Extension talk:LDAP Authentication

Versions: Mediawiki 1.27.1, LDAPAuth 2.1.0 (Translate: MLEB 2017.01)

Problem:

I want to use this Extension and Extension:Translate, but: I cant publish Translations as long as LDAP_Authentication is active. This seems to be because LDAP_Authentication prevents the use of Translates Fuzzybot according to the php error log:

 UnexpectedValueException from line 273 of [base]\includes\auth\AuthPluginPrimaryAuthenticationProvider.php: AuthPlugin failed to reset password for Fuzzybot in the following domains: [all Domains]

According to Topic:Tfu65b5pncef5p6s this should work, but it doesn't:

$wgAuthManagerAutoConfig['primaryauth'] += [

    LdapPrimaryAuthenticationProvider::class => [

    'class' => LdapPrimaryAuthenticationProvider::class,

    'args' => [ ['authoritative' => true, ] ],

    'sort' => 50,    ],

];

What can I do?

Did you ever find a solution? I'm stuck in the exact same place.

The configuration required to use LDAPAuthentication with Mediawiki 1.27.x must change. It caused us problem when combining LDAPAuthentication with the Translate extension, which uses the local user Fuzzybot. We had to change

$wgAuth = new LdapAuthenticationPlugin();

by

$wgAuthManagerAutoConfig['primaryauth'] += [

LdapPrimaryAuthenticationProvider::class => [

'class' => LdapPrimaryAuthenticationProvider::class,

'args' => [ [

'authoritative' => true, // don't allow local non-LDAP accounts

] ],

'sort' => 50, // must be smaller than local pw provider

],

];

This was taken from here:

https://gerrit.wikimedia.org/r/#/c/293086/4/wmf-config/wikitech.php

and was pointed to me by Anomie in this chat log:

http://bots.wmflabs.org/~wm-bot/logs/%23wikimedia-dev/20161122.txt

Thank you very much for this. It solved my problem on 1.27.3 with LDAP.

Hmm, correction. Translate started working, but auth no longer worked.

I am a mediawiki newbie. I have just installed 1.28 and LDAP auth is a requirement. Do you recommend that I downgrade to a previous version, or are you aware of an alternate plugin that would give us the same functionality. Thanks!

Hi

I am trying to get LdapAuthentication extension work with my upgraded MediaWiki. Our previous setup was

The LdapAuthentication worked fine with the above version of MediaWiki.

Once we upgraded to the newer version, and I am getting errors below.

I am trying to run convertExtensionToRegistration.php on LdapAuthentication and I get the following error:

C:\PHP\php.exe : Error: Global functions cannot be converted to JSON. Please move the handler for LoadExtensionSchemaUpdates inside a class.

At line:1 char:1

This does create an extension file but when I run update.php I get the following error:

C:\PHP\php.exe : [2ede5ca9f218d5e8ed5d0e2a] [no req]   MWException from line 176 of E:\Websites\MediaWiki\includes\Hooks.php: Invalid callback 

efLdapAuthenticationSchemaUpdates in hooks for LoadExtensionSchemaUpdates

At line:1 char:1

+ C:\PHP\php.exe .\maintenance\update.php

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : NotSpecified: ([2ede5ca9f218d5...onSchemaUpdates:String) [], RemoteException

    + FullyQualifiedErrorId : NativeCommandError 

Backtrace:

#0 E:\Websites\MediaWiki\includes\installer\DatabaseUpdater.php(122): Hooks::run(string, array)

#1 E:\Websites\MediaWiki\includes\installer\DatabaseUpdater.php(187): DatabaseUpdater->__construct(DatabaseMysqli, boolean, UpdateMediaWiki)

#2 E:\Websites\MediaWiki\maintenance\update.php(171): DatabaseUpdater::newForDB(DatabaseMysqli, boolean, UpdateMediaWiki)

#3 E:\Websites\MediaWiki\maintenance\doMaintenance.php(111): UpdateMediaWiki->execute()

#4 E:\Websites\MediaWiki\maintenance\update.php(217): require_once(string)

#5 {main}

Can anyone please help with this?

I am also having the same problem on 1.28.

Whenever I try to login, it displays a message, "Incorrect password entered. Please try again.".

I am using PHP 5.5.38 and upgraded to Mediawiki 1.28.0 version.

Mediawiki isn't compatible with MediaWiki 1.28 at present. The main problem is AuthManager.

I'm interested as well. Trying to upgrade from 1.23 and this one's a blocker. Happy to test anything you can come up with.

Ryan lane is the Author of LDAP Authentication but no answer.

That means if I am upgraded to Mediawiki 1.28, I can't use LDAP authentication i.e. I cant login my application which uses mediawiki 1.28. Is my understanding correct on this?

i have enalbe LDAP Auth. over SSL 636 and doing user auth successfully

i wanted to check if User password reset is possible ? @Ryan

Hello.

Our company added some code and now it is possible to configure LDAP groups and LDAP users (via uid) who are allowed to login into a wiki.

Is there a way that I can send the code to the developers of the extension?

Regards

Max

The author is User:Ryan lane

I really want to see how your company fix it :)

You can also submit a patch to gerrit yourself. Read How to become a MediaWiki hacker

Note that we had a meeting about this extension at the Vienna hackathon and I'll be working with others to improve it.

keep us posted :)

extension for mediawiki 1.28

I'm getting closer to figuring this out, but stuck on automatically creating accounts. Here's my current (sanitized) configuration. I can authenticate, but I then get the message:

Auto-creation of a local account failed: Automatic account creation is not allowed.

require_once ("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPUseLocal = true;

$wgLDAPDebug = 3;
$wgDebugLogGroups['ldap'] = '/tmp/debug.log';

$wgLDAPDomainNames       = array('LOCAL');
$wgLDAPServerNames       = array('LOCAL' => 'local-dc2.local.domain');
$wgLDAPEncryptionType    = array('LOCAL' => 'clear');
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs           = array('LOCAL' => 'ou=Users,ou=LOCAL,dc=domain,dc=local');

$wgLDAPSearchStrings     = array('LOCAL' => 'LOCAL\\USER-NAME');
$wgLDAPSearchAttributes  = array('LOCAL' => 'sAMAccountName' );

$wgLDAPDisableAutoCreate = array('LOCAL' => false);

Any help would be greatly appreciated!

Same here. Any help is appreciated. My config:

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );

$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array("iRedMail");

$wgLDAPServerNames = array("iRedMail" => "192.168.XX.XX");

$wgLDAPPort = array("iRedMail" => 389);

$wgLDAPEncryptionType = array( "iRedMail" => "clear");

$wgLDAPBaseDNs = array( "iRedMail"=>"o=domains,dc=example,dc=com");

$wgLDAPProxyAgent = array("iRedMail"=>"cn=vmail,dc=example,dc=com");

$wgLDAPProxyAgentPassword = array( "iRedMail"=>"*****");

$wgLDAPUserBaseDNs = array( "iRedMail"=>"o=domains,dc=example,dc=com");

$wgLDAPSearchAttributes = array( "iRedMail" => "mail");

$wgLDAPLowerCaseUsername = array( "iRedMail"=>true);

$wgLDAPUseLocal = true;

$wgLDAPDebug = 3;

$wgDebugLogGroups['ldap'] = '/tmp/debug.log';

Same issue

FWIW, I finally got it working. Not sure what the difference is here... the $wgGroupPermissions item is not listed on the LDAP extension instructions, but I think this is what did it.

require_once ("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
#$wgLDAPUseLocal = true;
$wgLDAPDomainNames       = array('LOCAL');
$wgLDAPServerNames       = array('LOCAL' => 'local-dc2.mydomain.local');
$wgLDAPEncryptionType    = array('LOCAL' => 'clear');
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs           = array('LOCAL' => 'ou=Users,ou=LOCAL,dc=mydomain,dc=local');
$wgLDAPSearchStrings     = array('LOCAL' => 'LOCAL\\USER-NAME');
$wgLDAPSearchAttributes  = array('LOCAL' => 'sAMAccountName' );
$wgLDAPRetrievePrefs     = array('LOCAL' => true );
$wgGroupPermissions['*']['autocreateaccount'] = true;

I tried with that TroySettle but not luck. I receive same fails, what versions do you have installed? (Mediawiki and LDAP please) Thanks.

Did you create Wiki as Open? private?

NOTE: I solved using wiki 1.23 version.

I had to set $wgGroupPermissions['*']['createaccount'] = true;

That still did not work for me.

My other anonymous permissions are set to false.

$wgGroupPermissions['*']['edit'] = false; $wgGroupPermissions['*']['read'] = false;

I want this to be a private wiki.

It would seem I had to clear all session data and remove cookies from previous logon attempts with my test user as well as comment out self::saveDomain( $user, $_SESSION['wsDomain'] ); from one of the extension's configuration files. It now works.

I had this problem, too. In my case, the solution was the one that has already been mentioned above:

1. switch back to local auth in LocalSettings.php; then login with a *local* admin/bureaucrat account (the one you set up when installing the wiki).

2. create a local user with the same name as one that exists in LDAP (give him a bullsh*t password, no need to match the LDAP one). Not mandatory, but if you are smart, this user should be a bureaucrat as you need at least one LDAP-based bureaucrat anyways. Lets call this user "Ldapboss".

3. switch again to LDAP auth in LocalSettings.php; then login with the user Ldapboss you just created. Of course you need to use the user's actual LDAP password this time. Btw, your local admin is now locked out of the system (unless you set wgLDAPUseLocal to true). This is why you need an LDAP-based bureaucrat.

From this point on, weirdly enough, auto account creation works. It's like, you need at least one successful login to make it work. Not sure why, doesn't make sense.

Ask a colleague to log on, or alternatively, rename your Ldapboss user to Ldapboss_Trash (Renameuser extension) and logout. Then login again with Ldapboss using again the LDAP credentials. Now, you Ldapboss is auto-created (this time as a simple user, as it should).

Actually, on Ryan D Lane (creator and ex-maintainer of the plugin) has this written on a 2009 blog post --- Quote:

"Before enabling the plugin, you should create a user in the local wiki database that exists in AD, and promote that user to sysop. After the plugin is enabled, you will not be able to log in as any user who does not exist in AD."

Hi,

While I executed step 3, then use Ldapboss login with LDAP password, I got the following error:

[WMFhIqwRAAIAABOptNUAAAAG] 2017-03-09 14:05:24: Fatal exception of type "DBQueryError"

Is it normal?

But it looks I have already logged in.

Hi,

Any news on Brain Wang's problem? I experience the same issue. The user seems to be logged in, however logging in with an other user from LDAP still fails.

Today I ran into the same issue, and found that the LDAP plugin does not have the right to autocreate users, despite the allowed autocreateaccount Group Permission setting. Then I found that the referred table (ldap_domains) did not exist in the database (and thus throwing the authmanager-autocreate-noperm errors). Creating the table in the right database based on the extensions/LdapAuthentication/schema/ldap-mysql.sql seems to fixed the issue:

# mysql -u root -p

Enter password:

mysql> use my_wiki

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A

Database changed

mysql> CREATE TABLE ldap_domains (domain_id int not null primary key auto_increment,domain varchar(255) binary not null,user_id int not null);

Query OK, 0 rows affected (0.00 sec)

This worked for me. Thanks

I am running a private Wiki

$wgGroupPermissions['*']['autocreateaccount'] = true;

fixed it for me. If you read the changelog of 1.27:

* MediaWiki will now auto-create users as necessary, removing the need for

  extensions to do so. An 'autocreateaccount' right is added to allow

  auto-creation when 'createaccount' is not granted to all users.

Hi, Does anyone know if this extension is affected by the new AuthManager in MediaWiki 1.27? Is it safe to upgrade to the new version of MW?

Thanks, Raj.

Would not recommend upgrading at this point.

Authentication was overhauled in 1.27 with AuthPlugin being deprecated, superseded by Manual:SessionManager and AuthManager.

After a quick test users that have not logged in previously will not be able to login (depending on your settings/permissions). The domain selection box also does not appear, although it seems to default to the first domain.

This extension should be converted to use PluggableAuth. Using PluggableAuth will probably help maintain compatibility in the future.

Il have test it a litte bit today after upgrading out test wiki today.

By default, for new account, the auto creation of local account does not work. But it is working well for existing account.

I have made a lot of search and test to overcome this problem. I have found out that a new right exist for auto account creation since 1.26.

I have tried to put this line in my LocalSettings.php file : $wgGroupPermissions['*']['autocreateaccount'] = true;

If i tried to login with a new account, it does not work, but if login with a existing account, logout and then login with a new account it work. Afther that, i have close my web page, restarted the server, try with another browser and if i login with a new account, the account is created each time.

The domain delection box does not appear, but if configure a second domain, the box appear.

After updating to mediawiki 1.27 Auto LDAP Authentication no longer worked. Mediawiki showed "database error occurred."

I commented line 1240 in LdapAuthentication.php ( self::saveDomain( $user, $_SESSION['wsDomain'] ); ) and the error went away.

What does uncommenting that do, exactly? It removed the error for me, too.

Does anyone know who we should contact to try and fix this at source and add proper compatibility for AuthManager? I tried contacting Ryan Lane (marked as the author on the extension homepage), but he said that he's no longer maintaining it.

I've added the phabricator project to the extension's infobox. You can report the bug there

I have the same problem with a new installation of mediawiki 1.27

I created a bug: https://phabricator.wikimedia.org/T140972

The updated worked for me for the most part. The line I had to comment out was in the file "/extensions/LdapAuthentication/LdapAuthenticationPlugin.php" and it was on line 1165.

Also, I was still having an error caused by a plugin after authenticating. I had to remove the ToDoTasks plugin and then it worked. :) YEAH!!

Use: https://github.com/noris-network/mediawiki-extensions-sessionprovider-remoteuser

I've hit this problem as well, it only emerged after new users that had not logged into the wiki prior to the upgrade from v1.26, started complaining.

I'm running a private wiki, with LDAP auth only. Going through the code of AuthManager.php (line 1545 onwards), it became clear that this can either be resolved using the 'createaccount' or 'autocreateaccount' permission. I've tried both options and the 'autocreateaccount' matches my desired behavior. I *think* that the wiki also still is secure/private and no additional users can be created (except when auth from LDAP succeeds).

However I feel it would be better if these permissions would be integrated in the plugin and would not have to be handled separately.

I am able to log in using my AD account so I know that part is working. What I don't understand is what i need to do for permissions and groups.

Is there a way that I can use local groups in MediaWiki and just add AD users to that group, or do I HAVE to use AD groups and configure them in LocalSettings.php?

Here's my current config if that helps:

#LDAP Authentication Extension
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "MYDOMAIN" );
$wgLDAPServerNames = array( "MYDOMAIN" => "my.ad.domain.com" );
$wgLDAPSearchStrings = array( "MYDOMAIN" => "USER-NAME@MYDOMAIN" );
$wgLDAPEncryptionType = array( "MYDOMAIN" => "clear" );
$wgLDAPBaseDNs = array( "MYDOMAIN" => "OU=MyOu,DC=MyDC,DC=MyDC2,DC=MyDC3" );
$wgMinimalPasswordLength = 15;