Extension talk:LDAPGroups


Dimassc (talkcontribs)

I'm trying to migrate from the old LdapAuthentication to the new LDAP Hub extensions. Now I can log in via LDAP and restrict groups, but I can't get LDAPGroups to sync with local groups. In the old installation I used $wgGroupPermissions to change permissions depending on LDAP groups, and I'd like to do the same.


When I login I can't see any groups in Special:Preferences page, only "Users" and "Authenticated users".


In my LDAP schema all the groups have an attribute memberUid with all the users of this group (not full dn, only the uid).


php wikiutic/extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain LDAP --username 40447118p

homedirectory => /home/h416udim
sambasid => S-1-5-21-4066546031-2994049288-1383288855-21844
uid => 40447118P
uidnumber => 10422
loginshell => /bin/bash
sambahomepath => \\svrfit\usuaris\h416udim
employeenumber => 40447118
mobile => a41c0a76a958ae045ed19cda402e9fef
objectclass =>
  0 => top
  1 => person
  2 => posixAccount
  3 => sambaSamAccount
  4 => inetOrgPerson
sambapwdcanchange => 2074348956
sambapwdmustchange => 0
sambantpassword => 2DA051AD5B1EF7B4864929ABC47C5DB9
sambapasswordhistory => 0000000000000000000000000000000000000000000000000000000000000000
userpassword => {password}
sambapwdlastset => 2581923686
sambaprimarygroupsid => S-1-5-21-4066546031-2994049288-1383288855-21181
gecos => Joan Test Name
gidnumber => 10090
sambalogonscript => scripts\logon.bat
carlicense => 11709000
telephonenumber => 1234
mail => jtest.girona.ics@gencat.cat
givenname => Joan
description => Test
sn => Test Name
cn => Joan Test Name
displayname => Joan Test Name
departmentnumber => P40447118
destinationindicator => uid=40447118P,ou=Users,dc=htrueta,dc=intranet
sambaacctflags => [U]
dn => uid=40447118P,ou=Users,dc=htrueta,dc=intranet


LocalSettings.php

# LDAP authentication
wfLoadExtensions( [
    'PluggableAuth',        // Base authentication
    'LDAPProvider',         // Base authentication
    'LDAPAuthentication2',  // Base authentication
    'LDAPAuthorization',    // To restrict access by group
    'LDAPGroups'            // To sync LDAP groups with local groups
] );

// $wgPluggableAuth_EnableAutoLogin = true; /* If enabled, this disables the logout option */
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_ButtonLabel = "Inicia sessió";
$LDAPAuthentication2UsernameNormalizer = 'strtoupper'; // strtolower doesn't work
$LDAPAuthentication2AllowLocalLogin = true;
$wgLDAPUseLocal = false; // Allow local wiki authentication. Check that it isn't overridden in LdapAuthentication.php

$LDAPProviderDomainConfigProvider = function() {
    $config = [
        'LDAP' => [
            'connection' => [
                "server" => "golum.trueta.intranet",
                "enctype" => 'clear',
                "basedn" => "dc=htrueta,dc=intranet",
                "userbasedn" => "dc=htrueta,dc=intranet", // u=Users,dc=htrueta,dc=intranet
                "searchstring" => "uid=USER-NAME,ou=Users,dc=htrueta,dc=intranet",
                "searchattribute" => "uid",
                "usernameattribute" => "uid",
                "realnameattribute" => "cn",
                "emailattribute" => "mail",
                "groupbasedn" => "dc=htrueta,dc=intranet", // ou=Groups,dc=htrueta,dc=intranet
                "groupattribute" => "memberuid",
                "groupobjectclass" => "posixgroup",
                "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\Configurable::factory"
            ],
            'authorization' => [
                'rules' => [
                    'groups' => [
                        'required' => [
                            "cn=Domain Admins,ou=Groups,dc=htrueta,dc=intranet",
                            "cn=s103,ou=Groups,dc=htrueta,dc=intranet",
                            "cn=wikiUtic,ou=Groups,dc=htrueta,dc=intranet",
                            "cn=wikiUticLectura,ou=Groups,dc=htrueta,dc=intranet",
                            "cn=lt2b,ou=Groups,dc=htrueta,dc=intranet",
                            "cn=lt1,ou=Groups,dc=htrueta,dc=intranet",
                            "cn=lt15,ou=Groups,dc=htrueta,dc=intranet"
                        ]
                    ]
                ]
            ],
            'groupsync' => [
                "mechanism" => "allgroups",
                "mapping" => [
                    "s103" => "cn=s103,ou=Groups,dc=htrueta,dc=intranet",
                    "Domain admins" => "cn=Domain Admins,ou=Groups,dc=htrueta,dc=intranet"
                ],
                "locally-managed" => [ "local", "wiki", "group", "names" ]
            ]
        ]
    ];
    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

Osnard (talkcontribs)

Please check what php wikiutic/extensions/LDAPProvider/maintenance/ShowUserGroups.php --domain LDAP --username 40447118p returns. Be aware that "mechanism" => "allgroups" will not evaluate "mapping". You may need to use "mechanism" => "mapping"

Users are losing their groups in MediaWiki after approximately one hour

Calebgcooper (talkcontribs)

After updating from MediaWiki 1.34.0 to 1.34.2 and, more importantly, updating to the latest version of the LDAP stack for MediaWiki 1.31, we noticed users were being removed from their groups after about an hour. With debug logs enabled for the LDAP stack, it was observed that the pre-search modifiers are not being used by groupsync after the cache expires (500 seconds by default).


I found that manually running the groupsync maintenance script also removes the users from their groups, so I created a new wiki and used it for troubleshooting.


After installing a brand new test wiki and logging in for the first time we observe:

2020-08-25 16:47:58 testwiki.wiki.internal wikis: MediaWiki\Extension\LDAPProvider\Client::getUserDN: search with array (
  'base' => 'dc=acme,dc=com',
  'filter' => '(samaccountname=caleb_cooper)',
  'attributes' =>
  array (
    0 => '*',
    1 => 'memberof',
  ),
)
2020-08-25 16:47:58 testwiki.wiki.internal wikis: ldap_search( $linkID, $baseDN = 'dc=acme,dc=com', $filter = '(samaccountname=caleb_cooper)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );


Note that the search string for my samaccountname is caleb_cooper: converted to lower case and with spaces replaced by underscores, as per the pre-search modifier configuration in ldap.json. At this point group sync can be run many times manually and successfully, until 500 seconds pass and the cache expires:

bash-5.0# php extensions/LDAPGroups/maintenance/SyncGroups.php --user Caleb_Cooper
Syncing groups for 'Caleb Cooper' (ID:3) ...

Old groups:
* bureaucrat
* editor
* interface-admin
* sysop
* tech-L2

New groups:
* bureaucrat
* editor
* interface-admin
* sysop
* tech-L2


After 500 seconds this is the response from groupsync:

bash-5.0# php extensions/LDAPGroups/maintenance/SyncGroups.php --user Caleb_Cooper
Syncing groups for 'Caleb Cooper' (ID:3) ...

Old groups:
* bureaucrat
* editor
* interface-admin
* sysop
* tech-L2

New groups:
* bureaucrat
* editor


And this is noticed in the debug logs:

2020-08-25 16:56:39 testwiki.wiki.internal wikis: Ran LDAP search for '(samaccountname=Caleb Cooper)' in 0.010628938674927 seconds.

2020-08-25 16:56:39 testwiki.wiki.internal wikis: Removing 'bureaucrat' from 'Caleb Cooper'.
2020-08-25 16:56:39 testwiki.wiki.internal wikis: Removing 'editor' from 'Caleb Cooper'.
2020-08-25 16:56:39 testwiki.wiki.internal wikis: Removing 'interface-admin' from 'Caleb Cooper'.
2020-08-25 16:56:39 testwiki.wiki.internal wikis: Removing 'sysop' from 'Caleb Cooper'.
2020-08-25 16:56:39 testwiki.wiki.internal wikis: Removing 'tech-L2' from 'Caleb Cooper'.


Note that the search string for my samaccountname is now Caleb Cooper, which does not obey the pre-search modifiers in the ldap.json shown below:

{
  "acme.com": {
    "connection": {
      "server": "10.24.27.5",
      "port": "3268",
      "user": "CN=Servicets-ola-dev,OU=Service Accounts,DC=emea,DC=acme,DC=com",
      "pass": "-oV~;j87NXa0IKg5mUw3r?b:",
      "enctype": "clear",
      "options": {
        "LDAP_OPT_DEREF": 1
      },
      "basedn": "dc=acme,dc=com",
      "userbasedn": "dc=acme,dc=com",
      "groupbasedn": "dc=acme,dc=com",
      "searchattribute": "samaccountname",
      "usernameattribute": "samaccountname",
      "realnameattribute": "cn",
      "emailattribute": "mail",
      "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
      "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ],
      "cachetime": "60"
    },
    "userinfo": [],
    "authorization": [],
    "groupsync": {
      "mapping": {
        "editor": "CN=Wiki_L2,OU=Groups,DC=emea,DC=acme,DC=com",
        "tech-L2": "CN=Wiki_L2,OU=Groups,DC=emea,DC=acme,DC=com",
        "reviewer": "CN=Wiki_L3,OU=Groups,DC=emea,DC=acme,DC=com",
        "tech-L3": "CN=Wiki_L3,OU=Groups,DC=emea,DC=acme,DC=com",
        "sysop": "CN=Support_Wikis_Admins,OU=Groups,DC=emea,DC=acme,DC=com",
        "bureaucrat": "CN=Support_Wikis_Admins,OU=Groups,DC=emea,DC=acme,DC=com",
        "interface-admin": "CN=Support_Wikis_Admins,OU=Groups,DC=emea,DC=acme,DC=com"
      }
    }
  }
}

I have bugged this here:

https://phabricator.wikimedia.org/T261231
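The two log excerpts above differ only in what reached the filter: caleb_cooper on login, Caleb Cooper after the cache expired. As an added example, not code from the LDAP stack or from this post, the following standalone PHP applies the same two modifiers configured in the ldap.json above, spacestounderscores and lowercase, and then escapes the value for filter context with ldap_escape() (in PHP since 5.6; needs ext-ldap, but makes no connection). The function names and the modifier implementations are my own and may differ from the extension's.

```php
<?php
// Added example: normalise a wiki username the way the configured
// "presearchusernamemodifiers" expect, then build the LDAP search filter.
// Function names and modifier implementations are assumptions for this
// example, not the LDAPProvider extension's own code.

/**
 * Apply the modifiers in the configured order. An unknown modifier name is
 * an error rather than being skipped, so a typo in ldap.json fails loudly.
 *
 * @param string   $username  wiki username, e.g. "Caleb Cooper"
 * @param string[] $modifiers e.g. [ "spacestounderscores", "lowercase" ]
 */
function applyPreSearchModifiers( string $username, array $modifiers ): string {
	$name = $username;
	foreach ( $modifiers as $modifier ) {
		switch ( strtolower( $modifier ) ) {
			case 'spacestounderscores':
				$name = str_replace( ' ', '_', $name );
				break;
			case 'lowercase':
				$name = strtolower( $name );
				break;
			default:
				throw new InvalidArgumentException( "Unknown modifier '$modifier'" );
		}
	}
	return $name;
}

/**
 * Equality filter with the value escaped for filter context (RFC 4515),
 * so a username such as "smith)(objectClass=*" cannot alter the query.
 */
function buildUserFilter( string $searchAttribute, string $normalisedName ): string {
	return '(' . $searchAttribute . '=' . ldap_escape( $normalisedName, '', LDAP_ESCAPE_FILTER ) . ')';
}

// Constructed sample mirroring the connection block of the ldap.json above.
$config = [
	'searchattribute'            => 'samaccountname',
	'presearchusernamemodifiers' => [ 'spacestounderscores', 'lowercase' ],
];
$wikiUser = 'Caleb Cooper';

// Every code path that searches for the user, the login hook and the
// groupsync that runs after cachetime alike, must go through this step.
$normalised = applyPreSearchModifiers( $wikiUser, $config['presearchusernamemodifiers'] );
echo buildUserFilter( $config['searchattribute'], $normalised ), "\n";

// What the second log excerpt shows: the raw wiki name reached the filter.
echo buildUserFilter( $config['searchattribute'], $wikiUser ), "\n";

// Filter metacharacters in the input stay inert after escaping.
echo buildUserFilter( 'samaccountname', applyPreSearchModifiers( 'Eve)(cn=*', [ 'lowercase' ] ) ), "\n";
```

The first echo yields the lowercase, underscored form seen in the login search; the second reproduces the filter from the post-expiry search. Any path that skips the normalisation step produces exactly that second filter, which is the symptom reported here.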

Osnard (talkcontribs)

ShowUserGroups.php Invalid argument line 60

Seanvin (talkcontribs)

Hi

I am running MediaWiki on Windows Server 2016 and have configured Active Directory integration. Although users can log in, they are not joined to any MediaWiki groups.

CheckLogin.php and ShowUserInfo.php run OK; however, when I run ShowUserGroups.php I get the following errors.

Full DNs:
PHP Warning: Invalid argument supplied for foreach() in C:\inetpub\wwwroot\mediawiki\extensions\LDAPProvider\maintenance\ShowUserGroups.php on line 60
Warning: Invalid argument supplied for foreach() in C:\inetpub\wwwroot\mediawiki\extensions\LDAPProvider\maintenance\ShowUserGroups.php on line 60
Short names:
PHP Warning: Invalid argument supplied for foreach() in C:\inetpub\wwwroot\mediawiki\extensions\LDAPProvider\src\GroupList.php on line 52
Warning: Invalid argument supplied for foreach() in C:\inetpub\wwwroot\mediawiki\extensions\LDAPProvider\src\GroupList.php on line 52

My ldap.json is below. Any help would be much appreciated.

{
    "ad.xxx.xx.xx": {
        "connection": {
            "server": "xxx-xxxx-xx",
            "port": "389",
            "user": "CN=xxx,OU=xxx,DC=ad,DC=xxx,DC=xx,DC=xx",
            "pass": "xxxxxxxxxxxxxxxxxx",
            "enctype": "clear",
            "options": {
                "LDAP_OPT_DEREF": 1
            },
            "basedn": "dc=ad,dc=xxx,dc=xx,dc=xx",
            "userbasedn": "dc=ad,dc=xxx,dc=xx,dc=xx",
            "groupbasedn": "OU=Groups,OU=WiKi,OU=xxxx,OU=xxx,OU=xxx,DC=ad,DC=xxx,DC=xx,DC=xx",
            "searchattribute": "samaccountname",
            "usernameattribute": "samaccountname",
            "realnameattribute": "cn",
            "emailattribute": "mail",
            "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
            "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]
        },
        "userinfo": [],
        "authorization": [],
        "groupsync": {
            "mapping": {
                "sdadmins": "CN=xxxx,OU=Groups,OU=WiKi,OU=xxxx,OU=xxx,OU=xxx,DC=ad,DC=xxx,DC=xx,DC=xx",
                "ictonly": "CN=xxxx,OU=Groups,OU=WiKi,OU=xxx,OU=xxx,OU=xxx,DC=ad,DC=xxx,DC=xx,DC=xx"
            }
        }
    }
}
Osnard (talkcontribs)

Does "ShowUserInfo.php" list a field "memberof"? If not you may need to set a different "grouprequest".

Seanvin (talkcontribs)

Hi Osnard.

Many thanks for taking the trouble to respond. ShowUserInfo.php does list memberof:

memberof => CN=xxxx,OU=Groups,OU=WiKi,OU=Services,OU=xxx,OU=xxx,DC=ad,DC=xxx,DC=xx,DC=xx

which is the group for "ictonly" as expected.

Regards

Sean

Osnard (talkcontribs)
Seanvin (talkcontribs)

Thank you, applying the patch worked.

I can also confirm that if I put the user into two groups, ShowUserGroups.php works without the patch. However, if the user is in two groups and UserMemberOf.php has the patch, I get an 'array to string conversion' error in ShowUserGroups.php (you are probably already aware of this).

But not to worry, I now understand the problem and have solutions I can work with. I really appreciate you taking the time to help. Many thanks.

Osnard (talkcontribs)

Awesome! Can you please share all of your modifications? Maybe I can add them to the codebase.

Seanvin (talkcontribs)

In order to handle users being a member of one or multiple groups, I added a check, 'is_array( $res['memberof'] )' to UserMemberOf.php.

/**
 * @param string $username to get the groups for
 * @return GroupList
 */
public function getUserGroups( $username ) {
	$userInfoRequest = new UserInfoRequest( $this->ldapClient, $this->config );
	$res = $userInfoRequest->getUserInfo( $username );
	// a user in no group has no memberof attribute at all
	if ( !isset( $res['memberof'] ) ) {
		return new GroupList( [] );
	}
	// several groups arrive as an array, a single group as a plain string
	if ( is_array( $res['memberof'] ) ) {
		return new GroupList( $res['memberof'] );
	}
	return new GroupList( [ $res['memberof'] ] );
}
Osnard (talkcontribs)

Problem with getting groups from LDAP

Bozhob (talkcontribs)

Hi

I am trying to get the groups a user is a member of from an LDAP server.

We use OpenLDAP with GOsa; probably the different schema is the cause of the problem.

extensions/LDAPProvider/maintenance/ShowUserGroups.php can't read the groups.

First of all, the search attribute is memberUid, not uid, but after setting "searchattribute" => "memberUid", ShowUserInfo.php stops working, and I don't know how to use different attributes for searching users and groups.


"searchattribute" => "memberUid" also doesn't resolve the problem with the groups.


Here is part of my LocalSettings.php

<code>
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPGroups' );

$LDAPProviderDomainConfigProvider = function() {
    $config = [
        "example.bg" => [
            "connection" => [
                "server" => "ldap.example.bg",
                "port" => "389",
                "enctype" => "clear",
                "user" => "cn=admin,dc=example,dc=bg",
                "pass" => "****",
                "options" => [
                    // keys are LDAP_OPT_* option names, values their settings;
                    // LDAP_DEREF_ALWAYS (3) is a value for LDAP_OPT_DEREF, not an option name
                    // "LDAP_OPT_DEREF" => 1,
                    "LDAP_OPT_DEREF" => LDAP_DEREF_ALWAYS
                ],
                "basedn" => "dc=example,dc=bg",
                "userbasedn" => "dc=example,dc=bg",
                "searchattribute" => "memberUid",
                "emailattribute" => "mail",
                "groupobjectclass" => "posixGroup",
                "groupattribute" => "",
                "groupbasedn" => "dc=example,dc=bg",
                // "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
                "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\Configurable::factory",
            ],
            // "rules" sits directly under "authorization", not inside a further array
            "authorization" => [
                "rules" => [
                    "groups" => [
                    ]
                ]
            ],
            "groupsync" => [
                "mechanism" => "allgroups",
                "locally-managed" => [ "local", "wiki", "group", "names" ]
            ],
            // per-domain section, so it belongs inside "example.bg"
            "userinfo" => [
            ]
        ]
    ];
    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
</code>


This doesn't work, and in the log file I see:

<code>
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 fd=44 ACCEPT from IP=100.100.10.1:48104 (IP=0.0.0.0:389)
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=0 BIND dn="cn=admin,dc=example,dc=bg" method=128
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=0 BIND dn="cn=admin,dc=example,dc=bg" mech=SIMPLE ssf=0
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=0 RESULT tag=97 err=0 text=
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=1 SRCH base="dc=example,dc=bg" scope=2 deref=0 filter="(memberUid=bozhotest)"
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=1 SRCH attr=* memberof
Jun 11 16:24:10 gosa slapd[12258]: <= bdb_equality_candidates: (memberUid) not indexed
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=1 SEARCH RESULT tag=101 err=0 nentries=5 text=
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=2 SRCH base="dc=example,dc=bg" scope=2 deref=0 filter="(&(objectClass=*)(cn=cn=calgroup_example,ou=groups,dc=example,dc=bg))"
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=2 SRCH attr=dn
Jun 11 16:24:10 gosa slapd[12258]: <= bdb_equality_candidates: (cn) not indexed
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=3 UNBIND
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 fd=44 closed
</code>


With ldapsearch:

ldapsearch -x -a always   -b "dc=example,dc=bg"  "(memberUid=bozhotest)"

returns the groups and the record in the log file is:


<code>
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 fd=268 ACCEPT from IP=127.0.0.1:59392 (IP=0.0.0.0:389)
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=0 BIND dn="cn=admin,dc=example,dc=bg" method=128
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=0 BIND dn="cn=admin,dc=example,dc=bg" mech=SIMPLE ssf=0
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=0 RESULT tag=97 err=0 text=
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=1 SRCH base="dc=example,dc=bg" scope=2 deref=3 filter="(memberUid=bozhotest)"
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=1 SRCH attr=cn sn uid postalAddress telephoneNumber
Jun 11 12:12:07 gosa slapd[12258]: <= bdb_equality_candidates: (memberUid) not indexed
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=1 SEARCH RESULT tag=101 err=0 nentries=5 text=
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=2 SRCH base="cn=calgroup_example,ou=groups,dc=example,dc=bg" scope=0 deref=0 filter="(&(objectClass=*))"
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=2 SRCH attr=* +
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=3 SRCH base="cn=calgroup_zastrahovateli,ou=groups,dc=example,dc=bg" scope=0 deref=0 filter="(&(objectClass=*))"
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=3 SRCH attr=* +
etc.
</code>

The main differences in the two logs, as I can see are:

Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=2 SRCH base="dc=example,dc=bg" scope=2 deref=0 filter="(&(objectClass=*)(cn=cn=calgroup_example,ou=groups,dc=example,dc=bg))"


and

Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=2 SRCH base="cn=calgroup_example,ou=groups,dc=example,dc=bg" scope=0 deref=0 filter="(&(objectClass=*))"


Also probably this:

SRCH attr=* memberof

and

SRCH attr=* +


Which parameters do I have to change to get both searches to work?


Thank you in advance

Bozho

Osnard (talkcontribs)
Bozhob (talkcontribs)

I set

"grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",

but I receive

PHP Notice:  Undefined index: memberof in LDAPProvider/src/UserGroupsRequest/UserMemberOf.php on line 19

what other have I to add to the config?

Bozhob (talkcontribs)

Actually I think that this case is very complicated. In the given LDAP schema there is no attribute on a user pointing to which groups he/she is a member of. Instead, the users are listed in the groups. Example:

cn=wikiadmins,ou=groups,l=wikiusers,dc=example,dc=bg?memberUid?sub?(objectClass=posixGroup)

memberUid - an array containg UIDs of group members


So the problem seems too difficult to resolve.

Using "searchattribute" => "memberUid"


in the log file I can see the response from the LDAP; all the groups the user is a member of are actually listed there, with the full list of attributes:

...snip...
4 =>
  array (
    'cn' =>
    array (
      'count' => 1,
      0 => 'wikiadmins',
    ),
    0 => 'cn',
    'gidnumber' =>
    array (
      'count' => 1,
      0 => '1027',
    ),
    1 => 'gidnumber',
    'memberuid' =>
    array (
      'count' => 3,
      0 => 'test1',
      1 => 'test2',
      2 => 'bozhotest',
    ),
    2 => 'memberuid',
    'labeleduri' =>
    array (
      'count' => 1,
      0 => 'ldap:///cn=wikiadmins,ou=groups,l=wikiusers,dc=example,dc=bg?memberUid?sub?(objectClass=posixGroup)',
    ),
    3 => 'labeleduri',
    'objectclass' =>
    array (
      'count' => 3,
      0 => 'top',
      1 => 'posixGroup',
      2 => 'labeledURIObject',
    ),
    4 => 'objectclass',
    'count' => 5,
    'dn' => 'cn=wikiadmins,ou=groups,l=wikiusers,dc=example,dc=bg',
  ),

May be I have to try to modify extensions/LDAPProvider/src/UserGroupsRequest/UserMemberOf.php 

instead of return new GroupList( $res['memberof'] ); to set a loop foreach to get 'cn' values


Osnard (talkcontribs)

Yes, you will probably need to implement a new `UserGroupsRequest`. Could you please share your solution so I can add it to the extension?

Bozhob (talkcontribs)

Hi Robert

I have achieved some success, but I need a bit of help.

Of course, I will post all the code I wrote, but there are many things to tune.

I wrote a new file UserGosaMember.php and class UserGosaMember, and now the result from

php extensions/LDAPProvider/maintenance/ShowUserGroups.php --domain  example.bg --username bozhotest

is a list of the names of the groups, having the user as a member:


Full DNs:

   

   calgroup_test1

   calgroup_zastrahovateli

   calgroup_klienti

   wikiadmins

Short names:

But I suppose this is not the proper output. I have no opportunity to test with another kind of LDAP to see the proper results.

According to the log above, these group names should be in the Short names section, I suppose.

My question is how the other functions which use the result of the 'UserGroupsRequest' functions expect to "see" the result.

Which is the proper format?

Bozhob (talkcontribs)

Hi

I have some progress

The result now is

php extensions/LDAPProvider/maintenance/ShowUserGroups.php --domain   example.bg --username bozhotest

Full DNs:


   cn=calgroup_example,ou=groups,dc=example,dc=bg

   cn=calgroup_zastrahovateli,ou=groups,dc=example,dc=bg

   cn=calgroup_klienti,ou=groups,dc=example,dc=bg

   cn=wikiadmins,ou=groups,l=wikiusers,dc=example,dc=bg

Short names:

   calgroup_test1

   calgroup_zastrahovateli

   calgroup_klienti

   wikiadmins


This blank line after Full DNs: looks suspicious, but I suppose this is the right format I need to achieve.

But the groups are still not visible from the wiki page.

Bozhob (talkcontribs)

Here I put the code I wrote

First, I found out that the function getUserDN in /extensions/LDAPProvider/src/Client.php returns all the information about the groups which have the user as a member, if searchattr is set to memberUid. So I copied getUserDN to a new member function in Client.php where I added $searchattr = "memberUid"; at the beginning and, instead of return $userdn, I set return $this->userInfo;

I know there are wiser ways to do the same, but being in a hurry I'll leave it at that for now.

So I wrote a class UserGosaMember in extensions/LDAPProvider/src/UserGroupsRequest/UserGosaMember.php -

"grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserGosaMember::factory", should be used in LocalSettings.php

<?php
namespace MediaWiki\Extension\LDAPProvider\UserGroupsRequest;

use MediaWiki\Extension\LDAPProvider\GroupList;
use MediaWiki\Extension\LDAPProvider\UserGroupsRequest;

class UserGosaMember extends UserGroupsRequest {

	/**
	 * @param string $username to get the groups for
	 * @return GroupList
	 */
	public function getUserGroups( $username ) {
		// getGosaGroups() is the copy of Client::getUserDN() described above:
		// it searches with memberUid and returns the raw ldap_get_entries() result
		$userInfo = $this->ldapClient->getGosaGroups( $username );
		$ret = [];
		foreach ( $userInfo as $res ) {
			// the raw result carries a top-level 'count' entry that is not a group
			if ( !is_array( $res ) || !isset( $res['dn'] ) ) {
				continue;
			}
			$ret[] = $res['dn'];
		}
		return new GroupList( $ret );
	} // getUserGroups

} // class

The $userInfo variable contains an array:

array(6) {

 ["count"]=>
 int(5)
 [0]=>
 array(12) {
   ["gidnumber"]=>
   array(2) {
     ["count"]=>
     int(1)
     [0]=>
     string(4) "2010"
   }
   [0]=>
   string(9) "gidnumber"
   ["description"]=>
   array(2) {
     ["count"]=>
     int(1)
     [0]=>
     string(47) "Comment"
   }
   [1]=>
   string(11) "description"
   ["cn"]=>
   array(2) {
     ["count"]=>
     int(1)
     [0]=>
     string(18) "calgroup_test"
   }
   [2]=>
   string(2) "cn"
   ["memberuid"]=>
   array(414) {
     ["count"]=>
     int(413)
     [0]=>
     string(5) "test1"
     [1]=>
     string(5) "test2"

................

     [412]=>
     string(13) "wiki-readonly"
   }
   [3]=>
   string(9) "memberuid"
   ["objectclass"]=>
   array(3) {
     ["count"]=>
     int(2)
     [0]=>
     string(3) "top"
     [1]=>
     string(10) "posixGroup"
   }
   [4]=>
   string(11) "objectclass"
   ["count"]=>
   int(5)
   ["dn"]=>
   string(50) "cn=calgroup_test1,ou=groups,dc=example,dc=bg"
 }
 [1]=>
 array(12) {
   ["cn"]=>
   array(2) {
     ["count"]=>
     int(1)
     [0]=>
     string(23) "calgroup_zastrahovateli"
   }

.......
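The UserGosaMember class above and Seanvin's memberof fix in the ShowUserGroups.php thread run into the same two things: finding a user's groups when only the group side records membership (posixGroup entries listing uids in memberUid), and the different shapes in which attribute values come back (a plain string for one value, an ext-ldap array with a 'count' key for several, nothing at all for none). Here is an added standalone PHP example of both, not the extension's code and not either poster's; the helper names are mine, the sample result is constructed in the shape of the dump above, and ldap_escape() needs ext-ldap but no connection is made.

```php
<?php
// Added example, not LDAPProvider code. Helper names are assumptions.

// Reverse lookup: "which groups list this uid as a member". The uid is
// escaped for filter context (RFC 4515) so it cannot change the query.
function buildMemberUidFilter( string $uid, string $groupObjectClass = 'posixGroup',
	string $memberAttribute = 'memberUid' ): string {
	return sprintf( '(&(objectClass=%s)(%s=%s))', $groupObjectClass, $memberAttribute,
		ldap_escape( $uid, '', LDAP_ESCAPE_FILTER ) );
}

// One attribute as a plain list, whatever shape it arrived in:
//   missing                           -> []
//   plain string (single flattened value, the memberof case) -> [ string ]
//   ext-ldap array with a 'count' key -> the values, without 'count'
function attributeValues( array $entry, string $attribute ): array {
	$key = strtolower( $attribute ); // ext-ldap lower-cases attribute names
	if ( !array_key_exists( $key, $entry ) ) {
		return [];
	}
	if ( !is_array( $entry[$key] ) ) {
		return [ (string)$entry[$key] ];
	}
	$values = [];
	foreach ( $entry[$key] as $k => $v ) {
		if ( is_int( $k ) ) {
			$values[] = (string)$v;
		}
	}
	return $values;
}

// ldap_get_entries()-style result -> list of group DNs. The top-level
// 'count' entry and entries without a dn are skipped, and every group is
// re-checked for the uid so a too-wide base DN or a sloppy filter cannot
// grant membership the directory does not actually record.
function groupDnsFromEntries( array $entries, string $uid, string $memberAttribute = 'memberUid' ): array {
	$dns = [];
	foreach ( $entries as $key => $entry ) {
		if ( !is_int( $key ) || !is_array( $entry ) || empty( $entry['dn'] ) ) {
			continue;
		}
		$members = array_map( 'strtolower', attributeValues( $entry, $memberAttribute ) );
		if ( in_array( strtolower( $uid ), $members, true ) ) {
			$dns[] = $entry['dn'];
		}
	}
	return $dns;
}

// Constructed sample in the shape ext-ldap returns, modelled on the dump above.
// The second group does not list the uid and must not be returned.
$sampleEntries = [
	'count' => 2,
	0 => [
		'cn'        => [ 'count' => 1, 0 => 'wikiadmins' ],
		'memberuid' => [ 'count' => 3, 0 => 'test1', 1 => 'test2', 2 => 'bozhotest' ],
		'count'     => 2,
		'dn'        => 'cn=wikiadmins,ou=groups,l=wikiusers,dc=example,dc=bg',
	],
	1 => [
		'cn'        => [ 'count' => 1, 0 => 'calgroup_klienti' ],
		'memberuid' => [ 'count' => 1, 0 => 'someone_else' ],
		'count'     => 2,
		'dn'        => 'cn=calgroup_klienti,ou=groups,dc=example,dc=bg',
	],
];

echo buildMemberUidFilter( 'bozhotest' ), "\n";
print_r( groupDnsFromEntries( $sampleEntries, 'bozhotest' ) );

// The same normaliser covers the memberOf case: one group arrives as a
// string, several as an array, none as a missing key.
print_r( attributeValues( [ 'memberof' => 'CN=ictonly,OU=Groups,DC=ad,DC=example' ], 'memberOf' ) );
print_r( attributeValues( [ 'memberof' => [ 'count' => 2, 0 => 'CN=a,DC=x', 1 => 'CN=b,DC=x' ] ], 'memberOf' ) );
print_r( attributeValues( [ 'cn' => 'nobody' ], 'memberOf' ) );
```

Wired into LDAPProvider, a UserGroupsRequest subclass would run the filter from buildMemberUidFilter() through the client's search against the groupbasedn, requesting only the dn attribute, pass the raw result to groupDnsFromEntries(), and return new GroupList( $dns ). Check the search method's signature in the installed Client.php rather than assuming it, and make sure the uid handed in is the value actually stored in memberUid; the post above needed a lowercase modifier for exactly that.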

Bozhob (talkcontribs)

A step further. I added "presearchusernamemodifiers" => ["lowercase"]

in LocalSettings.php

and in the debug info in the Apache log file I can now see the groups listed. But synchronization still doesn't work. When I check Special pages -> User rights, or Preferences, the LDAP groups are missing.

Osnard (talkcontribs)

First of all, thank you for sharing the code! I will try to incorporate this into the extension, but can not give any timeframe for it.

If "ShowUserGroups.php" properly lists the groups already, then we are almost there. I can see that you are using the "allgroups" mechanism. Please be aware that the groups will only be synced if they are actually available (somewhere configured by `wgGroupPermissions`) in the wiki. Otherwise syncing will not work.
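Osnard's two replies, in the first thread ("allgroups" does not evaluate "mapping") and here ("allgroups" only syncs groups the wiki already knows), describe two different decision procedures. As an added example, not code from LDAPGroups, here is the gist of both in standalone PHP over constructed data; the function names and the DN normalisation are mine, and "locally-managed" is assumed to list groups the sync must leave alone.

```php
<?php
// Added example, not LDAPGroups code: the two sync decisions discussed in
// this thread written out in plain PHP. Function names are mine; the
// semantics follow the replies: "allgroups" ignores "mapping" and only
// syncs group names the wiki already knows, "mapping" uses the DN table.
// "locally-managed" is assumed to list groups the sync must leave alone.

// DNs typed into config and DNs returned by the directory can differ in
// case and in whitespace after commas; compare them in one canonical form.
function normaliseDn( string $dn ): string {
	return strtolower( preg_replace( '/\s*,\s*/', ',', trim( $dn ) ) );
}

// "mapping" mechanism: local group => LDAP group DN (or a list of DNs).
// Returns the local groups the user should hold.
function groupsFromMapping( array $userGroupDns, array $mapping ): array {
	$have = array_map( 'normaliseDn', $userGroupDns );
	$result = [];
	foreach ( $mapping as $localGroup => $ldapDns ) {
		foreach ( (array)$ldapDns as $dn ) {
			if ( in_array( normaliseDn( $dn ), $have, true ) ) {
				$result[] = $localGroup;
				break;
			}
		}
	}
	return $result;
}

// "allgroups" mechanism: every LDAP short name that is also a wiki group,
// i.e. a key of $wgGroupPermissions. Unknown names are dropped silently,
// which is why a missing $wgGroupPermissions entry looks like "no sync".
function groupsFromAllGroups( array $userShortNames, array $wgGroupPermissions ): array {
	$known = array_keys( $wgGroupPermissions );
	return array_values( array_filter( $userShortNames, function ( $name ) use ( $known ) {
		return in_array( $name, $known, true );
	} ) );
}

// Current vs target membership as add/remove lists, never removing a
// locally-managed group.
function planSync( array $currentGroups, array $targetGroups, array $locallyManaged ): array {
	return [
		'add'    => array_values( array_diff( $targetGroups, $currentGroups ) ),
		'remove' => array_values( array_diff( $currentGroups, $targetGroups, $locallyManaged ) ),
	];
}

// Constructed sample, modelled on the configurations in this thread.
$wgGroupPermissions = [ 'sysop' => [], 'wikiadmins' => [], 'wstaff' => [] ];
$locallyManaged = [ 'handpicked' ];
$currentGroups  = [ 'sysop', 'wstaff', 'handpicked' ];

// What ShowUserGroups.php would list for the user: full DNs and short names.
$userGroupDns   = [
	'cn=wikiadmins,ou=groups,l=wikiusers,dc=example,dc=bg',
	'CN=Domain Admins, OU=Groups, DC=example, DC=bg',
];
$userShortNames = [ 'wikiadmins', 'Domain Admins' ];

$mapping = [
	'wikiadmins' => 'cn=wikiadmins,ou=groups,l=wikiusers,dc=example,dc=bg',
	'sysop'      => 'cn=domain admins,ou=groups,dc=example,dc=bg',
	'wstaff'     => 'cn=wstaff,ou=groups,l=wikiusers,dc=example,dc=bg',
];

// With "mapping" the Domain Admins DN maps to sysop, so sysop is kept,
// wikiadmins is added, wstaff is removed and handpicked is left alone.
print_r( planSync( $currentGroups, groupsFromMapping( $userGroupDns, $mapping ), $locallyManaged ) );

// With "allgroups" the mapping is not consulted: "Domain Admins" is not a
// key of $wgGroupPermissions, so sysop is removed as well.
print_r( planSync( $currentGroups, groupsFromAllGroups( $userShortNames, $wgGroupPermissions ), $locallyManaged ) );
```

The two runs differ only in the mechanism, which is the whole point of the replies: a "mapping" block under an "allgroups" mechanism is dead configuration, and under "allgroups" a group that exists in the directory but not in $wgGroupPermissions is never granted.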

Bozhob (talkcontribs)

Yes, I know that. I have set $wgGroupPermissions['wikiadmins']['edit'] = true; $wgGroupPermissions['wikiadmins']['read'] = true;

and similar for the other groups that have to be synchronized. I tried to use

 "mechanism" => "mappedgroups",
 "mapping" => [
        "wbaseaccess" => "cn=wbaseaccess,ou=groups,l=wikiusers,dc=example,dc=bg",
        "wexperts"    => "cn=wexperts,ou=groups,l=wikiusers,dc=example,dc=bg",
        "wikiadmins"  => "cn=wikiadmins,ou=groups,l=wikiusers,dc=example,dc=bg",
        "wstaff"      => "cn=wstaff,ou=groups,l=wikiusers,dc=example,dc=bg"
  ]

instead of all groups. Now I receive "Member of: mapping", which confuses me.

Osnard (talkcontribs)

Where do you receive "Member of: mapping"? Can you please share a debug-log of when you log into the wiki?

Bozhob (talkcontribs)

Sorry, this was my mistake! When I switched to "mechanism" => "mappedgroups", I had duplicated the "mapping" => [ declaration. Now things seem to be OK. I'll make some tests before marking the case as solved. This variant satisfies me. I'll try to investigate why "allgroups" still doesn't work, probably because of another mistake I made. But I think the wiki is now completely usable. Thank you for your help!

Bozhob (talkcontribs)

Everything looks good. So I consider the case is solved. For further questions I will open new post. Thank you very much again!

TypeError for certain users

68.111.178.77 (talkcontribs)

Hi all,

I am running MediaWiki 1.33 + LDAP Stack 1.33 on WIMP. I'm getting a TypeError for certain user accounts at login:


[3028ab2b8a2be600918b0b51] /acmepedia/index.php?title=Special:UserLogin TypeError from line 29 of C:\inetpub\wwwroot\acmepedia\extensions\LDAPGroups\src\Hook.php: Argument 1 passed to LdapGroups\Hook::populateGroups() must be an instance of LdapGroups\User, instance of User given, called in C:\inetpub\wwwroot\acmepedia\includes\Hooks.php on line 174


Here is my ldap.json,

{
    "ca.acme.com": {
        "connection": {
            "server": "dc1.ca.acme.com",
            "port": "3268",
            "user": "CN=SD.WIKI.SVC,CN=Managed Service Accounts,DC=ca,DC=acme,DC=com",
            "pass": "password",
            "enctype": "clear",
            "options": {
                "LDAP_OPT_DEREF": 1
            },
            "basedn": "dc=ca,dc=acme,dc=com",
            "userbasedn": "dc=ca,dc=acme,dc=com",
            "groupbasedn": "dc=ca,dc=acme,dc=com",
            "searchattribute": "samaccountname",
            "usernameattribute": "samaccountname",
            "realnameattribute": "displayname",
            "emailattribute": "mail",
            "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory"
        },
        "userinfo": [],
        "authorization": [],
        "groupsync": {
            "mapping": {
                "Analysts": "CN=SDAnalysts,OU=Groups,OU=acmeSD,DC=ca,DC=acme,DC=com",
                "Developers": "CN=SDDevelopers,OU=Groups,OU=acmeSD,DC=ca,DC=acme,DC=com",
                "Uncleared Users": "OU=Uncleared Users,OU=UsersSD,OU=acmeSD,DC=ca,DC=acme,DC=com",
                "sysop": "CN=Cybersecurity Team,CN=Users,DC=acme,DC=com",
                "SrDevelopers": "CN=Lead Developers,OU=Groups,OU=acmeSD,DC=ca,DC=acme,DC=com",
                "SrAnalysts": "CN=SD_SrAnalysts,OU=DistributionLists,OU=Groups,OU=acmeSD,DC=ca,DC=acme,DC=com",
                "OfficeAdmins": "CN=SD-Admin,OU=Groups,OU=acmeSD,DC=ca,DC=acme,DC=com"
            }
        }
    }
}


No error when a member of Cybersecurity Team (mapped to sysop) logs in, but everyone else gets the error.

Thanks!

Osnard (talkcontribs)

Looks like you are using an outdated version of "Extension:LdapGroups"; please try to update.


User stays in Mediawiki group after deletion from LDAP group

80.245.147.81 (talkcontribs)

Hi,

I have a problem with syncing of LDAP (Microsoft AD) group memberships to local wiki groups.

Mediawiki version: 1.34

LDAPGroups version:

LDAPGroups: master

2020-03-02T07:11:00

c76e11b

I have this user, let's call him Example-user, who has been in both groups wiki-read and wiki-write for a while.

Now our AD team has removed this guy from the corresponding AD group Wiki_ReadWrite but somehow, he still pops up as a member of wiki-write on Special:ListUsers and, even worse, still has the permission to edit and save pages.

Special:Listgrouprights has wiki-read with only one permission (read) and wiki-write with three permissions (read, edit and delete).

Permissions of the group "users" have been trimmed to only read and editmyusercss.

I suspect, there is an error with syncing the groups of this user for some reason.

Output of maintenance script ShowUserGroups.php shows his correct groups:

root# php extensions/LDAPProvider/maintenance/ShowUserGroups.php --username Example-user --domain mydomain.net

Full DNs:

<some omitted>

        CN=Wiki_ReadOnly,OU=Groups,DC=mydomain,DC=net

Short names:

<some omitted>

        wiki_readonly

Notice the explicitly missing group of Wiki_ReadWrite!


When running the maintenance script SyncGroups.php of the LDAPGroups extension, I get the following output:

root# php extensions/LDAPGroups/maintenance/SyncGroups.php --user Example-user

PHP Notice:  Undefined property: MediaWiki\Extension\LDAPGroups\Maintenance\SyncGroups::$config in /opt/rh/httpd24/root/var/www/html/wiki/extensions/LDAPGroups/maintenance/SyncGroups.php on line 77

Syncing groups for 'Example-user' (ID:11) ...

Old groups:

* wiki-read

* wiki-write

ConfigException from line 53 of /opt/rh/httpd24/root/var/www/html/wiki/includes/config/GlobalVarConfig.php: GlobalVarConfig::get: undefined option: 'LDAPGroupsSyncMechanismRegistry'

#0 /opt/rh/httpd24/root/var/www/html/wiki/extensions/LDAPGroups/maintenance/SyncGroups.php(61): GlobalVarConfig->get('LDAPGroupsSyncM...')

#1 /opt/rh/httpd24/root/var/www/html/wiki/maintenance/doMaintenance.php(99): MediaWiki\Extension\LDAPGroups\Maintenance\SyncGroups->execute()

#2 /opt/rh/httpd24/root/var/www/html/wiki/extensions/LDAPGroups/maintenance/SyncGroups.php(87): require_once('/opt/rh/httpd24...')

#3 {main}

So it correctly grasps the old groups the user was in, but doesn't seem to be able to sync the current groups correctly.


Here's my ldap.json:

ldap.json

{

        "mydomain.net": {

                "connection": {

                        "server": "dc.mydomain.net",

                        "port": "389",

                        "user": "CN=MyBindUser,OU=Users,DC=mydomain,DC=net",

                        "pass": "omittedPassword",

                        "enctype": "clear",

                        "options": {

                                "LDAP_OPT_DEREF": 1

                        },

                        "basedn": "DC=mydomain,DC=net",

                        "userbasedn": "DC=mydomain,DC=net",

                        "groupbasedn": "DC=mydomain,DC=net",

                        "searchstring": "USER-NAME@mydomain.net",

                        "searchattribute": "samaccountname",

                        "usernameattribute": "samaccountname",

                        "realnameattribute": "displayname",

                        "emailattribute": "mail",

                        "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"

                },

                "userinfo": [],

                "groupsync": {

                        "mapping": {

                                "sysop": "CN=Wiki_Admin,OU=Groups,DC=mydomain,DC=net",

                                "wiki-read": "CN=Wiki_ReadOnly,OU=Groups,DC=mydomain,DC=net",

                                "wiki-write": "CN=Wiki_ReadWrite,OU=Groups,DC=mydomain,DC=net"

                        }

                },

                "authorization": {

                        "rules": {

                                "groups": {

                                        "required": [
                                                "CN=Wiki_Admin,OU=Groups,DC=mydomain,DC=net",
                                                "CN=Wiki_ReadOnly,OU=Groups,DC=mydomain,DC=net",
                                                "CN=Wiki_ReadWrite,OU=Groups,DC=mydomain,DC=net"
                                        ]

                                }

                        }

                }

        }

}

Real values have been omitted for security reasons :)


SyncUserGroups.php says undefined option: 'LDAPGroupsSyncMechanismRegistry' but I think that should be the default value of mappedgroups as stated on Extension:LDAPGroups as I have not defined this explicitly in my ldap.json.

Any help is much appreciated :)

80.245.147.81 (talkcontribs)
80.245.147.81 (talkcontribs)

Proposed workaround applied:

# Load LDAP Config from JSON

$ldapJsonFile = "$IP/ldap.json";

$ldapConfig = false;

if (is_file($ldapJsonFile) && is_dir("$IP/extensions/LDAPProvider")) {

  $testJson = @json_decode(file_get_contents($ldapJsonFile),true);

  if (is_array($testJson)) {

    $ldapConfig = true;

  } else {

    error_log("Found invalid JSON in file: $IP/ldap.json");

  }

}

$LDAPProviderDomainConfigs = $ldapJsonFile;

$wgLDAPGroupsSyncMechanismRegistry = 'ignoreme';

No changes in ldap.json.


root# php extensions/LDAPGroups/maintenance/SyncGroups.php --user Example-user

PHP Notice:  Undefined property: MediaWiki\Extension\LDAPGroups\Maintenance\SyncGroups::$config in /opt/rh/httpd24/root/var/www/html/wiki/extensions/LDAPGroups/maintenance/SyncGroups.php on line 77

Syncing groups for 'Example-user' (ID:11) ...

Old groups:

* wiki-read

* wiki-write

New groups:

* wiki-read

* wiki-write

ShowUserGroups.php still only shows Wiki_ReadOnly membership for Example-user (yes, the original is with a - as well if this is a problem)

80.245.147.81 (talkcontribs)

Help me @Osnard-Wan Kenobi, you're my only hope :)

Osnard (talkcontribs)

There actually seems to be a little bug in the `SyncGroups` maintenance script. Please obtain an updated version from and try again.

But actually groups should be removed when a user logs in also. No maintenance script would be required.

Your domain configuration looks good so far. So if `CN=Wiki_ReadWrite,OU=Groups,DC=mydomain,DC=net` does not show up in the list from the `ShowUserGroups` script, the `wiki-write` group should be removed on the next login.

80.245.147.81 (talkcontribs)

First of all thanks for the reply :)

Unfortunately I don't have the credentials of this particular user, so I can't really test if the groups get synced correctly when they log in without bothering them every time.

They should sync correctly with the maintenance script as well though, right?

Now, when trying to sync with your updated SyncGroups script, I get the same output only without the php notice:

Old script:

# php extensions/LDAPGroups/maintenance/SyncGroups.php --user Example-user

PHP Notice:  Undefined property: MediaWiki\Extension\LDAPGroups\Maintenance\SyncGroups::$config in /opt/rh/httpd24/root/var/www/html/wiki/extensions/LDAPGroups/maintenance/SyncGroups.php on line 77

Syncing groups for 'Example-user' (ID:11) ...

Old groups:

* wiki-read

* wiki-write

New groups:

* wiki-read

* wiki-write

Updated script:

# php extensions/LDAPGroups/maintenance/SyncGroups_new.php --user Example-user

Syncing groups for 'Example-user' (ID:11) ...

Old groups:

* wiki-read

* wiki-write

New groups:

* wiki-read

* wiki-write

No change :(


For testing purposes I removed this user manually from the wiki-write group via Special:UserRights and tried both versions of the maintenance script again:

# php extensions/LDAPGroups/maintenance/SyncGroups.php --user Example-user

PHP Notice:  Undefined property: MediaWiki\Extension\LDAPGroups\Maintenance\SyncGroups::$config in /opt/rh/httpd24/root/var/www/html/wiki/extensions/LDAPGroups/maintenance/SyncGroups.php on line 77

Syncing groups for 'Example-user' (ID:11) ...

Old groups:

* wiki-read

New groups:

* wiki-read

# php extensions/LDAPGroups/maintenance/SyncGroups_new.php --user Example-user

Syncing groups for 'Example-user' (ID:11) ...

Old groups:

* wiki-read

New groups:

* wiki-read


So the user does not get added to wiki-write when they have previously been removed from the group manually.

So we can rule out wrong AD memberships or mappings that lead to this. If the sync mechanism worked and that were the case, the user would have been added to wiki-write again.

80.245.147.81 (talkcontribs)

@Osnard

Okay, so we could recreate this problem with a new user as well.

Here's what we did:

- created a new user in AD (Example-User2)

- added this user to Wiki_ReadOnly in AD

- logged into MediaWiki successfully with this user and were only able to read (only group membership was wiki-read)

- added this user to Wiki_Write in AD

- upon logging out of MediaWiki, I could see under the admin account (refreshing Special:UserRights for that user) that the group sync took place and the user was added to wiki-write MW group

- successfully logged back in with Example-User2 and were able to write/edit

- removed user Example-User2 from AD group Wiki_Write

- Example-User2 is still member of MW group mw-write and is able to edit stuff


Special:UserRights says the groups of Example-User2 have no expiry date (this should not be a problem though?).


When running SyncGroups_new.php, it shows the same output as before.

Debug log of extension LDAPGroups says the following, when executing SyncGroups_new.php:

2020-06-04 14:18:27 wikiserver wiki: Adding 'wiki-read' to 'Example-User2'.

2020-06-04 14:18:27 wikiserver wiki: Problem adding user 'Example-User2' to the group 'wiki-read'.

Maybe LDAPGroups tries to add the user to wiki-read but fails as the user already is a member of wiki-read and then doesn't even try to remove the user from wiki-write?

Osnard (talkcontribs)
80.245.147.81 (talkcontribs)

After cloning the new LDAPGroups version, SyncGroups.php reports the following:

# php extensions/LDAPGroups/maintenance/SyncGroups.php --user Example-User2

Syncing groups for 'Example-User2' (ID:73) ...

Old groups:

* wiki-read

* wiki-write

New groups:

* wiki-read

This should also sync automatically when a user logs in, right?

Thanks a lot! :)

Osnard (talkcontribs)

Good to hear. Sync will be done on login and around every hour during a regular session.

Reply to "User stays in Mediawiki group after deletion from LDAP group"
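The thread above turns on one decision: a "mappedgroups" sync has to revoke a local group as soon as its mapped DN disappears from the user's LDAP group list, not only grant it. The following is an added example written for this page, not code from the LDAPGroups extension. It models that decision in plain Python over the constructed values from the thread (the `groupsync.mapping` block of the posted ldap.json, the DN list that ShowUserGroups.php prints, and the user's current local groups). DN comparison is case-insensitive and ignores whitespace after commas, matching how Active Directory treats DNs (ShowUserGroups.php likewise prints short names lowercased). The `locally_managed` parameter is an assumption modelled on the `'locally-managed'` setting mentioned later on this page.

```python
"""Model of a mapped LDAP-to-wiki group sync (added example, not extension code)."""

# Constructed from the ldap.json posted in the thread: wiki group -> LDAP DN(s).
MAPPING = {
    "sysop": "CN=Wiki_Admin,OU=Groups,DC=mydomain,DC=net",
    "wiki-read": "CN=Wiki_ReadOnly,OU=Groups,DC=mydomain,DC=net",
    "wiki-write": "CN=Wiki_ReadWrite,OU=Groups,DC=mydomain,DC=net",
}


def normalize_dn(dn: str) -> str:
    """AD matches DNs case-insensitively; strip spaces after RDN separators too."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def mapped_sync(mapping, ldap_dns, local_groups, locally_managed=()):
    """Return (new_groups, to_add, to_remove) for one user.

    A mapped wiki group is wanted iff one of its DNs is in the user's LDAP
    groups. Mapped groups the user holds locally but no longer backs with an
    LDAP membership are removed; that revocation step is what the thread
    found missing. Groups outside the mapping (e.g. 'user') and groups listed
    as locally managed (assumed parameter) are never touched.
    """
    have = {normalize_dn(d) for d in ldap_dns}
    wanted = set()
    for group, dns in mapping.items():
        if isinstance(dns, str):
            dns = [dns]
        if any(normalize_dn(d) in have for d in dns):
            wanted.add(group)
    managed = set(mapping) - set(locally_managed)
    current = set(local_groups)
    to_add = sorted((wanted & managed) - current)
    to_remove = sorted((current & managed) - wanted)
    new_groups = sorted((current - set(to_remove)) | set(to_add))
    return new_groups, to_add, to_remove


def add_only_sync(mapping, ldap_dns, local_groups):
    """The behaviour observed before the fix: grants happen, revocations don't,
    so a user keeps 'wiki-write' after leaving Wiki_ReadWrite in AD."""
    _, to_add, _ = mapped_sync(mapping, ldap_dns, local_groups)
    return sorted(set(local_groups) | set(to_add))


if __name__ == "__main__":
    # Example-user after the AD team removed them from Wiki_ReadWrite.
    ldap_now = ["CN=Wiki_ReadOnly,OU=Groups,DC=mydomain,DC=net"]
    local_now = ["user", "wiki-read", "wiki-write"]
    print("add-only:", add_only_sync(MAPPING, ldap_now, local_now))
    print("correct :", mapped_sync(MAPPING, ldap_now, local_now))
```

Run it and the add-only variant reproduces the "Old groups == New groups" output from the thread, while `mapped_sync` reports `wiki-write` in `to_remove`. When checking a live wiki, compare the DNs from ShowUserGroups.php against the mapping with the same normalisation; a DN that differs only in case or spacing is still a match and must not be treated as a removal.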
LasseSix (talkcontribs)

4 months ago Osnard commented that nested groups should now be available from https://gerrit.wikimedia.org/g/mediawiki/extensions/LDAPGroups . I downloaded and installed the latest Master version (Fri Aug 02 07:59:52 2019) but still fail to use nested groups regardless of using sync mechanism "allgroups" or "mappedgroups".

Running "php extensions/LDAPProvider/maintenance/ShowUserGroups.php --domain domainname --username username" only shows groups of which the user is a direct member, not groups to which the user is linked indirectly through a subgroup.

Adding "$LDAPGroupsUseMatchingRuleInChainQuery = true;" to LocalSettings.php similar to the approach of the older LdapGroups extension does not solve the issue.

Any idea how to activate this feature?

Osnard (talkcontribs)

In your domain config, you need to set connection.grouprequest to be MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory and connection.nestedgroups to be true.

Josef FTH (talkcontribs)

Hello Osnard,

when I set connection.nestedgroups to true in my wiki I get

.../extensions/LDAPProvider/src/Client.php: Error in LDAP search: Time limit exceeded.

When it's set to false everything is working perfectly well. Do you have a suggestion for me how to get nested groups working or am I limited to flat groups ?

Osnard (talkcontribs)

Looks like there might be some infinite nesting. You should investigate the structure on your LDAP. Are you using a Microsoft AD?

Reply to "Nested groups"
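Osnard's suggestion above (a time limit on the nested-group search usually means the group graph loops) is easier to act on with a small model of what a nested-group lookup does. The following is an added example, not code from LDAPProvider or LDAPGroups: it builds a constructed in-memory directory of group DNs and their `member` values, resolves a user's transitive group set the way a chained membership query would, and separately reports group-to-group cycles so an administrator can find the loop in their structure. Two of the sample groups are deliberately nested into each other to form such a loop. All DNs and names are constructed for this example.

```python
"""Cycle-safe nested group resolution over a constructed directory (added example)."""
from collections import defaultdict

# Constructed sample: group DN -> its 'member' values (users or other groups).
# Wiki_ReadWrite and Wiki_All contain each other, forming the kind of cycle
# that makes a naive recursive expansion run until the server's time limit.
DIRECTORY = {
    "CN=Wiki_ReadOnly,OU=Groups,DC=mydomain,DC=net": [
        "CN=Example-User2,OU=Users,DC=mydomain,DC=net",
    ],
    "CN=Wiki_ReadWrite,OU=Groups,DC=mydomain,DC=net": [
        "CN=Editors,OU=Groups,DC=mydomain,DC=net",
        "CN=Wiki_All,OU=Groups,DC=mydomain,DC=net",
    ],
    "CN=Editors,OU=Groups,DC=mydomain,DC=net": [
        "CN=Example-user,OU=Users,DC=mydomain,DC=net",
    ],
    "CN=Wiki_All,OU=Groups,DC=mydomain,DC=net": [
        "CN=Wiki_ReadWrite,OU=Groups,DC=mydomain,DC=net",
        "CN=Wiki_ReadOnly,OU=Groups,DC=mydomain,DC=net",
    ],
}


def member_of_index(directory):
    """Invert member lists into a case-insensitive 'memberOf' lookup table."""
    index = defaultdict(set)
    for group, members in directory.items():
        for member in members:
            index[member.lower()].add(group)
    return index


def nested_groups(entry_dn, directory):
    """Every group entry_dn belongs to directly or through nesting.

    Breadth-first walk over the memberOf index; a group is queued only the
    first time it is seen, so a cycle in the directory cannot loop forever.
    """
    index = member_of_index(directory)
    found, frontier = set(), [entry_dn]
    while frontier:
        dn = frontier.pop()
        for group in index.get(dn.lower(), ()):
            if group not in found:
                found.add(group)
                frontier.append(group)
    return sorted(found)


def group_cycles(directory):
    """Return group-to-group membership cycles as DN paths (DFS, three colours)."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {g: WHITE for g in directory}
    cycles = []

    def visit(group, path):
        colour[group] = GREY
        path.append(group)
        for member in directory[group]:
            if member not in directory:      # a user entry, not a group
                continue
            if colour[member] == GREY:       # back edge: closes a cycle
                cycles.append(path[path.index(member):] + [member])
            elif colour[member] == WHITE:
                visit(member, path)
        path.pop()
        colour[group] = BLACK

    for group in directory:
        if colour[group] == WHITE:
            visit(group, [])
    return cycles


if __name__ == "__main__":
    user = "CN=Example-User2,OU=Users,DC=mydomain,DC=net"
    print("effective groups:", nested_groups(user, DIRECTORY))
    print("cycles:", group_cycles(DIRECTORY))
```

Two things worth noticing on the sample data: the resolver terminates despite the loop, and Example-User2, who was only ever placed in Wiki_ReadOnly, ends up holding Wiki_ReadWrite through the nesting. Reviewing the `group_cycles` output before turning on `nestedgroups` therefore addresses both the timeout and an unintended privilege path.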
62.178.171.148 (talkcontribs)

It seems that the linked github mirror is linked to a wrong repo

62.178.171.148 (talkcontribs)

Anyway, Nested Group Support would be great like it is implemented in the older Extension:LdapGroups

Osnard (talkcontribs)
Osnard (talkcontribs)

But yes, you are right. The wrong github mirror is due to the fact that github is case insensitive. Sorry for that.

Planetenxin (talkcontribs)

The Github mirror is still broken. Can this be fixed?

Osnard (talkcontribs)

@MarkAHershberger, do you know what needs to be done to make the github-mirror of "LDAPGroups" not contain the old "LdapGroups" code?

MarkAHershberger (talkcontribs)
Planetenxin (talkcontribs)

@MarkAHershberger the Github mirror now claims that this extension is archived. Strange...

Reply to "Wrong Github mirror"

Group mapping for usernames with underscore

Textform (talkcontribs)

When I login with a username with underscore (name_surname) groups are not mapped. If I add groups to the user manually in mediawiki, the user will be removed from all of them after a new login.

Surely I could prevent this with 'locally-managed', but that is no real solution.

With a username that has no underscores all works fine.

php LDAPProvider/maintenance/ShowUserGroups.php --domain ad-domain.com --username wikiuser shows all the groups when I use name_surname. But obviously nothing for "Name surname".

It seems that name_surname is changed to "Name surname" after login and LDAPGroups queries the Active Directory with that username.

How can I tell the extension LDAPGroups to "normalize" the username to name_surname before querying the groups?

Osnard (talkcontribs)
Reply to "Group mapping for usernames with underscore"