentication2' );
  #wfLoadExtension( 'LDAPAuthorization' );
  #wfLoadExtension( 'LDAPUserInfo' );
  wfLoadExtension( 'LDAPGroups' );
  $LDAPProviderDomainConfigs = $ldapJsonFile;
  $wgPluggableAuth_ButtonLabel = "Json works";
#if ($wikiRequestSafe) {$LDAPAuthentication2AllowLocalLogin = true; }
}

$LDAPAuthentication2AllowLocalLogin = true;

# Each entry needs a replacement value; "'@some.domain$' =>" alone is a PHP syntax error.
# An empty string strips the domain suffix from the remote user name.
$wgAuthRemoteuserUserNameReplaceFilter = [
	'@some.domain$' => '',
];
$wgInvalidUsernameCharacters = '#'; #Now the login and autocreate of User works ==> but the e-mail is in the user_name field which is not recommended by WIKI


$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$LDAPProviderDomainConfigs = "$IP/ldap.json";

wfLoadSkin( 'CologneBlue' );
wfLoadSkin( 'Modern' );
wfLoadSkin( 'MonoBook' );
wfLoadSkin( 'Timeless' );
wfLoadSkin( 'Vector' );

and here is my ldap.json:

{
	"some.domain": {
		"connection": {
			"server": "adserver.some.domain",
			"port": "636",
			"user": "CN=srvwikiadauth,OU=ServiceAccounts,OU=other,DC=some,DC=domain",
			"pass": "SecretPassword",
			"enctype": "ssl",
			"options": {
				"LDAP_OPT_DEREF": "1"
			},
			"basedn": "dc=some,dc=domain",
			"groupbasedn": "dc=some,dc=domain",
			"userbasedn": "dc=some,dc=domain",
			"searchattribute": "userprincipalname",
			"usernameattribute": "userprincipalname",
			"realnameattribute": "cn",
			"emailattribute": "userprincipalname",
			"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory"
		},
		"userinfo": {
			"attributes-map": {
				"email": "mail",
				"realname": "cn"
			}
		},
		"authorization": {
			"rules": {
				"groups": {
					"required": [
						"CN=Media-Wiki-Admin,OU=Application_Groups,OU=Groups,OU=other,DC=some,DC=domain",
						"CN=Media-Wiki-User,OU=Application_Groups,OU=Groups,OU=other,DC=some,DC=domain"
					]
				}
			}
		},
		"groupsync": {
			"mapping": {
				"Media-Wiki-Admin": "CN=Media-Wiki-Admin,OU=Application_Groups,OU=Groups,OU=other,DC=some,DC=domain",
				"user": "CN=Media-Wiki-User,OU=Application_Groups,OU=Groups,OU=other,DC=some,DC=domain"
			}
		}
	}
}

Best regards

Osnard (talkcontribs)
  1. You should not have your "ldap.json" within $IP. The webserver might make it public.
  2. There is no need to have "user" in the "groupsync.mapping", as everybody that gets logged in is automatically in "user"
  3. You have "Extension:LDAPAuthorization" disabled, so the "authorization" section in the domain config will have no effect
  4. "connection.usernameattribute", as well as "connection.searchattribute" should be "samaccountname", not "userprincipalname". Users must then use "Fred" instead of "fred@some.domain" in the login form
    1. Looks like you are using network-based authentication (Kerberos) with "Extension:Auth_remoteuser". You should enable "Extension:LDAPAuthorization" and set $LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain';. You can then get rid of the $wgAuthRemoteuserUserNameReplaceFilter setting
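Point 1 above is worth a concrete check, since the ldap.json shared in this thread carries the bind password ("pass") and, with $wgScriptPath = "", $IP is the web root. The following is an added example, not code from the thread or from Extension:LDAPProvider: a stand-alone PHP script with a guard that refuses a config file which resolves to a path below the document root or is world-readable, plus a demo on a constructed directory layout in the system temp dir. The path /etc/mediawiki/ldap.json in the usage comment is an assumption.

```php
<?php
// Added example: guard the location of the LDAP domain config before wiring it up.
// Not part of LDAPProvider; paths in the demo are constructed in a temp directory.

/** Returns a list of problems with the config file's location; empty means OK. */
function configFileProblems( string $file, string $docRoot ): array {
    $real = realpath( $file );
    if ( $real === false || !is_file( $real ) ) {
        return [ "'$file' does not exist or is not a regular file" ];
    }
    $problems = [];
    $root = realpath( $docRoot );
    // Prefix test on canonical paths, so symlinks and ".." cannot disguise the location.
    if ( $root !== false && strpos( $real . '/', rtrim( $root, '/' ) . '/' ) === 0 ) {
        $problems[] = "'$real' is below the document root '$root'";
    }
    $mode = fileperms( $real ) & 0777;
    if ( $mode & 0004 ) {
        $problems[] = sprintf( "'%s' is world-readable (mode %04o)", $real, $mode );
    }
    return $problems;
}

/** Returns the canonical path when the file is acceptable, null (and logs why) otherwise. */
function ldapConfigPathOrNull( string $file, string $docRoot ): ?string {
    $problems = configFileProblems( $file, $docRoot );
    foreach ( $problems as $p ) {
        error_log( "LDAP config refused: $p" );
    }
    return $problems ? null : realpath( $file );
}

// --- demo on a constructed layout ---
$base = sys_get_temp_dir() . '/ldapcfg-demo-' . getmypid();
mkdir( "$base/htdocs", 0755, true );   // stands in for $IP, the web root
mkdir( "$base/private", 0700, true );  // outside the web root
file_put_contents( "$base/htdocs/ldap.json", "{}\n" );
file_put_contents( "$base/private/ldap.json", "{}\n" );
chmod( "$base/htdocs/ldap.json", 0644 );   // the thread's layout: "$IP/ldap.json"
chmod( "$base/private/ldap.json", 0640 );  // readable by owner and web server group only

foreach ( [ "$base/htdocs/ldap.json", "$base/private/ldap.json" ] as $candidate ) {
    $problems = configFileProblems( $candidate, "$base/htdocs" );
    echo $candidate, ': ', $problems ? implode( '; ', $problems ) : 'ok', "\n";
}

// Assumed usage in LocalSettings.php ($IP is the web root in the thread's setup):
//   $ldapJsonFile = ldapConfigPathOrNull( '/etc/mediawiki/ldap.json', $IP );
//   if ( $ldapJsonFile !== null ) {
//       wfLoadExtension( 'LDAPProvider' );
//       $LDAPProviderDomainConfigs = $ldapJsonFile;
//   }

// cleanup of the constructed layout
unlink( "$base/htdocs/ldap.json" );
unlink( "$base/private/ldap.json" );
rmdir( "$base/htdocs" );
rmdir( "$base/private" );
rmdir( $base );
```

Run with the php CLI: the copy under htdocs is reported as both below the document root and world-readable, the copy under private passes. The guard keeps the thread's existing pattern of only loading the LDAP extensions when the config is usable, and adds the two conditions a leaked bind password depends on.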
Scoobydoo321 (talkcontribs)

I tried your changes, the login works for the admin user, but when I try to log in with "Fred" I get the same error. When I test with a normal user (samaccountname=B12345678) I get the error Auto-creation of a local account failed: You have not specified a valid username. Does the wiki check if a username contains a lot of numbers?

Osnard (talkcontribs)

Have you re-enabled LDAPAuthorization? Does LDAPProvider/maintenance/ShowUserGroups.php list the group DNs you have configured in the "authorization.rules.groups.required" section?

Scoobydoo321 (talkcontribs)

Yes, I have re-enabled LDAPAuthorization, and the result from "ShowUserGroups.php" is as defined in the "authorization.rules.groups.required" section. In the "ldap.log" I see Authenticated new user: fred User is authorized.

Osnard (talkcontribs)

So you are not having $wgAuthRemoteuserUserNameReplaceFilter set anymore? But instead configured $LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain';?

Any other Auth_remoteuser related config?

I am running out of ideas. If it says Authenticated new user: fred User is authorized everything should be fine.

Scoobydoo321 (talkcontribs)

I had $LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain'; not activated. If I activate this and set "usernameattribute": "samaccountname", in ldap.json I get the message in the UI user u12345678 not authorized, the log says authorization failure and the CheckLogin.php returns OK.

Osnard (talkcontribs)

Sorry to ask again, but are you sure you have not set $wgAuthRemoteuserUserNameReplaceFilter anymore? Please check if $username that arrives here is actually in the format <username@domain>.

Reply to "Auto-creation of a local account failed: You have not specified a valid username"

Admin(s) spammed by confirmed email account requests

1
2.218.206.44 (talkcontribs)

As an admin I seem to get multiple emails asking me to approve the same account that has had its email confirmed. These all arrive within a few minutes of each other. I originally assumed this was spammers deliberately clicking on the "confirm email" link multiple times. However, since upgrading my wiki (to 1.31.8 LTS) I have been doing some testing and found that Outlook's Safelinks protection will check this link, so that would lead to me as an admin receiving an "account request with confirmed email" email even before the user would have had a chance to click on the link in the "confirm email" email. Also, I suspect it is easy to accidentally click the link multiple times, or a user might just think they have done something wrong when their account is not immediately activated and click the link a second or third time.

It would be useful if there was some timeout to prevent multiple emails being sent out in a short space of time to the accounts admin(s). At the moment I have hacked the code so that admins only ever receive one email for any account request. This is sufficient for my needs, as the urgency of requests is low but the frequency is sufficiently high that if I miss one I will deal with that when I get another account request a day or two later.

Reply to "Admin(s) spammed by confirmed email account requests"
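The timeout the post above asks for can be modelled independently of the extension. The following is an added example, not code from ConfirmAccount or from the poster: a per-request notification throttle that lets the first confirmation in a window notify the admins and suppresses repeats of the same request within that window (double clicks, a mail client's link scanner following the confirmation URL). The store is an in-memory array for the demo; in a real deployment it would be the wiki's object cache or a timestamp column (assumption). The event stream is constructed.

```php
<?php
// Added example: throttle admin notifications per account request.
// Not ConfirmAccount's own code; storage and event shape are assumptions.

final class NotificationThrottle {
    /** @var array<string,int> key => unix time of the last notification sent */
    private array $lastSent = [];
    private int $windowSeconds;

    public function __construct( int $windowSeconds ) {
        $this->windowSeconds = $windowSeconds;
    }

    /**
     * Returns true when a notification for $key may be sent at $now, and records it.
     * A repeat within the window returns false and does not move the timestamp,
     * so a burst of confirmations cannot keep extending its own suppression.
     */
    public function allow( string $key, int $now ): bool {
        if ( isset( $this->lastSent[$key] ) && $now - $this->lastSent[$key] < $this->windowSeconds ) {
            return false;
        }
        $this->lastSent[$key] = $now;
        return true;
    }
}

// Constructed events: request 42 confirmed three times within a minute
// (user click, link scanner, second user click), an unrelated request 43,
// and request 42 again a day later.
$events = [
    [ 'requestId' => 42, 'event' => 'email-confirmed', 'time' => 1000 ],
    [ 'requestId' => 42, 'event' => 'email-confirmed', 'time' => 1003 ],
    [ 'requestId' => 42, 'event' => 'email-confirmed', 'time' => 1050 ],
    [ 'requestId' => 43, 'event' => 'email-confirmed', 'time' => 1051 ],
    [ 'requestId' => 42, 'event' => 'email-confirmed', 'time' => 1000 + 86400 ],
];

$throttle = new NotificationThrottle( 3600 ); // one admin mail per request per hour
foreach ( $events as $e ) {
    $key = $e['requestId'] . ':' . $e['event'];
    $decision = $throttle->allow( $key, $e['time'] )
        ? 'send admin mail'
        : 'suppress (duplicate within window)';
    printf( "t=%-6d request %d: %s\n", $e['time'], $e['requestId'], $decision );
}
```

With a one-hour window the output sends for t=1000, suppresses t=1003 and t=1050, sends for request 43, and sends again for request 42 the next day. The poster's patch of "one email ever per request" is the same idea with an unbounded window; a finite window keeps a reminder possible when a request sits unapproved.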

Many repeating notification emails to admin

6
Wmat (talkcontribs)

Whenever someone requests an account on my wiki, I get notified of the account request via email, which is good. However, I get notified up to 7 times. Could this be caused by the extension, or is this likely a mail setup issue?

Wmat (talkcontribs)

Still an issue with REL1_31. I get 7 emails when an account is requested.

Reboulip (talkcontribs)

I get the same issue, but with only 2 e-mails (same for all bureaucrats)

Reboulip (talkcontribs)

I tried the following fix, and it worked for my case: set the following properties in LocalSettings.php:

$wgConfirmAccountContact = ''; # to make sure this variable is set

$wgGroupPermissions['*']['confirmaccount-notify'] = false; # withdraw all notifications

$wgGroupPermissions['bureaucrat']['confirmaccount-notify'] = true; # enable notification to bureaucrats

However, I'm not sure why this worked...

Reboulip (talkcontribs)

(I actually still get double notifications sometimes)

Ulrich C. Thiess (talkcontribs)

Wiki 1.34.2

The administrator and the user will receive a confirmation email with the confirmation link.

Reply to "Many repeating notification emails to admin"

[SOLVED] Request account button not showing up on main page for 1.34 -- working for 1.33

5
Paulette00 (talkcontribs)

I must have done something idiotic, but somehow I can't make the "request account" appear for potential new users. The mediawiki (1.34) setup is private. The extension is also 1.34 compatible. Permissions are set up as:

$wgGroupPermissions['*']['read'] = false;

with

$wgWhitelistRead = array(
  "Special:Request account",
  "Spécial:Demander un compte"
);


What is missing ?

Many thanks.

Spas.Z.Spasov (talkcontribs)

Hello, please read this post of mine. I think it could help.

Paulette00 (talkcontribs)

Ok thanks, I've seen it, and I don't have errors (when for example using mediawiki:loginprompt to make the request account page appear).

Nevertheless, I'll have a go at what you suggest, and report here.

Paulette00 (talkcontribs)

Hello, I did as you suggested by adding/rewriting the hook to display the RequestAccount button. I did not touch the ConfirmEdit bit: there are no errors showing up in the logs.

But the whole lot didn't work.


However: this feature worked with the MW version 1.33. I did not check when upgrading to 1.34 if the feature was still alive. So, to make sure, I replaced the ConfirmAccount directory from 1.34 by the one from 1.33. And .... it did work. So I don't really know what's happening here: a quick diff on both directories didn't enlighten me.


Conclusion: I stay with ConfirmAccount 1.33 until I have better ideas...

Paulette00 (talkcontribs)

Here we go, I found my answer (got it of course from comparing 1.34 with 1.33):

in frontend/ConfirmAccountUI.hooks.php, line 32:

replace

if ( isset( $personal_urls['login'] ) ) {

with

if ( isset( $personal_urls['login'] )
        || isset( $personal_urls['login-private'] ) ) {

... which shows that the problem originated from my wiki being private!


Reply to "[SOLVED] Request account button not showing up on main page for 1.34 -- working for 1.33"

ConfirmAccount doesn't work with MW 1.33 and 1.34 [Solved]

2
Summary by Spas.Z.Spasov

The main troublemaker was the parameter $wgCaptchaClass = 'SimpleCaptcha';, which I had set according to Extension:ConfirmEdit's setup. Read my last reply below for more details.

Spas.Z.Spasov (talkcontribs)

Hello, last month I updated to MW 1.33, and since then the Extension:ConfirmAccount doesn't work.

  1. *Request account* is not displayed within the user interface while $wgGroupPermissions['*']['read'] = false;, no matter the other settings.
  2. Special:RequestAccount returns HTTP ERROR 500 (actually I'm using the Bulgarian language and the name of the page is Специални:RequestAccount).

I'm using the extension since MW 1.27; here is the relevant part of my `LocalSettings.php` (that served well before the MW 1.33 update):

require_once "$IP/extensions/ConfirmAccount/ConfirmAccount.php";
$wgConfirmAccountContact = 'my@e.mail';

$wgWhitelistRead[] = 'Начална_страница';
$wgWhitelistRead[] = 'Special:RequestAccount';
$wgWhitelistRead[] = 'Специални:RequestAccount';

// $wgConfirmAccountRequestFormItems['Biography']['enabled'] = false;
// $wgConfirmAccountRequestFormItems['Biography']['minWords'] = 5;
// $wgGroupPermissions['sysop']['createaccount'] = false;


$wgMakeUserPageFromBio = false;
$wgAutoWelcomeNewUsers = false;
$wgConfirmAccountRequestFormItems = array(
        'UserName'        => array( 'enabled' => true ),
        'RealName'        => array( 'enabled' => false ),
        'Biography'       => array( 'enabled' => false, 'minWords' => 5 ),
        'AreasOfInterest' => array( 'enabled' => false ),
        'CV'              => array( 'enabled' => false ),
        'Notes'           => array( 'enabled' => true, ),
        'Links'           => array( 'enabled' => false ),
        'TermsOfService'  => array( 'enabled' => false ),
);

// Properly add the "Request Account" ("Заявка за сметка") link in the user interface
$wgHooks['PersonalUrls'][] = 'onPersonalUrls';
function onPersonalUrls( array &$personal_urls, Title $title, SkinTemplate $skin  ) {
    // Add a link to Special:RequestAccount if a link exists for login
    if ( isset( $personal_urls['login'] ) || isset( $personal_urls['anonlogin'] ) ) {
        $personal_urls['createaccount'] = array(
            'text' => wfMessage( 'requestaccount' )->text(),
            'href' => SpecialPage::getTitleFor( 'RequestAccount' )->getFullURL()
        );
    }
    return true;
}

Is there some solution?

Spas.Z.Spasov (talkcontribs)

Finally I managed to solve my issue.

The main troublemaker was the parameter $wgCaptchaClass = 'SimpleCaptcha';, which I had set according to Extension:ConfirmEdit's setup. I switched to wfLoadExtension( 'ConfirmEdit/MathCaptcha' ); and now Extension:ConfirmAccount works properly.

Another issue was the condition:

if ( isset( $personal_urls['login'] ) || isset( $personal_urls['anonlogin'] ) ) { ... }

Here is my current setup that works as it is expected with MW 1.33 and 1.34:

## Extension:ConfirmAccount -----
require_once "$IP/extensions/ConfirmAccount/ConfirmAccount.php";

$wgWhitelistRead = array_merge($wgWhitelistRead, array('Специални:Създаване_на_сметка', 'Special:RequestAccount', 'Специални:RequestAccount'));

$wgMakeUserPageFromBio = false;
$wgAutoWelcomeNewUsers = false;

$wgConfirmAccountRequestFormItems = array(
	'UserName'        => array( 'enabled' => true ),
	'RealName'        => array( 'enabled' => false ),
	'Biography'       => array( 'enabled' => false, 'minWords' => 5 ),
	'AreasOfInterest' => array( 'enabled' => false ),
	'CV'              => array( 'enabled' => false ),
	'Notes'           => array( 'enabled' => true, ),
	'Links'           => array( 'enabled' => false ),
	'TermsOfService'  => array( 'enabled' => false ),
);
// $wgConfirmAccountRequestFormItems['Biography']['enabled'] = false;
// $wgConfirmAccountRequestFormItems['Biography']['minWords'] = 5;
// $wgGroupPermissions['sysop']['createaccount'] = false;

$wgConfirmAccountContact = 'admin@trivictoria.org';

$wgHooks['PersonalUrls'][] = 'ConfirmAccountCustomHooks::onPersonalUrls';
class ConfirmAccountCustomHooks {
	public static function onPersonalUrls( array &$personal_urls, Title $title, SkinTemplate $skin ) {
		// On a private wiki the login link is keyed 'login-private', not 'login'
		if ( isset( $personal_urls['login-private']['text'] ) ) {
			$personal_urls['createaccount'] = array(
				'text' => wfMessage( 'requestaccount' )->text(),
				'href' => SpecialPage::getTitleFor( 'RequestAccount' )->getFullURL()
			);
		}
		return true;
	}
}


## Extension:ConfirmEdit -----
//wfLoadExtension( 'ConfirmEdit' );
//$wgCaptchaClass = 'SimpleCaptcha';

//wfLoadExtensions([ 'ConfirmEdit', 'ConfirmEdit/FancyCaptcha' ]);
//$wgCaptchaClass = 'FancyCaptcha';

wfLoadExtension( 'ConfirmEdit/MathCaptcha' );