Extension talk:LDAP Authentication


About this board


How to ask for support

There are a couple of key pieces of info I always need:

  1. The MediaWiki version you are using
  2. The LdapAuthentication extension version you are using

I very often will need to see two other things when you ask for support, so you should have them prepared:

  1. Your configuration, with sensitive stuff snipped out
  2. The extension's debug log, with sensitive stuff snipped out

When you are trying to debug an authentication problem, you should always use the most basic configuration possible. For instance, if you don't have basic authentication working yet, you shouldn't have group restrictions or group synchronization enabled yet. I will generally ask you to disable these things when debugging.

Also, $wgLDAPUseLocal is almost never what you want to use. It's a frequent cause of configuration issues, and unless you really know what you are doing, it should not be set (or explicitly set to false, which is the default).

Most importantly of all: ensure you are using the newest version of the extension. From the extension distributor, that's the "master" version. If you are using git, just make sure you use git pull && git reset --hard origin/master. This is one of the more common causes of problems.

How to submit a bug

If you've found a bug, please submit it here.

217.6.145.253 (talkcontribs)

Versions: Mediawiki 1.27.1, LDAPAuth 2.1.0 (Translate: MLEB 2017.01)

Problem:

I want to use this extension and Extension:Translate, but I can't publish translations as long as LDAP_Authentication is active. This seems to be because LDAP_Authentication prevents the use of Translate's Fuzzybot, according to the PHP error log:

 UnexpectedValueException from line 273 of [base]\includes\auth\AuthPluginPrimaryAuthenticationProvider.php: AuthPlugin failed to reset password for Fuzzybot in the following domains: [all Domains]

According to Topic:Tfu65b5pncef5p6s this should work, but it doesn't:

$wgAuthManagerAutoConfig['primaryauth'] += [
    LdapPrimaryAuthenticationProvider::class => [
        'class' => LdapPrimaryAuthenticationProvider::class,
        'args'  => [ [ 'authoritative' => true ] ],
        'sort'  => 50,
    ],
];

What can I do?

Lsilverman (talkcontribs)

Did you ever find a solution? I'm stuck in the exact same place.

Reply to "Conflict with Extension:Translate"

LDAPAuthentication with Mediawiki 1.27.1

2620:0:1AF0:F100:A1E1:5564:C09B:29E (talkcontribs)

The configuration required to use LDAPAuthentication with MediaWiki 1.27.x must change. It caused us problems when combining LDAPAuthentication with the Translate extension, which uses the local user Fuzzybot. We had to replace

$wgAuth = new LdapAuthenticationPlugin();

with

$wgAuthManagerAutoConfig['primaryauth'] += [
    LdapPrimaryAuthenticationProvider::class => [
        'class' => LdapPrimaryAuthenticationProvider::class,
        'args'  => [ [
            'authoritative' => true, // don't allow local non-LDAP accounts
        ] ],
        'sort'  => 50, // must be smaller than local pw provider
    ],
];

This was taken from here:

https://gerrit.wikimedia.org/r/#/c/293086/4/wmf-config/wikitech.php

and was pointed to me by Anomie in this chat log:

http://bots.wmflabs.org/~wm-bot/logs/%23wikimedia-dev/20161122.txt

Lsilverman (talkcontribs)

Thank you very much for this. It solved my problem on 1.27.3 with LDAP.

Lsilverman (talkcontribs)

Hmm, correction. Translate started working, but auth no longer worked.

Jbrekelbaum (talkcontribs)

I am a mediawiki newbie. I have just installed 1.28 and LDAP auth is a requirement. Do you recommend that I downgrade to a previous version, or are you aware of an alternate plugin that would give us the same functionality. Thanks!

Reply to "LDAPAuthentication with Mediawiki 1.27.1"

LDAP Authentication extension to registration not working

131.203.91.54 (talkcontribs)

Hi

I am trying to get the LdapAuthentication extension to work with my upgraded MediaWiki. Our previous setup was

Product Version
MediaWiki 1.24.4
PHP 5.6.30 (apache2handler)
MySQL 5.6.16
Apache 2.4.16
OS Windows Server 2012R2

The LdapAuthentication worked fine with the above version of MediaWiki.

Once we upgraded to the newer version, I started getting the errors below.

MediaWiki 1.28.0
PHP 7.0.15 (apache2handler)
MySQL 5.6.0
Apache 2.4.25
OS Windows Server 2012R2

I am trying to run convertExtensionToRegistration.php on LdapAuthentication and I get the following error:

C:\PHP\php.exe : Error: Global functions cannot be converted to JSON. Please move the handler for LoadExtensionSchemaUpdates inside a class.

At line:1 char:1

This does create an extension file but when I run update.php I get the following error:

C:\PHP\php.exe : [2ede5ca9f218d5e8ed5d0e2a] [no req]   MWException from line 176 of E:\Websites\MediaWiki\includes\Hooks.php: Invalid callback efLdapAuthenticationSchemaUpdates in hooks for LoadExtensionSchemaUpdates

At line:1 char:1

+ C:\PHP\php.exe .\maintenance\update.php

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : NotSpecified: ([2ede5ca9f218d5...onSchemaUpdates:String) [], RemoteException

    + FullyQualifiedErrorId : NativeCommandError 

Backtrace:

#0 E:\Websites\MediaWiki\includes\installer\DatabaseUpdater.php(122): Hooks::run(string, array)

#1 E:\Websites\MediaWiki\includes\installer\DatabaseUpdater.php(187): DatabaseUpdater->__construct(DatabaseMysqli, boolean, UpdateMediaWiki)

#2 E:\Websites\MediaWiki\maintenance\update.php(171): DatabaseUpdater::newForDB(DatabaseMysqli, boolean, UpdateMediaWiki)

#3 E:\Websites\MediaWiki\maintenance\doMaintenance.php(111): UpdateMediaWiki->execute()

#4 E:\Websites\MediaWiki\maintenance\update.php(217): require_once(string)

#5 {main}

Can anyone please help with this?

Jbrekelbaum (talkcontribs)

I am also having the same problem on 1.28.

Reply to "LDAP Authentication extension to registration not working"

Platonbjs (talkcontribs)

Hi everybody,

I'm trying to configure LDAP with a required group, but I have a problem. In my LDAP, the uniquemember attribute is not only the uid; it is a "path". An example:

dn: cn=ExampleGroup,ou=Groups,o=domain.local
description: Users who are a member of ExampleGroup
objectclass: top
objectclass: groupOfUniqueNames
uniquemember: uid=user1,ou=People,o=domain.local
uniquemember: uid=user2,ou=People,o=domain.local
uniquemember: uid=user3,ou=People,o=domain.local
cn: ExampleGroup Team Member

But when I try to log in, the log shows this:

....

2017-06-19 09:52:25 server: 2.1.0 Search string: (&(uniquemember=user2)(objectclass=groupOfUniqueNames)))

...

And the query must be:

....

2017-06-19 09:52:25 server: 2.1.0 Search string: (&(uniquemember: uid=user2,ou=People,o=domain.local)(objectclass=groupOfUniqueNames)))

...

How can I solve it?

My config

require_once('extensions/LdapAuthentication/LdapAuthentication.php');
require_once('includes/AuthPlugin.php');
$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array('domain.local');
$wgLDAPServerNames = array('domain.local' => 'server.domain.local');
$wgLDAPUseLocal = false;
// 'clear' = no TLS: the proxy agent password and every user password cross the wire unencrypted
$wgLDAPEncryptionType = array('domain.local' => 'clear');
$wgLDAPPort = array('domain.local' => 369);
$wgLDAPProxyAgent = array('domain.local' => 'cn=admin,ou=Special Users,o=domain.local');
$wgLDAPProxyAgentPassword = array('domain.local' => 'password');
$wgLDAPSearchAttributes = array('domain.local' => 'uid');
$wgLDAPBaseDNs = array('domain.local' => 'o=domain.local');
$wgLDAPGroupBaseDNs = array('domain.local' => 'ou=Groups,o=domain.local');
$wgLDAPUserBaseDNs = array('domain.local' => 'ou=People,o=domain.local');
$wgLDAPDebug = 5;
$wgDebugLogGroups['ldap'] = '/tmp/debug.log';
$wgLDAPPreferences = array('domain.local' => array('email' => 'mail'));

// Group restriction
$wgLDAPGroupsUseMemberOf = array('domain.local' => false);
$wgLDAPGroupObjectclass = array('domain.local' => 'groupOfUniqueNames');
$wgLDAPGroupAttribute = array('domain.local' => 'dn');
$wgLDAPGroupNameAttribute = array('domain.local' => 'cn');
$wgLDAPRequiredGroups = array('domain.local' => array('cn=ExampleGroup,ou=Groups,o=domain.local'));
$wgLDAPLowerCaseUsername = array('domain.local' => true);
$wgGroupPermissions['*']['autocreateaccount'] = true;

Platonbjs (talkcontribs)

OK, solved. Need

$wgLDAPGroupUseFullDN = array('domain.local' => true); // the key must be the domain name used in $wgLDAPDomainNames
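As an added example that is not part of the post above and not code from the LdapAuthentication extension: the PHP below builds the two forms of the group-membership search string that the debug log shows, the bare-uid form that never matches a groupOfUniqueNames entry and the full-DN form that $wgLDAPGroupUseFullDN = true produces, and escapes the asserted value with ldap_escape() so that a username containing filter metacharacters cannot change the filter (whether the extension escapes this itself is not shown on this page). The function name, the DNs and the hostile username are assumptions for illustration.

```php
<?php
// Added example; not the extension's own filter-building code.
// Requires the php-ldap extension for ldap_escape() (PHP >= 5.6).

/**
 * Build the membership filter the extension logs as "Search string":
 *   (&(<memberAttr>=<value>)(objectclass=<groupObjectclass>))
 * The value is escaped as an RFC 4515 filter assertion value, so
 * '(', ')', '*', '\' and NUL in it become \28 \29 \2a \5c \00.
 * Commas and '=' are legal inside a filter value, so a full DN passes
 * through unchanged.
 */
function buildGroupFilter(string $memberAttr, string $memberValue, string $groupObjectclass): string {
    $value = ldap_escape($memberValue, '', LDAP_ESCAPE_FILTER);
    return sprintf('(&(%s=%s)(objectclass=%s))', $memberAttr, $value, $groupObjectclass);
}

// Assumed directory layout matching the LDIF in the post above.
$groupObjectclass = 'groupOfUniqueNames';
$memberAttr       = 'uniquemember';
$uid              = 'user2';
$userDn           = 'uid=user2,ou=People,o=domain.local';

// 1. What a bare uid produces ($wgLDAPGroupUseFullDN false): the failing
//    search string from the log, since uniquemember values are DNs.
$bareFilter = buildGroupFilter($memberAttr, $uid, $groupObjectclass);

// 2. What the full DN produces ($wgLDAPGroupUseFullDN true): this is the
//    filter that actually matches cn=ExampleGroup.
$dnFilter = buildGroupFilter($memberAttr, $userDn, $groupObjectclass);

// 3. A hostile login name (assumed input): the ')' '(' and '*' are escaped
//    instead of closing the assertion and widening the search.
$hostileFilter = buildGroupFilter($memberAttr, 'user2)(uid=*', $groupObjectclass);

foreach ([ 'bare uid' => $bareFilter, 'full DN' => $dnFilter, 'hostile' => $hostileFilter ] as $label => $filter) {
    echo str_pad($label, 10), $filter, PHP_EOL;
}
```

Either filter can be pasted straight into ldapsearch against the group base DN from the config (ldapsearch -x -H ldap://server.domain.local -D 'cn=admin,ou=Special Users,o=domain.local' -W -b 'ou=Groups,o=domain.local' '<filter>' cn) to confirm it returns the group before changing LocalSettings.php; the bare-uid filter should come back empty and the full-DN one should return cn=ExampleGroup.
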

204.114.196.21 (talkcontribs)

Whenever I try to login, it displays a message, "Incorrect password entered. Please try again.".

I am using PHP 5.5.38 and upgraded to Mediawiki 1.28.0 version.

MathieuRobe (talkcontribs)

LDAP Authentication isn't compatible with MediaWiki 1.28 at present. The main problem is AuthManager.

3ShapeDevOps (talkcontribs)

Please let us know if this issue with compatibility will be resolved

73.176.255.33 (talkcontribs)

I'm interested as well. Trying to upgrade from 1.23 and this one's a blocker. Happy to test anything you can come up with.

MathieuRobe (talkcontribs)

Ryan Lane is the author of LDAP Authentication, but there has been no answer.

204.114.196.21 (talkcontribs)

That means if I upgrade to MediaWiki 1.28, I can't use LDAP authentication, i.e. I can't log in to my application which uses MediaWiki 1.28. Is my understanding correct on this?

Reply to "Compatibility with MediaWiki 1.28?"

203.88.129.14 (talkcontribs)

I have enabled LDAP auth over SSL on port 636 and am doing user authentication successfully.

I wanted to check if user password reset is possible? @Ryan

Reply to "LDAP User Password Reset/change"

Additional function: user and group authentication

Max.mueller (talkcontribs)

Hello.

Our company added some code and now it is possible to configure LDAP groups and LDAP users (via uid) who are allowed to login into a wiki.

Is there a way that I can send the code to the developers of the extension?

Regards

Max

MathieuRobe (talkcontribs)

The author is User:Ryan lane

I really want to see how your company fix it :)

Ciencia Al Poder (talkcontribs)

You can also submit a patch to gerrit yourself. Read How to become a MediaWiki hacker

MarkAHershberger (talkcontribs)

Note that we had a meeting about this extension at the Vienna hackathon and I'll be working with others to improve it.

MathieuRobe (talkcontribs)

keep us posted :)

Reply to "Additional function: user and group authentication"

Automatic account creation is not allowed

TroySettle (talkcontribs)

extension for mediawiki 1.28

I'm getting closer to figuring this out, but stuck on automatically creating accounts. Here's my current (sanitized) configuration. I can authenticate, but I then get the message:

Auto-creation of a local account failed: Automatic account creation is not allowed.

require_once ("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPUseLocal = true;

$wgLDAPDebug = 3;
$wgDebugLogGroups['ldap'] = '/tmp/debug.log';

$wgLDAPDomainNames       = array('LOCAL');
$wgLDAPServerNames       = array('LOCAL' => 'local-dc2.local.domain');
$wgLDAPEncryptionType    = array('LOCAL' => 'clear');
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs           = array('LOCAL' => 'ou=Users,ou=LOCAL,dc=domain,dc=local');

$wgLDAPSearchStrings     = array('LOCAL' => 'LOCAL\\USER-NAME');
$wgLDAPSearchAttributes  = array('LOCAL' => 'sAMAccountName' );

$wgLDAPDisableAutoCreate = array('LOCAL' => false);

Any help would be greatly appreciated!

Tz1971 (talkcontribs)

Currently I am using CentOS 7.3, MySQL 5.7 and PHP 7.1 with LDAP over TLS.

LdapAuthentication: REL1_28 2016-11-18T19:08:52 770c89e

in /etc/openldap/ldap.conf

I add

TLS_REQCERT allow    

TLS hard

and LocalSettings.php setting

$wgLDAPEncryptionType  = array('domain.com' => 'tls');

At this point I cannot authenticate,

so I tweaked and changed some code in LdapAuthenticationPlugin at line 547:

if ( !ldap_start_tls( $this->ldapconn ) ) {

adding @:

if ( !@ldap_start_tls( $this->ldapconn ) ) {

For autocreation, I got stuck at /includes/auth/AuthManager.php between line 1612 and 1626:

// Is the IP user able to create accounts?
$anon = new User;
/*
if ( !$anon->isAllowedAny( 'createaccount', 'autocreateaccount' ) ) {
    .....
}
*/

Commenting out this block, it is now working. (Need a better solution rather than commenting it out.)

For group permissions:

# Implicit group for all visitors
$wgGroupPermissions['*']['createaccount'] = false; // ??? not working
$wgGroupPermissions['*']['autocreateaccount'] = false;  // ???
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createpage'] = false;
$wgGroupPermissions['*']['createtalk'] = false;
$wgGroupPermissions['*']['writeapi'] = false;

Aarango1 (talkcontribs)

Same here. Any help is appreciated. My config:

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array("iRedMail");
$wgLDAPServerNames = array("iRedMail" => "192.168.XX.XX");
$wgLDAPPort = array("iRedMail" => 389);
$wgLDAPEncryptionType = array( "iRedMail" => "clear");
$wgLDAPBaseDNs = array( "iRedMail"=>"o=domains,dc=example,dc=com");
$wgLDAPProxyAgent = array("iRedMail"=>"cn=vmail,dc=example,dc=com");
$wgLDAPProxyAgentPassword = array( "iRedMail"=>"*****");
$wgLDAPUserBaseDNs = array( "iRedMail"=>"o=domains,dc=example,dc=com");
$wgLDAPSearchAttributes = array( "iRedMail" => "mail");
$wgLDAPLowerCaseUsername = array( "iRedMail"=>true);
$wgLDAPUseLocal = true;

$wgLDAPDebug = 3;
$wgDebugLogGroups['ldap'] = '/tmp/debug.log';

Legaulph (talkcontribs)

Same issue

TroySettle (talkcontribs)

FWIW, I finally got it working. Not sure what the difference is here... the $wgGroupPermissions item is not listed on the LDAP extension instructions, but I think this is what did it.

require_once ("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
#$wgLDAPUseLocal = true;
$wgLDAPDomainNames       = array('LOCAL');
$wgLDAPServerNames       = array('LOCAL' => 'local-dc2.mydomain.local');
$wgLDAPEncryptionType    = array('LOCAL' => 'clear');
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs           = array('LOCAL' => 'ou=Users,ou=LOCAL,dc=mydomain,dc=local');
$wgLDAPSearchStrings     = array('LOCAL' => 'LOCAL\\USER-NAME');
$wgLDAPSearchAttributes  = array('LOCAL' => 'sAMAccountName' );
$wgLDAPRetrievePrefs     = array('LOCAL' => true );
$wgGroupPermissions['*']['autocreateaccount'] = true;
Aarango1 (talkcontribs)

I tried with that, TroySettle, but no luck. I receive the same failures. What versions do you have installed? (MediaWiki and LDAP please) Thanks.

Did you create Wiki as Open? private?

NOTE: I solved using wiki 1.23 version.

Legaulph (talkcontribs)

I had to set $wgGroupPermissions['*']['createaccount'] = true;

130.219.8.234 (talkcontribs)

That still did not work for me.

My other anonymous permissions are set to false.

$wgGroupPermissions['*']['edit'] = false; $wgGroupPermissions['*']['read'] = false;

I want this to be a private wiki.

130.219.8.234 (talkcontribs)

It would seem I had to clear all session data and remove cookies from previous logon attempts with my test user as well as comment out self::saveDomain( $user, $_SESSION['wsDomain'] ); from one of the extension's configuration files. It now works.

153.96.128.5 (talkcontribs)

I had this problem, too. In my case, the solution was the one that has already been mentioned above:

1. switch back to local auth in LocalSettings.php; then login with a *local* admin/bureaucrat account (the one you set up when installing the wiki).

2. create a local user with the same name as one that exists in LDAP (give him a bullsh*t password, no need to match the LDAP one). Not mandatory, but if you are smart, this user should be a bureaucrat as you need at least one LDAP-based bureaucrat anyways. Let's call this user "Ldapboss".

3. switch again to LDAP auth in LocalSettings.php; then login with the user Ldapboss you just created. Of course you need to use the user's actual LDAP password this time. Btw, your local admin is now locked out of the system (unless you set wgLDAPUseLocal to true). This is why you need an LDAP-based bureaucrat.

From this point on, weirdly enough, auto account creation works. It's like, you need at least one successful login to make it work. Not sure why, doesn't make sense.

Ask a colleague to log on, or alternatively, rename your Ldapboss user to Ldapboss_Trash (Renameuser extension) and log out. Then log in again with Ldapboss using again the LDAP credentials. Now your Ldapboss is auto-created (this time as a simple user, as it should be).

Actually, Ryan D Lane (creator and ex-maintainer of the plugin) wrote this in a 2009 blog post. Quote:

"Before enabling the plugin, you should create a user in the local wiki database that exists in AD, and promote that user to sysop. After the plugin is enabled, you will not be able to log in as any user who does not exist in AD."

Brain wang (talkcontribs)

Hi,

When I executed step 3 and logged in as Ldapboss with the LDAP password, I got the following error:

[WMFhIqwRAAIAABOptNUAAAAG] 2017-03-09 14:05:24: Fatal exception of type "DBQueryError"

Is it normal?

But it looks I have already logged in.

223.166.93.186 (talkcontribs)

Hi,

Any news on Brain Wang's problem? I experience the same issue. The user seems to be logged in; however, logging in with another user from LDAP still fails.

195.212.29.162 (talkcontribs)

Today I ran into the same issue, and found that the LDAP plugin does not have the right to autocreate users, despite the allowed autocreateaccount group permission setting. Then I found that the referred table (ldap_domains) did not exist in the database (and thus it was throwing the authmanager-autocreate-noperm errors). Creating the table in the right database based on extensions/LdapAuthentication/schema/ldap-mysql.sql seems to have fixed the issue:

# mysql -u root -p
Enter password:
mysql> use my_wiki
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> CREATE TABLE ldap_domains (
    ->   domain_id int NOT NULL PRIMARY KEY AUTO_INCREMENT,
    ->   domain varchar(255) BINARY NOT NULL,
    ->   user_id int NOT NULL
    -> );
Query OK, 0 rows affected (0.00 sec)

85.220.204.126 (talkcontribs)

This worked for me. Thanks

145.109.211.76 (talkcontribs)

I am running a private Wiki

$wgGroupPermissions['*']['autocreateaccount'] = true;

fixed it for me. If you read the changelog of 1.27:

* MediaWiki will now auto-create users as necessary, removing the need for
  extensions to do so. An 'autocreateaccount' right is added to allow
  auto-creation when 'createaccount' is not granted to all users.

Reply to "Automatic account creation is not allowed"
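
Pulling the settings from this thread together, here is an added example of a LocalSettings.php fragment for a private wiki on MediaWiki 1.27/1.28 that authenticates only against LDAP. It is not the extension's documentation and not any poster's configuration; the host names, DNs, the domain key "CORP", the group name and the proxy credentials are assumptions. It keeps the $wgAuth form that the posters reporting success above were running; the $wgAuthManagerAutoConfig provider block from the Translate thread is the alternative, and one poster there reported that it broke authentication for them.

```php
<?php
// Added example LocalSettings.php fragment; not the extension's own docs.
// Every option name below appears in this thread; the values are assumed.

require_once "$IP/extensions/LdapAuthentication/LdapAuthentication.php";
$wgAuth = new LdapAuthenticationPlugin();

// Local (non-LDAP) logins stay off, as the board description recommends.
// Create at least one LDAP user locally as bureaucrat before enabling
// this (the "Ldapboss" steps above), or the local admin is locked out.
$wgLDAPUseLocal = false;

$wgLDAPDomainNames = [ 'CORP' ];                                  // assumed domain key
$wgLDAPServerNames = [ 'CORP' => 'ldap.corp.example' ];           // assumed host

// Posters above used 'clear', which sends each user's password and the
// proxy bind password unencrypted. Use 'tls' (STARTTLS on 389) or 'ssl'
// (LDAPS on 636) and fix CA trust with TLS_CACERT in ldap.conf rather than
// setting TLS_REQCERT allow or silencing ldap_start_tls() with @.
$wgLDAPEncryptionType = [ 'CORP' => 'tls' ];
$wgLDAPPort           = [ 'CORP' => 389 ];

$wgLDAPBaseDNs          = [ 'CORP' => 'dc=corp,dc=example' ];
$wgLDAPUserBaseDNs      = [ 'CORP' => 'ou=People,dc=corp,dc=example' ];
$wgLDAPGroupBaseDNs     = [ 'CORP' => 'ou=Groups,dc=corp,dc=example' ];
$wgLDAPSearchAttributes = [ 'CORP' => 'uid' ];
$wgLDAPLowerCaseUsername = [ 'CORP' => true ];

// Proxy bind used to find the user's DN before binding as the user.
// Give this account read-only access to the user and group subtrees.
$wgLDAPProxyAgent         = [ 'CORP' => 'cn=wiki-proxy,ou=Service,dc=corp,dc=example' ];
$wgLDAPProxyAgentPassword = [ 'CORP' => 'change-me' ];            // keep out of version control

// Restrict login to one group. groupOfUniqueNames stores member DNs, so
// the membership search must use the full DN (see the uniquemember
// thread above); with a bare uid nobody matches and every login fails.
$wgLDAPGroupObjectclass   = [ 'CORP' => 'groupOfUniqueNames' ];
$wgLDAPGroupAttribute     = [ 'CORP' => 'uniquemember' ];
$wgLDAPGroupNameAttribute = [ 'CORP' => 'cn' ];
$wgLDAPGroupUseFullDN     = [ 'CORP' => true ];
$wgLDAPRequiredGroups     = [ 'CORP' => [ 'cn=wiki-users,ou=Groups,dc=corp,dc=example' ] ];

// Private wiki: anonymous visitors can neither read, edit nor register...
$wgGroupPermissions['*']['read']          = false;
$wgGroupPermissions['*']['edit']          = false;
$wgGroupPermissions['*']['createaccount'] = false;
// ...but since 1.27 AuthManager needs this right to create the local row
// for a user the LDAP provider has just authenticated. It applies only
// after a successful primary authentication, so it does not reopen
// self-registration the way createaccount would.
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgLDAPDisableAutoCreate = [ 'CORP' => false ];

// Debug log while bringing this up. It records usernames and DNs, so keep
// it outside the web root and turn it off once logins work.
$wgLDAPDebug = 3;
$wgDebugLogGroups['ldap'] = '/var/log/mediawiki/ldap-debug.log';    // assumed path
```

Run php maintenance/update.php after adding the extension so the ldap_domains table exists before the first login; the "database error" and the authmanager-autocreate-noperm reports above were traced to that table being missing, and creating it by hand is the fallback, not the normal path.
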
Raj bhaskar (talkcontribs)

Hi, Does anyone know if this extension is affected by the new AuthManager in MediaWiki 1.27? Is it safe to upgrade to the new version of MW?

Thanks, Raj.

65.171.153.4 (talkcontribs)

Would not recommend upgrading at this point.

Authentication was overhauled in 1.27 with AuthPlugin being deprecated, superseded by Manual:SessionManager and AuthManager.

After a quick test users that have not logged in previously will not be able to login (depending on your settings/permissions). The domain selection box also does not appear, although it seems to default to the first domain.

MarkAHershberger (talkcontribs)

This extension should be converted to use PluggableAuth. Using PluggableAuth will probably help maintain compatibility in the future.

Maalab (talkcontribs)

I have tested it a little bit today after upgrading our test wiki.

By default, for new account, the auto creation of local account does not work. But it is working well for existing account.

I have done a lot of searching and testing to overcome this problem. I have found out that a new right exists for auto account creation since 1.26.

I have tried to put this line in my LocalSettings.php file : $wgGroupPermissions['*']['autocreateaccount'] = true;

If I try to log in with a new account, it does not work, but if I log in with an existing account, log out and then log in with a new account, it works. After that, I closed my web page, restarted the server, tried with another browser, and if I log in with a new account, the account is created each time.

The domain selection box does not appear, but if I configure a second domain, the box appears.

2.113.181.87 (talkcontribs)

After updating to mediawiki 1.27 Auto LDAP Authentication no longer worked. Mediawiki showed "database error occurred."

I commented line 1240 in LdapAuthentication.php ( self::saveDomain( $user, $_SESSION['wsDomain'] ); ) and the error went away.

128.104.255.2 (talkcontribs)

What does uncommenting that do, exactly? It removed the error for me, too.

Raj bhaskar (talkcontribs)

Does anyone know who we should contact to try and fix this at source and add proper compatibility for AuthManager? I tried contacting Ryan Lane (marked as the author on the extension homepage), but he said that he's no longer maintaining it.

Ciencia Al Poder (talkcontribs)

I've added the phabricator project to the extension's infobox. You can report the bug there

Raj bhaskar (talkcontribs)

Thanks (although poking around on the Phabricator site, there appear to be no members on the project, and there's a fairly hefty backlog waiting to be looked at).

Mvdboogaard (talkcontribs)

I have the same problem with a new installation of mediawiki 1.27

I created a bug: https://phabricator.wikimedia.org/T140972

Devsec (talkcontribs)

The update worked for me for the most part. The line I had to comment out was in the file "/extensions/LdapAuthentication/LdapAuthenticationPlugin.php" and it was on line 1165.

Also, I was still having an error caused by a plugin after authenticating. I had to remove the ToDoTasks plugin and then it worked. :) YEAH!!

198.239.156.250 (talkcontribs)

Use: https://github.com/noris-network/mediawiki-extensions-sessionprovider-remoteuser

185.22.192.146 (talkcontribs)

I've hit this problem as well, it only emerged after new users that had not logged into the wiki prior to the upgrade from v1.26, started complaining.

I'm running a private wiki, with LDAP auth only. Going through the code of AuthManager.php (line 1545 onwards), it became clear that this can either be resolved using the 'createaccount' or 'autocreateaccount' permission. I've tried both options and the 'autocreateaccount' matches my desired behavior. I *think* that the wiki also still is secure/private and no additional users can be created (except when auth from LDAP succeeds).

However I feel it would be better if these permissions would be integrated in the plugin and would not have to be handled separately.

Reply to "Compatibility with MediaWiki 1.27?"

adding AD users to local MediaWiki groups

Mattseaboard (talkcontribs)

I am able to log in using my AD account so I know that part is working. What I don't understand is what I need to do for permissions and groups.

Is there a way that I can use local groups in MediaWiki and just add AD users to that group, or do I HAVE to use AD groups and configure them in LocalSettings.php?

Here's my current config if that helps:

#LDAP Authentication Extension
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "MYDOMAIN" );
$wgLDAPServerNames = array( "MYDOMAIN" => "my.ad.domain.com" );
$wgLDAPSearchStrings = array( "MYDOMAIN" => "USER-NAME@MYDOMAIN" );
$wgLDAPEncryptionType = array( "MYDOMAIN" => "clear" );
$wgLDAPBaseDNs = array( "MYDOMAIN" => "OU=MyOu,DC=MyDC,DC=MyDC2,DC=MyDC3" );
$wgMinimalPasswordLength = 15;
Reply to "adding AD users to local MediaWiki groups"