Extension talk:LDAPAuthentication2


About this board

When reporting an error, please be sure to include version information for MediaWiki and all relevant extensions as well as configuration information. Also, please turn on debug logging as described at Manual:How to debug#Logging and include the relevant portions of the debug log.

UsernameNormalizer

46.133.5.92 (talkcontribs)

Hi there,

LDAP AD authentication works fine with "$LDAPAuthentication2UsernameNormalizer = false;". I use this manual: LDAP hub/Migration from extension LDAPAuthentication

But if I set "$LDAPAuthentication2UsernameNormalizer = true;" as recommended in the manual, I get the following error:

[226dad3678b7525b2a4d5a08] /index.php/Special:PluggableAuthLogin MWException from line 78 of /var/www/html/extensions/LDAPAuthentication2/src/PluggableAuth.php: The UsernameNormalizer for LDAPAuthentiation2 should be callable

Backtrace:

#0 /var/www/html/extensions/LDAPAuthentication2/src/PluggableAuth.php(53): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->normalizeUsername()
#1 /var/www/html/extensions/PluggableAuth/includes/PluggableAuthLogin.php(36): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->authenticate()
#2 /var/www/html/includes/specialpage/SpecialPage.php(600): PluggableAuthLogin->execute()
#3 /var/www/html/includes/specialpage/SpecialPageFactory.php(635): SpecialPage->run()
#4 /var/www/html/includes/MediaWiki.php(307): MediaWiki\SpecialPage\SpecialPageFactory->executePath()
#5 /var/www/html/includes/MediaWiki.php(940): MediaWiki->performRequest()
#6 /var/www/html/includes/MediaWiki.php(543): MediaWiki->main()
#7 /var/www/html/index.php(53): MediaWiki->run()
#8 /var/www/html/index.php(46): wfIndexMain()
#9 {main}


List of extensions:

LDAPAuthentication2-REL1_35-58e281c.tar.gz
LDAPGroups-REL1_35-97e04b2.tar.gz
LDAPProvider-REL1_35-ca854c1.tar.gz
LDAPUserInfo-REL1_35-39cca83.tar.gz
LdapAuthentication-REL1_35-dbc56f1.tar.gz
PluggableAuth-REL1_35-2a465ae.tar.gz
mediawiki-1.35.1.tar.gz

46.133.28.171 (talkcontribs)

Sorry, maybe I don't need "$LDAPAuthentication2UsernameNormalizer"; it is for an "earlier Version".

Use this function for normalizing username for LDAP, for example 'strtolower'. Needed after migration from earlier Version. (defaults to "" )

Osnard (talkcontribs)

The example you are referring to was wrong. Sorry for that. Please set `$LDAPAuthentication2UsernameNormalizer = 'strtolower';` if required.
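As an added illustration (not from this thread and not the extension's own code): the setting has to be something PHP can call, which is what the check at PluggableAuth.php line 78 enforces. The custom normalizer closure and the load-time guard below are hypothetical additions to LocalSettings.php.

```php
<?php
// Added example for LocalSettings.php (hypothetical, not part of LDAPAuthentication2).
// The extension only accepts a callable here; a boolean is rejected at login time
// with "The UsernameNormalizer for LDAPAuthentiation2 should be callable".

// Wrong: a boolean is not callable.
// $LDAPAuthentication2UsernameNormalizer = true;

// Simplest valid setting: the name of a built-in function.
// $LDAPAuthentication2UsernameNormalizer = 'strtolower';

// A custom callable for directories whose login IDs are mixed case or get
// pasted with surrounding whitespace. mb_strtolower() handles non-ASCII names.
$LDAPAuthentication2UsernameNormalizer = static function ( string $username ): string {
    $username = trim( $username );
    return mb_strtolower( $username, 'UTF-8' );
};

// Load-time guard: report a bad value when LocalSettings.php is read instead of
// on the first login attempt. The poster's working value (false) and the
// documented default ("") both mean "no normalizer" and pass this guard;
// is_callable() accepts function names, closures and [ $object, 'method' ] pairs.
if ( $LDAPAuthentication2UsernameNormalizer && !is_callable( $LDAPAuthentication2UsernameNormalizer ) ) {
    throw new RuntimeException(
        '$LDAPAuthentication2UsernameNormalizer must be a callable such as \'strtolower\''
    );
}
```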


Fatal exception of type MWException when activating LDAPAuthentication2

AID-PMBD (talkcontribs)

Hello,


I'm having trouble trying to connect my Mediawiki Installation to an LDAP Server. I'm using the extensions Pluggable Auth, LDAPProvider and LDAPAuthentication2.


My Installation:

Ubuntu 18.04

Mediawiki 1.31.6

PHP 7.2.24-0ubuntu0.18.04.7 (apache2handler)

MySQL 5.7.32-0ubuntu0.18.04.1


Extensions:

PluggableAuth 5.4 (300ac44) 05:28, 14. Apr. 2018

LDAPProvider 1.0.5 (098cd58) 14:33, 1. Sep. 2020

LDAP Authentication for Mediawiki 1.31


Content of my ldap.json file:

{
    "LDAP": {
        "connection": {
            "server": "server-ldap.local",
            "port": "389",
            "user": "CN=Mediawiki-auth,OU=people,DC=server-ldap,DC=loc$
            "pass": "password",
            "enctype": "tls",
            "options": {
                "LDAP_OPT_DEREF": 1
            },
            "basedn": "dc=server-ldap,dc=local",
            "groupbasedn": "dc=server-ldap,dc=local",
            "userbasedn": "dc=server-ldap,dc=local",
            "searchattribute": "uid",
            "searchstring": "uid=USER-NAME,dc=server-ldap,dc=local",
            "usernameattribute": "uid",
            "realnameattribute": "cn",
            "emailattribute": "mail"
        }
    }
}


Whenever I'm enabling the LDAPAuthentication2 extension in my LocalSettings.php through wfLoadExtension( 'LDAPAuthentication2' ); I get the error "[7b001ef83ac85982732e6fad] 2021-01-03 15:12:39: Fatal exception of type MWException" when trying to access my wiki.


Can anyone offer advice?


Thank you

AID-PMBD (talkcontribs)

My logfile returns:

[exception] [2244535a0f53ec76a495bf27] /xxxx/index.php/Spezial:Version   MWException from line 42 of /var/www/html/xxxx/extensions/LDAPProvider/src/DomainConfi$

Auf die Konfigurationsdatei „/etc/mediawiki/ldapprovider.json“ konnte nicht zugegriffen werden!

AID-PMBD (talkcontribs)

So I set up the domainconfig in LocalSettings.php through $LDAPProviderDomainConfigProvider = "var/www/ldap.json/ldap.json";

pointing to my ldap.json file.


The error now says: [exception] [470280d9192d6b1dc7874308] /xxxx/index.php/Spezial:Version   Error from line 49 of /var/www/html/xxxx/extensions/LDAPProvider/src/DomainConfigFactory.php: Call to a member function getConfigArray() on null

AID-PMBD (talkcontribs)

Full error message:

[ac67fda33191723225f91cbc] /xxxx/index.php?title=Spezial:Anmelden&returnto=Hauptseite Error from line 49 of /var/www/html/xxxx/extensions/LDAPProvider/src/DomainConfigFactory.php: Call to a member function getConfigArray() on null

Backtrace:

#0 /var/www/html/xxxx/extensions/LDAPProvider/src/DomainConfigFactory.php(109): MediaWiki\Extension\LDAPProvider\DomainConfigFactory->__construct(NULL)
#1 /var/www/html/xxxx/extensions/LDAPAuthentication2/src/Setup.php(14): MediaWiki\Extension\LDAPProvider\DomainConfigFactory::getInstance()
#2 /var/www/html/xxxx/includes/Setup.php(948): MediaWiki\Extension\LDAPAuthentication2\Setup::init()
#3 /var/www/html/xxxx/includes/WebStart.php(88): require_once(string)
#4 /var/www/html/xxxx/index.php(39): require(string)
#5 {main}

Osnard (talkcontribs)
AID-PMBD (talkcontribs)

Thank you so much Osnard. It worked! I decided to go for the PHP array in general as the configuration method instead of the ldap.json file, because it seems less fuss. Then I had to install php-ldap and restart Apache2; now it works. Again, thank you so much.
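For reference, an added example (not from this thread and not the extension's own code) of the two supported ways to point LDAPProvider at its domain configuration, next to the assignment that produced the "getConfigArray() on null" error above; server names, DNs and credentials are placeholders.

```php
<?php
// Added example for LocalSettings.php; placeholder values throughout.

// Wrong: $LDAPProviderDomainConfigProvider expects a callable that returns a
// config provider object. Handing it a file path leaves the factory without a
// provider, which is the "Call to a member function getConfigArray() on null"
// error shown in this thread.
// $LDAPProviderDomainConfigProvider = "var/www/ldap.json/ldap.json";

// The LDAP stack needs the php-ldap extension (the poster had to install it and
// restart Apache). Fail early with a clear message if it is missing.
if ( !function_exists( 'ldap_connect' ) ) {
    throw new RuntimeException( 'php-ldap is not installed or not enabled' );
}

$useInlinePhpArray = false; // set to true to use option 2 instead of option 1

if ( !$useInlinePhpArray ) {
    // Option 1: a JSON file, referenced by absolute path through
    // $LDAPProviderDomainConfigs (the setting the other configs on this page use).
    // Checking readability here turns a fatal MWException on every page view
    // into a message that names the file.
    $ldapJsonFile = '/etc/mediawiki/ldapprovider.json';
    if ( !is_readable( $ldapJsonFile ) ) {
        throw new RuntimeException( "LDAP domain config is not readable: $ldapJsonFile" );
    }
    $LDAPProviderDomainConfigs = $ldapJsonFile;
} else {
    // Option 2: the same structure as an inline PHP array, which is what the
    // poster moved to. Here the callable returns the provider object.
    $LDAPProviderDomainConfigProvider = static function () {
        $config = [
            'LDAP' => [
                'connection' => [
                    'server' => 'server-ldap.local',   // placeholder
                    'port' => '389',
                    'enctype' => 'tls',
                    'user' => 'CN=Mediawiki-auth,OU=people,DC=server-ldap,DC=local',
                    'pass' => 'REPLACE-ME',
                    'basedn' => 'dc=server-ldap,dc=local',
                    'userbasedn' => 'dc=server-ldap,dc=local',
                    'groupbasedn' => 'dc=server-ldap,dc=local',
                    'searchattribute' => 'uid',
                    'searchstring' => 'uid=USER-NAME,dc=server-ldap,dc=local',
                    'usernameattribute' => 'uid',
                    'realnameattribute' => 'cn',
                    'emailattribute' => 'mail',
                ],
            ],
        ];
        return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
    };
}
```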


Authentication Problems with Active Directory - Credentials Not Associated with User on Wiki

Chattadude (talkcontribs)

Hi,

It seems that the following error is a common occurrence when someone tries to tie Mediawiki into an Active Directory domain: "The supplied credentials are not associated with any user on this wiki."


Osnard, as you know from a separate post in Extension talk:PluggableAuth, I was trying to get Mediawiki talking to a FreeIPA (Red Hat IdM) LDAP directory.

I still intend to reach out to someone with Red Hat or FreeIPA to help determine why there seem to be two "users" in the database associated with the same uid.


That said, my ultimate goal is to bind Media Wiki to an Active Directory (and use FreeIPA as a "proxy" of sorts).

In part of my troubleshooting, I decided to try to connect Mediawiki directly to AD without FreeIPA in the middle.


And that leads me to the error I'm currently getting, that "The supplied credentials are not associated with any user on this wiki."

If I enter in incorrect credentials, I confirm that there is a failure to authenticate.


I can confirm that I AM able to get correct output when I run:

php /var/www/html/extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain LDAP --username {my-user}


My /etc/mediawiki/ldapprovider.json file contains the following:

        "server": "10.10.10.10",
        "user": "cn=bind_user,ou=MediaWiki,ou=Applications,ou=Foo,dc=example,dc=com",
        "pass": "REDACTED",
        "port":"389",
        "enctype":"clear",
        "basedn": "dc=example,dc=com",
        "groupbasedn": "ou=Network Users,dc=example,dc=com",
        "userbasedn": "ou=Network Users,dc=example,dc=com",
        "searchattribute": "samaccountname",
        "searchstring": "USER-NAME",
        "usernameattribute": "samaccountname",
        "realnameattribute": "cn",
        "emailattribute": "mail"


My LocalSettings.php file contains:

wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPUserInfo' );
$LDAPProviderDomainConfigs = "/etc/mediawiki/ldapprovider.json";
$LDAPAuthentication2AllowLocalLogin = false;


I have the following versions:

- Mediawiki 1.34
- PluggableAuth-REL1_34
- LDAPUserInfo-REL1_31
- LDAPAuthentication2-master-2aa5664 (I've also tried LDAPAuthentication2-REL1_31)
- LDAPProvider-master-963bd84 (I've also tried LDAPProvider-REL1_31)


I'm not sure where to go from here.

Chattadude (talkcontribs)

I have just done a "fresh install" of MediaWiki 1.34 to rule out any possible issue in the database itself.

Using the same codebase and configuration options as described above in the (new) LocalSettings.php of the new install, I am still getting the symptoms I described earlier. My user credentials are clearly working, but I keep getting the error message "The supplied credentials are not associated with any user on this wiki." when I do try to login.


I'm completely at a loss at this point.

209.3.130.226 (talkcontribs)

Have you found a solution yet? This is where I'm at.

Chattadude (talkcontribs)

Nope, I still don't have this working. I was hoping someone else would be able to provide some guidance.

I'll keep troubleshooting, and if I get it working, will be sure to post back here. If you come up with a solution for yourself, please consider posting back here with your solution as well.

80.89.157.0 (talkcontribs)

Just enable logs with

$wgDebugLogFile = "/var/www/mediawiki/debug.log";

You could see the error there.

Kevin.murilo (talkcontribs)

I'm a little late to the party, but I had this issue a few days ago and even posted about it here Topic:Vues871fgeqbz0p0, here's a snip of my comment on how I solved this, my installation is now working properly.

To solve this, keep in mind the JSON fields MUST be in all lower case letters, so instead of sAMAccountname you must use samaccountname and so on for all fields used by the JSON file.

Emikulic (talkcontribs)

Hello, I have had some mediawiki servers running and am working on a fresh 1.35 install. I only noticed your note from a search. I also have RHEL IDM working w/AD we setup over a year ago with RH.

The only thing I wanted to note is that you will not get everything from AD through IDM; it's a subset of information. RH is working on expanding that. Email address, for example, will not be passed as it is part of IDM. Groups get passed depending on how you configure IDM.

IDM is amazing and better than all the other solutions to date, and getting better. Definitely helps move enterprises in the direction of 'single account' with all their linux users.
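Drawing on this thread, an added check (mine, not the extension's code) that parses an ldapprovider.json and flags attribute settings that are not lower case, which is the fix Kevin.murilo describes above. The list of settings it inspects and the constructed sample at the end are assumptions; pass a real file path as the first argument to check your own configuration.

```php
<?php
// Added example: stand-alone checker for an ldapprovider.json (not part of the
// LDAP stack). Run as: php check-ldapprovider.php /etc/mediawiki/ldapprovider.json

// Connection settings whose value names an LDAP attribute. PHP's ldap_get_entries()
// returns attribute names in lower case, so "sAMAccountName" here never matches
// the entry that comes back while "samaccountname" does. (Assumed list: the
// settings used by the configurations posted on this page.)
const ATTRIBUTE_SETTINGS = [
    'searchattribute', 'usernameattribute', 'realnameattribute',
    'emailattribute', 'groupattribute',
];

/** @return string[] findings; an empty array means nothing to fix */
function checkLdapProviderConfig( string $path ): array {
    $raw = file_get_contents( $path );
    if ( $raw === false ) {
        return [ "cannot read $path" ];
    }
    try {
        $domains = json_decode( $raw, true, 512, JSON_THROW_ON_ERROR );
    } catch ( JsonException $e ) {
        // A syntax slip such as a missing comma surfaces here rather than as a
        // fatal MWException on every page view.
        return [ 'invalid JSON: ' . $e->getMessage() ];
    }
    $findings = [];
    foreach ( $domains as $domain => $sections ) {
        $conn = $sections['connection'] ?? null;
        if ( !is_array( $conn ) ) {
            $findings[] = "$domain: no \"connection\" section";
            continue;
        }
        foreach ( $conn as $key => $value ) {
            if ( $key !== strtolower( (string)$key ) ) {
                $findings[] = "$domain: key \"$key\" must be lower case";
            }
            if ( in_array( $key, ATTRIBUTE_SETTINGS, true ) && is_string( $value )
                && $value !== strtolower( $value )
            ) {
                $findings[] = "$domain: $key \"$value\" should be \"" . strtolower( $value ) . '"';
            }
        }
        // Every working configuration on this page sets these; treat them as required.
        foreach ( [ 'server', 'basedn', 'searchattribute', 'usernameattribute' ] as $required ) {
            if ( empty( $conn[$required] ) ) {
                $findings[] = "$domain: \"$required\" is not set";
            }
        }
        // "port" appears both as a string and as an integer on this page; accept both.
        $port = (int)( $conn['port'] ?? 389 );
        $enctype = $conn['enctype'] ?? '';
        if ( $port === 636 && $enctype !== 'ssl' ) {
            $findings[] = "$domain: port 636 is normally used with \"enctype\": \"ssl\"";
        }
        if ( $enctype === 'clear' ) {
            $findings[] = "$domain: \"clear\" sends the bind password in plain text; prefer \"tls\" or \"ssl\"";
        }
    }
    return $findings;
}

// Constructed sample: the Active Directory layout from this thread, with the
// mixed-case attribute spelling that does not work.
$sample = tempnam( sys_get_temp_dir(), 'ldap' );
file_put_contents( $sample, json_encode( [
    'LDAP' => [ 'connection' => [
        'server' => '10.10.10.10',
        'port' => '389',
        'enctype' => 'clear',
        'basedn' => 'dc=example,dc=com',
        'searchattribute' => 'sAMAccountName',
        'usernameattribute' => 'sAMAccountName',
    ] ],
], JSON_PRETTY_PRINT ) );

$path = $argv[1] ?? $sample;
foreach ( checkLdapProviderConfig( $path ) as $finding ) {
    echo $finding, PHP_EOL;
}
unlink( $sample );
```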

Dimassc (talkcontribs)

I'm trying to migrate from the old LdapAuthentication to the new LDAP Hub extensions. Now I can login with the ldap domain but can't login with local users.

Sorry, I created a similar entry in Topic:Vu74cyrkefdaua69 but I think LDAPAuthentication2 is the responsible plugin; you can delete the other post.

If I have $LDAPAuthentication2AllowLocalLogin = true and $wgPluggableAuth_EnableAutoLogin = false it doesn't work (I select the 'local' domain, of course). But if I set it the other way around I can log in with a local user (two login buttons appear; the first works, the second doesn't work because it tries to log in to the domain).

For the local login I created a user like this:

php ./wikiutic/maintenance/createAndPromote.php --force --bureaucrat admin password

My LocalSettings.php:

# LDAP authentication
wfLoadExtensions( [
    'PluggableAuth', // Base authentication
    'LDAPProvider', // Base authentication
    'LDAPAuthentication2', // Base authentication
    'LDAPAuthorization', // To restrict access by group
    'LDAPGroups' // To sync LDAP groups with local ones
] );
// $wgPluggableAuth_EnableAutoLogin = true; /* If enabled, it disables the logout option */
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_ButtonLabel = "Inicia sessió";
$LDAPAuthentication2UsernameNormalizer = 'strtoupper'; // strtolower does not work
$LDAPAuthentication2AllowLocalLogin = true;
$wgLDAPUseLocal = false; // Allow local wiki authentication. Check that it is not overridden in LdapAuthentication.php
$LDAPProviderDomainConfigProvider = function() {
    $config = [
        'LDAP' => [
            'connection' => [
                "server" => "golum.trueta.intranet",
                "enctype" => 'clear',
                "basedn" => "dc=htrueta,dc=intranet",
                "userbasedn" => "dc=htrueta,dc=intranet", // u=Users,dc=htrueta,dc=intranet
                "searchstring" => "uid=USER-NAME,ou=Users,dc=htrueta,dc=intranet",
                "searchattribute" => "uid",
                "usernameattribute" => "uid",
                "realnameattribute" => "cn",
                "emailattribute" => "mail",
                "groupbasedn" => "dc=htrueta,dc=intranet", // ou=Groups,dc=htrueta,dc=intranet
                "groupattribute" => "memberuid",
                "groupobjectclass" => "posixgroup",
                "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\Configurable::factory"
            ],
            'authorization' => [
                'rules' => [
                    'groups' => [
                        'required' => [
                            "cn=Domain Admins,ou=Groups,dc=htrueta,dc=intranet",
                            "cn=s103,ou=Groups,dc=htrueta,dc=intranet",
                            "cn=wikiUtic,ou=Groups,dc=htrueta,dc=intranet",
                            "cn=wikiUticLectura,ou=Groups,dc=htrueta,dc=intranet",
                            "cn=lt2b,ou=Groups,dc=htrueta,dc=intranet",
                            "cn=lt1,ou=Groups,dc=htrueta,dc=intranet",
                            "cn=lt15,ou=Groups,dc=htrueta,dc=intranet"
                        ]
                    ]
                ]
            ],
            'groupsync' => [
                "mechanism" => "allgroups",
                "mapping" => [
                    "s103" => "cn=s103,ou=Groups,dc=htrueta,dc=intranet",
                    "Domain admins" => "cn=Domain Admins,ou=Groups,dc=htrueta,dc=intranet"
                ],
                "locally-managed" => [ "local", "wiki", "group", "names" ]
            ]
        ]
    ];
    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

I tried with $wgPluggableAuth_EnableLocalLogin set to true but two login buttons appear. Neither works.

I tried with $wgLDAPUseLocal set to true and it doesn't work (I had it enabled in the old installation with the old LdapAuthentication plugin).

When I try to login I select "local" in the domain (it appears below my "ldap" domain).

Osnard (talkcontribs)

$wgLDAPUseLocal will not work with "LDAPAuthentication2". Usually $LDAPAuthentication2AllowLocalLogin = true; and selecting local in the domain drop down should be fine. Maybe it is related to the "authorization" part. Can you please disable "LDAPAuthorization" and test it again?

Dimassc (talkcontribs)

Sorry, now it is working with $LDAPAuthentication2AllowLocalLogin = true; but I don't know why :-(

Intermittent Login Failures via LDAP

Nwroble (talkcontribs)

I have been trying to get LDAP authentication configured on our MediaWiki installation I am bringing up on our network. We are configuring with enctype = ssl in our ldap.json file over port 636. I have tried other combinations, but this seems to get me closest to fully functional. I am using LDAPAuthentication2/PluggableAuth and all the other required extensions in the LDAP stack.


I can sometimes log in properly, but will almost immediately get the following error if I try again with another browser after logging out, or even with the same browser in a subsequent attempt.

"MWException from line 169 of /var/www/mediawiki-1.34.2/extensions/LDAPProvider/src/Client.php: Could not bind to LDAP: (-1) Can't contact LDAP server"

It will work intermittently, but then fail. We believe the issue may have to do with a load balanced LDAP server. Not sure if anyone else has had either success or intermittent failures with hitting a load balanced Ldap server for authentication.

Would like to know if there is anything I need to set to possibly accommodate this if this is the issue. I have been told by our System Administrators that their load balancer is configured properly and has the proper Persistence, etc.. settings set properly, and that other applications that hit it work fine.

Has anyone had any similar issue or could offer any advice?

Thank you.

Osnard (talkcontribs)
Nwroble (talkcontribs)

Osnard, no, nothing compelling. And as an update to this, what is strange is that it seems I can, most of the time, hit Refresh on the browser, and then I get in. There just doesn't seem to be any predictability to when it will fail or not.

Osnard (talkcontribs)

Can you try to set $LDAPProviderCacheType = CACHE_NONE; and tell me if it occurs more frequently?

Nwroble (talkcontribs)

I have added the $LDAPProviderCacheType = CACHE_NONE; into my LocalSettings.php file and tried a bunch of times. I'd say at least it is probably about the same number of intermittent failures as prior to doing so. Behavior is still the same following the error. Clicking refresh on browser then gets me in.

Nwroble (talkcontribs)

Also, just to let you know. I have changed my configuration in my ldap.json file to use tls/port 389 instead of ssl/port 636. Also I am now hitting a domain controller directly instead of the load balancer. At this point none of those variables seem to matter. I just get the intermittent failures and hitting the browser refresh gets me in. Also, an FYI, the error message is slightly different, for TLS, but I think that is just because it is going down a different code path for TLS vs SSL. Error message is now this: "MWException from line 141 of /var/www/mediawiki-1.34.2/extensions/LDAPProvider/src/Client.php: Could not start TLS!"

Nwroble (talkcontribs)

@Osnard, a follow up to this. I have now eliminated the intermittent LDAP login behavior. It ended up being that I needed to restart the php-fpm service (# systemctl restart php-fpm on RH 8). When I was making all my various changes in combination between servers/protocols/ports in the ldap.json and cert changes in ldap.conf, I was doing update.php every time, but I never restarted php-fpm. I just happened to stumble upon this when trying to track down whether I had proper packages installed and was researching. Unfortunately, I am new to Linux and web servers in general. Thanks for your help and taking interest.

Osnard (talkcontribs)

Sorry, I have no idea. If connection works once in a web request context it should work always. Also if the "CheckLogin.php" maintenance script works, we can assume that the LDAP configuration in general is okay. Could you please share the debug log, maybe I can spot something you didn't notice?


trying to get ldap authentication working

Seth2740 (talkcontribs)

I have MediaWiki 1.34.2 on Fedora 32 with Apache 2.4.43, MySQL 8.0.21 and PHP 7.4.8. I installed LDAPProvider, PluggableAuth and LDAPAuthentication2; autocreate account is set to true and I have a JSON file with my LDAP config (domain controller, base DN, etc., and I hope it's correct). When trying to log in, it says it can't authenticate credentials against the domain. I tried to set debug logging for the extension to a log file but it didn't create a file. I'm just trying to authenticate against a domain controller. I have PluggableAuth, LDAPAuthentication2, LDAPProvider, LDAPUserInfo, LDAPGroups. Not sure if all of those are required for this, but the documentation seems confusing only because there are so many extensions and I'm not sure if all of them are required for this. Maybe getting the logging to work to get some debugging or more info as to why it throws that error would be a start.

Osnard (talkcontribs)

Have you tried authenticating using the LDAPProvider/maintenance/CheckLogin.php script? Can you please share your configuration? LDAP_hub#Migrating_from_old_LdapAuthentication should give you a clear idea of what extensions you need from the stack.

Seth2740 (talkcontribs)

CheckLogin.php returns FAILED, though ShowUserInfo.php pulls all the info of my account. I do have LDAPProvider, LDAPAuthentication2 and PluggableAuth, so that should be fine.

Osnard (talkcontribs)

Okay, so the general connection is configured properly. Can you confirm that your LDAP backend even allows "binding" for the concrete user?

Seth2740 (talkcontribs)

Yes, the account being used is also used by other applications for LDAP lookups.

Osnard (talkcontribs)

Can you please share the exact commandline of CheckLogin.php (with arguments) and your domain config?

Seth2740 (talkcontribs)

php CheckLogin.php --domain domain.com --username user

What domain config?

Osnard (talkcontribs)

The JSON or PHP file that contains the LDAP credentials and other config.


Fatal error authenticating user (only a specific user)

AdamX8888 (talkcontribs)

I have an entirely new wiki / database / extensions setup (first time doing this).

I am using the full LDAP stack loaded as extensions, using an LDAP.json file to configure.

I've tested the php commands by hand, they query LDAP server fine and get user info, etc.

My users get a login box, with domain in the drop down, can log in fine.


One user got in once, then got errors. Now she still gets this same error above. Only her, so far. Five other users have had no problem. I've used the UserMerge extension to delete her old user. Still has this error. She has cleared her cache, used two different machines, still the same problem. She is in the correct AD group as the rest of us.


I have the extended debugging still turned on, and she is getting

"trying to access array offset on value of type null in PluggableAuth.php" (on lines 42, 43, 44)


These are the extensions I'm loading, and the order.


wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPGroups' );
wfLoadExtension( 'Auth_remoteuser' );


Any ideas? The 'realnames' isn't working either, but maybe that's a separate issue.

Cannot figure out why this one user cannot log in but the others can.

Osnard (talkcontribs)

"trying to access array offset on value of type null in PluggableAuth.php" (on lines 42, 43, 44) means that the code cannot extract "username", "password" and "domain" from the session data [1]. Can you please check if the client sends the session cookie and if the session id stays the same between the request of Special:Login and the POST request when the form is submitted?

[1] https://github.com/wikimedia/mediawiki-extensions-LDAPAuthentication2/blob/519d88ed2429157bb6cae800295d34a072e292cc/src/PluggableAuth.php#L42-L44

AdamX8888 (talkcontribs)

I will check when I can - I am currently blocked from Github.

Can you think of any reason this wouldn't be functioning on only one user? All of us should be using similar machines & browser configs, etc. I am going to have her try directly on the server IE11 itself as my login works fine there, just to see if there is any different behavior.


Thanks

Osnard (talkcontribs)

No idea. Especially as you have already tried different machines/browsers.


Fatal error authenticating on Active Directory

Abiuan (talkcontribs)

Hello,

I'm trying to configure a MW installation to use AD for authentication. I modified LocalSettings.php and created ldap.json.

I ran the extensions/LDAPProvider/maintenance/ShowUserInfo.php, ShowUserGroups.php and CheckLogin.php scripts and all three work fine. Therefore at this point I was confident. But...

When I try to login I receive the message "Fatal error authenticating user" and I find three lines like the following in the log file:

ErrorException from line 42 of /var/www/mediawiki-1.34.1/extensions/LDAPAuthentication2/src/PluggableAuth.php: PHP Notice: Trying to access array offset on value of type null

The same for lines 43 and 44. This means that the variable $extraLoginFields is empty. But why? Why does it need extra login fields? The documentation about $wgPluggableAuth_ExtraLoginFields says "This configuration variable may be set by authentication plugins and should not be set by wiki site administrators".

It happens even if I use a fake username or a wrong password therefore it seems it's not an authentication issue.

I tried with or without LDAPAuthorization and LDAPGroup extensions enabled but the result is the same.


Any suggestions?


Best regards


My configuration:

MW: 1.34.1

Php: 7.4.3

LDAPAuthentication2, LDAPAuthorization, LDAPGroups, LDAPProvider, LDAPUserInfo, PluggableAuth: latest version


my LocalSettings.php modifications:

$ldapJsonFile = "$IP/ldap.json";
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPGroups' );
$LDAPProviderDomainConfigs = $ldapJsonFile;
$LDAPAuthentication2AllowLocalLogin = false;
$wgPluggableAuth_ButtonLabel = "Log In";


my ldap.json:

{
    "MY.DOMAIN": {
        "connection": {
            "server": "adserver.ip.domain",
            "user": "aduser",
            "pass": "pass",
            "options": {
                "LDAP_OPT_DEREF": 1
            },
            "port": "636",
            "enctype": "ssl",
            "basedn": "DC=my,DC=domain",
            "userbasedn": "OU=Users,OU=organization,DC=my,DC=domain",
            "groupbasedn": "OU=Groups,OU=organization,DC=my,DC=domain",
            "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
            "searchattribute": "sAMAccountName",
            "usernameattribute": "sAMAccountName",
            "realnameattribute": "cn",
            "emailattribute": "mail",
            "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]
        },
        "userinfo": [],
        "groupsync": []
    }
}

Osnard (talkcontribs)

The values for $wgPluggableAuth_ExtraLoginFields are defined in LDAPAuthentication2/src/ExtraLoginFields.php. It is set in Setup.php of the same extension. Could you try to debug this, by checking whether the variable is properly set in that function?

Abiuan (talkcontribs)

I did some debugging. It seems it is not a problem with ExtraLoginFields. It is set and has the original values from the DOMAIN, USERNAME and PASSWORD attributes.

The issue is with the call of AuthManager->getAuthenticationSessionData() method.

AuthManager is set using

$authManager = AuthManager::singleton();

It is defined and it seems correct.

Instead, the call of $authManager->getAuthenticationSessionData(PluggableAuthLogin::EXTRALOGINFIELDS_SESSION_KEY) returns null.

PluggableAuthLogin::EXTRALOGINFIELDS_SESSION_KEY has the value "PluggableAuthLoginExtraLoginFields".


I did some debugging on authManager->getAuthenticationSessionData().

Before the login, if I do a refresh of the page, it works and gives the values of the previous login attempt. After click on "Login" button the call of

$this->request->getSession()->getSecret( 'authData' );

returns null.

Quite strange.


Sorry if it is not clear, but I am not a big expert in PHP.


Osnard (talkcontribs)

This looks like you might have an issue with the session storage in general. If you disable the LDAP stack extensions, can you log in with a local user and stay logged in?

Abiuan (talkcontribs)

You put me in the right direction. I set up the local authentication first. Then, after some tweaking, it works now.


Thank you

Osnard (talkcontribs)

Glad I could help


LDAPSearch: Custom Filter, Result Search and List of mapping fields

Guims08 (talkcontribs)

MW. 1.34.1

PHP. 7.2.18

LDAPAuthentication2. 1.0.1

LDAPProvider 1.0.3

PluggableAuth. 5.7

extensions/LDAPProvider/src/PlatformFunctionWrapper.php


Hello everyone, I do not know if this is the right place, because I have no bug but a request for advice.

I recently upgraded my MW, installed LDAPAuthentication2 and use it with Sun Directory Server Enterprise Edition 7.

Everything works fine.


But when I look at the logs (/var/www/mediawiki/debug.log). I note that the search filter is not optimal, that the search result returns me all the LDAP attributes of the user (which is useless).

It seems that the LDAP search function is in the file "extensions/LDAPProvider/src/PlatformFunctionWrapper.php", but I don't know how to customize it, which is frustrating.

I think we should modify this request [ldap_search( $linkID, $baseDN = 'dc=mycompagny,dc=country,dc=glob', $filter = '(uid=guims08)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );]

but maybe it's not here.


Does anyone know where I can customize the filter and search results?

Last point: where can I find a list of mapping data?


If anyone can answer my questions.


Thank you very much

Osnard (talkcontribs)

Hi!

Thanks for your request!

  • Q: Anyone know where can I custom filter and search results?
    • At the moment there is no good way to do it. You will probably need to hack UserInfoRequest.php . If you explain your motivation of changing the filtering, maybe I can implement something that suits your needs.
  • Q: Where i can find a list of Mappings Data ?
    • Unfortunately I don't understand completely. "LDAPAuthentication2" will only sync "username", "realname" and "email". If you need further syncing you will probably need Extension:LDAPUserInfo. This allows you to map whatever field is available in the "UserInfoRequest" response to a MediaWiki user property. You can also specify a callback function that allows additional processing of user info data.
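An added example (mine, not the extension's own code) that serves two threads above: it splits the lookup-then-bind sequence behind Seth2740's "ShowUserInfo works but CheckLogin is FAILED" result into two separate functions, and shows the narrowed search Guims08 asks about (an escaped filter and only the attributes the wiki maps, instead of '*') using PHP's ldap_* functions. $config mirrors a "connection" section of ldapprovider.json; its values are placeholders.

```php
<?php
// Added example built on PHP's ldap_* functions; it is not the LDAP stack's code.
// $config mirrors a "connection" section of ldapprovider.json; placeholder values.

$config = [
    'server' => 'ldap.example.com',
    'port' => 636,
    'enctype' => 'ssl',           // 'ssl' = ldaps://, 'tls' = STARTTLS, 'clear' = none
    'user' => 'cn=bind_user,ou=Applications,dc=example,dc=com',
    'pass' => 'REPLACE-ME',
    'userbasedn' => 'ou=Network Users,dc=example,dc=com',
    'searchattribute' => 'samaccountname',
    'usernameattribute' => 'samaccountname',
    'realnameattribute' => 'cn',
    'emailattribute' => 'mail',
];

function ldapConnect( array $c ) {
    $scheme = $c['enctype'] === 'ssl' ? 'ldaps' : 'ldap';
    $link = ldap_connect( "$scheme://{$c['server']}:{$c['port']}" );
    if ( $link === false ) {
        throw new RuntimeException( 'malformed LDAP URI' );
    }
    ldap_set_option( $link, LDAP_OPT_PROTOCOL_VERSION, 3 );
    ldap_set_option( $link, LDAP_OPT_REFERRALS, 0 );
    if ( $c['enctype'] === 'tls' && !ldap_start_tls( $link ) ) {
        // The same failure the "Could not start TLS!" exception elsewhere on this page reports.
        throw new RuntimeException( 'Could not start TLS: ' . ldap_error( $link ) );
    }
    return $link;
}

/**
 * Step 1, what ShowUserInfo.php exercises: bind with the service account and
 * look the user up. Returns null unless there is exactly one match.
 */
function findUser( $link, array $c, string $username ): ?array {
    if ( !ldap_bind( $link, $c['user'], $c['pass'] ) ) {
        throw new RuntimeException( 'service-account bind failed: ' . ldap_error( $link ) );
    }
    // The login name is user input, so it is escaped for filter context rather
    // than pasted into a "uid=USER-NAME,..." template verbatim.
    $filter = sprintf( '(%s=%s)', $c['searchattribute'],
        ldap_escape( $username, '', LDAP_ESCAPE_FILTER ) );
    // Only the attributes the wiki maps, instead of '*'.
    $wanted = [ $c['usernameattribute'], $c['realnameattribute'], $c['emailattribute'] ];
    // sizelimit 2: enough to notice a duplicated login name without pulling more.
    $result = ldap_search( $link, $c['userbasedn'], $filter, $wanted, 0, 2 );
    $entries = $result ? ldap_get_entries( $link, $result ) : false;
    if ( !$entries || $entries['count'] !== 1 ) {
        return null; // no such user, or an ambiguous one
    }
    $e = $entries[0];
    // ldap_get_entries() lower-cases attribute names, which is why the attribute
    // values in the config are lower case as well.
    return [
        'dn' => $e['dn'],
        'username' => $e[strtolower( $c['usernameattribute'] )][0] ?? null,
        'realname' => $e[strtolower( $c['realnameattribute'] )][0] ?? null,
        'email' => $e[strtolower( $c['emailattribute'] )][0] ?? null,
    ];
}

/** Step 2, what CheckLogin.php adds on top: bind as the user's own DN. */
function checkLogin( $link, string $dn, string $password ): bool {
    // An empty password would turn this into an anonymous bind, which many
    // servers accept, so it is refused before reaching the directory.
    if ( $password === '' ) {
        return false;
    }
    return @ldap_bind( $link, $dn, $password );
}

// Usage from the command line: php ldap-check.php <login-name>  (password is read from stdin)
if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    $link = ldapConnect( $config );
    $user = findUser( $link, $config, $argv[1] );
    if ( $user === null ) {
        echo "lookup FAILED: search side (filter, userbasedn, attribute names)\n";
        exit( 1 );
    }
    fwrite( STDOUT, 'Password: ' );
    $password = rtrim( (string)fgets( STDIN ), "\r\n" );
    if ( checkLogin( $link, $user['dn'], $password ) ) {
        echo "OK: {$user['dn']}\n";
    } else {
        echo "bind FAILED for {$user['dn']}: " . ldap_error( $link ) . "\n";
    }
}
```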

Credentials are not associated with any user on this wiki.

109.197.247.94 (talkcontribs)

Hello,

I recently upgraded the mediawiki package on a Debian buster server and I am configuring the LDAP authentication with LDAPAuthentication2 instead of the old extension 'LdapAuthentication'.

When I try the LDAP authentication, I get the message "The supplied credentials are not associated with any user on this wiki".

These 2 scripts below are OK and retrieve information from our LDAP directory.

  1. php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain "ldap.sub.mydomain.com" --username Nicolasgo
  2. php extensions/LDAPProvider/maintenance/CheckLogin.php --domain "ldap.sub.mydomain.com" --username Nicolasgo

Password:mypass OK

Here is my LDAP section from LocalSettings.php

...
$wgShowDBErrorBacktrace = false;
$wgDebugDumpSql = false;
$wgShowSQLErrors = false;
$wgShowExceptionDetails = true;
$wgDebugToolbar = true;
$wgDebugLogFile = "/tmp/wikimedia.log";

wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPUserInfo' );

//$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_EnableLocalProperties = false;
...

Here is my ldapprovider.json configuration :

{

       "ldap.sub.mydomain.com": {
               "connection": {
                       "server": "ldap.sub.mydomain.com",
                       "user": "loginId=nicolasgo,ou=users,dc=sub,dc=mydomain,dc=com",
                       "pass": "mypass",
                       "options": {
                               "LDAP_OPT_DEREF": 1
                       },
                       "port": 636,
                       "enctype": "ssl",
                       "basedn": "dc=sub,dc=mydomain,dc=com",
                       "groupbasedn": "dc=sub,dc=mydomain,dc=com",
                       "userbasedn": "ou=users,dc=sub,dc=mydomain,dc=com",
                       "searchattribute": "loginId",
                       "searchstring": "loginId=USER-NAME,ou=users,dc=sub,dc=mydomain,dc=com",
                       "usernameattribute": "loginId",
                       "realnameattribute": "cn",
                       "emailattribute": "mail"
               },
               "authorization": {
                       "rules": {
                       }
               },
               "userinfo": {
                       "attributes-map": {
                               "email": "mail",
                               "realname": "cn"
                       }
               }
       }

}

Here are some lines from /tmp/wikimedia.log when trying to authenticate:

Start request GET /index.php?title=Sp%C3%A9cial:Connexion
HTTP HEADERS:
COOKIE: mediawiki_dbUserName=Nicolasgo; mediawiki_db_session=e4gn5jc5la5rbtd82k6ffihsl6isr4ib
TE: trailers
UPGRADE-INSECURE-REQUESTS: 1
REFERER: https://wiki2.sub.mydomain.com/index.php?title=Sp%C3%A9cial:Connexion
ACCEPT-ENCODING: gzip, deflate, br
ACCEPT-LANGUAGE: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
USER-AGENT: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
HOST: wiki2.sub.mydomain.com
CONTENT-LENGTH:
CONTENT-TYPE:
[caches] cluster: APCUBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: APCUBagOStuff, session: APCUBagOStuff
[caches] LocalisationCache: using store LCStoreDB
[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection.
[DBReplication] Cannot use ChronologyProtector with EmptyBagOStuff.
[DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: using request info { "IPAddress": "10.XX.XX.XX", "UserAgent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.100 Safari\/537.36", "ChronologyProtection": false, "ChronologyPositionIndex": 0 }
[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: connected to database 0 at 'localhost'.
[session] Session "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" requested without UserID cookie
Unstubbing $wgParser on call of $wgParser::setHook from require_once
Parser: using preprocessor: Preprocessor_DOM
[CryptRand] 0 bytes of randomness leftover in the buffer.
[session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" data dirty due to dirty(): AuthManagerSpecialPage->handleReturnBeforeExecute/MediaWiki\Auth\AuthManager->removeAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty
[session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" save: dataDirty=1 metaDirty=0 forcePersist=0
[MessageCache] MessageCache::load: Loading fr... local cache is empty, got from global cache
Unstubbing $wgLang on call of $wgLang::_unstub from ParserOptions->__construct
QuickTemplate::__construct was called with no Config instance passed to it
[CryptRand] 0 bytes of randomness leftover in the buffer.
[session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" data dirty due to dirty(): PluggableAuthContinueAuthenticationRequest->loadFromSubmission/MediaWiki\Auth\AuthManager->removeAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty
[session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" save: dataDirty=1 metaDirty=0 forcePersist=0
[authentication] Primary login with PluggableAuthPrimaryAuthenticationProvider succeeded
[authentication] Primary login with PluggableAuthPrimaryAuthenticationProvider succeeded, but returned no user
[CryptRand] 0 bytes of randomness leftover in the buffer.
[session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" data dirty due to dirty(): AuthManagerSpecialPage->performAuthenticationStep/MediaWiki\Auth\AuthManager->continueAuthentication/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty
[session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" save: dataDirty=1 metaDirty=0 forcePersist=0
[authevents] Login attempt
QuickTemplate::__construct was called with no Config instance passed to it
MediaWiki::preOutputCommit: primary transaction round committed
MediaWiki::preOutputCommit: pre-send deferred updates completed
MediaWiki::preOutputCommit: LBFactory shutdown completed
[MessageCache] MessageCache::load: Loading en... local cache is empty, got from global cache
[gitinfo] Computed cacheFile=/usr/share/mediawiki/gitinfo.json for /usr/share/mediawiki
[gitinfo] Cache incomplete for /usr/share/mediawiki

Here are some observations:

- MediaWiki: 1.31.7, PHP: 7.3.14-1~deb10u1, Time: 1.01150, Memory: 20,48 Mio (Peak: 20,66 Mio)
- If I comment out '$LDAPAuthentication2UsernameNormalizer = 'strtolower';' I get a backtrace with the error 'DomainException from line 616 of /usr/share/mediawiki/includes/auth/AuthManager.php: PluggableAuthPrimaryAuthenticationProvider returned an invalid username'

Could you give me some hints to resolve this, please? Thank you in advance.

Nicolas

Osnard (talkcontribs)

Please try to remove the "authorization" section from your domain config completely.

109.197.247.94 (talkcontribs)

Hello,

Thank you for your answer. I removed the "authorization" section from the ldapprovider.json file and I don't load the LDAPAuthorization extension from LocalSettings.php anymore.

But the result is the same. Do you have another idea?

Best regards, Nicolas.

109.197.247.94 (talkcontribs)

I'm not sure if I am using the right version of PHP; I notice this PHP warning in the PluggableAuthLogin logs.

"[error] [72c6d20312d838d0d3ef852a] /index.php?title=Sp%C3%A9cial:PluggableAuthLogin ErrorException from line 89 of /var/lib/mediawiki/extensions/PluggableAuth/includes/PluggableAuthLogin.php: PHP Warning: count(): Parameter must be an array or an object that implements Countable"

Have you already seen this error?

I tried to get around this count function in "PluggableAuth/includes/PluggableAuthLogin.php" (because my $returnToUrl variable is not null, but it seems to be a string instead of an array), but always with the same result.

Thank you.

Osnard (talkcontribs)

If you are getting a DomainException you might set $LDAPProviderDefaultDomain = "ldap.sub.mydomain.com";

109.197.247.94 (talkcontribs)

Hello, thank you for the hint.

I added "$LDAPProviderDefaultDomain = "ldap.sub.mydomain.com";" in my LocalSettings.php. I still have the Domain Exception.

Here is the full backtrace I didn't post the last time:

[c6dab44f11ea607a1a3646b7] /index.php?title=Sp%C3%A9cial:Connexion DomainException from line 616 of /usr/share/mediawiki/includes/auth/AuthManager.php: PluggableAuthPrimaryAuthenticationProvider returned an invalid username:

Backtrace:

#0 /usr/share/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(355): MediaWiki\Auth\AuthManager->continueAuthentication(array)
#1 /usr/share/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(482): AuthManagerSpecialPage->performAuthenticationStep(string, array)
#2 /usr/share/mediawiki/includes/htmlform/HTMLForm.php(660): AuthManagerSpecialPage->handleFormSubmit(array, VFormHTMLForm)
#3 /usr/share/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(416): HTMLForm->trySubmit()
#4 /usr/share/mediawiki/includes/specialpage/LoginSignupSpecialPage.php(316): AuthManagerSpecialPage->trySubmit()
#5 /usr/share/mediawiki/includes/specialpage/SpecialPage.php(565): LoginSignupSpecialPage->execute(NULL)
#6 /usr/share/mediawiki/includes/specialpage/SpecialPageFactory.php(568): SpecialPage->run(NULL)
#7 /usr/share/mediawiki/includes/MediaWiki.php(288): SpecialPageFactory::executePath(Title, RequestContext)
#8 /usr/share/mediawiki/includes/MediaWiki.php(861): MediaWiki->performRequest()
#9 /usr/share/mediawiki/includes/MediaWiki.php(524): MediaWiki->main()
#10 /usr/share/mediawiki/index.php(42): MediaWiki->run()
#11 {main}

In the "Debug log", I get this line: "[authentication] [Auth] username: , user"

I checked in /usr/share/mediawiki/includes/auth/AuthManager.php, line 612: $res->username is empty.

Best regards.

Osnard (talkcontribs)

Which version of PluggableAuth are you using? There is no call to count in PluggableAuthLogin.php anymore. Please check whether the field "loginId" is actually listed in the result of LDAPProvider/maintenance/ShowUserInfo.php. Be aware that the extension is case sensitive here. You might check other variants like "loginid" or "loginID".

109.197.247.94 (talkcontribs)

Thank you Osnard, you found the solution. Authentication works now.

I am using PluggableAuth: REL1_31 (2019-05-20T02:40:46).

The field "loginid" is listed in the result of LDAPProvider/maintenance/ShowUserInfo.php but I was using "loginId" in my ldapprovider.json configuration.

Reply to "Credentials are not associated with any user on this wiki."
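The root cause in the thread above is a case-only mismatch: the directory answers attribute queries case-insensitively, but the user record that comes back through PHP's ldap_get_entries() has its attribute names lowercased, so a config that spells the attribute "loginId" looks up a key that is not there and the provider returns an empty username (the "[Auth] username: ," line in the debug log). The script below is an added example, not code from LDAPProvider or LDAPAuthentication2: it reads a domain config in the shape of ldapprovider.json, compares every attribute name it references against a user record in the shape of a ShowUserInfo.php result, and reports exact-spelling misses separately from case-only misses. Both the config and the user record are constructed sample data modelled on the thread, and the way the username is resolved (first value of usernameattribute, empty string when the key is absent) is an assumption that reproduces the symptom, not a claim about the extension's internals.

```python
"""Check ldapprovider.json attribute names against an LDAP user record,
exactly as spelled. Added example, not part of the LDAP extensions."""
import json

# Constructed sample: the domain config from the thread, with the
# mixed-case attribute names that caused the empty username.
SAMPLE_CONFIG = json.loads(r'''
{
  "ldap.sub.mydomain.com": {
    "connection": {
      "searchattribute": "loginId",
      "usernameattribute": "loginId",
      "realnameattribute": "cn",
      "emailattribute": "mail"
    },
    "userinfo": {
      "attributes-map": { "email": "mail", "realname": "cn" }
    }
  }
}
''')

# Constructed sample: a user record as ldap_get_entries() returns it,
# with attribute names lowercased (this is what ShowUserInfo.php prints).
SAMPLE_USER_RECORD = {
    "loginid": ["Nicolasgo"],
    "cn": ["Nicolas Go"],
    "mail": ["nicolasgo@sub.mydomain.com"],
}

# Connection keys whose values name a directory attribute.
ATTRIBUTE_KEYS = ("searchattribute", "usernameattribute",
                  "realnameattribute", "emailattribute")


def configured_attributes(domain_config):
    """Return {config path: attribute name} for every attribute the config names."""
    found = {}
    conn = domain_config.get("connection", {})
    for key in ATTRIBUTE_KEYS:
        if key in conn:
            found["connection." + key] = conn[key]
    amap = domain_config.get("userinfo", {}).get("attributes-map", {})
    for wiki_field, attr in amap.items():
        found["userinfo.attributes-map." + wiki_field] = attr
    return found


def check_attributes(domain_config, record):
    """Compare configured names against the record keys, case-sensitively.

    Returns a list of (config path, configured name, status, hint):
      "ok"      - key present with the same spelling
      "case"    - only a case variant exists; hint is the spelling to use
      "missing" - no variant of the name exists in the record
    """
    by_lower = {k.lower(): k for k in record}
    results = []
    for path, attr in configured_attributes(domain_config).items():
        if attr in record:
            results.append((path, attr, "ok", attr))
        elif attr.lower() in by_lower:
            results.append((path, attr, "case", by_lower[attr.lower()]))
        else:
            results.append((path, attr, "missing", None))
    return results


def resolve_username(domain_config, record):
    """Assumed model of the username lookup: first value of usernameattribute,
    or "" when the key is absent, which is the empty username the log shows."""
    attr = domain_config["connection"]["usernameattribute"]
    values = record.get(attr, [])
    return values[0] if values else ""


def main():
    for domain, cfg in SAMPLE_CONFIG.items():
        user = resolve_username(cfg, SAMPLE_USER_RECORD)
        print(f"{domain}: username resolves to {user!r}")
        for path, attr, status, hint in check_attributes(cfg, SAMPLE_USER_RECORD):
            if status == "case":
                print(f"  {path} = {attr!r}: record only has {hint!r} (case mismatch)")
            elif status == "missing":
                print(f"  {path} = {attr!r}: not present in record")


if __name__ == "__main__":
    main()
```

Run it against your own ShowUserInfo.php output by replacing SAMPLE_USER_RECORD with the attributes it prints; every "case" line names the spelling to put into ldapprovider.json, and a "missing" line means the directory does not return that attribute at all for the bind user, which is a permissions or schema question rather than a spelling one.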