Extension talk:LDAP Authentication


About this board

How to ask for support

There are a couple of key pieces of info I always need:

  1. The MediaWiki version you are using
  2. The LdapAuthentication extension version you are using

I will very often need to see two other things when you ask for support, so you should have them prepared:

  1. Your configuration, with sensitive stuff snipped out
  2. The extension's debug log, with sensitive stuff snipped out

When you are trying to debug an authentication problem, you should always use the most basic configuration possible. For instance, if you don't have basic authentication working yet, you shouldn't have group restrictions or group synchronization enabled yet. I will generally ask you to disable these things when debugging.

Also, $wgLDAPUseLocal is almost never what you want to use. It's a frequent cause of configuration issues, and unless you really know what you are doing, it should not be set (or explicitly set to false, which is the default).

Most importantly of all: ensure you are using the newest version of the extension. From the extension distributor, that's the "master" version. If you are using git, just make sure you run git pull && git reset --hard origin/master. This is one of the more common causes of problems.

How to submit a bug

If you've found a bug, please submit it here.


ldap extension on mediawiki/sqlite: no such table: ldap_domains

Marco Ardito (talkcontribs)

Hi, I have a lan wiki with auth on active dir 2003, and everything is fine.

Now I am building a "private" wiki on the same server (Ubuntu 12.04/Apache2), same Active Directory. The wiki version is 1.21 and the LDAP extension is g013532 (from the git repo, REL1_21). I got it to work, but I fear it is not creating the SQLite tables, since

when I enter a valid user/pass, I get the error "1: no such table: ldap_domains", and the MediaWiki page says that the query "SELECT domain FROM ldap_domains WHERE user_id = '2' LIMIT 1", generated by "LdapAuthenticationPlugin::loadDomain", caused that error.

I also applied the suggestion reported here http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Suggestions (page bottom), about "case 'sqlite':", but it didn't help.

I feel that the SQLite tables were (and are) not generated correctly, since if I list the tables in sqlite3 (Ubuntu CLI) I find only the following: " archive category categorylinks change_tag external_user externallinks filearchive hitcounter image imagelinks interwiki ipblocks iwlinks job l10n_cache langlinks module_deps msg_resource msg_resource_links objectcache oldimage page page_props page_restrictions pagelinks protected_titles querycache querycache_info querycachetwo recentchanges redirect searchindex_segdir searchindex_segments site_identifiers site_stats sites tag_summary templatelinks text transcache updatelog uploadstash user user_former_groups user_groups user_newtalk "

I don't know how to debug what's not working.

Any hints? Thanks, Marco

166.64.3.2 (talkcontribs)

I am having the same problem. Has your problem been fixed? If so, how was it resolved?

This post was posted by 166.64.3.2, but signed as DZ.

Marco Ardito (talkcontribs)

Nope, sorry. Nobody ever answered, and I'm using basic accounts; in my case this could be managed... and I had much better work to do :D A bit sad, but...

Marco

199.89.206.130 (talkcontribs)

The problem is that this extension does not create the ldap_domains table if you are using sqlite (and does not throw an error either) - it should do one or the other...

The fix is:

cd to [MediaWikiInstallLocation]/extensions/LdapAuthentication/schema

create the file ldap-sqlite.sql

add the lines:

CREATE TABLE ldap_domains (
  Domain_id INTEGER PRIMARY KEY AUTOINCREMENT,
  Domain TEXT,
  User_id TEXT
) /*$wgDBTableOptions*/;
CREATE INDEX user_id on ldap_domains (user_id);

cd ..

edit LdapAuthentication.php

In the function efLdapAuthenticationSchemaUpdates

add the lines:

       case 'sqlite':
               $updater->addExtensionTable( 'ldap_domains', "$base/schema/ldap-sqlite.sql" );
               break;

cd to [MediaWikiInstallLocation]

now run php maintenance/update.php

If you look at the output you should see an entry for creating table ldap_domains

This post was posted by 199.89.206.130, but signed as Tim Bernhardson.
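The fix above, as a small check script you can run against a SQLite wiki database: it issues the same query LdapAuthenticationPlugin::loadDomain issues, applies the ldap-sqlite.sql schema if the table is missing, and checks again. This is an added example, not code from the extension or from the poster; the database path, the file name check_ldap_domains.php and the use of an in-memory database when no path is given are assumptions.

```php
<?php
// Added example, not part of the LdapAuthentication extension.
// Reproduces the "no such table: ldap_domains" failure from this thread and
// verifies that the schema from the fix makes loadDomain's query succeed.

// Schema from the fix above. MediaWiki substitutes /*$wgDBTableOptions*/ when
// it applies a schema file; for SQLite the value is empty, so we strip it.
const LDAP_SQLITE_SCHEMA = <<<'SQL'
CREATE TABLE ldap_domains (
  domain_id INTEGER PRIMARY KEY AUTOINCREMENT,
  domain TEXT,
  user_id TEXT
) /*$wgDBTableOptions*/;
CREATE INDEX user_id ON ldap_domains (user_id);
SQL;

function openWikiDb( string $path ): PDO {
    $db = new PDO( 'sqlite:' . $path );
    // Throw on SQL errors so a missing table surfaces as an exception,
    // the same way MediaWiki reports it as a DBQueryError.
    $db->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
    return $db;
}

function ldapDomainsTableExists( PDO $db ): bool {
    $stmt = $db->query(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'ldap_domains'"
    );
    return $stmt->fetchColumn() !== false;
}

function applyLdapSqliteSchema( PDO $db ): void {
    $sql = str_replace( '/*$wgDBTableOptions*/', '', LDAP_SQLITE_SCHEMA );
    // Run the CREATE TABLE and CREATE INDEX statements one at a time.
    foreach ( array_filter( array_map( 'trim', explode( ';', $sql ) ) ) as $statement ) {
        $db->exec( $statement );
    }
}

// The query quoted in the error message, with the user id bound as a parameter.
// Returns the stored domain, or null when the user has no row yet.
function loadDomainForUser( PDO $db, int $userId ): ?string {
    $stmt = $db->prepare( 'SELECT domain FROM ldap_domains WHERE user_id = :uid LIMIT 1' );
    $stmt->execute( [ ':uid' => (string)$userId ] );
    $domain = $stmt->fetchColumn();
    return $domain === false ? null : $domain;
}

// Usage: php check_ldap_domains.php [/path/to/wiki.sqlite]
// Without a path an in-memory database is used, which reproduces the error offline.
$db = openWikiDb( $argv[1] ?? ':memory:' );

try {
    loadDomainForUser( $db, 2 );
    echo "ldap_domains present; loadDomain query runs\n";
} catch ( PDOException $e ) {
    // On an unpatched SQLite wiki this prints the "no such table" error from the thread.
    echo 'Same failure as in the thread: ' . $e->getMessage() . "\n";
}

if ( !ldapDomainsTableExists( $db ) ) {
    applyLdapSqliteSchema( $db );
    echo "applied ldap-sqlite.sql\n";
}

// After the fix the query succeeds; for a user who has not logged in through
// LDAP yet it simply returns no row, which is not an error.
var_dump( loadDomainForUser( $db, 2 ) );
```

Applying the schema by hand like this is only a check; the supported route on a real install is the updater hook plus php maintenance/update.php exactly as the fix describes.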

82.112.219.246 (talkcontribs)

Many thanks for the reply and the suggested fix. I will try (not soon, though) and report here :)

Marco

139.2.4.140 (talkcontribs)

Thanks a lot, this works fine for sqlite

202.96.41.4 (talkcontribs)

Thanks a lot!! It works!!

PeterS3 (talkcontribs)

This fix also worked for me, on v1.30; it was missing the SQLite handling of a new user (via LDAP.)

Sbonds (talkcontribs)

Marco:

I opened a bug against the extension to apply the fix suggested by the anonymous user in this thread: https://phabricator.wikimedia.org/T108355

I also updated the extension's requirements page with "The MediaWiki database must be MySQL or PostgreSQL. SQLite is not currently supported."

Hopefully that will help keep more people from wasting time trying to make this work before finally finding this thread.

Sbonds (talkcontribs)

Also, as Google-bait, the error that was shown before I enabled lots of debugging was not so helpful: "a database query error has occurred"

Saper (talkcontribs)

Thanks, @sbonds - your patch is on its way https://gerrit.wikimedia.org/r/262707


Authenticating non-windows users (on an IIS-based wiki)

Dshinks (talkcontribs)

Hi, I don't know a great deal about authentication, so this might be a dumb question, so bear with me!

I've got Auto-Authentication working perfectly on a non-public-facing wiki for Windows users. Users are set up in Active Directory, with permissions to the site being controlled by AD groups. I have, however, a small number of users accessing the wiki via non-Windows systems (macOS, Linux). Although their accounts are in Active Directory, Auto-Authentication isn't working for them; they are getting prompted by the browser for a username and password.

Ideally, I'd like them to be able to benefit from auto-authentication too, if possible.

I expect that this will be mainly down to my authentication configuration in IIS. I've got it so that Windows Authentication is enabled, and all other authentication methods are disabled.

Is there any other configuration in IIS that would support auto authentication for both windows and non-windows users?

Many thanks Darren

Ciencia Al Poder (talkcontribs)

The browser communicates with the underlying operating system to get an authentication token, which it then sends to the server, and that is what makes auto-authentication possible.

macOS and Linux don't provide that (AFAIK) for Active Directory authentication, so it's not possible.

Dshinks (talkcontribs)

Thanks for that, Ciencia. A couple of follow-up questions on this:

  • Should I expect API users to be affected by this? I've got a user who is now getting a 401 error when attempting to get his login token. He's still supplying the same details as he was before we enabled auto authentication. Not sure if he should be sending different parameters?
  • For our non-windows users, a suitable alternative would be to allow access to the log in screen as a fallback. They can currently access ok as the browser prompts for credentials, but it doesn't keep them logged in once their session is closed. I'll do a bit more reading, but in principle is it possible to run an auto-auth domain alongside a manual auth domain?

Using the AuthManager PrimaryAuthenticationProvider

Osnard (talkcontribs)

I just wanted to share some information from T110453.

Configuration with AuthManager could look like:

$wgAuthManagerAutoConfig['primaryauth'] += [
   LdapPrimaryAuthenticationProvider::class => [
       'class' => LdapPrimaryAuthenticationProvider::class,
       'args' => [ [
           'authoritative' => true, // don't allow local non-LDAP accounts
       ] ],       
       'sort' => 50, // must be smaller than local pw provider
   ],     
];

I can't create user account with Ldap extension

Teokraba (talkcontribs)

Hi all,

thanks Ryan for this great extension, very useful and simple to use!

I run MediaWiki for a small department in a big IT company and, for a transitional time, I now need to use local & LDAP users. Not all users in LDAP can log in to my MediaWiki; only users added by me to the local DB (before installing/configuring the LDAP extension) can log in, and autocreate is disabled. For example John Doe can log in with 2 users: JohnDoe and AB123456 (the LDAP ID), and in the user table I have JohnDoe and AB123456 entries.

After this first run of configuration I need to add other users by hand, but the createAndPromote script fails... I've read THIS post but it's from 2010 and the code has changed... and I don't know PHP that well :)

Version:

MediaWiki 1.20.3
PHP 5.3.3-7+squeeze15 (apache2handler)
MySQL 5.1.49-3-log
LDAP Authentication Plugin (Versione 2.0d)

My LocalSettings.php:

$wgGroupPermissions['*']['createaccount'] = false;
...
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( 'mydomain.local' );
$wgLDAPServerNames = array( 'mydomain.local' => '10.10.10.11' );
$wgLDAPPort = array( 'mydomain.local' => 3268);
$wgLDAPSearchAttributes = array( 'mydomain.local' => 'sAMAccountName' );
$wgLDAPBaseDNs = array( 'mydomain.local' => 'DC=mydomain,DC=local' );
$wgLDAPSearchStrings = array( 'mydomain.local' => "MYDOMAIN\\USER-NAME" );
$wgLDAPEncryptionType = array( 'mydomain.local' => 'clear' );
//using local & LDAP DB
$wgLDAPUseLocal = true;
$wgLDAPAddLDAPUsers = array( 'mydomain.local' => false);
$wgLDAPUpdateLDAP = array( 'mydomain.local' => false);
$wgLDAPWriterPassword = array( 'mydomain.local' => false);
$wgLDAPWriterDN = array( 'mydomain.local' => false);
$wgLDAPPreferences = array( 'mydomain.local'=>array( "email"=>"mail", "realname"=>"displayname","nickname"=>"givenname") );
$wgLDAPDisableAutoCreate = array( 'mydomain.local' => true);
$wgLDAPDebug = 6;
$wgDebugLogGroups["ldap"] = "log_debugLDAP.txt";

CreateAndPromote output:

php maintenance/createAndPromote.php TestUser testpass                                                                                  
wiki: Creating and promoting User:TestUser...Non è possibile modificare le password su questo wiki. (you can't modify the password in this wiki)
Backtrace:
#0 /var/www/wiki/maintenance/createAndPromote.php(58): User->setPassword('testpass')
#1 /var/www/wiki/maintenance/doMaintenance.php(110): CreateAndPromote->execute()
#2 /var/www/wiki/maintenance/createAndPromote.php(84): require_once('/var/www/wi...')
#3 {main}

and the SQL trace is:

Start command line script maintenance/createAndPromote.php
CACHES: EmptyBagOStuff[main] SqlBagOStuff[message] SqlBagOStuff[parser]
Class LanguageIt not found; skipped loading
LocalisationCache: using store LCStore_DB
Connecting to localhost wiki...
Profiler::instance called with bogus $wgProfiler setting, falling back to ProfilerStub for safety
Query wiki (1) (slave): SET /* DatabaseMysql::open  */ NAMES utf8
Query wiki (2) (slave): SET /* DatabaseMysql::open  */ sql_mode = 
Connected to localhost wiki.
Query wiki (3) (slave): SELECT /* LCStore_DB::get  */  lc_value  FROM `l10n_cache`  WHERE lc_lang = 'it' AND lc_key = 'deps'  LIMIT 1  
Query wiki (4) (slave): SELECT /* LCStore_DB::get  */  lc_value  FROM `l10n_cache`  WHERE lc_lang = 'it' AND lc_key = 'list'  LIMIT 1  
Query wiki (5) (slave): SELECT /* LCStore_DB::get  */  lc_value  FROM `l10n_cache`  WHERE lc_lang = 'it' AND lc_key = 'preload'  LIMIT 1  
Query wiki (6) (slave): SELECT /* LCStore_DB::get  */  lc_value  FROM `l10n_cache`  WHERE lc_lang = 'it' AND lc_key = 'preload'  LIMIT 1  
Query wiki (7) (slave): SELECT /* LCStore_DB::get  */  lc_value  FROM `l10n_cache`  WHERE lc_lang = 'it' AND lc_key = 'fallback'  LIMIT 1  
Unstubbing $wgParser on call of $wgParser::setHook from wfSpoilerExtension
Parser: using preprocessor: Preprocessor_DOM
Query wiki (8) (slave): SELECT /* DatabaseBase::tableExists  */ 1 FROM `tw_groups` LIMIT 1
Query wiki (9) (slave): SELECT /* DatabaseBase::tableExists  */ 1 FROM `tw_namespaces` LIMIT 1
Query wiki (10) (slave): SELECT /* DatabaseBase::tableExists  */ 1 FROM `tw_privileges` LIMIT 1
Query wiki (11) (slave): SELECT /* DatabaseBase::select  */  tw_grp_name  FROM `tw_groups`   
Query wiki (12) (slave): SELECT /* DatabaseBase::select  */  *  FROM `tw_namespaces`   
Query wiki (13) (slave): SELECT /* DatabaseBase::select  */  *  FROM `tw_privileges`   
Fully initialised
IP: 127.0.0.1
Query wiki (14) (slave): SELECT /* User::idForName 127.0.0.1 */  user_id  FROM `user`  WHERE user_name = 'TestUser'  LIMIT 1  
Unstubbing $wgLang on call of $wgLang::getCode from MessageCache::get
Connecting to localhost wiki...
Query wiki (15) (slave): SET /* DatabaseMysql::open 127.0.0.1 */ NAMES utf8
Query wiki (16) (slave): SET /* DatabaseMysql::open 127.0.0.1 */ sql_mode = 
Connected to localhost wiki.
Query wiki (17) (slave): SELECT /* SqlBagOStuff::getMulti 127.0.0.1 */  keyname,value,exptime  FROM `objectcache`  WHERE keyname = 'wiki-:messages:it'  
MessageCache::load: Loading it... got from global cache
Query wiki (18) (slave): SELECT /* LCStore_DB::get 127.0.0.1 */  lc_value  FROM `l10n_cache`  WHERE lc_lang = 'it' AND lc_key = 'messages:password-change- forbidden'  LIMIT 1  

and the LDAP output:

2013-04-03 08:58:51 kiwi wiki: 2.0d Entering getCanonicalName
2013-04-03 08:58:51 kiwi wiki: 2.0d Username is: TestUser
2013-04-03 08:58:51 kiwi wiki: 2.0d Entering getDomain
2013-04-03 08:58:51 kiwi wiki: 2.0d No domain found, returning invaliddomain
2013-04-03 08:58:51 kiwi wiki: 2.0d Munged username: TestUser
2013-04-03 08:58:51 kiwi wiki: 2.0d Entering allowPasswordChange
2013-04-03 08:58:51 kiwi wiki: 2.0d Entering getDomain
2013-04-03 08:58:51 kiwi wiki: 2.0d No domain found, returning invaliddomain
2013-04-03 08:58:51 kiwi wiki: 2.0d Entering getDomain
2013-04-03 08:58:51 kiwi wiki: 2.0d No domain found, returning invaliddomain
2013-04-03 08:58:51 kiwi wiki: 2.0d Entering getDomain
2013-04-03 08:58:51 kiwi wiki: 2.0d No domain found, returning invaliddomain
2013-04-03 08:58:51 kiwi wiki: 2.0d Entering getDomain
2013-04-03 08:58:51 kiwi wiki: 2.0d No domain found, returning invaliddomain 

Is it possible to add users to the local DB? Thanks a lot, Matteo

Account Creation

Ana.carvalho (talkcontribs)

Hi all,

Not all users in LDAP are authorized to own an user account in my MediaWiki. I already have users logging in because I created their accounts before installing LDAP Plugin. Now, I need to create accounts for new employees and I always receive the message "Username entered already in use. Please choose a different name.", through Special:CreateAccount.

Obviously, if I disable all LDAP configuration in LocalSettings, I'm able to create a local user account with the same LDAP username. Then, if I enable the LDAP configuration again, the user is recognized with the LDAP password and he can log in. The fact is that I don't want to edit LocalSettings every time I have a new employee.

My configuration is below. Thanks in advance.

require_once ('.../extensions/LdapAuthentication/LdapAuthentication.php');
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( 'AD' );
$wgLDAPServerNames = array( 'AD' => 'url' );
$wgLDAPUseLocal = false;
$wgLDAPEncryptionType = array( 'AD' => 'clear' );
$wgLDAPPort = array( 'AD' => 389 );
$wgLDAPProxyAgent = array( 'AD' => 'CN=a,OU=b,DC=c,DC=d' );
// the key must match the domain name in $wgLDAPDomainNames ('AD'); the posted config had 'UFPE-AD' here
$wgLDAPProxyAgentPassword = array( 'AD' => 'password' );
$wgLDAPSearchAttributes = array( 'AD' => 'description' );
$wgLDAPBaseDNs = array( 'AD' => 'DC=c,DC=d' );
$wgLDAPDisableAutoCreate = array( 'AD' => true );
$wgLDAPPreferences = array( 'AD' => array( 'email' => 'mail', 'realname' => 'cn','nickname' => 'givenname') );
$wgLDAPLowerCaseUsername = array( 'AD' => true);
$wgGroupPermissions['*']['createaccount'] = false;

MediaWiki: 1.29.1

PHP: 5.5.21 (apache2handler)

PostgreSQL: 9LDAP

Nested Groups

217.6.145.253 (talkcontribs)

Is the nested groups feature actually working for anyone?

I tried

- setting $wgLDAPGroupSearchNestedGroups to true,

- additionally setting $wgLDAPGroupsUseMemberOf to false

- additionally setting $wgLDAPLowerCaseUsername to false

and none of that made a difference...


Automatic Authentication and Group sync mutually exclusive

217.6.145.253 (talkcontribs)

mediawiki 1.27.1, Extension 2.1

deployed via IIS.

I have configured Group synchronization, and it worked.

Then I added in Automatic Authentication and it stopped.

I have compared the search requests of both with Wireshark and found out:

- on a working group sync the request is for whole subtree with Filter sAMAccountName=USERNAME

- with auto authentication instead it searches for "DOMAIN\USERNAME" baseObject

Why is that, and what should I do?

Ciencia Al Poder (talkcontribs)

By "Automatic Authentication" do you mean Extension:Auth remoteuser? Apparently you need to tune up $wgAuthRemoteuserDomain

217.6.145.253 (talkcontribs)

No, I mean LdapAutoAuthentication

If I log in normally (using the login dialog) then my groups are added.

If I activate automatic Authentication, then it actively removes all groups from the logged in user, since it apparently can't find them.

Even though I pretty much copied the config.

Here is my config:

(DOMAIN is the Config I use for normal login, DOMAINSSO is for auto authentication.)

require_once "$IP/extensions/LdapAuthentication/LdapAuthentication.php";
require_once( "$IP/extensions/LdapAuthentication/LdapAutoAuthentication.php" );

#List of available Domains
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array(
    'DOMAIN',
    'DOMAINSSO',
);

#Mapping domains to domain controllers
$wgLDAPServerNames = array(
    'DOMAIN' => 'mydc.domain.com',
    'DOMAINSSO' => 'mydc.domain.com',
);

$wgLDAPEncryptionType = array(
    'DOMAIN' => 'ssl',
    'DOMAINSSO' => 'ssl',
);

#Mapping domain to Samaccountname
$wgLDAPSearchStrings = array(
    'DOMAIN' => "DOMAIN\\USER-NAME",
    'DOMAINSSO' => "DOMAIN\\USER-NAME",
);

$wgLDAPActiveDirectory = array(
    'DOMAIN' => true,
    'DOMAINSSO' => true,
);

AutoAuthSetup();

$wgGroupPermissions['*']['createaccount'] = true;

$wgLDAPLowerCaseUsername = array(
    'DOMAIN'=>true,
    'DOMAINSSO'=>true
);

$wgMinimalPasswordLength     = 1;

#For Group sync
$wgLDAPBaseDNs = array(
    'DOMAIN' => 'dc=domain,dc=com',
    'DOMAINSSO' => 'dc=domain,dc=com',
);

$wgLDAPGroupUseFullDN = array(
    'DOMAIN' => true,
    'DOMAINSSO' => true,
);

$wgLDAPGroupsUseMemberOf = array(
    'DOMAIN' => true,
    'DOMAINSSO' => true,
);

$wgLDAPUseLDAPGroups = array(
    'DOMAIN' => true,
    'DOMAINSSO' => true,
);

$wgLDAPActiveDirectory = array(
    'DOMAIN' => true,
    'DOMAINSSO' => true,
);

$wgLDAPGroupObjectclass = array(
    "DOMAIN"=>"group",
    "DOMAINSSO"=>"group",
);

$wgLDAPGroupAttribute = array(
    "DOMAIN"=>"member",
    "DOMAINSSO"=>"member",
);

$wgLDAPGroupNameAttribute = array(
    "DOMAIN"=>"cn",
    "DOMAINSSO"=>"cn",
);

$wgLDAPGroupSearchNestedGroups = array(
    'DOMAIN'=>true,
    'DOMAINSSO'=>true,
);

#Restrict anonymous users
#$wgGroupPermissions['*' ]['createaccount']     = false;
$wgGroupPermissions['*' ]['read']         = false;
$wgGroupPermissions['*' ]['edit']         = false;

#Remove the domain portion of the displayed username. Example: "DOMAIN\username" to "username"
list($dom,$userid) = explode("\\",$_SERVER['REMOTE_USER']);

#$wgLDAPAutoAuthDomain = "DOMAINSSO";
$wgLDAPAutoAuthDomain = "DOMAINSSO";
$wgLDAPAutoAuthUsername = $userid;

AutoAuthSetup();
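The bare explode() of $_SERVER['REMOTE_USER'] in the config above raises an undefined-index notice and leaves $userid empty whenever the header is missing or has no backslash (a request that reached PHP without Windows authentication, or a user@domain value), and AutoAuthSetup() then runs with no usable username. The fragment below is an added example, not the extension's or the poster's code: it parses the header defensively, fails closed, and only enables auto-authentication for a user from the expected domain. The domain names and the UPN-to-NetBIOS mapping are assumptions.

```php
// LocalSettings.php fragment (added example): replaces the explode() line, the
// $wgLDAPAutoAuthDomain/$wgLDAPAutoAuthUsername lines and the AutoAuthSetup()
// calls in the configuration above. Requires LdapAutoAuthentication.php as before.

/**
 * Split a REMOTE_USER value into [DOMAIN, username].
 * Accepts the down-level form "DOMAIN\user" that IIS Windows Authentication
 * sets and the UPN form "user@domain.com"; returns null for anything else,
 * including a missing or empty header, so nothing downstream ever sees an
 * undefined username.
 */
function parseRemoteUser( ?string $remoteUser ): ?array {
    if ( $remoteUser === null || trim( $remoteUser ) === '' ) {
        return null;
    }
    // DOMAIN\username (exactly one backslash, no '@')
    if ( preg_match( '/^([^\\\\@]+)\\\\([^\\\\@]+)$/', $remoteUser, $m ) ) {
        return [ strtoupper( $m[1] ), $m[2] ];
    }
    // username@domain.com: assumption for this example, the NetBIOS domain
    // name is the first DNS label of the UPN suffix.
    if ( preg_match( '/^([^\\\\@]+)@([^\\\\@]+)$/', $remoteUser, $m ) ) {
        return [ strtoupper( explode( '.', $m[2] )[0] ), $m[1] ];
    }
    return null;
}

// Assumption: the AD domain IIS authenticates against, in NetBIOS form.
$ldapSsoExpectedDomain = 'DOMAIN';
$ldapSsoUser = parseRemoteUser( $_SERVER['REMOTE_USER'] ?? null );

if ( $ldapSsoUser !== null && $ldapSsoUser[0] === $ldapSsoExpectedDomain ) {
    // Enable auto-authentication only now, and only once, with a real username.
    $wgLDAPAutoAuthDomain = 'DOMAINSSO';
    $wgLDAPAutoAuthUsername = $ldapSsoUser[1];
    AutoAuthSetup();
}
// Any other value (no header, unexpected domain, odd format) falls back to the
// normal login dialog on the DOMAIN configuration instead of auto-logging in.
```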

Ciencia Al Poder (talkcontribs)

Ah, ok, I don't know very well this plugin. When you enter your credentials, those credentials are used to connect to the LDAP and retrieve user information, but with automatic login the user gives no credentials and MediaWiki can't authenticate to LDAP. I think you need to set up $wgLDAPProxyAgent and $wgLDAPProxyAgentPassword so those credentials are used to connect to the LDAP and retrieve this information.

217.6.145.253 (talkcontribs)

That was indeed the problem, thank you very much

:D

Jamal22066 (talkcontribs)

Hi, the extension says that autoauth is not supported on MW versions 1.27 and above. I can confirm this is not working for me on version 1.28. I can login using LDAP but the previous ability of not having to enter any username and password no longer works.


Automatic account creation is not allowed

TroySettle (talkcontribs)

extension for mediawiki 1.28

I'm getting closer to figuring this out, but stuck on automatically creating accounts. Here's my current (sanitized) configuration. I can authenticate, but I then get the message:

Auto-creation of a local account failed: Automatic account creation is not allowed.

require_once ("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPUseLocal = true;

$wgLDAPDebug = 3;
$wgDebugLogGroups['ldap'] = '/tmp/debug.log';

$wgLDAPDomainNames       = array('LOCAL');
$wgLDAPServerNames       = array('LOCAL' => 'local-dc2.local.domain');
$wgLDAPEncryptionType    = array('LOCAL' => 'clear');
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs           = array('LOCAL' => 'ou=Users,ou=LOCAL,dc=domain,dc=local');

$wgLDAPSearchStrings     = array('LOCAL' => 'LOCAL\\USER-NAME');
$wgLDAPSearchAttributes  = array('LOCAL' => 'sAMAccountName' );

$wgLDAPDisableAutoCreate = array('LOCAL' => false);

Any help would be greatly appreciated!

Tz1971 (talkcontribs)

Currently I am using CentOS 7.3, MySQL 5.7 and PHP 7.1, with LDAP over TLS.

LdapAuthentication: REL1_28 2016-11-18T19:08:52 770c89e

In /etc/openldap/ldap.conf I add

TLS_REQCERT allow
TLS hard

and in LocalSettings.php set

$wgLDAPEncryptionType  = array('domain.com' => 'tls');

At this point I cannot authenticate, so I tweak and change some code in LdapAuthenticationPlugin at line 547:

if ( !ldap_start_tls( $this->ldapconn ) ) {

adding @:

if ( !@ldap_start_tls( $this->ldapconn ) ) {

For autocreation, I am stuck at /includes/auth/AuthManager.php between lines 1612 and 1626:

// Is the IP user able to create accounts?
$anon = new User;
/*
if ( !$anon->isAllowedAny( 'createaccount', 'autocreateaccount' ) ) {
    .....
}
*/

Commenting out this block, it now works. (Need a better solution rather than commenting it out.)

For group permissions:

# Implicit group for all visitors
$wgGroupPermissions['*']['createaccount'] = false; // ??? not working
$wgGroupPermissions['*']['autocreateaccount'] = false;  // ???
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createpage'] = false;
$wgGroupPermissions['*']['createtalk'] = false;
$wgGroupPermissions['*']['writeapi'] = false;

Aarango1 (talkcontribs)

Same here. Any help is appreciated. My config:

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array("iRedMail");
$wgLDAPServerNames = array("iRedMail" => "192.168.XX.XX");
$wgLDAPPort = array("iRedMail" => 389);
$wgLDAPEncryptionType = array( "iRedMail" => "clear");
$wgLDAPBaseDNs = array( "iRedMail"=>"o=domains,dc=example,dc=com");
$wgLDAPProxyAgent = array("iRedMail"=>"cn=vmail,dc=example,dc=com");
$wgLDAPProxyAgentPassword = array( "iRedMail"=>"*****");
$wgLDAPUserBaseDNs = array( "iRedMail"=>"o=domains,dc=example,dc=com");
$wgLDAPSearchAttributes = array( "iRedMail" => "mail");
$wgLDAPLowerCaseUsername = array( "iRedMail"=>true);
$wgLDAPUseLocal = true;
$wgLDAPDebug = 3;
$wgDebugLogGroups['ldap'] = '/tmp/debug.log';

Legaulph (talkcontribs)

Same issue

TroySettle (talkcontribs)

FWIW, I finally got it working. Not sure what the difference is here... the $wgGroupPermissions item is not listed on the LDAP extension instructions, but I think this is what did it.

require_once ("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
#$wgLDAPUseLocal = true;
$wgLDAPDomainNames       = array('LOCAL');
$wgLDAPServerNames       = array('LOCAL' => 'local-dc2.mydomain.local');
$wgLDAPEncryptionType    = array('LOCAL' => 'clear');
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs           = array('LOCAL' => 'ou=Users,ou=LOCAL,dc=mydomain,dc=local');
$wgLDAPSearchStrings     = array('LOCAL' => 'LOCAL\\USER-NAME');
$wgLDAPSearchAttributes  = array('LOCAL' => 'sAMAccountName' );
$wgLDAPRetrievePrefs     = array('LOCAL' => true );
$wgGroupPermissions['*']['autocreateaccount'] = true;

Aarango1 (talkcontribs)

I tried that, TroySettle, but no luck. I receive the same failures; what versions do you have installed? (MediaWiki and LDAP please.) Thanks.

Did you create Wiki as Open? private?

NOTE: I solved using wiki 1.23 version.

Legaulph (talkcontribs)

I had to set $wgGroupPermissions['*']['createaccount'] = true;

130.219.8.234 (talkcontribs)

That still did not work for me.

My other anonymous permissions are set to false.

$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = false;

I want this to be a private wiki.

130.219.8.234 (talkcontribs)

It would seem I had to clear all session data and remove cookies from previous logon attempts with my test user as well as comment out self::saveDomain( $user, $_SESSION['wsDomain'] ); from one of the extension's configuration files. It now works.

153.96.128.5 (talkcontribs)

I had this problem, too. In my case, the solution was the one that has already been mentioned above:

1. Switch back to local auth in LocalSettings.php; then log in with a *local* admin/bureaucrat account (the one you set up when installing the wiki).

2. Create a local user with the same name as one that exists in LDAP (give him a bullsh*t password, no need to match the LDAP one). Not mandatory, but if you are smart, this user should be a bureaucrat, as you need at least one LDAP-based bureaucrat anyway. Let's call this user "Ldapboss".

3. Switch again to LDAP auth in LocalSettings.php; then log in with the user Ldapboss you just created. Of course you need to use the user's actual LDAP password this time. Btw, your local admin is now locked out of the system (unless you set $wgLDAPUseLocal to true). This is why you need an LDAP-based bureaucrat.

From this point on, weirdly enough, auto account creation works. It's like you need at least one successful login to make it work. Not sure why, doesn't make sense.

Ask a colleague to log on, or alternatively rename your Ldapboss user to Ldapboss_Trash (Renameuser extension) and log out. Then log in again with Ldapboss using the LDAP credentials. Now your Ldapboss is auto-created (this time as a simple user, as it should be).

Actually, Ryan D Lane (creator and ex-maintainer of the plugin) wrote this in a 2009 blog post. Quote:

"Before enabling the plugin, you should create a user in the local wiki database that exists in AD, and promote that user to sysop. After the plugin is enabled, you will not be able to log in as any user who does not exist in AD."

Brain wang (talkcontribs)

Hi,

While I executed step 3, then use Ldapboss login with LDAP password, I got the following error:

[WMFhIqwRAAIAABOptNUAAAAG] 2017-03-09 14:05:24: Fatal exception of type "DBQueryError"

Is it normal?

But it looks I have already logged in.

223.166.93.186 (talkcontribs)

Hi,

Any news on Brain Wang's problem? I experience the same issue. The user seems to be logged in; however, logging in with another user from LDAP still fails.

195.212.29.162 (talkcontribs)

Today I ran into the same issue, and found that the LDAP plugin did not have the right to autocreate users, despite the autocreateaccount group permission being allowed. Then I found that the referenced table (ldap_domains) did not exist in the database (thus throwing the authmanager-autocreate-noperm errors). Creating the table in the right database, based on extensions/LdapAuthentication/schema/ldap-mysql.sql, seems to have fixed the issue:

# mysql -u root -p
Enter password:
mysql> use my_wiki
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> CREATE TABLE ldap_domains (domain_id int not null primary key auto_increment,domain varchar(255) binary not null,user_id int not null);
Query OK, 0 rows affected (0.00 sec)

85.220.204.126 (talkcontribs)

This worked for me. Thanks

145.109.211.76 (talkcontribs)

I am running a private Wiki

$wgGroupPermissions['*']['autocreateaccount'] = true;

fixed it for me. If you read the changelog of 1.27:

* MediaWiki will now auto-create users as necessary, removing the need for
  extensions to do so. An 'autocreateaccount' right is added to allow
  auto-creation when 'createaccount' is not granted to all users.

31.221.114.66 (talkcontribs)

I resolved the problem by setting the $wgGroupPermissions['*']['autocreateaccount'] = true but also assigning CHMOD permissions to all .php files in /mediawiki to 777 for the local account I was using.

70.67.200.45 (talkcontribs)

For anyone else with this error:

Do set $wgGroupPermissions['*']['autocreateaccount'] = true;

Then delete your session cookie and reload the page to get a new session before trying again. Your session gets added to an account auto-creation blacklist when it fails the first time, which happens to give the exact same error message.

Not working with MW 1.27

193.33.2.101 (talkcontribs)

I am trying to use it but it is not working. I have downloaded the 1.27 version and the 1.26 version, but nothing changed. I commented out the line that some users said:

self::saveDomain( $user, $_SESSION['wsDomain'] );

And still not working... My Localsettings is like this:

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( 'domain.ES' );
$wgLDAPServerNames = array('domain.ES' => 'server1.domain.es server2.domain.es');
$wgLDAPUseLocal = true;
$wgLDAPSearchStrings = array( 'domain.ES' => 'USER-NAME@domain.ES' );
$wgLDAPEncryptionType = array('domain.ES'=>'clear' );

Please HELP! :(

193.33.2.101 (talkcontribs)

I finally fixed it! I updated my MW to 1.27.1 and did the following steps:

1. In the environment variables, in PATH, I added ";C:\xampp\php".
2. In C:\xampp\php\php.ini, I uncommented the line ";extension=php_ldap.dll".
3. I created the folder C:\OpenLDAP\sysconf and inside it created the file ldap.conf with the following content: "TLS_REQCERT never".
4. I restarted the server.

I got the error "Auto-creation of a local account failed: Automatic account creation is not allowed" when I tried to log in. I added the line "$wgGroupPermissions['*']['autocreateaccount'] = true;" to LocalSettings and it is working!

70.67.200.45 (talkcontribs)

For anyone else with this error:

Do set $wgGroupPermissions['*']['autocreateaccount'] = true;

And then delete your site cookie and refresh the page to get a new session ID before trying again; your session gets an account creation blacklist flag when it fails the first time.


Failing to bind when using SSL encryption type

204.114.196.21 (talkcontribs)

Hi all,

I am getting "Failing to bind" and "UserDN is blank" errors in the debug logs when I set the encryption type to SSL in my LocalSettings.php file; however, when setting the encryption type to CLEAR, it works fine.

Please suggest on this

Thanks!
