Extension talk:LDAP Authentication

About this board

About - Requirements - Examples - Configuration Options - Changelog - Roadmap - Suggestions - User provided info - FAQ - Support

How to ask for support

There's a couple key pieces of info I always need:

The MediaWiki version you are using
The LdapAuthentication extension version you are using

I very often will need to see two other things when you ask for support, so you should have them prepared:

Your configuration, with sensitive stuff snipped out
The extension's debug log, with sensitive stuff snipped out

When you are trying to debug an authentication problem, you should always use the most basic configuration possible. For instance, if you don't have basic authentication working yet, you shouldn't have group restrictions or group synchronization enabled yet. I will generally ask you to disable these things when debugging.

Also, $wgLDAPUseLocal is almost never what you want to use. It's a frequent cause of configuration issues, and unless you really know what you are doing, it should not be set (or explicitly set to false, which is the default).

Most importantly of all: ensure you are using the newest version of the extension. From the extension distributor, that's the "master" version. If you are using git, just make sure you use git pull && git reset --hard origin/master. This is one of the more common cause of problems.

How to submit a bug

If you've found a bug, please submit it here.

Does this extension work on MediaWiki 1.36.1?

One comment • 12:07, 23 September 2021 2 hours ago

1

Lebenshilfe.offenburg (talkcontribs)

If yes, please tell me exactly how to install it from scratch because all other descriptions i found at the web are for older versions.

Thank you very much in advance!

(I use MediaWiki 1.36.1 and LdapAuthentication extension version 2.1.0)

Reply Edited 12:07, 23 September 2021 2 hours ago

Reply to "Does this extension work on MediaWiki 1.36.1?"

Account Creation

3 comments • 03:29, 23 September 2021 11 hours ago

3

Ana.carvalho (talkcontribs)

Hi all,

Not all users in LDAP are authorized to own an user account in my MediaWiki. I already have users logging in because I created their accounts before installing LDAP Plugin. Now, I need to create accounts for new employees and I always receive the message "Username entered already in use. Please choose a different name.", through Special:CreateAccount.

Obviously, If I disable all LDAP configuration in LocalSettings, I'm able to create a local user account with the same LDAP username. Then , if I enable LDAP configuration again, the user is recognized with LDAP password and he can log in. The fact is that I don't want to edit LocalSettings every time I have a new employee.

My configuration is below. Thanks in advance.

require_once ('.../extensions/LdapAuthentication/LdapAuthentication.php');

$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array( 'AD' );

$wgLDAPServerNames = array( 'AD' => 'url' );

$wgLDAPUseLocal = false;

$wgLDAPEncryptionType = array( 'AD' => 'clear' );

$wgLDAPPort = array( 'AD' => 389 );

$wgLDAPProxyAgent = array( 'AD' => 'CN=a,OU=b,DC=c,DC=d' );

$wgLDAPProxyAgentPassword = array( 'UFPE-AD' => 'password' );

$wgLDAPSearchAttributes = array( 'AD' => 'description' );

$wgLDAPBaseDNs = array( 'AD' => 'DC=c,DC=d' );

$wgLDAPDisableAutoCreate = array( 'AD' => true );

$wgLDAPPreferences = array( 'AD' => array( 'email' => 'mail', 'realname' => 'cn','nickname' => 'givenname') );

$wgLDAPLowerCaseUsername = array( 'AD' => true);

$wgGroupPermissions['*']['createaccount'] = false;

MediaWiki: 1.29.1

PHP: 5.5.21 (apache2handler)

PostgreSQL: 9LDAP

Reply 13:08, 19 September 2017 4 years ago

Lesscomplex (talkcontribs)

If I understand correctly, the `Special:CreateAccount` page will actually atempt to create an account (in your AD!). But the account already exists (in the AD)..

But if I understand correctly, with `$wgGroupPermissions['*']['autocreateaccount'] = true;` the accounts will be auto-created in the database on first log in. So you just need to make sure the account is available in AD and then tell the user to sign in to you wiki instance.

Reply 09:50, 5 June 2018 3 years ago

118.210.39.78 (talkcontribs)

This is confusing. Are you saying that once you have LDAP connected that you can't create local accounts in the wiki instance? We have users that need to access the wiki that don't belong to our LDAP groups. So I was hoping to create accounts directly on the wiki server...

Reply 03:29, 23 September 2021 11 hours ago

Reply to "Account Creation"

Could not get user DN!

One comment • 21:58, 16 June 2021 3 months ago

1

This post was hidden by Serrkind (history)

Reply to "Could not get user DN!"

OpenLdap: Did not find a matching user in LDAP

2 comments • 10:38, 28 May 2021 3 months ago

2

Dbavedb (talkcontribs)

I had been using OpenLdap already so when I install MediaWiki I hoped to use the Extension:LDAP Authentication to bridge the user hurdle for a site we could all share.

I installed
CentOS	CentOS Linux release 8.2.2004 (Core)
OpenLdap	openldap-2.4.50
Apache2	httpd-2.4.37-21.module_el8.2.0
PHP	php-7.2.24-1.module_el8.2.0
MariaDB	mariadb-server-10.3.17-1.module_el8.1.0
MediaWiki	1.34.2
LdapAuthentication	LdapAuthentication-REL1_34-b97a26e.tar.gz

Here was my basic config:

# Basic search criteria
$wgLDAPDomainNames = array('extra-extra.com');
$wgLDAPServerNames = array('extra-extra.com' => 'ldapmaster.extra-extra.com.com');
$wgLDAPSearchAttributes = array('extra-extra.com' => 'uid');
$wgLDAPSearchStrings =  array('extra-extra.com' => 'uid=USER-NAME,ou=people,dc=ldapmaster,dc=extra-extra.com,dc=com');
$wgLDAPBaseDNs = array('extra-extra.com' => 'dc=ldapmaster,dc=extra-extra.com,dc=com');
$wgLDAPProxyAgent = array('extra-extra.com' => 'cn=readonly,ou=system,dc=ldapmaster,dc=extra-extra.com,dc=com');
$wgLDAPProxyAgentPassword = array('extra-extra.com' => 'password');
$wgLDAPLowerCaseUsername = array('extra-extra.com' => true);
$wgLDAPEncryptionType = array('extra-extra.com' => 'tls');
$wgMinimalPasswordLength = 1;
$wgLDAPUseLocal = false;
$wgLDAPDebug = 3; //for debugging LDAP

I then tried logging in quite a bit until I discovered how to enable debug logging:

$wgDebugLogFile = "/var/log/php-fpm/mw.log";
$wgDebugLogGroups["ldap"] = "/var/log/php-fpm/ldapdebug.log";
$wgShowExceptionDetails = true; //for debugging MediaWiki

Here was the debug log output:

2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Setting domain as: extra-extra
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering userExistsReal
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering Connect
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Using TLS or not using encryption.
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Using non-standard port: 389
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Using servers: ldap://ldapmaster.extra-extra.com:389
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering getSearchString
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Doing a straight bind
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 userdn is: uid=Wiho,ou=people,dc=ldapmaster,dc=extra-extra,dc=com
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Did not find a matching user in LDAP
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering strict.
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Returning true in strict().

Obviously this line was the deal breaker:

2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Did not find a matching user in LDAP

I was encouraged by this comment Bernhardsmw to start looking into the basic code (always great to do when troubleshooting), and that is when I found a fix for the problem I was seeing:

diff ~/src/LdapAuthentication/LdapAuthenticationPlugin.php extensions/LdapAuthentication/
532a533,536
>
>                                 // If we are going to find and entry we need to bind first?
>                                 $bindval = self::ldap_bind( $this->ldapconn, $this->getConf('ProxyAgent'), $this->getConf('ProxyAgentPassword') );

as can be seen in the next debug log snippet:

2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Setting domain as: extra-extra
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering userExistsReal
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering Connect
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Using TLS or not using encryption.
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Using non-standard port: 389
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Using servers: ldap://ldapmaster.extra-extra.com:389
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Using TLS
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getSearchString
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Doing a straight bind
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 userdn is: uid=Wiho,ou=people,dc=ldapmaster,dc=extra-extra,dc=com
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Found a matching user in LDAP
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering authenticate for username Wiho
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain

However I am not an expert with any of this, so I am wondering if this is worth a patch, or is there something else wrong with my config. Perhaps a bind against the Proxy might have worked, if my config was slightly different?

Reply Edited 08:24, 31 July 2020 1 year ago

132.230.195.223 (talkcontribs)

Hey,

How exactly did you fix this? I cannot follow your explanation from the diff command on to the end. Did you fix something within the LdapAuthenticationPlugin.php?

Reply 10:38, 28 May 2021 3 months ago

Reply to "OpenLdap: Did not find a matching user in LDAP"

sasl auth mechanisms supported?

2 comments • 22:43, 12 April 2021 5 months ago

2

Jsipprell (talkcontribs)

When "you" (whomever wrote the docs) states that "straight bind" is used for openldap/non-AD, I presume this means SASL rather than a simple bind right?

What SASL mechanisms are supported? I presume GSSAPI for Kerberos, but what about the non end-to-end mechs like PLAIN, LOGIN, CRAM-MD5 or even any of the new high-crypto mechs?

This is important to know to configure one's sasl subsystems correctly.

Many thanks.

Reply 07:24, 15 February 2013 8 years ago

92.107.88.39 (talkcontribs)

Query server /?supportedSASLMechanisms?base?(objectclass=*) before bind to retrieve a list of supported mechanisms.

Reply 22:43, 12 April 2021 5 months ago

Reply to "sasl auth mechanisms supported?"

1.34 Login fails, but test will work (Active Directory)

3 comments • 11:10, 8 April 2021 5 months ago

3

Tuxwiki (talkcontribs)

Hi,

I try to migrate the ldap login from 1.32 to 1.34 using the new ldap system.

My problem is that the test from LDAP hub#Debugging will work, but the log in from the web page will fails.

The ldap login itself looks , because I will see the user ldap data in it.

In the debug log I see this error:

Ran LDAP search for '(sAMAccountName=XXX)' in 0.0094449520111084 seconds.

Authenticated new user:

Authenticated new user: MediaWiki\Extension\LDAPProvider\Client::getUserDN: search with array (

'base' => 'dc=foo,dc=foo',

'filter' => '(sAMAccountName=)',

'attributes' =>

array (

0 => '*',

1 => 'memberof',

),

)

ldap_search( $linkID, $baseDN = 'dc=foo,dc=foo', $filter = '(sAMAccountName=)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref = );

# returns Resource id #38

ldap_count_entries( $linkiID, $result = 'Resource id #38' );

# returns 0

Could not get user DN!

Versions:

Installed software

Product	Version
MediaWiki	1.34.0
PHP	7.3.13 (fpm-fcgi)
MariaDB	10.3.21-MariaDB
ICU	62.1

Installed extensions:

LDAPAuthentication2 1.0.1 (cb07184)

LDAPAuthorization 1.0.0 (95d34b2)

LDAPProvider 1.0.1 (04dc101)

LDAPUserInfo 1.0.0 (2107f5a)

PluggableAuth5.7 (17fb1ea)

Plugin config:

Have anybody an idea what the problem is?

Reply 12:22, 8 January 2020 1 year ago

Tuxwiki (talkcontribs)

After change sAMAccountName to samaccountname, now the error "Could not get user DN!" is gone and the log will end with:

User is authorized

Real name and email address did not change.

But the on the webpage itself only an error is shown:

MediaWiki\Extension\LDAPProvider\LDAPNoDomainConfigException from line 61 of /usr/share/mediawiki/extensions/LDAPProvider/src/DomainConfigFactory.php: No configuration available for domain 'invaliddomain'!

Backtrace:

#0 /usr/share/mediawiki/extensions/LDAPProvider/src/ClientFactory.php(55): MediaWiki\Extension\LDAPProvider\DomainConfigFactory->factory(string, string)

#1 /usr/share/mediawiki/extensions/LDAPProvider/src/Hook/UserLoadAfterLoadFromSession.php(145): MediaWiki\Extension\LDAPProvider\ClientFactory->getForDomain(string)

#2 /usr/share/mediawiki/extensions/LDAPProvider/src/Hook/UserLoadAfterLoadFromSession.php(101): MediaWiki\Extension\LDAPProvider\Hook\UserLoadAfterLoadFromSession->createLdapClientForDomain()

#3 /usr/share/mediawiki/extensions/LDAPProvider/src/Hook/UserLoadAfterLoadFromSession.php(90): MediaWiki\Extension\LDAPProvider\Hook\UserLoadAfterLoadFromSession->process()

#4 /usr/share/mediawiki/includes/Hooks.php(174): MediaWiki\Extension\LDAPProvider\Hook\UserLoadAfterLoadFromSession::callback(User)

#5 /usr/share/mediawiki/includes/Hooks.php(202): Hooks::callHook(string, array, array, NULL)

#6 /usr/share/mediawiki/includes/user/User.php(375): Hooks::run(string, array)

#7 /usr/share/mediawiki/includes/user/User.php(2238): User->load()

#8 /usr/share/mediawiki/includes/MediaWiki.php(570): User->getName()

#9 /usr/share/mediawiki/includes/MediaWiki.php(525): MediaWiki->setDBProfilingAgent()

#10 /usr/share/mediawiki/index.php(44): MediaWiki->run()

#11 {main}

Reply 12:55, 8 January 2020 1 year ago

Eduhernandezm (talkcontribs)

Hi,

I have been looking in the forums to find a solution to the error that is being presented to me. I am trying to upgrade from version 1.32.2 to version 1.34.4 which is the last of the 1.34 branch. Following the instructions, which are simple, when launching php update.php to update the database with the changes to be made internally, it returns the following error:

[error] 32436 # 32436: * 11154 FastCGI sent in stderr: "PHP message: PHP Fatal error: Class 'AuthPlugin' not found in /var/www/wiki/extensions/LdapAuthentication/LdapAuthenticationPlugin.php on line 21

I have validation configured with the "LdapAuthenticacion" plugin against three different LDAPs that work perfectly in version 1.32. I have verified that inside the includes folder I have the file "AuthPlugin" What may be missing or why the update is failing?

Kind regards.

Reply 11:10, 8 April 2021 5 months ago

Reply to "1.34 Login fails, but test will work (Active Directory)"

Automatic account creation is not allowed

20 comments • 19:46, 26 March 2021 5 months ago

20

TroySettle (talkcontribs)

extension for mediawiki 1.28

I'm getting closer to figuring this out, but stuck on automatically creating accounts. Here's my current (sanitized) configuration. I can authenticate, but I then get the message:

Auto-creation of a local account failed: Automatic account creation is not allowed.

require_once ("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPUseLocal = true;

$wgLDAPDebug = 3;
$wgDebugLogGroups['ldap'] = '/tmp/debug.log';

$wgLDAPDomainNames       = array('LOCAL');
$wgLDAPServerNames       = array('LOCAL' => 'local-dc2.local.domain');
$wgLDAPEncryptionType    = array('LOCAL' => 'clear');
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs           = array('LOCAL' => 'ou=Users,ou=LOCAL,dc=domain,dc=local');

$wgLDAPSearchStrings     = array('LOCAL' => 'LOCAL\\USER-NAME');
$wgLDAPSearchAttributes  = array('LOCAL' => 'sAMAccountName' );

$wgLDAPDisableAutoCreate = array('LOCAL' => false);

Any help would be greatly appreciated!

Reply Edited 16:36, 1 December 2016 4 years ago

Tz1971 (talkcontribs)

currently I am using Centos 7.3, MySql 5.7 and PHP 7.1 LDAP TLS

LdapAuthentication: REL1_28 2016-11-18T19:08:52 770c89e

in /etc/openldap/ldap.conf

I add

TLS_REQCERT allow

TLS hard

and LocalSettings.php setting

$wgLDAPEncryptionType = array('domain.com' => 'tls');

at this point cannot authenticate

so i tweak and change some code in LdapAuthenticationPlugin at line 547

if ( !ldap_start_tls( $this->ldapconn ) ) {

add @

if ( !@ldap_start_tls( $this->ldapconn ) ) {

for autocreation, I stuck at /includes/auth/AuthManager.php between line 1612 and 1626

// Is the IP user able to create accounts?

$anon = new User;

/*

if ( !$anon->isAllowedAny( 'createaccount', 'autocreateaccount' ) ) {

.....

}

*/

comment out this block, now working. (need better solution rather than comment out)

for group permission

# Implicit group for all visitors

$wgGroupPermissions['*']['createaccount'] = false; // ??? not working

$wgGroupPermissions['*']['autocreateaccount'] = false; // ???

$wgGroupPermissions['*']['read'] = false;

$wgGroupPermissions['*']['edit'] = false;

$wgGroupPermissions['*']['createpage'] = false;

$wgGroupPermissions['*']['createtalk'] = false;

$wgGroupPermissions['*']['writeapi'] = false;

Reply 11:22, 5 April 2017 4 years ago

Aarango1 (talkcontribs)

Same here. Any help is appreciated. My config:

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );

$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array("iRedMail");

$wgLDAPServerNames = array("iRedMail" => "192.168.XX.XX");

$wgLDAPPort = array("iRedMail" => 389);

$wgLDAPEncryptionType = array( "iRedMail" => "clear");

$wgLDAPBaseDNs = array( "iRedMail"=>"o=domains,dc=example,dc=com");

$wgLDAPProxyAgent = array("iRedMail"=>"cn=vmail,dc=example,dc=com");

$wgLDAPProxyAgentPassword = array( "iRedMail"=>"*****");

$wgLDAPUserBaseDNs = array( "iRedMail"=>"o=domains,dc=example,dc=com");

$wgLDAPSearchAttributes = array( "iRedMail" => "mail");

$wgLDAPLowerCaseUsername = array( "iRedMail"=>true);

$wgLDAPUseLocal = true;

$wgLDAPDebug = 3;

$wgDebugLogGroups['ldap'] = '/tmp/debug.log';

Reply 09:57, 5 December 2016 4 years ago

Legaulph (talkcontribs)

Same issue

Reply 15:20, 7 December 2016 4 years ago

TroySettle (talkcontribs)

FWIW, I finally got it working. Not sure what the difference is here... the $wgGroupPermissions item is not listed on the LDAP extension instructions, but I think this is what did it.

require_once ("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
#$wgLDAPUseLocal = true;
$wgLDAPDomainNames       = array('LOCAL');
$wgLDAPServerNames       = array('LOCAL' => 'local-dc2.mydomain.local');
$wgLDAPEncryptionType    = array('LOCAL' => 'clear');
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs           = array('LOCAL' => 'ou=Users,ou=LOCAL,dc=mydomain,dc=local');
$wgLDAPSearchStrings     = array('LOCAL' => 'LOCAL\\USER-NAME');
$wgLDAPSearchAttributes  = array('LOCAL' => 'sAMAccountName' );
$wgLDAPRetrievePrefs     = array('LOCAL' => true );
$wgGroupPermissions['*']['autocreateaccount'] = true;

Reply Edited 13:25, 9 December 2016 4 years ago

Aarango1 (talkcontribs)

I tried with that TroySettle but not luck. I receive same fails, what versions do you have installed? (Mediawiki and LDAP please) Thanks.

Did you create Wiki as Open? private?

NOTE: I solved using wiki 1.23 version.

Reply Edited 13:28, 9 December 2016 4 years ago

Legaulph (talkcontribs)

I had to set $wgGroupPermissions['*']['createaccount'] = true;

Reply 14:29, 13 December 2016 4 years ago

130.219.8.234 (talkcontribs)

That still did not work for me.

My other anonymous permissions are set to false.

$wgGroupPermissions['*']['edit'] = false; $wgGroupPermissions['*']['read'] = false;

I want this to be a private wiki.

Reply 14:56, 13 December 2016 4 years ago

130.219.8.234 (talkcontribs)

It would seem I had to clear all session data and remove cookies from previous logon attempts with my test user as well as comment out self::saveDomain( $user, $_SESSION['wsDomain'] ); from one of the extension's configuration files. It now works.

Reply 19:29, 13 December 2016 4 years ago

153.96.128.5 (talkcontribs)

I had this problem, too. In my case, the solution was the one that has already been mentioned above:

1. switch back to local auth in LocalSettings.php; then login with a *local* admin/bureaucrat account (the one you set up when installing the wiki).

2. create a local user with the same name as one that exists in LDAP (give him a bullsh*t password, no need to match the LDAP one). Not mandatory, but if you are smart, this user should be a bureaucrat as you need at least one LDAP-based bureaucrat anyways. Lets call this user "Ldapboss".

3. switch again to LDAP auth in LocalSettings.php; then login with the user Ldapboss you just created. Of course you need to use the user's actual LDAP password this time. Btw, your local admin is now locked out of the system (unless you set wgLDAPUseLocal to true). This is why you need an LDAP-based bureaucrat.

From this point on, weirdly enough, auto account creation works. It's like, you need at least one successful login to make it work. Not sure why, doesn't make sense.

Ask a colleague to log on, or alternatively, rename your Ldapboss user to Ldapboss_Trash (Renameuser extension) and logout. Then login again with Ldapboss using again the LDAP credentials. Now, you Ldapboss is auto-created (this time as a simple user, as it should).

Actually, on Ryan D Lane (creator and ex-maintainer of the plugin) has this written on a 2009 blog post --- Quote:

"Before enabling the plugin, you should create a user in the local wiki database that exists in AD, and promote that user to sysop. After the plugin is enabled, you will not be able to log in as any user who does not exist in AD."

Reply 23:16, 7 February 2017 4 years ago

Brain wang (talkcontribs)

Hi,

While I executed step 3, then use Ldapboss login with LDAP password, I got the following error:

[WMFhIqwRAAIAABOptNUAAAAG] 2017-03-09 14:05:24: Fatal exception of type "DBQueryError"

Is it normal?

But it looks I have already logged in.

Reply 14:10, 9 March 2017 4 years ago

223.166.93.186 (talkcontribs)

Hi,

Any news on Brain Wang's problem? I experience the same issue. The user seems to be logged in, however logging in with an other user from LDAP still fails.

Reply 09:47, 21 March 2017 4 years ago

195.212.29.162 (talkcontribs)

Today I ran into the same issue, and found that the LDAP plugin does not have the right to autocreate users, despite the allowed autocreateaccount Group Permission setting. Then I found that the referred table (ldap_domains) did not exist in the database (and thus throwing the authmanager-autocreate-noperm errors). Creating the table in the right database based on the extensions/LdapAuthentication/schema/ldap-mysql.sql seems to fixed the issue:

# mysql -u root -p

Enter password:

mysql> use my_wiki

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A

Database changed

mysql> CREATE TABLE ldap_domains (domain_id int not null primary key auto_increment,domain varchar(255) binary not null,user_id int not null);

Query OK, 0 rows affected (0.00 sec)

Reply 16:54, 27 March 2017 4 years ago

85.220.204.126 (talkcontribs)

This worked for me. Thanks

Reply 15:30, 5 April 2017 4 years ago

145.109.211.76 (talkcontribs)

I am running a private Wiki

$wgGroupPermissions['*']['autocreateaccount'] = true;

fixed it for me. If you read the changelog of 1.27:

* MediaWiki will now auto-create users as necessary, removing the need for

extensions to do so. An 'autocreateaccount' right is added to allow

auto-creation when 'createaccount' is not granted to all users.

Reply 07:17, 31 May 2017 4 years ago

31.221.114.66 (talkcontribs)

I resolved the problem by setting the $wgGroupPermissions['*']['autocreateaccount'] = true but also assigning CHMOD permissions to all .php files in /mediawiki to 777 for the local account I was using.

Reply 14:25, 3 August 2017 4 years ago

70.67.200.45 (talkcontribs)

For anyone else with this error:

Do set $wgGroupPermissions['*']['autocreateaccount'] = true;

Then delete your session cookie and reload the page to get a new session before trying again. Your session gets added to an account auto-creation blacklist when it fails the first time, which happens to give the exact same error message.

Reply 17:24, 13 September 2017 4 years ago

213.33.64.46 (talkcontribs)

This exact method worked for me too, thanks! Removing the session-cookie was the one thing I missed after unsuccessfully adding the configuration-option

Reply 08:53, 4 May 2018 3 years ago

73.44.250.189 (talkcontribs)

I had the same issue - I did not need to add any particular wgGroupPermissions, I just followed responses from:

153.96.128.5

and 195.212.29.162

Was racking my brain as to why it wasn't working, thanks for your help.

This comes up quite high on the search for issue, so I thought I'd add my 2 cents.

I am running on mediaWiki 1.29 due to legacy php/database and other things related - we're not in a position to do much upgrades and were stuck in using this, which is fine for us, thanks.

Reply 22:37, 27 January 2020 1 year ago

187.41.31.85 (talkcontribs)

It worked for me. -> 153.96.128.5

Reply 19:46, 26 March 2021 5 months ago

Reply to "Automatic account creation is not allowed"

You do not have permission to edit user rights on other wikis

9 comments • 16:54, 26 March 2021 5 months ago

9

125.17.149.237 (talkcontribs)

Hi, I am using Ldap authentication (Last version 2.0d (2012-11-21)). I have created my login id and added to the groups (bureaucrat, administrator). Issues: As i am ADMIN, i couldn't able to add any users to mediawiki, until they do login with their ldap authentication. After users have been added, i couldn't able to manage the groups of the users. it shows an error as "You do not have permission to edit user rights on other wikis" Can you please let me know the fix as earlier as possible.?

Reply 12:22, 31 July 2013 8 years ago

88.130.98.245 (talkcontribs)

Hi!

What I do not understand is why the error message speaks of "another wiki". As I understood you, you are only running one wiki, not multiple. Do you maybe have an "@" in your username?

Reply 12:50, 31 July 2013 8 years ago

125.17.149.237 (talkcontribs)

Thanks for the reply. yes my username contains '@'.

we are using Ldap authentication, the username is email-id (which contains '@').

As an Amdin i couldn't able to manage other user's groups, i am facing the above error "You do not have permission to edit user rights on other wikis".

Please let provide solution as earlier.

THanks sesha

Reply 06:05, 1 August 2013 8 years ago

88.130.125.140 (talkcontribs)

You could try setting


 $wgInvalidUsernameCharacters = '';

in LocalSettings.php. I am not sure, if this solves your problem, but this allows the @ sign in usernames.

Reply Edited 10:53, 1 August 2013 8 years ago

125.17.149.237 (talkcontribs)

Thanks for the Reply.

I can able to login and create users as username with @, but ADMIN can't able to manage the user's groups.

Like ADMIN can't able to add any other users to any groups. shows above error.

Reply Edited by MarkAHershberger 00:28, 30 August 2013 8 years ago

125.17.149.237 (talkcontribs)

Hi,

Can any one help me to solve this issue?

please it's very urgent requirement.

Reply 08:47, 7 August 2013 8 years ago

GreenReaper (talkcontribs)

$wgUserrightsInterwikiDelimiter = '#';

($wgGroupPermissions['bureaucrat']['userrights-interwiki'] = true; would give you the right it thinks you need, but that's the wrong solution, because you're not actually editing a separate database.)

Reply Edited by Wargo 18:23, 12 October 2013 7 years ago

88.130.76.242 (talkcontribs)

Adjusting $wgUserrightsInterwikiDelimiter seems to be a nice solution. I don't know where you see a problem with that. After changing the interwiki delimiter to something different than "@", MediaWiki should no longer think that you are actually editing a user in another DB.

Reply 22:19, 29 August 2013 8 years ago

187.41.31.85 (talkcontribs)

It works for me. Thanks!

$wgUserrightsInterwikiDelimiter = '#';

Reply 16:54, 26 March 2021 5 months ago

Reply to "You do not have permission to edit user rights on other wikis"

Debug log file location

8 comments • 10:44, 10 November 2020 10 months ago

8

192.55.208.10 (talkcontribs)

I'm trying to configure the LDAP plugin, and my problems can probably be solved by reading the debug file, but I can't find it in the expected location /tmp/debug.log. Is that the default? I'm using version 1.2b (alpha) of the plugin and MediaWiki 1.16beta3. Here are the LocalSettings.php lines I added -- most are commented out:

# LDAP
require_once("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDebug = 4;
$wgDebugLogGroups["ldap"] = "/tmp/debug.log"
#$wgLDAPDomainNaves = array("STJUDE");
#$wgLDAPServerNames = array("STJUDE"=>"[redacted]");
#$wgUseLocal = false;
#$wgLDAPEncryptionType = array("STJUDE"=>"clear");
#$wgLDAPProxyAgent = array("STJUDE"=>"[redacted]");
#$wgLDAPProxyAgentPassword = array("STJUDE"=>"[redacted]");

John Obenauer

Reply 18:59, 18 June 2010 11 years ago

192.55.208.10 (talkcontribs)

Although I'd still like to know where the log file goes for future reference, I got around it by adding lines after every "printDebug" call to print the same message to a text file I specified. It was tedious, but it showed me where the errors were, and now LDAP authentication is working in my environment. Here are the parameters that worked for me, in case it helps others:

# LDAP
require_once("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array("STJUDE");
$wgLDAPServerNames = array("STJUDE"=>"[redacted]");
$wgUseLocal = false;
$wgLDAPEncryptionType = array("STJUDE"=>"clear");
$wgLDAPProxyAgent = array("STJUDE"=>"cn=[redacted],ou=[redacted],ou=[redacted],DC=[redacted],DC=[redacted],DC=[redacted]");
$wgLDAPProxyAgentPassword = array("STJUDE"=>"[redacted]");
$wgLDAPBaseDNs = array("OU=[redacted],OU=[redacted],dc=[redacted],dc=[redacted],dc=[redacted]");
$wgLDAPSearchAttributes = array("STJUDE"=>"sAMAccountName");
$wgLDAPSearchStrings = array("STJUDE"=>"USER-NAME@STJUDE");

Reply 21:49, 18 June 2010 11 years ago

Ryan lane (talkcontribs)

You can specify the output file to anything you want. There is no default. Notice that the debug method just prints information to the specified file.

Reply 13:33, 22 June 2010 11 years ago

217.196.8.10 (talkcontribs)

You can make the Debug file appear in your C:\ by applying the following line;

$wgLDAPDebug = 3;
$wgDebugLogGroups["ldap"] = "\debug.log" ;

Reply Edited by Wargo 12:37, 13 October 2013 7 years ago

64.238.228.2 (talkcontribs)

>You can specify the output file to anything you want

That would work - if it worked. Even if you specify the file name, like OP in his first example, it does not work. He states his configuration, and then informs that the log does not populate.

>You can make the Debug file appear in your C:\ by applying the following line

Except John here is using Linux.

Reply 13:22, 2 September 2016 5 years ago

199.46.249.148 (talkcontribs)

I had the same problem, eventually read this (Extension:LDAP Authentication/FAQ#The extension won.27t write a debug log), and it shows how the files don't end up in /tmp exactly, because of systemd.

Reply 19:53, 21 November 2016 4 years ago

155.70.23.45 (talkcontribs)

Do you have SELinux enabled? If you have SELinux enabled, it's not going to allow it to write to that debug file.

Reply 15:43, 26 January 2017 4 years ago

This post was hidden by Wiki13 (history)

Reply to "Debug log file location"

Login error incorrect password entered. please try again

10 comments • 06:25, 31 July 2020 1 year ago

10

Bernhardsmw (talkcontribs)

Installed:

MediaWiki	1.25.2
PHP	5.5.9-1ubuntu4.11 (apache2handler)
MySQL	5.5.44-0ubuntu0.14.04.1
Apache2	2.4.7
LdapAuthentication	: REL1_25 2015-06-16T21:10:35 d4db6f0

Installed and configured MediaWiki without problems. Then I tried to change the login to LDAP. After hours and the use of the documentation I was not able to login. Is this extension still working?

Here are my LocalSettings.php config:

#LDAP Authentication
    require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
    $wgAuth = new LdapAuthenticationPlugin();
    
    $wgLDAPProxyAgent = array('EUROPE' => 'cn=mediawiki,dc=EUROPE,dc=LAN');
    $wgLDAPProxyAgentPassword = array('EUROPE' => 'password');
    
    
    $wgLDAPDomainNames = array( "EUROPE.LAN" );
    
    $wgLDAPServerNames = array( "EUROPE.LAN" => "dc1.EUROPE.lan" );
    # I recommend using a Global Catalog server for this.
    
    $wgLDAPSearchStrings = array( "EUROPE.LAN" => "EUROPE.LAN\\USER-NAME" );
    $wgLDAPEncryptionType = array( "EUROPE.LAN" => "tls" );
    $wgLDAPUseLocal = false;
    $wgMinimalPasswordLength = 1;
    
    $wgLDAPBaseDNs = array( "EUROPE.LAN" => "dc=EUROPE,dc=LAN" );
    # Example: If your domain is mydomain.internet.ca then you want to put in "dc=mydomain,dc=internet,dc=ca".
    
    $wgLDAPSearchAttributes = array( "EUROPE.LAN" => "sAMAccountName" );
    
    
    $wgLDAPRetrievePrefs = array( "EUROPE.LAN" => "true" );
    
    $wgLDAPPreferences = array('EUROPE.LAN' => array( 'email' => 'mail','realname' => 'displayname'));
    # This will automatically map the users e-mail address and full name from Active Directory to their account in MediaWiki
    
    $wgLDAPDebug = 3; //for debugging LDAP
    $wgShowExceptionDetails = true; //for debugging MediaWiki
    $wgDebugLogGroups["ldap"] = "/tmp/ldapdebug.log" ;

This is the debug log:

2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Setting domain as: EUROPE.LAN
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getCanonicalName
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Username is: Mediawiki
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Munged username: Mediawiki
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getCanonicalName
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Username is an IP, not munging.
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getCanonicalName
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Username is an IP, not munging.
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering userExists
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering authenticate for username Mediawiki
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering Connect
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Using TLS or not using encryption.
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Using servers:  ldap://dc1.bbveurope.lan:389
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Using TLS
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getSearchString
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Doing a straight bind
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 userdn is: EUROPE.LAN\mediawiki
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Binding as the user
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Failed to bind as EUROPE.LAN\mediawiki
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering allowPasswordChange
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering modifyUITemplate
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain

I tried a normal PHP login with this script and it works.

<?php
// use ldap bind
$ldaprdn  = 'mediawiki'; 
$ldappass = 'mediawiki';

// connect to ldap server
$ldapconn = ldap_connect("EUROPE.LAN")
    or die("No connection to LDAP.");

if ($ldapconn) {

    // bind ldap server
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

    // test binding
    if ($ldapbind) {
        echo "LDAP bind success...";
    } else {
        echo "LDAP bind failed...";
    }

}

?>

Please help me the problem is really frustrating and I worked on it for hours...

Reply Edited 07:47, 16 September 2015 6 years ago

Dbavedb (talkcontribs)

When connecting with OpenLdap I had to add some connection options:

ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);

Thanks for the code, nice and simple and a great idea, seeing as guidance is hard to give apparently for this extension. Definitely not simple and straight forward to follow.

Reply Edited 06:25, 31 July 2020 1 year ago

Bernhardsmw (talkcontribs)

Just for info: "mediawiki" is an existing windows domain user. I tried other users too and it still worked.

Reply 15:18, 15 September 2015 6 years ago

Bernhardsmw (talkcontribs)

And most importantly: Why do I need kerberos or slapd as the documentation tells? Is the normal php5-ldap package not enough?

Reply 15:24, 15 September 2015 6 years ago

Dbavedb (talkcontribs)

slapd is the OpenLdap service, you won't need it if your using ActiveDirectory

Reply 05:24, 31 July 2020 1 year ago

158.145.224.111 (talkcontribs)

try switching to SSL, or clear text. If you are authenticating and the binding is failing (same as mine below) then we might be in the same boat. The extension works. I can vouch for that. If the ldap server you are authenticating to isn't authenticated by a real CA you might have issue. You'll need to add the public key certificate to your CA store.

Reply 23:33, 15 September 2015 6 years ago

Bernhardsmw (talkcontribs)

I did the change and this is how my /etc/ldap/ldap.conf looks now

TLS_REQCERT never

This is the change I did in the /var/lib/mediawiki/LocalSettings.php

$wgLDAPEncryptionType = array( "EUROPE.LAN" => "clear" );

And this the debug file. Still no success...

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering validDomain

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 User is using a valid domain (EUROPE.LAN).

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Setting domain as: EUROPE.LAN

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getCanonicalName

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Username is: Mediawiki