Extension talk:LDAP Authentication

[24dbcafdfdd1b46c128f4a7a] /NRTwiki/Main_Page Wikimedia\Rdbms\DBQueryError from line 1587 of /var/www/html/SNRTwiki/includes/libs/rdbms/database/Database.php: A database query error has occurred. Did you forget to run your application's database schema updater after upgrading?

Query: SELECT user_id,user_name,user_real_name,user_email,user_touched,user_token,user_email_authenticated,user_email_token,user_email_token_expires,user_registration,user_editcount,user_actor.actor_id FROM `user` JOIN `actor` `user_actor` ON ((user_actor.actor_user = user_id)) WHERE user_id = '1' LIMIT 1

Function: User::loadFromDatabase

Error: 1146 Table 'wikidb.actor' doesn't exist (localhost)

Backtrace:

#0 /var/www/html/SNRTwiki/includes/libs/rdbms/database/Database.php(1556): Wikimedia\Rdbms\Database->getQueryExceptionAndLog(string, integer, string, string)

#1 /var/www/html/SNRTwiki/includes/libs/rdbms/database/Database.php(1274): Wikimedia\Rdbms\Database->reportQueryError(string, integer, string, string, boolean)

#2 /var/www/html/SNRTwiki/includes/libs/rdbms/database/Database.php(1784): Wikimedia\Rdbms\Database->query(string, string)

#3 /var/www/html/SNRTwiki/includes/libs/rdbms/database/Database.php(1875): Wikimedia\Rdbms\Database->select(array, array, array, string, array, array)

#4 /var/www/html/SNRTwiki/includes/user/User.php(1442): Wikimedia\Rdbms\Database->selectRow(array, array, array, string, array, array)

#5 /var/www/html/SNRTwiki/includes/user/User.php(531): User->loadFromDatabase(integer)

#6 /var/www/html/SNRTwiki/includes/libs/objectcache/WANObjectCache.php(1253): User->{closure}(boolean, integer, array, NULL)

#7 /var/www/html/SNRTwiki/includes/libs/objectcache/WANObjectCache.php(1414): WANObjectCache->{closure}(boolean, integer, array, NULL)

#8 /var/www/html/SNRTwiki/includes/libs/objectcache/WANObjectCache.php(1258): WANObjectCache->doGetWithSetCallback(string, integer, Closure, array, NULL)

#9 /var/www/html/SNRTwiki/includes/user/User.php(555): WANObjectCache->getWithSetCallback(string, integer, Closure, array)

#10 /var/www/html/SNRTwiki/includes/user/User.php(474): User->loadFromCache()

#11 /var/www/html/SNRTwiki/includes/user/User.php(411): User->loadFromId(integer)

#12 /var/www/html/SNRTwiki/includes/session/UserInfo.php(89): User->load()

#13 /var/www/html/SNRTwiki/includes/session/CookieSessionProvider.php(122): MediaWiki\Session\UserInfo::newFromId(string)

#14 /var/www/html/SNRTwiki/includes/session/SessionManager.php(466): MediaWiki\Session\CookieSessionProvider->provideSessionInfo(WebRequest)

#15 /var/www/html/SNRTwiki/includes/session/SessionManager.php(191): MediaWiki\Session\SessionManager->getSessionInfoForRequest(WebRequest)

#16 /var/www/html/SNRTwiki/includes/WebRequest.php(748): MediaWiki\Session\SessionManager->getSessionForRequest(WebRequest)

#17 /var/www/html/SNRTwiki/includes/session/SessionManager.php(130): WebRequest->getSession()

#18 /var/www/html/SNRTwiki/includes/Setup.php(816): MediaWiki\Session\SessionManager::getGlobalSession()

#19 /var/www/html/SNRTwiki/includes/WebStart.php(77): require_once(string)

#20 /var/www/html/SNRTwiki/index.php(39): require(string)

#21 {main}

I tried doing this manually on the command line and it dropped a lot fo the tables I needed. So I decided to use phpmyadmin since we are using for our old wiki version 1.26.

MediaWiki 1.26 doesn't have the actor table. And this stacktrace doesn't get any code path from Extension:LDAP Authentication. I don't know what are you trying to do TBH.

Also, MW 1.26 is not supported. You should upgrade to 1.31 at least.

I am trying to dump the database from an older version 1.26 into my new version 1.33. This is the error I get when I try to access the web interface of the new version 1.33. Sounds like I need a different LDAP authentication extension, but that still doesn't solve the database issue, which is why i am getting this error. Seems like dumping the DB from 1.26 into 1.33 isn't one to one?

You need to run update.php after upgrading MediaWiki to 1.33 (or any other version more recent than the database schema you had)

Ran php update.php inside the html/site/maintenance folder and I get: symfony/ldap: 4.3.2 installed, ^4.3 required.

Error: your composer.lock file is not up to date. Run "composer update --no-dev" to install newer dependencies. After some googling I ran: composer upate --lock and it doesn't have anything to update. It's just going in circles.

Also, this is a fresh install of Mediawiki 1.33 on a VM its not an older Mediawiki that I upgraded. I do need to dump the old database from the another mediawiki 1.26 into the new version. That's where I am having issues. Not to mention I cannot get LdapAuth Extension to work at all.

This is solved. Mediawiki is using the composer file for other things so to get php to update the schema I had to run "php maintenance/update.php --skip-external-dependencies" after I dumped the database in the new wiki with phpmyadmin.

However LdapAuth is still not working even though I used this other guys info for configuration that seemed to work for him: https://github.com/shanept/mediawiki-LdapAuth/issues/13bottom comment.

Please Advise.

I'm currently on MediaWiki 1.32.2 and using the LDAP Authentication extension version REL1_32-e2cab88 - everything works fine.

I have a pretty simple setup - connection to one Active Directory server using ssl, restricting users that are able to login to a certain AD group.

As of 7/3/19 the current stable MediaWiki version is now 1.33.

I tried to upgrade and use the LDAP Authentication extension version REL1_33-d82149e with the same ldap settings that were working on 1.32 and REL1_32-e2cab88, but it does not work.

The version REL1_33-d82149e has some accommodations for the new mediawiki version - the update.php script runs without errors.

But it seems like the extension is completely ignored by mediawiki - users can login using the local user credentials, but the login does not work with login credentials from Active Directory.

The logs are also missing despite using $wgLDAPDebug, $wgDebugLogGroups configuration variables.

My guess is that this is caused by the removal of the $wgAuth variable (as stated in the release notes for mediawiki 1.33).

The newer configuration variables for authentication purposes are now $wgAuthManagerAutoConfig or $wgAuthManagerConfig.

The problem is that i don't know how to configure these variables or if they are supported by the LDAP Authentication extension at all.

The configuration examples are still using the old variable $wgAuth.

Did someone figure out how to configure this extension to work with MediaWiki 1.33 and can help out?

Could you look at the LDAP hub. It says it is in draft, but people have successfully been using those new extensions for a while now.

I can confirm this issue. I've got freshly installed 1.33 mediawiki and LDAP_Authentication extension is not working at all. There is no errors from update.php script and I've tried different configuration options in LocalSettings.php but no success. It looks like this extension is not activated at all. Any advice?

I have exactly the same problem after the update to 1.3.3. Did you find any solution for this? I also didn't found any information on how to switch to this new LDAP hub.

I have added a first full fledged example configuration for LDAP Stack here: LDAP hub/Migration from extension LDAPAuthentication

Hopefully I can add additional examples soon. Please feel free to add your own examples.

Here the same. Would be nice, when it can be fixed.

Same here, the plugin is dead on my 1.3.3 Mediawiki, it even doesn't write debug information to the configured file. Any suggestions to get it to life again?

@UnplanedDowntimer please have a look at LDAP Stack and LDAP hub/Migration from extension LDAPAuthentication. Hopefully this will provide a solution.

Does anyone know if the LdapAuthentication for Versions extension will be adjusted for v1.33+ at all?

Or is the switch to LDAP stack indispensable?

This might be something that @Cindy.cicalese might be able to answer.

Use the solution in Topic:Tfu65b5pncef5p6s to solve. Change the original $wgAuth = new LdapAuthenticationPlugin(); to:

   $wgAuthManagerAutoConfig['primaryauth'] += [
       LdapPrimaryAuthenticationProvider::class => [
           'class' => LdapPrimaryAuthenticationProvider::class,
           'args' => [[
                  'authoritative' => true, // don't allow local non-LDAP accounts
              ]],
           'sort' => 50, // must be smaller than local pw provider
       ],
   ];

I have been using LDAP Authentication with LDAPS without any issues for many years. I'm now trying to use the same configuration on a RHEL8 server and cannot get it to work. The debug log isn't very helpful, it just says "failed to bind". When using "clear" option, everything works, so I know it's something with SSL. Certificates are fine because they are set up identical to a RHEL7 where everything is working.

Does anyone has any idea?

Hi! I installed the Extension on my MediaWiki 1.32 running on Xampp (PHP 7). Setup the configs as following:

$wgLDAPDomainNames = array(

  'MYDOMAIN',

);

$wgLDAPServerNames = array(

  'MYDOMAIN' => 'MYLDAPSERVER',

);

$wgLDAPEncryptionType = array(

  'MYDOMAIN' => 'ssl',

);

$wgLDAPSearchAttributes = array(

  'MYDOMAIN' => 'sAMAccountName',

);

$wgLDAPBaseDNs = array(

  'MYDOMAIN' => 'DC=manz,DC=lc',

);

$wgLDAPGroupBaseDNs = array(

'MYDOMAIN' => 'OU=DE,OU=RT,OU=User,DC=MYDOMAIN,DC=lc',

);

$wgLDAPUserBaseDNs = array(

'MYDOMAIN' => 'OU=DE,OU=RT,OU=User,DC=MYDOMAIN,DC=lc',

);

There is an actual domain name and the ip for the LDAP Server,however for privacy reasons I would like to hide them. It seems like there is a connection established, however the Extension can not find the user. Log tells me:

2019-03-04 10:22:34 WINWIKI x: 2.1.0 Couldn't find an entry

2019-03-04 10:22:34 WINWIKI x: 2.1.0 userdn is:

2019-03-04 10:22:34 WINWIKI x: 2.1.0 User DN is blank

I got it to work, the problem was actually that a proxy user was needed in order to do the search.

How did you configured your Proxy? Like in the docs?

$wgLDAPProxyAgent = array( 'testLDAPdomain' => 'cn=proxyagent,ou=profile,dc=LDAP,dc=example,dc=com', ); $wgLDAPProxyAgentPassword = array( 'testLDAPdomain' => 'S0M3L0ngP@$$w0r6ofS0meV@rie222y!', );

Hello everyone,

Feel like I'm going crazy. Installed MediaWiki on a brand new CentOS7 VM (iso 1810).

MediaWiki version 1.32.0

MariaDB10.3.14

PHP version 7.3.5

Got the LDAP extension off this website, created a folder called LdapAuth under /extensions

Installed php-ldap

composer install --no-dev

Added the following settings to my LocalSettings.php (and tried countless variaties on this):

#added by me

require_once ('/var/log/www/html/extensions/LdapAuth/src/Auth/LdapAuthenticationRequest.php');

require_once ('includes/AuthPlugin.php');

wfLoadExtension( 'LdapAuth' );

$wgAuth = new AuthPlugin()

$wgLDAPDomainNames = array('mytest.lan');

$wgLDAPServerNames = array('mytest.lan' => 'ad01.mytest.lan');

$wgLDAPSearchAttributes = array('mytest.lan' => 'sAMAccountName');

$wgLDAPBaseDNs = array('mytest.lan' => 'dc=mytest,dc=lan');

$wgLDAPAuthEncryptionType = array('mytest.lan' => 'false');

$wgLDAPPort = array('mytest.lan' => '389');

$wgLdapAuthIsActiveDirectory = true;

$wgMinimalPasswordLength = 1;

#Debugging options

$wgShowExceptionDetails = true;

$wgLDAPDebug = 3

$wgDebugLogGroups[ 'ldap' ] = '/tmp/debug.log';

This and all kinds of variaties but to no success.

- I don't see packets incoming on the domain controller except DNS. DNS-resolving itself works fine and there are no ACL's between the two machines.

- The logging for whatever reason does not work. I turned off SELinux to make sure it isn't blocking anything but no luck. Gave the /tmp/debug.log all access for the time being but still nothing is being written to it.

- Documentation says to make sure /etc/php.d/ldap.ini has the line containing: extension=ldap.so

This is not entirely the case, this OS had: /etc/php.d/20-ldap.ini containing the line extension=ldap (so without the.so, though I changed that as well but it did not help)

- put the following line in /etc/openldap/ldap.conf: TLS_REQCERT never

Ran the maintenance/update.php after pretty much every change as well restarting the httpd (and the server itself at times).

But whenever I try to logon with a domainuser It just tells me "username or password is not correct". Truly at a loss. The same settings work fine on Zabbix => Active Directory authentication.

Hi,

From a fresh CentOS 7 install too (CentOS Linux release 7.6.1810), here is what I did and it works like a charm :

Download LdapAuthentication extension :

[root@myserver ~]# wget -O downloads/LdapAuthentication-REL1_32-e2cab88.tar.gz https://extdist.wmflabs.org/dist/extensions/LdapAuthentication-REL1_32-e2cab88.tar.gz

Extract archive file in the mediawiki extensions directory :

[root@myserver ~]# tar -xzf downloads/LdapAuthentication-REL1_32-e2cab88.tar.gz -C /data/www/mediawiki/current/extensions

Add the following configuration options in the /data/www/mediawiki/current/LocalSettings.php file :

## Beginning of LDAP Authentication/AD Configuration

require_once ("$IP/extensions/LdapAuthentication/LdapAuthentication.php");

$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array(

  'adomainname'

);

$wgLDAPServerNames = array(

  'adomainname' => 'myADserver.mydomain.local'

);

$wgLDAPSearchStrings = array(

'adomainname' => 'USER-NAME@myreal.domain' // <== to be sure of this value, you can view a record in you AD and compare

);

$wgLDAPEncryptionType = array(

  'adomainname' => 'clear'

);

$wgLDAPUseLocal = false;

$wgMinimalPasswordLength = 1;

$wgLDAPBaseDNs = array(

  'adomainname' => 'DC=mydomain,DC=local'

);

$wgLDAPSearchAttributes = array(

  'adomainname' => 'sAMAccountName'

);

$wgLDAPRetrievePrefs = array(

  'adomainname' => true

);

$wgLDAPPreferences = array(

  'adomainname' => array(

    'email' => 'mail',

    'realname' => 'displayName',    // <== adapt with you needs

    'nickname' => 'samaccountname'

  )

);

$wgLDAPProxyAgent =  array(

  'adomainname' => 'CN=myserviceaccount,OU=serviceaccounts,DC=mydomain,DC=local'

);

$wgLDAPProxyAgentPassword = array(

  'adomainname' => 'myservicepassword'

);

$wgLDAPDisableAutoCreate = array(

  'adomainname' => true

);

$wgLDAPGroupUseFullDN = array(

  'adomainname' => true

);

$wgLDAPLowerCaseUsername = array(

  'adomainname' => true

);

$wgLDAPGroupObjectclass = array(

  'adomainname' => 'group',

);

$wgLDAPGroupAttribute = array(

  'adomainname' => 'member',

);

$wgLDAPGroupNameAttribute = array(

  'adomainname' => 'cn',

);

$wgLDAPGroupsUseMemberOf = array(

  'adomainname' => false,

);

$wgLDAPUseLDAPGroups = array(

  'adomainname' => true,

);

$wgLDAPRequiredGroups = array(

  'adomainname' => array(

    'CN=MyReserverGroup,OU=IT,OU=Users,DC=mydomain,DC=local',

)

);

$wgLDAPGroupsPrevail = array(

  'adomainname' => true,

);

$wgLDAPGroupSearchNestedGroups = array(

  'adomainname' => true,

);

$wgLDAPActiveDirectory = array(

  'adomainname' => true,

);

$wgLDAPAuthAttribute = array(

  'adomainname' => '!(userAccountControl:1.2.840.113556.1.4.803:=2)',

);

$wgHooks['SetUsernameAttributeFromLDAP'][] = 'SetUsernameAttribute';

function SetUsernameAttribute(&$LDAPUsername, $info) {

        $LDAPUsername = $info[0]['samaccountname'][0];

        return true;

}

$wgLDAPDebug = 1; //for debugging LDAP

## End of LDAP Authentication/AD Configuration

Go to your mediawiki instalaltion directory and run the following command in order to adapt you BDD to this new extension :

[root@myserver ~]# cd /data/www/mediawiki/current/

[root@myserver current]# php7 maintenance/update.php

MediaWiki 1.32.0 Updater

Your composer.lock file is up to date with current dependencies!

Going to run database updates for mediawiki_db

Depending on the size of your database this may take a while!

..................................

Attempted to insert 0 IP revisions, 0 actually done.

Purging caches...done.

Done in 2.7 s.

After upgrading Mediawiki und LDAP extension from 1.26 to 1.32.1 I have a problem to login whith the ldap extension. I use one Domain.

The following SQL shows, that there is no domain to insert into the table.

Query: INSERT INTO `ldap_domains` (domain,user_id) VALUES (NULL,'2')

Function: LdapAuthenticationPlugin::saveDomain

Error: 1048 Column 'domain' cannot be null (127.0.0.1)

Is there somebody who has the same error and an solution?

Thanks.

I know this is not fully supported on 1.31, but this extension is the only thing that does what we need and I'm trying to make it work. We are running RHEL6, with the software collections apache 2.4 and php7.0. This combo is needed for our other websites, and the wikis happen to live on the same server. But this combo doesn't work with mediawiki + LdapAuthentication, and the current "replacement" is not functional in any way.

So my question is: do I need to update in steps from 1.23 to 1.31 to make this work? Or is it ok to upgrade straight to 1.31? Has anyone gotten this path to work before?

You can upgrade mediawiki straight to 1.31

No, I cannot upgrade straight to 1.31 with ldap Authentication installed. I am asking if I need to take an intermediate step to make this extension work, not whether the mediawiki base install can be upgraded.

Please use the replacement at LDAP hub.