Extension talk:LDAP Authentication

I setup ldap debug but I don't get any useful information... just the following...

2018-07-19 19:50:02 dtn13-vm wiki_demo: 2.1.0 Returning true in strict().

2018-07-19 19:51:02 dtn13-vm wiki_demo: 2.1.0 Entering strict.

Here is part of my config...

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );

$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDebug = 3;

$wgDebugLogGroups['ldap'] = '/tmp/debug.log';

$wgLDAPDomainNames = array(

  'quest',

);

$wgLDAPServerNames = array(

  'domain' => 'domain.local',

);

$wgLDAPSearchStrings = array(

  'domain' => 'domain\\USER-NAME'

);

Versions: Mediawiki 1.27.1, LDAPAuth 2.1.0 (Translate: MLEB 2017.01)

Problem:

I want to use this Extension and Extension:Translate, but: I cant publish Translations as long as LDAP_Authentication is active. This seems to be because LDAP_Authentication prevents the use of Translates Fuzzybot according to the php error log:

 UnexpectedValueException from line 273 of [base]\includes\auth\AuthPluginPrimaryAuthenticationProvider.php: AuthPlugin failed to reset password for Fuzzybot in the following domains: [all Domains]

According to Topic:Tfu65b5pncef5p6s this should work, but it doesn't:

$wgAuthManagerAutoConfig['primaryauth'] += [

    LdapPrimaryAuthenticationProvider::class => [

    'class' => LdapPrimaryAuthenticationProvider::class,

    'args' => [ ['authoritative' => true, ] ],

    'sort' => 50,    ],

];

What can I do?

Did you ever find a solution? I'm stuck in the exact same place.

I'm currently thinking about setting up a parallell wiki (accessing the same Database) without LDAP for Translators.

But that sucks because i'm pretty sure that would lead to some sort of conflict eventually...

I abandoned LDAP_Authentication. Instead I migrated to PluggableAuth+OpenId extensions married to Google Auth, which our organization also uses. Much better and easier configuration than LdapAuth. Now users are auto-logged in just by visiting our private wiki.

I have the same issue with LDAP-authentication on Mediawiki 1.31 and GraphViz. To solve it I commented out almost everything in the function providerRevokeAccessFor User:

public function providerRevokeAccessForUser( $username ) {

               # function commented out due to an issue with LDAP-authentication and newer versions of Mediawiki, preventing for example GraphViz from fucntioning properly

               # seems to be similiar to the issue described here: https://www.mediawiki.org/wiki/Topic:Tpyxsdgiheh5zqjr

               return;

               /*$username = User::getCanonicalName( $username, 'usable' );

               if ( $username === false ) {

                       return;

               }

               $user = User::newFromName( $username );

               if ( $user ) {

                       // Reset the password on every domain.

                       $curDomain = $this->auth->getDomain();

                       $domains = $this->auth->domainList() ?: [ '' ];

                       $failed = [];

                       foreach ( $domains as $domain ) {

                               $this->auth->setDomain( $domain );

                               if ( $this->testUserCanAuthenticateInternal( $user ) &&

                                       !$this->auth->setPassword( $user, null )

                               ) {

                                       $failed[] = $domain === '' ? '(default)' : $domain;

                               }

                       }

                       $this->auth->setDomain( $curDomain );

                       if ( $failed ) {

                               throw new \UnexpectedValueException(

                                       "AuthPlugin failed to reset password for $username in the following domains: "

                                               . implode( ' ', $failed )

                               );

                       }

               }*/

       }

Would be really cool if MediaWiki or the LDAP-auth peeps will make an update that will help this kind of extensions work. LDAP is very useful and would be a bummer to give up.

Hi there,

We are using mediawiki 1.26.2. We are using the extension for quite some time. Recently we have the need to give a certain (ldap-)group "readonly" permissions (default you are able to edit). I am unable to figure out how to do that. Is this possible and if so how do I manage that?

You should be able to do this configuring User rights, assuming this extension get the user groups correctly.

Hi I have been using Mediawiki for the past 4 months with Active directory integrated LDAP logins. Now every user in AD has access to all pages once they login. My requirement is to make Group based logins and restric all other users not to access mediawiki. For this, i have added the following in localsettings.php file which is not working. After adding the last line related to Required groups, it says incorrect user name and password. Please help.

$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array(
  'ourdomainname'
);

$wgLDAPServerNames = array(
  'ourdomainname' => 'dc.ourdomainname dc.ourdomainname'
);

$wgLDAPSearchStrings = array(
  'ourdomainname' => 'domain\\USER-NAME'
);

$wgLDAPEncryptionType = array(
  'ourdomainname' => 'clear'
);

$wgLDAPUseLocal = false;

$wgMinimalPasswordLength = 1;

$wgLDAPBaseDNs = array(
  'ourdomainname' => 'dc=domain,dc=com'
);

$wgLDAPSearchAttributes = array(
  'ourdomainname' => 'sAMAccountName' );

$wgLDAPRequiredGroups = array( 'ourdomainname'=>array('CN=Wiki_Users,OU=Security Groups,OU=Others,DC=domain,DC=com') );

Hello, I know it's very long time after.

I have the same problem, did you manage to make it works ?

Hey all,

I've migrated Mediawiki 1.21 from one server to another with 1.31 running (nginx + PHP 7.0 on a virtual Debian machine). Everything seems to be fine, I've managed to get LDAP-logon to work, but not with wgLDAPRequiredGroups. Furthermore, unlike some people here in this community, I don't even get any errors in the logfile. What am I missing? As soon as I comment out

$wgLDAPRequiredGroups = array( 'internal.domain.com' => array( 'cn=employees,cn=users,dc=internal,dc=domain,dc=com' ));

everything is working as it should.

Here is my config:

_{require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );}

_{$wgAuth = new LdapAuthenticationPlugin();}

_{$wgLDAPDomainNames = array(  'internal.domain.com');}

_{$wgLDAPServerNames = array(  'internal.domain.com' => 'dc1.internal.domain.com');}

_{$wgLDAPPort = array(      'internal.domain.com' => 389,  );}

_{$wgLDAPProxyAgent = array(  'internal.domain.com' => 'CN=LDAP Read-only,CN=Users,DC=INTERNAL,DC=domain,dc=com',);}

_{$wgLDAPProxyAgentPassword = array(  'internal.domain.com' => 'D7WBKQgsFEPcuajA3zHb',);}

_{$wgLDAPSearchAttributes = array(  'internal.domain.com' => 'sAMAccountName');}

_{$wgLDAPEncryptionType = array(    'internal.domain.com' => 'start_tls');}

_{$wgLDAPGroupObjectclass = array( 'internal.domain.com'=>'group' );}

_{$wgLDAPGroupAttribute = array( 'internal.domain.com'=>'member' );}

_{$wgLDAPBaseDNs = array(  'internal.domain.com' => 'CN=Users,DC=internal,DC=domain,dc=com');}

_{$wgLDAPGroupObjectclass = array(  'internal.domain.comt' => 'posixGroup');}

_{$wgLDAPGroupNameAttribute = array(  'internal.domain.com' => 'cn');}

_{$wgLDAPRequiredGroups = array( 'internal.domain.com' => array( 'cn=employees,cn=users,dc=internal,dc=domain,dc=com' ));}

_{$wgLDAPGroupSearchNestedGroups = array("ad" => true);}

_{$wgLDAPActiveDirectory = array( "ad" => true);}

_{$wgLDAPDebug = 3;}

_{$wgDebugLogGroups['ldap'] = "/tmp/mediawiki.log";}

_{$wgShowExceptionDetails = true;}

I've been trying a lot of different options here, nothing helps really. So any ideas are welcome, especially if I can get that logging going!

Thank you in advance

Windows Server 2016 Datacenter Edition with Amazon Web Services EC2 Instance

How do i set this up with Simple AD, I'm only 14, and am confused after trying for 3 days to install

After spending the better part of two days, I just installed LDAP authentication in my environment, which is made up of:

MediaWiki 1.29

PHP 7.1.8

MySQL 5.7.19

Windows Server 2012 R2

IIS 8.5

Unfortunately, it is not working (in fact, after installing all the pieces and parts, my Wiki site would not load at all)

Is LDAP Authentication supported under this configuration? I have seen conflicting information on this and before I spend a lot of time on this, I need to know if this is even achievable.

After tweaking some of the settings in LocalSettings.php, the site now loads when LDAP Authentication is enabled. Unfortunately, LDAP Authentication itself is still not working. In the meantime, I really need to know if this is supported/should work in my environment:

MediaWiki 1.29

PHP 7.1.8

MySQL 5.7.19

Windows Server 2012 R2

IIS 8.5

Still trying to find out if this configuration is supported ..... can anyone verify yes or no for me?

Any progress?

Did you ever get this working? I am having issues getting ldap working too.

Hi all,

Not all users in LDAP are authorized to own an user account in my MediaWiki. I already have users logging in because I created their accounts before installing LDAP Plugin. Now, I need to create accounts for new employees and I always receive the message "Username entered already in use. Please choose a different name.", through Special:CreateAccount.

Obviously, If I disable all LDAP configuration in LocalSettings, I'm able to create a local user account with the same LDAP username. Then , if I enable LDAP configuration again, the user is recognized with LDAP password and he can log in. The fact is that I don't want to edit LocalSettings every time I have a new employee.

My configuration is below. Thanks in advance.

require_once ('.../extensions/LdapAuthentication/LdapAuthentication.php');

$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array( 'AD' );

$wgLDAPServerNames = array( 'AD' => 'url' );

$wgLDAPUseLocal = false;

$wgLDAPEncryptionType = array( 'AD' => 'clear' );

$wgLDAPPort = array( 'AD' => 389 );

$wgLDAPProxyAgent = array( 'AD' => 'CN=a,OU=b,DC=c,DC=d' );

$wgLDAPProxyAgentPassword = array( 'UFPE-AD' => 'password' );

$wgLDAPSearchAttributes = array( 'AD' => 'description' );

$wgLDAPBaseDNs = array( 'AD' => 'DC=c,DC=d' );

$wgLDAPDisableAutoCreate = array( 'AD' => true );

$wgLDAPPreferences = array( 'AD' => array( 'email' => 'mail', 'realname' => 'cn','nickname' => 'givenname') );

$wgLDAPLowerCaseUsername = array( 'AD' => true);

$wgGroupPermissions['*']['createaccount'] = false;

MediaWiki: 1.29.1

PHP: 5.5.21 (apache2handler)

PostgreSQL: 9LDAP

If I understand correctly, the `Special:CreateAccount` page will actually atempt to create an account (in your AD!). But the account already exists (in the AD)..

But if I understand correctly, with `$wgGroupPermissions['*']['autocreateaccount'] = true;` the accounts will be auto-created in the database on first log in. So you just need to make sure the account is available in AD and then tell the user to sign in to you wiki instance.

Hi, Does anyone know if this extension is affected by the new AuthManager in MediaWiki 1.27? Is it safe to upgrade to the new version of MW?

Thanks, Raj.

Would not recommend upgrading at this point.

Authentication was overhauled in 1.27 with AuthPlugin being deprecated, superseded by Manual:SessionManager and AuthManager.

After a quick test users that have not logged in previously will not be able to login (depending on your settings/permissions). The domain selection box also does not appear, although it seems to default to the first domain.

This extension should be converted to use PluggableAuth. Using PluggableAuth will probably help maintain compatibility in the future.

Il have test it a litte bit today after upgrading out test wiki today.

By default, for new account, the auto creation of local account does not work. But it is working well for existing account.

I have made a lot of search and test to overcome this problem. I have found out that a new right exist for auto account creation since 1.26.

I have tried to put this line in my LocalSettings.php file : $wgGroupPermissions['*']['autocreateaccount'] = true;

If i tried to login with a new account, it does not work, but if login with a existing account, logout and then login with a new account it work. Afther that, i have close my web page, restarted the server, try with another browser and if i login with a new account, the account is created each time.

The domain delection box does not appear, but if configure a second domain, the box appear.

After updating to mediawiki 1.27 Auto LDAP Authentication no longer worked. Mediawiki showed "database error occurred."

I commented line 1240 in LdapAuthentication.php ( self::saveDomain( $user, $_SESSION['wsDomain'] ); ) and the error went away.

What does uncommenting that do, exactly? It removed the error for me, too.

Does anyone know who we should contact to try and fix this at source and add proper compatibility for AuthManager? I tried contacting Ryan Lane (marked as the author on the extension homepage), but he said that he's no longer maintaining it.

I've added the phabricator project to the extension's infobox. You can report the bug there

I have the same problem with a new installation of mediawiki 1.27

I created a bug: https://phabricator.wikimedia.org/T140972

The updated worked for me for the most part. The line I had to comment out was in the file "/extensions/LdapAuthentication/LdapAuthenticationPlugin.php" and it was on line 1165.

Also, I was still having an error caused by a plugin after authenticating. I had to remove the ToDoTasks plugin and then it worked. :) YEAH!!

Use: https://github.com/noris-network/mediawiki-extensions-sessionprovider-remoteuser

I've hit this problem as well, it only emerged after new users that had not logged into the wiki prior to the upgrade from v1.26, started complaining.

I'm running a private wiki, with LDAP auth only. Going through the code of AuthManager.php (line 1545 onwards), it became clear that this can either be resolved using the 'createaccount' or 'autocreateaccount' permission. I've tried both options and the 'autocreateaccount' matches my desired behavior. I *think* that the wiki also still is secure/private and no additional users can be created (except when auth from LDAP succeeds).

However I feel it would be better if these permissions would be integrated in the plugin and would not have to be handled separately.

THANKS a lot for this solution. For me it works also!

extension for mediawiki 1.28

I'm getting closer to figuring this out, but stuck on automatically creating accounts. Here's my current (sanitized) configuration. I can authenticate, but I then get the message:

Auto-creation of a local account failed: Automatic account creation is not allowed.

require_once ("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPUseLocal = true;

$wgLDAPDebug = 3;
$wgDebugLogGroups['ldap'] = '/tmp/debug.log';

$wgLDAPDomainNames       = array('LOCAL');
$wgLDAPServerNames       = array('LOCAL' => 'local-dc2.local.domain');
$wgLDAPEncryptionType    = array('LOCAL' => 'clear');
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs           = array('LOCAL' => 'ou=Users,ou=LOCAL,dc=domain,dc=local');

$wgLDAPSearchStrings     = array('LOCAL' => 'LOCAL\\USER-NAME');
$wgLDAPSearchAttributes  = array('LOCAL' => 'sAMAccountName' );

$wgLDAPDisableAutoCreate = array('LOCAL' => false);

Any help would be greatly appreciated!

Same here. Any help is appreciated. My config:

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );

$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array("iRedMail");

$wgLDAPServerNames = array("iRedMail" => "192.168.XX.XX");

$wgLDAPPort = array("iRedMail" => 389);

$wgLDAPEncryptionType = array( "iRedMail" => "clear");

$wgLDAPBaseDNs = array( "iRedMail"=>"o=domains,dc=example,dc=com");

$wgLDAPProxyAgent = array("iRedMail"=>"cn=vmail,dc=example,dc=com");

$wgLDAPProxyAgentPassword = array( "iRedMail"=>"*****");

$wgLDAPUserBaseDNs = array( "iRedMail"=>"o=domains,dc=example,dc=com");

$wgLDAPSearchAttributes = array( "iRedMail" => "mail");

$wgLDAPLowerCaseUsername = array( "iRedMail"=>true);

$wgLDAPUseLocal = true;

$wgLDAPDebug = 3;

$wgDebugLogGroups['ldap'] = '/tmp/debug.log';

Same issue

FWIW, I finally got it working. Not sure what the difference is here... the $wgGroupPermissions item is not listed on the LDAP extension instructions, but I think this is what did it.

require_once ("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
#$wgLDAPUseLocal = true;
$wgLDAPDomainNames       = array('LOCAL');
$wgLDAPServerNames       = array('LOCAL' => 'local-dc2.mydomain.local');
$wgLDAPEncryptionType    = array('LOCAL' => 'clear');
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs           = array('LOCAL' => 'ou=Users,ou=LOCAL,dc=mydomain,dc=local');
$wgLDAPSearchStrings     = array('LOCAL' => 'LOCAL\\USER-NAME');
$wgLDAPSearchAttributes  = array('LOCAL' => 'sAMAccountName' );
$wgLDAPRetrievePrefs     = array('LOCAL' => true );
$wgGroupPermissions['*']['autocreateaccount'] = true;

I tried with that TroySettle but not luck. I receive same fails, what versions do you have installed? (Mediawiki and LDAP please) Thanks.

Did you create Wiki as Open? private?

NOTE: I solved using wiki 1.23 version.

I had to set $wgGroupPermissions['*']['createaccount'] = true;

That still did not work for me.

My other anonymous permissions are set to false.

$wgGroupPermissions['*']['edit'] = false; $wgGroupPermissions['*']['read'] = false;

I want this to be a private wiki.

It would seem I had to clear all session data and remove cookies from previous logon attempts with my test user as well as comment out self::saveDomain( $user, $_SESSION['wsDomain'] ); from one of the extension's configuration files. It now works.

I had this problem, too. In my case, the solution was the one that has already been mentioned above:

1. switch back to local auth in LocalSettings.php; then login with a *local* admin/bureaucrat account (the one you set up when installing the wiki).

2. create a local user with the same name as one that exists in LDAP (give him a bullsh*t password, no need to match the LDAP one). Not mandatory, but if you are smart, this user should be a bureaucrat as you need at least one LDAP-based bureaucrat anyways. Lets call this user "Ldapboss".

3. switch again to LDAP auth in LocalSettings.php; then login with the user Ldapboss you just created. Of course you need to use the user's actual LDAP password this time. Btw, your local admin is now locked out of the system (unless you set wgLDAPUseLocal to true). This is why you need an LDAP-based bureaucrat.

From this point on, weirdly enough, auto account creation works. It's like, you need at least one successful login to make it work. Not sure why, doesn't make sense.

Ask a colleague to log on, or alternatively, rename your Ldapboss user to Ldapboss_Trash (Renameuser extension) and logout. Then login again with Ldapboss using again the LDAP credentials. Now, you Ldapboss is auto-created (this time as a simple user, as it should).

Actually, on Ryan D Lane (creator and ex-maintainer of the plugin) has this written on a 2009 blog post --- Quote:

"Before enabling the plugin, you should create a user in the local wiki database that exists in AD, and promote that user to sysop. After the plugin is enabled, you will not be able to log in as any user who does not exist in AD."

Hi,

While I executed step 3, then use Ldapboss login with LDAP password, I got the following error:

[WMFhIqwRAAIAABOptNUAAAAG] 2017-03-09 14:05:24: Fatal exception of type "DBQueryError"

Is it normal?

But it looks I have already logged in.

Hi,

Any news on Brain Wang's problem? I experience the same issue. The user seems to be logged in, however logging in with an other user from LDAP still fails.

Today I ran into the same issue, and found that the LDAP plugin does not have the right to autocreate users, despite the allowed autocreateaccount Group Permission setting. Then I found that the referred table (ldap_domains) did not exist in the database (and thus throwing the authmanager-autocreate-noperm errors). Creating the table in the right database based on the extensions/LdapAuthentication/schema/ldap-mysql.sql seems to fixed the issue:

# mysql -u root -p

Enter password:

mysql> use my_wiki

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A

Database changed

mysql> CREATE TABLE ldap_domains (domain_id int not null primary key auto_increment,domain varchar(255) binary not null,user_id int not null);

Query OK, 0 rows affected (0.00 sec)

This worked for me. Thanks

I am running a private Wiki

$wgGroupPermissions['*']['autocreateaccount'] = true;

fixed it for me. If you read the changelog of 1.27:

* MediaWiki will now auto-create users as necessary, removing the need for

  extensions to do so. An 'autocreateaccount' right is added to allow

  auto-creation when 'createaccount' is not granted to all users.

I resolved the problem by setting the $wgGroupPermissions['*']['autocreateaccount'] = true but also assigning CHMOD permissions to all .php files in /mediawiki to 777 for the local account I was using.

For anyone else with this error:

Do set $wgGroupPermissions['*']['autocreateaccount'] = true;

Then delete your session cookie and reload the page to get a new session before trying again. Your session gets added to an account auto-creation blacklist when it fails the first time, which happens to give the exact same error message.

This exact method worked for me too, thanks! Removing the session-cookie was the one thing I missed after unsuccessfully adding the configuration-option