Extension talk:PluggableAuth/2023
This page used the Structured Discussions extension to give structured discussions. It has since been converted to wikitext, so the content and history here are only an approximation of what was actually displayed at the time these comments were made.
When reporting an error, please be sure to include version information for MediaWiki and all relevant extensions as well as configuration information. Also, please turn on debug logging as described at Manual:How to debug#Logging and include the relevant portions of the debug log.
timeline for supporting LDAPAuthentication2
RESOLVED: It is now supported
The following discussion is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.
hi! do you have a rough estimate when PluggableAuth will support LDAPAuthentication2? thanks a lot for your work! Stefansschauer (talk) 08:46, 27 January 2023 (UTC)
- @Osnard is working on the update to LDAPAuthentication2 that will be compatible with the latest version of PluggableAuth. I'm not sure if he has an estimated timeline. Cindy.cicalese (talk) 18:21, 27 January 2023 (UTC)
- Updated versions of the LDAP-Stack extensions should be released within the next couple of weeks. Osnard (talk) 11:02, 28 March 2023 (UTC)
- Any news on the update of LDAP Stack addons? I would like to use them with PluggableAuth 6.2. Aseicor (talk) 12:35, 28 April 2023 (UTC)
- Implementation is basically done. Tests need to be performed before we can release officially. Sorry, no schedule for this at the moment. Hopefully very soon :) Osnard (talk) 07:31, 2 May 2023 (UTC)
- ExtensionDistributor is shipping LDAPAuthorization 1.1.1 for MW 1.39, and that requires PluggableAuth 6 or later. LDAPAuthorization 1.1.0 initially works but hardcodes a call to AuthManager::singleton() like @FredBloggs71 encountered below. Fixing that the same way Fred did gets me the "Fatal error authenticating user" like @Joernc unibi encountered above, but I seem to be logged in now?
- LDAPAuthentication2 2.0.0 also seems to die with PluggableAuth 5.7, while version 1.0.4 works (I think).
- Latest versions of LDAPProvider, LDAPUserInfo, and LDAPGroups seem to work fine.
- Looking forward to a full PA6-based stack! 146.6.208.47 (talk) 18:21, 8 May 2023 (UTC)
- Correction: LDAPAuthorization 1.1.0 which ExtensionDistributor downloads for MW 1.39 is the one that requires PluggableAuth 6+. LDAPAuthorization 1.1.1 which ExtensionDistributor downloads for MW 1.35 works fine with PluggableAuth 5.7, unpatched.
- So the "works with MW 1.39" set I have now is the MW 1.35 versions of LDAPAuthentication2, LDAPAuthorization, and PluggableAuth, and the MW 1.39 versions of LDAPGroups, LDAPProvider, and LDAPUserInfo. 146.6.208.47 (talk) 21:50, 8 May 2023 (UTC)
- Code in REL1_39 branches is already compatible to PA6 and MW 1.39. There is no official tag release yet. Osnard (talk) 06:27, 9 May 2023 (UTC)
- I've got it working on 1.39.1 and 6.0.
- LDAPAuthentication2 2.0.0 (64452f7) 15:12 13 abr 2023
- LDAPAuthorization 1.1.0 (a8f336e) 13:04 13 abr 2023
- PluggableAuth 6.2 (68bec9b) 06:51 28 mar 2023 93.188.143.1 (talk) 13:49, 12 May 2023 (UTC)
- Thanks for the feedback! Osnard (talk) 14:05, 12 May 2023 (UTC)
The discussion above is closed. Please do not modify it. No further edits should be made to this discussion.
Unable to get LDAP working with Windows AD
RESOLVED: Use PluggableAuth version 5.7 with LDAPAuthentication2 for now. This requires getting PluggableAuth from the REL1_35 branch rather than the REL1_39 branch.
The following discussion is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.
Hi,
After a couple of days searching and trying to get MediaWiki 1.39.1 working with AD I have made little progress (I need to replace a system running 1.19.20)
I have a new install of 1.39.1 on Ubuntu 22.04 with PHP 8.1.2 and MariaDB 10.6.11
I have LDAPAuthentication2 V1.0.1, LDAPAuthorization V1.1.0, LDAPGroups V1.0.3, LDAPProvider V1.0.5, LDAPUserInfo 1.0.0 and PluggableAuth 5.7
I have used: CheckConnection.php, ShowUserInfo.php, CheckLogin.php and ShowUserGroups.php and they all look good.
When all the LDAP and PluggableAuth modules are disabled I can log in OK, but as soon as I enable them with my config (below), when I try to log in (with either AD or local accounts) I get:
[3741686381932c827775572e] /index.php/Special:PluggableAuthLogin Error: Call to undefined method MediaWiki\Auth\AuthManager::singleton()
Backtrace:
from /var/www/mediawiki/extensions/PluggableAuth/includes/PluggableAuthLogin.php(25)
#0 /var/www/mediawiki/includes/specialpage/SpecialPage.php(701): PluggableAuthLogin->execute()
#1 /var/www/mediawiki/includes/specialpage/SpecialPageFactory.php(1428): SpecialPage->run()
#2 /var/www/mediawiki/includes/MediaWiki.php(316): MediaWiki\SpecialPage\SpecialPageFactory->executePath()
#3 /var/www/mediawiki/includes/MediaWiki.php(904): MediaWiki->performRequest()
#4 /var/www/mediawiki/includes/MediaWiki.php(562): MediaWiki->main()
#5 /var/www/mediawiki/index.php(50): MediaWiki->run()
#6 /var/www/mediawiki/index.php(46): wfIndexMain()
#7 {main}
My config from LocalSettings.php is like:
$wgShowExceptionDetails=true;
$wgDebugToolbar=true;
$wgDebugLogFile = "/var/www/mediawiki/debug.log";
wfLoadExtension( 'PluggableAuth' );
$wgPluggableAuth_EnableAutoLogin = false; #if true, disables the logout option
$wgPluggableAuth_ButtonLabelMessage = "Log In";
wfLoadExtension( 'LDAPProvider' );
$LDAPProviderDomainConfigProvider = function () {
    $config = [
        "LDAP" => [
            "connection" => [
                "server" => "wdc01.<redacted>.local",
                "port" => 389,
                "enctype" => "clear",
                "user" => "cn=<redacted>,dc=<redacted>,dc=local",
                "pass" => '<redacted>',
                "options" => [
                    "LDAP_OPT_DEREF" => 1
                ],
                "basedn" => "dc=<redacted>,dc=local",
                "userbasedn" => "dc=<redacted>,dc=local",
                "groupbasedn" => "dc=<redacted>,dc=local",
                "searchattribute" => "samaccountName",
                "usernameattribute" => "samaccountName",
                "realnameattribute" => "cn",
                "emailattribute" => "userprinicpalname",
                "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
                "presearchusernamemodifiers" => [ "spacestounderscores", "lowercase" ],
            ],
            "authorization" => [ ],
            "userinfo" => [ ],
            "groupsync" => [ ],
        ]
    ];
    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
$LDAPProviderDefaultDomain = "LDAP";
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPGroups' );
wfLoadExtension( 'LDAPAuthentication2' );
$LDAPAuthentication2AllowLocalLogin=true;
Anyone got any idea what I am missing? Stewart-G0LGS (talk) 08:38, 31 January 2023 (UTC)
- Please try with the PluggableAuth code in the REL1_37 branch. Confusingly, it still reports the version at 5.7, but it includes some additional changes, including a patch for the error reported above. Cindy.cicalese (talk) 16:45, 31 January 2023 (UTC)
- I cannot see the REL1_37 branch - am I looking in the wrong place ? Stewart-G0LGS (talk) 07:58, 1 February 2023 (UTC)
- Ah, it is no longer available from ExtensionDistributor. It is, however, still available at https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_37-c1cc644.tar.gz. Cindy.cicalese (talk) 14:43, 1 February 2023 (UTC)
- I am still getting the same error.
- Here are all the versions
- LDAPAuthentication2 1.0.1 (5be3383)
- LDAPAuthorization 1.1.0 (19bd68a)
- LDAPGroups 1.0.3 (a6bac29)
- LDAPProvider 1.0.5 (11a2b22)
- LDAPUserInfo 1.0.0 (a470354)
- PluggableAuth 5.7 (c1cc644) Stewart-G0LGS (talk) 07:32, 2 February 2023 (UTC)
- You're still getting the same exception: "Call to undefined method MediaWiki\Auth\AuthManager::singleton()"? The code in question for that version of PluggableAuth is at https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/PluggableAuth/+/c1cc6445797f565a3ebf44378e486aecbb6a4f7f/includes/PluggableAuthLogin.php#25, so it does not appear that it should be going into the "else" branch on MediaWiki 1.39. Could you please double check that the exception is the same?
- Also pinging @Osnard in case he has any suggestions for using LDAPAuthentication2 with MediaWiki 1.39 until it becomes compatible with the new version of PluggableAuth. Cindy.cicalese (talk) 14:06, 2 February 2023 (UTC)
- Here is what I get now:
[72a16925e43fd72c13bfd319] /index.php/Special:PluggableAuthLogin Error: Call to undefined method MediaWiki\Auth\AuthManager::singleton()
Backtrace:
from /var/www/mediawiki/extensions/LDAPAuthentication2/src/PluggableAuth.php(33)
#0 /var/www/mediawiki/extensions/PluggableAuth/includes/PluggableAuthLogin.php(36): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->authenticate()
#1 /var/www/mediawiki/includes/specialpage/SpecialPage.php(701): PluggableAuthLogin->execute()
#2 /var/www/mediawiki/includes/specialpage/SpecialPageFactory.php(1428): SpecialPage->run()
#3 /var/www/mediawiki/includes/MediaWiki.php(316): MediaWiki\SpecialPage\SpecialPageFactory->executePath()
#4 /var/www/mediawiki/includes/MediaWiki.php(904): MediaWiki->performRequest()
#5 /var/www/mediawiki/includes/MediaWiki.php(562): MediaWiki->main()
#6 /var/www/mediawiki/index.php(50): MediaWiki->run()
#7 /var/www/mediawiki/index.php(46): wfIndexMain()
#8 {main}
Stewart-G0LGS (talk) 15:24, 2 February 2023 (UTC)
- OK, so it is no longer failing in PluggableAuth. It is failing in LDAPAuthentication2, but for a similar reason with the same error. It looks like it is failing at https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/LDAPAuthentication2/+/5be33832beac4e5c9a65783e71db28b57ad2a5cf/src/PluggableAuth.php#287, although it should not get here in MediaWiki 1.39. Perhaps @Osnard can give additional insight. Cindy.cicalese (talk) 16:24, 2 February 2023 (UTC)
- I am not sure why, but after re-installing LDAPAuthentication2 1.0.1 (5be3383) I can now log in using the local mw-admin account, but if I try to log in using an LDAP account I get:
- [fe27640825e9da3c1617b10f] /index.php/Special:PluggableAuthLogin Error: Call to a member function getId() on null
- Backtrace:
- from /var/www/mediawiki/extensions/LDAPAuthentication2/src/PluggableAuth.php(69)
- #0 /var/www/mediawiki/extensions/PluggableAuth/includes/PluggableAuthLogin.php(36): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->authenticate()
- #1 /var/www/mediawiki/includes/specialpage/SpecialPage.php(701): PluggableAuthLogin->execute()
- #2 /var/www/mediawiki/includes/specialpage/SpecialPageFactory.php(1428): SpecialPage->run()
- #3 /var/www/mediawiki/includes/MediaWiki.php(316): MediaWiki\SpecialPage\SpecialPageFactory->executePath()
- #4 /var/www/mediawiki/includes/MediaWiki.php(904): MediaWiki->performRequest()
- #5 /var/www/mediawiki/includes/MediaWiki.php(562): MediaWiki->main()
- #6 /var/www/mediawiki/index.php(50): MediaWiki->run()
- #7 /var/www/mediawiki/index.php(46): wfIndexMain()
- #8 {main}
- Any idea what this means ? Stewart-G0LGS (talk) 10:01, 3 February 2023 (UTC)
- That is a failure in LDAPAuthentication2 at https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/LDAPAuthentication2/+/5be33832beac4e5c9a65783e71db28b57ad2a5cf/src/PluggableAuth.php#69. It is saying that $user is null after calling
$username = $this->normalizeUsername( $username );
$user = $this->services->getUserFactory()->newFromName( $username );
- So, it seems that there is a problem with username normalization. It would be interesting to see the value of $username before and after that first line. It does not appear that you have $LDAPAuthentication2UsernameNormalizer set in your config, so it doesn't look like it should be making any modifications.
- You might want to ask for more help on the LDAPAuthentication2 talk page, also to see if others have reported a similar error there. Cindy.cicalese (talk) 14:35, 3 February 2023 (UTC)
- I think I have now sorted it - I found a couple of errors in my LocalSettings.php where I had 'samaccountName' and not 'samaccountname'. Stewart-G0LGS (talk) 09:06, 6 February 2023 (UTC)
- That's great news! Cindy.cicalese (talk) 15:14, 6 February 2023 (UTC)
- For future reference, I have found that the REL1_35 branch of PluggableAuth also has the patch needed to run PluggableAuth version 5.7 with MediaWiki 1.39. That branch is still available from ExtensionDistributor. Cindy.cicalese (talk) 15:15, 6 February 2023 (UTC)
The discussion above is closed. Please do not modify it. No further edits should be made to this discussion.
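A check for the mistake found in this thread, as an added example (not code from the extensions or from the posters): it reads an LDAPProvider domain configuration in its JSON form and reports attribute-name settings that are not lowercase, a bind over an unencrypted connection, and a port that does not match the encryption type. The sample configuration is constructed, and reading "enctype": "clear" as an unencrypted connection is an assumption based on the setting's name.

```python
import json

# Settings in the "connection" section whose values are LDAP attribute names.
# PHP's ldap_get_entries() returns attribute names as lowercase array keys,
# which is consistent with the fix reported in the thread.
ATTRIBUTE_KEYS = ("searchattribute", "usernameattribute",
                  "realnameattribute", "emailattribute")
# Well-known ports: 389/3268 are plain LDAP, 636/3269 are LDAP over TLS.
PLAIN_PORTS = {"389", "3268"}
TLS_PORTS = {"636", "3269"}


def lint_domain_config(config):
    """Return (domain, key, message) findings for a parsed ldap.json dict."""
    findings = []
    for domain, sections in config.items():
        conn = sections.get("connection", {})
        for key in ATTRIBUTE_KEYS:
            value = conn.get(key)
            if isinstance(value, str) and value != value.lower():
                findings.append((domain, key,
                                 f"{value!r} should be {value.lower()!r}"))
        enctype = conn.get("enctype")
        port = str(conn.get("port", ""))
        # Assumption: "clear" means no transport encryption at all.
        if enctype == "clear" and conn.get("pass"):
            findings.append((domain, "enctype",
                             "bind password crosses the network unencrypted"))
        if enctype == "ssl" and port in PLAIN_PORTS:
            findings.append((domain, "port",
                             f"enctype ssl but {port} is a plain LDAP port"))
        if enctype == "clear" and port in TLS_PORTS:
            findings.append((domain, "port",
                             f"enctype clear but {port} expects TLS"))
    return findings


# Constructed sample: the first domain repeats the mixed-case attribute names
# from the thread, the second is a clean LDAPS configuration.
SAMPLE = json.loads("""
{
  "LDAP": {
    "connection": {
      "server": "dc01.example.test",
      "port": 389,
      "enctype": "clear",
      "user": "cn=svc-wiki,dc=example,dc=test",
      "pass": "placeholder",
      "searchattribute": "samaccountName",
      "usernameattribute": "samaccountName",
      "realnameattribute": "cn",
      "emailattribute": "mail"
    }
  },
  "GC": {
    "connection": {
      "server": "dc01.example.test",
      "port": "3269",
      "enctype": "ssl",
      "user": "cn=svc-wiki,dc=example,dc=test",
      "pass": "placeholder",
      "searchattribute": "samaccountname",
      "usernameattribute": "samaccountname"
    }
  }
}
""")

if __name__ == "__main__":
    for domain, key, message in lint_domain_config(SAMPLE):
        print(f"{domain}.connection.{key}: {message}")
```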
Could not bind to LDAP: (49) Invalid credentials
RESOLVED: LDAP config
The following discussion is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.
My aim is to log in to mywiki with myaccount_at_Active Directory hosted at local Data Center
Error message is clear. But I can't find the mistake. Confused!
I've done some testing:
TEST 1 success:
//$ldaprdn = "cn=myname,dc=localdomain";
//$ldappass = 'mypass';
$ldapconn=ldap_connect("ldaps://localdatacenter.localdomain:3269");
//$ldapbind=ldap_bind($ldapconn,$ldaprdn,$ldappass);
//if ($ldapbind) {
// echo "LDAP bind successful.\n";
// } else {
// echo "LDAP bind failed.";
// }
Output: LDAP bind at-port 3269 successful.
TEST 2 failed:
>php extensions/LDAPProvider/maintenance/ShowUserInfo.php -d mydomain -u myname
MWException from line 196 of /var/lib/mediawiki-1.39.2/extensions/LDAPProvider/src/Client.php: Could not bind to LDAP: (49) Invalid credentials
#0 /var/lib/mediawiki-1.39.2/extensions/LDAPProvider/src/Client.php(119): MediaWiki\Extension\LDAPProvider\Client->establishBinding()
#1 /var/lib/mediawiki-1.39.2/extensions/LDAPProvider/src/Client.php(257): MediaWiki\Extension\LDAPProvider\Client->init()
#2 /var/lib/mediawiki-1.39.2/extensions/LDAPProvider/maintenance/ShowUserInfo.php(49): MediaWiki\Extension\LDAPProvider\Client->getUserInfo()
#3 /var/lib/mediawiki-1.39.2/maintenance/includes/MaintenanceRunner.php(309): MediaWiki\Extension\LDAPProvider\Maintenance\ShowUserInfo->execute()
#4 /var/lib/mediawiki-1.39.2/maintenance/doMaintenance.php(85): MediaWiki\Maintenance\MaintenanceRunner->run()
#5 /var/lib/mediawiki-1.39.2/extensions/LDAPProvider/maintenance/ShowUserInfo.php(72): require_once('...')
#6 {main}
--
ldap.json
{
    "localdomain": {
        "connection": {
            "server": "localdatercenter.localdomain",
            "port": "3269",
            "user": "CN=myname,OU=Users,DC=localdomain",
            "pass": "mypass",
            "enctype": "ssl",
            "options": {
                "LDAP_OPT_DEREF": 1
            },
            "basedn": "dc=uni-kl,dc=de",
            "userbasedn": "DC=localdomain",
            "groupbasedn": "DC=localdomain",
            "searchattribute": "samaccountname",
            "usernameattribute": "samaccountname",
            "realnameattribute": "cn",
            "emailattribute": "mail",
            "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
            "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]
        },
        "userinfo": [],
        "authorization": [],
        "groupsync": {
            "mapping": {
                "Mitglied": "CN=...",
                "bureaucrat": "CN=...",
                "interface-admin": "CN=...",
                "sysop": "CN=..."
            }
        }
    }
}
TEST 3 failed: Login to mywiki
Spezial:Version
LDAPAuthentication2 1.0.3 (54d804e) 09:48, 13. Mär. 2023
LDAPAuthorization 1.1.0 (8a98b7d) 09:50, 13. Mär. 2023
LDAPGroups 1.0.3 (17bfc3f) 09:52, 13. Mär. 2023
LDAPProvider 1.0.5 (d2084d2) 09:46, 13. Mär. 2023
LDAPUserInfo 1.0.0 (47dc6d3) 09:54, 13. Mär. 2023
PluggableAuth 5.7
--
Interner Fehler
[03839e8ca03a35a73cf2ad09] /vpewiki/index.php/Spezial:PluggableAuthLogin MWException: Could not bind to LDAP: (49) Invalid credentials
Backtrace:
from /var/lib/mediawiki-1.39.2/extensions/LDAPProvider/src/Client.php(196)
#0 /var/lib/mediawiki-1.39.2/extensions/LDAPProvider/src/Client.php(119): MediaWiki\Extension\LDAPProvider\Client->establishBinding()
#1 /var/lib/mediawiki-1.39.2/extensions/LDAPProvider/src/Client.php(364): MediaWiki\Extension\LDAPProvider\Client->init()
#2 /var/lib/mediawiki-1.39.2/extensions/LDAPAuthentication2/src/PluggableAuth.php(195): MediaWiki\Extension\LDAPProvider\Client->canBindAs()
#3 /var/lib/mediawiki-1.39.2/extensions/LDAPAuthentication2/src/PluggableAuth.php(62): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->checkLDAPLogin()
#4 /var/lib/mediawiki-1.39.2/extensions/PluggableAuth-REL1_35/includes/PluggableAuthLogin.php(36): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->authenticate()
#5 /var/lib/mediawiki-1.39.2/includes/specialpage/SpecialPage.php(701): PluggableAuthLogin->execute()
#6 /var/lib/mediawiki-1.39.2/includes/specialpage/SpecialPageFactory.php(1428): SpecialPage->run()
#7 /var/lib/mediawiki-1.39.2/includes/MediaWiki.php(316): MediaWiki\SpecialPage\SpecialPageFactory->executePath()
#8 /var/lib/mediawiki-1.39.2/includes/MediaWiki.php(904): MediaWiki->performRequest()
#9 /var/lib/mediawiki-1.39.2/includes/MediaWiki.php(562): MediaWiki->main()
#10 /var/lib/mediawiki-1.39.2/index.php(50): MediaWiki->run()
#11 /var/lib/mediawiki-1.39.2/index.php(46): wfIndexMain()
#12 {main}
Hlsisadm2023 (talk) 12:10, 22 March 2023 (UTC)
- You may want to ask your question at Extension_talk:LDAPProvider, since your PluggableAuth configuration appears to be OK. It appears to be an LDAP issue. Cindy.cicalese (talk) 13:22, 22 March 2023 (UTC)
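A way to narrow down a result code 49 from Active Directory, as an added example that is not from the original posts or from LDAPProvider: AD puts a sub-code in the diagnostic text of the bind response (ldapsearch prints it as "additional info"), which the first function decodes, and the second function compares a bind DN used in a manual test with the one in ldap.json. The diagnostic string is a constructed sample; the two DNs are the ones quoted in this thread.

```python
import re

# Active Directory sub-codes carried in the diagnostic text of result code 49.
AD_SUBCODES = {
    "525": "user not found: the bind DN does not match an account",
    "52e": "invalid credentials: the account exists, the password is wrong",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
_DATA = re.compile(r"AcceptSecurityContext error, data ([0-9a-f]+)", re.I)


def explain_bind_error(diagnostic):
    """Map an AD diagnostic message to (sub-code, meaning), or None."""
    match = _DATA.search(diagnostic)
    if not match:
        return None
    code = match.group(1).lower()
    return code, AD_SUBCODES.get(code, "unrecognised sub-code")


def split_dn(dn):
    """Split a DN into normalised (type, value) pairs; escaped commas stay."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().casefold()))
    return rdns


def dn_difference(tested, configured):
    """RDNs present in only one of two DNs, compared case-insensitively."""
    a, b = split_dn(tested), split_dn(configured)
    return [r for r in a if r not in b] + [r for r in b if r not in a]


# Constructed sample of the text AD returns alongside result code 49.
SAMPLE_DIAGNOSTIC = ("80090308: LdapErr: DSID-0C090439, comment: "
                     "AcceptSecurityContext error, data 52e, v4563")
# The DN in the commented-out PHP test and the "user" value in ldap.json.
TESTED_DN = "cn=myname,dc=localdomain"
CONFIGURED_DN = "CN=myname,OU=Users,DC=localdomain"

if __name__ == "__main__":
    print(explain_bind_error(SAMPLE_DIAGNOSTIC))
    print(dn_difference(TESTED_DN, CONFIGURED_DN))
```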
Add support for IdP-initiated auth?
In our experience at MyWikis, none of our clients have had success with IdP-initiated auth when using the SimpleSAMLphp or OpenIDConnect extensions. I took a look at the code in January 2023 and it didn't look like it was too obvious on how IdP-initiated auth would work on PluggableAuth 7 because the authentication process uses AuthManager, which seems to care a lot about starting the authentication process on the MediaWiki instance. (In other words, only SP-initiated auth is currently possible.)
Would there be any interest, or feasibility, in adding support for IdP-initiated auth? Jeffrey Wang 08:17, 25 March 2023 (UTC)
- I'd be very interested in discussing this further to assess the feasibility. Cindy.cicalese (talk) 17:37, 25 March 2023 (UTC)
Mediawiki 1.39.1 Support
RESOLVED: Need compatible extensions and config
The following discussion is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.
Has anyone experienced this error: "Please choose a valid domain" during login with PluggableAuth?
I don't know if it's a misconfig, a bug or it doesn't support 1.39 yet.
Thanks! Aseicor (talk) 14:19, 14 April 2023 (UTC)
- What version of which extensions are you using? What does your config look like? Yes, PluggableAuth does support MediaWiki 1.39, but you need to be sure you are running the appropriate versions of the extensions with the correct config. Cindy.cicalese (talk) 14:38, 14 April 2023 (UTC)
- Hi, thanks for your response. I'm running MediaWiki 1.39.1
- PluggableAuth 6.2 (68bec9b)
- Pluggable array with these plugins:
- LDAPAuthorization 1.1.0 (8a98b7d)
- LDAPAuthentication2 2.0.0 (984847c)
- The rest of the extensions:
- LDAPGroups 1.0.3 (17bfc3f)
- LDAPProvider 1.0.5 (c440a49)
- LDAPUserInfo 1.0.0 (47dc6d3) Aseicor (talk) 16:09, 14 April 2023 (UTC)
- LDAPAuth* are not compatible with PluggableAuth version 6.2 yet. You need to use PluggableAuth 5.7. Cindy.cicalese (talk) 16:50, 14 April 2023 (UTC)
- I tried with PluggableAuth 5.7 (REL_1.35), it said this error:
- "Fatal error: Uncaught ExtensionDependencyError: LDAPAuthorization is not compatible with the current installed version of PluggableAuth (5.7), it requires: 6.*"
- So I also downgraded the LDAPAuthorization addon to REL_1.35 and now I've got this error:
- "Depreceated: Use of PersonalUrls hook (used in PluggableAuthHooks::modifyLoginURLs) was deprecated in MediaWiki 1.39. [Called from MediaWiki\HookContainer\HookContainer::run in /var/www/html/mediawiki-1.39.1/includes/HookContainer/HookContainer.php at line 137] in /var/www/html/mediawiki-1.39.1/includes/debug/MWDebug.php on line 381"
- And on the Special:login page I get:
- Las credenciales suministradas no están asociadas con ningún usuario en esta wiki.
- (credentials provided are not associated with any user on this wiki)
- I assume the error is that it is expecting something from MediaWiki REL 1.35. Is there a way to fix this and use the addon on version 1.39?
- Sorry for too many questions, I'm quite new to working with MediaWiki. Aseicor (talk) 17:05, 14 April 2023 (UTC)
- I also modified to the old cfg options in LocalSettings.php:
##### LDAPAuthentication2 ####
$LDAPAuthentication2UsernameNormalizer = 'strtolower';
##### PLUGGABLE AUTH ####
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_ButtonLabelMessage = 'LDAP Login';
$wgPluggableAuth_Class = ["LDAPAuthentication2"];
Aseicor (talk) 17:23, 14 April 2023 (UTC)
- I was/am having the same warning in the PHP logs, and did the following to get rid of the warning. However, hiding the 'Log in' button when using 'EnableAutoLogin' won't be able to jive any longer. But, the login works and I'm not getting error on the site or site logs.
- Edited the 'extension.json' file line
"Hooks": {
    ...
    "PersonalUrls": "PluggableAuthHooks::modifyLoginURLs",
    ...
- to
"Hooks": {
    ...
    "SkinTemplateNavigation::Universal": "PluggableAuthHooks::onSkinTemplateNavigationUniversal",
    ...
- And in the includes/PluggableAuthHooks.php file, changed the section 'Implements PersonalUrls hook.' to this
public static function onSkinTemplateNavigationUniversal(
    SkinTemplate $skin,
    array &$links
) {
    if ($GLOBALS['wgPluggableAuth_EnableAutoLogin']) {
        unset($links['personal']['logout']);
    }
}
Alongaks (talk) 19:04, 24 April 2023 (UTC)
- I will try and let you know if this works for me, thanks! 93.188.143.1 (talk) 11:50, 25 April 2023 (UTC)
- FWIW, it is fixed in version 6.2 of the plugin. I am on v5.7 and didn't have the means to update as of yet. Alongaks (talk) 12:10, 25 April 2023 (UTC)
- Doesn't work for me :(
- Guess I have to wait for 6.2 compatibility with Ldap2 and auth.
- Thanks anyway. 93.188.143.1 (talk) 13:14, 25 April 2023 (UTC)
- Got it working with latest 1.39 versions, error was here:
$wgPluggableAuth_Config = array(
    array('plugin' => 'LDAPAuthentication2',
        'buttonLabelMessage' => 'Login mydomain',
        'data' => ['domain' => 'mydomain']
    ),
    array('plugin' => 'LDAPAuthorization'),
);
Aseicor (talk) 10:12, 3 May 2023 (UTC)
The discussion above is closed. Please do not modify it. No further edits should be made to this discussion.
"Fatal error authenticating user" on MW 1.39.3
The following discussion is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.
I am using PluggableAuth and SimpleSAMLphp. On Wikis upgraded from 1.35.8 to 1.39.2, this works as desired (thanks to a fix from the SimpleSAMLphp discussion page :)
If I deploy a new 1.39.2 wiki, though, I get "Fatal error authenticating user" when signing in with a SAML user. A wiki user with correct attributes is created, and if I navigate away from the error page the user is authenticated and can use the wiki as expected. I see no significant difference between the LocalSettings.php between an upgraded and a newly created wiki.
Is there any way to get more debug information from the PluggableAuth extension? Joernc unibi (talk) 08:43, 18 April 2023 (UTC)
- BTW: This does not only happen on the first login (i.e. when the wiki user is created), but also on subsequent logins, when the wiki user is already present. Joernc unibi (talk) 08:44, 18 April 2023 (UTC)
- Actually, it's MW 1.39.3, not 1.39.2 that has the problem. And the error occurs both with a newly installed 1.39.3 and one upgraded from 1.39.2. I am using the extension from https://extdist.wmflabs.org/dist/extensions/ for 1.39, which seems to be version 6.2 of PluggableAuth. Joernc unibi (talk) 09:27, 20 April 2023 (UTC)
- Hi man, I am facing the same problem in version 1.39.3 with PluggableAuth in 6.1 and simplesaml in 5.0.1. When I want to log in I keep getting the error 'Fatal error during user authentication'. If I click on 'connect' I get my azure login page, once authenticated I come back to the mediawiki login page with the authentication error, but if I click on 'connect' again the SAML authentication is done correctly and I can navigate the wiki etc. Any idea how to solve this? Have you been able to solve it on your side or have you chosen to stay in 1.39.2 (which I understand is the latest and most up to date version with which extensions and authentication are error free?) Thank you in advance for your feedback bro'! If the developers wanted to look into the subject it would be nice for people who use their application in a production environment!!!
- Best regards, Baldrom (talk) 12:42, 27 April 2023 (UTC)
- Have you tried the latest version of PluggableAuth (6.3)? Haven't tried it myself yet, but would love to hear the results :) Joernc unibi (talk) 06:28, 8 May 2023 (UTC)
- I just tried MW 1.39.3 together with PluggableAuth 6.3 (68bec9b) found in https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_40-e6e97b1.tar.gz. Unfortunately, the error persists and I get an error on logging in. Joernc unibi (talk) 11:44, 9 May 2023 (UTC)
- I have the same problem after upgrading to Mediawiki 1.39.3 and extensions.
- I use LDAPAuthentication2 (REL1_39-7dc2ea5) and tried multiple PluggableAuth versions (REL1_39-68bec9b, REL1_40-e6e97b1, master-ffa4ba8).
- Username and password fields are not displayed at all.
- Update: LDAPAuthentication2 master-dd5b9e3 fixed my problem. AVNeu (talk) 17:34, 9 May 2023 (UTC)
- I am getting this exact error but it comes on subsequent log ins within the same browser session. I can log in and out using AzureAD, but when I try to log in again within the same browser session I get this error.
- Even after getting the error, clicking home page then log in again only to find out the user is authenticated. This extra step is confusing for users.
- MW Version 1.39.2
- Running extensions PluggableAuth v6.2 and SimpleSaml v5.0.
- The SimpleSaml framework installed is 2.0. Gachangi (talk) 16:11, 15 May 2023 (UTC)
- Hi,
- MW 1.39.3
- SimpleSAMLphp library 2.0.3
- PluggableAuth 6.2
- SimpleSAMLphp extension 5.0.1
- I am also facing the same issue. Actually AD authenticates me, but after authentication it is sending me to https://wiki.com/index.php/Special:PluggableAuthLogin displaying:
- Fatal error authenticating user.
- But when I click on the login button or main page, I am authenticated/logged in and my username is displaying properly.
- The app is working properly; I am not getting why SAML is redirecting me to Special:PluggableAuthLogin.
- If I could redirect directly to main_page then the error is not there.
- I need to know where we can set redirect_url or relaystate, so that I can redirect to main_page directly.
- Please suggest!! Pooja2425 (talk) 08:53, 22 May 2023 (UTC)
- @Pooja2425 @Gachangi @AVNeu @Joernc unibi see my comment here: https://www.mediawiki.org/w/index.php?title=Extension%20talk%3APluggableAuth/2023#c-Nnyby-20230608010200-Pooja2425-20230510081200
- Basically, updating PluggableAuth and SimpleSAMLphp both to the new version 7.0-dev resolves this issue for me. Seems like it was a known bug that was fixed recently: https://phabricator.wikimedia.org/T322828 Nnyby (talk) 01:10, 8 June 2023 (UTC)
The discussion above is closed. Please do not modify it. No further edits should be made to this discussion.
"Fatal error authenticating user" on MW 1.39.3
The following discussion is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.
- Hi
- we are using MW version 1.39.3
- PluggableAuth 6.2,
- SimpleSAMLphp extension 5.0.1,
- Simplesamlphp library 2.0.3
- Now after Integrating Simplesaml Library AAD starts giving us results when we check on
- Https://app.com/simplesaml/module.php/admin/test/default-sp
- http://schemas.microsoft.com/identity/claims/ full user details .
- But in reply url : Https://app.com//simplesaml/module.php/saml/sp/saml2-acs.php/default-sp
- it redirect us to wiki main page with Fatal error authenticating user .
- Also in the SimpleSAMLphp.log log file we are getting
- Could not get authentication plugin instance.
- Getting PluggableAuth instance
- ERROR: return to URL is null or empty
- We are using only above mentioned 2 extensions + simplesaml library currently.
- Do we need to add LDAPAuthentication2 for this too.
- Please suggest us . Pooja2425 (talk) 08:12, 10 May 2023 (UTC)
- So, I got things to work. This seems to be a known bug documented here: https://phabricator.wikimedia.org/T322828 that was fixed just recently in PluggableAuth. So, now using the latest version of PluggableAuth 7.0-dev, as well as updating the SimpleSAMLphp extension to 7.0-dev as well, login succeeds with no errors. Nnyby (talk) 01:02, 8 June 2023 (UTC)
- LDAP and SAML are two different authentication methods, installing the LDAP module should not change anything for you. My advice for the moment is: downgrade to MW 1.39.2 - if possible.
- The fact that upgrading LDAPAuthentication2 to a development version, as AVneu describes in Extension talk:PluggableAuth/2023#h-"Fatal_error_authenticating_user"_on_MW_1.39.3-20230418084300, suggests that the problem is not within the PluggableAuth module but in SimpleSAMLphp. Joernc unibi (talk) 09:18, 10 May 2023 (UTC)
- I downgraded to mediawiki 1.39.2 and I am still seeing this error in my environment, using PluggableAuth 6.2 with SimpleSAMLphp 5.0.1. Nnyby (talk) 23:52, 7 June 2023 (UTC)
- Hi @Joernc unibi
- After SSO authentication it redirects us to https://wiki/Special:PluggableAuthLogin giving the error Fatal error authenticating user.
- Even so we are authenticated, and when we click on login or main page, our username/email ID is displaying in the app as we are logged in.
- can we redirect directly to main_page, as when we are going on main_page sso working. only issue with https://wiki/Special:PluggableAuthLogin this page, rest all pages sso working.
- Seems like Login Redirect issue.
- please suggest. Pooja2425 (talk) 11:16, 19 May 2023 (UTC)
The discussion above is closed. Please do not modify it. No further edits should be made to this discussion.
Deprecation warning
RESOLVED: Fixed
The following discussion is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.
I am using PluggableAuth 5.7. and LDAPAuthentication2 1.0.1 on mediawiki 1.39. I am getting this warning in my logs: FastCGI sent in stderr: "PHP message: PHP Deprecated: Use of PersonalUrls hook (used in PluggableAuthHooks::modifyLoginURLs) was deprecated in MediaWiki 1.39
Is this a critical message? Stefansschauer (talk) 07:48, 17 May 2023 (UTC)
- No, it is not a critical message, and it is fixed in later versions. Cindy.cicalese (talk) 12:17, 17 May 2023 (UTC)
The discussion above is closed. Please do not modify it. No further edits should be made to this discussion.
Uncaught ExtensionDependencyError
RESOLVED: Was using extension.json file from previous extension version.
The following discussion is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.
MediaWiki version 1.39.3
Today (June 5, 2023) I am getting following error after updating to newest version of SimpleSAMLphp and PluggableAuth extensions:
Fatal error: Uncaught ExtensionDependencyError: SimpleSAMLphp is not compatible with the current installed version of PluggableAuth (6.2), it requires: >= 7.0.
Using PluggableAuth-REL1_39-dc30743.tar.gz and SimpleSAMLphp-REL1_39-9ffe0de.tar.gz
According to extension.json file of both extensions, newest version is 7.0-dev, and still getting this error. How and when can this be solved?
Please suggest. Anderst25 (talk) 09:27, 5 June 2023 (UTC)
Fatal error authenticating user.
We have set up MediaWiki (Docker) with SimplesamlPHP and PluggableAuth extensions.
I have verified that Simplesaml is returning attributes and before I managed to login with the same config (but only if I was logged in with my SAML account already).
Now a few days later the only thing I get in return is: Fatal error authenticating user.
When I looked in the debugging log I get the following error from PluggableAuth: [PluggableAuth] ERROR: return to URL is null or empty
We have set the following settings in LocalSettings.php: Innofaith (talk) 07:43, 8 June 2023 (UTC)
- What versions of PluggableAuth and SimpleSAMLphp are you using? This sounds like a bug that was fixed recently, so you could try updating to the latest version of both extensions. Cindy.cicalese (talk) 12:33, 8 June 2023 (UTC)
- Just read the topics below with the recommendation to revert to MW 1.39.2 and Extensions both to the 7.0-dev version. With this change the problem persists.
- I do get a new error under the original error. The debugging log now shows:
[PluggableAuth] ERROR: return to URL is null or empty
[DBConnection] Wikimedia\Rdbms\LoadBalancer::getLocalConnection: reused a connection for local/0
[DBQuery] LCStoreDB::get [0.001s] database: SELECT lc_value FROM `wiki_l10n_cache` WHERE lc_lang = 'en-gb' AND lc_key = 'messages:pluggableauth-fatal-error' LIMIT 1
Innofaith (talk) 12:52, 8 June 2023 (UTC)
- Are you using the database for the session store?
- The DBQuery statement is not an additional error. It is indicating that the localized message text for the error message was retrieved from the database.
- It would be helpful to see any other lines from the debug log that start with [PluggableAuth] or [SimpleSAMLphp].
- Note that, although it will not cause any issues, $wgPluggableAuth_ReturnToUrl is not a valid config variable and can be removed. Cindy.cicalese (talk) 13:37, 8 June 2023 (UTC)
- Yes, due to the known bug with the PHPSESSID I have installed pdo_mysql and use this to write the sessions. I also verified this and simplesamlphp is creating tables in the database.
- I think we are going in the right direction, because I don't see any related entries in the debug log with [SimpleSAMLphp].
- I do get an error that Pluggableauth could not get the authentication plugin instance. So it's probably somewhere in the config. However to me on first sight the config seems to be correct, or am I missing something (or is there a config in another place)? I will remove $wgPluggableAuth_ReturnToUrl as it is not valid. Innofaith (talk) 16:21, 8 June 2023 (UTC)
- Agreed, if you are seeing that it cannot get the authentication plugin instance, then there is likely an issue with configuration. I would double-check $wgSimpleSAMLphp_InstallDir including the file permissions. Cindy.cicalese (talk) 16:31, 8 June 2023 (UTC)
- You also don't need returnToUrl in the data section. Cindy.cicalese (talk) 16:37, 8 June 2023 (UTC)
- I have removed the returnToUrl sections.
- I also checked the file permissions, they all seem to be readable and executable:
-rwxrwxrwx 1 1000 1000 40 May 12 15:58 .markdownlintrc
-rwxrwxrwx 1 1000 1000 8.0K May 12 15:58 CONTRIBUTING.md
-rwxrwxrwx 1 1000 1000 964 May 12 15:58 COPYING
-rwxrwxrwx 1 1000 1000 24K May 12 15:58 LICENSE
-rwxrwxrwx 1 1000 1000 1.3K May 12 15:58 README.md
-rwxrwxrwx 1 1000 1000 2.9K May 12 15:58 SECURITY.md
-rwxrwxrwx 1 1000 1000 2.7K May 12 15:58 TESTING.md
drwxrwxrwx 1 1000 1000 512 May 12 15:58 attributemap
drwxrwxrwx 1 1000 1000 512 May 12 15:58 bin
drwxrwxrwx 1 1000 1000 512 Apr 17 12:13 cert
-rwxrwxrwx 1 1000 1000 4.5K May 12 15:58 composer.json
-rwxrwxrwx 1 1000 1000 234K May 12 15:58 composer.lock
drwxrwxrwx 1 1000 1000 512 Jun 9 06:20 config
drwxrwxrwx 1 1000 1000 512 May 12 15:58 docs
drwxrwxrwx 1 1000 1000 512 May 12 15:58 extra
drwxrwxrwx 1 1000 1000 512 May 12 15:58 lib
drwxrwxrwx 1 1000 1000 512 May 12 15:58 locales
drwxrwxrwx 1 1000 1000 512 Jun 9 06:20 metadata
drwxrwxrwx 1 1000 1000 512 May 12 15:58 modules
drwxrwxrwx 1 1000 1000 512 May 12 15:58 public
drwxrwxrwx 1 1000 1000 512 May 12 15:58 routing
drwxrwxrwx 1 1000 1000 512 May 12 15:58 src
drwxrwxrwx 1 1000 1000 512 May 12 15:58 templates
drwxrwxrwx 1 1000 1000 512 May 12 15:58 tests
drwxrwxrwx 1 1000 1000 512 May 12 15:58 vendor
- The config is set to :
$wgSimpleSAMLphp_InstallDir = "/etc/simplesamlphp";
- My compose.yml mounts the volume at the same place.
volumes:
- /mnt/c/Users/User/Docker/mediawiki/extensions/PluggableAuth:/var/www/html/extensions/PluggableAuth
- /mnt/c/Users/User/Docker/mediawiki/extensions/SimpleSAMLphp:/var/www/html/extensions/SimpleSAMLphp
- /mnt/c/Users/User/Docker/mediawiki/simplesamlphp:/etc/simplesamlphp
- I even tried hosting a phpinfo() in a folder with the same permission, this is executable.
- I am a little bit at a loss here, as in my eyes this should be working. Innofaith (talk) 06:46, 9 June 2023 (UTC)
- I could use a bit more debugging output when it cannot get the instance. That error is generated at https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/PluggableAuth/+/refs/heads/master/includes/PluggableAuthFactory.php#223. If you would feel comfortable editing PluggableAuth/includes/PluggableAuthFactory.php, you could add the following at line 223:
$this->logger->debug( 'name = ' . $name );
$this->logger->debug( 'pluggableAuthConfig = ' . print_r( $this->pluggableAuthConfig, true ) );
- The most likely cause of that failure is $name being null because of a session issue. Cindy.cicalese (talk) 13:07, 9 June 2023 (UTC)
- Thanks for your ongoing support, I have added the 2 lines and this is the output.
[PluggableAuth] In execute()
[PluggableAuth] Getting PluggableAuth instance
[PluggableAuth] Could not get authentication plugin instance.
[PluggableAuth] name =
[PluggableAuth] pluggableAuthConfig = Array
(
[pluggableauthlogin0] => Array
(
[configId] => Log in using Office365
[plugin] => SimpleSAMLphp
[spec] => Array
(
[class] => MediaWiki\Extension\SimpleSAMLphp\SimpleSAMLphp
[services] => Array
(
[0] => TitleFactory
[1] => UserFactory
[2] => SimpleSAMLphpSAMLClientFactory
[3] => SimpleSAMLphpMandatoryUserInfoProviderFactory
)
)
[data] => Array
(
[authSourceId] => default-sp
[usernameAttribute] => http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
[realNameAttribute] => http://schemas.microsoft.com/identity/claims/displayname
[emailAttribute] => http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
)
[groupsyncs] => Array
(
)
[label] => RawMessage Object
(
[interface:protected] => 1
[language:protected] =>
[key:protected] => Log in using Office365
[keysToTry:protected] => Array
(
[0] => Log in using Office365
)
[parameters:protected] => Array
(
)
[useDatabase:protected] => 1
[contextPage:protected] =>
[content:protected] =>
[message:protected] => Log in using Office365
)
)
)
Innofaith (talk) 14:02, 9 June 2023 (UTC)
- I have checked the database and when I try to login SimpleSAMLphp is actively writing to the database I got tables for:
- kvstore
- saml_LogoutStore
- tableVersion Innofaith (talk) 14:07, 9 June 2023 (UTC)
- That output confirms that it is not able to get $name from the session:
[PluggableAuth] name =
- $name is set from the session at https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/PluggableAuth/+/refs/heads/master/includes/PluggableAuthFactory.php#178. It seems that somehow the request or session is getting corrupted. I would look earlier in the debug log to see if there's any other indication of an earlier problem. Cindy.cicalese (talk) 14:23, 9 June 2023 (UTC)
- I will put the log from between the HTTP headers and the log I just posted. I don't see any errors, but some mentions about dirtydata.
[DBReplication] ChronologyProtector using store APCUBagOStuff
[DBReplication] ChronologyProtector fetching positions for 2417c9c0fba5912bca29f0a8c6730e1c
[DBReplication] Wikimedia\Rdbms\ChronologyProtector::applySessionReplicationPosition: DEFAULT (database) has no position
[DBConnection] Wikimedia\Rdbms\LoadBalancer::lazyLoadReplicationPositions: executed chronology callback.
[DBConnection] Wikimedia\Rdbms\LoadBalancer::getLocalConnection: opened new connection for local/0
[DBQuery] Wikimedia\Rdbms\DatabaseMysqlBase::serverIsReadOnly [0s] database: SELECT @@GLOBAL.read_only AS Value
[DBQuery] Wikimedia\Rdbms\Database::beginIfImplied (LCStoreDB::get) [0s] database: BEGIN
[DBQuery] LCStoreDB::get [0s] database: SELECT lc_value FROM `wiki_l10n_cache` WHERE lc_lang = 'en-gb' AND lc_key = 'deps' LIMIT 1
[DBConnection] Wikimedia\Rdbms\LoadBalancer::getLocalConnection: reused a connection for local/0
[DBQuery] LCStoreDB::get [0.002s] database: SELECT lc_value FROM `wiki_l10n_cache` WHERE lc_lang = 'en-gb' AND lc_key = 'list' LIMIT 1
[DBConnection] Wikimedia\Rdbms\LoadBalancer::getLocalConnection: reused a connection for local/0
[DBQuery] LCStoreDB::get [0s] database: SELECT lc_value FROM `wiki_l10n_cache` WHERE lc_lang = 'en-gb' AND lc_key = 'preload' LIMIT 1
[DBConnection] Wikimedia\Rdbms\LoadBalancer::getLocalConnection: reused a connection for local/0
[DBQuery] LCStoreDB::get [0.001s] database: SELECT lc_value FROM `wiki_l10n_cache` WHERE lc_lang = 'en-gb' AND lc_key = 'preload' LIMIT 1
[DBConnection] Wikimedia\Rdbms\LoadBalancer::getLocalConnection: reused a connection for local/0
[DBQuery] LCStoreDB::get [0s] database: SELECT lc_value FROM `wiki_l10n_cache` WHERE lc_lang = 'en-gb' AND lc_key = 'fallbackSequence' LIMIT 1
[session] Session "293d252826fde6d70feb745dd400f6b6" requested without UserID cookie
[session] SessionBackend "293d252826fde6d70feb745dd400f6b6" is unsaved, marking dirty in constructor
[session] SessionBackend "8la08esvfk8693cr266mf15nve379817" metadata dirty due to ID reset (formerly "293d252826fde6d70feb745dd400f6b6")
[session] SessionBackend "8la08esvfk8693cr266mf15nve379817" save: dataDirty=1 metaDirty=1 forcePersist=0
[session] Persisting session due to no pre-existing stored session
[cookie] setcookie: "SimpleSAMLSessionID", "8la08esvfk8693cr266mf15nve379817", "0", "/", "", "1", "1", ""
[cookie] already deleted setcookie: "wikidb_wiki_UserID", "", "1654785017", "/", "", "1", "1", ""
[cookie] already deleted setcookie: "wikidb_wiki_Token", "", "1654785017", "/", "", "1", "1", ""
[cookie] already deleted setcookie: "forceHTTPS", "", "1654785017", "/", "", "", "1", ""
[session] SessionBackend "8la08esvfk8693cr266mf15nve379817" save: dataDirty=1 metaDirty=1 forcePersist=0
[cookie] already set setcookie: "SimpleSAMLSessionID", "8la08esvfk8693cr266mf15nve379817", "0", "/", "", "1", "1", ""
[cookie] already deleted setcookie: "wikidb_wiki_UserID", "", "1654785017", "/", "", "1", "1", ""
[cookie] already deleted setcookie: "wikidb_wiki_Token", "", "1654785017", "/", "", "1", "1", ""
[cookie] already deleted setcookie: "forceHTTPS", "", "1654785017", "/", "", "", "1", ""
[cookie] already set setcookie: "SimpleSAMLSessionID", "8la08esvfk8693cr266mf15nve379817", "0", "/", "", "1", "1", ""
[cookie] already deleted setcookie: "wikidb_wiki_UserID", "", "1654785017", "/", "", "1", "1", ""
[cookie] already deleted setcookie: "wikidb_wiki_Token", "", "1654785017", "/", "", "1", "1", ""
[cookie] already deleted setcookie: "forceHTTPS", "", "1654785017", "/", "", "", "1", ""
[session] SessionBackend "8la08esvfk8693cr266mf15nve379817" Taking over PHP session
[SQLBagOStuff] MainObjectStash using store ReplicatedBagOStuff
[DBConnection] Wikimedia\Rdbms\LoadBalancer::getLocalConnection: reused a connection for local/0
[DBQuery] LCStoreDB::get [0s] database: SELECT lc_value FROM `wiki_l10n_cache` WHERE lc_lang = 'en-gb' AND lc_key = 'specialPageAliases' LIMIT 1
[DBConnection] Wikimedia\Rdbms\LoadBalancer::getLocalConnection: reused a connection for local/0
[DBQuery] LCStoreDB::get [0s] database: SELECT lc_value FROM `wiki_l10n_cache` WHERE lc_lang = 'en-gb' AND lc_key = 'namespaceGenderAliases' LIMIT 1
Innofaith (talk) 14:31, 9 June 2023 (UTC)
- I think I have figured it out. There was a stray setting that was turned on in the config:
$wgSessionName = 'SimpleSAMLSessionID';
- I removed it and now it is logging me in properly.
- Thank you @Cindy.cicalese for your help. Innofaith (talk) 14:43, 9 June 2023 (UTC)
- Yay! That's great! I'm happy to be able to help. Cindy.cicalese (talk) 14:47, 9 June 2023 (UTC)
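A log triage sketch for the failure diagnosed in this thread, added here as an example and not part of the discussion or of PluggableAuth: it scans MediaWiki debug-log lines for MediaWiki itself writing the SimpleSAMLSessionID cookie (the $wgSessionName collision), the session ID reset, and the empty plugin name that follows. The function name triage and the finding codes are hypothetical; the healthy-run lines are constructed.

```python
import re

# Assumption: the cookie name SimpleSAMLphp uses for its own session; this is
# the value seen in the thread's log and in the stray $wgSessionName setting.
SSP_COOKIE = "SimpleSAMLSessionID"

LINE_RE = re.compile(r"^\[([^\]]+)\]\s*(.*)$")
# Matches "setcookie:" and "already set setcookie:", not "already deleted ...".
SETCOOKIE_RE = re.compile(r'^(?:already set )?setcookie: "([^"]+)", "([^"]*)"')
BACKEND_RE = re.compile(r'^SessionBackend "([^"]+)"')
ID_RESET_RE = re.compile(r'ID reset \(formerly "([^"]+)"\)')


def triage(lines, idp_cookie=SSP_COOKIE):
    """Return ordered (code, detail) findings for one request's debug log."""
    findings, seen, mw_session_ids = [], set(), set()

    def report(code, detail):
        if code not in seen:            # one finding per code, first hit wins
            seen.add(code)
            findings.append((code, detail))

    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                    # continuation lines (print_r output etc.)
        channel, msg = m.groups()

        if channel == "session":
            b = BACKEND_RE.match(msg)
            if b:
                mw_session_ids.add(b.group(1))
            r = ID_RESET_RE.search(msg)
            if r:
                new_id = b.group(1) if b else "?"
                report("session-id-reset", f"{r.group(1)} -> {new_id}")
        elif channel == "cookie":
            c = SETCOOKIE_RE.match(msg)
            # The [cookie] channel logs cookies MediaWiki sets. If it writes the
            # identity provider client's cookie name, both apps share one cookie.
            if c and c.group(1) == idp_cookie:
                known = c.group(2) in mw_session_ids
                owner = "MediaWiki session ID" if known else "unknown value"
                report("cookie-collision", f"MediaWiki wrote {idp_cookie} ({owner})")
        elif channel == "PluggableAuth":
            if msg.startswith("ERROR: return to URL is null or empty"):
                report("missing-returnto", msg)
            elif msg.startswith("Could not get authentication plugin instance"):
                report("no-plugin-instance", msg)
            elif re.fullmatch(r"name =\s*", msg):
                report("empty-plugin-name", "plugin name missing from session")
    return findings


# Lines copied from the log excerpts posted in the thread (failing login).
BROKEN_LOG = [
    '[session] Session "293d252826fde6d70feb745dd400f6b6" requested without UserID cookie',
    '[session] SessionBackend "8la08esvfk8693cr266mf15nve379817" metadata dirty due to ID reset (formerly "293d252826fde6d70feb745dd400f6b6")',
    '[cookie] setcookie: "SimpleSAMLSessionID", "8la08esvfk8693cr266mf15nve379817", "0", "/", "", "1", "1", ""',
    '[cookie] already deleted setcookie: "wikidb_wiki_UserID", "", "1654785017", "/", "", "1", "1", ""',
    '[PluggableAuth] Getting PluggableAuth instance',
    '[PluggableAuth] Could not get authentication plugin instance.',
    '[PluggableAuth] name =',
]

# Constructed lines: a request where MediaWiki keeps its own cookie name.
HEALTHY_LOG = [
    '[session] SessionBackend "constructedsessionid0000000000001" save: dataDirty=1 metaDirty=1 forcePersist=0',
    '[cookie] setcookie: "wikidb_wiki_session", "constructedsessionid0000000000001", "0", "/", "", "1", "1", ""',
    '[PluggableAuth] Getting PluggableAuth instance',
    '[PluggableAuth] name = pluggableauthlogin0',
]

if __name__ == "__main__":
    for code, detail in triage(BROKEN_LOG):
        print(f"{code}: {detail}")
```

A cookie-collision finding together with empty-plugin-name points at session configuration (such as $wgSessionName) rather than at the plugin's data section.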
Button labels for PluggableAuth 6.3 with OpenID Connect 6.1 on MW 1.35.x
RESOLVED | |
The buttonLabelMessage option in the $wgPluggableAuth_Config config array is your friend. |
When also allowing local login with $wgPluggableAuth_EnableLocalLogin = true; the button label for logging in with, e.g., Google is "0" with no option to change "0" to something like "Login with Google". Action uselang=qqx does not reveal a system message meant for this. Any hint? [[kgh]] (talk) 15:05, 14 July 2023 (UTC)
- Ah, I see. I now tried to connect a second provider, and this one gets the "1" label for the button — still, no obvious way to relabel the label. [[kgh]] (talk) 16:00, 14 July 2023 (UTC)
- The array index in the $wgPluggableAuth_Config array is the default button label. It can be overwritten with a message if you specify buttonLabelMessage in the config array. It is explained at Extension:PluggableAuth#Version 6.0 or later in the $wgPluggableAuth_Config description, but please feel free to clarify if that isn't clear enough. Cindy.cicalese (talk) 02:45, 15 July 2023 (UTC)
- Cool. I looked at it before but somehow did not see it. A senior moment for sure. Thanks a lot! I hopefully improved the docu a bit. [[kgh]] (talk) 09:35, 15 July 2023 (UTC)
Anybody managed to connect with Azure AD?
RESOLVED | |
Yes! Ensure you provide the client secret, not the client secret ID, from Microsoft. |
- Setup
- MediaWiki 1.39.4 (c3f5338) 16:45, 25. Jul. 2023
- OpenID Connect 7.0.1 (6b550e6) 00:15, 8. Jul. 2023
- PluggableAuth 7.0.0 (548242e) 17:44, 12. Jun. 2023
- LocalSettings
wfLoadExtension( 'OpenIDConnect' );
$wgOpenIDConnect_UseEmailNameAsUserName = true;
wfLoadExtension( 'PluggableAuth' );
$wgPluggableAuth_Config["Google"] = [
'plugin' => 'OpenIDConnect',
'buttonLabelMessage' => 'Pt-login-button-google',
'data' => [
'providerURL' => 'https://accounts.google.com',
'clientID' => '......',
'clientsecret' => '......',
]
];
$wgPluggableAuth_Config["Microsoft"] = [
'plugin' => 'OpenIDConnect',
'buttonLabelMessage' => 'Pt-login-button-microsoft',
'data' => [
'providerURL' => 'https://login.microsoftonline.com/....../v2.0/',
'clientID' => '......',
'clientsecret' => '......'
]
];
$wgPluggableAuth_EnableLocalLogin = true;
I can connect with Google without problems. However, when trying to sign in with Microsoft, I get the "Fatal error authenticating user." message on the wiki. The error log remains silent, and on top, the Sign-in logs for the respective application in the Azure AD portal indicate that the sign-in was successful. I am a bit puzzled as to how to get Microsoft working.
This is what I have tried:
I removed $wgPluggableAuth_EnableLocalLogin = true; from the setup - the same result.
I removed the "Google" array from the setup to test if it works with a single provider - the same result. I assume naming the array instead of leaving it blank does not matter.
Since I am known under the same name both at Google as well as at Microsoft, I used $wgOpenIDConnect_UseEmailNameAsUserName = true; to make sure that there is no conflict in account creation and determining the user name. (By the way: How does the extension react to people trying to sign in from Google or Microsoft, depending on where they are based at the time? - probably worth opening another thread for this.)
Any hint is appreciated. [[kgh]] (talk) 16:33, 26 July 2023 (UTC)
- Hold your horses. I managed and must admit I had senior moments when setting this up. Instead of providing the clientsecret, I provided the clientsecretID. This way, I was destined to fail.
- The only myth remains about why the log recorded a successful authentication even though it was impossible due to a wrong secret. This myth is another story we do not need to expand into.
- For others who want to do a dual login with Google and Microsoft. The config I posted is a working example. [[kgh]] (talk) 19:15, 27 July 2023 (UTC)
Problems with LDAP-Login
RESOLVED | |
Downgraded PluggableAuth to 1_35 and now it works. |
After upgrading to Ubuntu 22.04 our LDAP-Login doesn't work anymore.
Already updated MediaWiki to 1.4
Pluggable-Auth to REL1.4
LDAP-Provider to REL1.4
LDAPAuthentication to REL1.4
LDAPUserInfo to REL1.4
LDAPGroups to REL1.4
When I head to Login it always shows my data could not be verified.
php extensions/LDAPProvider/maintenance/CheckLogin.php --domain xyz --username xyz
results in "OK"
Already searched the Internet for 4 Hours and tried tons of approaches...
Can't get it to work...
My current configuration regarding LDAP
$ldapJsonFile = "$IP/ldap.json";
$ldapConfig = false;
if (is_file($ldapJsonFile) && is_dir("$IP/extensions/LDAPProvider")) {
$testJson = @json_decode(file_get_contents($ldapJsonFile),true);
if (is_array($testJson)) {
$ldapConfig = true;
} else {
error_log("Found invalid JSON in file: $IP/ldap.json");
}
}
if ( $ldapConfig ) {
wfLoadExtension('PluggableAuth');
$wgPluggableAuth_EnableAutoLogin = false;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_ButtonLabel = 'Anmelden';
wfLoadExtension('LDAPProvider');
$LDAPProviderDomainConfigProvider = "\\MediaWiki\\Extension\\LDAPProvider\\DomainConfigProvider\\LocalJSONFile::newInstance";
$LDAPProviderDomainConfigs = $ldapJsonFile;
$LDAPProviderDefaultDomain = "MyDomain";
wfLoadExtension('LDAPAuthentication2');
$LDAPAuthentication2AllowLocalLogin = false;
wfLoadExtension('LDAPAuthorization');
wfLoadExtension('LDAPUserInfo');
wfLoadExtension('LDAPGroups');
$wgPluggableAuth_EnableLocalProperties = false;
$wgPluggableAuth_ExtraLoginFields = [];
$wgPluggableAuth_Class = ["LDAPAuthentication2"];
$wgPluggableAuth_Config = array(
array('plugin' => 'LDAPAuthentication2',
'buttonLabelMessage' => 'Login',
'data' => ['domain' => 'MyDomain']
),
);
$wgLDAPDebug = 3;
$wgGroupPermissions['domuser']['edit'] = true;
}
TropicDE (talk) 11:37, 8 August 2023 (UTC)
- I'm assuming that you mean REL1_40. Please try REL1_39. I believe that the LDAP extensions only update the branches for LTS versions. The REL1_39 branches of the extensions should work with MediaWiki 1.40. Cindy.cicalese (talk) 13:48, 8 August 2023 (UTC)
Problems with LDAP login
I have a problem with the LDAP login. I am using PluggableAuth version 7.0.0 and LDAPAuthentication2 version 2.0.1. When I click to log in, there is no form to enter username and password, but only the following error message "The supplied credentials could not be authenticated". I have tested my LDAP provider conf file with no error.
Local settings file:
// Load LDAP Config from JSON
$ldapJsonFile = "$IP/ldap.json";
$ldapConfig = false;
if (is_file($ldapJsonFile) && is_dir("$IP/extensions/LDAPProvider")) {
$testJson = @json_decode(file_get_contents($ldapJsonFile),true);
if (is_array($testJson)) {
$ldapConfig = true;
} else {
error_log("Found invalid JSON in file: $IP/ldapprovider.json");
}
}
// Activate Extension
if ( $ldapConfig ) {
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPGroups' );
$LDAPProviderDomainConfigs = $ldapJsonFile;
// Force LDAPGroups to sync by choosing a domain (e.g. first JSON object in ldap.json)
$LDAPProviderDefaultDomain = "XXX";
$LDAPAuthentication2AllowLocalLogin = false;
$wgPluggableAuth_Config['Log In (xxx)'] = [
'plugin' => 'LDAPAuthentication2',
'data' => ['domain'=>'xxx']
];
$wgPluggableAuth_EnableLocalLogin = false;
}
132.168.89.106 (talk) 11:54, 24 August 2023 (UTC)
- Please turn on debug logging as described at Manual:How to debug#Logging and include the relevant portions of the debug log. Cindy.cicalese (talk) 14:27, 24 August 2023 (UTC)
- The debug log does not contain any entry for PluggableAuth or LDAP. 132.168.89.106 (talk) 16:08, 24 August 2023 (UTC)
- I have installed mediawiki 1.39.4 via Bluespice 4.3.1 with php 8.2.5 132.168.89.106 (talk) 16:11, 24 August 2023 (UTC)
- Can you confirm that it is getting inside the if statement loading the extensions? Are they listed on Special:Version? Cindy.cicalese (talk) 16:50, 24 August 2023 (UTC)
- I can't verify the Special:Version because a login is required to access all the pages. 132.168.89.106 (talk) 06:12, 25 August 2023 (UTC)
- But I have put some echo to check that it is getting inside the if statement loading. 132.168.89.106 (talk) 06:13, 25 August 2023 (UTC)
- And there is no button 'Log In (xxx)' only log in 132.168.89.106 (talk) 06:14, 25 August 2023 (UTC)
- @Osnard, perhaps you have some suggestions? Cindy.cicalese (talk) 14:35, 25 August 2023 (UTC)
I have installed mediawiki 1.39.4 via Bluespice 4.3.1 with php 8.2.5
- BlueSpice has an integration of PluggableAuth settings into the Config-Manager. This will override your serverside settings.
- Try to wrap your $wgPluggableAuth_Config into a $wgFileExtensions callback:
$GLOBALS['wgFileExtensions'][] = function () {
    $GLOBALS['wgPluggableAuth_Config']['Log In (xxx)'] = [
        'plugin' => 'LDAPAuthentication2',
        'data' => ['domain'=>'xxx']
    ];
};
Osnard (talk) 07:21, 4 September 2023 (UTC)
UX degradation for ldap / local logins
Hi there -
first and foremost: thank you very much for your work on the auth plugins. I am using it to authenticate users from both an AD (regular accounts) and local users (wiki admins). After upgrading from mediawiki v1.35 w/ PluggableAuth v5.7 to mediawiki v1.39 w/ PluggableAuth v7, I am facing an issue regarding the UX of the Special:UserLogin-page.
With PluggableAuth v5.7, there was a drop down-field labelled "Your domain:" where users would select the (appropriately labelled) authentication source. Afterwards, they would click on the "Log in with PluggableAuth"-button to actually log in.
With PluggableAuth v7, I could re-enable local logins by setting $wgPluggableAuth_EnableLocalLogin to true - this produces 2 radio buttons on Special:Login. The upper one (labelled "Log in") authenticates local accounts, while the other one authenticates accounts via AD.
I am seeing a few problems here:
- Having two auth-buttons clearly degrades the user experience compared to the UI provided by PluggableAuth v5.7. It's "user types in name and password and wonders 'what button should I press now'" vs. "user types in name and password, explicitly chooses the appropriately labelled auth method and clicks on the one and only 'authenticate'-button".
- Labelling the (lower) button responsible for ldap-auth via buttonLabelMessage="foobar" produces a button labelled <foobar>, which is not what one might want. Omitting buttonLabelMessage and setting the name via the array name in $wgPluggableAuth_Config works, but feels like abusing this property.
- Labelling the (upper) button responsible for local auth doesn't seem to be possible - afaict neither $wgPluggableAuth_ButtonLabel nor $wgPluggableAuth_ButtonLabelMessage work anymore. This yields two buttons - one labelled "Log in" (the upper one for local logins) vs. "whatever my label is" for the second button. Users tend to click the first one, which won't work.
Thank you very much & with kind regards, Thoralf. T tfbb (talk) 10:13, 29 August 2023 (UTC)
- Thank you for your feedback! Perhaps @Osnard could give some insight into the LDAP-related button labels. Cindy.cicalese (talk) 13:31, 29 August 2023 (UTC)
- Thanks for the feedback. I understand the issue.
- Well, the idea was to align LDAPAuthentication2 with the new "multi-plugin-support" of PluggableAuth. So for each domain one can authenticate against, there would be one dedicated plugin configured. Very similar to what can be done with SAML or OpenIDConnect already.
- But I agree that there is difference. Neither SAML, nor OpenIDConnect collect username/password from Special:Login. Instead they redirect to an external login form.
- One idea would be to do the same for LDAPAuthentication2: Create another Specialpage for entering username/password and have the button on Special:Login just redirect the user to this one.
- I will consider this for future development.
- Regarding item 2: buttonLabelMessage actually requires a MediaWiki system message key, not a plain string. Osnard (talk) 11:22, 4 September 2023 (UTC)
user groups not filled in correctly
I am using MediaWiki 1.39.2 with PluggableAuth and SimpleSAMLphp 7.0.0 (June 2023). My previous configuration, working as expected under 6.x, was:
$wgPluggableAuth_Config['Log in using my SAML'] = [
'plugin' => 'SimpleSAMLphp',
'data' => [
'authSourceId' => 'wiki-t-sp',
'usernameAttribute' => 'urn:oid:0.9.2342.19200300.100.1.1',
'realNameAttribute' => 'urn:oid:2.16.840.1.113730.3.1.241',
'emailAttribute' => 'urn:oid:0.9.2342.19200300.100.1.3',
'mapGroups_Map' => [
'reader' => ['urn:oid:1.3.6.1.4.1.5923.1.1.1.7' => ['testwiki_read']],
'writer' => ['urn:oid:1.3.6.1.4.1.5923.1.1.1.7' => ['testwiki_write']],
'sysop' => ['urn:oid:1.3.6.1.4.1.5923.1.1.1.7' => ['testwiki_admin']]
]
]
];
I have changed this to
$wgPluggableAuth_Config['Log in using my SAML'] = [
'plugin' => 'SimpleSAMLphp',
'data' => [
'authSourceId' => 'wiki-t-sp',
'usernameAttribute' => 'urn:oid:0.9.2342.19200300.100.1.1',
'realNameAttribute' => 'urn:oid:2.16.840.1.113730.3.1.241',
'emailAttribute' => 'urn:oid:0.9.2342.19200300.100.1.3'
],
'groupsyncs' => [
[
'type' => 'mapped',
'map' => [
'reader' => ['urn:oid:1.3.6.1.4.1.5923.1.1.1.7' => ['testwiki_read']],
'writer' => ['urn:oid:1.3.6.1.4.1.5923.1.1.1.7' => ['testwiki_write']],
'sysop' => ['urn:oid:1.3.6.1.4.1.5923.1.1.1.7' => ['testwiki_admin']]
]
]
]
];
When logging in with a new user, the user is created in the MediaWiki database, but without any groups. Only on the second login, the groups are filled in as expected. Is something wrong/missing in my configuration, or is this a bug? Joernc unibi (talk) 11:44, 31 August 2023 (UTC)
- Actually I am testing with MediaWiki 1.39.4... Joernc unibi (talk) 12:06, 31 August 2023 (UTC)
- So basically group sync does not work only on "first login" (= "user gets created in wiki db"), right? Osnard (talk) 06:11, 5 September 2023 (UTC)
Way to download 6.x series?
RESOLVED | |
Download_from_Git#Using_Git_to_download_MediaWiki_extensions |
Is there an easy way to download PluggableAuth 6.x? Only versions 5.7 and 7.0 are being presented with the ExtensionDistributor:
- PluggableAuth-REL1_35-cf04712 is 5.7
- PluggableAuth-REL1_39-1cbf448 is 7.0
- PluggableAuth-REL1_40-8104ed9 is 7.0 Cpeel (talk) 23:32, 3 September 2023 (UTC)
- You can download the extension from git using the instructions at Download_from_Git#Using_Git_to_download_MediaWiki_extensions. You can then checkout the relevant tag. Cindy.cicalese (talk) 00:23, 4 September 2023 (UTC)
- Perfect - thank you! Cpeel (talk) 01:14, 5 September 2023 (UTC)
SSO Session Time out MW 1.39
RESOLVED | |
Use $wgExtendedLoginCookieExpiration |
Hello
I'm using MW 1.39 with SSO implemented with Azure AD.
After logging in using AzureAD the session is expiring very fast.
I increased the value of session.gc_maxlifetime
but no result.
Which is the right parameter to put on my MW to avoid the session expiring very fast?
Thanks Raoufgui (talk) 12:43, 4 September 2023 (UTC)
- You could set $wgRememberMe to 'always' to extend the session. You may also try setting $wgExtendedLoginCookieExpiration. Cindy.cicalese (talk) 17:46, 4 September 2023 (UTC)
- Thank you very much. I tried $wgExtendedLoginCookieExpiration and it works for me. Raoufgui (talk) 13:46, 8 September 2023 (UTC)
The supplied credentials could not be authenticated
RESOLVED | |
Configuration error |
Hi,
I'm trying to use an AD's LDAP to authenticate on the wiki. But I've got this error. When I try to authenticate on the website, it redirects automatically to the error: The supplied credentials could not be authenticated. Everything is updated. I did see in this forum a compatibility issue in Pluggable Auth 6.0 and Authentication2. But Pluggable Auth is updated now, but my problem remains. If someone knows how to help me, please
Thanks! 189.9.13.119 (talk) 14:25, 18 September 2023 (UTC)
- When reporting an error, please be sure to include version information for MediaWiki and all relevant extensions as well as configuration information. Also, please turn on debug logging as described at Manual:How to debug#Logging and include the relevant portions of the debug log. Cindy.cicalese (talk) 14:39, 18 September 2023 (UTC)
- I'm using MediaWiki 1.39, PluggableAuth 7.0.0 and LDAPAuthentication2 3.0.0-alpha.
- I could not get any good information from the logs. Maybe I did not see something.
- The main debug file just contains these DB queries:
- [DBConnection] Wikimedia\Rdbms\LoadBalancer::getLocalConnection: reused a connection for localAutoCommit/0
- [DBQuery] SqlBagOStuff::doUnlock [0s] localhost: SELECT RELEASE_LOCK('wiki_soc:messages:en') AS released
- [MessageCache] MessageCache::loadUnguarded: Loading en... local cache is empty, global cache is empty, loading from database
- [DBReplication] LBFactory shutdown completed
- This is from the logs, but when I try to get the LogGroups from the plugins and LDAP, nothing appears. Checkusernames.php from maintenance is working. 189.9.13.119 (talk) 15:08, 18 September 2023 (UTC)
- You could probably get more detailed assistance at Extension talk:LDAPAuthentication2 or the talk pages of the other extensions in the LDAP stack. It would be helpful to provide them with redacted information from your configuration arrays. Cindy.cicalese (talk) 15:20, 18 September 2023 (UTC)
- Ok, thank you! Do you think Authentication2 might be the main issue about this error? 189.9.13.89 (talk) 16:08, 18 September 2023 (UTC)
- It is likely a configuration issue either with that extension or AD. Cindy.cicalese (talk) 17:34, 18 September 2023 (UTC)
- OK, there was a misconfiguration on PluggableAuthConfig, it's fixed. Thanks! But now I've got an error "The cannot be authenticated". When I try a wrong password it gives me another error "Could not authenticate credentials against domain 'ccabr.intraer'". That means the user authenticates, right? But it still doesn't work. It just returns me that the user cannot be authenticated. 189.9.13.119 (talk) 18:37, 18 September 2023 (UTC)
- Possibly. The debug logs should help. It is still likely a configuration issue either with one of the extensions or AD. Cindy.cicalese (talk) 01:39, 19 September 2023 (UTC)
- OK, thank you! The logs are not helping that much but I'm analyzing them, and the configuration too. If you have any hints I'm very grateful. 189.9.13.119 (talk) 14:08, 19 September 2023 (UTC)
- You should search the logs for lines that begin with PluggableAuth, LDAPAuthentication2, LDAPProvider, or the names of any of the other LDAP extensions that you have installed. That information should hopefully show you how you are progressing through the authentication flow and where it is failing.
- From what you are describing, it sounds like you are ending up at https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/PluggableAuth/+/refs/heads/master/includes/PluggableAuthLogin.php#135, which means that LDAPAuthentication2's authenticate() function is returning false. Your best bet is still to ask on the talk page for that extension or search through the archives for similar issues. Cindy.cicalese (talk) 15:17, 19 September 2023 (UTC)
- WOW! Thanks a lot! I'm doing my best to fix this. We do not use email in our AD, may this be some problem to the authentication? As it seems we tries to get it. I'm going to get checkuser info again to see if I can get some more info. Thanks again. 189.9.13.89 (talk) 18:22, 19 September 2023 (UTC)
- 2023-09-21 19:01:47 servername wiki: In execute()
- 2023-09-21 19:01:47 servername wiki: Getting PluggableAuth instance
- 2023-09-21 19:01:47 servername wiki: Plugin name: LDAPAuthentication2
- 2023-09-21 19:01:48 servername wiki: Try to authenticate user: user
- 2023-09-21 19:01:48 servername wiki: Not local login. Checking LDAP...
- 2023-09-21 19:01:48 servername wiki: LDAP domain: my.domain
- 2023-09-21 19:01:48 servername wiki: Username not found in user info provided by LDAP!Please check LDAP domain configuration. Specifically usernameattribute
- 2023-09-21 19:01:48 servername wiki: LDAP user info results for user user: Array
- (
- [cn] => user
- [sn] => user
- [givenname] => user
- [distinguishedname] => CN=user,OU=Users,DC=my,DC=domain
- [displayname] => user
- [memberof] => CN=user_wiki,OU=Groups,DC=my,DC=domain
- [name] => user
- [samaccountname] => user
- [userprincipalname] => user@my.domain
- [objectcategory] => CN=Person,CN=Schema,CN=Configuration,DC=my,DC=domain
- [dn] => CN=user,OU=Users,DC=my,DC=domain
- )
- 2023-09-21 19:01:48 servername wiki: Authentication failure.
- that's the error 2804:14C:658F:8EAA:D54F:4EC2:2B64:DDAB (talk) 19:08, 21 September 2023 (UTC)
- I've got it! Actually in the ldap.json file, in usernameattribute, I had to put a different value than "samaccountname", it was just "name". Thank you a lot for the support! 2804:14C:658F:8EAA:D54F:4EC2:2B64:DDAB (talk) 19:41, 21 September 2023 (UTC)
- That information I've got in that part of the AD search return [name] => user, if someone's facing the same problem, I suggest to do that, watch the AD's return and match with the ldap.json file. 2804:14C:658F:8EAA:D54F:4EC2:2B64:DDAB (talk) 19:43, 21 September 2023 (UTC)
- The relevant portion appears to be: "Username not found in user info provided by LDAP!Please check LDAP domain configuration. Specifically usernameattribute".
- What is your configuration for usernameattribute in LDAPProvider? See Extension:LDAPProvider#Static_JSON_file. Does that configuration value match one of the array indices in the array above?
- If it is not obvious what the problem is from that, please request assistance at Extension talk:LDAPProvider. Cindy.cicalese (talk) 19:49, 21 September 2023 (UTC)
- Great! Apparently we were typing at the same time. I'm glad you found the issue. Please feel free to update the documentation for Extension:LDAPProvider if you feel it is not clear. Cindy.cicalese (talk) 19:50, 21 September 2023 (UTC)
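The check suggested in this thread (does each configured attribute name match a key in the user info that LDAP returned?), as an added example that is not part of the original discussion and not LDAPProvider code. The embedded JSON and user info are constructed samples, `checkAttributeSettings()` is a hypothetical helper, and because the page does not say whether LDAPProvider compares names case-sensitively, a case-only difference is reported as its own finding.

```php
<?php
declare( strict_types=1 );

// Constructed stand-in for ldap.json; the setting names are the ones quoted on this page.
$ldapJson = <<<'JSON'
{
	"my.domain": {
		"connection": {
			"searchattribute": "sAMAccountName",
			"usernameattribute": "sAMAccountName",
			"realnameattribute": "displayname",
			"emailattribute": "mail"
		}
	}
}
JSON;

// Constructed sample: keys spelled as in the "LDAP user info results" log entry above.
$userInfo = [
	'cn' => 'user',
	'displayname' => 'user',
	'name' => 'user',
	'samaccountname' => 'user',
	'userprincipalname' => 'user@my.domain',
	'dn' => 'CN=user,OU=Users,DC=my,DC=domain',
];

/**
 * Compare the configured attribute names with the keys actually returned.
 * Hypothetical helper for illustration, not an LDAPProvider API.
 *
 * @return array<string,string> setting name => finding
 */
function checkAttributeSettings( array $connection, array $userInfo ): array {
	$settings = [ 'usernameattribute', 'realnameattribute', 'emailattribute' ];

	// Index the returned keys by their lowercase form to spot case-only differences.
	$byLowerCase = [];
	foreach ( array_keys( $userInfo ) as $key ) {
		$byLowerCase[ strtolower( (string)$key ) ] = (string)$key;
	}

	$findings = [];
	foreach ( $settings as $setting ) {
		$configured = $connection[$setting] ?? null;
		if ( !is_string( $configured ) || $configured === '' ) {
			$findings[$setting] = 'not configured';
		} elseif ( array_key_exists( $configured, $userInfo ) ) {
			$findings[$setting] = "ok: '$configured' is a returned key";
		} elseif ( isset( $byLowerCase[ strtolower( $configured ) ] ) ) {
			$actual = $byLowerCase[ strtolower( $configured ) ];
			$findings[$setting] = "'$configured' differs only in letter case from returned key '$actual'";
		} else {
			$findings[$setting] = "'$configured' is not among the returned keys: "
				. implode( ', ', array_keys( $userInfo ) );
		}
	}
	return $findings;
}

$domains = json_decode( $ldapJson, true, 512, JSON_THROW_ON_ERROR );
foreach ( $domains as $domain => $sections ) {
	echo "Domain $domain\n";
	$findings = checkAttributeSettings( $sections['connection'] ?? [], $userInfo );
	foreach ( $findings as $setting => $finding ) {
		printf( "  %-18s %s\n", $setting, $finding );
	}
}
```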
Bypass Special:UserLogin
The following discussion is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.
Hi
We are struggling with the slow loading of our wiki page on first-time login (when not taking from cache). One action that is taking more than a minute is the Special:UserLogin part. I can read this in the PluggableAuth extension page:
"If a single authentication plugin is used and local login is disabled, the Special:UserLogin page will be bypassed."
We are only using SimpleSAMLphp as authentication plugin and we have set $wgPluggableAuth_EnableLocalLogin = false;
Any idea why we are still not bypassing this Special:UserLogin page? Thanks. Anderst25 (talk) 14:43, 18 September 2023 (UTC)
- The display of the Special:UserLogin page is bypassed, since there is no information to gather from the user. However, there is still a redirect to the Special:UserLogin code that handles that step in the login interaction. In your case, based upon the discussion at https://phabricator.wikimedia.org/T344913, this is where the SimpleSAMLphp login interaction is initiated. It is the SimpleSAMLphp library that is introducing the latency while Special:UserLogin waits for a response. Cindy.cicalese (talk) 15:01, 18 September 2023 (UTC)
Is EnableAutoLogin too "aggressive" ?
We're looking into a problem that we're seeing with a quite complex set-up involving SimpleSAML and access via two domains of which one requires users to be authenticated to the SAML domain at all times and the second only "on request" (E.g. I have read access but need to be authenticated for write access).
With the domain that requires users to be authenticated with the SAML domain before actually accessing the wiki instance, we have found that the best user experience is to have $wgPluggableAuth_EnableAutoLogin set to true.
However, this leads to problems on the second domain when using OAuth. (Not WSOAuth with PluggableAuth, but the OAuth extension to authorize applications to act on local users' behalf).
The problem seems to stem from the fact that EnableAutoLogin is also triggered for POST requests made by the OAuth client to Special:OAuth/initiate (See here). With EnableAutoLogin enabled, the POST request does not succeed, but gets a Location header instead to the SAML log-in portal, breaking the API client.
With EnableAutoLogin disabled, the POST request succeeds and the OAuth/API client gets a request_token. Meaning that the Special:OAuth/initiate route does not actually require any authentication (Since it is initiating an authentication process itself).
My gut feeling is that PluggableAuth should not "invoke" AutoLogin on the Special:OAuth/initiate route since authentication is not required here.
What are your thoughts on this? Have I actually made myself clear? And did I perhaps miss something? Clausekwis (talk) 15:28, 5 October 2023 (UTC)
- Makes sense. It is quite possible that there should be another guard statement at https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/PluggableAuth/+/refs/heads/master/includes/PluggableAuthService.php#221 to prevent triggering autologin. It looks like the PluggableAuthLoginSpecialPages attribute could be used to prevent autologin on Special:OAuth/initiate, but attributes can only be set in extension.json. Another configuration variable could be added to allow preventing autologin on other pages. Cindy.cicalese (talk) 19:28, 5 October 2023 (UTC)
- Great! Good to see that my assumptions were not entirely off-track. Will you be looking into this or should I see if I can dig into this subject a bit further? Clausekwis (talk) 14:44, 6 October 2023 (UTC)
- I will unlikely have time to dig into it any time soon, so please feel free to do so. Cindy.cicalese (talk) 15:09, 6 October 2023 (UTC)
LDAPauthentication2 not working with MW 1.39.4
RESOLVED: This query related to extension:LdapProvider
The following discussion is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.
Hi,
I am trying to configure LDAP authentication using PluggableAuth and LDAPAuthentication2 extensions in our private wiki. When I open the wiki page, it is not logged in automatically as expected. But if I click on the login, it says - "The supplied credentials could not be authenticated"
I checked logs, only authentication log is created and below is the only error I can see.
"wiki: Login failed in primary authentication because no provider accepted"
Other logs are not created, I don't understand why?
I am not sure if the configuration is correct. Is there an option to test the connection to verify it is able to authenticate? Can someone help with this?
Below codes added in LocalSettings.php:
wfLoadExtension( 'PluggableAuth' );
$wgPluggableAuth_EnableAutoLogin = false; #if true, disables the logout option
$wgPluggableAuth_ButtonLabelMessage = "Log In";
wfLoadExtension( 'LDAPProvider' );
$LDAPProviderDomainConfigProvider = function () {
    $config = [
        "steps.net" => [
            "connection" => [
                "server" => "steps.net",
                "port" => 636,
                "enctype" => "ssl",
                "user" => 'user1@steps.net',
                "pass" => 'password',
                "options" => [
                    "LDAP_OPT_DEREF" => 1
                ],
                "basedn" => "dc=steps,dc=net",
                "userbasedn" => "dc=steps,dc=net",
                "groupbasedn" => "dc=steps,dc=net",
                "searchattribute" => "sAMAccountName",
                "usernameattribute" => "cn",
                "realnameattribute" => "cn",
                "emailattribute" => "mail",
                "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
                "presearchusernamemodifiers" => [ "spacestounderscores", "lowercase" ],
            ],
            "authorization" => [ ],
            "userinfo" => [ ],
            "groupsync" => [ ],
        ]
    ];
    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
$LDAPProviderDefaultDomain = "steps.net";
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPGroups' );
wfLoadExtension( 'LDAPAuthentication2' );
$LDAPAuthentication2AllowLocalLogin=true;
$wgShowExceptionDetails=true;
$wgDebugToolbar=true;
$wgDebugLogFile = "/var/log/mediawiki/Debug-LDAPTest.log";
$wgDebugLogGroups['session'] = "/var/log/mediawiki/session-LDAPTest.log";
$wgDebugLogGroups['authentication'] = "/var/log/mediawiki/authentication-LDAPTest.log";
$wgDebugLogGroups['PluggableAuth'] = "/tmp/PluggableAuth-LDAPTest.log";
$wgDebugLogGroups['LDAP'] = "/tmp/LDAP-LDAPTest.log";
$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] = "/tmp/LDAPProviderClient-LDAPTest.log";
$wgDebugLogGroups['LDAPGroups'] = "/tmp/LDAPGroup-LDAPTest.log";
$wgDebugLogGroups['LDAPUserInfo'] = "/tmp/LDAPUserInfo-LDAPTest.log";
$wgDebugLogGroups['LDAPAuthentication2'] = "/tmp/LDAPAuthentication2-LDAPTest.log";
$wgDebugLogGroups['LDAPAuthorization'] = "/tmp/LDAPAuthorization-LDAPTest.log";
Software Versions:
MediaWiki 1.39.4
PHP 8.0.25 (apache2handler)
MySQL 8.0.26
PluggableAuth 7.0.0 (1cbf448) 05:33, 29 August 2023
LDAPAuthentication2 2.0.2 (b83f5d1) 07:23, 4 September 2023
LDAPAuthorization 2.0.1 (fbb1c3b) 07:23, 4 September 2023
LDAPGroups 2.0.1 (1f945ca) 07:23, 4 September 2023
LDAPProvider 2.0.1 (cc5cb2c) 14:06, 19 September 2023
LDAPUserInfo 2.0.0 (01a4b9e) 10:03, 14 June 2023
Thanks in advance... Testergt1302 (talk) 10:15, 12 October 2023 (UTC)
- It is probably an issue with configuration. I suggest you ask for help at Extension talk:LDAPProvider. Cindy.cicalese (talk) 14:53, 12 October 2023 (UTC)
- Hi Cindy,
- I posted it there, but no response received till now. :( Testergt1302 (talk) 05:50, 16 October 2023 (UTC)
- ok. Cindy, posted it there. Testergt1302 (talk) 10:26, 13 October 2023 (UTC)
after login: Internal error .. Argument #2 ($subject) must be of type string, array given
RESOLVED: Fixed by https://gerrit.wikimedia.org/r/c/mediawiki/extensions/LDAPAuthentication2/+/966807
The following discussion is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.
after updating wiki we are seeing that for some users after login. we use 1.39.5 (f78a5fb) 06:10, October 10, 2023 . Note some users can login , others not. here is the full error: [c1f8b982694f124ffaf407db] /mediawiki/index.php?title=Special:UserLogin&returnto=Special%3ARecentChanges TypeError: preg_match(): Argument #2 ($subject) must be of type string, array given Backtrace: from /var/www/mediawiki/includes/parser/Sanitizer.php(1899)
- 0 /var/www/mediawiki/includes/parser/Sanitizer.php(1899): preg_match()
- 1 /var/www/mediawiki/extensions/PluggableAuth/includes/PrimaryAuthenticationProvider.php(194): Sanitizer::validateEmail()
- 2 /var/www/mediawiki/extensions/PluggableAuth/includes/PrimaryAuthenticationProvider.php(163): MediaWiki\Extension\PluggableAuth\PrimaryAuthenticationProvider->updateUserRealNameAndEmail()
- 3 /var/www/mediawiki/includes/auth/AuthManager.php(606): MediaWiki\Extension\PluggableAuth\PrimaryAuthenticationProvider->continuePrimaryAuthentication()
- 4 /var/www/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(374): MediaWiki\Auth\AuthManager->continueAuthentication()
- 5 /var/www/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(504): AuthManagerSpecialPage->performAuthenticationStep()
- 6 /var/www/mediawiki/includes/htmlform/HTMLForm.php(729): AuthManagerSpecialPage->handleFormSubmit()
- 7 /var/www/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(435): HTMLForm->trySubmit()
- 8 /var/www/mediawiki/includes/specialpage/LoginSignupSpecialPage.php(320): AuthManagerSpecialPage->trySubmit()
- 9 /var/www/mediawiki/includes/specialpage/SpecialPage.php(701): LoginSignupSpecialPage->execute()
- 10 /var/www/mediawiki/includes/specialpage/SpecialPageFactory.php(1428): SpecialPage->run()
- 11 /var/www/mediawiki/includes/MediaWiki.php(316): MediaWiki\SpecialPage\SpecialPageFactory->executePath()
- 12 /var/www/mediawiki/includes/MediaWiki.php(904): MediaWiki->performRequest()
- 13 /var/www/mediawiki/includes/MediaWiki.php(562): MediaWiki->main()
- 14 /var/www/mediawiki/index.php(50): MediaWiki->run()
- 15 /var/www/mediawiki/index.php(46): wfIndexMain()
- 16 {main} RobFantini (talk) 00:16, 14 October 2023 (UTC)
- note this only happens to those who have not logged in lately.. RobFantini (talk) 16:04, 14 October 2023 (UTC)
- What version of PluggableAuth and other related extensions are you using? Cindy.cicalese (talk) 15:34, 15 October 2023 (UTC)
- PluggableAuth 7.0.0 (211d5ba) 05:47, August 15, 2023
- LDAPAuthentication2 2.0.1
- the other Ldap extensions are 2.0.0
- I'll work on getting debug set up. RobFantini (talk) 22:00, 15 October 2023 (UTC)
- Also, please turn on debug logging and include relevant portions of the log. Cindy.cicalese (talk) 15:39, 15 October 2023 (UTC)
- [LDAPProvider] Found user DN: 'uid=amy,ou=People,dc=test,dc=com'
- [LDAPProvider] MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'uid=amy,ou=People,dc=test,dc=com'
- [DBConnection] Wikimedia\Rdbms\LoadBalancer::getLocalConnection: reused a connection for localAutoCommit/0
- [DBQuery] SqlBagOStuff::fetchBlobs [0s] localhost: SELECT keyname,value,exptime FROM `objectcache` WHERE keyname = 'fbcwiki:ldap-provider:
- user-info:amy:ou=People,dc=test,dc=com' AND (exptime >= '20231015232138')
- [LDAPProvider] Ran LDAP search for '(uid=amy)' in 0.0020978450775146 seconds.
- [DBConnection] Wikimedia\Rdbms\LoadBalancer::getLocalConnection: reused a connection for localAutoCommit/0
- [DBQuery] Wikimedia\Rdbms\DatabaseMysqlBase::getServerId [0s] localhost: SELECT @@server_id AS id
- [DBQuery] SqlBagOStuff::modifyTableSpecificBlobsForSet [0.003s] localhost: REPLACE INTO `objectcache` (keyname,value,exptime) VALUES ('fbcwiki:
- ldap-provider:user-info:amy:ou=People,dc=test,dc=com',.......
- [DBConnection] Wikimedia\Rdbms\LoadBalancer::getLocalConnection: reused a connection for localAutoCommit/0
- [LDAPAuthentication2] LDAP login succeeded.
- [DBQuery] Wikimedia\Rdbms\DatabaseMysqlBase::open [0s] localhost: SET group_concat_max_len = 262144, `sql_mode` =
- [DBConnection] Wikimedia\Rdbms\LoadBalancer::getLocalConnection: opened new connection for local/0
- [DBPerformance] Expectation (masterConns <= 0) by MediaWiki::main not met (actual: 2):
- [connect to localhost (fbcwiki)]
-
- 0 /var/www/mediawiki/includes/libs/rdbms/TransactionProfiler.php(219): Wikimedia\Rdbms\TransactionProfiler->reportExpectationViolated()
- 1 /var/www/mediawiki/includes/libs/rdbms/loadbalancer/LoadBalancer.php(980): Wikimedia\Rdbms\TransactionProfiler->recordConnection()
- 2 /var/www/mediawiki/includes/libs/rdbms/loadbalancer/LoadBalancer.php(944): Wikimedia\Rdbms\LoadBalancer->getServerConnection()
- 3 /var/www/mediawiki/includes/libs/rdbms/database/DBConnRef.php(95): Wikimedia\Rdbms\LoadBalancer->getConnectionInternal()
- 4 /var/www/mediawiki/includes/libs/rdbms/database/DBConnRef.php(101): Wikimedia\Rdbms\DBConnRef->ensureConnection()
- 5 /var/www/mediawiki/includes/libs/rdbms/database/DBConnRef.php(344): Wikimedia\Rdbms\DBConnRef->__call()
- 6 /var/www/mediawiki/includes/user/User.php(416): Wikimedia\Rdbms\DBConnRef->selectRow()
- 7 /var/www/mediawiki/includes/user/User.php(1660): User->load()
- 8 /var/www/mediawiki/extensions/LDAPAuthentication2/src/PluggableAuth.php(130): User->getId()
- 9 /var/www/mediawiki/extensions/PluggableAuth/includes/PluggableAuthLogin.php(101): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->aut
- henticate()
-
- 10 /var/www/mediawiki/includes/specialpage/SpecialPage.php(701): MediaWiki\Extension\PluggableAuth\PluggableAuthLogin->execute()
- 11 /var/www/mediawiki/includes/specialpage/SpecialPageFactory.php(1428): SpecialPage->run()
- 12 /var/www/mediawiki/includes/MediaWiki.php(316): MediaWiki\SpecialPage\SpecialPageFactory->executePath()
- 13 /var/www/mediawiki/includes/MediaWiki.php(904): MediaWiki->performRequest()
- 14 /var/www/mediawiki/includes/MediaWiki.php(562): MediaWiki->main()
- 15 /var/www/mediawiki/index.php(50): MediaWiki->run()
- 16 /var/www/mediawiki/index.php(46): wfIndexMain()
- 17 {main}
- [DBQuery] Wikimedia\Rdbms\Database::beginIfImplied (User::load) [0s] localhost: BEGIN
- [DBQuery] User::load [0s] localhost: SELECT actor_id,actor_user,actor_name FROM `actor` WHERE actor_name = 'Amy' LIMIT 1
- [DBConnection] Wikimedia\Rdbms\LoadBalancer::getLocalConnection: reused a connection for local/0 RobFantini (talk) 23:32, 15 October 2023 (UTC)
- If you want I could email or upload a more complete log..... RobFantini (talk) 23:38, 15 October 2023 (UTC)
- Well, TypeError: preg_match(): Argument #2 ($subject) must be of type string, array given Backtrace: from /var/www/mediawiki/includes/parser/Sanitizer.php(1899) coming from extensions/PluggableAuth/includes/PrimaryAuthenticationProvider.php(194): Sanitizer::validateEmail() makes me think that either the LDAP server returns an odd value for what you have configured in emailattribute. Can you please check that value, e.g. by running extensions/LDAPProvider/maintenance/ShowUserInfo.php for the affected user?
- Alternatively some handler of hook IsValidEmailAddr is messing up the e-mail address. But this seems unlikely. Osnard (talk) 09:59, 16 October 2023 (UTC)
sudo -u www-data php extensions/LDAPProvider/maintenance/ShowUserInfo.php --username amy --domain test.com
- RobFantini (talk) 12:15, 16 October 2023 (UTC)
uid => amy
mail =>
    0 => amy@test.com
memberof =>
    0 => cn=nextcloud,ou=groups,dc=test,dc=com
    1 => cn=UNIX Users,ou=groups,dc=test,dc=com
givenname => Amy
sn => O'test
cn => Amy O'test
dn => uid=amy,ou=People,dc=test,dc=com
- Hello. Is there a way for me to further debug if some handler of hook IsValidEmailAddr is messing up the e-mail address? RobFantini (talk) 11:01, 17 October 2023 (UTC)
- Well, mail => 0 => amy@test.com is probably already the explanation.
- It should rather be mail => amy@test.com
- Unfortunately I can not tell why your LDAP server returns this value or why this only occurs for some users.
- Can you check the same command with a user that hasn't got a problem? Osnard (talk) 11:14, 17 October 2023 (UTC)
- well in our ldap a person can have more than one email address.
- the ones which have more than one email address do have an issue logging in to wiki.
- for instance I can login and my returned from extensions/LDAPProvider/maintenance/ShowUserInfo.php is:
- rob@test
- amy has 5 different email addresses with these as prefix :
0 =>
1 =>
- ..
4 =>
- we use openldap . RobFantini (talk) 12:03, 17 October 2023 (UTC)
- so the ones who can log in have just one email address, and ShowUserInfo.php returns something like
rob@test
- without a 0 => prefix RobFantini (talk) 12:19, 17 October 2023 (UTC)
- is there a way to turn off email checking in LocalSettings.php ? RobFantini (talk) 12:37, 17 October 2023 (UTC)
- I have created a patch for this on https://gerrit.wikimedia.org/r/c/mediawiki/extensions/LDAPAuthentication2/+/966807
- You can download the patched extension code via https://gerrit.wikimedia.org/r/changes/mediawiki%2Fextensions%2FLDAPAuthentication2~966807/revisions/2/archive?format=tgz
- If you confirm this fixes the issue we can merge and release it. Osnard (talk) 11:14, 18 October 2023 (UTC)
- I got this error after untarring the file into extensions/PluggableAuth
- Fatal error: Uncaught Exception: It was attempted to load LDAPAuthentication2 twice, from /var/www/mediawiki/extensions/LDAPAuthentication2/extension.json and /var/www/mediawiki/extensions/PluggableAuth/extension.json. in /var/www/mediawiki/includes/registration/ExtensionProcessor.php:772 Stack trace: #0 /var/www/mediawiki/includes/registration/ExtensionProcessor.php(280): ExtensionProcessor->extractCredits() #1 /var/www/mediawiki/includes/registration/ExtensionRegistry.php(421): ExtensionProcessor->extractInfo() #2 /var/www/mediawiki/includes/registration/ExtensionRegistry.php(276): ExtensionRegistry->readFromQueue() #3 /var/www/mediawiki/includes/Setup.php(278): ExtensionRegistry->loadFromQueue() #4 /var/www/mediawiki/includes/WebStart.php(86): require_once('...') #5 /var/www/mediawiki/index.php(44): require('...') #6 {main} thrown in /var/www/mediawiki/includes/registration/ExtensionProcessor.php on line 772
- here is a directory listing:
- ls -l
- total 236
- -rw-r--r-- 1 www-data www-data 135 Oct 18 18:34 CODE_OF_CONDUCT.md
- -rw-r--r-- 1 www-data www-data 1212 Oct 18 18:34 composer.json
- -rw-r--r-- 1 www-data www-data 1070 Jan 27 2023 COPYING
- drwxr-xr-x 2 www-data www-data 4096 Aug 16 19:33 docs/
- -rw-r--r-- 1 www-data www-data 1645 Oct 18 18:34 extension.json
- -rw-r--r-- 1 www-data www-data 493 Oct 18 18:34 Gruntfile.js
- drwxr-xr-x 2 www-data www-data 4096 Oct 18 18:34 i18n/
- drwxr-xr-x 4 www-data www-data 4096 Aug 16 19:33 includes/
- -rw-r--r-- 1 www-data www-data 241 Oct 18 18:34 package.json
- -rw-r--r-- 1 www-data www-data 191732 Oct 18 18:34 package-lock.json
- -rw-r--r-- 1 www-data www-data 265 Oct 18 18:34 README.mediawiki
- drwxr-xr-x 2 www-data www-data 4096 Oct 18 18:34 src/
- drwxr-xr-x 4 www-data www-data 4096 Jan 27 2023 tests/ RobFantini (talk) 22:45, 18 October 2023 (UTC)
- The patch is an update to LDAPAuthentication2, not PluggableAuth. You should be untarring it into extensions/LDAPAuthentication2, not extensions/PluggableAuth. Cindy.cicalese (talk) 22:48, 18 October 2023 (UTC)
- Hello Cindy.
the patch fixed the issue.
- thank you very much! RobFantini (talk) 01:08, 19 October 2023 (UTC)
- I'm glad that worked for you. Cindy.cicalese (talk) 16:35, 19 October 2023 (UTC)
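The failure diagnosed in this thread (a multi-valued `mail` attribute arriving as an array where a string is expected), shown as an added example next to a normalizing form; it is not the Gerrit change linked above and not PluggableAuth or LDAPAuthentication2 code. The user info arrays are constructed, `uncheckedIsEmail()`, `attributeValues()` and `safeEmail()` are hypothetical helpers, and PHP's `filter_var()` stands in for MediaWiki's `Sanitizer::validateEmail()`.

```php
<?php
declare( strict_types=1 );

// Constructed samples shaped like the ShowUserInfo.php output in this thread.
$singleValued = [ 'uid' => 'rob', 'mail' => 'rob@test.com' ];
$multiValued = [
	'uid' => 'amy',
	'mail' => [ 'amy@test.com', 'amy.otest@test.com' ],
];

/**
 * Unchecked form: hands whatever LDAP returned straight to a regex.
 * On PHP 8, preg_match() throws a TypeError when $value is an array.
 */
function uncheckedIsEmail( $value ): bool {
	return preg_match( '/^[^@\s]+@[^@\s]+$/', $value ) === 1;
}

/**
 * Flatten an LDAP attribute value to a list of non-empty strings.
 * Non-string elements are skipped; raw ldap_get_entries() results, for
 * instance, carry an integer 'count' element next to the values.
 *
 * @return string[]
 */
function attributeValues( $value ): array {
	$values = is_array( $value ) ? $value : [ $value ];
	return array_values( array_filter(
		$values,
		static fn ( $item ): bool => is_string( $item ) && $item !== ''
	) );
}

/**
 * Return the first syntactically valid address of the attribute, or null.
 * Taking the first value is a policy assumption of this example; a site may
 * prefer a dedicated single-valued attribute instead.
 */
function safeEmail( array $userInfo, string $emailAttribute ): ?string {
	foreach ( attributeValues( $userInfo[$emailAttribute] ?? null ) as $candidate ) {
		if ( filter_var( $candidate, FILTER_VALIDATE_EMAIL ) !== false ) {
			return $candidate;
		}
	}
	return null;
}

foreach ( [ $singleValued, $multiValued ] as $info ) {
	try {
		$unchecked = uncheckedIsEmail( $info['mail'] ) ? 'valid' : 'invalid';
	} catch ( TypeError $e ) {
		// This is the branch the multi-valued user ends up in.
		$unchecked = 'TypeError: ' . $e->getMessage();
	}
	echo $info['uid'], ' unchecked:  ', $unchecked, "\n";
	echo $info['uid'], ' normalized: ', safeEmail( $info, 'mail' ) ?? '(none)', "\n";
}
```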
PluggableAuthPopulateGroups removed in v7
Why has this hook been removed? It's such a shame... Configuring things in globals seems very dirty to me. 185.116.43.6 (talk) 11:31, 27 October 2023 (UTC)
- Per Extension:PluggableAuth#Group_Synchronization, "In version 7.0.0 and later when you are using an authentication plugin that supports retrieval of attributes from the identity provider (currently OpenID Connect, SimpleSAMLphp, WSOAuth, and JWTAuth), it is possible to synchronize groups from the identity provider to MediaWiki groups. There are two built-in group synchronization algorithms, syncall and mapped, described below. It is also possible for an extension to provide additional custom group synchronization algorithms." This more flexible functionality replaces the earlier approach that used that hook and allows a more consistent approach to group management between the plugins. Cindy.cicalese (talk) 14:30, 27 October 2023 (UTC)
wikimedia 1.39.5 - The supplied credentials could not be authenticated.
Hello, I'm struggling a bit with LDAP configuration on MediaWiki 1.39.5.
I know that it was discussed here before, but I was not able to make sense of the documentation or discussion on this community forum, to the point in which I would resolve it myself, so I decided to ask for help. I'm a bit new to this, so I suspect the main problem is with my understanding of configuration, and that it is not really a bug.
The issue I'm having is with extension PluggableAuth, which is causing the error "The supplied credentials could not be authenticated."
Please, can you help me understand, what am I doing wrong?
For context, this was the configuration of old wiki server:
_________________________________________________________________________ _________________________________________________________________________
# ---------------LDAP---------------
wfLoadExtensions( [
    'PluggableAuth',
    'Auth_remoteuser',
    'LDAPProvider',
    'LDAPAuthentication2',
    'LDAPAuthorization',
    'LDAPUserInfo'
] );
$LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain';
$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$LDAPAuthentication2AllowLocalLogin = false;
$wgAuthRemoteuserAllowUserSwitch = false;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_ButtonLabel = "Log In";
$wgAuthRemoteuserUserName = function() {
    $user = '';
    if( isset( $_SERVER[ 'REMOTE_USER' ] ) ) {
        $user = strtolower( $_SERVER[ 'REMOTE_USER' ] );
    }
    return $user;
};
$LDAPProviderDomainConfigProvider = function() {
    $config = [
        'example.com' => [
            'connection' => [
                "server" => "ldap-1.example.com ldap-2.example.com",
                "port" => 636,
                "enctype" => "ssl",
                "user" => "cn=anonym,ou=ldap,dc=example,dc=com",
                "pass" => "password",
                "options" => [
                    "LDAP_OPT_DEREF" => 1
                ],
                "basedn" => "ou=people,ou=users,dc=example,dc=com",
                "groupbasedn" => "ou=people,ou=users,dc=example,dc=com",
                "userbasedn" => "ou=people,ou=users,dc=example,dc=com",
                "searchattribute" => "uid",
                "usernameattribute" => "uid",
                "realnameattribute" => "displayName",
                "emailattribute" => "mail",
                "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
            ],
            'authorization' => [],
            'userinfo' => [
                'attributes-map' => [
                    'email' => 'mail',
                    'realname' => 'displayName'
                ]
            ]
        ]
    ];
    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
_________________________________________________________________________ _________________________________________________________________________
Versions of extensions used in new wiki are listed below.
I didn't try any other as to my understanding, these should be compatible.
- Auth_remoteuser-REL1_39-b9c4b86 (2.1.1)
- LDAPAuthentication2-REL1_39-42ec3c8 (2.0.4)
- LDAPAuthorization-REL1_39-07d09d8 (2.0.2)
- LDAPProvider-REL1_39-a3c56fa (2.0.2)
- LDAPUserInfo-REL1_39-2fda62c (2.0.1)
- PluggableAuth-REL1_39-e952f13 (7.0.0)
To rule out the problem with connection with LDAP, and or the issue with PHP module for LDAP, I've tested the connection by using the command ldapsearch as the example below with success. I did same for PHP module with simple php script.
ldapsearch -x -H ldaps://ldap-1.example.com:636 -D "cn=anonym,ou=ldap,dc=example,dc=com" -W -b "ou=people,ou=users,dc=example,dc=com" "(uid=name.surname)"
The configuration I've tested is below. I've tried also other configurations, but this is the state in which I'm now.
_________________________________________________________________________ _________________________________________________________________________
The LocalSettings.php configuration for LDAP is:
wfLoadExtensions([
    'PluggableAuth',
    'Auth_remoteuser',
    'LDAPProvider',
    'LDAPAuthentication2',
    'LDAPAuthorization',
    'LDAPUserInfo'
]);
$LDAPProviderDomainConfigProvider = function() {
    $config = json_decode(file_get_contents("/path/to/ldap.json"), true);
    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray($config);
};
$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$LDAPAuthentication2AllowLocalLogin = false;
$wgAuthRemoteuserAllowUserSwitch = false;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_ButtonLabel = "Log In";
$wgAuthRemoteuserUserName = function() {
    return strtolower($_SERVER['REMOTE_USER'] ?? '');
};
_________________________________________________________________________
This is ldap.json configuration:
{
    "example.com": {
        "connection": {
            "server": "ldap-1.example.com ldap-2.example.com",
            "port": 636,
            "enctype": "ssl",
            "user": "cn=anonym,ou=ldap,dc=example,dc=com",
            "pass": "password",
            "options": {
                "LDAP_OPT_DEREF": 1
            },
            "basedn": "ou=people,ou=users,dc=example,dc=com",
            "groupbasedn": "ou=people,ou=users,dc=example,dc=com",
            "userbasedn": "ou=people,ou=users,dc=example,dc=com",
            "searchattribute": "uid",
            "usernameattribute": "uid",
            "realnameattribute": "displayName",
            "emailattribute": "mail"
        },
        "authorization": [],
        "userinfo": {
            "attributes-map": {
                "email": "mail",
                "realname": "displayName"
            }
        }
    }
}
_________________________________________________________________________ _________________________________________________________________________ simon.m (talk) 11:37, 15 November 2023 (UTC)
- There is likely an issue with your configuration. Your best bet for getting help is to post at Extension talk:LDAPProvider or Extension talk:LDAPAuthentication2. Cindy.cicalese (talk) 17:24, 15 November 2023 (UTC)
Is there a minimal Auth provider example available?
Sorry if I didn't see it somewhere in the docs, but do you have somewhere a minimalist auth provider example/template one could use as basis to extend?
The section "Creating an authorization plugin" talks something about a hook, but the other auth provider plugins (for 7.0) I looked through, do not use it, but extend some class?
Unless I'm completely overlooking something, could you please provide a dummy provider that say just hardcoded authorizes the user "bob" with the password "foobar"? (and that's the place I'd put my backend in) Axkibe (talk) 15:11, 30 November 2023 (UTC)
- You could look at the tests/includes/DummyAuth.php file for a minimal provider used in testing. Probably the simplest fully functional provider from a code perspective is Extension:OpenID Connect. You are correct that the group population hook was removed in version 7.0 and the documentation needs to be updated to reflect that. Cindy.cicalese (talk) 16:24, 30 November 2023 (UTC)
- Thank you! Got it and works, but had to look through other solutions for a complete API (at least I hope I have everything I need :). To be honest I got confused by "authorization" vs "authentication", that's why the doc made so little sense to me. Axkibe (talk) 11:10, 1 December 2023 (UTC)
default value of $wgPluggableAuth_EnableFastLogout ?
RESOLVED: false ; done, thanks.
The following discussion is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.
@Cindy.cicalese Hi, in paragraph Version_7.0.0_or_later i have pushed the description right to the respective 'description' column, but now what do we write in the 'default value' for $wgPluggableAuth_EnableFastLogout please ? Thanks. --Christian 🇫🇷 FR (talk) 16:56, 8 December 2023 (UTC)
- Thanks for the updates and fixes! The value should be false; I added it. Cindy.cicalese (talk) 19:31, 8 December 2023 (UTC)