Extension talk:LDAP Authentication


About this board

How to ask for support

There are a couple of key pieces of info I always need:

  1. The MediaWiki version you are using
  2. The LdapAuthentication extension version you are using

I very often will need to see two other things when you ask for support, so you should have them prepared:

  1. Your configuration, with sensitive stuff snipped out
  2. The extension's debug log, with sensitive stuff snipped out

When you are trying to debug an authentication problem, you should always use the most basic configuration possible. For instance, if you don't have basic authentication working yet, you shouldn't have group restrictions or group synchronization enabled yet. I will generally ask you to disable these things when debugging.

Also, $wgLDAPUseLocal is almost never what you want to use. It's a frequent cause of configuration issues, and unless you really know what you are doing, it should not be set (or explicitly set to false, which is the default).

Most importantly of all: ensure you are using the newest version of the extension. From the extension distributor, that's the "master" version. If you are using git, just make sure you use git pull && git reset --hard origin/master. This is one of the more common causes of problems.

How to submit a bug

If you've found a bug, please submit it here.


User DN is blank

195.85.237.130

Hi! I installed the extension on my MediaWiki 1.32 running on XAMPP (PHP 7). I set up the config as follows:


$wgLDAPDomainNames = array(
  'MYDOMAIN',
);
$wgLDAPServerNames = array(
  'MYDOMAIN' => 'MYLDAPSERVER',
);
$wgLDAPEncryptionType = array(
  'MYDOMAIN' => 'ssl',
);
$wgLDAPSearchAttributes = array(
  'MYDOMAIN' => 'sAMAccountName',
);
$wgLDAPBaseDNs = array(
  'MYDOMAIN' => 'DC=manz,DC=lc',
);
$wgLDAPGroupBaseDNs = array(
  'MYDOMAIN' => 'OU=DE,OU=RT,OU=User,DC=MYDOMAIN,DC=lc',
);
$wgLDAPUserBaseDNs = array(
  'MYDOMAIN' => 'OU=DE,OU=RT,OU=User,DC=MYDOMAIN,DC=lc',
);


There is an actual domain name and IP for the LDAP server; however, for privacy reasons I would like to hide them. It seems like a connection is established, but the extension cannot find the user. The log tells me:


2019-03-04 10:22:34 WINWIKI x: 2.1.0 Couldn't find an entry
2019-03-04 10:22:34 WINWIKI x: 2.1.0 userdn is:
2019-03-04 10:22:34 WINWIKI x: 2.1.0 User DN is blank


195.85.237.130

I got it to work, the problem was actually that a proxy user was needed in order to do the search.

80.157.191.124

How did you configure your proxy? Like in the docs?


$wgLDAPProxyAgent = array(
  'testLDAPdomain' => 'cn=proxyagent,ou=profile,dc=LDAP,dc=example,dc=com',
);
$wgLDAPProxyAgentPassword = array(
  'testLDAPdomain' => 'S0M3L0ngP@$$w0r6ofS0meV@rie222y!',
);



LDAP Using CentOS7 (Active Directory)

185.46.212.117

Hello everyone,


Feel like I'm going crazy. Installed MediaWiki on a brand new CentOS7 VM (iso 1810).

MediaWiki version 1.32.0

MariaDB10.3.14

PHP version 7.3.5


Got the LDAP extension off this website, created a folder called LdapAuth under /extensions

Installed php-ldap

composer install --no-dev


Added the following settings to my LocalSettings.php (and tried countless varieties of this):


#added by me
require_once ('/var/log/www/html/extensions/LdapAuth/src/Auth/LdapAuthenticationRequest.php');
require_once ('includes/AuthPlugin.php');
wfLoadExtension( 'LdapAuth' );

$wgAuth = new AuthPlugin(); # ';' was missing in the post as written
$wgLDAPDomainNames = array('mytest.lan');
$wgLDAPServerNames = array('mytest.lan' => 'ad01.mytest.lan');
$wgLDAPSearchAttributes = array('mytest.lan' => 'sAMAccountName');
$wgLDAPBaseDNs = array('mytest.lan' => 'dc=mytest,dc=lan');
$wgLDAPAuthEncryptionType = array('mytest.lan' => 'false'); # note: the extension's setting is $wgLDAPEncryptionType
$wgLDAPPort = array('mytest.lan' => '389');
$wgLdapAuthIsActiveDirectory = true; # note: the extension's setting is $wgLDAPActiveDirectory
$wgMinimalPasswordLength = 1;

#Debugging options
$wgShowExceptionDetails = true;
$wgLDAPDebug = 3; # ';' was missing in the post as written
$wgDebugLogGroups[ 'ldap' ] = '/tmp/debug.log';


This and all kinds of varieties, but with no success.


- I don't see packets incoming on the domain controller except DNS. DNS resolving itself works fine and there are no ACLs between the two machines.

- The logging for whatever reason does not work. I turned off SELinux to make sure it isn't blocking anything, but no luck. Gave /tmp/debug.log all access for the time being, but still nothing is being written to it.

- Documentation says to make sure /etc/php.d/ldap.ini has the line containing: extension=ldap.so

This is not entirely the case; this OS had /etc/php.d/20-ldap.ini containing the line extension=ldap (so without the .so, though I changed that as well and it did not help).

- Put the following line in /etc/openldap/ldap.conf: TLS_REQCERT never


Ran maintenance/update.php after pretty much every change, as well as restarting httpd (and the server itself at times).

But whenever I try to log on with a domain user, it just tells me "username or password is not correct". Truly at a loss. The same settings work fine for Zabbix => Active Directory authentication.

Jlenuff

Hi,

From a fresh CentOS 7 install too (CentOS Linux release 7.6.1810), here is what I did, and it works like a charm:

Download the LdapAuthentication extension:

[root@myserver ~]# wget -O downloads/LdapAuthentication-REL1_32-e2cab88.tar.gz https://extdist.wmflabs.org/dist/extensions/LdapAuthentication-REL1_32-e2cab88.tar.gz

Extract the archive file into the MediaWiki extensions directory:

[root@myserver ~]# tar -xzf downloads/LdapAuthentication-REL1_32-e2cab88.tar.gz -C /data/www/mediawiki/current/extensions

Add the following configuration options to the /data/www/mediawiki/current/LocalSettings.php file:

## Beginning of LDAP Authentication/AD Configuration
require_once ("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array(
  'adomainname'
);
$wgLDAPServerNames = array(
  'adomainname' => 'myADserver.mydomain.local'
);
$wgLDAPSearchStrings = array(
  'adomainname' => 'USER-NAME@myreal.domain' // <== to be sure of this value, view a record in your AD and compare
);
$wgLDAPEncryptionType = array(
  'adomainname' => 'clear'
);
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs = array(
  'adomainname' => 'DC=mydomain,DC=local'
);
$wgLDAPSearchAttributes = array(
  'adomainname' => 'sAMAccountName'
);
$wgLDAPRetrievePrefs = array(
  'adomainname' => true
);
$wgLDAPPreferences = array(
  'adomainname' => array(
    'email' => 'mail',
    'realname' => 'displayName',    // <== adapt to your needs
    'nickname' => 'samaccountname'
  )
);
$wgLDAPProxyAgent = array(
  'adomainname' => 'CN=myserviceaccount,OU=serviceaccounts,DC=mydomain,DC=local'
);
$wgLDAPProxyAgentPassword = array(
  'adomainname' => 'myservicepassword'
);
$wgLDAPDisableAutoCreate = array(
  'adomainname' => true
);
$wgLDAPGroupUseFullDN = array(
  'adomainname' => true
);
$wgLDAPLowerCaseUsername = array(
  'adomainname' => true
);
$wgLDAPGroupObjectclass = array(
  'adomainname' => 'group',
);
$wgLDAPGroupAttribute = array(
  'adomainname' => 'member',
);
$wgLDAPGroupNameAttribute = array(
  'adomainname' => 'cn',
);
$wgLDAPGroupsUseMemberOf = array(
  'adomainname' => false,
);
$wgLDAPUseLDAPGroups = array(
  'adomainname' => true,
);
$wgLDAPRequiredGroups = array(
  'adomainname' => array(
    'CN=MyReserverGroup,OU=IT,OU=Users,DC=mydomain,DC=local',
  )
);
$wgLDAPGroupsPrevail = array(
  'adomainname' => true,
);
$wgLDAPGroupSearchNestedGroups = array(
  'adomainname' => true,
);
$wgLDAPActiveDirectory = array(
  'adomainname' => true,
);
$wgLDAPAuthAttribute = array(
  'adomainname' => '!(userAccountControl:1.2.840.113556.1.4.803:=2)',
);
$wgHooks['SetUsernameAttributeFromLDAP'][] = 'SetUsernameAttribute';
function SetUsernameAttribute(&$LDAPUsername, $info) {
        $LDAPUsername = $info[0]['samaccountname'][0];
        return true;
}
$wgLDAPDebug = 1; //for debugging LDAP
## End of LDAP Authentication/AD Configuration

Go to your MediaWiki installation directory and run the following command in order to adapt your database to this new extension:

[root@myserver ~]# cd /data/www/mediawiki/current/
[root@myserver current]# php7 maintenance/update.php
MediaWiki 1.32.0 Updater

Your composer.lock file is up to date with current dependencies!
Going to run database updates for mediawiki_db
Depending on the size of your database this may take a while!
..................................
Attempted to insert 0 IP revisions, 0 actually done.
Purging caches...done.

Done in 2.7 s.
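As an added example (written here in Python; it is not code from the LdapAuthentication extension or from the reply above), the following builds the user-lookup filter that the $wgLDAPSearchAttributes and $wgLDAPAuthAttribute settings above imply, escapes the login name per RFC 4515 so that a crafted name cannot change the filter's meaning, and evaluates the userAccountControl bit rule against a constructed in-memory directory. The filter shape (an AND of the attribute match and the auth attribute), the DNs and the sample accounts are assumptions made for the example.

```python
"""Added example (not part of the LdapAuthentication extension): build the
user-lookup filter implied by the configuration above and evaluate the
userAccountControl rule locally against a constructed directory."""

# Bit tested by the configured filter: the ACCOUNTDISABLE flag of userAccountControl.
ACCOUNTDISABLE = 0x2
# $wgLDAPAuthAttribute from the reply above: reject accounts with the disable bit set.
AUTH_ATTRIBUTE = "!(userAccountControl:1.2.840.113556.1.4.803:=2)"


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a search filter, so that a
    login name such as 'jdoe)(objectClass=*' stays a literal string."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_user_filter(username, search_attribute="sAMAccountName",
                      auth_attribute=AUTH_ATTRIBUTE):
    """Assumption: the extension ANDs the $wgLDAPSearchAttributes match with
    $wgLDAPAuthAttribute; this reproduces that shape."""
    return "(&(%s=%s)(%s))" % (search_attribute, escape_filter_value(username), auth_attribute)


def bit_and_matches(value, mask):
    """Matching rule 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND):
    true when every bit of the mask is set in the attribute value."""
    return (value & mask) == mask


def account_allowed(uac):
    """The configured filter negates the bit rule, so a disabled account fails it."""
    return not bit_and_matches(uac, ACCOUNTDISABLE)


# Constructed sample directory (placeholder DNs, not from any real domain).
SAMPLE_DIRECTORY = [
    {"dn": "CN=Jane Doe,OU=Users,DC=mydomain,DC=local",
     "sAMAccountName": "jdoe", "userAccountControl": 512},        # NORMAL_ACCOUNT
    {"dn": "CN=Old Contractor,OU=Users,DC=mydomain,DC=local",
     "sAMAccountName": "ocontractor", "userAccountControl": 514},  # NORMAL_ACCOUNT | ACCOUNTDISABLE
    {"dn": "CN=Svc Backup,OU=serviceaccounts,DC=mydomain,DC=local",
     "sAMAccountName": "svc_backup", "userAccountControl": 66048}, # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
]


def find_user_dn(directory, username):
    """Emulate what the proxy-agent search returns for the filter above: the DN
    of the first entry whose sAMAccountName matches (case-insensitively, as AD
    does) and that passes the disable check, or '' when nothing matches, which
    is the blank userdn the first thread's log shows.  The server compares the
    literal value, so 'svc backup' does not find 'svc_backup'."""
    wanted = username.lower()
    for entry in directory:
        if entry["sAMAccountName"].lower() == wanted and account_allowed(entry["userAccountControl"]):
            return entry["dn"]
    return ""


if __name__ == "__main__":
    for name in ("jdoe", "ocontractor", "jdoe)(objectClass=*"):
        print(build_user_filter(name), "->", find_user_dn(SAMPLE_DIRECTORY, name) or "(blank)")
```

Run it to see the three cases side by side: a normal account resolves to its DN, a disabled account (514) yields a blank DN even though the name exists, and a name containing filter metacharacters is escaped and simply finds nothing.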

Query: INSERT INTO `ldap_domains` (domain,user_id) VALUES (NULL,'2') Function: LdapAuthenticationPlugin::saveDomain Error: 1048 Column 'domain' cannot be null (127.0.0.1)

139.18.118.1

After upgrading MediaWiki and the LDAP extension from 1.26 to 1.32.1 I have a problem logging in with the LDAP extension. I use one domain.


The following SQL shows, that there is no domain to insert into the table.


Query: INSERT INTO `ldap_domains` (domain,user_id) VALUES (NULL,'2')
Function: LdapAuthenticationPlugin::saveDomain
Error: 1048 Column 'domain' cannot be null (127.0.0.1)


Is there somebody who has the same error and a solution?


MediaWiki Server 18.04 Failed to bind to user

Enovyfalls

Have an old MediaWiki server running Ubuntu 14.04, with MediaWiki 1.25, PHP 5.59 and mysql 5.7.23. This server was getting old and we wanted to add certain functionality past what 1.25 could run, so we spun up a new server running 18.04, transferred everything over, and I was able to get the wiki up and running. It is now at MediaWiki 1.30, PHP 7.2 and mysql 5.7. My LocalSettings.php has not changed, and as this is all internal I am running the encryption type as clear. I have the debug log set up and everything seems to be running correctly until:

userdn is: user@domain
Entering getDomain
Binding as the user
Failed to bind as user@domain

I can access the ldap server as usual.

Any ideas?

62.14.255.236

Did you install the ldap module for php7.2?

apt-get install -y php7.2-ldap

You can check it with phpinfo().

41.143.138.131

Thanks.


Upgrade path from 1.23 to 1.31?

192.150.187.199

I know this is not fully supported on 1.31, but this extension is the only thing that does what we need and I'm trying to make it work. We are running RHEL6, with the software collections apache 2.4 and php7.0. This combo is needed for our other websites, and the wikis happen to live on the same server. But this combo doesn't work with mediawiki + LdapAuthentication, and the current "replacement" is not functional in any way.


So my question is: do I need to update in steps from 1.23 to 1.31 to make this work? Or is it ok to upgrade straight to 1.31? Has anyone gotten this path to work before?

Ciencia Al Poder

You can upgrade mediawiki straight to 1.31

192.150.187.199

No, I cannot upgrade straight to 1.31 with ldap Authentication installed. I am asking if I need to take an intermediate step to make this extension work, not whether the mediawiki base install can be upgraded.

MarkAHershberger

Username with _ fails to connect

94.136.21.234

I found out that AD users with _ in their login name cannot log in, because the "_" is replaced with a " " (space) during the logon process.

Are there any workarounds?

94.136.21.234

No "LOG OUT" link

Mellenberger65

After authenticating with LDAP, my user's IP address still appears in the information bar and there is no "LOG OUT" link (the "LOG IN" link is still present).

Any advice on what I am doing wrong?


MediaWiki 1.23.0 PHP 5.3.6 (apache2handler)

Florianschmidtwelzow

Hello! First: I have moved the thread to the extension talk page; it's better to talk about the extension there :) To your problem: the logout link is removed by the LDAP Auth extension, that's right. The other things I can't answer; maybe someone else (maybe the developer) will :)

189.9.74.7

My server has the same behavior. I'm using 1.31.1.


I solved this problem by loading my wiki inside a <div>. The logout button stays on another page.

If the user wants to exit the wiki, he clicks logout and the page is redirected to the main page.


Ldap Authentication on Mediawiki V1.32

2A00:18C8:3E27:3012:8002:DB88:3E26:B009

Anyone got this working yet?

Urfiner

Works just fine after upgrade from mw 1.31


Mapping LDAP Groups to Wiki Groups

195.85.237.130

I did not quite understand how the mapping works. We have a lot of wiki AD groups (e.g. Public_C and Public_E).

How do I tell the config that I want one of those groups to match a group in the wiki that is named differently?

Urfiner

Looks like you cannot map groups if group names are different in wiki and AD.


BadMethodCallException

196.35.254.180

When trying to get LDAP working with AD, I am getting this BadMethodCallException on the logon page when I try to log on.

I installed version 1.32 of MediaWiki on Windows with PHP 7.3 with ldap enabled. I kept the LDAP settings the same as my previous wiki installation, which used to work (version 1.24). However, it does not look like the extension is loading?


My entry :

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();


When I get to the logon page it is not showing my ad domain which it used to show on the previous version?


MarkAHershberger