Extension talk:LDAPAuthentication2/2020

When reporting an error, please be sure to include version information for MediaWiki and all relevant extensions as well as configuration information. Also, please turn on debug logging as described at Manual:How to debug#Logging and include the relevant portions of the debug log.

My Usernames in the AD are name_surname with underscore. I can login with name_surname. But in the login field at e new login "Name surname" is autofilled in the username login field. With that username logon fails. Textform (talk) 09:47, 8 January 2020 (UTC)Reply

I could solve this by changing

$username = strtolower(str_replace(" ","_",$extraLoginFields[ExtraLoginFields::USERNAME]));

in

extensions\LDAPAuthentication2\src\PluggableAuth.php

But group mapping does not work. All groups are removed, no matter if i login with name_surname or "Name surname".

With a username that has no underscores all works fine.

php LDAPProvider/maintenance/ShowUserGroups.php --domain textform.net --username wikiuser

shows all the groups, when I use name_surname. But obvously nothing for "Name surname".

How can I tell the extension LDAPGroups to "normalize" the username to name_surname befor querying the groups?

(Maybe it would be better to move this thread to the LDAPGroups talk?) Textform (talk) 10:02, 8 January 2020 (UTC)Reply

Maybe this helps: https://phabricator.wikimedia.org/T240336 Osnard (talk) 07:02, 9 January 2020 (UTC)Reply

i am trying to get this working. i have recently upgraded to:

mw: 1.31.6; running php7.3. i have been able to validate using the maintenance/CheckLogin.php on the LDAPProvider extension. if i enter an incorrect password; when i login, i get the "Could not authenticate credentials against domain"; if i enter the correct password, i get the "The supplied credentials are not associated with any user on this wiki."

the PluggableAuth is also installed.

when i look at my debug log, i notice a couple of errors:

ErrorException from line 85 of /var/lib/mediawiki/extensions/LDAPAuthentication2/src/PluggableAuth.php: PHP Notice: Undefined index: samaccountname

ErrorException from line 86 of /var/lib/mediawiki/extensions/LDAPAuthentication2/src/PluggableAuth.php: PHP Notice: Undefined index: cn

my settings are such:

<code>

$LDAPProviderDomainConfigProvider = function () {

   $config = [

      "ny.something.biz" => [ 

         "connection" => [

            "server" => "domain.ny.something.biz", 

            "basedn" => "dc=something,dc=biz", 

            "groupbasedn" => "dc=something,dc=biz", 

            "userbasedn" => "dc=something,dc=biz", 

            "searchattribute" => "samaccountname", 

            "searchstring" => "SOMETHING_NY_1\\USER-NAME", 

            "usernameattribute" => "samaccountname",

            "realnameattribute" => "cn",

            "emailattribute" => "mail"

         ],

      ]

   ];

   return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray($config);

};

</code>

appreciate any help on this! thanks. LeavingCT (talk) 01:24, 21 January 2020 (UTC)Reply

Please check the output of LDAPProvider/maintenance/CheckUserInfo.php. It looks like you need to configure something else than "samacountname" for the username and "cn" for the realname. Osnard (talk) 14:20, 22 January 2020 (UTC)Reply

hi osnard, thanks for the help. i'm guessing you meant ShowUserInfo.php and not CheckUserInfo.php. when i try that i'm getting the:

MWException from line 197 of /var/lib/mediawiki/extensions/LDAPProvider/src/Client.php: Error in LDAP search: Operations error

ive tried setting the LDAP_OPT_REFERRALS to 0 (as well as 1); but neither seemed to help.

appreciate any further input as a cursory search seems to indicate plenty of people have similar problem.

best. LeavingCT (talk) 23:44, 23 January 2020 (UTC)Reply

hi osnard, i have played around with a bit of the config values. at 1 point, i got the ShowUserInfo to work. now it does not... however, i am now validating against AD and am successfully logging in! so thanks for the help. once i get some more time, i may come back and see where i went adrift, but for now i seem to be working. i do believe that i added our OU as well. thanks again. LeavingCT (talk) 02:08, 24 January 2020 (UTC)Reply

Could you please share your resolution that lets users login? Chattadude (talk) 19:24, 24 January 2020 (UTC)Reply

with regards to the changes i made, it is hard to tell exactly what caused the login to now work. i am not sure if a recent update to our domain controller was the culprit, or adding our organization unit (ou=) to our basedn in the above config. as i stated above, i have added the following options to the config:

                        "options" => [

                                "LDAP_OPT_DEREF" => 0

                        ],

but i'm not clear if this is part of the solution or not. unfortunately i can not say for sure what has resolved our issue, nor can i say why we are now getting the:

Error in LDAP search: Operations error

when executing the ShowUserInfo script. i know i successfully ran that maintenance script once, but now it is erroring out. i wish i could be of more help with a definitive answer. when i have more time, i will continue to play, and see if i can come up with a definitive answer. best. LeavingCT (talk) 20:13, 27 January 2020 (UTC)Reply

The "Operations error" may imply that the user you have use to bind to the LDAP resource is not allowed to run a "search" against LDAP. This sometimes happens in "anonymous bind" setups. Osnard (talk) 06:54, 29 January 2020 (UTC)Reply

Hi,

It seems that the following error is a common occurrence when someone tries to tie Mediawiki into an Active Directory domain: "The supplied credentials are not associated with any user on this wiki."

Osnard, as you know from a separate post in Extension talk:PluggableAuth, I was trying to get Mediawiki talking to a FreeIPA (Red Hat IdM) LDAP directory.

I still intend to reach out to someone with Red Hat or FreeIPA to help determine why there seems to be two "users" in the database associated with the same uid.

That said, my ultimate goal is to bind Media Wiki to an Active Directory (and use FreeIPA as a "proxy" of sorts).

In part of my troubleshooting, I decided to try to connect Mediawiki directly to AD without FreeIPA in the middle.

And that leads me to the error I'm currently getting, that "The supplied credentials are not associated with any user on this wiki."

If I enter in incorrect credentials, I confirm that there is a failure to authenticate.

I can confirm that I AM able to get correct output when I run:

php /var/www/html/extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain LDAP --username {my-user}

My /etc/mediawiki/ldapprovider.json file contains the following:

                       "server": "10.10.10.10",

                       "user": "cn=bind_user,ou=MediaWiki,ou=Applications,ou=Foo,dc=example,dc=com",

                       "pass": "REDACTED",

                       "port":"389",

                       "enctype":"clear",

                       "basedn": "dc=example,dc=com",

                       "groupbasedn": "ou=Network Users,dc=example,dc=com",

                       "userbasedn": "ou=Network Users,dc=example,dc=com",

                       "searchattribute": "samaccountname",

                       "searchstring": "USER-NAME",

                       "usernameattribute": "samaccountname",

                       "realnameattribute": "cn",

                       "emailattribute": "mail"

My LocalSettings.php file contains:

wfLoadExtension( 'PluggableAuth' );

wfLoadExtension( 'LDAPProvider' );

wfLoadExtension( 'LDAPAuthentication2' );

wfLoadExtension( 'LDAPUserInfo' );

$LDAPProviderDomainConfigs = "/etc/mediawiki/ldapprovider.json";

$LDAPAuthentication2AllowLocalLogin = false;

I have the following versions:

- Mediawiki 1.34

- PluggableAuth-REL1_34

- LDAPUserInfo-REL1_31

- LDAPAuthentication2-master-2aa5664 (I've also tried LDAPAuthentication2-REL1_31)

- LDAPProvider-master-963bd84 (I've also tried LDAPProvider-REL1_31)

I'm not sure where to go from here. Chattadude (talk) 19:54, 24 January 2020 (UTC)Reply

I have just done a "fresh install" of MediaWiki 1.34 to rule out any possible issue in the database itself.

Using the same codebase and configuration options as described above in the (new) LocalSettings.php of the new install, I am still getting the symptoms I described earlier. My user credentials are clearly working, but I keep getting the error message "The supplied credentials are not associated with any user on this wiki." when I do try to login.

I'm completely at a loss at this point. Chattadude (talk) 20:43, 5 February 2020 (UTC)Reply

Have you found a solution yet, this is where I'm at. 209.3.130.226 (talk) 16:43, 8 February 2020 (UTC)Reply

Nope, I still don't have this working. I was hoping someone else would be able to provide some guidance.

I'll keep troubleshooting, and if I get it working, will be sure to post back here. If you come up with a solution for yourself, please consider posting back here with your solution as well. Chattadude (talk) 12:48, 10 February 2020 (UTC)Reply

Just enable logs with

$wgDebugLogFile = "/var/www/mediawiki/debug.log";

You could see the error there 80.89.157.0 (talk) 04:25, 11 February 2020 (UTC)Reply

I'm a little late to the party, but I had this issue a few days ago and even posted about it here Extension talk:LDAPProvider/2020#h-Internal_error:_Parameter_must_be_an_array_or_an_object_that_implements_Countabl-2020-09-21T20:29:00.000Z, here's a snip of my comment on how I solved this, my installation is now working properly.

to solve this, keep in mind the JSON fields MUST be in all lower case letters, so instead of sAMAccountname you must use samaccountname and so on for all fields used by the JSON file. Kevin.murilo (talk) 12:30, 1 October 2020 (UTC)Reply

Hello, I have had some mediawiki servers running and am working on a fresh 1.35 install. I only noticed your note from a search. I also have RHEL IDM working w/AD we setup over a year ago with RH.

The only thing I wanted to note is that you will not get everything from AD through IDM; its a subset of information. RH Is working on expanding that. Like email address, will not be passed as it is part of IDM. Groups get passed depending on how you configure IDM.

IDM is amazing and better than all the other solutions to date, and getting better. Definitely helps move enterprises in the direction of 'single account' with all their linux users. Emikulic (talk) 19:50, 25 November 2020 (UTC)Reply

Working on upgrading our wiki from 1.31 and though we'd upgrade our authentication app at the same time but having troubles, specifically with the upgrade script:

php extensions/LDAPProvider/maintenance/ConvertLdapAuthenticationConfig.php --output /ext/mediawiki/ldapprovider.json

Specifically, I have this error:

php extensions/LDAPProvider/maintenance/ConvertLdapAuthenticationConfig.php --output /ext/mediawiki/ldapprovider.json

PHP Fatal error:  Uncaught Exception: /var/lib/mediawiki-1.33.1-HD-test/extensions/LdapAuthentication/extension.json does not exist! in /var/lib/mediawiki-1.33.1-HD-test/includes/registration/ExtensionRegistry.php:117

Stack trace:
#0 /var/lib/mediawiki-1.33.1-HD-test/includes/GlobalFunctions.php(50): ExtensionRegistry->queue('/var/lib/mediaw...')
#1 /var/lib/mediawiki-1.33.1-HD-test/LocalSettings.php(176): wfLoadExtension('LdapAuthenticat...')
#2 /var/lib/mediawiki-1.33.1-HD-test/includes/Setup.php(105): require_once('/var/lib/mediaw...')
#3 /var/lib/mediawiki-1.33.1-HD-test/maintenance/doMaintenance.php(81): require_once('/var/lib/mediaw...')
#4 /var/lib/mediawiki-1.33.1-HD-test/extensions/LDAPProvider/maintenance/ConvertLdapAuthenticationConfig.php(98): require_once('/var/lib/mediaw...')
#5 {main}
  thrown in /var/lib/mediawiki-1.33.1-HD-test/includes/registration/ExtensionRegistry.php on line 117

This is the relevant part of /includes/registration/ExtensionRegistry.php:

6		/**
   107		 * @param string $path Absolute path to the JSON file
   108		 */
   109		public function queue( $path ) {
   110			global $wgExtensionInfoMTime;
   111	
   112			$mtime = $wgExtensionInfoMTime;
   113			if ( $mtime === false ) {
   114				if ( file_exists( $path ) ) {
   115					$mtime = filemtime( $path );
   116				} else {
   117					throw new Exception( "$path does not exist!" );
   118				}
   119				// @codeCoverageIgnoreStart
   120				if ( $mtime === false ) {
   121					$err = error_get_last();
   122					throw new Exception( "Couldn't stat $path: {$err['message']}" );
   123					// @codeCoverageIgnoreEnd
   124				}
   125			}
   126			$this->queued[$path] = $mtime;
   127		}

Here's a pastebin with the relevant parts of LocalSettings.php pastebin.com/HQ5SH4iY

I'd appreciate any insight anyone has. Realsalt (talk) 22:56, 24 January 2020 (UTC)Reply

I took a look at your config layout on pastebin, and I see what you're trying to do.

A few suggestions:

- Use 1.31 or 1.34. The extension-set has not been built/qualified for 1.33, and I've tried master on 1.33 to no avail

- When you install 1.31 or 1.34, consider using the approach of a JSON-config file, combined with LocalSettings.php

- You will find a full working example here: Manual:Active Directory Integration

To avoid agony, I would remove all your existing LDAP or Permission config, and try with the PHP on that page.

I don't think the maintenance script you are running will have any impact on "getting a working setup" Nick Parrott (talk) 19:47, 11 February 2020 (UTC)Reply

When I try to log in as any LDAP user I get the above titled error message. Can someone please help me? I don't know what to do next.

wfLoadExtension( 'PluggableAuth' );                                                                         
wfLoadExtension( 'LDAPProvider' );                                                                                    
wfLoadExtension( 'LDAPAuthentication2' );                                                                             
wfLoadExtension( 'LDAPUserInfo' );                                                                                    
                                                                                                                      
$LDAPAuthentication2AllowLocalLogin = true;                                                                           
                                                                                                                      
$LDAPProviderDomainConfigProvider = function() {                                                      
        $config = [                                                                                                   
                'LDAP' => [                                                                                           
                        'connection' => [                                                                             
                                "server" => "REDACTED",                                           
                                "user" => "CN=Administrator,CN=Users,DC=it,DC=networkservice,DC=associates",
                                "pass" => 'REDACTED',                                                         
                                "options" => [                                                                        
                                        "LDAP_OPT_DEREF" => 1                                                         
                                ],                                                                    
                                "basedn" => "DC=it,DC=networkservice,DC=associates",                                  
                                "groupbasedn" => "OU=Groups,DC=it,DC=networkservice,DC=associates",                   
                                "userbasedn" => "OU=Associates,DC=it,DC=networkservice,DC=associates",                
                                "searchattribute" => "uid",                                
                                "searchstring" => "uid=USER-NAME,OU=Associates,DC=it,DC=networkservice,DC=associates",
                                "usernameattribute" => "uid",                                       
                                "realnameattribute" => "cn",                                        
                                "emailattribute" => "mail"                          
                        ]                                                                           
                ]                                                                                     
        ];                                                                                          
                                                                                                                      
        return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};                                                                              

2601:588:C000:CC8:D49F:4C05:5318:13D (talk) 02:22, 28 January 2020 (UTC)Reply

Please enable debugging: Manual:How to debug

Also see LDAP hub section about debugging. Osnard (talk) 09:17, 28 January 2020 (UTC)Reply

The error is due to lack of php package :

yum install rh-php72-php-ldap 91.135.176.46 (talk) 07:37, 22 April 2020 (UTC)Reply

Hello,

I recently upgraded the mediawiki package on a debian buster server and i am configuring the ldap authentication with LDAPAuthentication2 instead of the old extension 'LdapAuthentication'.

When i try the ldap authentication, i got the message "The supplied credentials are not associated with any user on this wiki".

This 2 scripts below are ok and retrieve information from our ldap directory.

1. php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain "ldap.sub.mydomain.com" --username Nicolasgo
2. php extensions/LDAPProvider/maintenance/CheckLogin.php --domain "ldap.sub.mydomain.com" --username Nicolasgo

Password:mypass OK

Here is my LDAP section from LocalSettings.php

... $wgShowDBErrorBacktrace = false; $wgDebugDumpSql = false; $wgShowSQLErrors = false; $wgShowExceptionDetails = true; $wgDebugToolbar = true; $wgDebugLogFile = "/tmp/wikimedia.log";

wfLoadExtension( 'PluggableAuth' ); wfLoadExtension( 'LDAPProvider' ); wfLoadExtension( 'LDAPAuthentication2' ); wfLoadExtension( 'LDAPAuthorization' ); wfLoadExtension( 'LDAPUserInfo' );

//$LDAPAuthentication2UsernameNormalizer = 'strtolower'; $wgPluggableAuth_EnableAutoLogin = true; $wgPluggableAuth_EnableLocalLogin = false; $wgPluggableAuth_EnableLocalProperties = false; ...

Here is my ldapprovider.json configuration :

{

       "ldap.sub.mydomain.com": {
               "connection": {
                       "server": "ldap.sub.mydomain.com",
                       "user": "loginId=nicolasgo,ou=users,dc=sub,dc=mydomain,dc=com",
                       "pass": "mypass",
                       "options": {
                               "LDAP_OPT_DEREF": 1
                       },
                       "port": 636,
                       "enctype": "ssl",
                       "basedn": "dc=sub,dc=mydomain,dc=com",
                       "groupbasedn": "dc=sub,dc=mydomain,dc=com",
                       "userbasedn": "ou=users,dc=sub,dc=mydomain,dc=com",
                       "searchattribute": "loginId",
                       "searchstring": "loginId=USER-NAME,ou=users,dc=sub,dc=mydomain,dc=com",
                       "usernameattribute": "loginId",
                       "realnameattribute": "cn",
                       "emailattribute": "mail"
               },
               "authorization": {
                       "rules": {
                       }
               },
               "userinfo": {
                       "attributes-map": {
                               "email": "mail",
                               "realname": "cn"
                       }
               }
       }

}

Here are some lines from /tmp/wikimedia.log when trying to authenticate :

"Start request GET /index.php?title=Sp%C3%A9cial:Connexion HTTP HEADERS: COOKIE: mediawiki_dbUserName=Nicolasgo; mediawiki_db_session=e4gn5jc5la5rbtd82k6ffihsl6isr4ib TE: trailers UPGRADE-INSECURE-REQUESTS: 1 REFERER: h t t p s : / / wiki2.sub.mydomain.com/index.php?title=Sp%C3%A9cial:Connexion ACCEPT-ENCODING: gzip, deflate, br ACCEPT-LANGUAGE: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3 ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 USER-AGENT: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36 HOST: wiki2.sub.mydomain.com CONTENT-LENGTH: CONTENT-TYPE: [caches] cluster: APCUBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: APCUBagOStuff, session: APCUBagOStuff [caches] LocalisationCache: using store LCStoreDB [DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection. [DBReplication] Cannot use ChronologyProtector with EmptyBagOStuff. [DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: using request info { "IPAddress": "10.XX.XX.XX", "UserAgent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.100 Safari\/537.36", "ChronologyProtection": false, "ChronologyPositionIndex": 0 } [DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: connected to database 0 at 'localhost'. [session] Session "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" requested without UserID cookie Unstubbing $wgParser on call of $wgParser::setHook from require_once Parser: using preprocessor: Preprocessor_DOM [CryptRand] 0 bytes of randomness leftover in the buffer. [session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" data dirty due to dirty(): AuthManagerSpecialPage->handleReturnBeforeExecute/MediaWiki\Auth\AuthManager->removeAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty [session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" save: dataDirty=1 metaDirty=0 forcePersist=0 [MessageCache] MessageCache::load: Loading fr... local cache is empty, got from global cache Unstubbing $wgLang on call of $wgLang::_unstub from ParserOptions->__construct QuickTemplate::__construct was called with no Config instance passed to it [CryptRand] 0 bytes of randomness leftover in the buffer. [session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" data dirty due to dirty(): PluggableAuthContinueAuthenticationRequest->loadFromSubmission/MediaWiki\Auth\AuthManager->removeAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty [session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" save: dataDirty=1 metaDirty=0 forcePersist=0 [authentication] Primary login with PluggableAuthPrimaryAuthenticationProvider succeeded [authentication] Primary login with PluggableAuthPrimaryAuthenticationProvider succeeded, but returned no user [CryptRand] 0 bytes of randomness leftover in the buffer. [session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" data dirty due to dirty(): AuthManagerSpecialPage->performAuthenticationStep/MediaWiki\Auth\AuthManager->continueAuthentication/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty [session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" save: dataDirty=1 metaDirty=0 forcePersist=0 [authevents] Login attempt QuickTemplate::__construct was called with no Config instance passed to it MediaWiki::preOutputCommit: primary transaction round committed MediaWiki::preOutputCommit: pre-send deferred updates completed MediaWiki::preOutputCommit: LBFactory shutdown completed [MessageCache] MessageCache::load: Loading en... local cache is empty, got from global cache [gitinfo] Computed cacheFile=/usr/share/mediawiki/gitinfo.json for /usr/share/mediawiki [gitinfo] Cache incomplete for /usr/share/mediawiki"

Here are some observation :

- MediaWiki: 1.31.7 PHP: 7.3.14-1~deb10u1 Time: 1.01150 Memory: 20,48 Mio (Peak: 20,66 Mio) - If i comment out '$LDAPAuthentication2UsernameNormalizer = 'strtolower';' i got a backtrace with error 'DomainException from line 616 of /usr/share/mediawiki/includes/auth/AuthManager.php: PluggableAuthPrimaryAuthenticationProvider returned an invalid username'

Could you give me some hints to resolve this please ? Thank you in advance.

Nicolas 109.197.247.94 (talk) 11:52, 28 April 2020 (UTC)Reply

Please try to remove the "authorization" section from your domain config completely. Osnard (talk) 09:34, 30 April 2020 (UTC)Reply

Hello,

Thank you for your answer. I removed the "authorization" section from ldapprovider.json file and i don't load LDAPAuthorization extension anymore from LocalSettings.php.

But the result is the same. Do you have an other idea ?

Best regards,

Nicolas. 109.197.247.94 (talk) 16:37, 30 April 2020 (UTC)Reply

I'm not sure if i am using the right version of php, i notice this PHP warning in the PluggableAuthLogin logs.

"[error] [72c6d20312d838d0d3ef852a] /index.php?title=Sp%C3%A9cial:PluggableAuthLogin ErrorException from line 89 of /var/lib/mediawiki/extensions/PluggableAuth/includes/PluggableAuthLogin.php: PHP Warning: count(): Parameter must be an array or an object that implements Countable"

Do you already seen this error ?

I tried to get around this count function in "PluggableAuth/includes/PluggableAuthLogin.php" (because my $returnToUrl variable is not null, but it seems to be a string instead of array), but always the same result.

Thank you. 109.197.247.94 (talk) 16:59, 30 April 2020 (UTC)Reply

If you are getting a DomainException you might set $LDAPProviderDefaultDomain = "ldap.sub.mydomain.com"; Osnard (talk) 15:34, 6 May 2020 (UTC)Reply

Hello, thank you for the hint.

I added "$LDAPProviderDefaultDomain = "ldap.sub.mydomain.com";" in my LocalSettings.php. I still have the Domain Exception.

Here is the full backtrace i didn't post the last time :

[c6dab44f11ea607a1a3646b7] /index.php?title=Sp%C3%A9cial:Connexion DomainException from line 616 of /usr/share/mediawiki/includes/auth/AuthManager.php: PluggableAuthPrimaryAuthenticationProvider returned an invalid username:

Backtrace:

1. 0 /usr/share/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(355): MediaWiki\Auth\AuthManager->continueAuthentication(array)
2. 1 /usr/share/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(482): AuthManagerSpecialPage->performAuthenticationStep(string, array)
3. 2 /usr/share/mediawiki/includes/htmlform/HTMLForm.php(660): AuthManagerSpecialPage->handleFormSubmit(array, VFormHTMLForm)
4. 3 /usr/share/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(416): HTMLForm->trySubmit()
5. 4 /usr/share/mediawiki/includes/specialpage/LoginSignupSpecialPage.php(316): AuthManagerSpecialPage->trySubmit()
6. 5 /usr/share/mediawiki/includes/specialpage/SpecialPage.php(565): LoginSignupSpecialPage->execute(NULL)
7. 6 /usr/share/mediawiki/includes/specialpage/SpecialPageFactory.php(568): SpecialPage->run(NULL)
8. 7 /usr/share/mediawiki/includes/MediaWiki.php(288): SpecialPageFactory::executePath(Title, RequestContext)
9. 8 /usr/share/mediawiki/includes/MediaWiki.php(861): MediaWiki->performRequest()
10. 9 /usr/share/mediawiki/includes/MediaWiki.php(524): MediaWiki->main()
11. 10 /usr/share/mediawiki/index.php(42): MediaWiki->run()
12. 11 {main}

In the "Debug log", i got this line :

"[authentication] [Auth] username: , user"

I checked in /usr/share/mediawiki/includes/auth/AuthManager.php, line 612.

$res->username is empty

Best regards. 109.197.247.94 (talk) 13:33, 18 May 2020 (UTC)Reply

Which version of PluggableAuth are you using? There is no call to count in PluggableAuthLogin.php anymore. Please check whether the field "loginId" is actually listed in the result of LDAPProvider/maintenance/ShowUserInfo.php. Be aware that the extension is case sensitive here. You might check other variants like "loginid" or "loginID". Osnard (talk) 15:42, 18 May 2020 (UTC)Reply

Thank you Osnard, you find the solution.

Authentication works now.

I am using PluggableAuth: REL1_31 (2019-05-20T02:40:46).

The field "loginid" is listed in the result of LDAPProvider/maintenance/ShowUserInfo.php but i was using "loginId" in my ldapprovider.json configuration. 109.197.247.94 (talk) 08:03, 19 May 2020 (UTC)Reply

Hi,

I'm trying to setup ldap authentication on a mediawiki docker instance. I've gotten to the point where the ShowUserInfo.php and CheckLogin.php work correctly. I am also able to login to the wiki instance with an account that already existed, but using ldap instead of the local login. The problem I run into is when i try to login with an LDAP account that doesn't already exist. When i do that i get the following error:

/var/www/html/includes/libs/rdbms/database/Database.php: A database query error has occurred. Did you forget to run your application's database schema updater after upgrading?

Function: Mediawiki\Extension\LDAPProvider\UserDomainStore::getDomainForUser

Error: 1 no such table: ldap_domains

I have searched for how to solve this error but only find solutions for LDAPAuthenticator, not LDAPAuthenticator2 (the file they say to run does not exist in the new version)

I can't include logs because this is being spun up on a confidential system.

My question is: how do i create the table ldap_domains? i have LDAPProvider, PluggableAuth, and LDAPAuthenticator2 modules installed. 2601:46:C702:5634:6124:8B90:4DDC:DE67 (talk) 17:19, 29 April 2020 (UTC)Reply

Have you run <mediawiki>/maintenance/update.php after installation/activation? Osnard (talk) 09:32, 30 April 2020 (UTC)Reply

So this is running inside of a docker container. is this something that i should add in my LocalSettings.php file as require_once("maintenance/update.php"); ?

2601:46:C702:5634:D016:26C8:684E:4744 (talk) 16:25, 30 April 2020 (UTC)Reply

For others: Osnard's solution worked, as long as you have a mounted volume holding the data files and the database files this only needs to be run once. You cannot make this a require_once() call, this makes it so that the webpage only displays an error. After running the update.php file, everything works (LDAP) and the changes persist over docker container failovers, if you're using a service like me. 2601:46:C702:5634:D016:26C8:684E:4744 (talk) 16:32, 30 April 2020 (UTC)Reply

MW. 1.34.1

PHP. 7.2.18

LDAPAuthentication2. 1.0.1

LDAPProvider 1.0.3

PluggableAuth. 5.7

extensions/LDAPProvider/src/PlatformFunctionWrapper.php

Hello every one, I do not know if it is the right place, because I have no bug but a request for advice.

I recently upgrade my MW, installed LDAPAuthentication2 and use it with Sun Directory Server Enterprise Edition 7.

Everything works fine.

But when I look at the logs (/var/www/mediawiki/debug.log). I note that the search filter is not optimal, that the search result returns me all the LDAP attributes of the user (which is useless).

It seems that the LDAP search function is in the file "extensions/LDAPProvider/src/PlatformFunctionWrapper.php " but i don't know how to "custom" it, it's frustrating.

I think we should modify this request [ldap_search( $linkID, $baseDN = 'dc=mycompagny,dc=country,dc=glob', $filter = '(uid=guims08)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );]

but maybe it's not here.

Anyone know where can I custom filter and search results ?

Last point: Where i can find a list of Mappings Data ?

If anyone can answer my questions.

Thank you very much Guims08 (talk) 07:09, 5 June 2020 (UTC)Reply

Hi!

Thanks for your request!

• Q: Anyone know where can I custom filter and search results?
  • At the moment there is no good way to do it. You will probably need to hack UserInfoRequest.php [1]. If you explain your motivation of changing the filtering, maybe I can implement something that suits your needs.
• Q: Where i can find a list of Mappings Data ?
  • Unfortunately I don't understand completely. "LDAPAuthentication2" will only sync "username", "realname" and "email". If you need further syncing you will probably need Extension:LDAPUserInfo. This allows you to map whatever field is available in the "UserInfoRequest"-reponse to a MediaWiki user property. You can also specify a callback function that allows additional processing of user info data. Osnard (talk) 12:31, 5 June 2020 (UTC)Reply

Hello,

I'm trying to configure a MW installation to use AD for authentication. I modified LocalSettings.php and created ldap.json.

I run extensions/LDAPProvider/maintenance/ShowUserInfo.php, ShowUserGroups.php and CheckLogin.php scripts and all three works fine. Therefore at this point I was confident. But...

When I try to login I receive the message "Fatal error authenticating user" and I find three lines like the following in the log file:

ErrorException from line 42 of /var/www/mediawiki-1.34.1/extensions/LDAPAuthentication2/src/PluggableAuth.php: PHP Notice: Trying to access array offset on value of type null

The same for lines 43 and 44. This means that the variable $extraLoginFields is empty. But why? Why it needs extra login fields? Documentation, about $wgPluggableAuth_ExtraLoginFields says "This configuration variable may be set by authentication plugins and should not be set by wiki site administrators".

It happens even if I use a fake username or a wrong password therefore it seems it's not an authentication issue.

I tried with or without LDAPAuthorization and LDAPGroup extensions enabled but the result is the same.

Any suggest?

Best regards

My configuration:

MW: 1.34.1

Php: 7.4.3

LDAPAuthentication2, LDAPAuthorization, LDAPGroups, LDAPProvider, LDAPUserInfo, PluggableAuth: latest version

my LocalSettings.php modifications:

$ldapJsonFile = "$IP/ldap.json";

wfLoadExtension( 'PluggableAuth' );

wfLoadExtension( 'LDAPProvider' );

wfLoadExtension( 'LDAPAuthentication2' );

wfLoadExtension( 'LDAPAuthorization' );

wfLoadExtension( 'LDAPUserInfo' );

wfLoadExtension( 'LDAPGroups' );

$LDAPProviderDomainConfigs = $ldapJsonFile;

$LDAPAuthentication2AllowLocalLogin = false;

$wgPluggableAuth_ButtonLabel = "Log In";

my ldap.json:

{

   "MY.DOMAIN": {

       "connection": {

           "server": "adserver.ip.domain",

           "user": "aduser",

           "pass": "pass",

           "options": {

               "LDAP_OPT_DEREF": 1

           },

           "port": "636",

           "enctype": "ssl",

           "basedn": "DC=my,DC=domain",

           "userbasedn": "OU=Users,OU=organization,DC=my,DC=domain",

           "groupbasedn": "OU=Groups,OU=organization,DC=my,DC=domain",

           "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",

           "searchattribute": "sAMAccountName",

           "usernameattribute": "sAMAccountName",

           "realnameattribute": "cn",

           "emailattribute": "mail",

           "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]

       },

       "userinfo": [],

       "groupsync": []

   }

} Abiuan (talk) 10:43, 19 June 2020 (UTC)Reply

The values for $wgPluggableAuth_ExtraLoginFields are defined in LDAPAuthentication2/src/ExtraLoginFields.php. It is set in Setup.php of the same extension. Could you try to debug this, by checking whether the variable is properly set in that function? Osnard (talk) 15:03, 19 June 2020 (UTC)Reply

I did some debug. It seems it is not a problem with ExtraLoginFields. It is set and has original values form DOMAIN, USERNAME and PASSWORD attributes.

The issue is with the call of AuthManager->getAuthenticationSessionData() method.

Authmanager is set using

$authManager = AuthManager::singleton();

It is defined and it seems correct.

Instead, the call of $authManager->getAuthenticationSessionData(PluggableAuthLogin::EXTRALOGINFIELDS_SESSION_KEY) returns null;

PluggableAuthLogin::EXTRALOGINFIELDS_SESSION_KEY has the value "PluggableAuthLoginExtraLoginFields".

I did some debug on authManager->getAuthenticationSessionData().

Before the login, if I do a refresh of the page, it works and gives the values of the previous login attempt. After click on "Login" button the call of

$this->request->getSession()->getSecret( 'authData' );

returns null.

Quite strange.

Sorry if it is not clear but I not a big expert of php.

Abiuan (talk) 08:46, 22 June 2020 (UTC)Reply

This looks like you might have an issue with the session storage in general. If you disable the LDAP-Stack extension, can you log in with a local user and stay logged in? Osnard (talk) 10:57, 22 June 2020 (UTC)Reply

You put me on the right direction. I set up the local authentication before. Then, after some tweaking, it works now.

Thank you Abiuan (talk) 12:18, 23 June 2020 (UTC)Reply

Glad I could help Osnard (talk) 14:49, 23 June 2020 (UTC)Reply

I'm having the same issue trying to build a new mediawiki server with AD authentication. ShowUserinfo and CheckLogin were successful but when I login I get Fatal error authenticating user. In the error logs I get "PHP Notice:  Trying to access array offset on value of type null in E:\Inetpub\wwwroot\mediawiki\extensions\LDAPAuthentication2\src\PluggableAuth.php on line 45" and for lines 46 and 47. Debug logs show "[error] [94c23f1e792b385369135ec0] /index.php?title=Special:PluggableAuthLogin   ErrorException: PHP Notice: Trying to access array offset on value of type null". I can login successfully with a local account. I followed the instructions from this page, "Manual:Installing MediaWiki on Windows Server 2019 - MediaWiki". I worked through the errors one by one but this is the last one that's got me stuck. BTW, I'm an Infrastructure engineer/Cloud Architect and a PHP newbie. I'm learning along the way.

I'm running the following version. MediaWiki 1.36.1, PHP 7.4.24 nts, running on IIS on Windows Server 2019. Schweinmesser (talk) 16:19, 29 September 2021 (UTC)Reply

Update: I configured the website to use HTTPS/SSL for more security. Using HTTPS I get the login error. I tested using HTTP and I was able to login using my AD account. I am not sure how to resolve for using HTTPS. Schweinmesser (talk) 20:05, 29 September 2021 (UTC)Reply

The LDAP-Stack extensions are completely agnostic to the protocoll used by the webserver. Maybe you need to reconfigure your wiki in general. Have a look at Manual:$wgServer. Osnard (talk) 08:02, 30 September 2021 (UTC)Reply

Thank you Osnard. That did the trick. Schweinmesser (talk) 20:13, 30 September 2021 (UTC)Reply

I have an entirely new wiki / database / extensions setup (first time doing this).

I am using the full LDAP stack loaded as extenstions, using a LDAP.json file to configure.

I've tested the php commands by hand, they query LDAP server fine and get user info, etc.

My users get a login box, with domain in the drop down, can log in fine.

One user got in once, then got errors. Now she still gets this same error above. Only her, so far. Five other users have had no problem. I've used the UserMerge extention to delete her old user. Still has this error. She has cleared her cache, used two different machines, still the same problem. She is in the correct AD group as the rest of us.

I have the extended debugging still turned on, and she is getting

"trying to access array offset on value of type null in PluggableAuth.php" (on lines 42, 43, 44)

these are the extensions I'm loading, and the order.

wfLoadExtension( 'PluggableAuth' );

  wfLoadExtension( 'LDAPProvider' );

  wfLoadExtension( 'LDAPAuthentication2' );

  wfLoadExtension( 'LDAPAuthorization' );

  wfLoadExtension( 'LDAPUserInfo' );

  wfLoadExtension( 'LDAPGroups' );

  wfLoadExtension( 'Auth_remoteuser' );

Any ideas? The 'realnames' isn't working either, but maybe that's a separate issue.

Cannot figure out why this one user cannot log in but the others can. AdamX8888 (talk) 14:33, 28 July 2020 (UTC)Reply

"trying to access array offset on value of type null in PluggableAuth.php" (on lines 42, 43, 44) means that the code can not extract "username", "password" and "domain" from the session data [1]. Can you please check if the client sends the session cookie and if the session id stays the same between the request of Special:Login and the POST request when the form is sumbitted.

[1] https://github.com/wikimedia/mediawiki-extensions-LDAPAuthentication2/blob/519d88ed2429157bb6cae800295d34a072e292cc/src/PluggableAuth.php#L42-L44 Osnard (talk) 14:54, 28 July 2020 (UTC)Reply

I will check when I can - I am currently blocked from Github.

Can you think of any reason this wouldn't be functioning on only one user? All of us should be using similar machines & browser configs, etc. I am going to have her try directly on the server IE11 itself as my login works fine there, just to see if there is any different behavior.

Thanks AdamX8888 (talk) 15:05, 28 July 2020 (UTC)Reply

No idea. Especially as you have already tried different machines/browsers. Osnard (talk) 15:48, 28 July 2020 (UTC)Reply

Did you ever figure this out? I have two users with this problem, but works for everyone else. 152.85.8.38 (talk) 17:31, 6 July 2021 (UTC)Reply

I have been trying to get LDAP Authentication configured on our MediaWiki installation I am bringing up on our network. We are confguring with enctype = ssl in our ldap.json file over port 636. Have tried other combinations, but this seems to get me closest to fully functional. I am using LDAPAuthentication2/PluggableAuth and all the other required extensions in the LDAP stack.

I can sometimes log in properly, but will almost immediately get the following error if I try again with another browser after logging out, or even with the same browser in a subsequent attempt.

"MWException from line 169 of /var/www/mediawiki-1.34.2/extensions/LDAPProvider/src/Client.php: Could not bind to LDAP: (-1) Can't contact LDAP server”

It will work intermittently, but then fail. We believe the issue may have to do with a load balanced LDAP server. Not sure if anyone else has had either success or intermittent failures with hitting a load balanced Ldap server for authentication.

Would like to know if there is anything I need to set to possibly accommodate this if this is the issue. I have been told by our System Administrators that their load balancer is configured properly and has the proper Persistence, etc.. settings set properly, and that other applications that hit it work fine.

Has anyone had any similar issue or could offer any advice?

Thank you. Nwroble (talk) 20:54, 12 August 2020 (UTC)Reply

Is there anything else showing up in the PHP error log or the application debug log? Osnard (talk) 12:23, 14 August 2020 (UTC)Reply

Osnard, no, nothing compelling. And as an update to this, what is strange it seems that i can most of the time hit the Refresh on the browser, and then i get it in. There just doesnt seem to be any predictability to when it will fail or not. Nwroble (talk) 17:00, 17 August 2020 (UTC)Reply

Can you try to set $LDAPProviderCacheType = CACHE_NONE; and tell me if it occurs more frequently. Osnard (talk) 11:44, 18 August 2020 (UTC)Reply

I have added the $LDAPProviderCacheType = CACHE_NONE; into my LocalSettings.php file and tried a bunch of times. I'd say at least it is probably about the same number of intermittent failures as prior to doing so. Behavior is still the same following the error. Clicking refresh on browser then gets me in. Nwroble (talk) 17:55, 18 August 2020 (UTC)Reply

Also, just to let you know. I have changed my configuration in my ldap.json file to use tls/port 389 instead of ssl/port 636. Also I am now hitting a domain controller directly instead of the load balancer. At this point none of those variables seem to matter. I just get the intermittent failures and hitting the browser refresh gets me in. Also, an FYI, the error message is slightly different, for TLS, but I think that is just because it is going down a different code path for TLS vs SSL. Error message is now this: "MWException from line 141 of /var/www/mediawiki-1.34.2/extensions/LDAPProvider/src/Client.php: Could not start TLS!" Nwroble (talk) 17:59, 18 August 2020 (UTC)Reply

@Osnard, a follow up to this. I have now eliminated the intermittent LDAP login behavior. It ended up being that I needed to restart the php-fpm service (# systemctl restart php-fpm on RH 8). When I was making all my various changes in combination between servers/protocols/ports in the ldap.json and cert changes in ldap.conf, I was doing update.php everytime, but I never restarted php-fpm. I just happened to stumble upon this when trying to track down whether I had proper packages installed and was researching. Unfortunately, I am new to Linux and web servers in general. Thank for your help and taking interest. Nwroble (talk) 17:52, 20 August 2020 (UTC)Reply

Sorry, I have no idea. If connection works once in a web request context it should work always. Also if the "CheckLogin.php" maintenance script works, we can assume that the LDAP configuration in general is okay. Could you please share the debug log, maybe I can spot something you didn't notice? Osnard (talk) 08:19, 2 September 2020 (UTC)Reply

I have mediawiki 1.34.2 on fedora 32 with apache 2.4.43, mysql 8.0.21 and php 7.4.8. I installed ldapprovider, pluggableauth and ldapauthentication2; autocreate account set to true and have a json file with my ldap config (domain controller, base dn, etc. and hope it's correct). when trying to login, it says it can't authenticate credentials against the domain. I tried to set debug logging for the extension to a log file but didn't create a file. i'm just trying to authenticate against a domain controller. I have pluggableauth, ldapauthentication2, ldapprovider, ldapuserinfo, ldapgroups. not sure if all of those are required for this but seems the documentation is confusing only because there are so many extensions and not sure if all of them are required for this. maybe getting the logging to work to get some debugging or more info as to why it throws that error would be a start Seth2740 (talk) 03:07, 14 August 2020 (UTC)Reply

Have you tried authenticating using the LDAPProvider/maintenance/CheckLogin.php script? Can you please share your configuration? LDAP_hub#Migrating_from_old_LdapAuthentication should give you a clear idea of what extensions you need from the stack. Osnard (talk) 12:27, 14 August 2020 (UTC)Reply

checklogin.php returns FAILED though showuserinfo.php pulls all the info of my account. i do have ldapprovider, ldapauthentication2 and pluggableauth so that should be fine Seth2740 (talk) 15:05, 14 August 2020 (UTC)Reply

Okay, so the general connection and is configured properly. Can you confirm that your LDAP backend even allows "binding" for the concrete user? Osnard (talk) 10:45, 17 August 2020 (UTC)Reply

yes the account being used is also used by other applications for ldap lookups Seth2740 (talk) 20:13, 17 August 2020 (UTC)Reply

Can you please share the exact commandline of CheckLogin.php (with arguments) and your domain config? Osnard (talk) 11:42, 18 August 2020 (UTC)Reply

php CheckLogin.php --domain domain.com --username user

what domain config? Seth2740 (talk) 02:05, 20 August 2020 (UTC)Reply

The JSON of PHP file that contains the LDAP credentials and other config. Osnard (talk) 15:07, 31 August 2020 (UTC)Reply