Talk:LDAP hub/Migration from extension LDAPAuthentication

Jump to navigation Jump to search

About this board

Migration from LDAP Authentication MAP Accounts

3
93.184.128.35 (talkcontribs)

Hi all,

i'am currently migrating from MediaWiki 1.15 with LDAP Authentication to MediaWiki 1.35 with LDAP Autheentication2.

Until now everything works as expected, SSO is activated in (IIS 2019), users are logging automatically and accounts created automatically.

But some users are still present in DB. Is there any chance to map thoose existing accounts to the users logging in with the same username ? For now evey time a user is logging in, a new account is created.

Usernames are currently differ only in uppercase or lowercase characters.


I did some tests with the following settings without success.....

$LDAPAuthentication2AllowLocalLogin = false;

$wgAuthRemoteuserAllowUserSwitch = true;

$wgPluggableAuth_EnableAutoLogin  = true ;

$wgPluggableAuth_EnableLocalProperties = true;

$LDAPAuthentication2sernameNormalizer = 'strtolower';


All plugin versions are 1.35


loaded plugins:

wfLoadExtensions( [

'Auth_remoteuser',

'PluggableAuth',

'LDAPProvider',

'LDAPAuthentication2',

'LDAPAuthorization',

'LDAPUserInfo',

'LDAPGroups',

'WikiEditor',

'HitCounters',

'TopTenPages'

] );


LDAP Config:

$config = [

"BRK-NT" => [

"connection" => [

"server" => "xxx",

"user" => "CN=xx,OU=xx,OU=xx,OU=ITZ,DC=xx,DC=xx,DC=xx",

"pass" => "xxxxx",

"options" => [

"LDAP_OPT_DEREF" => 1

],

"basedn" => "DC=xx,DC=xx,DC=xx",

"groupbasedn" => "DC=xx,DC=xx,DC=xx",

"userbasedn" => "DC=xx,DC=xx,DC=xx",

"searchattribute" => "samaccountname",

"searchstring" => "xx\\USER-NAME",

"usernameattribute" => "samaccountname",

"realnameattribute"=> "displayname",

"emailattribute"=> "mail",

"grouprequest"=>  "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",

"presearchusernamemodifiers"=> [ "spacestounderscores", "lowercase" ]

],

"userinfo" => [

"attributes-map" => [

"email" => "mail",

"realname" => "displayname",

"nickname" => "samaccountName",

]

],

"groupsync" => [

"mapping" => [

"bureaucrat" => $LDAP_Groups_bureaucrat,

"sysop" => $LDAP_Groups_sysop

]

],

"authorization" => [

"rules" => [

"groups" => $LDAP_Groups_required

]

]

]

];


thx in advance


lufi

Osnard (talkcontribs)

Looks like you have a typo in "$LDAPAuthentication2sernameNormalizer". Try to set

$LDAPAuthentication2UsernameNormalizer = $LDAPAuthorizationAutoAuthUsernameNormalizer = 'strtolower';
89.0.162.157 (talkcontribs)

Thx, looks good. Sry. I think this was a Copy and Paste fail......

Reply to "Migration from LDAP Authentication MAP Accounts"

LDAP errors while moving from mediawiki 1.26 to 1.31

2
Michedaino (talkcontribs)

Hi all,

I am movin my wiki from :

mediawiki 1.26 / CentOS release 6.3 / PHP 5.3.3 / MySQL 5.1.73

to

mediawiki 1.31 / Red Hat Enterprise Linux Server release 7.8 / PHP 7.1.33 / MySQL 5.7.9


I had to change ldap auth mode from LdapAuthentication to PluggableAuth


OLD file config:

<?php


// Disable reading by anonymous users

$wgGroupPermissions['*']['read'] = false;

$wgGroupPermissions['unix']['read'] = true;

// allow these pages for anonymous users

$wgWhitelistRead = array ("Pagina_principale", "Admin_xxx", "Admin_xc",  "Special:Userlogin" );

// Disable anonymous editing

$wgGroupPermissions['*']['edit'] = false;


// Prevent new user registrations except by sysops

$wgGroupPermissions['*']['createaccount'] = false;

/* Extension: LDAP Authentication

        http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Options#Enabling_the_plugin         */

require_once( "{$IP}/xxx/extensions/wikimedia-mediawiki-extensions-LdapAuthentication-07fe5c5/LdapAuthentication.php" );

$wgAuth = new LdapAuthenticationPlugin();

// The names of one or more domains you wish to use

// These names will be used for the other options, it is freely choosable and not dependent

// on your system. These names will show in the Login-Screen, so it is important that the user

// understands the meaning.

//

// REQUIRED

// Default: none

$wgLDAPDomainNames = array( "xxx" );

// The fully qualified name of one or more servers per domain you wish to use. If you are

// going to use SSL or StartTLS, it is important that the server names provided here exactly

// match the name provided by the SSL certificate returned by the server; otherwise, you may

// have problems.

//

// REQUIRED

// Default: none

$wgLDAPServerNames = array( "xx" => "xx.corp" );

// Allow the use of the local database as well as the LDAP database.

// Mostly for transitional purposes. Unless you *really* know what you are doing,

// don't use this option. It will likely cause you annoying problems, and

// it will cause me annoying support headaches.

// Warning: Using this option will allow MediaWiki to leak LDAP passwords into

// its local database. It's highly recommended that this setting not be used for

// anything other than transitional purposes.

//

// Default: false

$wgLDAPUseLocal = true;

// The type of encryption you would like to use when connecting to the LDAP server.

// Available options are 'tls', 'ssl', and 'clear'

//

// Default: tls

$wgLDAPEncryptionType = array( "xx" => "clear" );

// Connect with a non-standard port

// Available in 1.2b+

// Default: 389 for clear/tls, 636 for ssl

#$wgLDAPPort = array( "xx" => 389 );

// User and password used for proxyagent access.

// Please use a user with limited access, NOT your directory manager!

$wgLDAPProxyAgent = array( "xx" => "CN=xx,OU=xx,OU=xxx,OU=xx,OU=xx,DC=xx,DC=xx" );

$wgLDAPProxyAgentPassword = array( "xx" => "xx" );

// Search filter.

// These options are only needed if you want to search for users to bind with them. In otherwords,

// if you cannot do direct binds based upon $wgLDAPSearchStrings, then you'll need these two options.

// If you need a proxyagent to search, remember to set $wgLDAPProxyAgent, and $wgLDAPProxyAgentPassword.

// Anonymous searching is supported. To do an anonymous search, use SearchAttibutes and don't set a Proxy

// agent for the domain required.

#$wgLDAPSearchAttributes = array( "xx" => "cn" );

$wgLDAPSearchAttributes = array( "xx" => "sAMAccountName" );

// Base DNs. Group and User base DNs will be used if available; if they are not defined, the search

// will default to $wgLDAPBaseDNs

$wgLDAPBaseDNs = array( "xx" => "DC=xx,DC=xx" );

/* Group options

     Using LDAP groups in any way requires $wgLDAPBaseDNs to be set!                                             */

// Whether the username in the group is a full DN (AD generally does this), or

// just the username (posix groups generally do this)

// Default: false

$wgLDAPGroupUseFullDN = array( "xx" => false );

// Munge the case of the username to lowercase when doing searches in groups

// Default: false

$wgLDAPLowerCaseUsername = array( "xx" => true );

// Use the exact name retrieved from LDAP after the user has authenticated to search for groups.

// This requires the SetUsernameAttributeFromLDAP hook to be used (see the smartcard section).

// Default: false

$wgLDAPGroupUseRetrievedUsername = array( "xx" => false );

// The objectclass of the groups we want to search for

$wgLDAPGroupObjectclass = array( "xx" => "group" );

// The attribute used for group members

$wgLDAPGroupAttribute = array( "xx" => "member" );

// The naming attribute of the group

$wgLDAPGroupNameAttribute = array( "xx" => "cn" );

// Use the FullDN for the Group Search

$wgLDAPGroupUseFullDN = array("xx"=>true);

#$wgLDAPGroupBaseDNs = array("xx"=>"OU=xx,OU=XX,OU=XX,OU=XX,DC=XX,DC=corp");

// Use the memberOf attribute to find groups.

// If memberOf is used, it will be the only method used for searching for groups.

// Default: false

// Available in 1.2b+

$wgLDAPGroupsUseMemberOf = array( "XX" => false );

//

//  Group based login restriction configuration options

//

//

// An array of the groups the user is required to be a member of.

$wgLDAPRequiredGroups = array(

  "XX" => array(

   "CN=xx_Users,OU=Servizio WiKi,OU=gruppi,OU=xxx,OU=Aziende,OU=xx,DC=xx,DC=xx",

  )

);

// An array of the groups the user cannot be a member of.

// Available in 1.2b+

/*

$wgLDAPExcludedGroups = array(

  "xx" => array(

    'cn=evilgroup,dc=xx,dc=xx,dc=it',

    'cn=evilgroup2,dc=xx,dc=xx,dc=it',

     )

);

*/


now I created json file :ldapprovider.json:


{

   "LDAP": {

       "connection": {

           "server": "xx.corp",

           "user": "CN=xx,OU=xx,OU=xx,OU=xx,OU=xx,DC=xx,DC=corp",

           "pass": "xxx",

           "options": {

               "LDAP_OPT_DEREF": 1

           },

           "basedn": "DC=xx,DC=corp",

           "groupbasedn": "DC=xx,DC=corp",

           "userbasedn": "DC=xx,DC=corp",

           "searchattribute": "sAMAccountName",

           "searchstring": "CN=xx_Users,OU=xx,OU=xx,OU=xx,OU=xx,OU=xx,DC=xx,DC=corp",

           "usernameattribute": "uid",

           "realnameattribute": "cn",

           "emailattribute": "mail",

           "presearchusernamemodifiers ": "lowercase"

       }

   }

}


and in LocalSettings.php


wfLoadExtension( 'PluggableAuth' );

wfLoadExtension( 'Auth_remoteuser' );

wfLoadExtension( 'LDAPProvider' );

wfLoadExtension( 'LDAPAuthentication2' );

wfLoadExtension( 'LDAPAuthorization' );

wfLoadExtension( 'LDAPUserInfo' );

wfLoadExtension( 'LDAPGroups' );

$LDAPProviderDomainConfigs = "$IP/iside/ldapprovider.json";

$LDAPProviderCacheType = CACHE_NONE;


I cannot authenticate with errors: Could not authenticate credentials against domain "LDAP"


I tried :


php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain LDAP --username xxx


it works !!


I activate debugging:


# cat LDAP.log

2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: In execute()

2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: Getting PluggableAuth singleton

2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: Class name: MediaWiki\Extension\LDAPAuthentication2\PluggableAuth

2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: ldap_connect( $hostname = 'ldap://xxx.corp:389', $port = 389 );

2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: # __METHOD__ returns Resource id #248

2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: Setting LDAP_OPT_PROTOCOL_VERSION to 3

2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: ldap_set_option( $linkID, $option = 17, $newval = 3 );

2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: # returns 1

2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: Setting LDAP_OPT_REFERRALS to 0

2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: ldap_set_option( $linkID, $option = 8, $newval = 0 );

2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: # returns 1

2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: Setting LDAP_OPT_DEREF to 1

2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: ldap_set_option( $linkID, $option = 2, $newval = 1 );

2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: # returns 1

2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: ldap_bind( $linkID, $bindRDN = 'CN=xxx,OU=xx,OU=xxI,OU=xx,OU=xx,DC=xx,DC=corp', $bindPassword = 'XXXX' );

2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: # returns 1

2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'CN=xx,OU=xxx,OU=xx,OU=xx,OU=xx,OU=xx,DC=xx,DC=corp'

2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: ldap_bind( $linkID, $bindRDN = 'CN=xx,OU=xx,OU=xx,OU=xx,OU=xx,OU=xx,DC=xx,DC=corp', $bindPassword = 'XXXX' );

2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: # returns

2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: Authentication failure.

2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: ERROR: Could not authenticate credentials against domain "LDAP"


any ideas ??? Thankyou

Osnard (talkcontribs)

Has a username transformation been applied maybe? Check the DN in the second `ldap_bind` call and see if the username is the same as you have entered in the CLI.

Reply to "LDAP errors while moving from mediawiki 1.26 to 1.31"

My connexion to LDAP server doesn't seems to work

8
Amaury Palao (talkcontribs)

Hi,

I am new to mediawiki, and I am trying to use account from a LDAP server to enter my wiki. However, whenever I try a connection the site give me this :

There seems to be a problem with your login session; this action has been canceled as a precaution against session hijacking. Please resubmit the form.


This is the added settings on my LocalSettings.php, I have censore the sensible information with * :


$wgDebugDumpSql = true;

$wgShowExceptionDetails = true;

$wgShowSQLErrors = true;

$wgShowDBErrorBacktrace = true;

$wgDebugLogGroups['PluggableAuth'] =

$wgDebugLogGroups['LDAP'] =

$wgDebugLogGroups['mediawiki\\Extension\\LDAPProvider\\Client'] =

$wgDebugLogGroups['LDAPGroups'] =

$wgDebugLogGroups['LDAPUserInfo'] =

$wgDebugLogGroups['LDAPAuthentication2'] =

$wgDebugLogGroups['LDAPAuthorization'] = '/tmp/LDAP.log';

$wgGroupPermissions['*']['createaccount'] = false;

$wgGroupPermissions['*']['read'] = false;

$wgGroupPermissions['*']['edit'] = false;

$wgGroupPermissions['Reader']['createaccount'] = false;

$wgGroupPermissions['Reader']['read'] = true;

$wgGroupPermissions['Reader']['edit'] = false;

$wgGroupPermissions['Writer']['createaccount'] = false;

$wgGroupPermissions['Writer']['read'] = true;

$wgGroupPermissions['Writer']['edit'] = true;

wfLoadExtensions( [

        'PluggableAuth',

        'Auth_remoteuser',

        'LDAPProvider',

        'LDAPAuthentication2',

        'LDAPAuthorization',

        'LDAPUserInfo'

] );

#$wgSessionCacheType = 'session-cache';

#$wgObjectCaches['session-cache'] = [ 'factory' => 'ObjectCache::newAnything', 'keyspace' => 'shared-session' ];

$LDAPAuthorizationAutoAuthRemoteUserStringParser = 'domain-backslash-username';

$LDAPAuthentication2UsernameNormalizer = 'strtolower';

$LDAPAuthentication2AllowLocalLogin = true;

$wgAuthRemoteuserAllowUserSwitch = true;

#$wgPluggableAuth_EnableLocalLogin = true;

#$LDAPProviderDomainConfigs = "$IP/extensions/LDAPProvider/docs/ldapprovider.json";

$wgAuthRemoteuserUserName = function() {

        $user = '';

        if( isset( $_SERVER[ 'REMOTE_USER' ] ) ) {

                $user = strtolower( $_SERVER[ 'REMOTE_USER' ] );

        }

        return $user;

};

$LDAPProviderDomainConfigProvider = function() {

        $config = [

                'nrcanLDAP' => [

                        'connection' => [

                                "server" => "*****************",

                                "options" => [

                                        "LDAP_OPT_DEREF" => 1

                                ],

                                "basedn" => "dc=**,dc=**,dc=**,dc=**",

                                "groupbasedn" => "dc=**,dc=**,dc=**,dc=**",

                                "userbasedn" => "dc=**,dc=**,dc=**,dc=**",

                                "searchattribute" => "***",

                                #"usernameattribute" => "uid",

                                #"realnameattribute" => "fullname",

                                #"emailattribute" => "mail",

                                "grouprequest" => "mediawiki\\Extension\\LDAPProvider\\src\\UserGroupsRequest\\GroupMember::factory"

                        ],

'authorization' => [

                                'rules' => [

                                        'groups' => [

                                                'required' => [

                                                        'dc=**,dc=**,dc=**,dc=**'

                                                ]

                                        ]

                                ]

                        ],

                        'userinfo' => [

                                'attributes-map' => [

                                        'email' => 'mail',

                                        'realname' => 'fullname'

                                ]

                        ]

                ]

        ];

        return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );

};

Osnard (talkcontribs)

Can you please give additional information about your environment? E.g. software versions. Have you tried debugging? Can you please share the results?

Amaury Palao (talkcontribs)

I have tried to debug, but I didn't found the log file.

There is the details of the environment :


Product

Version

MediaWiki 1.34.2

PHP 7.2.24-0ubuntu0.18.04.6 (apache2handler)

MariaDB 10.1.44-MariaDB-0ubuntu0.18.04.1

ICU 60.2


Extension

Version

License

Description

Authors

Auth_remoteuser 2.1.1 (4079f81) 18:07, 11 November 2019 GPL-2.0-or-later Automatically logs-in users using the REMOTE_USER environment variable Otheus Shelling, Rusty Burchfield, James Kinsman, Daniel Thomas, Ian Ward Comfort, Mark A. Hershberger and Stefan Engelhardt

LDAPAuthentication2 1.0.1 (370d143) 23:28, 3 September 2020 GPL-2.0 Allows authentication against a LDAP resource Cindy Cicalese, Mark A. Hershberger and Robert Vogel

LDAPAuthorization 1.1.0 (fc0c8cb) 03:15, 14 September 2020 GPL-2.0 Restrict login based on specified LDAP values Cindy Cicalese, Mark A. Hershberger and Robert Vogel

LDAPProvider 1.0.5 (dbcb18e) 23:38, 3 September 2020 GPL-2.0+ Provides a common infratructure to connect to a LDAP resource and run queries against it Cindy Cicalese, Mark A. Hershberger and Robert Vogel

LDAPUserInfo 1.0.0 (39cca83) 23:58, 9 July 2020 GPL-2.0 Allows to synchronize user information and preferences with a LDAP resource Cindy Cicalese, Mark A. Hershberger and Robert Vogel

Lockdown – (95cdc71) 07:27, 14 March 2020 GPL-2.0-or-later Per namespace group permissions Daniel Kinzler, Platonides, Mark A. Hershberger and others

PluggableAuth 5.7 (17fb1ea) 04:20, 13 September 2019 MIT Provides framework for pluggable authentication and authorization Cindy Cicalese

Osnard (talkcontribs)

Try to save the debug log into "$IP/cache/LDAP.log" instead of '"/tmp/LDAP.log'.

Amaury Palao (talkcontribs)

I did, however the file remain empty no matter what I do, but the error still remains.

Osnard (talkcontribs)

The message "There seems to be a problem with your login session; this action has been canceled as a precaution against session hijacking. Please resubmit the form." seems very unrelated to LDAP. can you confirm it does not happen when LDAP extensions are disabled? For me this looks like you session storage mechanism has an issue in general, or your browser does not have cookies enabled.

Amaury Palao (talkcontribs)

I think I found a lead. It seems to be a problem of authentication with the hosting server of LDAP. I will keep you inform if I found any answer.

Osnard (talkcontribs)

Good luck and thanks for sharing!

Reply to "My connexion to LDAP server doesn't seems to work"
Dimassc (talkcontribs)

I'm trying to migrate from the old LdapAuthentication to the new LDAP Hub extensions. Now I can login to the LDAP and restrict groups but I can't get LDAPGroups to sync with local groups, and no local login works.

The explained LDAPGroups problem here: Topic:Vu74250r33xa1507

For the local login I created a user like this:

php ./wikiutic/maintenance/createAndPromote.php --force --bureaucrat admin password

My LocalSettings.php :

# Autenticació LDAP

wfLoadExtensions( [

   'PluggableAuth', // Autenticació base

   'LDAPProvider', // Autenticació base

   'LDAPAuthentication2', // Autenticació base

   'LDAPAuthorization', // Per restringir accés per grups

   'LDAPGroups' // Per sincronitzar grups ldap amb locals

] );

// $wgPluggableAuth_EnableAutoLogin = true; /* Si activem desactiva la opció de fer logout */

$wgPluggableAuth_EnableLocalLogin = false;

$wgPluggableAuth_ButtonLabel = "Inicia sessió";

$LDAPAuthentication2UsernameNormalizer = 'strtoupper'; // strtolower no funciona

$LDAPAuthentication2AllowLocalLogin = true;

$wgLDAPUseLocal = false; // Permetre autentificació local wiki. Mirar que no estigui sobreescrit a LdapAuthentication.php

$LDAPProviderDomainConfigProvider = function() {

   $config = [

       'LDAP' => [

           'connection' => [

               "server" => "golum.trueta.intranet",

               "enctype" => 'clear',

               "basedn" => "dc=htrueta,dc=intranet",

               "userbasedn" => "dc=htrueta,dc=intranet", // u=Users,dc=htrueta,dc=intranet

               "searchstring" => "uid=USER-NAME,ou=Users,dc=htrueta,dc=intranet",

               "searchattribute" => "uid",

               "usernameattribute" => "uid",

               "realnameattribute" => "cn",

               "emailattribute" => "mail",

               "groupbasedn" => "dc=htrueta,dc=intranet", // ou=Groups,dc=htrueta,dc=intranet

               "groupattribute" => "memberuid",

               "groupobjectclass" => "posixgroup",

               "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\Configurable::factory"

           ],

           'authorization' => [

               'rules' => [

                   'groups' => [

                       'required' => [ "cn=Domain Admins,ou=Groups,dc=htrueta,dc=intranet",

                                       "cn=s103,ou=Groups,dc=htrueta,dc=intranet",

                                       "cn=wikiUtic,ou=Groups,dc=htrueta,dc=intranet",

                                       "cn=wikiUticLectura,ou=Groups,dc=htrueta,dc=intranet",

                                       "cn=lt2b,ou=Groups,dc=htrueta,dc=intranet",

                                       "cn=lt1,ou=Groups,dc=htrueta,dc=intranet",

                                       "cn=lt15,ou=Groups,dc=htrueta,dc=intranet"]

                   ]

               ]

           ],

           'groupsync' => [

               "mechanism" => "allgroups",

               "mapping" => [

                   "s103" => "cn=s103,ou=Groups,dc=htrueta,dc=intranet",

                   "Domain admins" => "cn=Domain Admins,ou=Groups,dc=htrueta,dc=intranet"

               ],

               "locally-managed" => [ "local", "wiki", "group", "names" ]

           ]

       ]

   ];

   return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );

};

I tried with $wgPluggableAuth_EnableLocalLogin to true but two login buttons appears. No one works.

I tried with $wgLDAPUseLocal to true and it don't work.

When I try to login I select "local" in the domain (it appears below my "ldap" domain).

Osnard (talkcontribs)
Gektor93 (talkcontribs)

Hi to all MediaWiki community,


I got a task to configure MediaWiki with LDAP authorization true Windows Server 2019 Active Directory. Please note that it is the first time when I do something that looks like. Before it, I never did any integration with LDAP. I just reed about extensions on the MediaWiki site, read other topics and tried to do my best. I read other topics where was the same issue, but it didn't help me with resolve mine.


I got an issue and I want to ask your help with solving it.


My lab bellow:

CentOS 8.2.2

PostgreSQL 12.3

NGINX 1.14.1

PHP 7.4.8


Windows Server 2019

Active Directory installed

Firewall disabled


Please note that telnet successful from CentOS to WS19 on 389 port

#Connected to 192.168.0.100

#Escape character is '^]' .

As I understood it is mean that telnet to 389 port successful.


When I am trying to login with my domain user I got an error below:


[b932cd5d151b528a1846bc00] /index.php?title=Special:PluggableAuthLogin MWException from line 169 of /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php: Could not bind to LDAP: (-1) Can't contact LDAP server


#0 /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php(92): MediaWiki\Extension\LDAPProvider\Client->establishBinding()

#1 /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php(329): MediaWiki\Extension\LDAPProvider\Client->init()

#2 /var/www/html/mediawiki/extensions/LDAPAuthentication2/src/PluggableAuth.php(77): MediaWiki\Extension\LDAPProvider\Client->canBindAs()

#3 /var/www/html/mediawiki/extensions/PluggableAuth/includes/PluggableAuthLogin.php(30): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->authenticate()

#4 /var/www/html/mediawiki/includes/specialpage/SpecialPage.php(575): PluggableAuthLogin->execute()

#5 /var/www/html/mediawiki/includes/specialpage/SpecialPageFactory.php(611): SpecialPage->run()

#6 /var/www/html/mediawiki/includes/MediaWiki.php(296): MediaWiki\Special\SpecialPageFactory->executePath()

#7 /var/www/html/mediawiki/includes/MediaWiki.php(900): MediaWiki->performRequest()

#8 /var/www/html/mediawiki/includes/MediaWiki.php(527): MediaWiki->main()

#9 /var/www/html/mediawiki/index.php(44): MediaWiki->run()

#10 {main}


Here is my Localsettings.php config below:


wfLoadExtension( 'LDAPProvider' );

$LDAPProviderDomainConfigs = "/etc/mediawiki/ldapprovider.json";

wfLoadExtension( 'PluggableAuth' );

$wgPluggableAuth_EnableLocalLogin = true;

$wgGroupPermissions['user']['autocreateaccount'] = true;

$wgGroupPermissions['user']['createaccount'] = true;

wfLoadExtension( 'LDAPAuthorization' );

wfLoadExtension( 'LDAPAuthentication2' );

$LDAPAuthentication2UsernameNormalizer = 'strtolower';

$LDAPAuthentication2AllowLocalLogin = true;


Here is my ldapprovider.json config bellow:

{

    "lenovo.local": {

            "connection": {

                "server": "ldap.lenovo.local",

"user": "cn=admin.mediawiki,dc=lenovo,dc=local",

"pass": "P@ssw0rd",

                "options": {

                          "LDAP_OPT_DEREF": 1

                },

                "port": 389,

                "enctype": "clear",

                "basedn": "dc=lenovo,dc=local",

                "userbasedn": "ou=Users,dc=lenovo,dc=local",

                "searchattribute": "uid",

                "usernameattribute": "uid",

                "realnameattribute": "cn",

                "emailattribute": "mail",

                "searchstring": "uid=USER-NAME,ou=Users,dc=lenovo,dc=local",

                "groupbasedn": "ou=Users,dc=lenovo,dc=local",

                "groupobjectclass": "posixgroup",

                "groupattribute": "memberuid",

                "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\Configurable::factory"

            }

        }

}

As I understood on the ldapprovider.json the "username" and "pass" using to get into Active Directory with these credentials and retrieve information about users in the Active Directory catalog.I created the user "admin.mediawiki" and added him to the admin groups for some reason.


The "ou" is an Organization Unit where located users, groups, or another OU and etc., for a test I indicate a default OU=Users, which created after installing AD and contain a test user.


Could you please help me with this issue or maybe provide working examples of Localsettings.php and ldapprovider.json or there is maybe another FAQ on MediaWiki which I should read.


I can describe everything in more detail in personal correspondence, if you suddenly need any detailed information.


Thank you in advance.


For Russian speakers:


Могу более подробно все описать в личной переписке , если вдруг понадобится какая либо подробная информация.

Заранее спасибо.

Osnard (talkcontribs)

In general this looks good. Please enable debugging and try to use the commandline scripts like extensions/LDAPProvider/maintenance/ShowUserInfo.php or extensions/LDAPProvider/maintenance/CheckLogin.php first.

"Can't contact LDAP server" indicates that you might have a wrong username or password set or, that you LDAP/AD might not allow insecure connection (without TLS). Actually the "enctype": "clear" could be the best guess. I believe MS AD does not allow this anymore.

Gektor93 (talkcontribs)

Dear Osnard,

Thanks for your respond.


Here is a result of ShowUserInfo.php


MWException from line 169 of /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php: Could not bind to LDAP: (-1) Can't contact LDAP server

#0 /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php(92): MediaWiki\Extension\LDAPProvider\Client->establishBinding()

#1 /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php(230): MediaWiki\Extension\LDAPProvider\Client->init()

#2 /var/www/html/mediawiki/extensions/LDAPProvider/maintenance/ShowUserInfo.php(48): MediaWiki\Extension\LDAPProvider\Client->getUserInfo()

#3 /var/www/html/mediawiki/maintenance/doMaintenance.php(99): MediaWiki\Extension\LDAPProvider\Maintenance\ShowUserInfo->execute()

#4 /var/www/html/mediawiki/extensions/LDAPProvider/maintenance/ShowUserInfo.php(71): require_once('/var/www/html/m...')

#5 {main}


and CheckLogin.php



root@localhost maintenance]# php CheckLogin..php --domain lenovo.local --username mikhail

Could not open input file: CheckLogin..php

[root@localhost maintenance]# php CheckLogin.php --domain lenovo.local --username mikhail

Password:P@ssw0rd

MWException from line 169 of /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php: Could not bind to LDAP: (-1) Can't contact LDAP server

#0 /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php(92): MediaWiki\Extension\LDAPProvider\Client->establishBinding()

#1 /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php(329): MediaWiki\Extension\LDAPProvider\Client->init()

#2 /var/www/html/mediawiki/extensions/LDAPProvider/maintenance/CheckLogin.php(50): MediaWiki\Extension\LDAPProvider\Client->canBindAs()

#3 /var/www/html/mediawiki/maintenance/doMaintenance.php(99): MediaWiki\Extension\LDAPProvider\Maintenance\CheckLogin->execute()

#4 /var/www/html/mediawiki/extensions/LDAPProvider/maintenance/CheckLogin.php(76): require_once('/var/www/html/m...')

#5 {main}

Gektor93 (talkcontribs)

Dear Osnard,


This is a debbug log i think:


2020-07-21 23:12:29 localhost.localdomain wikidb: ldap_connect( $hostname = 'ldap://lenovo.local:389', $port = 389 );

2020-07-21 23:12:29 localhost.localdomain wikidb: # __METHOD__ returns Resource id #213

2020-07-21 23:12:29 localhost.localdomain wikidb: Setting LDAP_OPT_PROTOCOL_VERSION to 3

2020-07-21 23:12:29 localhost.localdomain wikidb: ldap_set_option( $linkID, $option = 17, $newval = 3 );

2020-07-21 23:12:29 localhost.localdomain wikidb: # returns 1

2020-07-21 23:12:29 localhost.localdomain wikidb: Setting LDAP_OPT_REFERRALS to 0

2020-07-21 23:12:29 localhost.localdomain wikidb: ldap_set_option( $linkID, $option = 8, $newval = 0 );

2020-07-21 23:12:29 localhost.localdomain wikidb: # returns 1

2020-07-21 23:12:29 localhost.localdomain wikidb: Setting LDAP_OPT_DEREF to 1

2020-07-21 23:12:29 localhost.localdomain wikidb: ldap_set_option( $linkID, $option = 2, $newval = 1 );

2020-07-21 23:12:29 localhost.localdomain wikidb: # returns 1

2020-07-21 23:12:29 localhost.localdomain wikidb: ldap_bind( $linkID, $bindRDN = 'cn=admin.mediawiki,ou=Users,dc=lenovo,dc=local', $bindPassword = 'XXXX' );

2020-07-21 23:12:29 localhost.localdomain wikidb: # returns

2020-07-21 23:12:29 localhost.localdomain wikidb: ldap_error( $linkID );

2020-07-21 23:12:29 localhost.localdomain wikidb: # returns Can't contact LDAP server

2020-07-21 23:12:29 localhost.localdomain wikidb: ldap_errno( $linkID );

2020-07-21 23:12:29 localhost.localdomain wikidb: # returns -1

Osnard (talkcontribs)

Okay, so it clearly fails with the connection. Try using "enctype": "ssl". You can also write up a little test script to check which connection parameters are required in your setup. As it is AD "clear" will not work.

Gektor93 (talkcontribs)

Dear Osnard,


But why with first version of LDAPAuthentication it works?I had different config which work, but only with MediaWiki 1.30

Gektor93 (talkcontribs)

It was on my old Localsettings.php file. And it work correctly. I could login with AD user.

What the difference ?


$wgGroupPermissions['*']['autocreateaccount'] = true;

$wgGroupPermissions['*']['createaccount'] = false;

if ( !isset( $_SERVER['REMOTE_ADDR'] ) OR $_SERVER['REMOTE_ADDR'] == '192.168.7.30') {

$wgGroupPermissions['*']['read'] = true;

$wgGroupPermissions['*']['edit'] = true;

}

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

# LDAP ---------------------------------------------------------------------------------------

require_once('extensions/LdapAuthentication/LdapAuthentication.php');

require_once ('includes/AuthPlugin.php');

$wgAuth = new LdapAuthenticationPlugin();


$wgLDAPDomainNames = array('JAKONDA.LOCAL');

$wgLDAPServerNames = array('JAKONDA.LOCAL' => 'dc1.jakonda.local');

$wgLDAPPort = array('JAKONDA.LOCAL' => 389);

$wgLDAPEncryptionType = array('JAKONDA.LOCAL' => 'false');


$wgLDAPUseLocal = true;


$wgLDAPSearchStrings = array('JAKONDA.LOCAL' => 'USER-NAME@JAKONDA.LOCAL',);

$wgLDAPProxyAgent = array('JAKONDA.LOCAL' => 'admin.mediawiki');

$wgLDAPProxyAgentPassword = array('JAKONDA.LOCAL' => 'Aa1234567');

$wgLDAPSearchAttributes = array('JAKONDA.LOCAL' => 'sAMAccountName');

$wgLDAPBaseDNs = array('JAKONDA.LOCAL' => 'dc=jakonda,dc=local');

$wgLDAPGroupBaseDNs = array('JAKONDA.LOCAL' => 'dc=jakonda,dc=local');

$wgLDAPUserBaseDNs = array('JAKONDA.LOCAL' => 'dc=jakonda,dc=local');


$wgLDAPRetrievePrefs = array('JAKONDA.LOCAL' => 'true');

$wgLDAPPreferences = array('JAKONDA.LOCAL' => array('email' => 'mail','realname' => 'displayname'));


$wgLDAPDisableAutoCreate = array('JAKONDA.LOCAL' => true);


$wgLDAPGroupUseFullDN = array('JAKONDA.LOCAL' => true);

$wgLDAPLowerCaseUsername = array('JAKONDA.LOCAL' => true);

$wgLDAPGroupObjectclass = array('JAKONDA.LOCAL' => 'group');

$wgLDAPGroupAttribute = array('JAKONDA.LOCAL' => 'member');

$wgLDAPGroupNameAttribute = array('JAKONDA.LOCAL' => 'cn');

$wgLDAPGroupsUseMemberOf = array('JAKONDA.LOCAL' => true);


# Можно задать члены групп AD, каким разрешать доступ к MediaWiki

$wgLDAPRequiredGroups = array('JAKONDA.LOCAL' => array('cn=evilgroup,ou=groups,dc=AD,dc=jakonda,dc=local'));


# Можно задать члены групп AD, каким запрещать доступ к MediaWiki&nbsp;

#$wgLDAPExcludedGroups = array('JAKONDA.LOCAL' => array('cn=evilgroup,ou=groups,dc=AD,dc=jakonda,dc=local'));

$wgLDAPGroupSearchNestedGroups = array('JAKONDA.LOCAL' => true);

$wgLDAPActiveDirectory = array('JAKONDA.LOCAL' => true);


$wgLDAPDebug = 99;

$wgDebugLogGroups["ldap"] = "/tmp/ldap.log";

#-----------------------------------------------------------------------------------------------------

Osnard (talkcontribs)

Have you changed the new JSON config from above, before you posted it? E.G. replaced "dc1.jakonda.local" with "ldap.lenovo.local". Because if not, I need to assume, your new config and the old working config are very different as they have different servers configured.

Could you please create a nee PHP file with the contents from "Example 1" on https://www.php.net/manual/en/function.ldap-bind.php and fill in your credentials. Then run it and share the results.

Gektor93 (talkcontribs)

Dear Osnard,

Yes, they are different. I just shared it, which was working in the past. Let's imagine that domain name the same. Please note that it totally different configs. And I had two separate domain controllers. Just share it to show you that it was work without any encryption.

Osnard (talkcontribs)

So two separate domain controllers. And the old config (the one without encryption) worked with both?

Gektor93 (talkcontribs)

Old config worked with WS2012R2 without encryption. New config didn`t work with WS19 and WS2012R2 also without encrypt.

@Osnard could you please share links on how to config Localsettings.php or ldapprovider.json from the beginning.

I think that I do some stupid mistakes and walking around it.


Many thanks,

Osnard (talkcontribs)
Gektor93 (talkcontribs)

Hi Osnard,


I started with new config . And encountered with the issue below :


[root@localhost ~]# php /var/www/html/mediawiki/maintenance/update.php


[6932f3de4fc05b2ba466fa5f] [no req]   MWException from line 42 of /var/www/html/mediawiki/extensions/LDAPProvider/src/DomainConfigProvider/LocalJSONFile.php:

Could not access configuration file '/etc/mediawiki/ldapprovider.json'!

Please set up a domain configuration file for the LDAPProvider extension.


Backtrace:

#0 /var/www/html/mediawiki/extensions/LDAPProvider/src/DomainConfigProvider/LocalJSONFile.php(73): MediaWiki\Extension\LDAPProvider\DomainConfigProvider\LocalJSONFile->__construct()

#1 [internal function]: MediaWiki\Extension\LDAPProvider\DomainConfigProvider\LocalJSONFile::newInstance()

#2 /var/www/html/mediawiki/extensions/LDAPProvider/src/DomainConfigFactory.php(106): call_user_func_array()

#3 /var/www/html/mediawiki/extensions/LDAPAuthentication2/src/Setup.php(12): MediaWiki\Extension\LDAPProvider\DomainConfigFactory::getInstance()

#4 /var/www/html/mediawiki/includes/Setup.php(906): MediaWiki\Extension\LDAPAuthentication2\Setup::init()

#5 /var/www/html/mediawiki/maintenance/doMaintenance.php(83): require_once(string)

#6 /var/www/html/mediawiki/maintenance/update.php(277): require_once(string)

#7 {main}


Last time when it happened I just create a folder mediawiki int /etc and add ldapprovider.json file in with config bellow:


{

"acme.com": {

"connection": {

"server": "ldap.acme.com",

"port": "389",

"user": "CN=mikhail,OU=Users,DC=acme,DC=com",

"pass": "P@ssw0rd",

"enctype": "clear",

"options": {

"LDAP_OPT_DEREF": 1

},

"basedn": "dc=acme,dc=com",

"userbasedn": "dc=acme,dc=com",

"groupbasedn": "dc=acme,dc=com",

"searchattribute": "samaccountname",

"usernameattribute": "samaccountname",

"realnameattribute": "cn",

"emailattribute": "mail",

"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",

"presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]

},

"userinfo": [],

"authorization": [],

"groupsync": {

"mapping": {

"engineering": "CN=EngineeringCoreTeam,OU=Groups,DC=acme,DC=com",

"bureaucrat": "CN=Mediawiki Admins,OU=Groups,DC=acme,DC=com",

"interface-admin": "CN=Mediawiki Admins,OU=Groups,DC=acme,DC=com",

"sysop": "CN=Mediawiki Admins,OU=Groups,DC=acme,DC=com"

}

}

}

}


It is the OK ? Because in

Create an LDAP configuration file. For simplicity, we place this new file at /var/www/ldap.json then protect it for reading by the web-server.

Gektor93 (talkcontribs)

Dear Osnard,

As I said early it was very stupid mistake. The problem was in the IP of the AD\DNS server. It was indicated by mistake and after I change it ... it works! After more than one month)))) Thank you very much for your support in my case.


P.S. And yes, it works without encryption. But I will enable it in my final config)

Osnard (talkcontribs)

Glad to hear this!

Reply to "LDAP login issue"
213.138.74.76 (talkcontribs)

Hey guys, i've just migrated but there is a trouble now.

I recieve a "Could not authenticate credentials against domain "domain"" error.

My config is here:

wfLoadExtension( 'PluggableAuth' );

wfLoadExtension( 'LDAPProvider' );

wfLoadExtension( 'LDAPAuthentication2' );


$LDAPAuthentication2UsernameNormalizer = 'strtolower';

$LDAPAuthentication2AllowLocalLogin = true;


$LDAPProviderDomainConfigProvider = function() {

   $config = [

       'domain => [

           'connection' => [

               "server" => "domain.com",

               "user" => "domaincom\\user",

               "pass" => 'Password02', //no binding error

               "options" => [

                   "LDAP_OPT_DEREF" => 1

               ],

               "basedn" => "DC=domain,DC=com",

               "groupbasedn" => "DC=domain,DC=com",

               "userbasedn" => "DC=domain,DC=com",

               "searchattribute" => "sAMAccountName",

               "searchstring" => "sAMAccountName=USER-NAME,DC=domain,DC=com",

//if i change to domaincom\\USER-NAME i'll recieve (PluggableAuthPrimaryAuthenticationProvider returned an invalid username:) error

               "usernameattribute" => "sAMAccountName",

               "realnameattribute" => "cn",

               "emailattribute" => "mail"

           ]

       ]

   ];

   return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );

};

$LDAPAuthentication2AllowLocalLogin=true;

$wgShowExceptionDetails = true;


Pls, help me to catch the tail of this problem.


Thanks in advance.

213.138.74.76 (talkcontribs)

Update: php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain domain --username SomeUser works properly

Osnard (talkcontribs)

Have you also tried extensions/LDAPProvider/maintenance/CheckLogin.php --domain domain --username SomeUser?

109.165.87.163 (talkcontribs)

Yes.

If i change "searchstring" => "sAMAccountName=USER-NAME,DC=domain,DC=com to domaincom\\USER-NAME

php extensions/LDAPProvider/maintenance/CheckLogin.php --domain domaincom --username user

Auth is OK


But then i try auth in usual way, i receive another error:


[568043a6f699c2aa8ba284f2] /mediawiki/index.php?title=%D0%A1%D0%BB%D1%83%D0%B6%D0%B5%D0%B1%D0%BD%D0%B0%D1%8F:%D0%92%D1%85%D0%BE%D0%B4&returnto=%D0%97%D0%B0%D0%B3%D0%BB%D0%B0%D0%B2%D0%BD%D0%B0%D1%8F+%D1%81%D1%82%D1%80%D0%B0%D0%BD%D0%B8%D1%86%D0%B0 DomainException from line 612 of /var/lib/mediawiki/includes/auth/AuthManager.php: PluggableAuthPrimaryAuthenticationProvider returned an invalid username:

Backtrace:

#0 /var/lib/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(355): MediaWiki\Auth\AuthManager->continueAuthentication(array)

#1 /var/lib/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(482): AuthManagerSpecialPage->performAuthenticationStep(string, array)

#2 /var/lib/mediawiki/includes/htmlform/HTMLForm.php(660): AuthManagerSpecialPage->handleFormSubmit(array, VFormHTMLForm)

#3 /var/lib/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(416): HTMLForm->trySubmit()

#4 /var/lib/mediawiki/includes/specialpage/LoginSignupSpecialPage.php(316): AuthManagerSpecialPage->trySubmit()

#5 /var/lib/mediawiki/includes/specialpage/SpecialPage.php(565): LoginSignupSpecialPage->execute(NULL)

#6 /var/lib/mediawiki/includes/specialpage/SpecialPageFactory.php(568): SpecialPage->run(NULL)

#7 /var/lib/mediawiki/includes/MediaWiki.php(288): SpecialPageFactory::executePath(Title, RequestContext)

#8 /var/lib/mediawiki/includes/MediaWiki.php(861): MediaWiki->performRequest()

#9 /var/lib/mediawiki/includes/MediaWiki.php(524): MediaWiki->main()

#10 /var/lib/mediawiki/index.php(42): MediaWiki->run()

#11 {main}

Osnard (talkcontribs)

It looks like the "usernameattribute" is not "sAMAccountName". Be careful, the configured attribute name is case sensitive. Can you try to set "samaccountname".

You can use php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain YourDomain --username SomeUser to see exactly what the application sees.

213.138.74.76 (talkcontribs)

Thanks! That is a solution.

177.95.128.116 (talkcontribs)

Thanks a lot for all the talk here, just solved my problem following this thread. It seems the "sAMAccountName" and " domaincom\\USER-NAME" should be the default or example configuration for these plugins, it should probably be on their pages.

Osnard (talkcontribs)
Reply to "Invalid credentials"

Example 1 - User Name is empty

2
Igor-the-insane (talkcontribs)

I am trying example 1

This function os returning nothing :


$wgAuthRemoteuserUserName = function() {

   $user = '';

   if( isset( $_SERVER[ 'REMOTE_USER' ] ) ) {

       $user = strtolower( $_SERVER[ 'REMOTE_USER' ] );

   }

   return $user;

};


Suggestions ?


Osnard (talkcontribs)

So is $_SERVER[ 'REMOTE_USER' ] even set? If not, you might need to configure your webserver e.g. to use the Kerberos protocol (Apache: "mod_auth_kerb") for authentication.

Reply to "Example 1 - User Name is empty"

wgLDAPGroupUseFullDN replacement

2
Dimassc (talkcontribs)

I'm migrating from the old LdapAuthentication to the new stack and it didn't work. I need a replacement for $wgLDAPGroupUseFullDN = array( "LDAP"=>false)

I need to search members in groups like this: (&(objectclass={GROUPOBJECTCLASS})({GROUPATTRIBUTE}=$username))

Instead of this this plugin is doing this search: (&(objectclass={GROUPOBJECTCLASS})({GROUPATTRIBUTE}=$userDN))

I modified Configurable.php to archive this but it'd nice to have a ldap provider parameter to configure that.

Thx

Osnard (talkcontribs)
Reply to "wgLDAPGroupUseFullDN replacement"

could not authenticate credentials against domain

6
Shertster (talkcontribs)

Hi all,

I migrated recently from mediawiki 1.32 to 1.34 and so I was forced to change from LDAPAuthentication to LDAPHub, my version and configuration are :

MediaWiki 1.34.0
PHP 7.3.11-1~deb10u1 (fpm-fcgi)
MariaDB 10.3.21-MariaDB-1:10.3.21+maria~buster-log
ICU 63.1

Plugins :

PluggableAuth : 5.7

LDAPAuthentication2 : 1.0.1

LDAPProvider : 1.0.1

LDAPAuthorization : 1.0.0


#### new ldap conf

wfLoadExtension( 'LDAPProvider' );

$LDAPProviderDomainConfigs = "extensions/LDAPProvider/ldapprovider.json";

wfLoadExtension( 'PluggableAuth' );

$wgPluggableAuth_EnableLocalLogin = true;

$wgGroupPermissions['user']['autocreateaccount'] = true;

$wgGroupPermissions['user']['createaccount'] = true;

wfLoadExtension( 'LDAPAuthorization' );

wfLoadExtension( 'LDAPAuthentication2' );

$LDAPAuthentication2UsernameNormalizer = 'strtolower';

$LDAPAuthentication2AllowLocalLogin = true;


the json is :


{

    "localdomain.tld": {

            "connection": {

                "server": "ldap.localdomain.tld",

                "options": {

                          "LDAP_OPT_DEREF": 1

                },

                "port": 389,

                "enctype": "tls",

                "basedn": "dc=localdomain,dc=tld",

                "userbasedn": "ou=people,dc=localdomain,dc=tld",

                "searchattribute": "uid",

                "usernameattribute": "uid",

                "realnameattribute": "cn",

                "emailattribute": "mail",

                "searchstring": "ou=people,uid=USER-NAME,dc=localdomain,dc=tld",

                "groupbasedn": "ou=group,dc=localdomain,dc=tld",

                "groupobjectclass": "posixgroup",

                "groupattribute": "memberuid",

                "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\Configurable::factory"

            },

            "authorization": {

                "rules": {

                    "groups": {

                        "required": [

                            "cn=tsism,ou=group,dc=localdomain,dc=tld"

                        ]

                    }

                }

            }

        }

}


when I try to login using the web form I get :


"Could not authenticate credentials against domain "localdomain.tld"


If I use ShowUserInfo.php utility I get correct information, but CheckLogin.php fails,

do you have a suggestion on how to cehck/debug this issue ?

I guess it's something wrong my configuration, but I dont' understand how to start the

troubleshoot.


thank you


M.

Osnard (talkcontribs)

Is there any information in the debugging logs? You can enable them as described here.

Does your LDAP allow this particular user to bind? You can test on Linux by using ldapsearch (https://serverfault.com/a/514873).

Shertster (talkcontribs)

Thank You Osnard, I realyl don't know how I missed that part, after enablingthe debug on the ldap part we were able to fix the authentication problem, the searchstring order needed t obe fixed from

"searchstring": "ou=people,uid=USER-NAME,dc=localdomain,dc=tld"


to


"searchstring": "uid=USER-NAME,ou=people,dc=localdomain,dc=tld"


basically uid and ou where in wrong position preventing the bind to work.


Now the login with plugagbleauth returns "Fatal exception of type "DomainException""


in the debug I found :


[error] [7ab5c01906e24316bf5102cf] /index.php?title=Special:PluggableAuthLogin   ErrorException from line 39 of /mnt/data/mediawiki/mediawiki-1.34.0/extensions/PluggableAuth/includes/PluggableAuthLogin.php: PHP Notice: Array to string conversion

#0 /mnt/data/mediawiki/mediawiki-1.34.0/extensions/PluggableAuth/includes/PluggableAuthLogin.php(39): MWExceptionHandler::handleError(integer, string, string, integer, array)


in the debug for the plugi neveything seems ok :


2020-01-08 10:57:45 wiki mediawiki-wk_: Authenticated new user: Array

2020-01-08 10:57:45 wiki mediawiki-wk_: User is authorized.


I wonder if the presence of a picture in the Ldap can give probelms,

(we have an attribute called jpegphoto and the picture is shown as binary data in

the debug and using ShowUserInfo.php)


M.


Osnard (talkcontribs)

It looks like $username provided by LDAPAuthentication2 was an array instead of a string. This is very stange. Can you share the output of ShowUserInfo.php? Please strip any sensitive information any binary data. The field "uid" is of special interest.

I don't think that the binary-data from the jpeg is an issue.

Shertster (talkcontribs)

Hi ,

I found the probelm , some users were defined in a strange way , they had two uid attributes.

this was made to create some sort of "alias" mechanism, once I deleted the extra uid attribute

all worked as expected.


Sorry for the chaos


M.

Osnard (talkcontribs)

Good to hear! Thanks for the feedback!

Reply to "could not authenticate credentials against domain"

Is there any example for Active Directory?

5
24.218.251.105 (talkcontribs)

The lack of clear examples of how to configure this whole stack is really frustrating. I can't figure out how to see any log files for LDAP authentication. I just get a spinning page load whenever I enter the correct LDAP credentials and an error when using incorrect ones.

Osnard (talkcontribs)

I have updated the page just recently. Please have another look. My apologies for the inconvenience.

JonathanKing~mediawikiwiki (talkcontribs)

Thanks Osnard. I did base my config on your example, and you and I are looking this over on another talk page. I appreciate all the work you must have put into all of this to replace Ryan's older system. I'd suggest you might have fewer support requests if you can put together more documentation about how the entire system works and how exactly to use it. I am happy to contribute my Active Directory config once it's working :)

Osnard (talkcontribs)

Yeah, I currently try to team up with others to improve documentation. Your contribution would be very appreciated!

Possebon (talkcontribs)

@JonathanKing~mediawikiwiki do you mind to share your working Active Directory configuration?

I've been struggling with this for the last 3 weeks without success.

Reply to "Is there any example for Active Directory?"
There are no older topics