Extension talk:LDAP Authentication


About this board

How to ask for support

There are a couple of key pieces of info I always need:

  1. The MediaWiki version you are using
  2. The LdapAuthentication extension version you are using

I will very often need to see two other things when you ask for support, so you should have them prepared:

  1. Your configuration, with sensitive stuff snipped out
  2. The extension's debug log, with sensitive stuff snipped out

When you are trying to debug an authentication problem, you should always use the most basic configuration possible. For instance, if you don't have basic authentication working yet, you shouldn't have group restrictions or group synchronization enabled yet. I will generally ask you to disable these things when debugging.

Also, $wgLDAPUseLocal is almost never what you want to use. It's a frequent cause of configuration issues, and unless you really know what you are doing, it should not be set (or explicitly set to false, which is the default).

Most importantly of all: ensure you are using the newest version of the extension. From the extension distributor, that's the "master" version. If you are using git, just make sure you use git pull && git reset --hard origin/master. This is one of the more common causes of problems.

How to submit a bug

If you've found a bug, please submit it here.


Support for LDAP Authentication on MW 1.29 (Windows 2012 R2, IIS).

198.181.18.22 (talkcontribs)

After spending the better part of two days, I just installed LDAP authentication in my environment, which is made up of:

MediaWiki 1.29

PHP 7.1.8

MySQL 5.7.19

Windows Server 2012 R2

IIS 8.5

Unfortunately, it is not working (in fact, after installing all the pieces and parts, my Wiki site would not load at all).

Is LDAP Authentication supported under this configuration? I have seen conflicting information on this and before I spend a lot of time on this, I need to know if this is even achievable.

198.181.18.24 (talkcontribs)

After tweaking some of the settings in LocalSettings.php, the site now loads when LDAP Authentication is enabled. Unfortunately, LDAP Authentication itself is still not working. In the meantime, I really need to know if this is supported/should work in my environment:

MediaWiki 1.29

PHP 7.1.8

MySQL 5.7.19

Windows Server 2012 R2

IIS 8.5

198.181.18.23 (talkcontribs)

Still trying to find out if this configuration is supported. Can anyone verify yes or no for me?


RHEL6 - MW 1.21.1 - httpd.x86_64 2.2.15-60.el6_9.5 - php.x86_64 5.3.3-49.el6

2620:107:9000:2200:0:0:0:110 (talkcontribs)

[Tue Jan 23 11:57:26 2018] [error] [client 10.x.x.x PHP Parse error:  syntax error, unexpected '[' in /var/www/wiki/mywiki/extensions/LdapAuthentication/LdapAuthentication.php on line 39

The page Extension:LDAP Authentication says that this version of the extension should be compatible with this version of PHP and MediaWiki. Please advise.

Ciencia Al Poder (talkcontribs)

MediaWiki 1.21 is unsupported. If you still want to use it despite the security risks, you should download the extension for MediaWiki 1.21, not a recent version.


Incorrect password entered error - yet password is correct

MintSauce~mediawikiwiki (talkcontribs)

Hi,

I'm using MediaWiki 1.16.5 and the latest LdapAuthentication extensions from svn trunk on an Ubuntu server that already uses LDAP successfully with a Plone CMS and phpBB.

I've added the configuration below and as you can see from the logs, it seems to connect to LDAP fine (indeed, removing the config results in non-LDAP users being told their username doesn't exist), however, no user can login successfully, all are presented with the error: "Incorrect password entered. Please try again.". I've triple checked against the ldap db that the passwords are correct.

The only thing I can see that might be wrong in the logs is the capitalisation of the first letter of the uid.

Any ideas?

LocalSettings.php:

require_once($IP."/extensions/LdapAuthentication/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array(
  'anonymous-coward'
);
$wgLDAPServerNames = array(
  'anonymous-coward' => '127.0.0.1'
);
$wgLDAPSearchStrings = array(
  'anonymous-coward' => 'uid=USER-NAME,ou=people,dc=anonymous-coward,dc=org'
);
$wgLDAPEncryptionType = array(
  "'anonymous-coward'"=>"clear"
  );
$wgLDAPDebug = 3;
$wgDebugLogGroups["ldap"] = "/tmp/ldapdebug.log" ;

Debug file:

2011-07-27 20:00:36  wikidb: 1.2e Entering validDomain
2011-07-27 20:00:36  wikidb: 1.2e User is using a valid domain (anonymous-coward).
2011-07-27 20:00:36  wikidb: 1.2e Setting domain as: anonymous-coward
2011-07-27 20:00:36  wikidb: 1.2e Entering getCanonicalName
2011-07-27 20:00:36  wikidb: 1.2e Username isn't empty.
2011-07-27 20:00:36  wikidb: 1.2e Munged username: Jbloggs
2011-07-27 20:00:36  wikidb: 1.2e Entering userExists
2011-07-27 20:00:36  wikidb: 1.2e
2011-07-27 20:00:36  wikidb: 1.2e Entering authenticate
2011-07-27 20:00:36  wikidb: 1.2e
2011-07-27 20:00:36  wikidb: 1.2e Entering Connect
2011-07-27 20:00:36  wikidb: 1.2e Using TLS or not using encryption.
2011-07-27 20:00:36  wikidb: 1.2e Using servers:  ldap://127.0.0.1
2011-07-27 20:00:36  wikidb: 1.2e Using TLS
2011-07-27 20:00:36  wikidb: 1.2e Failed to start TLS.
2011-07-27 20:00:36  wikidb: 1.2e Connected successfully
2011-07-27 20:00:36  wikidb: 1.2e Entering getSearchString
2011-07-27 20:00:36  wikidb: 1.2e Doing a straight bind
2011-07-27 20:00:36  wikidb: 1.2e userdn is: uid=Jbloggs,ou=people,dc=anonymous-coward,dc=org
2011-07-27 20:00:36  wikidb: 1.2e
2011-07-27 20:00:36  wikidb: 1.2e Binding as the user
2011-07-27 20:00:36  wikidb: 1.2e Failed to bind as uid=Jbloggs,ou=people,dc=anonymous-coward,dc=org
2011-07-27 20:00:36  wikidb: 1.2e with password: xxxxxx
2011-07-27 20:00:36  wikidb: 1.2e Entering allowPasswordChange
2011-07-27 20:00:36  wikidb: 1.2e Entering modifyUITemplate


Ryan lane (talkcontribs)

Well, this is obviously wrong:

$wgLDAPEncryptionType = array(
  "'anonymous-coward'"=>"clear"
  );

It should be:

$wgLDAPEncryptionType = array(
  "anonymous-coward"=>"clear"
  );
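The mis-quoted key above is easy to miss by eye. As an added example (not code from the thread or from the extension), the script below checks that every per-domain $wgLDAP* array is keyed by a name that actually appears in $wgLDAPDomainNames; the sample configuration at the end is the one from the question, reproduced with the extra quotes, so running it reports the `$wgLDAPEncryptionType` mismatch. The same check catches the other common variant, where one array is keyed by a short name and another by the fully qualified domain name.

```php
<?php
// Added example: lint the per-domain LdapAuthentication arrays against $wgLDAPDomainNames.
// Every key must be exactly one of the configured domain names; anything else is a setting
// the extension will silently never apply to the domain the user selects at login.
function ldapConfigKeyProblems(array $domainNames, array $perDomainSettings): array {
    $problems = [];
    foreach ($perDomainSettings as $settingName => $value) {
        if (!is_array($value)) {
            $problems[] = "$settingName is not an array keyed by domain";
            continue;
        }
        // Keys that match no configured domain (typos, stray quotes, wrong FQDN)
        foreach (array_keys($value) as $key) {
            if (!in_array($key, $domainNames, true)) {
                $problems[] = sprintf(
                    "%s has key %s which is not in \$wgLDAPDomainNames (%s)",
                    $settingName, var_export($key, true), implode(', ', $domainNames)
                );
            }
        }
        // Domains with no entry at all: the extension falls back to its default, which
        // is worth knowing about even if it is sometimes intended.
        foreach ($domainNames as $domain) {
            if (!array_key_exists($domain, $value)) {
                $problems[] = "warning: $settingName has no entry for domain '$domain'";
            }
        }
    }
    return $problems;
}

// Constructed sample: the configuration from the question, including the quoting bug.
$wgLDAPDomainNames    = array( 'anonymous-coward' );
$wgLDAPServerNames    = array( 'anonymous-coward' => '127.0.0.1' );
$wgLDAPSearchStrings  = array( 'anonymous-coward' => 'uid=USER-NAME,ou=people,dc=anonymous-coward,dc=org' );
$wgLDAPEncryptionType = array( "'anonymous-coward'" => 'clear' );

$problems = ldapConfigKeyProblems( $wgLDAPDomainNames, array(
    '$wgLDAPServerNames'    => $wgLDAPServerNames,
    '$wgLDAPSearchStrings'  => $wgLDAPSearchStrings,
    '$wgLDAPEncryptionType' => $wgLDAPEncryptionType,
) );

if ( $problems ) {
    foreach ( $problems as $p ) {
        echo "PROBLEM: $p\n";
    }
    exit( 1 );
}
echo "all per-domain LDAP settings are keyed consistently\n";
```

To run it against a real wiki, replace the constructed sample with `require 'LocalSettings.php';` (with `$IP` set) and pass the arrays you actually use; the function itself needs no MediaWiki code.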

Mediawiki 1.28 with php5.6 v. php7.0 & LdapAuthentication issues

96.91.174.60 (talkcontribs)

Hi,

With MediaWiki 1.28 and PHP 5.6 I can authenticate to my OpenLDAP servers; however, when I enable PHP 7.0 and disable PHP 5.6 (Debian 9) it stops working.

Can anyone point me to posts similar to this if this has been brought up already?

Thanks

Rolacher (talkcontribs)

I've had the same issue with MW 1.26 and php 5.6 / php 7.0. This solved the problem:

1. Install LDAP: apt-get install php-ldap

2. Change line 600 of the file 'extensions/LdapAuthentication/LdapAuthentication.php' (see this post):

from:

$servers = rtrim( $servers );

to:

$servers = trim( $servers );


Login error incorrect password entered. please try again

Bernhardsmw (talkcontribs)

Installed:

 

Installed and configured MediaWiki without problems. Then I tried to change the login to LDAP. After hours and the use of the documentation I was not able to log in. Is this extension still working?

Here is my LocalSettings.php config:

#LDAP Authentication
    require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
    $wgAuth = new LdapAuthenticationPlugin();
    
    $wgLDAPProxyAgent = array('EUROPE' => 'cn=mediawiki,dc=EUROPE,dc=LAN');
    $wgLDAPProxyAgentPassword = array('EUROPE' => 'password');
    
    
    $wgLDAPDomainNames = array( "EUROPE.LAN" );
    
    $wgLDAPServerNames = array( "EUROPE.LAN" => "dc1.EUROPE.lan" );
    # I recommend using a Global Catalog server for this.
    
    $wgLDAPSearchStrings = array( "EUROPE.LAN" => "EUROPE.LAN\\USER-NAME" );
    $wgLDAPEncryptionType = array( "EUROPE.LAN" => "tls" );
    $wgLDAPUseLocal = false;
    $wgMinimalPasswordLength = 1;
    
    $wgLDAPBaseDNs = array( "EUROPE.LAN" => "dc=EUROPE,dc=LAN" );
    # Example: If your domain is mydomain.internet.ca then you want to put in "dc=mydomain,dc=internet,dc=ca".
    
    $wgLDAPSearchAttributes = array( "EUROPE.LAN" => "sAMAccountName" );
    
    
    $wgLDAPRetrievePrefs = array( "EUROPE.LAN" => "true" );
    
    $wgLDAPPreferences = array('EUROPE.LAN' => array( 'email' => 'mail','realname' => 'displayname'));
    # This will automatically map the users e-mail address and full name from Active Directory to their account in MediaWiki
    
    $wgLDAPDebug = 3; //for debugging LDAP
    $wgShowExceptionDetails = true; //for debugging MediaWiki
    $wgDebugLogGroups["ldap"] = "/tmp/ldapdebug.log" ;

This is the debug log: 

2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Setting domain as: EUROPE.LAN
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getCanonicalName
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Username is: Mediawiki
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Munged username: Mediawiki
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getCanonicalName
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Username is an IP, not munging.
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getCanonicalName
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Username is an IP, not munging.
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering userExists
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering authenticate for username Mediawiki
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering Connect
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Using TLS or not using encryption.
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Using servers:  ldap://dc1.bbveurope.lan:389
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Using TLS
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getSearchString
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Doing a straight bind
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 userdn is: EUROPE.LAN\mediawiki
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Binding as the user
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Failed to bind as EUROPE.LAN\mediawiki
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering allowPasswordChange
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering modifyUITemplate
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain

I tried a normal PHP login with this script and it works.  

<?php
// Stand-alone test of a simple LDAP bind with the same credentials the wiki uses
$ldaprdn  = 'mediawiki';   // bind identity (an existing domain user)
$ldappass = 'mediawiki';   // its password

// connect to the LDAP server (the AD domain name resolves to a domain controller)
$ldapconn = ldap_connect("EUROPE.LAN")
    or die("No connection to LDAP.");

if ($ldapconn) {
    // Active Directory only accepts LDAPv3 binds
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);

    // bind to the LDAP server as the user
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

    // report the result of the bind, with the server's reason on failure
    if ($ldapbind) {
        echo "LDAP bind success...";
    } else {
        echo "LDAP bind failed: " . ldap_error($ldapconn);
    }

    ldap_unbind($ldapconn);
}
?>

Please help me, the problem is really frustrating and I have worked on it for hours...

Bernhardsmw (talkcontribs)

Just for info: "mediawiki" is an existing windows domain user. I tried other users too and it still worked.

Bernhardsmw (talkcontribs)

And most importantly: why do I need Kerberos or slapd as the documentation says? Is the normal php5-ldap package not enough?

158.145.224.111 (talkcontribs)

Try switching to SSL, or clear text. If you are authenticating and the binding is failing (same as mine below) then we might be in the same boat. The extension works. I can vouch for that. If the LDAP server you are authenticating to isn't authenticated by a real CA you might have issues. You'll need to add the public key certificate to your CA store.

Bernhardsmw (talkcontribs)

I made the change and this is how my /etc/ldap/ldap.conf looks now:

TLS_REQCERT     never

This is the change I made in /var/lib/mediawiki/LocalSettings.php:

$wgLDAPEncryptionType = array( "EUROPE.LAN" => "clear" );

And this is the debug file. Still no success...

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering validDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 User is using a valid domain (EUROPE.LAN).
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Setting domain as: EUROPE.LAN
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getCanonicalName
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Username is: Mediawiki
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Munged username: Mediawiki
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getCanonicalName
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Username is an IP, not munging.
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getCanonicalName
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Username is an IP, not munging.
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering userExists
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering authenticate for username Mediawiki
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering Connect
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Using TLS or not using encryption.
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Using servers:  ldap://DC1.EUROPE.LAN:389
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getSearchString
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Doing a straight bind
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 userdn is: EUROPE.LAN\mediawiki
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Binding as the user
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Failed to bind as EUROPE.LAN\mediawiki
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering allowPasswordChange
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering modifyUITemplate
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
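The ldap.conf change in this post (TLS_REQCERT never) makes StartTLS succeed by switching certificate verification off, so the wiki's bind password is then sent to whatever answers on port 389 after the TLS upgrade. As an added example that is not code from the thread or from the extension, the script below is the check I would run instead: it points libldap at the CA that issued the domain controller's certificate, demands a valid certificate, and performs the same StartTLS bind the extension does. The hostname, account name, CA path and environment variable are placeholders.

```php
<?php
// Added example: StartTLS bind with certificate verification kept ON.
// Assumed /etc/ldap/ldap.conf (read by libldap, which PHP's ldap extension uses):
//   TLS_CACERT  /etc/ssl/certs/corp-root-ca.pem   # CA that issued the DC's certificate
//   TLS_REQCERT demand                            # reject untrusted or mismatched certs
// With that in place, a failure here means the certificate chain or hostname is wrong,
// which is the condition TLS_REQCERT never would have hidden.
$server   = 'ldap://dc1.example.lan';             // placeholder; must match a SAN in the DC cert
$bindUser = 'EXAMPLE\\svc-wiki';                   // placeholder service account (DOMAIN\user form)
$bindPass = getenv('LDAP_TEST_PASSWORD') ?: '';    // read from the environment, never hard-coded

$conn = ldap_connect($server);
if ($conn === false) {
    fwrite(STDERR, "malformed server URI\n");
    exit(1);
}
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3); // AD accepts only LDAPv3 binds
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);        // AD referrals break simple binds otherwise

// Upgrade the plaintext connection to TLS; libldap validates the server certificate here.
if (!@ldap_start_tls($conn)) {
    fwrite(STDERR, "StartTLS failed: " . ldap_error($conn) . "\n");
    fwrite(STDERR, "check TLS_CACERT against the certificate the DC actually presents\n");
    exit(1);
}

// Only now is it safe to send the password.
if (!@ldap_bind($conn, $bindUser, $bindPass)) {
    fwrite(STDERR, "bind failed: " . ldap_error($conn) . "\n");
    ldap_unbind($conn);
    exit(1);
}

echo "StartTLS + bind OK with certificate validation enabled\n";
ldap_unbind($conn);
```

Run it as the same OS user the web server uses, so it reads the same ldap.conf; once it passes, `$wgLDAPEncryptionType = array( "EUROPE.LAN" => "tls" )` can go back in without the TLS_REQCERT never line.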



Bernhardsmw (talkcontribs)

As I can see now, the time in the logfile is not correct. The system time is the same as on the DC server, but the logfile time is 2 hours after it.

Bernhardsmw (talkcontribs)

phpinfo() about SSL config

[openssl]

OpenSSL support enabled
OpenSSL Library Version OpenSSL 1.0.1f 6 Jan 2014
OpenSSL Header Version OpenSSL 1.0.1f 6 Jan 2014
Registered Stream Socket Transports tcp, udp, unix, udg, ssl, sslv3, tls
Bernhardsmw (talkcontribs)

After hours of madness I finally got it working:

You have to install the required packages: Extension:LDAP Authentication#Installation

Then just follow this guide: http://ryandlane.com/blog/2009/03/23/using-the-ldap-authentication-plugin-for-mediawiki-the-basics-part-1/

Forget what configurations are written on the wiki page. If you get a database error after the login: Topic:Sshx994njzy3rs3l

"www.mediawiki.org/wiki/Topic:Sshx994njzy3rs3l" (if the link does not work)

I am a bit mad but happy now. This plugin cost too much time because of the misleading documentation.

86.135.240.141 (talkcontribs)

One of the year and I don't have the Kajus

110.137.41.215 (talkcontribs)

Incorrect password entered. Please try again.

Auto Create and Grant Access

Dturtill (talkcontribs)

Is there any way that I can configure this so that it will auto-create accounts and grant them specific permissions (read / write / admin) based on what AD group they are in, please?

I currently have it enabled so that it will allow you to log in if you are in certain groups, but then I need to populate the permissions manually.

Here are the current details:

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );

$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "test" );
$wgLDAPServerNames = array( "test"=> "srvadfshqgw.test.test.co.uk srvadfsbrtn.test.test.co.uk"  );
$wgLDAPSearchStrings = array("test" => "test\\USER-NAME",);
$wgLDAPEncryptionType = array( "test"=>"ssl" );
#$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs = array( "test"=> "DC=test,DC=test,DC=co,DC=uk" );
$wgLDAPSearchAttributes = array( "test"=>"sAMAccountName" );
$wgLDAPRetrievePrefs = array( "test" => "true" );
$wgLDAPPreferences = array('test' => array( 'email' => 'mail','realname' => 'displayname'));
$wgLDAPDebug = 1; //for debugging LDAP;
$wgDebugLogGroups["ldap"] = "/tmp/wikidebuglog-{$wgDBname}.log";
#$wgLDAPRequiredGroups = array( "test"=> array("cn=Bimtest_Admin,ou=Groups for testing,ou=test,dc=test,dc=test,dc=co,dc=uk","cn=Bimtest_Read,ou=Groups for testing,ou=test,dc=test,dc=test,dc=co,dc=uk") );
$wgLDAPGroupUseFullDN = array( "test"=>true );
$wgLDAPGroupsUseMemberOf = array( "test"=>true );
$wgLDAPGroupObjectclass = array( "test"=>"group" );
$wgLDAPGroupAttribute = array( "test"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "test"=>true );
$wgLDAPGroupNameAttribute = array( "test"=>"cn" );
$wgLDAPGroupSearchNestedGroups = array( "test"=>true );
$wgLDAPActiveDirectory = array( "test" => true);
#$wgLDAPDisableAutoCreate = array( 'test' => true );

thanks
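No reply answers this, so here is the approach I would take, as an added example that is not code from the thread or from the extension's own documentation. It assumes the extension's group-synchronisation options $wgLDAPUseLDAPGroups, $wgLDAPGroupsPrevail and $wgLDAPLocallyManagedGroups, and that the extension adds each AD group's cn, lowercased, as a wiki group of the same name (confirm the exact names in the ldap debug log on the first login). The domain 'test' and the two group DNs are the placeholders from the question.

```php
<?php
# Added example: auto-created accounts whose wiki rights follow AD group membership.

# 1. Rights consulted during automatic account creation have to exist BEFORE the
#    extension is loaded (createaccount on older AuthPlugin releases,
#    autocreateaccount on MediaWiki 1.27+); defining them afterwards does not work.
$wgGroupPermissions['*']['autocreateaccount'] = true;

require_once "$IP/extensions/LdapAuthentication/LdapAuthentication.php";
$wgAuth = new LdapAuthenticationPlugin();
# ... the connection, search and encryption settings from the question stay unchanged ...

# 2. Let the extension create the local account on the first successful LDAP login.
$wgLDAPDisableAutoCreate = array( 'test' => false );

# 3. Only members of these groups may log in at all (full DNs, matching
#    $wgLDAPGroupUseFullDN = true from the question).
$wgLDAPRequiredGroups = array( 'test' => array(
    'cn=Bimtest_Read,ou=Groups for testing,ou=test,dc=test,dc=test,dc=co,dc=uk',
    'cn=Bimtest_Admin,ou=Groups for testing,ou=test,dc=test,dc=test,dc=co,dc=uk',
) );

# 4. Copy AD membership into wiki groups on every login and make AD authoritative for
#    all groups except the locally managed ones, so that removing someone from an AD
#    group also removes the matching wiki rights at their next login. (Assumed options.)
$wgLDAPUseLDAPGroups        = array( 'test' => true );
$wgLDAPGroupsPrevail        = array( 'test' => true );
$wgLDAPLocallyManagedGroups = array( 'test' => array( 'sysop', 'bureaucrat' ) );

# 5. Map the synced groups to rights. Anonymous users get nothing, and merely being
#    logged in grants no editing, so rights come only from the AD-derived groups.
#    Read stays with 'user' because step 3 already limits who can log in at all.
$wgGroupPermissions['*']['read']            = false;
$wgGroupPermissions['*']['edit']            = false;
$wgGroupPermissions['*']['createaccount']   = false;
$wgGroupPermissions['user']['edit']         = false;
$wgGroupPermissions['user']['createpage']   = false;
$wgGroupPermissions['user']['createtalk']   = false;

# AD group Bimtest_Read -> wiki group 'bimtest_read' (assumed lowercased cn)
$wgGroupPermissions['bimtest_read']['read']        = true;

# AD group Bimtest_Admin -> wiki group 'bimtest_admin'
$wgGroupPermissions['bimtest_admin']['read']       = true;
$wgGroupPermissions['bimtest_admin']['edit']       = true;
$wgGroupPermissions['bimtest_admin']['createpage'] = true;
$wgGroupPermissions['bimtest_admin']['createtalk'] = true;
$wgGroupPermissions['bimtest_admin']['delete']     = true;
$wgGroupPermissions['bimtest_admin']['protect']    = true;
$wgGroupPermissions['bimtest_admin']['block']      = true;
```

Keeping 'sysop' and 'bureaucrat' out of the synced set means the existing local admin accounts survive the first login with group sync turned on; everything else is driven from AD, which is the property you want for offboarding.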


AD auth - Automatic account creation is not allowed

77.245.199.118 (talkcontribs)

Hello.

I use Debian 9 with Nginx and the latest MediaWiki.

When I try to log in I receive: "Auto-creation of a local account failed: Automatic account creation is not allowed."

That is when I use the correct auth name and password; if not, I receive a message that the user or password is wrong. In other words, LDAP auth is OK.

my config:

# The following permissions were set based on your choice in the installer
$wgGroupPermissions['*'    ]['createaccount']   = true;
$wgGroupPermissions['*'    ]['read']            = true;
$wgGroupPermissions['*'    ]['edit']            = true;
$wgGroupPermissions['*'    ]['createpage']      = true;
$wgGroupPermissions['*'    ]['createtalk']      = true;

# AD
require_once ("/usr/share/mediawiki-extensions/ldapauth/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array(
  '**addomain**'
);
$wgLDAPServerNames = array(
  '**addomain**' => 'srv-dc2.**addomain**.ru'
);
$wgLDAPSearchStrings = array(
  '**addomain**' => '**addomain**\\USER-NAME'
);
$wgLDAPBaseDNs = array(
  '**addomain**' => 'dc=**addomain**,dc=ru'
);
$wgLDAPSearchAttributes = array(
  '**addomain**' => 'sAMAccountName' );
$wgLDAPPort = array(
  '**addomain**' => 389,
);
$wgLDAPEncryptionType = array(
  '**addomain**' => 'clear'
);
$wgLDAPProxyAgent =  array(
  '**addomain**' => 'CN=ldapwiki,CN=Users,DC=**addomain**,DC=ru'
);
$wgLDAPProxyAgentPassword = array(
  '**addomain**' => '****'
);
$wgLDAPDisableAutoCreate = array(
  '**addomain**' => true
);
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;
$wgLDAPDebug = 99;
$wgDebugLogGroups['ldap'] = '/tmp/debug.log';

In the debug log:

2017-10-27 12:46:17 srv-intranet wiki: 2.0a Using TLS or not using encryption.
2017-10-27 12:46:17 srv-intranet wiki: 2.0a Using non-standard port: 389
2017-10-27 12:46:17 srv-intranet wiki: 2.0a Using servers:  ldap://srv-dc2.**addomain**.ru:389
2017-10-27 12:46:17 srv-intranet wiki: 2.0a PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2017-10-27 12:46:17 srv-intranet wiki: 2.0a Entering getUserDN
2017-10-27 12:46:17 srv-intranet wiki: 2.0a Doing a proxy bind
2017-10-27 12:46:17 srv-intranet wiki: 2.0a Created a regular filter: (sAMAccountName=UserName)
2017-10-27 12:46:17 srv-intranet wiki: 2.0a Entering getBaseDN
2017-10-27 12:46:17 srv-intranet wiki: 2.0a basedn is not set for this type of entry, trying to get the default basedn.
2017-10-27 12:46:17 srv-intranet wiki: 2.0a Entering getBaseDN
2017-10-27 12:46:17 srv-intranet wiki: 2.0a Using base: dc=**addomain**,dc=ru
2017-10-27 12:46:17 srv-intranet wiki: 2.0a Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
2017-10-27 12:46:17 srv-intranet wiki: 2.0a Munged username: UserName
2017-10-27 12:46:17 srv-intranet wiki: 2.0a Entering getCanonicalName
2017-10-27 12:46:17 srv-intranet wiki: 2.0a Username isn't empty.
2017-10-27 12:46:17 srv-intranet wiki: 2.0a Entering Connect
2017-10-27 12:46:17 srv-intranet wiki: 2.0a Using TLS or not using encryption.
2017-10-27 12:46:17 srv-intranet wiki: 2.0a Using non-standard port: 389
2017-10-27 12:46:17 srv-intranet wiki: 2.0a Using servers:  ldap://srv-dc2.**addomain**.ru:389
2017-10-27 12:46:17 srv-intranet wiki: 2.0a PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2017-10-27 12:46:17 srv-intranet wiki: 2.0a Entering getUserDN
2017-10-27 12:46:17 srv-intranet wiki: 2.0a Doing a proxy bind
2017-10-27 12:46:17 srv-intranet wiki: 2.0a Created a regular filter: (sAMAccountName=UserName)
2017-10-27 12:46:17 srv-intranet wiki: 2.0a Entering getBaseDN
2017-10-27 12:46:17 srv-intranet wiki: 2.0a basedn is not set for this type of entry, trying to get the default basedn.
2017-10-27 12:46:17 srv-intranet wiki: 2.0a Entering getBaseDN
2017-10-27 12:46:17 srv-intranet wiki: 2.0a Using base: dc=**addomain**,dc=ru

206.55.83.201 (talkcontribs)

$wgLDAPDisableAutoCreate = array(
  '**addomain**' => false );

2003:CC:ABE0:EF00:CDBF:F0FF:9AD0:DA37 (talkcontribs)

Right, $wgLDAPDisableAutoCreate needs to be set to false for the domain for auto-creation to be allowed.

I had the same problem, but it had a different reason:

Automatic account creation needs one or both of the user rights "createaccount" and "autocreateaccount" to be granted to anonymous users. And these user rights need to be defined before the extension is included and configured.

In my case, the problem disappeared when I put the line

$wgGroupPermissions['*']['autocreateaccount'] = true;

before any line of the LdapAuthentication extension.

Authenticate single users

Aschroet (talkcontribs)

Currently we configure the allowed users for our MW by wgLDAPRequiredGroups. Is there a way to explicitly allow certain LDAP users to authenticate independently of their groups?

LDAP "fake" log in

Xavi (talkcontribs)

I am describing a situation where LDAP Authentication wrongly seems to log in a user through the LDAP domain.

Initial setup:

  • One local user: user1 (who has logged in at least once in the wiki)
  • Two ldap users: user1 and user2
  • $wgMainCacheType = CACHE_ACCEL
  • Local user1 and ldap user1 have the same password

After installing LDAP Authentication with $wgLDAPUseLocal = true; and before running maintenance/update.php (or creating /*_*/ldap_domains manually):

  1. Access the wiki: Error: 1146 Table 'wiki_db_name.wiki_db_prefix_ldap_domains' doesn't exist
  2. Change $wgMainCacheType = CACHE_NONE
  3. Access the wiki: Wiki is displayed with no error message
  4. Log in with user1 in local domain: Error: 1146 Table 'wiki_db_name.wiki_db_prefix_ldap_domains' doesn't exist but the user is logged in
  5. Log out
  6. Log in with user1 in ldap domain: The user is logged in with no error message
  7. Log out
  8. Log in with user2 in ldap domain: Wrong credential message, the user is not logged in

Use of $_SESSION['wsDomain'] in LdapAuthentication.php causes problems

HermannSchwärzler (talkcontribs)

In my setup the direct use of $_SESSION['wsDomain'] at line 1237 of LdapAuthentication.php causes problems: in my case there sometimes is a token but the wsDomain member of the $_SESSION array is not (yet) set.

Looking through the code I came up with this solution:

diff --git a/LdapAuthentication.php b/LdapAuthentication.php
index 44e47d4..462f9c9 100644
--- a/LdapAuthentication.php
+++ b/LdapAuthentication.php
@@ -1234,7 +1234,7 @@ class LdapAuthenticationPlugin extends AuthPlugin {
                # We must set a user option if we want token based logins to work
                if ( $user->getToken( false ) ) {
                        $this->printDebug( "User has a token, setting domain in user options.", NONSENSITIVE );
-                       self::saveDomain( $user, $_SESSION['wsDomain'] );
+                       self::saveDomain( $user, $this->getDomain() );
                }
 
                # Let other extensions update the user
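Review bot: the replacement of $_SESSION['wsDomain'] with $this->getDomain() on the saveDomain() line is only safe if getDomain() returns a usable domain in exactly the case that motivated the change (a token present, no session domain set yet); the hunk shows nothing about getDomain()'s fallback, so please confirm it returns a stored or default domain rather than an empty string there, and consider guarding the call, e.g. `$domain = $this->getDomain(); if ( $domain !== '' ) { self::saveDomain( $user, $domain ); }`, so a token login can never persist an empty domain into the user's options. The change also needs a commit message that states when wsDomain can be missing, since the surrounding comment ("We must set a user option if we want token based logins to work") does not explain it.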

I think this is the correct way of doing it especially after reading the comments in getDomain(). :-)

What do you think?

62.143.213.59 (talkcontribs)

Hi Hermann, you are 100% right - I totally agree with what you say. The $_SESSION['wsDomain'] cannot be used at that moment. It is better to use $this->getDomain().

By doing so the extensions works as expected.

- Michael

206.55.83.201 (talkcontribs)

Thanks Michael. It works for me.
