Extension talk:LDAPAuthentication2


About this board

When reporting an error, please be sure to include version information for MediaWiki and all relevant extensions as well as configuration information. Also, please turn on debug logging as described at Manual:How to debug#Logging and include the relevant portions of the debug log.

No local login and no group sync

Dimassc (talkcontribs)

I'm trying to migrate from the old LdapAuthentication to the new LDAP Hub extensions. Now I can log in with the LDAP domain but can't log in with local users.

Sorry, I created a similar entry in Topic:Vu74cyrkefdaua69 but I think LDAPAuthentication2 is the responsible plugin, you can delete the other post.

If I have $LDAPAuthentication2AllowLocalLogin = true and $wgPluggableAuth_EnableAutoLogin = false it doesn't work (I select the 'local' domain of course). But if I set it the other way around I can log in with a local user (two login buttons appear; the first works, the second doesn't because it tries to log in to the domain).

For the local login I created a user like this:

php ./wikiutic/maintenance/createAndPromote.php --force --bureaucrat admin password

My LocalSettings.php:

# LDAP authentication

wfLoadExtensions( [
   'PluggableAuth', // Base authentication
   'LDAPProvider', // Base authentication
   'LDAPAuthentication2', // Base authentication
   'LDAPAuthorization', // To restrict access by group
   'LDAPGroups' // To sync LDAP groups with local ones
] );

// $wgPluggableAuth_EnableAutoLogin = true; /* If enabled, it disables the logout option */
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_ButtonLabel = "Inicia sessió";
$LDAPAuthentication2UsernameNormalizer = 'strtoupper'; // strtolower does not work
$LDAPAuthentication2AllowLocalLogin = true;
$wgLDAPUseLocal = false; // Allow local wiki authentication. Check that it is not overridden in LdapAuthentication.php

$LDAPProviderDomainConfigProvider = function() {
   $config = [
       'LDAP' => [
           'connection' => [
               "server" => "golum.trueta.intranet",
               "enctype" => 'clear',
               "basedn" => "dc=htrueta,dc=intranet",
               "userbasedn" => "dc=htrueta,dc=intranet", // ou=Users,dc=htrueta,dc=intranet
               "searchstring" => "uid=USER-NAME,ou=Users,dc=htrueta,dc=intranet",
               "searchattribute" => "uid",
               "usernameattribute" => "uid",
               "realnameattribute" => "cn",
               "emailattribute" => "mail",
               "groupbasedn" => "dc=htrueta,dc=intranet", // ou=Groups,dc=htrueta,dc=intranet
               "groupattribute" => "memberuid",
               "groupobjectclass" => "posixgroup",
               "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\Configurable::factory"
           ],
           'authorization' => [
               'rules' => [
                   'groups' => [
                       'required' => [ "cn=Domain Admins,ou=Groups,dc=htrueta,dc=intranet",
                                       "cn=s103,ou=Groups,dc=htrueta,dc=intranet",
                                       "cn=wikiUtic,ou=Groups,dc=htrueta,dc=intranet",
                                       "cn=wikiUticLectura,ou=Groups,dc=htrueta,dc=intranet",
                                       "cn=lt2b,ou=Groups,dc=htrueta,dc=intranet",
                                       "cn=lt1,ou=Groups,dc=htrueta,dc=intranet",
                                       "cn=lt15,ou=Groups,dc=htrueta,dc=intranet" ]
                   ]
               ]
           ],
           'groupsync' => [
               "mechanism" => "allgroups",
               "mapping" => [
                   "s103" => "cn=s103,ou=Groups,dc=htrueta,dc=intranet",
                   "Domain admins" => "cn=Domain Admins,ou=Groups,dc=htrueta,dc=intranet"
               ],
               "locally-managed" => [ "local", "wiki", "group", "names" ]
           ]
       ]
   ];
   return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

I tried with $wgPluggableAuth_EnableLocalLogin set to true but two login buttons appear. Neither works.

I tried with $wgLDAPUseLocal set to true and it doesn't work (I had it enabled in the old installation with the old LdapAuthentication plugin).

When I try to login I select "local" in the domain (it appears below my "ldap" domain).

Osnard (talkcontribs)

$wgLDAPUseLocal will not work with "LDAPAuthentication2". Usually $LDAPAuthentication2AllowLocalLogin = true; and selecting "local" in the domain drop down should be fine. Maybe it is related to the "authorization" part. Can you please disable "LDAPAuthorization" and test it again?
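The reply above points at a migration pitfall: settings from the old LdapAuthentication extension (the `$wgLDAP*` family, `$wgLDAPUseLocal` here) are silently ignored by LDAPAuthentication2. The script below is an added example, not code from MediaWiki or the LDAP stack: it lints a LocalSettings.php fragment for leftover `$wgLDAP*` globals and for the combination of `$wgPluggableAuth_EnableLocalLogin` and `$LDAPAuthentication2AllowLocalLogin` that the poster reports produces two login buttons. Treating every `$wgLDAP*` global as legacy (the new stack uses `$LDAPProvider*`, `$LDAPAuthentication2*` and `$wgPluggableAuth_*`) is an assumption of this example, and the sample fragments are constructed from the configuration posted in this thread.

```python
"""Lint a LocalSettings.php fragment for settings left over from the old
LdapAuthentication extension and for a local-login combination that this
thread reports as confusing.

Added example; not code from MediaWiki or the LDAP stack. Assumption: every
$wgLDAP* global belongs to the old LdapAuthentication extension, which
LDAPAuthentication2 does not read.
"""
import re
from typing import Dict, List, Tuple

# One PHP assignment per line: $name = value;  (a trailing // comment is ignored)
ASSIGN_RE = re.compile(r'^\s*(\$\w+)\s*=\s*(.+?)\s*;')
# Whole-line comments are skipped, so a commented-out setting is not reported
COMMENT_RE = re.compile(r'^\s*(//|#)')


def parse_settings(php_source: str) -> Dict[str, str]:
    """Return {variable: raw PHP value} for top-level assignments."""
    settings: Dict[str, str] = {}
    for line in php_source.splitlines():
        if COMMENT_RE.match(line):
            continue
        m = ASSIGN_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def php_true(value: str) -> bool:
    """PHP boolean literal check; anything but a bare 'true' counts as false."""
    return value.strip().lower() == 'true'


def lint(php_source: str) -> List[Tuple[str, str]]:
    """Return (setting, message) pairs for anything worth a second look."""
    settings = parse_settings(php_source)
    findings: List[Tuple[str, str]] = []
    for name in settings:
        if name.startswith('$wgLDAP'):
            findings.append((name, 'setting from the old LdapAuthentication extension; '
                                   'LDAPAuthentication2 does not read it'))
    if php_true(settings.get('$wgPluggableAuth_EnableLocalLogin', 'false')) \
            and php_true(settings.get('$LDAPAuthentication2AllowLocalLogin', 'false')):
        findings.append(('$wgPluggableAuth_EnableLocalLogin',
                         'enabled together with $LDAPAuthentication2AllowLocalLogin; '
                         'the thread reports two login buttons in this combination'))
    return findings


# Constructed samples modelled on the fragment posted in this thread.
SAMPLE_MIGRATED = """\
$wgPluggableAuth_EnableLocalLogin = false;
$LDAPAuthentication2UsernameNormalizer = 'strtoupper';
$LDAPAuthentication2AllowLocalLogin = true;
$wgLDAPUseLocal = false; // carried over from LdapAuthentication
// $wgLDAPDomainNames = [ 'LDAP' ];  commented out, so not reported
"""

SAMPLE_TWO_BUTTONS = """\
$wgPluggableAuth_EnableLocalLogin = true;
$LDAPAuthentication2AllowLocalLogin = true;
"""

if __name__ == '__main__':
    for label, src in (('migrated', SAMPLE_MIGRATED), ('two buttons', SAMPLE_TWO_BUTTONS)):
        print(label)
        for name, msg in lint(src):
            print(f'  {name}: {msg}')
```

Run it against your own LocalSettings.php by reading the file into `lint()`; a commented-out legacy line is deliberately left alone, so only live assignments are reported.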


Intermittent Login Failures via LDAP

Nwroble (talkcontribs)

I have been trying to get LDAP Authentication configured on our MediaWiki installation I am bringing up on our network. We are configuring with enctype = ssl in our ldap.json file over port 636. Have tried other combinations, but this seems to get me closest to fully functional. I am using LDAPAuthentication2/PluggableAuth and all the other required extensions in the LDAP stack.


I can sometimes log in properly, but will almost immediately get the following error if I try again with another browser after logging out, or even with the same browser in a subsequent attempt.

"MWException from line 169 of /var/www/mediawiki-1.34.2/extensions/LDAPProvider/src/Client.php: Could not bind to LDAP: (-1) Can't contact LDAP server"

It will work intermittently, but then fail. We believe the issue may have to do with a load balanced LDAP server. Not sure if anyone else has had either success or intermittent failures with hitting a load balanced Ldap server for authentication.

Would like to know if there is anything I need to set to possibly accommodate this if this is the issue. I have been told by our System Administrators that their load balancer is configured properly and has the proper Persistence, etc.. settings set properly, and that other applications that hit it work fine.

Has anyone had any similar issue or could offer any advice?

Thank you.

Osnard (talkcontribs)
Nwroble (talkcontribs)

Osnard, no, nothing compelling. And as an update to this, what is strange is that it seems I can most of the time hit Refresh on the browser, and then I get in. There just doesn't seem to be any predictability to when it will fail or not.

Osnard (talkcontribs)

Can you try to set $LDAPProviderCacheType = CACHE_NONE; and tell me if it occurs more frequently.

Nwroble (talkcontribs)

I have added the $LDAPProviderCacheType = CACHE_NONE; into my LocalSettings.php file and tried a bunch of times. I'd say at least it is probably about the same number of intermittent failures as prior to doing so. Behavior is still the same following the error. Clicking refresh on browser then gets me in.

Nwroble (talkcontribs)

Also, just to let you know. I have changed my configuration in my ldap.json file to use tls/port 389 instead of ssl/port 636. Also I am now hitting a domain controller directly instead of the load balancer. At this point none of those variables seem to matter. I just get the intermittent failures and hitting the browser refresh gets me in. Also, an FYI, the error message is slightly different, for TLS, but I think that is just because it is going down a different code path for TLS vs SSL. Error message is now this: "MWException from line 141 of /var/www/mediawiki-1.34.2/extensions/LDAPProvider/src/Client.php: Could not start TLS!"

Nwroble (talkcontribs)

@Osnard, a follow-up to this. I have now eliminated the intermittent LDAP login behavior. It ended up being that I needed to restart the php-fpm service (# systemctl restart php-fpm on RH 8). When I was making all my various changes in combination between servers/protocols/ports in the ldap.json and cert changes in ldap.conf, I was doing update.php every time, but I never restarted php-fpm. I just happened to stumble upon this when trying to track down whether I had the proper packages installed and was researching. Unfortunately, I am new to Linux and web servers in general. Thanks for your help and taking interest.

Osnard (talkcontribs)

Sorry, I have no idea. If connection works once in a web request context it should work always. Also if the "CheckLogin.php" maintenance script works, we can assume that the LDAP configuration in general is okay. Could you please share the debug log, maybe I can spot something you didn't notice?


trying to get ldap authentication working

Seth2740 (talkcontribs)

I have MediaWiki 1.34.2 on Fedora 32 with Apache 2.4.43, MySQL 8.0.21 and PHP 7.4.8. I installed LDAPProvider, PluggableAuth and LDAPAuthentication2; autocreate account is set to true and I have a JSON file with my LDAP config (domain controller, base DN, etc., and hope it's correct). When trying to log in, it says it can't authenticate credentials against the domain. I tried to set debug logging for the extension to a log file but it didn't create a file. I'm just trying to authenticate against a domain controller. I have PluggableAuth, LDAPAuthentication2, LDAPProvider, LDAPUserInfo, LDAPGroups. Not sure if all of those are required for this, but the documentation seems confusing only because there are so many extensions and I'm not sure if all of them are required for this. Maybe getting the logging to work, to get some debugging or more info as to why it throws that error, would be a start.

Osnard (talkcontribs)

Have you tried authenticating using the LDAPProvider/maintenance/CheckLogin.php script? Can you please share your configuration? LDAP_hub#Migrating_from_old_LdapAuthentication should give you a clear idea of what extensions you need from the stack.

Seth2740 (talkcontribs)

CheckLogin.php returns FAILED though ShowUserInfo.php pulls all the info of my account. I do have LDAPProvider, LDAPAuthentication2 and PluggableAuth so that should be fine.

Osnard (talkcontribs)

Okay, so the general connection is configured properly. Can you confirm that your LDAP backend even allows "binding" for the concrete user?

Seth2740 (talkcontribs)

yes the account being used is also used by other applications for ldap lookups

Osnard (talkcontribs)

Can you please share the exact commandline of CheckLogin.php (with arguments) and your domain config?

Seth2740 (talkcontribs)

php CheckLogin.php --domain domain.com --username user

what domain config?

Osnard (talkcontribs)

The JSON or PHP file that contains the LDAP credentials and other config.


Fatal error authenticating user (only a specific user)

AdamX8888 (talkcontribs)

I have an entirely new wiki / database / extensions setup (first time doing this).

I am using the full LDAP stack loaded as extensions, using an LDAP.json file to configure.

I've tested the php commands by hand, they query LDAP server fine and get user info, etc.

My users get a login box, with domain in the drop down, can log in fine.


One user got in once, then got errors. Now she still gets this same error above. Only her, so far. Five other users have had no problem. I've used the UserMerge extension to delete her old user. Still has this error. She has cleared her cache, used two different machines, still the same problem. She is in the correct AD group as the rest of us.


I have the extended debugging still turned on, and she is getting

"trying to access array offset on value of type null in PluggableAuth.php" (on lines 42, 43, 44)


These are the extensions I'm loading, and the order.

wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPGroups' );
wfLoadExtension( 'Auth_remoteuser' );


Any ideas? The 'realnames' isn't working either, but maybe that's a separate issue.

Cannot figure out why this one user cannot log in but the others can.

Osnard (talkcontribs)

"trying to access array offset on value of type null in PluggableAuth.php" (on lines 42, 43, 44) means that the code can not extract "username", "password" and "domain" from the session data [1]. Can you please check if the client sends the session cookie and if the session id stays the same between the request of Special:Login and the POST request when the form is submitted.

[1] https://github.com/wikimedia/mediawiki-extensions-LDAPAuthentication2/blob/519d88ed2429157bb6cae800295d34a072e292cc/src/PluggableAuth.php#L42-L44

AdamX8888 (talkcontribs)

I will check when I can - I am currently blocked from Github.

Can you think of any reason this wouldn't be functioning on only one user? All of us should be using similar machines & browser configs, etc. I am going to have her try directly on the server IE11 itself as my login works fine there, just to see if there is any different behavior.


Thanks

Osnard (talkcontribs)

No idea. Especially as you have already tried different machines/browsers.


Fatal error authenticating on Active Directory

Abiuan (talkcontribs)

Hello,

I'm trying to configure a MW installation to use AD for authentication. I modified LocalSettings.php and created ldap.json.

I ran the extensions/LDAPProvider/maintenance/ShowUserInfo.php, ShowUserGroups.php and CheckLogin.php scripts and all three work fine. Therefore at this point I was confident. But...

When I try to login I receive the message "Fatal error authenticating user" and I find three lines like the following in the log file:

ErrorException from line 42 of /var/www/mediawiki-1.34.1/extensions/LDAPAuthentication2/src/PluggableAuth.php: PHP Notice: Trying to access array offset on value of type null

The same for lines 43 and 44. This means that the variable $extraLoginFields is empty. But why? Why does it need extra login fields? The documentation about $wgPluggableAuth_ExtraLoginFields says "This configuration variable may be set by authentication plugins and should not be set by wiki site administrators".

It happens even if I use a fake username or a wrong password, therefore it seems it's not an authentication issue.

I tried with or without LDAPAuthorization and LDAPGroup extensions enabled but the result is the same.


Any suggestions?


Best regards


My configuration:

MW: 1.34.1

Php: 7.4.3

LDAPAuthentication2, LDAPAuthorization, LDAPGroups, LDAPProvider, LDAPUserInfo, PluggableAuth: latest version


My LocalSettings.php modifications:

$ldapJsonFile = "$IP/ldap.json";

wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPGroups' );

$LDAPProviderDomainConfigs = $ldapJsonFile;
$LDAPAuthentication2AllowLocalLogin = false;
$wgPluggableAuth_ButtonLabel = "Log In";


My ldap.json:

{
   "MY.DOMAIN": {
       "connection": {
           "server": "adserver.ip.domain",
           "user": "aduser",
           "pass": "pass",
           "options": {
               "LDAP_OPT_DEREF": 1
           },
           "port": "636",
           "enctype": "ssl",
           "basedn": "DC=my,DC=domain",
           "userbasedn": "OU=Users,OU=organization,DC=my,DC=domain",
           "groupbasedn": "OU=Groups,OU=organization,DC=my,DC=domain",
           "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
           "searchattribute": "sAMAccountName",
           "usernameattribute": "sAMAccountName",
           "realnameattribute": "cn",
           "emailattribute": "mail",
           "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]
       },
       "userinfo": [],
       "groupsync": []
   }
}

Osnard (talkcontribs)

The values for $wgPluggableAuth_ExtraLoginFields are defined in LDAPAuthentication2/src/ExtraLoginFields.php. It is set in Setup.php of the same extension. Could you try to debug this, by checking whether the variable is properly set in that function?

Abiuan (talkcontribs)

I did some debugging. It seems it is not a problem with ExtraLoginFields. It is set and has the original values from the DOMAIN, USERNAME and PASSWORD attributes.

The issue is with the call of AuthManager->getAuthenticationSessionData() method.

Authmanager is set using

$authManager = AuthManager::singleton();

It is defined and it seems correct.

Instead, the call of $authManager->getAuthenticationSessionData(PluggableAuthLogin::EXTRALOGINFIELDS_SESSION_KEY) returns null;

PluggableAuthLogin::EXTRALOGINFIELDS_SESSION_KEY has the value "PluggableAuthLoginExtraLoginFields".


I did some debug on authManager->getAuthenticationSessionData().

Before the login, if I do a refresh of the page, it works and gives the values of the previous login attempt. After click on "Login" button the call of

$this->request->getSession()->getSecret( 'authData' );

returns null.

Quite strange.


Sorry if it is not clear but I am not a big expert in PHP.


Osnard (talkcontribs)

This looks like you might have an issue with the session storage in general. If you disable the LDAP-Stack extension, can you log in with a local user and stay logged in?
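Both this thread and the one above ("Fatal error authenticating user (only a specific user)") end up at the same diagnosis: the login POST cannot read back the session data the GET stored, so the request either carried no session cookie or landed in a different session. The script below is an added example, not code from PluggableAuth or MediaWiki: it reads MediaWiki debug-log lines of the shape shown elsewhere on this page (`Start request GET /index.php?...`, `COOKIE: <prefix>_session=...`, `[session] SessionBackend "<id>" ...`), groups them per request, and reports a login POST whose client sent no session cookie or whose backend session id differs from the GET that rendered the form. The two log excerpts are constructed; `Special:UserLogin` as the login page title is assumed (the log above uses the localized `Spécial:Connexion`), and the cookie prefix `mediawiki_db` is taken from that log.

```python
"""Check a MediaWiki debug log for a login POST that lost its session.

Added example; not part of PluggableAuth, LDAPAuthentication2 or MediaWiki.
Log line shapes follow the debug log quoted on this page; the sample logs
below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

START_RE = re.compile(r'^Start request (\w+) (\S+)')
# Any "<cookieprefix>_session=<id>" inside a COOKIE header
COOKIE_RE = re.compile(r'COOKIE:.*?\b\w+_session=([0-9a-z]+)')
BACKEND_RE = re.compile(r'\[session\] SessionBackend "([0-9a-z]+)"')


@dataclass
class Request:
    method: str
    path: str
    cookie_session: Optional[str] = None          # session id the client sent
    backend_sessions: List[str] = field(default_factory=list)  # ids the server used


def parse_requests(log: str) -> List[Request]:
    """Split the log at 'Start request' lines and collect session ids per request."""
    requests: List[Request] = []
    for line in log.splitlines():
        m = START_RE.match(line)
        if m:
            requests.append(Request(m.group(1), m.group(2)))
        if not requests:
            continue  # lines before the first request are ignored
        cur = requests[-1]
        m = COOKIE_RE.search(line)
        if m:
            cur.cookie_session = m.group(1)
        for sid in BACKEND_RE.findall(line):
            if sid not in cur.backend_sessions:
                cur.backend_sessions.append(sid)
    return requests


def check_login_session(log: str, login_title: str = 'Special:UserLogin') -> List[str]:
    """Return human-readable findings; an empty list means the session was stable."""
    findings: List[str] = []
    login_reqs = [r for r in parse_requests(log) if login_title in r.path]
    for r in login_reqs:
        if r.cookie_session is None:
            findings.append(f'{r.method} {r.path}: no session cookie sent by the client')
        for sid in r.backend_sessions:
            if r.cookie_session is not None and sid != r.cookie_session:
                findings.append(f'{r.method} {r.path}: backend session {sid} '
                                f'differs from cookie session {r.cookie_session}')
    # The form GET and the submitting POST must share a session, or the
    # extra login fields stored on GET are unreadable on POST.
    for prev, nxt in zip(login_reqs, login_reqs[1:]):
        if prev.method == 'GET' and nxt.method == 'POST':
            ids_prev, ids_next = set(prev.backend_sessions), set(nxt.backend_sessions)
            if ids_prev and ids_next and ids_prev.isdisjoint(ids_next):
                findings.append(f'session id changed between GET and POST of {login_title}: '
                                f'{sorted(ids_prev)} -> {sorted(ids_next)}')
    return findings


# Constructed: a healthy login, same session on GET and POST.
LOG_OK = """\
Start request GET /index.php?title=Special:UserLogin
COOKIE: mediawiki_db_session=e4gn5jc5la5rbtd82k6ffihsl6isr4ib
[session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" save: dataDirty=1 metaDirty=0 forcePersist=0
Start request POST /index.php?title=Special:UserLogin
COOKIE: mediawiki_db_session=e4gn5jc5la5rbtd82k6ffihsl6isr4ib
[session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" save: dataDirty=1 metaDirty=0 forcePersist=0
[authentication] Primary login with PluggableAuthPrimaryAuthenticationProvider succeeded
"""

# Constructed: the POST arrives without the cookie and gets a fresh session.
LOG_BROKEN = """\
Start request GET /index.php?title=Special:UserLogin
COOKIE: mediawiki_db_session=e4gn5jc5la5rbtd82k6ffihsl6isr4ib
[session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" save: dataDirty=1 metaDirty=0 forcePersist=0
Start request POST /index.php?title=Special:UserLogin
[session] SessionBackend "0ofbtpr5k29c4kq2g5ra6q1ch4n4m0vu" save: dataDirty=1 metaDirty=0 forcePersist=0
[authentication] Primary login with PluggableAuthPrimaryAuthenticationProvider succeeded, but returned no user
"""

if __name__ == '__main__':
    for label, log in (('ok', LOG_OK), ('broken', LOG_BROKEN)):
        print(label, check_login_session(log) or 'session stable')
```

Point it at your `$wgDebugLogFile` (pass the file contents to `check_login_session`, with `login_title` set to the localized special-page name if your wiki is not in English). A finding here usually means the session store itself is at fault, which is exactly the check the reply above suggests: see whether a purely local login stays logged in with the LDAP stack disabled.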

Abiuan (talkcontribs)

You put me in the right direction. I set up local authentication first. Then, after some tweaking, it works now.


Thank you

Osnard (talkcontribs)

Glad I could help


LDAPSearch: Custom Filter, Result Search and List of mapping fields

Guims08 (talkcontribs)

MW. 1.34.1

PHP. 7.2.18

LDAPAuthentication2. 1.0.1

LDAPProvider 1.0.3

PluggableAuth. 5.7

extensions/LDAPProvider/src/PlatformFunctionWrapper.php


Hello everyone, I do not know if this is the right place, because I have no bug but a request for advice.

I recently upgraded my MW, installed LDAPAuthentication2 and use it with Sun Directory Server Enterprise Edition 7.

Everything works fine.


But when I look at the logs (/var/www/mediawiki/debug.log), I note that the search filter is not optimal and that the search result returns me all the LDAP attributes of the user (which is useless).

It seems that the LDAP search function is in the file "extensions/LDAPProvider/src/PlatformFunctionWrapper.php" but I don't know how to customize it, which is frustrating.

I think we should modify this request [ldap_search( $linkID, $baseDN = 'dc=mycompagny,dc=country,dc=glob', $filter = '(uid=guims08)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );]

but maybe it's not here.


Does anyone know where I can customize the filter and search results?

Last point: where can I find a list of mapping data?


If anyone can answer my questions.


Thank you very much

Osnard (talkcontribs)

Hi!

Thanks for your request!

  • Q: Anyone know where can I custom filter and search results?
    • At the moment there is no good way to do it. You will probably need to hack UserInfoRequest.php. If you explain your motivation for changing the filtering, maybe I can implement something that suits your needs.
  • Q: Where i can find a list of Mappings Data ?
    • Unfortunately I don't understand completely. "LDAPAuthentication2" will only sync "username", "realname" and "email". If you need further syncing you will probably need Extension:LDAPUserInfo. This allows you to map whatever field is available in the "UserInfoRequest" response to a MediaWiki user property. You can also specify a callback function that allows additional processing of user info data.

Credentials are not associated with any user on this wiki.

109.197.247.94 (talkcontribs)

Hello,

I recently upgraded the mediawiki package on a Debian buster server and I am configuring the LDAP authentication with LDAPAuthentication2 instead of the old extension 'LdapAuthentication'.

When I try the LDAP authentication, I get the message "The supplied credentials are not associated with any user on this wiki".

These 2 scripts below are OK and retrieve information from our LDAP directory.

  1. php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain "ldap.sub.mydomain.com" --username Nicolasgo
  2. php extensions/LDAPProvider/maintenance/CheckLogin.php --domain "ldap.sub.mydomain.com" --username Nicolasgo

Password:mypass OK

Here is my LDAP section from LocalSettings.php:

...
$wgShowDBErrorBacktrace = false;
$wgDebugDumpSql = false;
$wgShowSQLErrors = false;
$wgShowExceptionDetails = true;
$wgDebugToolbar = true;
$wgDebugLogFile = "/tmp/wikimedia.log";

wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPUserInfo' );

//$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_EnableLocalProperties = false;
...

Here is my ldapprovider.json configuration:

{

       "ldap.sub.mydomain.com": {
               "connection": {
                       "server": "ldap.sub.mydomain.com",
                       "user": "loginId=nicolasgo,ou=users,dc=sub,dc=mydomain,dc=com",
                       "pass": "mypass",
                       "options": {
                               "LDAP_OPT_DEREF": 1
                       },
                       "port": 636,
                       "enctype": "ssl",
                       "basedn": "dc=sub,dc=mydomain,dc=com",
                       "groupbasedn": "dc=sub,dc=mydomain,dc=com",
                       "userbasedn": "ou=users,dc=sub,dc=mydomain,dc=com",
                       "searchattribute": "loginId",
                       "searchstring": "loginId=USER-NAME,ou=users,dc=sub,dc=mydomain,dc=com",
                       "usernameattribute": "loginId",
                       "realnameattribute": "cn",
                       "emailattribute": "mail"
               },
               "authorization": {
                       "rules": {
                       }
               },
               "userinfo": {
                       "attributes-map": {
                               "email": "mail",
                               "realname": "cn"
                       }
               }
       }

}

Here are some lines from /tmp/wikimedia.log when trying to authenticate:

"Start request GET /index.php?title=Sp%C3%A9cial:Connexion HTTP HEADERS: COOKIE: mediawiki_dbUserName=Nicolasgo; mediawiki_db_session=e4gn5jc5la5rbtd82k6ffihsl6isr4ib TE: trailers UPGRADE-INSECURE-REQUESTS: 1 REFERER: h t t p s : / / wiki2.sub.mydomain.com/index.php?title=Sp%C3%A9cial:Connexion ACCEPT-ENCODING: gzip, deflate, br ACCEPT-LANGUAGE: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3 ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 USER-AGENT: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36 HOST: wiki2.sub.mydomain.com CONTENT-LENGTH: CONTENT-TYPE: [caches] cluster: APCUBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: APCUBagOStuff, session: APCUBagOStuff [caches] LocalisationCache: using store LCStoreDB [DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection. [DBReplication] Cannot use ChronologyProtector with EmptyBagOStuff. [DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: using request info { "IPAddress": "10.XX.XX.XX", "UserAgent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.100 Safari\/537.36", "ChronologyProtection": false, "ChronologyPositionIndex": 0 } [DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: connected to database 0 at 'localhost'. [session] Session "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" requested without UserID cookie Unstubbing $wgParser on call of $wgParser::setHook from require_once Parser: using preprocessor: Preprocessor_DOM [CryptRand] 0 bytes of randomness leftover in the buffer. 
[session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" data dirty due to dirty(): AuthManagerSpecialPage->handleReturnBeforeExecute/MediaWiki\Auth\AuthManager->removeAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty [session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" save: dataDirty=1 metaDirty=0 forcePersist=0 [MessageCache] MessageCache::load: Loading fr... local cache is empty, got from global cache Unstubbing $wgLang on call of $wgLang::_unstub from ParserOptions->__construct QuickTemplate::__construct was called with no Config instance passed to it [CryptRand] 0 bytes of randomness leftover in the buffer. [session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" data dirty due to dirty(): PluggableAuthContinueAuthenticationRequest->loadFromSubmission/MediaWiki\Auth\AuthManager->removeAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty [session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" save: dataDirty=1 metaDirty=0 forcePersist=0 [authentication] Primary login with PluggableAuthPrimaryAuthenticationProvider succeeded [authentication] Primary login with PluggableAuthPrimaryAuthenticationProvider succeeded, but returned no user [CryptRand] 0 bytes of randomness leftover in the buffer. 
[session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" data dirty due to dirty(): AuthManagerSpecialPage->performAuthenticationStep/MediaWiki\Auth\AuthManager->continueAuthentication/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty [session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" save: dataDirty=1 metaDirty=0 forcePersist=0 [authevents] Login attempt QuickTemplate::__construct was called with no Config instance passed to it MediaWiki::preOutputCommit: primary transaction round committed MediaWiki::preOutputCommit: pre-send deferred updates completed MediaWiki::preOutputCommit: LBFactory shutdown completed [MessageCache] MessageCache::load: Loading en... local cache is empty, got from global cache [gitinfo] Computed cacheFile=/usr/share/mediawiki/gitinfo.json for /usr/share/mediawiki [gitinfo] Cache incomplete for /usr/share/mediawiki"

Here are some observations:

- MediaWiki: 1.31.7 PHP: 7.3.14-1~deb10u1 Time: 1.01150 Memory: 20,48 Mio (Peak: 20,66 Mio)
- If I comment out '$LDAPAuthentication2UsernameNormalizer = 'strtolower';' I get a backtrace with error 'DomainException from line 616 of /usr/share/mediawiki/includes/auth/AuthManager.php: PluggableAuthPrimaryAuthenticationProvider returned an invalid username'

Could you give me some hints to resolve this please? Thank you in advance.

Nicolas

Osnard (talkcontribs)

Please try to remove the "authorization" section from your domain config completely.

109.197.247.94 (talkcontribs)

Hello,

Thank you for your answer. I removed the "authorization" section from the ldapprovider.json file and I don't load the LDAPAuthorization extension anymore from LocalSettings.php.

But the result is the same. Do you have another idea?

Best regards, Nicolas.

109.197.247.94 (talkcontribs)

I'm not sure if I am using the right version of PHP; I noticed this PHP warning in the PluggableAuthLogin logs.

"[error] [72c6d20312d838d0d3ef852a] /index.php?title=Sp%C3%A9cial:PluggableAuthLogin ErrorException from line 89 of /var/lib/mediawiki/extensions/PluggableAuth/includes/PluggableAuthLogin.php: PHP Warning: count(): Parameter must be an array or an object that implements Countable"

Have you already seen this error?

I tried to get around this count function in "PluggableAuth/includes/PluggableAuthLogin.php" (because my $returnToUrl variable is not null, but it seems to be a string instead of an array), but always the same result.

Thank you.

Osnard (talkcontribs)

If you are getting a DomainException you might set $LDAPProviderDefaultDomain = "ldap.sub.mydomain.com";

109.197.247.94 (talkcontribs)

Hello, thank you for the hint.

I added "$LDAPProviderDefaultDomain = "ldap.sub.mydomain.com";" in my LocalSettings.php. I still have the Domain Exception.

Here is the full backtrace I didn't post the last time:

[c6dab44f11ea607a1a3646b7] /index.php?title=Sp%C3%A9cial:Connexion DomainException from line 616 of /usr/share/mediawiki/includes/auth/AuthManager.php: PluggableAuthPrimaryAuthenticationProvider returned an invalid username:

Backtrace:

#0 /usr/share/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(355): MediaWiki\Auth\AuthManager->continueAuthentication(array)
#1 /usr/share/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(482): AuthManagerSpecialPage->performAuthenticationStep(string, array)
#2 /usr/share/mediawiki/includes/htmlform/HTMLForm.php(660): AuthManagerSpecialPage->handleFormSubmit(array, VFormHTMLForm)
#3 /usr/share/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(416): HTMLForm->trySubmit()
#4 /usr/share/mediawiki/includes/specialpage/LoginSignupSpecialPage.php(316): AuthManagerSpecialPage->trySubmit()
#5 /usr/share/mediawiki/includes/specialpage/SpecialPage.php(565): LoginSignupSpecialPage->execute(NULL)
#6 /usr/share/mediawiki/includes/specialpage/SpecialPageFactory.php(568): SpecialPage->run(NULL)
#7 /usr/share/mediawiki/includes/MediaWiki.php(288): SpecialPageFactory::executePath(Title, RequestContext)
#8 /usr/share/mediawiki/includes/MediaWiki.php(861): MediaWiki->performRequest()
#9 /usr/share/mediawiki/includes/MediaWiki.php(524): MediaWiki->main()
#10 /usr/share/mediawiki/index.php(42): MediaWiki->run()
#11 {main}

In the "Debug log", I got this line: "[authentication] [Auth] username: , user"

I checked in /usr/share/mediawiki/includes/auth/AuthManager.php, line 612. $res->username is empty.

Best regards.

Osnard (talkcontribs)

Which version of PluggableAuth are you using? There is no call to count in PluggableAuthLogin.php anymore. Please check whether the field "loginId" is actually listed in the result of LDAPProvider/maintenance/ShowUserInfo.php. Be aware that the extension is case sensitive here. You might check other variants like "loginid" or "loginID".
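The fix in this thread is a case mismatch between the attribute name in ldapprovider.json (`loginId`) and the name the directory actually returns (`loginid`), which LDAPProvider compares case-sensitively. The script below is an added example, not part of LDAPProvider: it takes a domain config and a user record (the kind of output LDAPProvider/maintenance/ShowUserInfo.php prints) and reports every configured attribute that is absent from the record, distinguishing a pure case mismatch from an attribute that is missing altogether. The config keys checked (`searchattribute`, `usernameattribute`, `realnameattribute`, `emailattribute`, the leading attribute of `searchstring`, and the values of `userinfo.attributes-map`) are those used in the configurations on this page; the sample config and user record are constructed, with the bind credentials left out.

```python
"""Compare attribute names in an LDAPProvider domain config with the
attribute names the directory returns for a user, flagging case mismatches.

Added example; not part of LDAPProvider. Exact, case-sensitive comparison
follows the reply above; the sample config and user record are constructed.
"""
import json
from typing import Dict, List

# Connection keys whose value is an attribute name the directory must return.
ATTRIBUTE_KEYS = ('searchattribute', 'usernameattribute',
                  'realnameattribute', 'emailattribute')


def check_domain(domain_config: dict, user_info: Dict[str, object]) -> List[str]:
    """Return one finding per configured attribute that the user record lacks."""
    available = {name.lower(): name for name in user_info}  # lowercase -> real name
    wanted = []
    conn = domain_config.get('connection', {})
    wanted += [(f'connection.{k}', conn[k]) for k in ATTRIBUTE_KEYS if k in conn]
    # "searchstring": "loginId=USER-NAME,ou=users,..." names an attribute too
    if 'searchstring' in conn and '=' in conn['searchstring']:
        wanted.append(('connection.searchstring', conn['searchstring'].split('=', 1)[0]))
    amap = domain_config.get('userinfo', {})
    amap = amap.get('attributes-map', {}) if isinstance(amap, dict) else {}  # "userinfo": [] is valid
    wanted += [(f'userinfo.attributes-map.{k}', v) for k, v in amap.items()]

    findings: List[str] = []
    for where, attr in wanted:
        if attr in user_info:
            continue  # exact, case-sensitive hit: fine
        if attr.lower() in available:
            findings.append(f"{where}: '{attr}' is not returned, but '{available[attr.lower()]}' "
                            f"is (attribute names are compared case-sensitively)")
        else:
            findings.append(f"{where}: '{attr}' is not returned for this user at all")
    return findings


def check_all(config_json: str, user_info: Dict[str, object]) -> Dict[str, List[str]]:
    """Run check_domain for every domain in a ldapprovider.json document."""
    return {domain: check_domain(cfg, user_info)
            for domain, cfg in json.loads(config_json).items()}


# Constructed domain config, modelled on the one posted in this thread
# (bind user and password omitted).
CONFIG_JSON = """{
  "ldap.sub.mydomain.com": {
    "connection": {
      "server": "ldap.sub.mydomain.com",
      "port": 636,
      "enctype": "ssl",
      "basedn": "dc=sub,dc=mydomain,dc=com",
      "userbasedn": "ou=users,dc=sub,dc=mydomain,dc=com",
      "searchattribute": "loginId",
      "searchstring": "loginId=USER-NAME,ou=users,dc=sub,dc=mydomain,dc=com",
      "usernameattribute": "loginId",
      "realnameattribute": "cn",
      "emailattribute": "mail"
    },
    "userinfo": { "attributes-map": { "email": "mail", "realname": "cn" } }
  }
}"""

# Constructed user record in the shape ShowUserInfo.php would list it:
# the directory spells the login attribute "loginid".
USER_INFO = {
    'loginid': 'nicolasgo',
    'cn': 'Nicolas',
    'mail': 'nicolasgo@example.com',
    'objectclass': ['inetOrgPerson'],
}

if __name__ == '__main__':
    for domain, findings in check_all(CONFIG_JSON, USER_INFO).items():
        print(domain)
        for f in findings or ['all configured attributes present']:
            print('  ' + f)
```

Feed it the real ShowUserInfo.php output for one user and your own ldapprovider.json; three findings for `loginId` (search attribute, username attribute and search string) reproduce this thread, and renaming them to `loginid` clears the list.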

109.197.247.94 (talkcontribs)

Thank you Osnard, you found the solution. Authentication works now.

I am using PluggableAuth: REL1_31 (2019-05-20T02:40:46).

The field "loginid" is listed in the result of LDAPProvider/maintenance/ShowUserInfo.php but I was using "loginId" in my ldapprovider.json configuration.


autocreateaccount throwing no such table: ldap_domains

2601:46:C702:5634:6124:8B90:4DDC:DE67 (talkcontribs)

Hi,

I'm trying to set up LDAP authentication on a MediaWiki Docker instance. I've gotten to the point where ShowUserInfo.php and CheckLogin.php work correctly. I am also able to log in to the wiki instance with an account that already existed, but using LDAP instead of the local login. The problem I run into is when I try to log in with an LDAP account that doesn't already exist. When I do that I get the following error:

/var/www/html/includes/libs/rdbms/database/Database.php: A database query error has occurred. Did you forget to run your application's database schema updater after upgrading?

Function: Mediawiki\Extension\LDAPProvider\UserDomainStore::getDomainForUser

Error: 1 no such table: ldap_domains


I have searched for how to solve this error but only find solutions for LDAPAuthenticator, not LDAPAuthenticator2 (the file they say to run does not exist in the new version)

I can't include logs because this is being spun up on a confidential system.


My question is: how do I create the table ldap_domains? I have the LDAPProvider, PluggableAuth, and LDAPAuthenticator2 modules installed.

Osnard (talkcontribs)

Have you run <mediawiki>/maintenance/update.php after installation/activation?

2601:46:C702:5634:D016:26C8:684E:4744 (talkcontribs)

So this is running inside of a Docker container. Is this something that I should add to my LocalSettings.php file as require_once("maintenance/update.php");?


2601:46:C702:5634:D016:26C8:684E:4744 (talkcontribs)

For others: Osnard's solution worked. As long as you have a mounted volume holding the data files and the database files, this only needs to be run once. You cannot make this a require_once() call; that makes the web page display only an error. After running the update.php file, everything works (LDAP) and the changes persist over Docker container failovers, if you're using a service like me.


[0d90a23077d2a1fa5d12fbea] 2020-01-28 02:02:03: Fatal exception of type "Error"

2601:588:C000:CC8:D49F:4C05:5318:13D (talkcontribs)

When I try to log in as any LDAP user I get the above titled error message. Can someone please help me? I don't know what to do next.


wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPUserInfo' );

$LDAPAuthentication2AllowLocalLogin = true;

$LDAPProviderDomainConfigProvider = function() {
        $config = [
                'LDAP' => [
                        'connection' => [
                                "server" => "REDACTED",
                                "user" => "CN=Administrator,CN=Users,DC=it,DC=networkservice,DC=associates",
                                "pass" => 'REDACTED',
                                "options" => [
                                        "LDAP_OPT_DEREF" => 1
                                ],
                                "basedn" => "DC=it,DC=networkservice,DC=associates",
                                "groupbasedn" => "OU=Groups,DC=it,DC=networkservice,DC=associates",
                                "userbasedn" => "OU=Associates,DC=it,DC=networkservice,DC=associates",
                                "searchattribute" => "uid",
                                "searchstring" => "uid=USER-NAME,OU=Associates,DC=it,DC=networkservice,DC=associates",
                                "usernameattribute" => "uid",
                                "realnameattribute" => "cn",
                                "emailattribute" => "mail"
                        ]
                ]
        ];

        return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
Osnard (talkcontribs)
91.135.176.46 (talkcontribs)

The error is due to a missing PHP package:


yum install rh-php72-php-ldap

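The two threads above fail for reasons that are cheap to check before a user ever hits the login form: the PHP ldap module is not loaded (the fatal "Error" fixed by installing the php-ldap package), and update.php has not been run since the extensions were enabled (the "no such table: ldap_domains" error). The script below is an added example, not part of MediaWiki or the LDAP extensions. It assumes a Docker container named "mediawiki" with MediaWiki at /var/www/html (both overridable through environment variables); the error strings it recognises are the SQLite message quoted above and the corresponding MySQL/MariaDB wording.

```shell
#!/bin/sh
# Added example, not part of MediaWiki or the LDAP extensions.
# Pre-flight for a Dockerised wiki using LDAPProvider/LDAPAuthentication2.
# Assumed values (override via the environment): container "mediawiki",
# MediaWiki root /var/www/html.
CONTAINER=${CONTAINER:-mediawiki}
MW_ROOT=${MW_ROOT:-/var/www/html}

# has_php_module MODULE LIST: exit 0 if MODULE appears in a "php -m" style
# list (one module per line). Matched case-insensitively to be tolerant of
# how a particular build prints the name.
has_php_module() {
    printf '%s\n' "$2" | grep -qixF -- "$1"
}

# needs_schema_update MESSAGE: exit 0 if a database error message is the kind
# that running update.php fixes. SQLite says "no such table" (as in the thread
# above); MySQL/MariaDB says "Table '...' doesn't exist".
needs_schema_update() {
    case $1 in
        *"no such table"*|*"doesn't exist"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live checks against the running container. update.php is idempotent and,
# with a persistent volume, only has to run once per schema change. It is a
# command to execute, never something to require_once() from LocalSettings.php.
preflight() {
    mods=$(docker exec "$CONTAINER" php -m)
    if ! has_php_module ldap "$mods"; then
        echo "PHP ldap module not loaded: install the php-ldap package for this PHP build" >&2
        return 1
    fi
    # --quick skips update.php's five-second countdown.
    docker exec "$CONTAINER" php "$MW_ROOT/maintenance/update.php" --quick
}

# Run the live checks only when asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Invoke it as `sh preflight.sh --run` after enabling the extensions and again after every extension upgrade; if you see a database error in the web UI later, paste the message into needs_schema_update to tell a missing schema update apart from an unrelated database problem.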

Difficulty upgrading from LDAPAuthentication

Realsalt (talkcontribs)

Working on upgrading our wiki from 1.31, and we thought we'd upgrade our authentication app at the same time, but we're having trouble, specifically with the upgrade script:

php extensions/LDAPProvider/maintenance/ConvertLdapAuthenticationConfig.php --output /ext/mediawiki/ldapprovider.json


Specifically, I have this error:

php extensions/LDAPProvider/maintenance/ConvertLdapAuthenticationConfig.php --output /ext/mediawiki/ldapprovider.json

PHP Fatal error:  Uncaught Exception: /var/lib/mediawiki-1.33.1-HD-test/extensions/LdapAuthentication/extension.json does not exist! in /var/lib/mediawiki-1.33.1-HD-test/includes/registration/ExtensionRegistry.php:117

Stack trace:
#0 /var/lib/mediawiki-1.33.1-HD-test/includes/GlobalFunctions.php(50): ExtensionRegistry->queue('/var/lib/mediaw...')
#1 /var/lib/mediawiki-1.33.1-HD-test/LocalSettings.php(176): wfLoadExtension('LdapAuthenticat...')
#2 /var/lib/mediawiki-1.33.1-HD-test/includes/Setup.php(105): require_once('/var/lib/mediaw...')
#3 /var/lib/mediawiki-1.33.1-HD-test/maintenance/doMaintenance.php(81): require_once('/var/lib/mediaw...')
#4 /var/lib/mediawiki-1.33.1-HD-test/extensions/LDAPProvider/maintenance/ConvertLdapAuthenticationConfig.php(98): require_once('/var/lib/mediaw...')
#5 {main}
  thrown in /var/lib/mediawiki-1.33.1-HD-test/includes/registration/ExtensionRegistry.php on line 117

This is the relevant part of /includes/registration/ExtensionRegistry.php:

106		/**
107		 * @param string $path Absolute path to the JSON file
108		 */
109		public function queue( $path ) {
110			global $wgExtensionInfoMTime;
111	
112			$mtime = $wgExtensionInfoMTime;
113			if ( $mtime === false ) {
114				if ( file_exists( $path ) ) {
115					$mtime = filemtime( $path );
116				} else {
117					throw new Exception( "$path does not exist!" );
118				}
119				// @codeCoverageIgnoreStart
120				if ( $mtime === false ) {
121					$err = error_get_last();
122					throw new Exception( "Couldn't stat $path: {$err['message']}" );
123					// @codeCoverageIgnoreEnd
124				}
125			}
126			$this->queued[$path] = $mtime;
127		}

Here's a pastebin with the relevant parts of LocalSettings.php pastebin.com/HQ5SH4iY


I'd appreciate any insight anyone has.

Nick Parrott (talkcontribs)

I took a look at your config layout on pastebin, and I see what you're trying to do.


A few suggestions:


- Use 1.31 or 1.34. The extension-set has not been built/qualified for 1.33, and I've tried master on 1.33 to no avail

- When you install 1.31 or 1.34, consider using the approach of a JSON-config file, combined with LocalSettings.php

- You will find a full working example here: Manual:Active Directory Integration


To avoid agony, I would remove all your existing LDAP or Permission config, and try with the PHP on that page.


I don't think the maintenance script you are running will have any impact on "getting a working setup".

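The stack trace in this thread shows the actual problem: LocalSettings.php (line 176) still calls wfLoadExtension for the old LdapAuthentication extension, whose directory no longer exists, so every maintenance script dies before the conversion even starts. Nick Parrott's advice to strip the old configuration first is easier to follow with a scan. The script below is an added example, not part of MediaWiki or the LDAP extensions; it relies on the naming convention that the old extension's settings start with $wgLDAP while the new stack uses $LDAPProvider..., $LDAPAuthentication2... and $wgPluggableAuth_... names. The LocalSettings.php fragment embedded in it is constructed sample data, not the poster's pastebin.

```shell
#!/bin/sh
# Added example, not part of MediaWiki or the LDAP extensions.
# Finds configuration left over from the old LdapAuthentication extension in a
# LocalSettings.php, so it can be removed before switching to
# LDAPProvider/LDAPAuthentication2.
#
# leftover_ldap_config CONTENT: prints "lineno:line" for each leftover line,
# nothing when the file is clean. Patterns matched:
#   - wfLoadExtension( 'LdapAuthentication' )   (case-sensitive, so the new
#     LDAPAuthentication2 does not match)
#   - require_once of the old extension's files
#   - any $wgLDAP... setting (old extension); new-stack settings use other prefixes
leftover_ldap_config() {
    printf '%s\n' "$1" | grep -nE \
        -e 'wfLoadExtension\(.*LdapAuthentication[^A-Za-z0-9]' \
        -e 'require_once.*LdapAuthentication/' \
        -e '\$wgLDAP[A-Za-z]' || true
}

# count_leftovers CONTENT: prints the number of leftover lines (0 when clean).
count_leftovers() {
    leftover_ldap_config "$1" | grep -c . || true
}

# Constructed sample LocalSettings.php fragment (not the poster's file): four
# new-stack lines plus two leftovers from LdapAuthentication.
SAMPLE_SETTINGS='wfLoadExtension( "PluggableAuth" );
wfLoadExtension( "LDAPProvider" );
wfLoadExtension( "LDAPAuthentication2" );
wfLoadExtension( "LdapAuthentication" );
$wgLDAPUseLocal = false;
$LDAPAuthentication2AllowLocalLogin = true;'

# Usage on a real file:
#   leftover_ldap_config "$(cat LocalSettings.php)"
# Each reported line should be deleted (or its value carried over to
# ldapprovider.json) before running ConvertLdapAuthenticationConfig.php or
# any other maintenance script.
```

Run the scan on the LocalSettings.php of the new installation; a count of zero means the maintenance scripts will at least get past extension registration, which is where the trace above fails.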