I posted to wrong page . moved to https://www.mediawiki.org/wiki/Talk:LDAP_hub
Talk:LDAP hub/Migration from extension LDAPAuthentication
Hi all,
i'am currently migrating from MediaWiki 1.15 with LDAP Authentication to MediaWiki 1.35 with LDAP Autheentication2.
Until now everything works as expected, SSO is activated in (IIS 2019), users are logging automatically and accounts created automatically.
But some users are still present in DB. Is there any chance to map thoose existing accounts to the users logging in with the same username ? For now evey time a user is logging in, a new account is created.
Usernames are currently differ only in uppercase or lowercase characters.
I did some tests with the following settings without success.....
$LDAPAuthentication2AllowLocalLogin = false;
$wgAuthRemoteuserAllowUserSwitch = true;
$wgPluggableAuth_EnableAutoLogin = true ;
$wgPluggableAuth_EnableLocalProperties = true;
$LDAPAuthentication2sernameNormalizer = 'strtolower';
All plugin versions are 1.35
loaded plugins:
wfLoadExtensions( [
'Auth_remoteuser',
'PluggableAuth',
'LDAPProvider',
'LDAPAuthentication2',
'LDAPAuthorization',
'LDAPUserInfo',
'LDAPGroups',
'WikiEditor',
'HitCounters',
'TopTenPages'
] );
LDAP Config:
$config = [
"BRK-NT" => [
"connection" => [
"server" => "xxx",
"user" => "CN=xx,OU=xx,OU=xx,OU=ITZ,DC=xx,DC=xx,DC=xx",
"pass" => "xxxxx",
"options" => [
"LDAP_OPT_DEREF" => 1
],
"basedn" => "DC=xx,DC=xx,DC=xx",
"groupbasedn" => "DC=xx,DC=xx,DC=xx",
"userbasedn" => "DC=xx,DC=xx,DC=xx",
"searchattribute" => "samaccountname",
"searchstring" => "xx\\USER-NAME",
"usernameattribute" => "samaccountname",
"realnameattribute"=> "displayname",
"emailattribute"=> "mail",
"grouprequest"=> "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
"presearchusernamemodifiers"=> [ "spacestounderscores", "lowercase" ]
],
"userinfo" => [
"attributes-map" => [
"email" => "mail",
"realname" => "displayname",
"nickname" => "samaccountName",
]
],
"groupsync" => [
"mapping" => [
"bureaucrat" => $LDAP_Groups_bureaucrat,
"sysop" => $LDAP_Groups_sysop
]
],
"authorization" => [
"rules" => [
"groups" => $LDAP_Groups_required
]
]
]
];
thx in advance
lufi
Looks like you have a typo in "$LDAPAuthentication2sernameNormalizer". Try to set
$LDAPAuthentication2UsernameNormalizer = $LDAPAuthorizationAutoAuthUsernameNormalizer = 'strtolower';
Thx, looks good. Sry. I think this was a Copy and Paste fail......
Hi all,
I am movin my wiki from :
mediawiki 1.26 / CentOS release 6.3 / PHP 5.3.3 / MySQL 5.1.73
to
mediawiki 1.31 / Red Hat Enterprise Linux Server release 7.8 / PHP 7.1.33 / MySQL 5.7.9
I had to change ldap auth mode from LdapAuthentication to PluggableAuth
OLD file config:
<?php
// Disable reading by anonymous users
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['unix']['read'] = true;
// allow these pages for anonymous users
$wgWhitelistRead = array ("Pagina_principale", "Admin_xxx", "Admin_xc", "Special:Userlogin" );
// Disable anonymous editing
$wgGroupPermissions['*']['edit'] = false;
// Prevent new user registrations except by sysops
$wgGroupPermissions['*']['createaccount'] = false;
/* Extension: LDAP Authentication
http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Options#Enabling_the_plugin */
require_once( "{$IP}/xxx/extensions/wikimedia-mediawiki-extensions-LdapAuthentication-07fe5c5/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
// The names of one or more domains you wish to use
// These names will be used for the other options, it is freely choosable and not dependent
// on your system. These names will show in the Login-Screen, so it is important that the user
// understands the meaning.
//
// REQUIRED
// Default: none
$wgLDAPDomainNames = array( "xxx" );
// The fully qualified name of one or more servers per domain you wish to use. If you are
// going to use SSL or StartTLS, it is important that the server names provided here exactly
// match the name provided by the SSL certificate returned by the server; otherwise, you may
// have problems.
//
// REQUIRED
// Default: none
$wgLDAPServerNames = array( "xx" => "xx.corp" );
// Allow the use of the local database as well as the LDAP database.
// Mostly for transitional purposes. Unless you *really* know what you are doing,
// don't use this option. It will likely cause you annoying problems, and
// it will cause me annoying support headaches.
// Warning: Using this option will allow MediaWiki to leak LDAP passwords into
// its local database. It's highly recommended that this setting not be used for
// anything other than transitional purposes.
//
// Default: false
$wgLDAPUseLocal = true;
// The type of encryption you would like to use when connecting to the LDAP server.
// Available options are 'tls', 'ssl', and 'clear'
//
// Default: tls
$wgLDAPEncryptionType = array( "xx" => "clear" );
// Connect with a non-standard port
// Available in 1.2b+
// Default: 389 for clear/tls, 636 for ssl
#$wgLDAPPort = array( "xx" => 389 );
// User and password used for proxyagent access.
// Please use a user with limited access, NOT your directory manager!
$wgLDAPProxyAgent = array( "xx" => "CN=xx,OU=xx,OU=xxx,OU=xx,OU=xx,DC=xx,DC=xx" );
$wgLDAPProxyAgentPassword = array( "xx" => "xx" );
// Search filter.
// These options are only needed if you want to search for users to bind with them. In otherwords,
// if you cannot do direct binds based upon $wgLDAPSearchStrings, then you'll need these two options.
// If you need a proxyagent to search, remember to set $wgLDAPProxyAgent, and $wgLDAPProxyAgentPassword.
// Anonymous searching is supported. To do an anonymous search, use SearchAttibutes and don't set a Proxy
// agent for the domain required.
#$wgLDAPSearchAttributes = array( "xx" => "cn" );
$wgLDAPSearchAttributes = array( "xx" => "sAMAccountName" );
// Base DNs. Group and User base DNs will be used if available; if they are not defined, the search
// will default to $wgLDAPBaseDNs
$wgLDAPBaseDNs = array( "xx" => "DC=xx,DC=xx" );
/* Group options
Using LDAP groups in any way requires $wgLDAPBaseDNs to be set! */
// Whether the username in the group is a full DN (AD generally does this), or
// just the username (posix groups generally do this)
// Default: false
$wgLDAPGroupUseFullDN = array( "xx" => false );
// Munge the case of the username to lowercase when doing searches in groups
// Default: false
$wgLDAPLowerCaseUsername = array( "xx" => true );
// Use the exact name retrieved from LDAP after the user has authenticated to search for groups.
// This requires the SetUsernameAttributeFromLDAP hook to be used (see the smartcard section).
// Default: false
$wgLDAPGroupUseRetrievedUsername = array( "xx" => false );
// The objectclass of the groups we want to search for
$wgLDAPGroupObjectclass = array( "xx" => "group" );
// The attribute used for group members
$wgLDAPGroupAttribute = array( "xx" => "member" );
// The naming attribute of the group
$wgLDAPGroupNameAttribute = array( "xx" => "cn" );
// Use the FullDN for the Group Search
$wgLDAPGroupUseFullDN = array("xx"=>true);
#$wgLDAPGroupBaseDNs = array("xx"=>"OU=xx,OU=XX,OU=XX,OU=XX,DC=XX,DC=corp");
// Use the memberOf attribute to find groups.
// If memberOf is used, it will be the only method used for searching for groups.
// Default: false
// Available in 1.2b+
$wgLDAPGroupsUseMemberOf = array( "XX" => false );
//
// Group based login restriction configuration options
//
//
// An array of the groups the user is required to be a member of.
$wgLDAPRequiredGroups = array(
"XX" => array(
"CN=xx_Users,OU=Servizio WiKi,OU=gruppi,OU=xxx,OU=Aziende,OU=xx,DC=xx,DC=xx",
)
);
// An array of the groups the user cannot be a member of.
// Available in 1.2b+
/*
$wgLDAPExcludedGroups = array(
"xx" => array(
'cn=evilgroup,dc=xx,dc=xx,dc=it',
'cn=evilgroup2,dc=xx,dc=xx,dc=it',
)
);
*/
now I created json file :ldapprovider.json:
{
"LDAP": {
"connection": {
"server": "xx.corp",
"user": "CN=xx,OU=xx,OU=xx,OU=xx,OU=xx,DC=xx,DC=corp",
"pass": "xxx",
"options": {
"LDAP_OPT_DEREF": 1
},
"basedn": "DC=xx,DC=corp",
"groupbasedn": "DC=xx,DC=corp",
"userbasedn": "DC=xx,DC=corp",
"searchattribute": "sAMAccountName",
"searchstring": "CN=xx_Users,OU=xx,OU=xx,OU=xx,OU=xx,OU=xx,DC=xx,DC=corp",
"usernameattribute": "uid",
"realnameattribute": "cn",
"emailattribute": "mail",
"presearchusernamemodifiers ": "lowercase"
}
}
}
and in LocalSettings.php
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'Auth_remoteuser' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPGroups' );
$LDAPProviderDomainConfigs = "$IP/iside/ldapprovider.json";
$LDAPProviderCacheType = CACHE_NONE;
I cannot authenticate with errors: Could not authenticate credentials against domain "LDAP"
I tried :
php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain LDAP --username xxx
it works !!
I activate debugging:
# cat LDAP.log
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: In execute()
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: Getting PluggableAuth singleton
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: Class name: MediaWiki\Extension\LDAPAuthentication2\PluggableAuth
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: ldap_connect( $hostname = 'ldap://xxx.corp:389', $port = 389 );
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: # __METHOD__ returns Resource id #248
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: Setting LDAP_OPT_PROTOCOL_VERSION to 3
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: ldap_set_option( $linkID, $option = 17, $newval = 3 );
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: # returns 1
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: Setting LDAP_OPT_REFERRALS to 0
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: ldap_set_option( $linkID, $option = 8, $newval = 0 );
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: # returns 1
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: Setting LDAP_OPT_DEREF to 1
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: ldap_set_option( $linkID, $option = 2, $newval = 1 );
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: # returns 1
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: ldap_bind( $linkID, $bindRDN = 'CN=xxx,OU=xx,OU=xxI,OU=xx,OU=xx,DC=xx,DC=corp', $bindPassword = 'XXXX' );
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: # returns 1
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'CN=xx,OU=xxx,OU=xx,OU=xx,OU=xx,OU=xx,DC=xx,DC=corp'
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: ldap_bind( $linkID, $bindRDN = 'CN=xx,OU=xx,OU=xx,OU=xx,OU=xx,OU=xx,DC=xx,DC=corp', $bindPassword = 'XXXX' );
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: # returns
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: Authentication failure.
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: ERROR: Could not authenticate credentials against domain "LDAP"
any ideas ??? Thankyou
Has a username transformation been applied maybe? Check the DN in the second `ldap_bind` call and see if the username is the same as you have entered in the CLI.
Hi,
I am new to mediawiki, and I am trying to use account from a LDAP server to enter my wiki. However, whenever I try a connection the site give me this :
There seems to be a problem with your login session; this action has been canceled as a precaution against session hijacking. Please resubmit the form.
This is the added settings on my LocalSettings.php, I have censore the sensible information with * :
$wgDebugDumpSql = true;
$wgShowExceptionDetails = true;
$wgShowSQLErrors = true;
$wgShowDBErrorBacktrace = true;
$wgDebugLogGroups['PluggableAuth'] =
$wgDebugLogGroups['LDAP'] =
$wgDebugLogGroups['mediawiki\\Extension\\LDAPProvider\\Client'] =
$wgDebugLogGroups['LDAPGroups'] =
$wgDebugLogGroups['LDAPUserInfo'] =
$wgDebugLogGroups['LDAPAuthentication2'] =
$wgDebugLogGroups['LDAPAuthorization'] = '/tmp/LDAP.log';
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['Reader']['createaccount'] = false;
$wgGroupPermissions['Reader']['read'] = true;
$wgGroupPermissions['Reader']['edit'] = false;
$wgGroupPermissions['Writer']['createaccount'] = false;
$wgGroupPermissions['Writer']['read'] = true;
$wgGroupPermissions['Writer']['edit'] = true;
wfLoadExtensions( [
'PluggableAuth',
'Auth_remoteuser',
'LDAPProvider',
'LDAPAuthentication2',
'LDAPAuthorization',
'LDAPUserInfo'
] );
#$wgSessionCacheType = 'session-cache';
#$wgObjectCaches['session-cache'] = [ 'factory' => 'ObjectCache::newAnything', 'keyspace' => 'shared-session' ];
$LDAPAuthorizationAutoAuthRemoteUserStringParser = 'domain-backslash-username';
$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$LDAPAuthentication2AllowLocalLogin = true;
$wgAuthRemoteuserAllowUserSwitch = true;
#$wgPluggableAuth_EnableLocalLogin = true;
#$LDAPProviderDomainConfigs = "$IP/extensions/LDAPProvider/docs/ldapprovider.json";
$wgAuthRemoteuserUserName = function() {
$user = '';
if( isset( $_SERVER[ 'REMOTE_USER' ] ) ) {
$user = strtolower( $_SERVER[ 'REMOTE_USER' ] );
}
return $user;
};
$LDAPProviderDomainConfigProvider = function() {
$config = [
'nrcanLDAP' => [
'connection' => [
"server" => "*****************",
"options" => [
"LDAP_OPT_DEREF" => 1
],
"basedn" => "dc=**,dc=**,dc=**,dc=**",
"groupbasedn" => "dc=**,dc=**,dc=**,dc=**",
"userbasedn" => "dc=**,dc=**,dc=**,dc=**",
"searchattribute" => "***",
#"usernameattribute" => "uid",
#"realnameattribute" => "fullname",
#"emailattribute" => "mail",
"grouprequest" => "mediawiki\\Extension\\LDAPProvider\\src\\UserGroupsRequest\\GroupMember::factory"
],
'authorization' => [
'rules' => [
'groups' => [
'required' => [
'dc=**,dc=**,dc=**,dc=**'
]
]
]
],
'userinfo' => [
'attributes-map' => [
'email' => 'mail',
'realname' => 'fullname'
]
]
]
];
return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
Can you please give additional information about your environment? E.g. software versions. Have you tried debugging? Can you please share the results?
I have tried to debug, but I didn't found the log file.
There is the details of the environment :
Product
Version
MediaWiki 1.34.2
PHP 7.2.24-0ubuntu0.18.04.6 (apache2handler)
MariaDB 10.1.44-MariaDB-0ubuntu0.18.04.1
ICU 60.2
Extension
Version
License
Description
Authors
Auth_remoteuser 2.1.1 (4079f81) 18:07, 11 November 2019 GPL-2.0-or-later Automatically logs-in users using the REMOTE_USER environment variable Otheus Shelling, Rusty Burchfield, James Kinsman, Daniel Thomas, Ian Ward Comfort, Mark A. Hershberger and Stefan Engelhardt
LDAPAuthentication2 1.0.1 (370d143) 23:28, 3 September 2020 GPL-2.0 Allows authentication against a LDAP resource Cindy Cicalese, Mark A. Hershberger and Robert Vogel
LDAPAuthorization 1.1.0 (fc0c8cb) 03:15, 14 September 2020 GPL-2.0 Restrict login based on specified LDAP values Cindy Cicalese, Mark A. Hershberger and Robert Vogel
LDAPProvider 1.0.5 (dbcb18e) 23:38, 3 September 2020 GPL-2.0+ Provides a common infratructure to connect to a LDAP resource and run queries against it Cindy Cicalese, Mark A. Hershberger and Robert Vogel
LDAPUserInfo 1.0.0 (39cca83) 23:58, 9 July 2020 GPL-2.0 Allows to synchronize user information and preferences with a LDAP resource Cindy Cicalese, Mark A. Hershberger and Robert Vogel
Lockdown – (95cdc71) 07:27, 14 March 2020 GPL-2.0-or-later Per namespace group permissions Daniel Kinzler, Platonides, Mark A. Hershberger and others
PluggableAuth 5.7 (17fb1ea) 04:20, 13 September 2019 MIT Provides framework for pluggable authentication and authorization Cindy Cicalese
Try to save the debug log into "$IP/cache/LDAP.log" instead of '"/tmp/LDAP.log'.
I did, however the file remain empty no matter what I do, but the error still remains.
The message "There seems to be a problem with your login session; this action has been canceled as a precaution against session hijacking. Please resubmit the form." seems very unrelated to LDAP. can you confirm it does not happen when LDAP extensions are disabled? For me this looks like you session storage mechanism has an issue in general, or your browser does not have cookies enabled.
I think I found a lead. It seems to be a problem of authentication with the hosting server of LDAP. I will keep you inform if I found any answer.
Good luck and thanks for sharing!
I'm trying to migrate from the old LdapAuthentication to the new LDAP Hub extensions. Now I can login to the LDAP and restrict groups but I can't get LDAPGroups to sync with local groups, and no local login works.
The explained LDAPGroups problem here: Topic:Vu74250r33xa1507
For the local login I created a user like this:
php ./wikiutic/maintenance/createAndPromote.php --force --bureaucrat admin password
My LocalSettings.php :
# Autenticació LDAP
wfLoadExtensions( [
'PluggableAuth', // Autenticació base
'LDAPProvider', // Autenticació base
'LDAPAuthentication2', // Autenticació base
'LDAPAuthorization', // Per restringir accés per grups
'LDAPGroups' // Per sincronitzar grups ldap amb locals
] );
// $wgPluggableAuth_EnableAutoLogin = true; /* Si activem desactiva la opció de fer logout */
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_ButtonLabel = "Inicia sessió";
$LDAPAuthentication2UsernameNormalizer = 'strtoupper'; // strtolower no funciona
$LDAPAuthentication2AllowLocalLogin = true;
$wgLDAPUseLocal = false; // Permetre autentificació local wiki. Mirar que no estigui sobreescrit a LdapAuthentication.php
$LDAPProviderDomainConfigProvider = function() {
$config = [
'LDAP' => [
'connection' => [
"server" => "golum.trueta.intranet",
"enctype" => 'clear',
"basedn" => "dc=htrueta,dc=intranet",
"userbasedn" => "dc=htrueta,dc=intranet", // u=Users,dc=htrueta,dc=intranet
"searchstring" => "uid=USER-NAME,ou=Users,dc=htrueta,dc=intranet",
"searchattribute" => "uid",
"usernameattribute" => "uid",
"realnameattribute" => "cn",
"emailattribute" => "mail",
"groupbasedn" => "dc=htrueta,dc=intranet", // ou=Groups,dc=htrueta,dc=intranet
"groupattribute" => "memberuid",
"groupobjectclass" => "posixgroup",
"grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\Configurable::factory"
],
'authorization' => [
'rules' => [
'groups' => [
'required' => [ "cn=Domain Admins,ou=Groups,dc=htrueta,dc=intranet",
"cn=s103,ou=Groups,dc=htrueta,dc=intranet",
"cn=wikiUtic,ou=Groups,dc=htrueta,dc=intranet",
"cn=wikiUticLectura,ou=Groups,dc=htrueta,dc=intranet",
"cn=lt2b,ou=Groups,dc=htrueta,dc=intranet",
"cn=lt1,ou=Groups,dc=htrueta,dc=intranet",
"cn=lt15,ou=Groups,dc=htrueta,dc=intranet"]
]
]
],
'groupsync' => [
"mechanism" => "allgroups",
"mapping" => [
"s103" => "cn=s103,ou=Groups,dc=htrueta,dc=intranet",
"Domain admins" => "cn=Domain Admins,ou=Groups,dc=htrueta,dc=intranet"
],
"locally-managed" => [ "local", "wiki", "group", "names" ]
]
]
];
return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
I tried with $wgPluggableAuth_EnableLocalLogin to true but two login buttons appears. No one works.
I tried with $wgLDAPUseLocal to true and it don't work.
When I try to login I select "local" in the domain (it appears below my "ldap" domain).
Hi to all MediaWiki community,
I got a task to configure MediaWiki with LDAP authorization true Windows Server 2019 Active Directory. Please note that it is the first time when I do something that looks like. Before it, I never did any integration with LDAP. I just reed about extensions on the MediaWiki site, read other topics and tried to do my best. I read other topics where was the same issue, but it didn't help me with resolve mine.
I got an issue and I want to ask your help with solving it.
My lab bellow:
CentOS 8.2.2
PostgreSQL 12.3
NGINX 1.14.1
PHP 7.4.8
Windows Server 2019
Active Directory installed
Firewall disabled
Please note that telnet successful from CentOS to WS19 on 389 port
#Connected to 192.168.0.100
#Escape character is '^]' .
As I understood it is mean that telnet to 389 port successful.
When I am trying to login with my domain user I got an error below:
[b932cd5d151b528a1846bc00] /index.php?title=Special:PluggableAuthLogin MWException from line 169 of /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php: Could not bind to LDAP: (-1) Can't contact LDAP server
#0 /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php(92): MediaWiki\Extension\LDAPProvider\Client->establishBinding()
#1 /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php(329): MediaWiki\Extension\LDAPProvider\Client->init()
#2 /var/www/html/mediawiki/extensions/LDAPAuthentication2/src/PluggableAuth.php(77): MediaWiki\Extension\LDAPProvider\Client->canBindAs()
#3 /var/www/html/mediawiki/extensions/PluggableAuth/includes/PluggableAuthLogin.php(30): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->authenticate()
#4 /var/www/html/mediawiki/includes/specialpage/SpecialPage.php(575): PluggableAuthLogin->execute()
#5 /var/www/html/mediawiki/includes/specialpage/SpecialPageFactory.php(611): SpecialPage->run()
#6 /var/www/html/mediawiki/includes/MediaWiki.php(296): MediaWiki\Special\SpecialPageFactory->executePath()
#7 /var/www/html/mediawiki/includes/MediaWiki.php(900): MediaWiki->performRequest()
#8 /var/www/html/mediawiki/includes/MediaWiki.php(527): MediaWiki->main()
#9 /var/www/html/mediawiki/index.php(44): MediaWiki->run()
#10 {main}
Here is my Localsettings.php config below:
wfLoadExtension( 'LDAPProvider' );
$LDAPProviderDomainConfigs = "/etc/mediawiki/ldapprovider.json";
wfLoadExtension( 'PluggableAuth' );
$wgPluggableAuth_EnableLocalLogin = true;
$wgGroupPermissions['user']['autocreateaccount'] = true;
$wgGroupPermissions['user']['createaccount'] = true;
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPAuthentication2' );
$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$LDAPAuthentication2AllowLocalLogin = true;
Here is my ldapprovider.json config bellow:
{
"lenovo.local": {
"connection": {
"server": "ldap.lenovo.local",
"user": "cn=admin.mediawiki,dc=lenovo,dc=local",
"pass": "P@ssw0rd",
"options": {
"LDAP_OPT_DEREF": 1
},
"port": 389,
"enctype": "clear",
"basedn": "dc=lenovo,dc=local",
"userbasedn": "ou=Users,dc=lenovo,dc=local",
"searchattribute": "uid",
"usernameattribute": "uid",
"realnameattribute": "cn",
"emailattribute": "mail",
"searchstring": "uid=USER-NAME,ou=Users,dc=lenovo,dc=local",
"groupbasedn": "ou=Users,dc=lenovo,dc=local",
"groupobjectclass": "posixgroup",
"groupattribute": "memberuid",
"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\Configurable::factory"
}
}
}
As I understood on the ldapprovider.json the "username" and "pass" using to get into Active Directory with these credentials and retrieve information about users in the Active Directory catalog.I created the user "admin.mediawiki" and added him to the admin groups for some reason.
The "ou" is an Organization Unit where located users, groups, or another OU and etc., for a test I indicate a default OU=Users, which created after installing AD and contain a test user.
Could you please help me with this issue or maybe provide working examples of Localsettings.php and ldapprovider.json or there is maybe another FAQ on MediaWiki which I should read.
I can describe everything in more detail in personal correspondence, if you suddenly need any detailed information.
Thank you in advance.
For Russian speakers:
Могу более подробно все описать в личной переписке , если вдруг понадобится какая либо подробная информация.
Заранее спасибо.
In general this looks good. Please enable debugging and try to use the commandline scripts like extensions/LDAPProvider/maintenance/ShowUserInfo.php or extensions/LDAPProvider/maintenance/CheckLogin.php first.
"Can't contact LDAP server" indicates that you might have a wrong username or password set or, that you LDAP/AD might not allow insecure connection (without TLS). Actually the "enctype": "clear" could be the best guess. I believe MS AD does not allow this anymore.
Dear Osnard,
Thanks for your respond.
Here is a result of ShowUserInfo.php
MWException from line 169 of /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php: Could not bind to LDAP: (-1) Can't contact LDAP server
#0 /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php(92): MediaWiki\Extension\LDAPProvider\Client->establishBinding()
#1 /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php(230): MediaWiki\Extension\LDAPProvider\Client->init()
#2 /var/www/html/mediawiki/extensions/LDAPProvider/maintenance/ShowUserInfo.php(48): MediaWiki\Extension\LDAPProvider\Client->getUserInfo()
#3 /var/www/html/mediawiki/maintenance/doMaintenance.php(99): MediaWiki\Extension\LDAPProvider\Maintenance\ShowUserInfo->execute()
#4 /var/www/html/mediawiki/extensions/LDAPProvider/maintenance/ShowUserInfo.php(71): require_once('/var/www/html/m...')
#5 {main}
and CheckLogin.php
root@localhost maintenance]# php CheckLogin..php --domain lenovo.local --username mikhail
Could not open input file: CheckLogin..php
[root@localhost maintenance]# php CheckLogin.php --domain lenovo.local --username mikhail
Password:P@ssw0rd
MWException from line 169 of /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php: Could not bind to LDAP: (-1) Can't contact LDAP server
#0 /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php(92): MediaWiki\Extension\LDAPProvider\Client->establishBinding()
#1 /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php(329): MediaWiki\Extension\LDAPProvider\Client->init()
#2 /var/www/html/mediawiki/extensions/LDAPProvider/maintenance/CheckLogin.php(50): MediaWiki\Extension\LDAPProvider\Client->canBindAs()
#3 /var/www/html/mediawiki/maintenance/doMaintenance.php(99): MediaWiki\Extension\LDAPProvider\Maintenance\CheckLogin->execute()
#4 /var/www/html/mediawiki/extensions/LDAPProvider/maintenance/CheckLogin.php(76): require_once('/var/www/html/m...')
#5 {main}
Dear Osnard,
This is a debbug log i think:
2020-07-21 23:12:29 localhost.localdomain wikidb: ldap_connect( $hostname = 'ldap://lenovo.local:389', $port = 389 );
2020-07-21 23:12:29 localhost.localdomain wikidb: # __METHOD__ returns Resource id #213
2020-07-21 23:12:29 localhost.localdomain wikidb: Setting LDAP_OPT_PROTOCOL_VERSION to 3
2020-07-21 23:12:29 localhost.localdomain wikidb: ldap_set_option( $linkID, $option = 17, $newval = 3 );
2020-07-21 23:12:29 localhost.localdomain wikidb: # returns 1
2020-07-21 23:12:29 localhost.localdomain wikidb: Setting LDAP_OPT_REFERRALS to 0
2020-07-21 23:12:29 localhost.localdomain wikidb: ldap_set_option( $linkID, $option = 8, $newval = 0 );
2020-07-21 23:12:29 localhost.localdomain wikidb: # returns 1
2020-07-21 23:12:29 localhost.localdomain wikidb: Setting LDAP_OPT_DEREF to 1
2020-07-21 23:12:29 localhost.localdomain wikidb: ldap_set_option( $linkID, $option = 2, $newval = 1 );
2020-07-21 23:12:29 localhost.localdomain wikidb: # returns 1
2020-07-21 23:12:29 localhost.localdomain wikidb: ldap_bind( $linkID, $bindRDN = 'cn=admin.mediawiki,ou=Users,dc=lenovo,dc=local', $bindPassword = 'XXXX' );
2020-07-21 23:12:29 localhost.localdomain wikidb: # returns
2020-07-21 23:12:29 localhost.localdomain wikidb: ldap_error( $linkID );
2020-07-21 23:12:29 localhost.localdomain wikidb: # returns Can't contact LDAP server
2020-07-21 23:12:29 localhost.localdomain wikidb: ldap_errno( $linkID );
2020-07-21 23:12:29 localhost.localdomain wikidb: # returns -1
Okay, so it clearly fails with the connection. Try using "enctype": "ssl". You can also write up a little test script to check which connection parameters are required in your setup. As it is AD "clear" will not work.
Dear Osnard,
But why with first version of LDAPAuthentication it works?I had different config which work, but only with MediaWiki 1.30
It was on my old Localsettings.php file. And it work correctly. I could login with AD user.
What the difference ?
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgGroupPermissions['*']['createaccount'] = false;
if ( !isset( $_SERVER['REMOTE_ADDR'] ) OR $_SERVER['REMOTE_ADDR'] == '192.168.7.30') {
$wgGroupPermissions['*']['read'] = true;
$wgGroupPermissions['*']['edit'] = true;
}
| 1
2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 |
# LDAP ---------------------------------------------------------------------------------------
require_once('extensions/LdapAuthentication/LdapAuthentication.php'); require_once ('includes/AuthPlugin.php'); $wgAuth = new LdapAuthenticationPlugin();
$wgLDAPServerNames = array('JAKONDA.LOCAL' => 'dc1.jakonda.local'); $wgLDAPPort = array('JAKONDA.LOCAL' => 389); $wgLDAPEncryptionType = array('JAKONDA.LOCAL' => 'false');
$wgLDAPProxyAgent = array('JAKONDA.LOCAL' => 'admin.mediawiki'); $wgLDAPProxyAgentPassword = array('JAKONDA.LOCAL' => 'Aa1234567'); $wgLDAPSearchAttributes = array('JAKONDA.LOCAL' => 'sAMAccountName'); $wgLDAPBaseDNs = array('JAKONDA.LOCAL' => 'dc=jakonda,dc=local'); $wgLDAPGroupBaseDNs = array('JAKONDA.LOCAL' => 'dc=jakonda,dc=local'); $wgLDAPUserBaseDNs = array('JAKONDA.LOCAL' => 'dc=jakonda,dc=local');
$wgLDAPPreferences = array('JAKONDA.LOCAL' => array('email' => 'mail','realname' => 'displayname'));
$wgLDAPLowerCaseUsername = array('JAKONDA.LOCAL' => true); $wgLDAPGroupObjectclass = array('JAKONDA.LOCAL' => 'group'); $wgLDAPGroupAttribute = array('JAKONDA.LOCAL' => 'member'); $wgLDAPGroupNameAttribute = array('JAKONDA.LOCAL' => 'cn'); $wgLDAPGroupsUseMemberOf = array('JAKONDA.LOCAL' => true);
$wgLDAPRequiredGroups = array('JAKONDA.LOCAL' => array('cn=evilgroup,ou=groups,dc=AD,dc=jakonda,dc=local'));
#$wgLDAPExcludedGroups = array('JAKONDA.LOCAL' => array('cn=evilgroup,ou=groups,dc=AD,dc=jakonda,dc=local')); $wgLDAPGroupSearchNestedGroups = array('JAKONDA.LOCAL' => true); $wgLDAPActiveDirectory = array('JAKONDA.LOCAL' => true);
$wgDebugLogGroups["ldap"] = "/tmp/ldap.log"; #----------------------------------------------------------------------------------------------------- |
Have you changed the new JSON config from above, before you posted it? E.G. replaced "dc1.jakonda.local" with "ldap.lenovo.local". Because if not, I need to assume, your new config and the old working config are very different as they have different servers configured.
Could you please create a nee PHP file with the contents from "Example 1" on https://www.php.net/manual/en/function.ldap-bind.php and fill in your credentials. Then run it and share the results.
Dear Osnard,
Yes, they are different. I just shared it, which was working in the past. Let's imagine that domain name the same. Please note that it totally different configs. And I had two separate domain controllers. Just share it to show you that it was work without any encryption.
So two separate domain controllers. And the old config (the one without encryption) worked with both?
Old config worked with WS2012R2 without encryption. New config didn`t work with WS19 and WS2012R2 also without encrypt.
@Osnard could you please share links on how to config Localsettings.php or ldapprovider.json from the beginning.
I think that I do some stupid mistakes and walking around it.
Many thanks,
Every available documention is here on mw.org. E.g.
- LDAP_hub/Migration_from_extension_LDAPAuthentication
- Manual:Active_Directory_Integration
- and the extension description pages
Also look through the respective talk pages. We have hat plenty of such cases and almost always found a solution. My apologies for not being more helpful.
Hi Osnard,
I started with new config . And encountered with the issue below :
[root@localhost ~]# php /var/www/html/mediawiki/maintenance/update.php
[6932f3de4fc05b2ba466fa5f] [no req] MWException from line 42 of /var/www/html/mediawiki/extensions/LDAPProvider/src/DomainConfigProvider/LocalJSONFile.php:
Could not access configuration file '/etc/mediawiki/ldapprovider.json'!
Please set up a domain configuration file for the LDAPProvider extension.
Backtrace:
#0 /var/www/html/mediawiki/extensions/LDAPProvider/src/DomainConfigProvider/LocalJSONFile.php(73): MediaWiki\Extension\LDAPProvider\DomainConfigProvider\LocalJSONFile->__construct()
#1 [internal function]: MediaWiki\Extension\LDAPProvider\DomainConfigProvider\LocalJSONFile::newInstance()
#2 /var/www/html/mediawiki/extensions/LDAPProvider/src/DomainConfigFactory.php(106): call_user_func_array()
#3 /var/www/html/mediawiki/extensions/LDAPAuthentication2/src/Setup.php(12): MediaWiki\Extension\LDAPProvider\DomainConfigFactory::getInstance()
#4 /var/www/html/mediawiki/includes/Setup.php(906): MediaWiki\Extension\LDAPAuthentication2\Setup::init()
#5 /var/www/html/mediawiki/maintenance/doMaintenance.php(83): require_once(string)
#6 /var/www/html/mediawiki/maintenance/update.php(277): require_once(string)
#7 {main}
Last time when it happened I just create a folder mediawiki int /etc and add ldapprovider.json file in with config bellow:
{
"acme.com": {
"connection": {
"server": "ldap.acme.com",
"port": "389",
"user": "CN=mikhail,OU=Users,DC=acme,DC=com",
"pass": "P@ssw0rd",
"enctype": "clear",
"options": {
"LDAP_OPT_DEREF": 1
},
"basedn": "dc=acme,dc=com",
"userbasedn": "dc=acme,dc=com",
"groupbasedn": "dc=acme,dc=com",
"searchattribute": "samaccountname",
"usernameattribute": "samaccountname",
"realnameattribute": "cn",
"emailattribute": "mail",
"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
"presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]
},
"userinfo": [],
"authorization": [],
"groupsync": {
"mapping": {
"engineering": "CN=EngineeringCoreTeam,OU=Groups,DC=acme,DC=com",
"bureaucrat": "CN=Mediawiki Admins,OU=Groups,DC=acme,DC=com",
"interface-admin": "CN=Mediawiki Admins,OU=Groups,DC=acme,DC=com",
"sysop": "CN=Mediawiki Admins,OU=Groups,DC=acme,DC=com"
}
}
}
}
It is the OK ? Because in
- Manual:Active_Directory_Integration indicated that I should to use LDAP settings from a single location - ldap.json
Create an LDAP configuration file. For simplicity, we place this new file at /var/www/ldap.json then protect it for reading by the web-server.
Dear Osnard,
As I said early it was very stupid mistake. The problem was in the IP of the AD\DNS server. It was indicated by mistake and after I change it ... it works! After more than one month)))) Thank you very much for your support in my case.
P.S. And yes, it works without encryption. But I will enable it in my final config)
Glad to hear this!
Hey guys, i've just migrated but there is a trouble now.
I recieve a "Could not authenticate credentials against domain "domain"" error.
My config is here:
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$LDAPAuthentication2AllowLocalLogin = true;
$LDAPProviderDomainConfigProvider = function() {
$config = [
'domain => [
'connection' => [
"server" => "domain.com",
"user" => "domaincom\\user",
"pass" => 'Password02', //no binding error
"options" => [
"LDAP_OPT_DEREF" => 1
],
"basedn" => "DC=domain,DC=com",
"groupbasedn" => "DC=domain,DC=com",
"userbasedn" => "DC=domain,DC=com",
"searchattribute" => "sAMAccountName",
"searchstring" => "sAMAccountName=USER-NAME,DC=domain,DC=com",
//if i change to domaincom\\USER-NAME i'll recieve (PluggableAuthPrimaryAuthenticationProvider returned an invalid username:) error
"usernameattribute" => "sAMAccountName",
"realnameattribute" => "cn",
"emailattribute" => "mail"
]
]
];
return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
$LDAPAuthentication2AllowLocalLogin=true;
$wgShowExceptionDetails = true;
Pls, help me to catch the tail of this problem.
Thanks in advance.
Update: php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain domain --username SomeUser works properly
Have you also tried extensions/LDAPProvider/maintenance/CheckLogin.php --domain domain --username SomeUser?
Yes.
If i change "searchstring" => "sAMAccountName=USER-NAME,DC=domain,DC=com to domaincom\\USER-NAME
php extensions/LDAPProvider/maintenance/CheckLogin.php --domain domaincom --username user
Auth is OK
But then i try auth in usual way, i receive another error:
[568043a6f699c2aa8ba284f2] /mediawiki/index.php?title=%D0%A1%D0%BB%D1%83%D0%B6%D0%B5%D0%B1%D0%BD%D0%B0%D1%8F:%D0%92%D1%85%D0%BE%D0%B4&returnto=%D0%97%D0%B0%D0%B3%D0%BB%D0%B0%D0%B2%D0%BD%D0%B0%D1%8F+%D1%81%D1%82%D1%80%D0%B0%D0%BD%D0%B8%D1%86%D0%B0 DomainException from line 612 of /var/lib/mediawiki/includes/auth/AuthManager.php: PluggableAuthPrimaryAuthenticationProvider returned an invalid username:
Backtrace:
#0 /var/lib/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(355): MediaWiki\Auth\AuthManager->continueAuthentication(array)
#1 /var/lib/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(482): AuthManagerSpecialPage->performAuthenticationStep(string, array)
#2 /var/lib/mediawiki/includes/htmlform/HTMLForm.php(660): AuthManagerSpecialPage->handleFormSubmit(array, VFormHTMLForm)
#3 /var/lib/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(416): HTMLForm->trySubmit()
#4 /var/lib/mediawiki/includes/specialpage/LoginSignupSpecialPage.php(316): AuthManagerSpecialPage->trySubmit()
#5 /var/lib/mediawiki/includes/specialpage/SpecialPage.php(565): LoginSignupSpecialPage->execute(NULL)
#6 /var/lib/mediawiki/includes/specialpage/SpecialPageFactory.php(568): SpecialPage->run(NULL)
#7 /var/lib/mediawiki/includes/MediaWiki.php(288): SpecialPageFactory::executePath(Title, RequestContext)
#8 /var/lib/mediawiki/includes/MediaWiki.php(861): MediaWiki->performRequest()
#9 /var/lib/mediawiki/includes/MediaWiki.php(524): MediaWiki->main()
#10 /var/lib/mediawiki/index.php(42): MediaWiki->run()
#11 {main}
It looks like the "usernameattribute" is not "sAMAccountName". Be careful, the configured attribute name is case sensitive. Can you try to set "samaccountname".
You can use php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain YourDomain --username SomeUser to see exactly what the application sees.
Thanks! That is a solution.
Thanks a lot for all the talk here, just solved my problem following this thread. It seems the "sAMAccountName" and " domaincom\\USER-NAME" should be the default or example configuration for these plugins, it should probably be on their pages.
There is already a task filed to make attribute names case insensitive: https://phabricator.wikimedia.org/T226693
I am trying example 1
This function os returning nothing :
$wgAuthRemoteuserUserName = function() {
$user = '';
if( isset( $_SERVER[ 'REMOTE_USER' ] ) ) {
$user = strtolower( $_SERVER[ 'REMOTE_USER' ] );
}
return $user;
};
Suggestions ?
So is $_SERVER[ 'REMOTE_USER' ] even set? If not, you might need to configure your webserver e.g. to use the Kerberos protocol (Apache: "mod_auth_kerb") for authentication.
I'm migrating from the old LdapAuthentication to the new stack and it didn't work. I need a replacement for $wgLDAPGroupUseFullDN = array( "LDAP"=>false)
I need to search members in groups like this: (&(objectclass={GROUPOBJECTCLASS})({GROUPATTRIBUTE}=$username))
Instead of this this plugin is doing this search: (&(objectclass={GROUPOBJECTCLASS})({GROUPATTRIBUTE}=$userDN))
I modified Configurable.php to archive this but it'd nice to have a ldap provider parameter to configure that.
Thx
Hi! Please finy my response at https://www.mediawiki.org/w/index.php?title=Topic:Vh0ssod5bin73ptd&topic_showPostId=vh2kzibyyrpavusg#flow-post-vh2kzibyyrpavusg
Hi all,
I migrated recently from mediawiki 1.32 to 1.34 and so I was forced to change from LDAPAuthentication to LDAPHub, my version and configuration are :
| MediaWiki | 1.34.0 |
| PHP | 7.3.11-1~deb10u1 (fpm-fcgi) |
| MariaDB | 10.3.21-MariaDB-1:10.3.21+maria~buster-log |
| ICU | 63.1 |
Plugins :
PluggableAuth : 5.7
LDAPAuthentication2 : 1.0.1
LDAPProvider : 1.0.1
LDAPAuthorization : 1.0.0
#### new ldap conf
wfLoadExtension( 'LDAPProvider' );
$LDAPProviderDomainConfigs = "extensions/LDAPProvider/ldapprovider.json";
wfLoadExtension( 'PluggableAuth' );
$wgPluggableAuth_EnableLocalLogin = true;
$wgGroupPermissions['user']['autocreateaccount'] = true;
$wgGroupPermissions['user']['createaccount'] = true;
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPAuthentication2' );
$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$LDAPAuthentication2AllowLocalLogin = true;
the json is :
{
"localdomain.tld": {
"connection": {
"server": "ldap.localdomain.tld",
"options": {
"LDAP_OPT_DEREF": 1
},
"port": 389,
"enctype": "tls",
"basedn": "dc=localdomain,dc=tld",
"userbasedn": "ou=people,dc=localdomain,dc=tld",
"searchattribute": "uid",
"usernameattribute": "uid",
"realnameattribute": "cn",
"emailattribute": "mail",
"searchstring": "ou=people,uid=USER-NAME,dc=localdomain,dc=tld",
"groupbasedn": "ou=group,dc=localdomain,dc=tld",
"groupobjectclass": "posixgroup",
"groupattribute": "memberuid",
"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\Configurable::factory"
},
"authorization": {
"rules": {
"groups": {
"required": [
"cn=tsism,ou=group,dc=localdomain,dc=tld"
]
}
}
}
}
}
when I try to login using the web form I get :
"Could not authenticate credentials against domain "localdomain.tld"
If I use ShowUserInfo.php utility I get correct information, but CheckLogin.php fails,
do you have a suggestion on how to cehck/debug this issue ?
I guess it's something wrong my configuration, but I dont' understand how to start the
troubleshoot.
thank you
M.
Is there any information in the debugging logs? You can enable them as described here.
Does your LDAP allow this particular user to bind? You can test on Linux by using ldapsearch (https://serverfault.com/a/514873).
Thank You Osnard, I realyl don't know how I missed that part, after enablingthe debug on the ldap part we were able to fix the authentication problem, the searchstring order needed t obe fixed from
"searchstring": "ou=people,uid=USER-NAME,dc=localdomain,dc=tld"
to
"searchstring": "uid=USER-NAME,ou=people,dc=localdomain,dc=tld"
basically uid and ou where in wrong position preventing the bind to work.
Now the login with plugagbleauth returns "Fatal exception of type "DomainException""
in the debug I found :
[error] [7ab5c01906e24316bf5102cf] /index.php?title=Special:PluggableAuthLogin ErrorException from line 39 of /mnt/data/mediawiki/mediawiki-1.34.0/extensions/PluggableAuth/includes/PluggableAuthLogin.php: PHP Notice: Array to string conversion
#0 /mnt/data/mediawiki/mediawiki-1.34.0/extensions/PluggableAuth/includes/PluggableAuthLogin.php(39): MWExceptionHandler::handleError(integer, string, string, integer, array)
in the debug for the plugi neveything seems ok :
2020-01-08 10:57:45 wiki mediawiki-wk_: Authenticated new user: Array
2020-01-08 10:57:45 wiki mediawiki-wk_: User is authorized.
I wonder if the presence of a picture in the Ldap can give probelms,
(we have an attribute called jpegphoto and the picture is shown as binary data in
the debug and using ShowUserInfo.php)
M.
It looks like $username provided by LDAPAuthentication2 was an array instead of a string. This is very stange. Can you share the output of ShowUserInfo.php? Please strip any sensitive information any binary data. The field "uid" is of special interest.
I don't think that the binary-data from the jpeg is an issue.
Hi ,
I found the probelm , some users were defined in a strange way , they had two uid attributes.
this was made to create some sort of "alias" mechanism, once I deleted the extra uid attribute
all worked as expected.
Sorry for the chaos
M.
Good to hear! Thanks for the feedback!