Extension talk:LDAP Authentication

Jump to navigation Jump to search

About this board

How to ask for support

There's a couple key pieces of info I always need:

  1. The MediaWiki version you are using
  2. The LdapAuthentication extension version you are using

I very often will need to see two other things when you ask for support, so you should have them prepared:

  1. Your configuration, with sensitive stuff snipped out
  2. The extension's debug log, with sensitive stuff snipped out

When you are trying to debug an authentication problem, you should always use the most basic configuration possible. For instance, if you don't have basic authentication working yet, you shouldn't have group restrictions or group synchronization enabled yet. I will generally ask you to disable these things when debugging.

Also, $wgLDAPUseLocal is almost never what you want to use. It's a frequent cause of configuration issues, and unless you really know what you are doing, it should not be set (or explicitly set to false, which is the default).

Most importantly of all: ensure you are using the newest version of the extension. From the extension distributor, that's the "master" version. If you are using git, just make sure you use git pull && git reset --hard origin/master. This is one of the more common cause of problems.

How to submit a bug

If you've found a bug, please submit it here.

Archives

Previous page history was archived for backup purposes at Extension talk:LDAP Authentication/LQT Archive 1 on 2015-07-10.

Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. See Terms of Use for details.

Start a new topic
You are not logged in. To receive attribution with your name instead of your IP address, you can log in or create an account.

Error after importing database with phpmyadmin

3 comments • 15:31, 31 August 2019 15 days ago
3
Tmhoskins (talkcontribs)

[24dbcafdfdd1b46c128f4a7a] /NRTwiki/Main_Page Wikimedia\Rdbms\DBQueryError from line 1587 of /var/www/html/SNRTwiki/includes/libs/rdbms/database/Database.php: A database query error has occurred. Did you forget to run your application's database schema updater after upgrading?

Query: SELECT user_id,user_name,user_real_name,user_email,user_touched,user_token,user_email_authenticated,user_email_token,user_email_token_expires,user_registration,user_editcount,user_actor.actor_id FROM `user` JOIN `actor` `user_actor` ON ((user_actor.actor_user = user_id)) WHERE user_id = '1' LIMIT 1

Function: User::loadFromDatabase

Error: 1146 Table 'wikidb.actor' doesn't exist (localhost)

Backtrace:

#0 /var/www/html/SNRTwiki/includes/libs/rdbms/database/Database.php(1556): Wikimedia\Rdbms\Database->getQueryExceptionAndLog(string, integer, string, string)

#1 /var/www/html/SNRTwiki/includes/libs/rdbms/database/Database.php(1274): Wikimedia\Rdbms\Database->reportQueryError(string, integer, string, string, boolean)

#2 /var/www/html/SNRTwiki/includes/libs/rdbms/database/Database.php(1784): Wikimedia\Rdbms\Database->query(string, string)

#3 /var/www/html/SNRTwiki/includes/libs/rdbms/database/Database.php(1875): Wikimedia\Rdbms\Database->select(array, array, array, string, array, array)

#4 /var/www/html/SNRTwiki/includes/user/User.php(1442): Wikimedia\Rdbms\Database->selectRow(array, array, array, string, array, array)

#5 /var/www/html/SNRTwiki/includes/user/User.php(531): User->loadFromDatabase(integer)

#6 /var/www/html/SNRTwiki/includes/libs/objectcache/WANObjectCache.php(1253): User->{closure}(boolean, integer, array, NULL)

#7 /var/www/html/SNRTwiki/includes/libs/objectcache/WANObjectCache.php(1414): WANObjectCache->{closure}(boolean, integer, array, NULL)

#8 /var/www/html/SNRTwiki/includes/libs/objectcache/WANObjectCache.php(1258): WANObjectCache->doGetWithSetCallback(string, integer, Closure, array, NULL)

#9 /var/www/html/SNRTwiki/includes/user/User.php(555): WANObjectCache->getWithSetCallback(string, integer, Closure, array)

#10 /var/www/html/SNRTwiki/includes/user/User.php(474): User->loadFromCache()

#11 /var/www/html/SNRTwiki/includes/user/User.php(411): User->loadFromId(integer)

#12 /var/www/html/SNRTwiki/includes/session/UserInfo.php(89): User->load()

#13 /var/www/html/SNRTwiki/includes/session/CookieSessionProvider.php(122): MediaWiki\Session\UserInfo::newFromId(string)

#14 /var/www/html/SNRTwiki/includes/session/SessionManager.php(466): MediaWiki\Session\CookieSessionProvider->provideSessionInfo(WebRequest)

#15 /var/www/html/SNRTwiki/includes/session/SessionManager.php(191): MediaWiki\Session\SessionManager->getSessionInfoForRequest(WebRequest)

#16 /var/www/html/SNRTwiki/includes/WebRequest.php(748): MediaWiki\Session\SessionManager->getSessionForRequest(WebRequest)

#17 /var/www/html/SNRTwiki/includes/session/SessionManager.php(130): WebRequest->getSession()

#18 /var/www/html/SNRTwiki/includes/Setup.php(816): MediaWiki\Session\SessionManager::getGlobalSession()

#19 /var/www/html/SNRTwiki/includes/WebStart.php(77): require_once(string)

#20 /var/www/html/SNRTwiki/index.php(39): require(string)

#21 {main}


I tried doing this manually on the command line and it dropped a lot fo the tables I needed. So I decided to use phpmyadmin since we are using for our old wiki version 1.26.

Reply 18:21, 29 August 2019 17 days ago
Ciencia Al Poder (talkcontribs)

MediaWiki 1.26 doesn't have the actor table. And this stacktrace doesn't get any code path from Extension:LDAP Authentication. I don't know what are you trying to do TBH.

Reply 19:29, 29 August 2019 17 days ago
MarkAHershberger (talkcontribs)

Also, MW 1.26 is not supported. You should upgrade to 1.31 at least.

Reply 15:31, 31 August 2019 15 days ago
Reply to "Error after importing database with phpmyadmin"

$wgAuth removed in MediaWiki 1.33

11 comments • 09:15, 19 August 2019 28 days ago
11
81.14.176.5 (talkcontribs)

I'm currently on MediaWiki 1.32.2 and using the LDAP Authentication extension version REL1_32-e2cab88 - everything works fine.

I have a pretty simple setup - connection to one Active Directory server using ssl, restricting users that are able to login to a certain AD group.


As of 7/3/19 the current stable MediaWiki version is now 1.33.

I tried to upgrade and use the LDAP Authentication extension version REL1_33-d82149e with the same ldap settings that were working on 1.32 and REL1_32-e2cab88, but it does not work.

The version REL1_33-d82149e has some accommodations for the new mediawiki version - the update.php script runs without errors.

But it seems like the extension is completely ignored by mediawiki - users can login using the local user credentials, but the login does not work with login credentials from Active Directory.

The logs are also missing despite using $wgLDAPDebug, $wgDebugLogGroups configuration variables.


My guess is that this is caused by the removal of the $wgAuth variable (as stated in the release notes for mediawiki 1.33).

The newer configuration variables for authentication purposes are now $wgAuthManagerAutoConfig or $wgAuthManagerConfig.


The problem is that i don't know how to configure these variables or if they are supported by the LDAP Authentication extension at all.

The configuration examples are still using the old variable $wgAuth.


Did someone figure out how to configure this extension to work with MediaWiki 1.33 and can help out?

Reply 09:45, 4 July 2019 2 months ago
MarkAHershberger (talkcontribs)

Could you look at the LDAP hub. It says it is in draft, but people have successfully been using those new extensions for a while now.

Reply 18:22, 4 July 2019 2 months ago
2001:67C:2344:50:0:0:0:85 (talkcontribs)

I can confirm this issue. I've got freshly installed 1.33 mediawiki and LDAP_Authentication extension is not working at all. There is no errors from update.php script and I've tried different configuration options in LocalSettings.php but no success. It looks like this extension is not activated at all. Any advice?

Reply 09:32, 8 July 2019 2 months ago
TheNetStriker (talkcontribs)

I have exactly the same problem after the update to 1.3.3. Did you find any solution for this? I also didn't found any information on how to switch to this new LDAP hub.

Reply 13:48, 29 July 2019 1 month ago
Osnard (talkcontribs)
Reply 06:36, 30 July 2019 1 month ago
217.114.64.90 (talkcontribs)

Here the same. Would be nice, when it can be fixed.

Reply 10:17, 1 August 2019 1 month ago
UnplanedDowntimer (talkcontribs)

Same here, the plugin is dead on my 1.3.3 Mediawiki, it even doesn't write debug information to the configured file. Any suggestions to get it to life again?

Reply Edited 13:07, 8 August 2019 1 month ago
Osnard (talkcontribs)
Reply 14:39, 12 August 2019 1 month ago
Mark Ziegler (talkcontribs)

Does anyone know if the LdapAuthentication for Versions extension will be adjusted for v1.33+ at all?

Or is the switch to LDAP stack indispensable?

Reply 10:55, 16 August 2019 30 days ago
Osnard (talkcontribs)
Reply 17:14, 17 August 2019 29 days ago
Gslin (talkcontribs)

Use the solution in Topic:Tfu65b5pncef5p6s to solve. Change the original $wgAuth = new LdapAuthenticationPlugin(); to:

   $wgAuthManagerAutoConfig['primaryauth'] += [
       LdapPrimaryAuthenticationProvider::class => [
           'class' => LdapPrimaryAuthenticationProvider::class,
           'args' => [[
                  'authoritative' => true, // don't allow local non-LDAP accounts
              ]],
           'sort' => 50, // must be smaller than local pw provider
       ],
   ];
Reply 09:15, 19 August 2019 28 days ago
Reply to "$wgAuth removed in MediaWiki 1.33"

Login error incorrect password entered. please try again

8 comments • 11:07, 14 July 2019 2 months ago
8
Bernhardsmw (talkcontribs)

Installed:

 

Installed and configured MediaWiki without problems. Then I tried to change the login to LDAP. After hours and the use of the documentation I was not able to login. Is this extension still working? 

Here are my LocalSettings.php config: 

#LDAP Authentication
    require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
    $wgAuth = new LdapAuthenticationPlugin();
    
    $wgLDAPProxyAgent = array('EUROPE' => 'cn=mediawiki,dc=EUROPE,dc=LAN');
    $wgLDAPProxyAgentPassword = array('EUROPE' => 'password');
    
    
    $wgLDAPDomainNames = array( "EUROPE.LAN" );
    
    $wgLDAPServerNames = array( "EUROPE.LAN" => "dc1.EUROPE.lan" );
    # I recommend using a Global Catalog server for this.
    
    $wgLDAPSearchStrings = array( "EUROPE.LAN" => "EUROPE.LAN\\USER-NAME" );
    $wgLDAPEncryptionType = array( "EUROPE.LAN" => "tls" );
    $wgLDAPUseLocal = false;
    $wgMinimalPasswordLength = 1;
    
    $wgLDAPBaseDNs = array( "EUROPE.LAN" => "dc=EUROPE,dc=LAN" );
    # Example: If your domain is mydomain.internet.ca then you want to put in "dc=mydomain,dc=internet,dc=ca".
    
    $wgLDAPSearchAttributes = array( "EUROPE.LAN" => "sAMAccountName" );
    
    
    $wgLDAPRetrievePrefs = array( "EUROPE.LAN" => "true" );
    
    $wgLDAPPreferences = array('EUROPE.LAN' => array( 'email' => 'mail','realname' => 'displayname'));
    # This will automatically map the users e-mail address and full name from Active Directory to their account in MediaWiki
    
    $wgLDAPDebug = 3; //for debugging LDAP
    $wgShowExceptionDetails = true; //for debugging MediaWiki
    $wgDebugLogGroups["ldap"] = "/tmp/ldapdebug.log" ;

This is the debug log: 

2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Setting domain as: EUROPE.LAN
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getCanonicalName
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Username is: Mediawiki
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Munged username: Mediawiki
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getCanonicalName
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Username is an IP, not munging.
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getCanonicalName
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Username is an IP, not munging.
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering userExists
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering authenticate for username Mediawiki
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering Connect
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Using TLS or not using encryption.
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Using servers:  ldap://dc1.bbveurope.lan:389
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Using TLS
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getSearchString
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Doing a straight bind
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 userdn is: EUROPE.LAN\mediawiki
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Binding as the user
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Failed to bind as EUROPE.LAN\mediawiki
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering allowPasswordChange
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering modifyUITemplate
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain

I tried a normal PHP login with this script and it works.  

<?php
// use ldap bind
$ldaprdn  = 'mediawiki'; 
$ldappass = 'mediawiki';

// connect to ldap server
$ldapconn = ldap_connect("EUROPE.LAN")
    or die("No connection to LDAP.");

if ($ldapconn) {

    // bind ldap server
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

    // test binding
    if ($ldapbind) {
        echo "LDAP bind success...";
    } else {
        echo "LDAP bind failed...";
    }

}

?>

Please help me the problem is really frustrating and I worked on it for hours... 

Reply Edited 07:47, 16 September 2015 4 years ago
Bernhardsmw (talkcontribs)

Just for info: "mediawiki" is an existing windows domain user. I tried other users too and it still worked.

Reply 15:18, 15 September 2015 4 years ago
Bernhardsmw (talkcontribs)

And most importantly: Why do I need kerberos or slapd as the documentation tells? Is the normal php5-ldap package not enough?

Reply 15:24, 15 September 2015 4 years ago
158.145.224.111 (talkcontribs)

try switching to SSL, or clear text. If you are authenticating and the binding is failing (same as mine below) then we might be in the same boat. The extension works. I can vouch for that. If the ldap server you are authenticating to isn't authenticated by a real CA you might have issue. You'll need to add the public key certificate to your CA store.

Reply 23:33, 15 September 2015 4 years ago
Bernhardsmw (talkcontribs)

I did the change and this is how my /etc/ldap/ldap.conf looks now

TLS_REQCERT     never

This is the change I did in the /var/lib/mediawiki/LocalSettings.php

$wgLDAPEncryptionType = array( "EUROPE.LAN" => "clear" );

And this the debug file. Still no success...

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering validDomain

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 User is using a valid domain (EUROPE.LAN).

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Setting domain as: EUROPE.LAN

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getCanonicalName

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Username is: Mediawiki

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Munged username: Mediawiki

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getCanonicalName

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Username is an IP, not munging.

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getCanonicalName

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Username is an IP, not munging.

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering userExists

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering authenticate for username Mediawiki

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering Connect

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Using TLS or not using encryption.

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Using servers:  ldap://DC1.EUROPE.LAN:389

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 PHP's LDAP connect method returned true (note, this does not imply it connected to the server).

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getSearchString

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Doing a straight bind

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 userdn is: EUROPE.LAN\mediawiki

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Binding as the user

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Failed to bind as EUROPE.LAN\mediawiki

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering allowPasswordChange

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering modifyUITemplate

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain



Reply Edited 07:47, 16 September 2015 4 years ago
Bernhardsmw (talkcontribs)

As I can see now the time of the Logfile is not correct. The system time is the same as the DC server but the logfile time is 2 hours after it.

Reply 07:50, 16 September 2015 4 years ago
Bernhardsmw (talkcontribs)

phpinfo() about SSL config

[openssl]

OpenSSL support enabled
OpenSSL Library Version OpenSSL 1.0.1f 6 Jan 2014
OpenSSL Header Version OpenSSL 1.0.1f 6 Jan 2014
Registered Stream Socket Transports tcp, udp, unix, udg, ssl, sslv3, tls
Reply Edited 08:16, 16 September 2015 4 years ago
Bernhardsmw (talkcontribs)

After hours of madness I finally get it working:

You have to install the required packages: Extension:LDAP Authentication#Installation

Then just follow this guide: http://ryandlane.com/blog/2009/03/23/using-the-ldap-authentication-plugin-for-mediawiki-the-basics-part-1/

Forget what configurations are written on the wiki page. If you get after the login a database error: Topic:Sshx994njzy3rs3l

"www.mediawiki.org/wiki/Topic:Sshx994njzy3rs3l" (if the link does not work)

I am a bit mad but happy now. This plugin costs to much time because of the missleading documentation.

Reply Edited 14:33, 11 November 2015 3 years ago
Reply to "Login error incorrect password entered. please try again"

SSL on RHEL8

One comment • 21:11, 13 June 2019 3 months ago
1
162.96.9.2 (talkcontribs)

I have been using LDAP Authentication with LDAPS without any issues for many years. I'm now trying to use the same configuration on a RHEL8 server and cannot get it to work. The debug log isn't very helpful, it just says "failed to bind". When using "clear" option, everything works, so I know it's something with SSL. Certificates are fine because they are set up identical to a RHEL7 where everything is working.

Does anyone has any idea?

Reply 21:11, 13 June 2019 3 months ago
Reply to "SSL on RHEL8"

User DN is blank

3 comments • 09:26, 23 May 2019 3 months ago
3
195.85.237.130 (talkcontribs)

Hi! I installed the Extension on my MediaWiki 1.32 running on Xampp (PHP 7). Setup the configs as following:


$wgLDAPDomainNames = array(

  'MYDOMAIN',

);

$wgLDAPServerNames = array(

  'MYDOMAIN' => 'MYLDAPSERVER',

 

);

$wgLDAPEncryptionType = array(

  'MYDOMAIN' => 'ssl',

);

$wgLDAPSearchAttributes = array(

  'MYDOMAIN' => 'sAMAccountName',

);

$wgLDAPBaseDNs = array(

  'MYDOMAIN' => 'DC=manz,DC=lc',

);

$wgLDAPGroupBaseDNs = array(

'MYDOMAIN' => 'OU=DE,OU=RT,OU=User,DC=MYDOMAIN,DC=lc',

);

$wgLDAPUserBaseDNs = array(

'MYDOMAIN' => 'OU=DE,OU=RT,OU=User,DC=MYDOMAIN,DC=lc',

);


There is an actual domain name and the ip for the LDAP Server,however for privacy reasons I would like to hide them. It seems like there is a connection established, however the Extension can not find the user. Log tells me:


2019-03-04 10:22:34 WINWIKI x: 2.1.0 Couldn't find an entry

2019-03-04 10:22:34 WINWIKI x: 2.1.0 userdn is:

2019-03-04 10:22:34 WINWIKI x: 2.1.0 User DN is blank


Reply 10:26, 4 March 2019 6 months ago
195.85.237.130 (talkcontribs)

I got it to work, the problem was actually that a proxy user was needed in order to do the search.

Reply 11:58, 4 March 2019 6 months ago
80.157.191.124 (talkcontribs)

How did you configured your Proxy? Like in the docs?


$wgLDAPProxyAgent = array( 'testLDAPdomain' => 'cn=proxyagent,ou=profile,dc=LDAP,dc=example,dc=com', ); $wgLDAPProxyAgentPassword = array( 'testLDAPdomain' => 'S0M3L0ngP@$$w0r6ofS0meV@rie222y!', );


Reply 06:41, 21 March 2019 5 months ago
Reply to "User DN is blank"

LDAP Using CentOS7 (Active Directory)

2 comments • 08:57, 13 May 2019 4 months ago
2
185.46.212.117 (talkcontribs)

Hello everyone,


Feel like I'm going crazy. Installed MediaWiki on a brand new CentOS7 VM (iso 1810).

MediaWiki version 1.32.0

MariaDB10.3.14

PHP version 7.3.5


Got the LDAP extension off this website, created a folder called LdapAuth under /extensions

Installed php-ldap

composer install --no-dev


Added the following settings to my LocalSettings.php (and tried countless variaties on this):


#added by me

require_once ('/var/log/www/html/extensions/LdapAuth/src/Auth/LdapAuthenticationRequest.php');

require_once ('includes/AuthPlugin.php');

wfLoadExtension( 'LdapAuth' );


$wgAuth = new AuthPlugin()

$wgLDAPDomainNames = array('mytest.lan');

$wgLDAPServerNames = array('mytest.lan' => 'ad01.mytest.lan');

$wgLDAPSearchAttributes = array('mytest.lan' => 'sAMAccountName');

$wgLDAPBaseDNs = array('mytest.lan' => 'dc=mytest,dc=lan');

$wgLDAPAuthEncryptionType = array('mytest.lan' => 'false');

$wgLDAPPort = array('mytest.lan' => '389');

$wgLdapAuthIsActiveDirectory = true;

$wgMinimalPasswordLength = 1;

#Debugging options

$wgShowExceptionDetails = true;

$wgLDAPDebug = 3

$wgDebugLogGroups[ 'ldap' ] = '/tmp/debug.log';


This and all kinds of variaties but to no success.


- I don't see packets incoming on the domain controller except DNS. DNS-resolving itself works fine and there are no ACL's between the two machines.

- The logging for whatever reason does not work. I turned off SELinux to make sure it isn't blocking anything but no luck. Gave the /tmp/debug.log all access for the time being but still nothing is being written to it.

- Documentation says to make sure /etc/php.d/ldap.ini has the line containing: extension=ldap.so

This is not entirely the case, this OS had: /etc/php.d/20-ldap.ini containing the line extension=ldap (so without the.so, though I changed that as well but it did not help)

- put the following line in /etc/openldap/ldap.conf: TLS_REQCERT never


Ran the maintenance/update.php after pretty much every change as well restarting the httpd (and the server itself at times).

But whenever I try to logon with a domainuser It just tells me "username or password is not correct". Truly at a loss. The same settings work fine on Zabbix => Active Directory authentication.

Reply 14:41, 8 May 2019 4 months ago
Jlenuff (talkcontribs)

Hi,

From a fresh CentOS 7 install too (CentOS Linux release 7.6.1810), here is what I did and it works like a charm :

Download LdapAuthentication extension :

[root@myserver ~]# wget -O downloads/LdapAuthentication-REL1_32-e2cab88.tar.gz https://extdist.wmflabs.org/dist/extensions/LdapAuthentication-REL1_32-e2cab88.tar.gz

Extract archive file in the mediawiki extensions directory :

[root@myserver ~]# tar -xzf downloads/LdapAuthentication-REL1_32-e2cab88.tar.gz -C /data/www/mediawiki/current/extensions

Add the following configuration options in the /data/www/mediawiki/current/LocalSettings.php file :

## Beginning of LDAP Authentication/AD Configuration

require_once ("$IP/extensions/LdapAuthentication/LdapAuthentication.php");

$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array(

  'adomainname'

);

$wgLDAPServerNames = array(

  'adomainname' => 'myADserver.mydomain.local'

);

$wgLDAPSearchStrings = array(

'adomainname' => 'USER-NAME@myreal.domain' // <== to be sure of this value, you can view a record in you AD and compare

);

$wgLDAPEncryptionType = array(

  'adomainname' => 'clear'

);

$wgLDAPUseLocal = false;

$wgMinimalPasswordLength = 1;

$wgLDAPBaseDNs = array(

  'adomainname' => 'DC=mydomain,DC=local'

);

$wgLDAPSearchAttributes = array(

  'adomainname' => 'sAMAccountName'

);

$wgLDAPRetrievePrefs = array(

  'adomainname' => true

);

$wgLDAPPreferences = array(

  'adomainname' => array(

    'email' => 'mail',

    'realname' => 'displayName',    // <== adapt with you needs

    'nickname' => 'samaccountname'

  )

);

$wgLDAPProxyAgent =  array(

  'adomainname' => 'CN=myserviceaccount,OU=serviceaccounts,DC=mydomain,DC=local'

);

$wgLDAPProxyAgentPassword = array(

  'adomainname' => 'myservicepassword'

);

$wgLDAPDisableAutoCreate = array(

  'adomainname' => true

);

$wgLDAPGroupUseFullDN = array(

  'adomainname' => true

);

$wgLDAPLowerCaseUsername = array(

  'adomainname' => true

);

$wgLDAPGroupObjectclass = array(

  'adomainname' => 'group',

);

$wgLDAPGroupAttribute = array(

  'adomainname' => 'member',

);

$wgLDAPGroupNameAttribute = array(

  'adomainname' => 'cn',

);

$wgLDAPGroupsUseMemberOf = array(

  'adomainname' => false,

);

$wgLDAPUseLDAPGroups = array(

  'adomainname' => true,

);

$wgLDAPRequiredGroups = array(

  'adomainname' => array(

    'CN=MyReserverGroup,OU=IT,OU=Users,DC=mydomain,DC=local',

)

);

$wgLDAPGroupsPrevail = array(

  'adomainname' => true,

);

$wgLDAPGroupSearchNestedGroups = array(

  'adomainname' => true,

);

$wgLDAPActiveDirectory = array(

  'adomainname' => true,

);

$wgLDAPAuthAttribute = array(

  'adomainname' => '!(userAccountControl:1.2.840.113556.1.4.803:=2)',

);

$wgHooks['SetUsernameAttributeFromLDAP'][] = 'SetUsernameAttribute';

function SetUsernameAttribute(&$LDAPUsername, $info) {

        $LDAPUsername = $info[0]['samaccountname'][0];

        return true;

}

$wgLDAPDebug = 1; //for debugging LDAP

## End of LDAP Authentication/AD Configuration

Go to your mediawiki instalaltion directory and run the following command in order to adapt you BDD to this new extension :

[root@myserver ~]# cd /data/www/mediawiki/current/

[root@myserver current]# php7 maintenance/update.php

MediaWiki 1.32.0 Updater

Your composer.lock file is up to date with current dependencies!

Going to run database updates for mediawiki_db

Depending on the size of your database this may take a while!

..................................

Attempted to insert 0 IP revisions, 0 actually done.

Purging caches...done.

Done in 2.7 s.
Reply Edited 08:57, 13 May 2019 4 months ago
Reply to "LDAP Using CentOS7 (Active Directory)"

Query: INSERT INTO `ldap_domains` (domain,user_id) VALUES (NULL,'2') Function: LdapAuthenticationPlugin::saveDomain Error: 1048 Column 'domain' cannot be null (127.0.0.1)

One comment • 12:47, 6 May 2019 4 months ago
1
139.18.118.1 (talkcontribs)

After upgrading Mediawiki und LDAP extension from 1.26 to 1.32.1 I have a problem to login whith the ldap extension. I use one Domain.


The following SQL shows, that there is no domain to insert into the table.


Query: INSERT INTO `ldap_domains` (domain,user_id) VALUES (NULL,'2')

Function: LdapAuthenticationPlugin::saveDomain

Error: 1048 Column 'domain' cannot be null (127.0.0.1)


Is there somebody who has the same error and an solution?

Reply 12:47, 6 May 2019 4 months ago
Reply to "Query: INSERT INTO `ldap_domains` (domain,user_id) VALUES (NULL,'2') Function: LdapAuthenticationPlugin::saveDomain Error: 1048 Column 'domain' cannot be null (127.0.0.1)"

MediaWiki Server 18.04 Failed to bind to user

3 comments • 15:59, 30 April 2019 4 months ago
3
Enovyfalls (talkcontribs)

Have an old Mediawiki Ubuntu server running Ubuntu 14.04, with MediaWiki 1.25, PHP 5.59 and mysql 5.7.23. This server was getting old and we wanted to add certain functionality past what 1.25 could run, so we spun up a new server running 18.04, transferred everything over and I was able to get the wiki up and running. It is now at MediaWiki 1.30, PHP 7.2 and mysql 5.7. My localsettings.php have not changed and as this is all internal I am running the encryption type as clear. I have the debug log set up and everything seems to be running correctly until

userdn is: user@domain

Entering getDomain

Binding as the user

Failed to bind as user@domain

I can access the ldap server as usual.

Any ideas?

Reply 16:52, 24 October 2018 10 months ago
62.14.255.236 (talkcontribs)

did you installed the ldap module for php7.2

apt-get install -y php7.2-ldap

you can check it with a phpinfo()

Reply 14:29, 6 February 2019 7 months ago
41.143.138.131 (talkcontribs)

Thanks.

Reply 15:59, 30 April 2019 4 months ago
Reply to "MediaWiki Server 18.04 Failed to bind to user"

Upgrade path from 1.23 to 1.31?

4 comments • 17:28, 16 April 2019 4 months ago
4
192.150.187.199 (talkcontribs)

I know this is not fully supported on 1.31, but this extension is the only thing that does what we need and I'm trying to make it work. We are running RHEL6, with the software collections apache 2.4 and php7.0. This combo is needed for our other websites, and the wikis happen to live on the same server. But this combo doesn't work with mediawiki + LdapAuthentication, and the current "replacement" is not functional in any way.


So my question is: do I need to update in steps from 1.23 to 1.31 to make this work? Or is it ok to upgrade straight to 1.31? Has anyone gotten this path to work before?

Reply 23:44, 10 April 2019 5 months ago
Ciencia Al Poder (talkcontribs)

You can upgrade mediawiki straight to 1.31

Reply 09:13, 11 April 2019 5 months ago
192.150.187.199 (talkcontribs)

No, I cannot upgrade straight to 1.31 with ldap Authentication installed. I am asking if I need to take an intermediate step to make this extension work, not whether the mediawiki base install can be upgraded.

Reply 17:44, 12 April 2019 5 months ago
MarkAHershberger (talkcontribs)
Reply 17:28, 16 April 2019 4 months ago
Reply to "Upgrade path from 1.23 to 1.31?"

Username with _ fails to connect

2 comments 22:42, 27 March 2019 5 months ago
2
94.136.21.234 (talkcontribs)

I found out that AD users with _ in their loginname cannot login, because the "_" is replaced with an " " (Space) at logon process.

Are there any workarounds?

14:19, 27 March 2019 5 months ago
94.136.21.234 (talkcontribs)
15:21, 27 March 2019 5 months ago
Load more
Retrieved from "https://www.mediawiki.org/wiki/Extension_talk:LDAP_Authentication"