Extension talk:LDAP Authentication


About this board

How to ask for support

There are a couple of key pieces of info I always need:

  1. The MediaWiki version you are using
  2. The LdapAuthentication extension version you are using

I very often will need to see two other things when you ask for support, so you should have them prepared:

  1. Your configuration, with sensitive stuff snipped out
  2. The extension's debug log, with sensitive stuff snipped out

When you are trying to debug an authentication problem, you should always use the most basic configuration possible. For instance, if you don't have basic authentication working yet, you shouldn't have group restrictions or group synchronization enabled yet. I will generally ask you to disable these things when debugging.

Also, $wgLDAPUseLocal is almost never what you want to use. It's a frequent cause of configuration issues, and unless you really know what you are doing, it should not be set (or explicitly set to false, which is the default).

Most importantly of all: ensure you are using the newest version of the extension. From the extension distributor, that's the "master" version. If you are using git, just make sure you use git pull && git reset --hard origin/master. This is one of the more common causes of problems.

How to submit a bug

If you've found a bug, please submit it here.


Trying to use Windows AD ldap for authentication.

Jac09876 (talkcontribs)

Good day,

I am trying to authenticate against Windows Server 2012 R2, but whatever I tried, it does not work. MediaWiki is running, and I can log in with a local account, but not with an Active Directory account.

I run Mediawiki on CentOS Linux release 7.2.1511, and use the following versions:

    Product    Version
    MediaWiki  1.26.2
    PHP        5.4.16 (apache2handler)
    MariaDB    5.5.47-MariaDB
    ICU        50.1.2

This is the LDAP configuration from LocalSettings.php:

    require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
    $wgAuth = new LdapAuthenticationPlugin();

    $wgLDAPDomainNames = array(
        'acme'
    );
    $wgLDAPServerNames = array(
        'acme' => 'acme-hq-AD1.internal.acme.com'
    );
    $wgLDAPBaseDNs = array(
        'acme' => 'DC=internal,DC=acme,DC=com'
    );
    #$wgLDAPActiveDirectory = array(
    #    "acme" => true
    #);
    $wgLDAPSearchAttributes = array(
        "acme" => "sAMAccountName"
    );
    $wgLDAPRetrievePrefs = array(
        "acme" => "true"
    );
    $wgLDAPPreferences = array(
        'acme' => array(
            'email'    => 'mail',
            'realname' => 'displayname'
        )
    );
    $wgLDAPEncryptionType = array(
        #'acme' => 'clear'
        'acme' => 'ssl'
        #'acme' => 'tls'
    );
    $wgLDAPSearchStrings = array(
        #'acme' => 'acme\\USER-NAME'
        'acme' => 'USER-NAME@acme'
    );
    $wgLDAPUseLocal = false;
    $wgMinimalPasswordLength = 1;
    $wgLDAPProxyAgent = array(
        'acme' => 'CN=acme-hq-mediawiki,OU=Service Accounts,OU=HeadQuarters,DC=internal,DC=acme,DC=com'
    );
    $wgLDAPProxyAgentPassword = array(
        'acme' => 'p@sSw0rD'
    );

ldapsearch works:

    [root@wiki]# ldapsearch -x -LLL -h acme-hq-ad1.internal.acme.com -D 'CN=acme-hq-mediawiki,OU=Service Accounts,OU=HeadQuarters,DC=internal,DC=acme,DC=com' -w p@sSw0rD -b "DC=internal,DC=acme,DC=com" -s sub "(objectClass=user)" givenName
    dn: CN=acme-hq-AD1,OU=Domain Controllers,DC=internal,DC=acme,DC=com
    etc...

This is the MediaWiki logging:

2016-04-21 19:40:33 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering validDomain
2016-04-21 19:40:33 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 User is using a valid domain (acme).
2016-04-21 19:40:33 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Setting domain as: acme
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getCanonicalName
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Username is: acme-hq-mediawiki
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Munged username: acme-hq-mediawiki
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getCanonicalName
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Username is an IP, not munging.
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getCanonicalName
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Username is an IP, not munging.
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering userExists
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering authenticate for username acme-hq-mediawiki
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering Connect
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Using SSL
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Using servers: ldaps://acme-hq-AD1.internal.acme.com:636
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getSearchString
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Doing a straight bind
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 userdn is: acme-hq-mediawiki@acme
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Binding as the user
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Failed to bind as acme-hq-mediawiki@acme
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering allowPasswordChange
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering modifyUITemplate
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain

What am I doing wrong?

Thanks!

Regards,

- Jac

Jac09876 (talkcontribs)

ldapsearch with TLS also works:

    [root@wiki]# ldapsearch -x -ZZ -LLL -h acme-hq-ad1.internal.acme.com -D 'CN=acme-hq-mediawiki,OU=Service Accounts,OU=HeadQuarters,DC=internal,DC=acme,DC=com' -w p@sSw0rD -b "DC=internal,DC=acme,DC=com" -s sub "(objectClass=user)" givenName
    dn: CN=acme-HQ-AD1,OU=Domain Controllers,DC=internal,DC=acme,DC=com
    etc.

- Jac

Jac09876 (talkcontribs)

Hello,

Does anyone have a clue what's wrong? Mr. Lane?

Please help!

Thanks,

- Jac

Jac09876 (talkcontribs)

It is caused by SELinux: by default it blocks httpd from using LDAP:

    [root@wiki mediawiki]# getsebool -a | grep ldap
    authlogin_nsswitch_use_ldap --> off
    dhcpd_use_ldap --> off
    httpd_can_connect_ldap --> off
    [root@wiki mediawiki]# setsebool httpd_can_connect_ldap 1
    [root@wiki mediawiki]# getsebool -a | grep ldap
    authlogin_nsswitch_use_ldap --> off
    dhcpd_use_ldap --> off
    httpd_can_connect_ldap --> on

That is why ldapsearch did work.

So the problem is solved.

- Jac

Javierdiazus (talkcontribs)

This worked for me; it finally solved my LDAP authentication issue (not communicating with LDAP), in spite of all the correct settings being in place.

The only suggestion I would add is:

    setsebool -P httpd_can_connect_ldap 1

-P makes the change persistent across reboots; otherwise, the next time it reboots, the setting goes back to off.

Thanks for the tip!!!

--- Javier
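One way to read such a log, as an added example that is not part of this thread and not the extension's code: the Python below parses the debug lines the extension writes with $wgLDAPDebug = 3 and measures the delay between the "Using servers:" line and the next line logged. As the log itself says, ldap_connect() returning true proves nothing about the connection, so that gap is the first point at which the network is really involved. In the SELinux case above the timestamps jump from 19:40:34 to 19:40:51 before "Failed to bind"; in the "Login error" thread further down every line carries the same second, which is what a directory rejecting "EUROPE.LAN\mediawiki" looks like. The 5-second threshold and the two sample logs (lines copied from the threads and joined back onto single lines, with the "Entering getDomain" noise dropped) are the example's own choices.

```python
"""Triage a failed LdapAuthentication login from the extension's debug log."""
from datetime import datetime

# Sample input, constructed for this example from the SELinux thread above.
# Note the 17-second jump after "Using servers:" before the bind fails.
SELINUX_CASE = [
    "2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering Connect",
    "2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Using SSL",
    "2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Using servers: ldaps://acme-hq-AD1.internal.acme.com:636",
    "2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 PHP's LDAP connect method returned true (note, this does not imply it connected to the server).",
    "2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Doing a straight bind",
    "2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 userdn is: acme-hq-mediawiki@acme",
    "2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Binding as the user",
    "2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Failed to bind as acme-hq-mediawiki@acme",
]

# Same shape, from the "Login error" thread further down: the directory
# answers within the same second, so this is a rejected bind, not a blocked one.
REJECTED_CASE = [
    "2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Using servers:  ldap://dc1.bbveurope.lan:389",
    "2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Using TLS",
    "2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 PHP's LDAP connect method returned true (note, this does not imply it connected to the server).",
    "2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Doing a straight bind",
    "2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 userdn is: EUROPE.LAN\\mediawiki",
    "2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Binding as the user",
    "2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Failed to bind as EUROPE.LAN\\mediawiki",
]


def parse_line(line):
    """Split one debug line into (timestamp, message).

    Lines look like "<date> <time> <host...> <wiki>: <version> <message>";
    the first ": " ends the prefix. Returns None for anything else.
    """
    head, sep, tail = line.strip().partition(": ")
    if not sep:
        return None
    try:
        stamp = datetime.strptime(head[:19], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    _version, _, message = tail.partition(" ")
    return stamp, message


def classify_login(lines, slow_seconds=5):
    """Reduce one login attempt to the facts needed for triage.

    connect_delay: seconds between "Using servers:" and the next logged line.
    bind: "failed", "ok" or None.  verdict: the triage hint derived from both.
    """
    facts = {"servers": None, "identity": None, "connect_delay": None,
             "bind": None, "verdict": "no bind attempted"}
    connect_started = None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        stamp, message = parsed
        if connect_started is not None:
            facts["connect_delay"] = int((stamp - connect_started).total_seconds())
            connect_started = None
        if message.startswith("Using servers:"):
            facts["servers"] = message.partition(":")[2].strip()
            connect_started = stamp
        elif message.startswith("userdn is:"):
            facts["identity"] = message.partition(":")[2].strip()
        elif message.startswith("Failed to bind as"):
            facts["bind"] = "failed"
        elif message.startswith("Bound successfully"):
            facts["bind"] = "ok"

    if facts["bind"] == "ok":
        facts["verdict"] = ("credentials accepted; look at what runs after the bind "
                            "(required groups, preferences, account creation)")
    elif facts["bind"] == "failed":
        if (facts["connect_delay"] or 0) >= slow_seconds:
            facts["verdict"] = ("slow connect before a failed bind: suspect the path to the "
                                "server (SELinux httpd_can_connect_ldap, firewall, TLS "
                                "handshake) rather than the password")
        else:
            facts["verdict"] = ("immediate rejection: the server answered, so check the bind "
                                "identity built from $wgLDAPSearchStrings and the password")
    return facts


if __name__ == "__main__":
    for name, case in (("selinux", SELINUX_CASE), ("rejected", REJECTED_CASE)):
        facts = classify_login(case)
        print(f"{name}: bind as {facts['identity']!r} via {facts['servers']} "
              f"after {facts['connect_delay']}s -> {facts['verdict']}")
```

Run it against the real file with `classify_login(open('/tmp/ldapdebug.log'))`, one login attempt at a time. The verdict is a hint, not a diagnosis: a slow connect narrows the search to everything between httpd and the directory (SELinux context, firewall, DNS, certificate checks), and the useful next step in that case is to reproduce the bind from the web server's own context rather than from a root shell, where ldapsearch is unconfined and will succeed regardless.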


Login error incorrect password entered. please try again

Bernhardsmw (talkcontribs)


Installed and configured MediaWiki without problems. Then I tried to change the login to LDAP. After hours and the use of the documentation I was not able to login. Is this extension still working? 

Here is my LocalSettings.php config:

    #LDAP Authentication
    require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
    $wgAuth = new LdapAuthenticationPlugin();

    # Every per-domain array is keyed by the name listed in $wgLDAPDomainNames
    # ("EUROPE.LAN"). These two entries were keyed 'EUROPE' as posted, so the
    # proxy agent was never picked up for this domain; the key is fixed here.
    $wgLDAPProxyAgent = array( 'EUROPE.LAN' => 'cn=mediawiki,dc=EUROPE,dc=LAN' );
    $wgLDAPProxyAgentPassword = array( 'EUROPE.LAN' => 'password' );

    $wgLDAPDomainNames = array( "EUROPE.LAN" );

    $wgLDAPServerNames = array( "EUROPE.LAN" => "dc1.EUROPE.lan" );
    # I recommend using a Global Catalog server for this.

    $wgLDAPSearchStrings = array( "EUROPE.LAN" => "EUROPE.LAN\\USER-NAME" );
    $wgLDAPEncryptionType = array( "EUROPE.LAN" => "tls" );
    $wgLDAPUseLocal = false;
    $wgMinimalPasswordLength = 1;

    $wgLDAPBaseDNs = array( "EUROPE.LAN" => "dc=EUROPE,dc=LAN" );
    # Example: If your domain is mydomain.internet.ca then you want to put in "dc=mydomain,dc=internet,dc=ca".

    $wgLDAPSearchAttributes = array( "EUROPE.LAN" => "sAMAccountName" );

    $wgLDAPRetrievePrefs = array( "EUROPE.LAN" => "true" );

    $wgLDAPPreferences = array( 'EUROPE.LAN' => array( 'email' => 'mail', 'realname' => 'displayname' ) );
    # This will automatically map the users e-mail address and full name from Active Directory to their account in MediaWiki

    $wgLDAPDebug = 3; //for debugging LDAP
    $wgShowExceptionDetails = true; //for debugging MediaWiki
    $wgDebugLogGroups["ldap"] = "/tmp/ldapdebug.log";

This is the debug log: 

2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Setting domain as: EUROPE.LAN
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getCanonicalName
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Username is: Mediawiki
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Munged username: Mediawiki
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getCanonicalName
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Username is an IP, not munging.
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getCanonicalName
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Username is an IP, not munging.
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering userExists
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering authenticate for username Mediawiki
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering Connect
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Using TLS or not using encryption.
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Using servers:  ldap://dc1.bbveurope.lan:389
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Using TLS
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getSearchString
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Doing a straight bind
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 userdn is: EUROPE.LAN\mediawiki
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Binding as the user
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Failed to bind as EUROPE.LAN\mediawiki
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering allowPasswordChange
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering modifyUITemplate
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain

I tried a normal PHP login with this script and it works.

    <?php
    // stand-alone bind test, no MediaWiki involved
    $ldaprdn  = 'mediawiki';   // sAMAccountName of a domain user
    $ldappass = 'mediawiki';   // its password

    // "connect" to the LDAP server (nothing is sent until the bind)
    $ldapconn = ldap_connect("EUROPE.LAN")
        or die("No connection to LDAP.");

    // Active Directory needs protocol version 3; referral chasing off
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);

    // bind as the user and report the server's reason on failure
    $ldapbind = @ldap_bind($ldapconn, $ldaprdn, $ldappass);
    if ($ldapbind) {
        echo "LDAP bind success...";
    } else {
        echo "LDAP bind failed: " . ldap_error($ldapconn);
    }
    ?>

Please help me the problem is really frustrating and I worked on it for hours... 

Bernhardsmw (talkcontribs)

Just for info: "mediawiki" is an existing windows domain user. I tried other users too and it still worked.

Bernhardsmw (talkcontribs)

And most importantly: Why do I need kerberos or slapd as the documentation tells? Is the normal php5-ldap package not enough?

158.145.224.111 (talkcontribs)

Try switching to SSL, or clear text. If you are authenticating and the binding is failing (same as mine below) then we might be in the same boat. The extension works, I can vouch for that. If the LDAP server you are authenticating to isn't authenticated by a real CA you might have issues. You'll need to add the public key certificate to your CA store.

Bernhardsmw (talkcontribs)

I did the change and this is how my /etc/ldap/ldap.conf looks now

TLS_REQCERT     never

This is the change I did in the /var/lib/mediawiki/LocalSettings.php

$wgLDAPEncryptionType = array( "EUROPE.LAN" => "clear" );

And this the debug file. Still no success...

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering validDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 User is using a valid domain (EUROPE.LAN).
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Setting domain as: EUROPE.LAN
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getCanonicalName
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Username is: Mediawiki
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Munged username: Mediawiki
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getCanonicalName
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Username is an IP, not munging.
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getCanonicalName
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Username is an IP, not munging.
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering userExists
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering authenticate for username Mediawiki
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering Connect
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Using TLS or not using encryption.
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Using servers:  ldap://DC1.EUROPE.LAN:389
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getSearchString
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Doing a straight bind
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 userdn is: EUROPE.LAN\mediawiki
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Binding as the user
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Failed to bind as EUROPE.LAN\mediawiki
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering allowPasswordChange
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering modifyUITemplate
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain

Bernhardsmw (talkcontribs)

As I can see now the time of the Logfile is not correct. The system time is the same as the DC server but the logfile time is 2 hours after it.

Bernhardsmw (talkcontribs)

phpinfo() about SSL config

[openssl]

OpenSSL support enabled
OpenSSL Library Version OpenSSL 1.0.1f 6 Jan 2014
OpenSSL Header Version OpenSSL 1.0.1f 6 Jan 2014
Registered Stream Socket Transports tcp, udp, unix, udg, ssl, sslv3, tls

Bernhardsmw (talkcontribs)

After hours of madness I finally got it working:

You have to install the required packages: Extension:LDAP Authentication#Installation

Then just follow this guide: http://ryandlane.com/blog/2009/03/23/using-the-ldap-authentication-plugin-for-mediawiki-the-basics-part-1/

Forget the configurations written on the wiki page. If you get a database error after the login, see Topic:Sshx994njzy3rs3l

"www.mediawiki.org/wiki/Topic:Sshx994njzy3rs3l" (if the link does not work)

I am a bit mad but happy now. This plugin costs too much time because of the misleading documentation.

86.135.240.141 (talkcontribs)

One of the year and I don't have the Kajus

110.137.41.215 (talkcontribs)

 Incorrect password entered. Please try again.


MediaWiki Server 18.04 Failed to bind to user

Enovyfalls (talkcontribs)

Have an old MediaWiki Ubuntu server running Ubuntu 14.04, with MediaWiki 1.25, PHP 5.59 and mysql 5.7.23. This server was getting old and we wanted to add certain functionality past what 1.25 could run, so we spun up a new server running 18.04, transferred everything over and I was able to get the wiki up and running. It is now at MediaWiki 1.30, PHP 7.2 and mysql 5.7. My LocalSettings.php has not changed, and as this is all internal I am running the encryption type as clear. I have the debug log set up and everything seems to be running correctly until:

    userdn is: user@domain
    Entering getDomain
    Binding as the user
    Failed to bind as user@domain

I can access the ldap server as usual.

Any ideas?


works on mediawiki --branch REL1_31 for us

RobFantini (talkcontribs)

Spent some hours upgrading from mw v29 to v31. Without any changes to LocalSettings.php, LDAP Authentication to a Debian 9 OpenLDAP server (slapd) works.

after reviewing my incomplete notes and apt install logs, the only thing I see we did was:

apt install php-ldap

our existing LocalSettings.php had:

    require_once 'extensions/LdapAuthentication/LdapAuthentication.php';
    $wgAuth = new LdapAuthenticationPlugin();

MarkAHershberger (talkcontribs)

Note that the second require_once should not be needed.

RobFantini (talkcontribs)

thanks - i removed the second require_once and no issue logging in.


Active Directory Group based login restrictions

Sundaresanc (talkcontribs)

Hi, I have been using MediaWiki for the past 4 months with Active Directory integrated LDAP logins. Now every user in AD has access to all pages once they log in. My requirement is to make group based logins and restrict all other users from accessing MediaWiki. For this, I have added the following to the LocalSettings.php file, which is not working. After adding the last line related to required groups, it says incorrect user name and password. Please help.

$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array(
  'ourdomainname'
);

$wgLDAPServerNames = array(
  'ourdomainname' => 'dc.ourdomainname dc.ourdomainname'
);

$wgLDAPSearchStrings = array(
  'ourdomainname' => 'domain\\USER-NAME'
);

$wgLDAPEncryptionType = array(
  'ourdomainname' => 'clear'
);

$wgLDAPUseLocal = false;

$wgMinimalPasswordLength = 1;

$wgLDAPBaseDNs = array(
  'ourdomainname' => 'dc=domain,dc=com'
);

$wgLDAPSearchAttributes = array(
  'ourdomainname' => 'sAMAccountName'
);

# A required-groups check needs the user's group list. Nothing above tells the
# extension how to read groups from Active Directory, so the list stays empty
# and every login is refused as a bad user name or password. The settings
# below (from the extension's group-restriction documentation) read the user's
# memberOf attribute and compare full group DNs.
$wgLDAPGroupUseFullDN    = array( 'ourdomainname' => true );
$wgLDAPGroupsUseMemberOf = array( 'ourdomainname' => true );
$wgLDAPGroupObjectclass  = array( 'ourdomainname' => 'group' );
$wgLDAPGroupAttribute    = array( 'ourdomainname' => 'member' );
$wgLDAPGroupNameAttribute = array( 'ourdomainname' => 'cn' );

# Full DN of the group, written in lowercase: the extension logs the groups it
# fetches for a user in lowercase, so this form is the one that is safe to compare.
$wgLDAPRequiredGroups = array(
  'ourdomainname' => array( 'cn=wiki_users,ou=security groups,ou=others,dc=domain,dc=com' )
);

198.184.231.254 (talkcontribs)

Hello, I know it's a very long time after.

I have the same problem, did you manage to make it work?

Another required groups issue

91.224.226.196 (talkcontribs)

Hi there,

here's another group issue where I didn't find a solution in older threads...: We try to allow page creation etc. only to an AD group 'IT'.

Behaviour: If we uncomment the line

$wgLDAPRequiredGroups = array( "MyDomain"=> array( "dc=My,dc=Dom,dc=ain" ) );

we can logon. If the line is active we get a "wrong password" error message. In either case there is no check if the user is in the group 'IT'.

  • Settings:
    • Wiki-Version: 1.19.0
    • PHP: 5.4.4-7 (apache2handler)
    • MySQL: 5.5.24-9
    • LDAP Authentication Plugin (Version 2.0a) <-- Version 2.0c couldn't be downloaded...


  • LocalSettings.php
# Enable LDAP Authentication
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array( "MyDomain" );
$wgLDAPServerNames = array( "MyDomain" => "PrimDomContrl.MyDomain" );
$wgLDAPSearchStrings = array( "MyDomain" => "My\\USER-NAME" );
$wgLDAPEncryptionType = array( "MyDomain" => "clear" );
# $wgLDAPUseLocal = true;
$wgLDAPAccessDeniedPage = array( "MyDomain" => "Missing rights!" );
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs = array( "MyDomain" => "dc=My,dc=Dom,dc=ain" );
$wgLDAPSearchAttributes = array( "MyDomain" => "sAMAccountName" );
$wgLDAPRetrievePrefs = array( "MyDomain" => "true" );
$wgLDAPDebug = 3; //for debugging LDAP
$wgDebugLogGroups["ldap"] = "/tmp/ldaplog.log";
$wgShowExceptionDetails = true; //for debugging MediaWiki
$wgLDAPGroupUseFullDN = array( "MyDomain" => true );
$wgLDAPGroupsUseMemberOf = array( "MyDomain" => true );
$wgLDAPGroupObjectclass = array( "MyDomain" => "group" );
$wgLDAPGroupAttribute = array( "MyDomain" => "member" );
$wgLDAPGroupSearchNestedGroups = array( "MyDomain" => true );
$wgLDAPGroupNameAttribute = array( "MyDomain" => "cn" );

# The following permissions were set based on your choice in the installer
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['createpage'] = false;
$wgGroupPermissions['*']['createtalk'] = false;

# BUG: the value here is the base DN, not a group. The check compares it with
# the DNs from the user's memberOf (the log below prints them lowercased, e.g.
# "cn=xxx-admins,ou=it,dc=My,dc=Dom,dc=ain"), so the base DN never matches and
# every login is refused. Put the full DN of the 'IT' group here, in lowercase.
$wgLDAPRequiredGroups = array( "MyDomain" => array( "dc=My,dc=Dom,dc=ain" ) );

# This section defines permissions which allow only logged-in users to edit
#
# Deny access to Anonymous
# But allow Anonymous to login
#
$wgWhitelistRead = array( "Special:Userlogin" );
#
# Allow logged in users to do these things.
# Note: nothing above puts LDAP users into the MediaWiki group 'it'; these
# rights only apply once group synchronisation or a manual assignment adds
# users to that group.
#
$wgGroupPermissions['it']['move']            = true;
$wgGroupPermissions['it']['read']            = true;
$wgGroupPermissions['it']['edit']            = true;
$wgGroupPermissions['it']['createpage']      = true;
$wgGroupPermissions['it']['createtalk']      = true;
$wgGroupPermissions['it']['upload']          = true;
$wgGroupPermissions['it']['reupload']        = true;
$wgGroupPermissions['it']['reupload-shared'] = true;
$wgGroupPermissions['it']['minoredit']       = true;
 


  • Log-Output:
2012-10-18 08:56:48 Localhost mywiki: 2.0a Entering validDomain
2012-10-18 08:56:48 Localhost mywiki: 2.0a User is not using a valid domain ().
2012-10-18 08:56:48 Localhost mywiki: 2.0a Setting domain as: MyDomain
2012-10-18 08:56:48 Localhost mywiki: 2.0a Entering allowPasswordChange
2012-10-18 08:56:48 Localhost mywiki: 2.0a Entering modifyUITemplate
2012-10-18 08:56:48 Localhost mywiki: 2.0a Allowing the ain domain, adding it to the list.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering validDomain
2012-10-18 08:56:52 Localhost mywiki: 2.0a User is using a valid domain (MyDomain).
2012-10-18 08:56:52 Localhost mywiki: 2.0a Setting domain as: MyDomain
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getCanonicalName
2012-10-18 08:56:52 Localhost mywiki: 2.0a Username isn't empty.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering Connect
2012-10-18 08:56:52 Localhost mywiki: 2.0a Using TLS or not using encryption.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Using servers:  ldap://PrimDomContrl.MyDomain:389
2012-10-18 08:56:52 Localhost mywiki: 2.0a PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getUserDN
2012-10-18 08:56:52 Localhost mywiki: 2.0a Doing an anonymous bind
2012-10-18 08:56:52 Localhost mywiki: 2.0a Created a regular filter: (sAMAccountName=XXX-TESTUSER)
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getBaseDN
2012-10-18 08:56:52 Localhost mywiki: 2.0a basedn is not set for this type of entry, trying to get the default basedn.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getBaseDN
2012-10-18 08:56:52 Localhost mywiki: 2.0a Using base: dc=My,dc=Dom,dc=ain
2012-10-18 08:56:52 Localhost mywiki: 2.0a Couldn't find an entry
2012-10-18 08:56:52 Localhost mywiki: 2.0a Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Munged username: XXX-TESTUSER
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering authenticate for username XXX-TESTUSER
2012-10-18 08:56:52 Localhost mywiki: 2.0a
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering Connect
2012-10-18 08:56:52 Localhost mywiki: 2.0a Using TLS or not using encryption.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Using servers:  ldap://PrimDomContrl.MyDomain:389
2012-10-18 08:56:52 Localhost mywiki: 2.0a PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getSearchString
2012-10-18 08:56:52 Localhost mywiki: 2.0a Doing a straight bind
2012-10-18 08:56:52 Localhost mywiki: 2.0a userdn is: My\XXX-TESTUSER
2012-10-18 08:56:52 Localhost mywiki: 2.0a
2012-10-18 08:56:52 Localhost mywiki: 2.0a Binding as the user
2012-10-18 08:56:52 Localhost mywiki: 2.0a Bound successfully
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getUserDN
2012-10-18 08:56:52 Localhost mywiki: 2.0a Created a regular filter: (sAMAccountName=XXX-TESTUSER)
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getBaseDN
2012-10-18 08:56:52 Localhost mywiki: 2.0a basedn is not set for this type of entry, trying to get the default basedn.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getBaseDN
2012-10-18 08:56:52 Localhost mywiki: 2.0a Using base: dc=My,dc=Dom,dc=ain
2012-10-18 08:56:52 Localhost mywiki: 2.0a Fetched UserDN: CN=TESTUSER\, XXX-,OU=Undef. User,OU=MyBranch,OU=MyComp,DC=My,DC=Dom,DC=ain
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getGroups
2012-10-18 08:56:52 Localhost mywiki: 2.0a Retrieving LDAP group membership
2012-10-18 08:56:52 Localhost mywiki: 2.0a Using memberOf
2012-10-18 08:56:52 Localhost mywiki: 2.0a Got the following groups: cn=xxx-user,ou=xxx-lists,dc=My,dc=Dom,dc=ain::cn=xxx-admins,ou=it,dc=My,dc=Dom,dc=ain:: [...]
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering checkGroups
2012-10-18 08:56:52 Localhost mywiki: 2.0a Checking for (new style) group membership
2012-10-18 08:56:52 Localhost mywiki: 2.0a Required groups: dc=My,dc=Dom,dc=ain
2012-10-18 08:56:52 Localhost mywiki: 2.0a Checking against: cn=xxx-user,ou=xxx-lists,dc=My,dc=Dom,dc=ain
2012-10-18 08:56:52 Localhost mywiki: 2.0a Checking against: cn=xxx-admins,ou=it,dc=My,dc=Dom,dc=ain
[...]
2012-10-18 08:56:52 Localhost mywiki: 2.0a Couldn't find the user in any groups.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering strict.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Returning false in strict().
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering allowPasswordChange
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering modifyUITemplate
2012-10-18 08:56:52 Localhost mywiki: 2.0a Allowing the local domain, adding it to the list.

Any hints?
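Both required-groups threads above (the one about Wiki_Users and this one) set $wgLDAPRequiredGroups to a value that the group check compares against the DNs in the user's memberOf attribute. The Python below is an added example, not the extension's code: it parses the "Got the following groups:" line from the log above (entries separated by "::"), normalises DNs for comparison (case and spacing, leaving escaped commas such as "TESTUSER\, XXX-" intact) and shows that the base DN "dc=My,dc=Dom,dc=ain" can never match, while a group DN does. The third entry in the sample list, "CN=IT,OU=Groups,DC=My,DC=Dom,DC=ain", is an assumed DN for the 'IT' group and does not appear in the post. The extension's own comparison may be stricter than this normalisation, which is why a configured DN is safest written in lowercase, the form the log prints.

```python
"""Check $wgLDAPRequiredGroups values against a user's memberOf list."""

# Sample input, constructed for this example: the "Got the following groups:"
# message from the log above with its "[...]" tail replaced by an assumed DN
# for the 'IT' group. That third DN does not appear in the original post.
GROUPS_MESSAGE = (
    "Got the following groups: cn=xxx-user,ou=xxx-lists,dc=My,dc=Dom,dc=ain"
    "::cn=xxx-admins,ou=it,dc=My,dc=Dom,dc=ain"
    "::CN=IT,OU=Groups,DC=My,DC=Dom,DC=ain"
)
BASE_DN = "dc=My,dc=Dom,dc=ain"


def split_rdns(dn):
    """Split a DN on unescaped commas only, so 'CN=TESTUSER\\, XXX-' stays one RDN."""
    parts, current, i = [], [], 0
    while i < len(dn):
        char = dn[i]
        if char == "\\" and i + 1 < len(dn):   # keep the escape and escaped char together
            current.append(dn[i:i + 2])
            i += 2
            continue
        if char == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(char)
        i += 1
    parts.append("".join(current))
    return parts


def normalize_dn(dn):
    """Comparison form of a DN: lowercase attribute names and values, no
    whitespace around '=' or after the separating commas. AD DNs are
    case-insensitive, so nothing relevant to membership is lost."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.strip().partition("=")
        rdns.append(attr.strip().lower() + sep + value.strip().lower())
    return ",".join(rdns)


def parse_groups_message(message):
    """Parse the extension's 'Got the following groups: a::b::c' debug message."""
    _, _, rest = message.partition("Got the following groups:")
    return [normalize_dn(group) for group in rest.split("::") if group.strip()]


def check_required_groups(member_of, required):
    """Required-groups gate: the user passes if any required DN is among the
    user's groups. Returns (allowed, required entries that matched)."""
    have = {normalize_dn(group) for group in member_of}
    matched = [group for group in required if normalize_dn(group) in have]
    return bool(matched), matched


def explain_required_value(value, base_dn):
    """Say whether a configured required-group value can match at all."""
    normalized = normalize_dn(value)
    if normalized == normalize_dn(base_dn):
        return "is the base DN, not a group: no memberOf value will ever equal it"
    if not normalized.startswith("cn="):
        return "does not start with cn=, so it is not an AD group DN"
    return "looks like a group DN"


def demo():
    """Run the base DN from the post and the assumed group DN through the gate."""
    groups = parse_groups_message(GROUPS_MESSAGE)
    outcome = {}
    for required in ("dc=My,dc=Dom,dc=ain", "CN=IT,OU=Groups,DC=My,DC=Dom,DC=ain"):
        allowed, _ = check_required_groups(groups, [required])
        outcome[required] = (allowed, explain_required_value(required, BASE_DN))
    return outcome


if __name__ == "__main__":
    for required, (allowed, why) in demo().items():
        print(f"{required!r}: {'allowed' if allowed else 'refused'} ({why})")
```

The normalisation is deliberately the permissive side of the comparison: if a DN fails this check it will fail the extension's check too, so running a candidate $wgLDAPRequiredGroups value through explain_required_value() before restarting logins is a cheap way to catch a base DN or OU pasted where a group DN belongs.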


How to fix the "Automatic account creation is not allowed" without AuthManager when using LDAP

82.75.122.213 (talkcontribs)

I use MediaWiki 1.27.3. LDAP authentication is required, but since we upgraded the error "Automatic account creation is not allowed" occurred for new LDAP users.

We used to authenticate using LdapAuthenticationPlugin() in LocalSettings.php, but since this is deprecated, the correct way to fix it would be using AuthManager, like below:

    $wgAuthManagerAutoConfig['primaryauth'] += [
        LdapPrimaryAuthenticationProvider::class => [
            'class' => LdapPrimaryAuthenticationProvider::class,
            'args'  => [ [ 'authoritative' => true ] ],
            'sort'  => 50,
        ],
    ];

However, this didn't work for us, since it couldn't authenticate with the LDAP server (according to our logs). We even set the following in our LocalSettings:

$wgGroupPermissions['*']['autocreateaccount'] = true;

That didn't work either, *until* we restarted our apache service. So, keep in mind that you need to do that.

That is a temporary fix in my opinion, until AuthManager is updated so that it works with LDAP. Hope this helps...

155.4.45.19 (talkcontribs)

You are a legend. Thank you!

ldap debug

139.169.8.154 (talkcontribs)

I setup ldap debug but I don't get any useful information... just the following...

2018-07-19 19:50:02 dtn13-vm wiki_demo: 2.1.0 Returning true in strict().

2018-07-19 19:51:02 dtn13-vm wiki_demo: 2.1.0 Entering strict.

Here is part of my config...

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDebug = 3;
$wgDebugLogGroups['ldap'] = '/tmp/debug.log';
$wgLDAPDomainNames = array(
  'quest',
);
$wgLDAPServerNames = array(
  'domain' => 'domain.local',
);
$wgLDAPSearchStrings = array(
  'domain' => 'domain\\USER-NAME'
);

Reply to "ldap debug"

Conflict with Extension:Translate

5
217.6.145.253 (talkcontribs)

Versions: Mediawiki 1.27.1, LDAPAuth 2.1.0 (Translate: MLEB 2017.01)

Problem:

I want to use this extension and Extension:Translate, but I can't publish translations as long as LDAP_Authentication is active. This seems to be because LDAP_Authentication prevents the use of Translate's FuzzyBot, according to the PHP error log:

 UnexpectedValueException from line 273 of [base]\includes\auth\AuthPluginPrimaryAuthenticationProvider.php: AuthPlugin failed to reset password for Fuzzybot in the following domains: [all Domains]

According to Topic:Tfu65b5pncef5p6s this should work, but it doesn't:

$wgAuthManagerAutoConfig['primaryauth'] += [
    LdapPrimaryAuthenticationProvider::class => [
        'class' => LdapPrimaryAuthenticationProvider::class,
        'args' => [ [ 'authoritative' => true ] ],
        'sort' => 50,
    ],
];

What can I do?

Lsilverman (talkcontribs)

Did you ever find a solution? I'm stuck in the exact same place.

217.6.145.253 (talkcontribs)

I'm currently thinking about setting up a parallel wiki (accessing the same database) without LDAP for translators.

But that sucks because I'm pretty sure that would lead to some sort of conflict eventually...

Lsilverman (talkcontribs)

I abandoned LDAP_Authentication. Instead I migrated to PluggableAuth+OpenId extensions married to Google Auth, which our organization also uses. Much better and easier configuration than LdapAuth. Now users are auto-logged in just by visiting our private wiki.

Oleg.blecher (talkcontribs)

I have the same issue with LDAP authentication on MediaWiki 1.31 and GraphViz. To solve it I commented out almost everything in the function providerRevokeAccessForUser:

public function providerRevokeAccessForUser( $username ) {
    # Function body commented out due to an issue with LDAP authentication and newer
    # versions of MediaWiki, preventing for example GraphViz from functioning properly.
    # Seems to be similar to the issue described here: https://www.mediawiki.org/wiki/Topic:Tpyxsdgiheh5zqjr
    return;
    /*
    $username = User::getCanonicalName( $username, 'usable' );
    if ( $username === false ) {
        return;
    }
    $user = User::newFromName( $username );
    if ( $user ) {
        // Reset the password on every domain.
        $curDomain = $this->auth->getDomain();
        $domains = $this->auth->domainList() ?: [ '' ];
        $failed = [];
        foreach ( $domains as $domain ) {
            $this->auth->setDomain( $domain );
            if ( $this->testUserCanAuthenticateInternal( $user ) &&
                !$this->auth->setPassword( $user, null )
            ) {
                $failed[] = $domain === '' ? '(default)' : $domain;
            }
        }
        $this->auth->setDomain( $curDomain );
        if ( $failed ) {
            throw new \UnexpectedValueException(
                "AuthPlugin failed to reset password for $username in the following domains: "
                    . implode( ' ', $failed )
            );
        }
    }
    */
}

Would be really cool if MediaWiki or the LDAP-auth peeps would make an update that helps this kind of extension work. LDAP is very useful and it would be a bummer to give it up.

Reply to "Conflict with Extension:Translate"

How to disable edit permission for a group (or set a group to readonly)

2
159.46.196.35 (talkcontribs)

Hi there,

We are using MediaWiki 1.26.2 and have been using the extension for quite some time. Recently we have the need to give a certain (LDAP) group "readonly" permissions (by default you are able to edit). I am unable to figure out how to do that. Is this possible, and if so, how do I manage that?

Ciencia Al Poder (talkcontribs)

You should be able to do this by configuring User rights, assuming this extension gets the user groups correctly.
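One way to wire that up, as an added example that is not from the thread or from the extension's own documentation: sync group membership from LDAP and then adjust $wgGroupPermissions in LocalSettings.php. The domain key 'domain' follows this page's configs, and the group names wiki-readers and wiki-editors are constructed; the $wgLDAP* settings are the extension's real options.

```php
<?php
// Added example (not from the thread): make one LDAP group read-only.
// MediaWiki rights are additive: a group can grant rights but never deny them.
// So "read-only" means revoking edit-type rights from the groups every
// logged-in user belongs to ('*' and 'user') and granting them back to an
// editors group that LDAP populates.

// Pull wiki groups from LDAP (constructed sample values for an AD-style tree).
$wgLDAPUseLDAPGroups      = array( 'domain' => true );
$wgLDAPGroupObjectclass   = array( 'domain' => 'group' );
$wgLDAPGroupAttribute     = array( 'domain' => 'member' );
$wgLDAPGroupNameAttribute = array( 'domain' => 'cn' );
$wgLDAPGroupsUseMemberOf  = array( 'domain' => true );
$wgLDAPGroupBaseDNs       = array( 'domain' => 'ou=Groups,dc=domain,dc=local' );

// Let LDAP be the source of truth for wiki groups, except the ones listed as
// locally managed (otherwise a sync would strip sysop/bureaucrat from admins).
$wgLDAPGroupsPrevail        = array( 'domain' => true );
$wgLDAPLocallyManagedGroups = array( 'domain' => array( 'sysop', 'bureaucrat' ) );

// Revoke edit-type rights from everyone by default ...
$editRights = array( 'edit', 'createpage', 'createtalk', 'upload', 'move' );
foreach ( array( '*', 'user' ) as $group ) {
    foreach ( $editRights as $right ) {
        $wgGroupPermissions[$group][$right] = false;
    }
}

// ... and grant them back only to the LDAP group "wiki-editors". The extension
// lowercases the LDAP cn when it becomes a wiki group name, so use lowercase.
foreach ( $editRights as $right ) {
    $wgGroupPermissions['wiki-editors'][$right] = true;
}

// Members of "wiki-readers" keep only what '*' and 'user' still grant: read.
$wgGroupPermissions['wiki-readers']['read'] = true;
```

Check the result on Special:ListGroupRights after a member of each group has logged in once, since groups are synced at login.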

Reply to "How to disable edit permission for a group (or set a group to readonly)"