Extension talk:LDAP Authentication


About this board


How to ask for support

There are a couple of key pieces of info I always need:

  1. The MediaWiki version you are using
  2. The LdapAuthentication extension version you are using

I very often will need to see two other things when you ask for support, so you should have them prepared:

  1. Your configuration, with sensitive stuff snipped out
  2. The extension's debug log, with sensitive stuff snipped out

When you are trying to debug an authentication problem, you should always use the most basic configuration possible. For instance, if you don't have basic authentication working yet, you shouldn't have group restrictions or group synchronization enabled yet. I will generally ask you to disable these things when debugging.

Also, $wgLDAPUseLocal is almost never what you want to use. It's a frequent cause of configuration issues, and unless you really know what you are doing, it should not be set (or explicitly set to false, which is the default).

Most importantly of all: ensure you are using the newest version of the extension. From the extension distributor, that's the "master" version. If you are using git, just make sure you use git pull && git reset --hard origin/master. This is one of the more common causes of problems.

How to submit a bug

If you've found a bug, please submit it here.


Error: The supplied credentials could not be authenticated.

Marove (talkcontribs)

Hello everybody,

Error:

While authenticating an existing user, it is not possible to log on: The supplied credentials could not be authenticated.

Solution:

The username was "firstname_lastname". The underscore is not allowed! Changing the LDAP username to firstname.lastname was the solution. The user could log on again.

I hope this is a help for everybody. I would recommend activating the error log with:

## Logging Debug-Information for LDAP
$wgLDAPDebug = 3;
$wgDebugLogGroups["ldap"] = "/var/log/nginx/wiki_ldap.log";

Regards

125.140.111.101 (talkcontribs)

hello

here is my config

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
require_once ('includes/AuthPlugin.php');

$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( 'ldap' );
$wgLDAPServerNames = array( 'ldap' => 'my.ldapserver.com' );
$wgLDAPUseLocal = false;
$wgLDAPEncryptionType = array( 'ldap' => 'clear' );
$wgLDAPPort = array( 'ldap' => 389 );
$wgLDAPDebug = 3;
$wgDebugLogGroups['ldap'] = '/tmp/ldap.log';

I just tried to log in one time, but it created a log of 170 lines.

I don't know where the problem is.

I think

2017-04-07 01:13:33 (none) wikiDB: 2.1.0 Created a regular filter: (=myadmin)
2017-04-07 01:13:33 (none) wikiDB: 2.1.0 Entering getBaseDN
2017-04-07 01:13:33 (none) wikiDB: 2.1.0 Entering getDomain
2017-04-07 01:13:33 (none) wikiDB: 2.1.0 basedn is not set for this type of entry, trying to get the default basedn.
2017-04-07 01:13:33 (none) wikiDB: 2.1.0 Entering getBaseDN
2017-04-07 01:13:33 (none) wikiDB: 2.1.0 Entering getDomain
2017-04-07 01:13:33 (none) wikiDB: 2.1.0 basedn is not set.
2017-04-07 01:13:33 (none) wikiDB: 2.1.0 Using base:
2017-04-07 01:13:33 (none) wikiDB: 2.1.0 Couldn't find an entry
2017-04-07 01:13:33 (none) wikiDB: 2.1.0 userdn is:
2017-04-07 01:13:33 (none) wikiDB: 2.1.0 User DN is blank
2017-04-07 01:13:33 (none) wikiDB: 2.1.0 Entering strict.
2017-04-07 01:13:33 (none) wikiDB: 2.1.0 Entering getDomain
2017-04-07 01:13:33 (none) wikiDB: 2.1.0 Returning true in strict().

here, or the many attempts at "Entering ~~", is the problem

help me...

MarkAHershberger (talkcontribs)

Just looking over your logs (and not knowing a lot about this plugin): have you tried setting $wgLDAPBaseDNs ?

// If you are using AD style binding (TDOMAIN\\USER-NAME or USER-NAME@TDOMAIN) and
// want to be able to use group syncing, preference pulling, etc., you'll need to set
// $wgLDAPBaseDNs and $wgLDAPSearchAttributes for the domain.
Reply to "I don't know where is the problem"
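
The log excerpt in this thread, run through a small triage script. This is an added example, not part of the original posts or of the extension; `triageLdapLog()`, the hint texts and the sample lines are constructed for illustration, using only messages that appear in the logs on this page.

```php
<?php
// Added example (PHP 7+); not part of the LdapAuthentication extension.
// triageLdapLog() and the sample log are constructed for illustration.

// Messages seen in the debug logs on this page, with the setting to check.
const LDAP_LOG_HINTS = [
    'basedn is not set.' =>
        'no base DN is configured for the domain: check $wgLDAPBaseDNs',
    'User DN is blank' =>
        'no user DN was resolved, so there is nothing to bind as',
    "Couldn't find the user in any groups." =>
        'check that $wgLDAPRequiredGroups maps the domain to an array of group DNs',
];

function triageLdapLog( string $log ): array {
    $report = [ 'trace' => 0, 'other' => 0, 'unparsed' => 0, 'findings' => [] ];
    foreach ( preg_split( '/\R/', $log, -1, PREG_SPLIT_NO_EMPTY ) as $line ) {
        // Line layout: "<date> <time> <host> <db>: <version> <message>"
        if ( !preg_match( '/^(\S+ \S+) \S+ \S+: \S+ (.*)$/', $line, $m ) ) {
            $report['unparsed']++;
            continue;
        }
        $message = trim( $m[2] );
        if ( strpos( $message, 'Entering ' ) === 0 ) {
            // Function-entry trace line; not an error in itself.
            $report['trace']++;
        } elseif ( array_key_exists( $message, LDAP_LOG_HINTS ) ) {
            $report['findings'][] = [
                'time'    => $m[1],
                'message' => $message,
                'hint'    => LDAP_LOG_HINTS[$message],
            ];
        } else {
            $report['other']++;
        }
    }
    return $report;
}

// Constructed sample in the format of the log excerpt above.
$sample = <<<'LOG'
2017-04-07 01:13:33 (none) wikiDB: 2.1.0 Entering getBaseDN
2017-04-07 01:13:33 (none) wikiDB: 2.1.0 Entering getDomain
2017-04-07 01:13:33 (none) wikiDB: 2.1.0 basedn is not set.
2017-04-07 01:13:33 (none) wikiDB: 2.1.0 Using base:
2017-04-07 01:13:33 (none) wikiDB: 2.1.0 Couldn't find an entry
2017-04-07 01:13:33 (none) wikiDB: 2.1.0 User DN is blank
2017-04-07 01:13:33 (none) wikiDB: 2.1.0 Entering strict.
LOG;

$report = triageLdapLog( $sample );
printf(
    "%d trace lines, %d other lines, %d unparsed\n",
    $report['trace'], $report['other'], $report['unparsed']
);
foreach ( $report['findings'] as $f ) {
    printf( "%s  %s\n    -> %s\n", $f['time'], $f['message'], $f['hint'] );
}
```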

Automatic account creation is not allowed

TroySettle (talkcontribs)

extension for mediawiki 1.28

I'm getting closer to figuring this out, but stuck on automatically creating accounts. Here's my current (sanitized) configuration. I can authenticate, but I then get the message:

Auto-creation of a local account failed: Automatic account creation is not allowed.

require_once ("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPUseLocal = true;

$wgLDAPDebug = 3;
$wgDebugLogGroups['ldap'] = '/tmp/debug.log';

$wgLDAPDomainNames       = array('LOCAL');
$wgLDAPServerNames       = array('LOCAL' => 'local-dc2.local.domain');
$wgLDAPEncryptionType    = array('LOCAL' => 'clear');
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs           = array('LOCAL' => 'ou=Users,ou=LOCAL,dc=domain,dc=local');

$wgLDAPSearchStrings     = array('LOCAL' => 'LOCAL\\USER-NAME');
$wgLDAPSearchAttributes  = array('LOCAL' => 'sAMAccountName' );

$wgLDAPDisableAutoCreate = array('LOCAL' => false);

Any help would be greatly appreciated!

Tz1971 (talkcontribs)

currently I am using Centos 7.3, MySql 5.7 and PHP 7.1 LDAP TLS

LdapAuthentication: REL1_28 2016-11-18T19:08:52 770c89e

in /etc/openldap/ldap.conf

I add

TLS_REQCERT allow    

TLS hard

and LocalSettings.php setting

$wgLDAPEncryptionType  = array('domain.com' => 'tls');

at this point cannot authenticate

so I tweaked and changed some code in LdapAuthenticationPlugin at line 547

if ( !ldap_start_tls( $this->ldapconn ) ) {

add @

if ( !@ldap_start_tls( $this->ldapconn ) ) {

for autocreation, I got stuck at /includes/auth/AuthManager.php between line 1612 and 1626

// Is the IP user able to create accounts?

$anon = new User;

/*

if ( !$anon->isAllowedAny( 'createaccount', 'autocreateaccount' ) ) {

.....

}

*/

comment out this block, now working. (need better solution rather than comment out)

for group permission

# Implicit group for all visitors

$wgGroupPermissions['*']['createaccount'] = false; // ??? not working

$wgGroupPermissions['*']['autocreateaccount'] = false;  // ???

$wgGroupPermissions['*']['read'] = false;

$wgGroupPermissions['*']['edit'] = false;

$wgGroupPermissions['*']['createpage'] = false;

$wgGroupPermissions['*']['createtalk'] = false;

$wgGroupPermissions['*']['writeapi'] = false;

Aarango1 (talkcontribs)

Same here. Any help is appreciated. My config:

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );

$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array("iRedMail");

$wgLDAPServerNames = array("iRedMail" => "192.168.XX.XX");

$wgLDAPPort = array("iRedMail" => 389);

$wgLDAPEncryptionType = array( "iRedMail" => "clear");

$wgLDAPBaseDNs = array( "iRedMail"=>"o=domains,dc=example,dc=com");

$wgLDAPProxyAgent = array("iRedMail"=>"cn=vmail,dc=example,dc=com");

$wgLDAPProxyAgentPassword = array( "iRedMail"=>"*****");

$wgLDAPUserBaseDNs = array( "iRedMail"=>"o=domains,dc=example,dc=com");

$wgLDAPSearchAttributes = array( "iRedMail" => "mail");

$wgLDAPLowerCaseUsername = array( "iRedMail"=>true);

$wgLDAPUseLocal = true;

$wgLDAPDebug = 3;

$wgDebugLogGroups['ldap'] = '/tmp/debug.log';

Legaulph (talkcontribs)

Same issue

TroySettle (talkcontribs)

FWIW, I finally got it working. Not sure what the difference is here... the $wgGroupPermissions item is not listed on the LDAP extension instructions, but I think this is what did it.

require_once ("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
#$wgLDAPUseLocal = true;
$wgLDAPDomainNames       = array('LOCAL');
$wgLDAPServerNames       = array('LOCAL' => 'local-dc2.mydomain.local');
$wgLDAPEncryptionType    = array('LOCAL' => 'clear');
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs           = array('LOCAL' => 'ou=Users,ou=LOCAL,dc=mydomain,dc=local');
$wgLDAPSearchStrings     = array('LOCAL' => 'LOCAL\\USER-NAME');
$wgLDAPSearchAttributes  = array('LOCAL' => 'sAMAccountName' );
$wgLDAPRetrievePrefs     = array('LOCAL' => true );
$wgGroupPermissions['*']['autocreateaccount'] = true;
Aarango1 (talkcontribs)

I tried with that, TroySettle, but no luck. I receive the same failures. What versions do you have installed? (MediaWiki and LDAP please) Thanks.

Did you create Wiki as Open? private?

NOTE: I solved using wiki 1.23 version.

Legaulph (talkcontribs)

I had to set $wgGroupPermissions['*']['createaccount'] = true;

130.219.8.234 (talkcontribs)

That still did not work for me.

My other anonymous permissions are set to false.

$wgGroupPermissions['*']['edit'] = false; $wgGroupPermissions['*']['read'] = false;

I want this to be a private wiki.

130.219.8.234 (talkcontribs)

It would seem I had to clear all session data and remove cookies from previous logon attempts with my test user as well as comment out self::saveDomain( $user, $_SESSION['wsDomain'] ); from one of the extension's configuration files. It now works.

153.96.128.5 (talkcontribs)

I had this problem, too. In my case, the solution was the one that has already been mentioned above:

1. switch back to local auth in LocalSettings.php; then login with a *local* admin/bureaucrat account (the one you set up when installing the wiki).

2. create a local user with the same name as one that exists in LDAP (give him a bullsh*t password, no need to match the LDAP one). Not mandatory, but if you are smart, this user should be a bureaucrat as you need at least one LDAP-based bureaucrat anyways. Let's call this user "Ldapboss".

3. switch again to LDAP auth in LocalSettings.php; then login with the user Ldapboss you just created. Of course you need to use the user's actual LDAP password this time. Btw, your local admin is now locked out of the system (unless you set wgLDAPUseLocal to true). This is why you need an LDAP-based bureaucrat.

From this point on, weirdly enough, auto account creation works. It's like, you need at least one successful login to make it work. Not sure why, doesn't make sense.

Ask a colleague to log on, or alternatively, rename your Ldapboss user to Ldapboss_Trash (Renameuser extension) and logout. Then login again with Ldapboss using again the LDAP credentials. Now, your Ldapboss is auto-created (this time as a simple user, as it should).

Actually, Ryan D Lane (creator and ex-maintainer of the plugin) has this written in a 2009 blog post. Quote:

"Before enabling the plugin, you should create a user in the local wiki database that exists in AD, and promote that user to sysop. After the plugin is enabled, you will not be able to log in as any user who does not exist in AD."

Brain wang (talkcontribs)

Hi,

When I executed step 3 and then logged in as Ldapboss with the LDAP password, I got the following error:

[WMFhIqwRAAIAABOptNUAAAAG] 2017-03-09 14:05:24: Fatal exception of type "DBQueryError"

Is it normal?

But it looks like I have already logged in.

223.166.93.186 (talkcontribs)

Hi,

Any news on Brain Wang's problem? I experience the same issue. The user seems to be logged in, however logging in with another user from LDAP still fails.

195.212.29.162 (talkcontribs)

Today I ran into the same issue, and found that the LDAP plugin does not have the right to autocreate users, despite the allowed autocreateaccount Group Permission setting. Then I found that the referred table (ldap_domains) did not exist in the database (and thus throwing the authmanager-autocreate-noperm errors). Creating the table in the right database based on the extensions/LdapAuthentication/schema/ldap-mysql.sql seems to have fixed the issue:

# mysql -u root -p

Enter password:

mysql> use my_wiki

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A

Database changed

mysql> CREATE TABLE ldap_domains (domain_id int not null primary key auto_increment,domain varchar(255) binary not null,user_id int not null);

Query OK, 0 rows affected (0.00 sec)

85.220.204.126 (talkcontribs)

This worked for me. Thanks


Attribute based access restrictions [Solved]

Suaudeau (talkcontribs)

extension for mediawiki 1.28

Hello, I want to restrict the access to users with a specific attribute.

Here is one of my user:

dn: uid=doe,ou=Staff,ou=People,dc=my-university,dc=org
cn: Doe John
uid: doe
mail: john.doe@my-university.org
ou: MainBuilding

How can I restrict the access to people with ou=MainBuilding ?

Here is my LocalSettings.php config which is functional, but not restrictive enough:

require_once( "extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array('univLDAPdomain');
$wgLDAPServerNames = array('univLDAPdomain' => 'ldap.my-university.org',);
$wgLDAPEncryptionType = array('univLDAPdomain' => 'tls');
$wgLDAPSearchStrings = array(
    'univLDAPdomain' => 'uid=USER-NAME,ou=Staff,ou=people,dc=my-university,dc=org',
   );

Thank you!

Suaudeau (talkcontribs)

I have found the solution. I have just to add in LocalSettings.php:

$wgLDAPAuthAttribute = array('univLDAPdomain' => 'ou=MainBuilding',);

Is there any way to mass import all users from AD using this extension?

65.87.238.103 (talkcontribs)

Is there any way to mass import all users from AD using this extension?

203.144.93.59 (talkcontribs)

This "LDAP Authentication" plug-in is basically unmaintained. It does not work correctly in MediaWiki 1.27 or newer.

Do not waste your time trying to integrate MediaWiki with enterprise systems. It is not properly supported.

Mainframe98 (talkcontribs)

The fact that it runs successfully on wikitech:Special:Version proves the opposite.

MarkAHershberger (talkcontribs)

The copy on Wikitech is updated by the WMF but much of the functionality has been stripped. Major parts of the extension are un-maintained.

165.225.36.50 (talkcontribs)

These three steps worked for me (on WIMP):

First manually create an account for an AD user as per Ryan Lane's blog. Then login with this account (using LdapAuthenticationPlugin, but not AutoAuthentication)

$wgDisableAuthManager = true; //Disable the newly introduced Mediawiki authentication scheme that is incompatible with AutoAuth. Weird thing is that LdapAuthenticationPlugin without auto-login is unaffected.

Run >php wiki\maintenance\update.php to build ldap tables (after login as manually created AD user)

Reply to "Buyer beware!!"

LDAP Authentication fails with SSL Encryption

Dturtill (talkcontribs)

I am trying to configure LDAP Authentication with my AD server. If I have the encryption set to clear it works fine; however, when I change this to ssl it fails to bind.

Product Version
MediaWiki 1.28.0
PHP 5.6.30-0+deb8u1 (apache2handler)
MySQL 5.5.54-0+deb8u1
Dturtill (talkcontribs)

config is as below

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );

$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array( "mydomain" );

$wgLDAPServerNames = array( "mydomain"=>"server.mydomain.cmydomainltd.co.uk"  );

$wgLDAPUseLocal = false;

$wgLDAPSearchStrings = array('mydomain' => 'mydomain\\USER-NAME',);

$wgLDAPEncryptionType = array( "mydomain"=>"clear" );

$wgLDAPBaseDNs = array( "mydomain"=>"ou=mydomain,dc=mydomain,dc=cmydomainltd,dc=co,dc=uk" );

$wgLDAPSearchAttributes = array( "mydomain"=>"sAMAccountName" );

$wgLDAPGroupUseFullDN = array( "mydomain"=>true );

$wgLDAPLowerCaseUsername = array( "mydomain"=>true );

$wgLDAPGroupObjectclass = array( "mydomain"=>"group" );

$wgLDAPGroupAttribute = array( "mydomain"=>"member" );

$wgLDAPGroupNameAttribute = array( "mydomain"=>"cn" );

$wgLDAPGroupBaseDNs = array( "mydomain"=>"ou=Groups,ou=mydomain,dc=mydomain,dc=cmydomainltd,dc=co,dc=uk" );

$wgLDAPUserBaseDNs = array( "mydomain"=>"ou=mydomain,dc=mydomain,dc=cmydomainltd,dc=co,dc=uk" );

$wgLDAPOptions = array("ad"=>array( LDAP_OPT_DEREF, 0 ));

$wgLDAPRequiredGroups = array( "mydomain"=> array("cn=itwiki,ou=Groups,ou=mydomain,dc=mydomain,dc=cmydomainltd,dc=co,dc=uk") );

$wgLDAPGroupSearchNestedGroups = array( "mydomain"=>true );

$wgLDAPActiveDirectory = array( "mydomain" => true);

$wgLDAPUpdateLDAP = array("DOMAIN"=>false);

$wgLDAPAddLDAPUsers = array("DOMAIN"=>false);

$wgLDAPDebug = 3;

$wgDebugLogGroups['ldap'] = "/tmp/wiki.ldap.debug-{$wgDBname}.log";

$wgShowExceptionDetails = true;

Dturtill (talkcontribs)

[a8aaa10042fe5e77d2cff1c2] 2017-03-08 10:07:02: Fatal exception of type "DBQueryError"

Ciencia Al Poder (talkcontribs)

Try looking at the debug log for something relevant. Maybe the SSL cert is not recognized as trusted by the server and thus rejected.

Dturtill (talkcontribs)

With SSL on it just states Failed to Bind as (username)

With Clear on it seems to bind but then gives the Database error


LDAP Authentication extension to registration not working

131.203.91.54 (talkcontribs)

Hi

I am trying to get the LdapAuthentication extension to work with my upgraded MediaWiki. Our previous setup was

Product Version
MediaWiki 1.24.4
PHP 5.6.30 (apache2handler)
MySQL 5.6.16
Apache 2.4.16
OS Windows Server 2012R2

The LdapAuthentication worked fine with the above version of MediaWiki.

Once we upgraded to the newer version, I am getting the errors below.

MediaWiki 1.28.0
PHP 7.0.15 (apache2handler)
MySQL 5.6.0
Apache 2.4.25
OS Windows Server 2012R2

I am trying to run convertExtensionToRegistration.php on LdapAuthentication and I get the following error:

C:\PHP\php.exe : Error: Global functions cannot be converted to JSON. Please move the handler for LoadExtensionSchemaUpdates inside a class.

At line:1 char:1

This does create an extension file but when I run update.php I get the following error:

C:\PHP\php.exe : [2ede5ca9f218d5e8ed5d0e2a] [no req]   MWException from line 176 of E:\Websites\MediaWiki\includes\Hooks.php: Invalid callback 

efLdapAuthenticationSchemaUpdates in hooks for LoadExtensionSchemaUpdates

At line:1 char:1

+ C:\PHP\php.exe .\maintenance\update.php

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : NotSpecified: ([2ede5ca9f218d5...onSchemaUpdates:String) [], RemoteException

    + FullyQualifiedErrorId : NativeCommandError 

Backtrace:

#0 E:\Websites\MediaWiki\includes\installer\DatabaseUpdater.php(122): Hooks::run(string, array)

#1 E:\Websites\MediaWiki\includes\installer\DatabaseUpdater.php(187): DatabaseUpdater->__construct(DatabaseMysqli, boolean, UpdateMediaWiki)

#2 E:\Websites\MediaWiki\maintenance\update.php(171): DatabaseUpdater::newForDB(DatabaseMysqli, boolean, UpdateMediaWiki)

#3 E:\Websites\MediaWiki\maintenance\doMaintenance.php(111): UpdateMediaWiki->execute()

#4 E:\Websites\MediaWiki\maintenance\update.php(217): require_once(string)

#5 {main}

Can anyone please help with this?

Summary by Ciencia Al Poder
62.192.2.194 (talkcontribs)

Hi,

I have a mediawiki for internal Company use only. The ldap authentication extension is configured to let anyone automatically login and read the wiki who has got a Domain account. This is working without issues.

Since I activated debug- and db-error logs for the whole wiki for monitoring purposes there is a DB-Error that bothers me. It looks like this and is logged twice each time a user logs in:

[cookie] setcookie: "company_wikiUserID", "99", "1499157222", "/", "", "", "1"
[cookie] setcookie: "company_wikiUserName", "Username", "1499157222", "/", "", "", "1"
[cookie] setcookie: "company_wikiToken", "", "1483518822", "/", "", "", "1"
[cookie] setcookie: "company_wikiUserID", "99", "1499157222", "/", "", "", "1"
[cookie] setcookie: "company_wikiUserName", "Username", "1499157222", "/", "", "", "1"
[cookie] setcookie: "company_wikiToken", "", "1483518822", "/", "", "", "1"

[Bug56269] Exception thrown with an uncommited database transaction: [6f314852] /load.php?debug=false&lang=de&modules=site&only=styles&skin=monobook&* DBQueryError from line 1246 of /var/www/mediawiki-1.25.1/includes/db/Database.php: A database error has occurred. Did you forget to run maintenance/update.php after upgrading? See: https://www.mediawiki.org/wiki/Manual:Upgrading#Run_the_update_script

Query: UPDATE `ldap_domains` SET domain = 'domain.local' WHERE user_id = '99'

Function: LdapAuthenticationPlugin::saveDomain

Error: 1213 Deadlock found when trying to get lock; try restarting transaction (localhost)

#0 /var/www/mediawiki-1.25.1/includes/db/Database.php(1205): DatabaseBase->reportQueryError('Deadlock found ...', 1213, 'UPDATE `ldap_d...', 'LdapAuthenticat...', false)
#1 /var/www/mediawiki-1.25.1/includes/db/Database.php(2153): DatabaseBase->query('UPDATE `ldap_d...', 'LdapAuthenticat...')
#2 /var/www/mediawiki-1.25.1/extensions/LdapAuthentication/LdapAuthentication.php(2069): DatabaseBase->update('ldap_domains', Array, Array, 'LdapAuthenticat...')
#3 /var/www/mediawiki-1.25.1/extensions/LdapAuthentication/LdapAuthentication.php(1240): LdapAuthenticationPlugin::saveDomain(Object(User), 'domain.local')
#4 /var/www/mediawiki-1.25.1/extensions/LdapAuthentication/LdapAutoAuthentication.php(63): LdapAuthenticationPlugin->updateUser(Object(User))
#5 [internal function]: LdapAutoAuthentication::Authenticate(Object(User))
#6 /var/www/mediawiki-1.25.1/includes/Hooks.php(209): call_user_func_array('LdapAutoAuthent...', Array)
#7 /var/www/mediawiki-1.25.1/includes/User.php(365): Hooks::run('UserLoadAfterLo...', Array)
#8 /var/www/mediawiki-1.25.1/includes/User.php(2583): User->load()
#9 /var/www/mediawiki-1.25.1/extensions/FormMailer/FormMailer.php(54): User->getRealName()
#10 [internal function]: wfSetupFormMailer()
#11 /var/www/mediawiki-1.25.1/includes/Setup.php(678): call_user_func('wfSetupFormMail...')
#12 /var/www/mediawiki-1.25.1/includes/WebStart.php(138): require_once('/var/www/mediaw...')
#13 /var/www/mediawiki-1.25.1/load.php(30): require('/var/www/mediaw...')
#14 {main}

My Setup:

  • OS: Debian 8.4
  • Mediawiki: 1.25.1
  • PHP: 5.6.20
  • DBMS: MySQL 5.5.49
  • Web Server: Apache 2.4.10
  • Directory Server: Active Directory (2008 - 2012 R2)

How can I solve that Deadlock Error?

62.192.2.194 (talkcontribs)

Sorry I forgot to mention that LDAP Authentication is Version 2.1.0 REL 1.25.

Ciencia Al Poder (talkcontribs)

I've created a task in phabricator about this: task T157293

62.192.2.194 (talkcontribs)

Hi,

thanks for the reply. I managed to solve the error after the hint to the formmailer extension was given.

The problem was simply put that two variables (via User->getRealName()) were set at the wrong place of the formmailer-script (I edited that script a few months ago). After putting those into an if-clause, the error disappeared.

192.36.220.66 (talkcontribs)

Hi, I have been 2 days with this, I start to feel desperate.

If I comment out $wgLDAPRequiredGroups, all can log in; if I don't, nobody can (even if in the required group)

Using: Latest version (from the web), Windows server 2012R2 with AD

The modified lines in LocalSettings.php

require_once ("extensions/LdapAuthentication/LdapAuthentication.php");

$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array("domain");

$wgLDAPServerNames = array("ad"=>"servername.ad");

$wgLDAPUseLocal = false;

$wgLDAPEncryptionType = array("ad"=>"clear");

$wgLDAPBaseDNs = array("ad"=> "dc=ad");

$wgLDAPSearchAttributes = array("ad"=>"sAMAccountName");

$wgLDAPRetrievePrefs = array("ad" => true );

$wgLDAPPreferences = array( "ad" => array( "email" => "mail"));

$wgLDAPProxyAgent = array("ad" => "binduser@ad");

$wgLDAPProxyAgentPassword = array("ad" => "password");

$wgLDAPGroupUseFullDN = array( "ad" => true);

$wgLDAPLowerCaseUsername = array("ad" => false);

$wgLDAPGroupObjectclass = array("ad" => "group");

$wgLDAPGroupAttribute = array("ad" => "member");

$wgLDAPGroupNameAttribute = array( "ad" => "cn");

$wgLDAPGroupBaseDNs = array( "ad" => "dc=ad");

$wgLDAPUserBaseDNs = array( "ad" => "dc=ad");

$wgLDAPOptions = array("ad"=>array( LDAP_OPT_DEREF, 0 ));

$wgLDAPLowerCaseUsername = array( "ad"=>true );

$wgLDAPRequiredGroups = array( "ad" => "cn=wiki,cn=users,dc=ad");

$wgLDAPGroupSearchNestedGroups = array("ad" => true);

$wgLDAPActiveDirectory = array( "ad" => true);

$wgLDAPDebug = 3;

$wgDebugLogGroups['ldap'] = "/tmp/wiki.ldap.debug-{$wgDBname}.log";

$wgShowExceptionDetails = true;

The logs show this:

2017-02-15 15:28:28 wiki wikidb: 2.1.0 Checking against: cn=users,cn=builtin,dc=ad

2017-02-15 15:28:28 wiki wikidb: 2.1.0 Checking against: cn=domain users,cn=users,dc=ad

2017-02-15 15:28:28 wiki wikidb: 2.1.0 Checking against: cn=crp,cn=users,dc=ad

2017-02-15 15:28:28 wiki wikidb: 2.1.0 Checking against: cn=wiki,cn=users,dc=ad

2017-02-15 15:28:28 wiki wikidb: 2.1.0 Checking against: cn=projects,cn=users,dc=ad

2017-02-15 15:28:28 wiki wikidb: 2.1.0 Checking against: cn=redmine,cn=users,dc=ad

2017-02-15 15:28:28 wiki wikidb: 2.1.0 Couldn't find the user in any groups.

The user is in the group wiki. Originally the group was called WIKI, created wiki and deleted the other one just in case, same result

A bit desperate here, please help!

Thx

Erengard

PS: ad is dc=something,dc=something,dc=something (obviously)

192.36.220.66 (talkcontribs)

2 days more and I found it. For future reference:

Required Groups needs an ARRAY of groups. I was entering the group without array

$wgLDAPRequiredGroups = array( "ad" => array ( "cn=wiki,cn=users,dc=ad"));

For future evolutions, I would change it so a string is converted to an array of one element. It seems like it is a normal mistake (I have even seen it like that in 2 manuals, already informed them)

Thx for your help!

Erengard

Reply to "Another $wgLDAPRequiredGroups problem..."
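
A pre-flight check for the per-domain settings discussed in this thread, written as an added example (it is not code from the posts above or from the extension). It flags a `$wgLDAPRequiredGroups` entry that is a string instead of an array, per-domain keys that are not listed in `$wgLDAPDomainNames`, and the `clear` encryption type; `lintLdapConfig()` and all sample values are constructed for illustration.

```php
<?php
// Added example (PHP 7+); not part of the LdapAuthentication extension.
// lintLdapConfig() is a hypothetical helper. Pass it only the settings that
// are arrays keyed by domain name, not scalars such as $wgLDAPDebug.

function lintLdapConfig( array $domains, array $settings ): array {
    $findings = [];
    foreach ( $settings as $name => $perDomain ) {
        if ( !is_array( $perDomain ) ) {
            $findings[] = sprintf( "\$%s must be an array keyed by domain name", $name );
            continue;
        }
        foreach ( $perDomain as $domain => $value ) {
            // A key that is not a configured domain is never looked up.
            if ( !in_array( (string)$domain, $domains, true ) ) {
                $findings[] = sprintf(
                    "\$%s: key '%s' is not listed in \$wgLDAPDomainNames", $name, $domain
                );
            }
            // The mistake resolved in this thread: a bare string of one group DN.
            if ( $name === 'wgLDAPRequiredGroups' && !is_array( $value ) ) {
                $findings[] = sprintf(
                    "\$%s['%s'] must be an array of group DNs, got %s",
                    $name, $domain, gettype( $value )
                );
            }
            // 'clear' means the bind password travels to the server unencrypted.
            if ( $name === 'wgLDAPEncryptionType' && $value === 'clear' ) {
                $findings[] = sprintf(
                    "\$%s['%s'] is 'clear': use 'tls' or 'ssl' outside of debugging",
                    $name, $domain
                );
            }
        }
    }
    // Every configured domain needs a server entry to be usable.
    foreach ( $domains as $domain ) {
        if ( !isset( $settings['wgLDAPServerNames'][$domain] ) ) {
            $findings[] = sprintf( "domain '%s' has no entry in \$wgLDAPServerNames", $domain );
        }
    }
    return $findings;
}

// Constructed sample configuration (placeholder names and DNs).
$domains  = [ 'corp' ];
$settings = [
    'wgLDAPServerNames'    => [ 'corp' => 'dc1.corp.example' ],
    'wgLDAPEncryptionType' => [ 'corp' => 'clear' ],
    'wgLDAPUpdateLDAP'     => [ 'DOMAIN' => false ],
    'wgLDAPRequiredGroups' => [ 'corp' => 'cn=wiki,cn=users,dc=corp,dc=example' ],
];

foreach ( lintLdapConfig( $domains, $settings ) as $finding ) {
    echo $finding, "\n";
}
```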