Extension talk:LDAP Authentication


About this board

How to ask for support

There are a couple of key pieces of info I always need:

  1. The MediaWiki version you are using
  2. The LdapAuthentication extension version you are using

I very often will need to see two other things when you ask for support, so you should have them prepared:

  1. Your configuration, with sensitive stuff snipped out
  2. The extension's debug log, with sensitive stuff snipped out

When you are trying to debug an authentication problem, you should always use the most basic configuration possible. For instance, if you don't have basic authentication working yet, you shouldn't have group restrictions or group synchronization enabled yet. I will generally ask you to disable these things when debugging.

Also, $wgLDAPUseLocal is almost never what you want to use. It's a frequent cause of configuration issues, and unless you really know what you are doing, it should not be set (or explicitly set to false, which is the default).

Most importantly of all: ensure you are using the newest version of the extension. From the extension distributor, that's the "master" version. If you are using git, just make sure you use git pull && git reset --hard origin/master. This is one of the more common causes of problems.

How to submit a bug

If you've found a bug, please submit it here.


OpenLdap: Did not find a matching user in LDAP

Dbavedb (talkcontribs)

I had been using OpenLdap already, so when I installed MediaWiki I hoped to use the Extension:LDAP Authentication to bridge the user hurdle for a site we could all share.

I installed
CentOS CentOS Linux release 8.2.2004 (Core)
OpenLdap openldap-2.4.50
Apache2 httpd-2.4.37-21.module_el8.2.0
PHP php-7.2.24-1.module_el8.2.0
MariaDB mariadb-server-10.3.17-1.module_el8.1.0
MediaWiki 1.34.2
LdapAuthentication LdapAuthentication-REL1_34-b97a26e.tar.gz

Here was my basic config:

# Basic search criteria
$wgLDAPDomainNames = array('extra-extra.com');
$wgLDAPServerNames = array('extra-extra.com' => 'ldapmaster.extra-extra.com');
$wgLDAPSearchAttributes = array('extra-extra.com' => 'uid');
$wgLDAPSearchStrings =  array('extra-extra.com' => 'uid=USER-NAME,ou=people,dc=ldapmaster,dc=extra-extra,dc=com');
$wgLDAPBaseDNs = array('extra-extra.com' => 'dc=ldapmaster,dc=extra-extra,dc=com');
$wgLDAPProxyAgent = array('extra-extra.com' => 'cn=readonly,ou=system,dc=ldapmaster,dc=extra-extra,dc=com');
$wgLDAPProxyAgentPassword = array('extra-extra.com' => 'password');
$wgLDAPLowerCaseUsername = array('extra-extra.com' => true);
$wgLDAPEncryptionType = array('extra-extra.com' => 'tls');
$wgMinimalPasswordLength = 1;
$wgLDAPUseLocal = false;
$wgLDAPDebug = 3; //for debugging LDAP

I then tried logging in quite a bit until I discovered how to enable debug logging:

$wgDebugLogFile = "/var/log/php-fpm/mw.log";
$wgDebugLogGroups["ldap"] = "/var/log/php-fpm/ldapdebug.log";
$wgShowExceptionDetails = true; //for debugging MediaWiki

Here was the debug log output:

2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Setting domain as: extra-extra
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering userExistsReal
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering Connect
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Using TLS or not using encryption.
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Using non-standard port: 389
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Using servers: ldap://ldapmaster.extra-extra.com:389
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering getSearchString
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Doing a straight bind
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 userdn is: uid=Wiho,ou=people,dc=ldapmaster,dc=extra-extra,dc=com
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Did not find a matching user in LDAP
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering strict.
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Returning true in strict().

Obviously this line was the deal breaker:

2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Did not find a matching user in LDAP

I was encouraged by this comment from Bernhardsmw to start looking into the basic code (always a great thing to do when troubleshooting), and that is when I found a fix for the problem I was seeing:

diff ~/src/LdapAuthentication/LdapAuthenticationPlugin.php extensions/LdapAuthentication/
532a533,536
>
>                                 // If we are going to find and entry we need to bind first?
>                                 $bindval = self::ldap_bind( $this->ldapconn, $this->getConf('ProxyAgent'), $this->getConf('ProxyAgentPassword') );
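Review bot: `$bindval` is assigned but never tested, so when the proxy-agent bind fails (wrong password, no `ProxyAgent` entry for this domain, TLS trouble) the code falls through to the same search and logs the same "Did not find a matching user in LDAP", hiding the real cause. Check the result and stop early, e.g. `if ( !$bindval ) { /* log ldap_error( $this->ldapconn ) and return false */ }`, and skip the bind when `$this->getConf( 'ProxyAgent' )` is empty so directories that permit anonymous search keep working. The comment should read "an entry", and the "532a533,536" header announces four added lines while only three are shown, so the pasted hunk is incomplete.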

as can be seen in the next debug log snippet:

2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Setting domain as: extra-extra
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering userExistsReal
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering Connect
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Using TLS or not using encryption.
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Using non-standard port: 389
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Using servers: ldap://ldapmaster.extra-extra.com:389
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Using TLS
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getSearchString
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Doing a straight bind
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 userdn is: uid=Wiho,ou=people,dc=ldapmaster,dc=extra-extra,dc=com
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Found a matching user in LDAP
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering authenticate for username Wiho
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain

However I am not an expert with any of this, so I am wondering if this is worth a patch, or is there something else wrong with my config. Perhaps a bind against the Proxy might have worked, if my config was slightly different?


Login error incorrect password entered. please try again

Bernhardsmw (talkcontribs)

Installed:

Installed and configured MediaWiki without problems. Then I tried to change the login to LDAP. After hours and the use of the documentation I was not able to log in. Is this extension still working?

Here is my LocalSettings.php config:

#LDAP Authentication
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();

# The array key must match the domain name used below ("EUROPE.LAN"), otherwise the proxy agent is never used
$wgLDAPProxyAgent = array('EUROPE.LAN' => 'cn=mediawiki,dc=EUROPE,dc=LAN');
$wgLDAPProxyAgentPassword = array('EUROPE.LAN' => 'password');

$wgLDAPDomainNames = array( "EUROPE.LAN" );

$wgLDAPServerNames = array( "EUROPE.LAN" => "dc1.EUROPE.lan" );
# I recommend using a Global Catalog server for this.

$wgLDAPSearchStrings = array( "EUROPE.LAN" => "EUROPE.LAN\\USER-NAME" );
$wgLDAPEncryptionType = array( "EUROPE.LAN" => "tls" );
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;

$wgLDAPBaseDNs = array( "EUROPE.LAN" => "dc=EUROPE,dc=LAN" );
# Example: If your domain is mydomain.internet.ca then you want to put in "dc=mydomain,dc=internet,dc=ca".

$wgLDAPSearchAttributes = array( "EUROPE.LAN" => "sAMAccountName" );

$wgLDAPRetrievePrefs = array( "EUROPE.LAN" => true );

$wgLDAPPreferences = array('EUROPE.LAN' => array( 'email' => 'mail','realname' => 'displayname'));
# This will automatically map the users e-mail address and full name from Active Directory to their account in MediaWiki

$wgLDAPDebug = 3; //for debugging LDAP
$wgShowExceptionDetails = true; //for debugging MediaWiki
$wgDebugLogGroups["ldap"] = "/tmp/ldapdebug.log" ;

This is the debug log: 

2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Setting domain as: EUROPE.LAN
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getCanonicalName
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Username is: Mediawiki
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Munged username: Mediawiki
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getCanonicalName
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Username is an IP, not munging.
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getCanonicalName
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Username is an IP, not munging.
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering userExists
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering authenticate for username Mediawiki
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering Connect
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Using TLS or not using encryption.
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Using servers:  ldap://dc1.bbveurope.lan:389
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Using TLS
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getSearchString
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Doing a straight bind
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 userdn is: EUROPE.LAN\mediawiki
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Binding as the user
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Failed to bind as EUROPE.LAN\mediawiki
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering allowPasswordChange
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering modifyUITemplate
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-15 12:08:12 MONITOR1 mediawiki: 2.1.0 Entering getDomain

I tried a normal PHP login with this script and it works.  

<?php
// Minimal bind test: does a simple bind with the user's credentials succeed at all?
$ldaprdn  = 'mediawiki';
$ldappass = 'mediawiki';

// ldap_connect() only checks the host/URI syntax; nothing is sent until the bind
$ldapconn = ldap_connect("EUROPE.LAN")
    or die("Malformed LDAP host/URI.");

if ($ldapconn) {

    // bind to the ldap server with the user's credentials
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

    // test binding; ldap_error() returns the server's reason on failure
    if ($ldapbind) {
        echo "LDAP bind success...";
    } else {
        echo "LDAP bind failed: " . ldap_error($ldapconn);
    }

}

?>

Please help me, the problem is really frustrating and I have worked on it for hours...

Dbavedb (talkcontribs)

When connecting with OpenLdap I had to add some connection options:

ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);

Thanks for the code, nice and simple and a great idea, seeing as guidance is apparently hard to give for this extension. Definitely not simple and straightforward to follow.

Bernhardsmw (talkcontribs)

Just for info: "mediawiki" is an existing windows domain user. I tried other users too and it still worked.

Bernhardsmw (talkcontribs)

And most importantly: Why do I need kerberos or slapd as the documentation tells? Is the normal php5-ldap package not enough?

Dbavedb (talkcontribs)

slapd is the OpenLdap service; you won't need it if you're using Active Directory.

158.145.224.111 (talkcontribs)

Try switching to SSL, or clear text. If you are authenticating and the binding is failing (same as mine below) then we might be in the same boat. The extension works. I can vouch for that. If the LDAP server you are authenticating to isn't certified by a real CA you might have issues. You'll need to add the public key certificate to your CA store.

Bernhardsmw (talkcontribs)

I did the change and this is how my /etc/ldap/ldap.conf looks now

TLS_REQCERT     never

This is the change I did in the /var/lib/mediawiki/LocalSettings.php

$wgLDAPEncryptionType = array( "EUROPE.LAN" => "clear" );

And this the debug file. Still no success...

2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering validDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 User is using a valid domain (EUROPE.LAN).
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Setting domain as: EUROPE.LAN
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getCanonicalName
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Username is: Mediawiki
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Munged username: Mediawiki
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getCanonicalName
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Username is an IP, not munging.
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getCanonicalName
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Username is an IP, not munging.
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering userExists
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering authenticate for username Mediawiki
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering Connect
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Using TLS or not using encryption.
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Using servers:  ldap://DC1.EUROPE.LAN:389
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getSearchString
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Doing a straight bind
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 userdn is: EUROPE.LAN\mediawiki
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Binding as the user
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Failed to bind as EUROPE.LAN\mediawiki
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering allowPasswordChange
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering modifyUITemplate
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain
2015-09-16 07:29:34 MONITOR1 mediawiki: 2.1.0 Entering getDomain

Bernhardsmw (talkcontribs)

As I can see now, the time in the log file is not correct. The system time is the same as on the DC server, but the log file time is 2 hours after it.

Bernhardsmw (talkcontribs)

phpinfo() about SSL config

[openssl]

OpenSSL support enabled
OpenSSL Library Version OpenSSL 1.0.1f 6 Jan 2014
OpenSSL Header Version OpenSSL 1.0.1f 6 Jan 2014
Registered Stream Socket Transports tcp, udp, unix, udg, ssl, sslv3, tls

Bernhardsmw (talkcontribs)

After hours of madness I finally got it working:

You have to install the required packages: Extension:LDAP Authentication#Installation

Then just follow this guide: http://ryandlane.com/blog/2009/03/23/using-the-ldap-authentication-plugin-for-mediawiki-the-basics-part-1/

Forget what configurations are written on the wiki page. If you get a database error after the login, see Topic:Sshx994njzy3rs3l

"www.mediawiki.org/wiki/Topic:Sshx994njzy3rs3l" (if the link does not work)

I am a bit mad but happy now. This plugin costs too much time because of the misleading documentation.
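An added diagnostic script, not code from the LdapAuthentication extension or from any post on this board, that replays the plugin's steps one at a time for the two failure modes seen so far: the OpenLDAP search in the previous thread that returned nothing until the proxy agent was bound first, and the StartTLS/certificate and straight-bind failures in this thread. The server URI, base DN, proxy agent DN, CA bundle path, search attribute and user name are assumptions; passwords are read from environment variables; PHP 7.1 or newer is assumed for the per-connection TLS options.

```php
<?php
// Added diagnostic, not code from the LdapAuthentication extension or from the
// posts above. Replays the plugin's sequence (connect, StartTLS, search for the
// user, bind as the user) step by step so each step reports its own failure.
// Assumed/constructed values: server URI, base DN, proxy agent DN, CA file,
// search attribute, user name. Passwords are read from the environment.
$server   = 'ldap://ldapmaster.example.com:389';       // assumption
$baseDn   = 'dc=example,dc=com';                        // assumption
$proxyDn  = 'cn=readonly,ou=system,dc=example,dc=com';  // assumption: read-only service account
$caFile   = '/etc/ssl/certs/ca-certificates.crt';       // assumption: bundle that issued the server cert
$userAttr = 'uid';                                      // 'sAMAccountName' for Active Directory
$username = $argv[1] ?? 'wiho';                         // constructed sample user
$proxyPw  = getenv('LDAP_PROXY_PW') ?: '';
$userPw   = getenv('LDAP_USER_PW') ?: '';

// A simple bind with an empty password is an *unauthenticated* bind that most
// servers accept as anonymous; that is why the plugin and $wgMinimalPasswordLength
// refuse empty passwords, and why this script refuses them too.
if ($proxyPw === '' || $userPw === '') {
    fwrite(STDERR, "Set LDAP_PROXY_PW and LDAP_USER_PW; empty passwords are never sent.\n");
    exit(1);
}

function fail(string $step, $conn): void {
    $diag = '';
    ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag); // server's own text (e.g. AD data codes)
    fwrite(STDERR, "$step failed: " . ldap_error($conn) . " $diag\n");
    exit(1);
}

$conn = ldap_connect($server); // only parses the URI; nothing is sent yet
if ($conn === false) { fwrite(STDERR, "Malformed LDAP URI\n"); exit(1); }
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3); // OpenLDAP rejects LDAPv2 binds
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);        // AD returns referrals that break searches
// Verify the server certificate against a CA bundle instead of TLS_REQCERT never,
// and let StartTLS report its error instead of silencing it with @.
ldap_set_option($conn, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
ldap_set_option($conn, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
if (!ldap_start_tls($conn)) { fail('StartTLS', $conn); }

// Step 1: the search the plugin runs in userExistsReal(). Escape the user-supplied
// name so it cannot alter the filter, then try anonymously and as the proxy agent.
$filter = sprintf('(%s=%s)', $userAttr, ldap_escape($username, '', LDAP_ESCAPE_FILTER));
$anonCount = -1;
if (ldap_bind($conn)) {                               // anonymous bind
    $res = ldap_search($conn, $baseDn, $filter, [$userAttr]);
    $anonCount = $res ? ldap_count_entries($conn, $res) : -1;
}
if (!ldap_bind($conn, $proxyDn, $proxyPw)) { fail('Proxy agent bind', $conn); }
$res = ldap_search($conn, $baseDn, $filter, [$userAttr]);
if ($res === false) { fail('Search as proxy agent', $conn); }
$proxyCount = ldap_count_entries($conn, $res);
printf("Anonymous search: %d entries, proxy-agent search: %d entries\n", $anonCount, $proxyCount);
if ($proxyCount === 0) {
    fwrite(STDERR, "No entry for $filter under $baseDn: check base DN and search attribute\n");
    exit(1);
}
if ($anonCount <= 0) {
    echo "Directory denies anonymous search: bind as the proxy agent before searching\n";
}
$entries = ldap_get_entries($conn, $res);
$userDn  = $entries[0]['dn'];
// ldap_get_entries() lower-cases attribute names: read $entries[0]['samaccountname'],
// never $entries[0]['sAMAccountName'].
echo "Found user DN: $userDn\n";

// Step 2: the straight bind with the user's own credentials ("Binding as the user").
if (!ldap_bind($conn, $userDn, $userPw)) { fail('User bind', $conn); }
echo "User bind OK\n";
ldap_unbind($conn);
```

Run it as `LDAP_PROXY_PW=... LDAP_USER_PW=... php ldapcheck.php wiho`; whichever step prints a failure is the one the extension's single "Did not find a matching user" or "Failed to bind" line was hiding.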


Controlling edit rights by AD group?

Maiden taiwan (talkcontribs)

We use LDAPauthentication successfully to limit logins to members of certain AD groups, using $wgLDAPRequiredGroups. Now we want to change things: let all AD users log into the wiki, but limit edit rights to those certain AD groups. How can this be accomplished with LDAPauthentication?

I'm guessing that we need to set $wgLDAPUseLDAPGroups to synchronize MW and AD groups, which will somehow mirror those AD groups as MW groups, and then set in LocalSettings.php:

$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['AD group name 1']['edit'] = true;
$wgGroupPermissions['AD group name 2']['edit'] = true;
// ...etc...

However, I am limited in my understanding of LDAPauthentication group synchronization. Does it actually create wiki groups that mirror the AD groups? Should these AD groups now show up in Special:UserRights? (I never see them there.) How can one see that group synchronization is actually working: what is the visible effect?

Here is our current LDAPauthentication config that restricts logins:

$wgLDAPDomainNames = array( 'ourdomain' );
$wgLDAPServerNames = array( 'ourdomain' => 'server1.domain  server2.domain' );
$wgLDAPSearchStrings = array( 'ourdomain' => sprintf("%s\\USER-NAME", 'ourdomain') );
$wgLDAPLowerCaseUsername = array( 'ourdomain' => true );
$wgLDAPUseLocal = false;
$wgLDAPEncryptionType = array( 'ourdomain' => "ssl" );
$wgLDAPRequiredGroups = array( 'ourdomain' => $groupArrayInTheAppropriateFormat );
$wgLDAPBaseDNs = array( 'ourdomain' => "dc=example,dc=net" );
$wgLDAPSearchAttributes = array( 'ourdomain' => "sAMAccountName" );
$wgLDAPGroupUseFullDN = array( 'ourdomain' => true );
$wgLDAPGroupObjectclass = array( 'ourdomain' => "group" );
$wgLDAPGroupAttribute = array( 'ourdomain' => "member" );
$wgLDAPGroupNameAttribute = array( 'ourdomain' => "cn" );
$wgLDAPUseLDAPGroups = array( 'ourdomain' => true );
$wgLDAPAutoAuthUsername   = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"] );
$wgLDAPAutoAuthDomain     = 'ourdomain';
$wgLDAPProxyAgent         = array('ourdomain' => 'CN=blah blah blah' );
$wgLDAPProxyAgentPassword = array('ourdomain' => 'password here' );
$wgLDAPSearchStrings      = null;

Thank you very much for any insights.

Maiden taiwan (talkcontribs)

This is with MediaWiki 1.22.5 and LDAPauthentication 2.0c.

84.246.165.57 (talkcontribs)

Any updates?


Automatic account creation is not allowed

TroySettle (talkcontribs)

extension for mediawiki 1.28

I'm getting closer to figuring this out, but stuck on automatically creating accounts. Here's my current (sanitized) configuration. I can authenticate, but I then get the message:

Auto-creation of a local account failed: Automatic account creation is not allowed.

require_once ("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPUseLocal = true;

$wgLDAPDebug = 3;
$wgDebugLogGroups['ldap'] = '/tmp/debug.log';

$wgLDAPDomainNames       = array('LOCAL');
$wgLDAPServerNames       = array('LOCAL' => 'local-dc2.local.domain');
$wgLDAPEncryptionType    = array('LOCAL' => 'clear');
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs           = array('LOCAL' => 'ou=Users,ou=LOCAL,dc=domain,dc=local');

$wgLDAPSearchStrings     = array('LOCAL' => 'LOCAL\\USER-NAME');
$wgLDAPSearchAttributes  = array('LOCAL' => 'sAMAccountName' );

$wgLDAPDisableAutoCreate = array('LOCAL' => false);

Any help would be greatly appreciated!

Tz1971 (talkcontribs)

Currently I am using CentOS 7.3, MySQL 5.7 and PHP 7.1 with LDAP TLS.

LdapAuthentication: REL1_28 2016-11-18T19:08:52 770c89e

in /etc/openldap/ldap.conf

I add

TLS_REQCERT allow    

TLS hard

and LocalSettings.php setting

$wgLDAPEncryptionType  = array('domain.com' => 'tls');

At this point I cannot authenticate.

So I tweaked some code in LdapAuthenticationPlugin at line 547:

if ( !ldap_start_tls( $this->ldapconn ) ) {

adding @:

if ( !@ldap_start_tls( $this->ldapconn ) ) {

For autocreation, I got stuck at /includes/auth/AuthManager.php between lines 1612 and 1626:

// Is the IP user able to create accounts?
$anon = new User;
/*
if ( !$anon->isAllowedAny( 'createaccount', 'autocreateaccount' ) ) {
.....
}
*/

Commenting out this block, it now works. (A better solution than commenting it out is needed.)

For group permissions:

# Implicit group for all visitors
$wgGroupPermissions['*']['createaccount'] = false; // ??? not working
$wgGroupPermissions['*']['autocreateaccount'] = false;  // ???
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createpage'] = false;
$wgGroupPermissions['*']['createtalk'] = false;
$wgGroupPermissions['*']['writeapi'] = false;

Aarango1 (talkcontribs)

Same here. Any help is appreciated. My config:

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array("iRedMail");
$wgLDAPServerNames = array("iRedMail" => "192.168.XX.XX");
$wgLDAPPort = array("iRedMail" => 389);
$wgLDAPEncryptionType = array( "iRedMail" => "clear");
$wgLDAPBaseDNs = array( "iRedMail"=>"o=domains,dc=example,dc=com");
$wgLDAPProxyAgent = array("iRedMail"=>"cn=vmail,dc=example,dc=com");
$wgLDAPProxyAgentPassword = array( "iRedMail"=>"*****");
$wgLDAPUserBaseDNs = array( "iRedMail"=>"o=domains,dc=example,dc=com");
$wgLDAPSearchAttributes = array( "iRedMail" => "mail");
$wgLDAPLowerCaseUsername = array( "iRedMail"=>true);
$wgLDAPUseLocal = true;
$wgLDAPDebug = 3;
$wgDebugLogGroups['ldap'] = '/tmp/debug.log';

Legaulph (talkcontribs)

Same issue

TroySettle (talkcontribs)

FWIW, I finally got it working. Not sure what the difference is here... the $wgGroupPermissions item is not listed on the LDAP extension instructions, but I think this is what did it.

require_once ("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
#$wgLDAPUseLocal = true;
$wgLDAPDomainNames       = array('LOCAL');
$wgLDAPServerNames       = array('LOCAL' => 'local-dc2.mydomain.local');
$wgLDAPEncryptionType    = array('LOCAL' => 'clear');
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs           = array('LOCAL' => 'ou=Users,ou=LOCAL,dc=mydomain,dc=local');
$wgLDAPSearchStrings     = array('LOCAL' => 'LOCAL\\USER-NAME');
$wgLDAPSearchAttributes  = array('LOCAL' => 'sAMAccountName' );
$wgLDAPRetrievePrefs     = array('LOCAL' => true );
$wgGroupPermissions['*']['autocreateaccount'] = true;

Aarango1 (talkcontribs)

I tried that, TroySettle, but no luck. I get the same failures; what versions do you have installed? (MediaWiki and LDAP please.) Thanks.

Did you create Wiki as Open? private?

NOTE: I solved using wiki 1.23 version.

Legaulph (talkcontribs)

I had to set $wgGroupPermissions['*']['createaccount'] = true;

130.219.8.234 (talkcontribs)

That still did not work for me.

My other anonymous permissions are set to false.

$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = false;

I want this to be a private wiki.

130.219.8.234 (talkcontribs)

It would seem I had to clear all session data and remove cookies from previous logon attempts with my test user as well as comment out self::saveDomain( $user, $_SESSION['wsDomain'] ); from one of the extension's configuration files. It now works.

153.96.128.5 (talkcontribs)

I had this problem, too. In my case, the solution was the one that has already been mentioned above:

1. switch back to local auth in LocalSettings.php; then login with a *local* admin/bureaucrat account (the one you set up when installing the wiki).

2. create a local user with the same name as one that exists in LDAP (give him a bullsh*t password, no need to match the LDAP one). Not mandatory, but if you are smart, this user should be a bureaucrat as you need at least one LDAP-based bureaucrat anyway. Let's call this user "Ldapboss".

3. switch again to LDAP auth in LocalSettings.php; then login with the user Ldapboss you just created. Of course you need to use the user's actual LDAP password this time. Btw, your local admin is now locked out of the system (unless you set wgLDAPUseLocal to true). This is why you need an LDAP-based bureaucrat.

From this point on, weirdly enough, auto account creation works. It's like, you need at least one successful login to make it work. Not sure why, doesn't make sense.

Ask a colleague to log on, or alternatively, rename your Ldapboss user to Ldapboss_Trash (Renameuser extension) and log out. Then log in again as Ldapboss using the LDAP credentials again. Now your Ldapboss is auto-created (this time as a simple user, as it should be).

Actually, Ryan D Lane (creator and ex-maintainer of the plugin) wrote this in a 2009 blog post. Quote:

"Before enabling the plugin, you should create a user in the local wiki database that exists in AD, and promote that user to sysop. After the plugin is enabled, you will not be able to log in as any user who does not exist in AD."

Brain wang (talkcontribs)

Hi,

While I executed step 3, then use Ldapboss login with LDAP password, I got the following error:

[WMFhIqwRAAIAABOptNUAAAAG] 2017-03-09 14:05:24: Fatal exception of type "DBQueryError"

Is it normal?

But it looks I have already logged in.

223.166.93.186 (talkcontribs)

Hi,

Any news on Brain Wang's problem? I experience the same issue. The user seems to be logged in, however logging in with another user from LDAP still fails.

195.212.29.162 (talkcontribs)

Today I ran into the same issue, and found that the LDAP plugin did not have the right to autocreate users, despite the allowed autocreateaccount group permission setting. Then I found that the referenced table (ldap_domains) did not exist in the database (thus throwing the authmanager-autocreate-noperm errors). Creating the table in the right database based on extensions/LdapAuthentication/schema/ldap-mysql.sql seems to have fixed the issue:

# mysql -u root -p
Enter password:
mysql> use my_wiki
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> CREATE TABLE ldap_domains (domain_id int not null primary key auto_increment,domain varchar(255) binary not null,user_id int not null);
Query OK, 0 rows affected (0.00 sec)

85.220.204.126 (talkcontribs)

This worked for me. Thanks

145.109.211.76 (talkcontribs)

I am running a private Wiki

$wgGroupPermissions['*']['autocreateaccount'] = true;

fixed it for me. If you read the changelog of 1.27:

* MediaWiki will now auto-create users as necessary, removing the need for
  extensions to do so. An 'autocreateaccount' right is added to allow
  auto-creation when 'createaccount' is not granted to all users.

31.221.114.66 (talkcontribs)

I resolved the problem by setting the $wgGroupPermissions['*']['autocreateaccount'] = true but also assigning CHMOD permissions to all .php files in /mediawiki to 777 for the local account I was using.

70.67.200.45 (talkcontribs)

For anyone else with this error:

Do set $wgGroupPermissions['*']['autocreateaccount'] = true;

Then delete your session cookie and reload the page to get a new session before trying again. Your session gets added to an account auto-creation blacklist when it fails the first time, which happens to give the exact same error message.

213.33.64.46 (talkcontribs)

This exact method worked for me too, thanks! Removing the session cookie was the one thing I missed after unsuccessfully adding the configuration option.

73.44.250.189 (talkcontribs)

I had the same issue - I did not need to add any particular wgGroupPermissions, I just followed the responses from 153.96.128.5 and 195.212.29.162.

Was racking my brain as to why it wasn't working, thanks for your help.

This comes up quite high in the search for this issue, so I thought I'd add my 2 cents.

I am running on MediaWiki 1.29 due to legacy PHP/database and other related things - we're not in a position to do many upgrades and are stuck using this, which is fine for us, thanks.
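A consolidated LocalSettings.php fragment for the private-wiki case this thread keeps returning to, added here as an example and not taken from the extension's documentation or from any single post; the 'LOCAL' domain key is borrowed from TroySettle's configuration above and is an assumption for other setups. Auto-creation is decided by the 'autocreateaccount' right alone, so file modes play no part, and a session that already failed once must still be discarded (delete the cookie) as noted above.

```php
<?php
// Private wiki with LDAP logins. Added example; the 'LOCAL' domain key is the
// one used in TroySettle's configuration above and is an assumption for yours.

// The weak setting: this is what produces "Automatic account creation is not
// allowed". Since MediaWiki 1.27 the core, not the extension, creates the local
// account after the LDAP bind succeeds, and it checks this right before doing so.
// $wgGroupPermissions['*']['autocreateaccount'] = false;

// Anonymous visitors: no reading, no editing, no self-registration ...
$wgGroupPermissions['*']['read']          = false;
$wgGroupPermissions['*']['edit']          = false;
$wgGroupPermissions['*']['createaccount'] = false;
// ... but auto-creation of an account that LDAP has just authenticated is allowed.
// 'autocreateaccount' exists precisely so this can be granted without 'createaccount'.
$wgGroupPermissions['*']['autocreateaccount'] = true;

// Logged-in (LDAP-authenticated) users get back the rights anonymous visitors lack.
$wgGroupPermissions['user']['read'] = true;
$wgGroupPermissions['user']['edit'] = true;

// The extension's own per-domain switch must not veto auto-creation either.
$wgLDAPDisableAutoCreate = array( 'LOCAL' => false );

// Leave the local-password fallback off: it is not a fix for this error, and the
// board notes at the top explain why it is almost never wanted.
$wgLDAPUseLocal = false;
```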


1.34 Login fails, but test will work (Active Directory)

Tuxwiki (talkcontribs)

Hi,

I am trying to migrate the LDAP login from 1.32 to 1.34 using the new LDAP system.

My problem is that the test from LDAP hub#Debugging works, but the login from the web page fails.

The LDAP login itself looks fine, because I can see the user's LDAP data in it.

In the debug log I see this error:

Ran LDAP search for '(sAMAccountName=XXX)' in 0.0094449520111084 seconds.
Authenticated new user:
Authenticated new user: MediaWiki\Extension\LDAPProvider\Client::getUserDN: search with array (
  'base' => 'dc=foo,dc=foo',
  'filter' => '(sAMAccountName=)',
  'attributes' =>
  array (
   0 => '*',
   1 => 'memberof',
  ),
)
ldap_search( $linkID, $baseDN = 'dc=foo,dc=foo', $filter = '(sAMAccountName=)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );
# returns Resource id #38
ldap_count_entries( $linkiID, $result = 'Resource id #38' );
# returns 0
Could not get user DN!

Versions:

Installed software

Product Version
MediaWiki 1.34.0
PHP 7.3.13 (fpm-fcgi)
MariaDB 10.3.21-MariaDB
ICU 62.1

Installed extensions:

LDAPAuthentication2 1.0.1 (cb07184)

LDAPAuthorization 1.0.0 (95d34b2)

LDAPProvider 1.0.1 (04dc101)

LDAPUserInfo 1.0.0 (2107f5a)

PluggableAuth 5.7 (17fb1ea)


Plugin config:


Does anybody have an idea what the problem is?
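The filter in that log, '(sAMAccountName=)', has an empty value, which can never match, so the search returns 0 entries and getUserDN fails. As an added example (not code from the LDAPProvider extension or from the poster), this Python sketch builds the same user-DN lookup with an empty-username check, RFC 4515 escaping of the value, and case-insensitive attribute matching against a constructed in-memory directory; the entries, DNs and group names are made up.

```python
import re

# RFC 4515: these characters must be hex-escaped inside a filter assertion value,
# otherwise a username such as "*" or "a)(cn=*" changes the meaning of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed sample directory entries (not real accounts). Attribute names keep the
# mixed case Active Directory returns; values are lists, as LDAP clients return them.
CONSTRUCTED_DIRECTORY = [
    {"dn": "CN=Alice Example,OU=Staff,DC=foo,DC=foo",
     "sAMAccountName": ["alice"], "memberOf": ["CN=wiki-users,OU=Groups,DC=foo,DC=foo"]},
    {"dn": "CN=Bob (Ops),OU=Staff,DC=foo,DC=foo",
     "sAMAccountName": ["bob.ops"], "memberOf": []},
]


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(search_attribute: str, username: str) -> str:
    """Return the '(attr=value)' filter for a user-DN lookup, validating both parts."""
    # The log above searched for '(sAMAccountName=)': an empty value can never match,
    # so reject it here instead of running a search guaranteed to return 0 entries.
    if not username or username != username.strip():
        raise ValueError("username must be non-empty with no surrounding whitespace")
    # An attribute description is a letter followed by letters, digits or hyphens (RFC 4512).
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", search_attribute):
        raise ValueError(f"invalid attribute description: {search_attribute!r}")
    return f"({search_attribute}={escape_filter_value(username)})"


def find_user_dn(directory, search_attribute: str, username: str) -> str:
    """Resolve a username to exactly one DN, the way getUserDN in the log does.

    Attribute types are case-insensitive on the server, so 'sAMAccountName' and
    'samaccountname' select the same attribute here. sAMAccountName values are
    also compared case-insensitively, as Active Directory does (an assumption
    applied to the constructed data). Zero or several matches raise, mirroring
    'Could not get user DN!'.
    """
    build_user_filter(search_attribute, username)  # validates both inputs first
    wanted_attr, wanted_value = search_attribute.lower(), username.lower()
    matches = []
    for entry in directory:
        attrs = {name.lower(): values for name, values in entry.items() if name != "dn"}
        if any(v.lower() == wanted_value for v in attrs.get(wanted_attr, [])):
            matches.append(entry["dn"])
    if len(matches) != 1:
        raise LookupError(f"Could not get user DN! ({len(matches)} entries matched)")
    return matches[0]
```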

Tuxwiki (talkcontribs)

After changing sAMAccountName to samaccountname, the error "Could not get user DN!" is gone and the log ends with:

User is authorized

Real name and email address did not change.


But on the web page itself only an error is shown:

MediaWiki\Extension\LDAPProvider\LDAPNoDomainConfigException from line 61 of /usr/share/mediawiki/extensions/LDAPProvider/src/DomainConfigFactory.php: No configuration available for domain 'invaliddomain'!

Backtrace:

#0 /usr/share/mediawiki/extensions/LDAPProvider/src/ClientFactory.php(55): MediaWiki\Extension\LDAPProvider\DomainConfigFactory->factory(string, string)

#1 /usr/share/mediawiki/extensions/LDAPProvider/src/Hook/UserLoadAfterLoadFromSession.php(145): MediaWiki\Extension\LDAPProvider\ClientFactory->getForDomain(string)

#2 /usr/share/mediawiki/extensions/LDAPProvider/src/Hook/UserLoadAfterLoadFromSession.php(101): MediaWiki\Extension\LDAPProvider\Hook\UserLoadAfterLoadFromSession->createLdapClientForDomain()

#3 /usr/share/mediawiki/extensions/LDAPProvider/src/Hook/UserLoadAfterLoadFromSession.php(90): MediaWiki\Extension\LDAPProvider\Hook\UserLoadAfterLoadFromSession->process()

#4 /usr/share/mediawiki/includes/Hooks.php(174): MediaWiki\Extension\LDAPProvider\Hook\UserLoadAfterLoadFromSession::callback(User)

#5 /usr/share/mediawiki/includes/Hooks.php(202): Hooks::callHook(string, array, array, NULL)

#6 /usr/share/mediawiki/includes/user/User.php(375): Hooks::run(string, array)

#7 /usr/share/mediawiki/includes/user/User.php(2238): User->load()

#8 /usr/share/mediawiki/includes/MediaWiki.php(570): User->getName()

#9 /usr/share/mediawiki/includes/MediaWiki.php(525): MediaWiki->setDBProfilingAgent()

#10 /usr/share/mediawiki/index.php(44): MediaWiki->run()

#11 {main}


Incorrect username or password entered. Please try again.

7
Wrathofmcgrath (talkcontribs)

I'm struggling to find any useful logs and have been stuck on this for some time. Any and all help would be much appreciated. I'm pretty new to Linux, PHP and MediaWiki administration. Without a lot of information to go on, I think the issue is the cert setup, but I'm not sure how to confirm that.

Installed:

MediaWiki 1.30.0
LDAP Authentication Plugin 2.1.0 (b19888c) 03:11, 14 April 2018

Configuration:

#LDAP Auth

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );

$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array('DOMAIN');

$wgLDAPServerNames = array('DOMAIN' => 'DC1.domain.com');

$wgLDAPEncryptionType = array('DOMAIN' => 'tls'); ##I've tried clear and ssl

$wgLDAPProxyAgent =  array('DOMAIN' => 'CN=Wiki LDAP,OU=Service Accounts,DC=domain,DC=com');

$wgLDAPProxyAgentPassword = array('DOMAIN' => 'WikiLDAPPASSWORD');

$wgLDAPSearchAttributes = array('DOMAIN' => 'sAMAccountName');

$wgLDAPBaseDNs = array('DOMAIN' => 'cn=People,dc=domain,dc=com');

$wgMinimalPasswordLength = 1;

$wgLDAPDebug = 3;

$wgDebugLogGroups['ldap'] = '/tmp/ldap-debug.log';

Logs:

root@SERVER1:/var/lib/mediawiki# cat /tmp/ldap-debug.log

2019-12-02 16:49:45 SERVER1 site_wiki: 2.1.0 Entering strict.

2019-12-02 16:49:45 SERVER1 site_wiki: 2.1.0 Entering getDomain

2019-12-02 16:49:45 SERVER1 site_wiki: 2.1.0 Returning true in strict().

2019-12-02 18:05:02 SERVER1 site_wiki: 2.1.0 Entering strict.

2019-12-02 18:05:02 SERVER1 site_wiki: 2.1.0 Entering getDomain

2019-12-02 18:05:02 SERVER1 site_wiki: 2.1.0 Returning true in strict().

2019-12-02 18:12:35 SERVER1 site_wiki: 2.1.0 Entering strict.

2019-12-02 18:12:35 SERVER1 site_wiki: 2.1.0 Entering getDomain

2019-12-02 18:12:35 SERVER1 site_wiki: 2.1.0 Returning true in strict().

2019-12-02 18:33:38 SERVER1 site_wiki: 2.1.0 Entering strict.

2019-12-02 18:33:38 SERVER1 site_wiki: 2.1.0 Entering getDomain

2019-12-02 18:33:38 SERVER1 site_wiki: 2.1.0 Returning true in strict().


I did at one point see this in the apache2 error.log but it stopped coming up.

[php7:warn] [pid 1465] [client 172.21.193.14:54312] PHP Warning:  ldap_start_tls(): Unable to start TLS: Connect error in /var/lib/mediawiki/extensions/LdapAuthentication/LdapAuthenticationPlugin.php on line 614, referer: https://SERVER1.domain.com/mediawiki/index.php?title=Special:UserLogin&returnto=Special:ListUsers

Wrathofmcgrath (talkcontribs)

I just tried the latest version of the extension and I get this error when running the update.php script:


PHP Fatal error:  Uncaught Error: Class 'LdapAuthenticationPlugin' not found in /var/lib/mediawiki/LocalSettings.php:165

Stack trace:

#0 /var/lib/mediawiki/maintenance/doMaintenance.php(65): require()

#1 /var/lib/mediawiki/maintenance/update.php(249): require_once('/var/lib/mediaw...')

#2 {main}

  thrown in /var/lib/mediawiki/LocalSettings.php on line 165

Ciencia Al Poder (talkcontribs)

Apparently, in LocalSettings.php you should have those lines:

require_once ('extensions/LdapAuthentication/LdapAuthentication.php');
require_once ('includes/AuthPlugin.php');
$wgAuth = new LdapAuthenticationPlugin();

See if any of them are missing.

Wrathofmcgrath (talkcontribs)

Based on this link [1] I don't need the require_once ('includes/AuthPlugin.php'); line

[1] https://blog.ryandlane.com/2009/03/23/using-the-ldap-authentication-plugin-for-mediawiki-the-basics-part-1/


I re-signed the cert and now when I enable this extension no one is able to log in, including the local account. I feel like this is progress... I do have a local account that is also an AD account (because I read you needed that) and that account is a bureaucrat and a wiki administrator. No new information in the /tmp/ldap-debug.log. Is there anything else I should check?

Wrathofmcgrath (talkcontribs)

OK, so I changed the /etc/ldap/ldap.conf file to:

TLS_REQCERT     never

and now the local wiki account that exists in AD can log in... not sure if it's actually doing LDAP auth though. And the other local account (not in AD) can't log in, which I think (maybe) is normal behavior. Now, why can't other AD accounts log in? Do I have to have users create their AD account on MediaWiki and then it'll work with LDAP auth? Or should this extension automatically check with the LDAP server to see if it's an AD account and create the MediaWiki user based on that?

Ciencia Al Poder (talkcontribs)
Wrathofmcgrath (talkcontribs)

That comment is confusing to me...

default is set to false so it should "automatically create an account for a user if the account exists in LDAP, but not in MediaWiki."?

Regardless I've tried both and it didn't change the behavior.


Error after importing database with phpmyadmin

7
Tmhoskins (talkcontribs)

[24dbcafdfdd1b46c128f4a7a] /NRTwiki/Main_Page Wikimedia\Rdbms\DBQueryError from line 1587 of /var/www/html/SNRTwiki/includes/libs/rdbms/database/Database.php: A database query error has occurred. Did you forget to run your application's database schema updater after upgrading?

Query: SELECT user_id,user_name,user_real_name,user_email,user_touched,user_token,user_email_authenticated,user_email_token,user_email_token_expires,user_registration,user_editcount,user_actor.actor_id FROM `user` JOIN `actor` `user_actor` ON ((user_actor.actor_user = user_id)) WHERE user_id = '1' LIMIT 1

Function: User::loadFromDatabase

Error: 1146 Table 'wikidb.actor' doesn't exist (localhost)

Backtrace:

#0 /var/www/html/SNRTwiki/includes/libs/rdbms/database/Database.php(1556): Wikimedia\Rdbms\Database->getQueryExceptionAndLog(string, integer, string, string)

#1 /var/www/html/SNRTwiki/includes/libs/rdbms/database/Database.php(1274): Wikimedia\Rdbms\Database->reportQueryError(string, integer, string, string, boolean)

#2 /var/www/html/SNRTwiki/includes/libs/rdbms/database/Database.php(1784): Wikimedia\Rdbms\Database->query(string, string)

#3 /var/www/html/SNRTwiki/includes/libs/rdbms/database/Database.php(1875): Wikimedia\Rdbms\Database->select(array, array, array, string, array, array)

#4 /var/www/html/SNRTwiki/includes/user/User.php(1442): Wikimedia\Rdbms\Database->selectRow(array, array, array, string, array, array)

#5 /var/www/html/SNRTwiki/includes/user/User.php(531): User->loadFromDatabase(integer)

#6 /var/www/html/SNRTwiki/includes/libs/objectcache/WANObjectCache.php(1253): User->{closure}(boolean, integer, array, NULL)

#7 /var/www/html/SNRTwiki/includes/libs/objectcache/WANObjectCache.php(1414): WANObjectCache->{closure}(boolean, integer, array, NULL)

#8 /var/www/html/SNRTwiki/includes/libs/objectcache/WANObjectCache.php(1258): WANObjectCache->doGetWithSetCallback(string, integer, Closure, array, NULL)

#9 /var/www/html/SNRTwiki/includes/user/User.php(555): WANObjectCache->getWithSetCallback(string, integer, Closure, array)

#10 /var/www/html/SNRTwiki/includes/user/User.php(474): User->loadFromCache()

#11 /var/www/html/SNRTwiki/includes/user/User.php(411): User->loadFromId(integer)

#12 /var/www/html/SNRTwiki/includes/session/UserInfo.php(89): User->load()

#13 /var/www/html/SNRTwiki/includes/session/CookieSessionProvider.php(122): MediaWiki\Session\UserInfo::newFromId(string)

#14 /var/www/html/SNRTwiki/includes/session/SessionManager.php(466): MediaWiki\Session\CookieSessionProvider->provideSessionInfo(WebRequest)

#15 /var/www/html/SNRTwiki/includes/session/SessionManager.php(191): MediaWiki\Session\SessionManager->getSessionInfoForRequest(WebRequest)

#16 /var/www/html/SNRTwiki/includes/WebRequest.php(748): MediaWiki\Session\SessionManager->getSessionForRequest(WebRequest)

#17 /var/www/html/SNRTwiki/includes/session/SessionManager.php(130): WebRequest->getSession()

#18 /var/www/html/SNRTwiki/includes/Setup.php(816): MediaWiki\Session\SessionManager::getGlobalSession()

#19 /var/www/html/SNRTwiki/includes/WebStart.php(77): require_once(string)

#20 /var/www/html/SNRTwiki/index.php(39): require(string)

#21 {main}


I tried doing this manually on the command line and it dropped a lot of the tables I needed. So I decided to use phpMyAdmin, since we are using it for our old wiki, version 1.26.

Ciencia Al Poder (talkcontribs)

MediaWiki 1.26 doesn't have the actor table. And this stack trace doesn't go through any code path from Extension:LDAP Authentication. I don't know what you are trying to do, TBH.

MarkAHershberger (talkcontribs)

Also, MW 1.26 is not supported. You should upgrade to 1.31 at least.

Tmhoskins (talkcontribs)

I am trying to dump the database from an older version, 1.26, into my new version, 1.33. This is the error I get when I try to access the web interface of the new version 1.33. Sounds like I need a different LDAP authentication extension, but that still doesn't solve the database issue, which is why I am getting this error. Seems like dumping the DB from 1.26 into 1.33 isn't one to one?

Ciencia Al Poder (talkcontribs)

You need to run update.php after upgrading MediaWiki to 1.33 (or any other version more recent than the database schema you had)

Tmhoskins (talkcontribs)

Ran php update.php inside the html/site/maintenance folder and I get: symfony/ldap: 4.3.2 installed, ^4.3 required.

Error: your composer.lock file is not up to date. Run "composer update --no-dev" to install newer dependencies. After some googling I ran: composer update --lock and it doesn't have anything to update. It's just going in circles.


Also, this is a fresh install of MediaWiki 1.33 on a VM; it's not an older MediaWiki that I upgraded. I do need to dump the old database from another MediaWiki 1.26 into the new version. That's where I am having issues. Not to mention I cannot get the LdapAuth extension to work at all.

Tmhoskins (talkcontribs)

This is solved. Mediawiki is using the composer file for other things so to get php to update the schema I had to run "php maintenance/update.php --skip-external-dependencies" after I dumped the database in the new wiki with phpmyadmin.

However, LdapAuth is still not working even though I used this other guy's info for configuration that seemed to work for him: https://github.com/shanept/mediawiki-LdapAuth/issues/13 (bottom comment).


Please Advise.


$wgAuth removed in MediaWiki 1.33

11
81.14.176.5 (talkcontribs)

I'm currently on MediaWiki 1.32.2 and using the LDAP Authentication extension version REL1_32-e2cab88 - everything works fine.

I have a pretty simple setup - connection to one Active Directory server using ssl, restricting users that are able to login to a certain AD group.


As of 7/3/19 the current stable MediaWiki version is now 1.33.

I tried to upgrade and use the LDAP Authentication extension version REL1_33-d82149e with the same ldap settings that were working on 1.32 and REL1_32-e2cab88, but it does not work.

The version REL1_33-d82149e has some accommodations for the new mediawiki version - the update.php script runs without errors.

But it seems like the extension is completely ignored by mediawiki - users can login using the local user credentials, but the login does not work with login credentials from Active Directory.

The logs are also missing despite using $wgLDAPDebug, $wgDebugLogGroups configuration variables.


My guess is that this is caused by the removal of the $wgAuth variable (as stated in the release notes for mediawiki 1.33).

The newer configuration variables for authentication purposes are now $wgAuthManagerAutoConfig or $wgAuthManagerConfig.


The problem is that I don't know how to configure these variables or whether they are supported by the LDAP Authentication extension at all.

The configuration examples are still using the old variable $wgAuth.


Did someone figure out how to configure this extension to work with MediaWiki 1.33 and can help out?

MarkAHershberger (talkcontribs)

Could you look at the LDAP hub? It says it is in draft, but people have successfully been using those new extensions for a while now.

2001:67C:2344:50:0:0:0:85 (talkcontribs)

I can confirm this issue. I've got a freshly installed 1.33 MediaWiki and the LDAP_Authentication extension is not working at all. There are no errors from the update.php script and I've tried different configuration options in LocalSettings.php, but no success. It looks like this extension is not activated at all. Any advice?

TheNetStriker (talkcontribs)

I have exactly the same problem after the update to 1.3.3. Did you find any solution for this? I also didn't find any information on how to switch to this new LDAP hub.

Osnard (talkcontribs)
217.114.64.90 (talkcontribs)

Same here. It would be nice if it could be fixed.

UnplanedDowntimer (talkcontribs)

Same here, the plugin is dead on my 1.3.3 MediaWiki; it doesn't even write debug information to the configured file. Any suggestions to bring it back to life?

Osnard (talkcontribs)
Mark Ziegler (talkcontribs)

Does anyone know if the LdapAuthentication for Versions extension will be adjusted for v1.33+ at all?

Or is the switch to LDAP stack indispensable?

Osnard (talkcontribs)
Gslin (talkcontribs)

Use the solution in Topic:Tfu65b5pncef5p6s to solve. Change the original $wgAuth = new LdapAuthenticationPlugin(); to:

   $wgAuthManagerAutoConfig['primaryauth'] += [
       LdapPrimaryAuthenticationProvider::class => [
           'class' => LdapPrimaryAuthenticationProvider::class,
           'args' => [[
                  'authoritative' => true, // don't allow local non-LDAP accounts
              ]],
           'sort' => 50, // must be smaller than local pw provider
       ],
   ];
162.96.9.2 (talkcontribs)

I have been using LDAP Authentication with LDAPS without any issues for many years. I'm now trying to use the same configuration on a RHEL8 server and cannot get it to work. The debug log isn't very helpful, it just says "failed to bind". When using "clear" option, everything works, so I know it's something with SSL. Certificates are fine because they are set up identical to a RHEL7 where everything is working.

Does anyone have any idea?

Reply to "SSL on RHEL8"
195.85.237.130 (talkcontribs)

Hi! I installed the extension on my MediaWiki 1.32 running on XAMPP (PHP 7). I set up the configs as follows:


$wgLDAPDomainNames = array(
  'MYDOMAIN',
);

$wgLDAPServerNames = array(
  'MYDOMAIN' => 'MYLDAPSERVER',
);

$wgLDAPEncryptionType = array(
  'MYDOMAIN' => 'ssl',
);

$wgLDAPSearchAttributes = array(
  'MYDOMAIN' => 'sAMAccountName',
);

$wgLDAPBaseDNs = array(
  'MYDOMAIN' => 'DC=manz,DC=lc',
);

$wgLDAPGroupBaseDNs = array(
  'MYDOMAIN' => 'OU=DE,OU=RT,OU=User,DC=MYDOMAIN,DC=lc',
);

$wgLDAPUserBaseDNs = array(
  'MYDOMAIN' => 'OU=DE,OU=RT,OU=User,DC=MYDOMAIN,DC=lc',
);


There is an actual domain name and the IP for the LDAP server, however for privacy reasons I would like to hide them. It seems like a connection is established, however the extension cannot find the user. The log tells me:


2019-03-04 10:22:34 WINWIKI x: 2.1.0 Couldn't find an entry

2019-03-04 10:22:34 WINWIKI x: 2.1.0 userdn is:

2019-03-04 10:22:34 WINWIKI x: 2.1.0 User DN is blank


195.85.237.130 (talkcontribs)

I got it to work, the problem was actually that a proxy user was needed in order to do the search.

80.157.191.124 (talkcontribs)

How did you configure your proxy? Like in the docs?


$wgLDAPProxyAgent = array( 'testLDAPdomain' => 'cn=proxyagent,ou=profile,dc=LDAP,dc=example,dc=com', );
$wgLDAPProxyAgentPassword = array( 'testLDAPdomain' => 'S0M3L0ngP@$$w0r6ofS0meV@rie222y!', );


Reply to "User DN is blank"