Topic on Extension talk:LDAP Authentication

ldap auth works fine for existing except for new users

Oxtan (talkcontribs)

hi,

Long-time user of this extension here. I have a weird issue that is causing me some pain.

Our wiki server was running in a debian linux box and now we have migrated it to a centos cluster running apache2 behind a haproxy load balancer. Everything works except this.

Our Apache hosts authenticate our users against LDAP using basic auth over https. Once authenticated to the web server, the MW extension takes over with this config:

##### LdapAuth plugin #####

## load the library
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
require_once( "$IP/extensions/LdapAuthentication/LdapAutoAuthentication.php" );

## create an object
$wgAuth = new LdapAuthenticationPlugin();

# we are using AD, so define it here
$wgLDAPDomainNames = array(
    "AD",
);

# ldap servers for AD (space-separated list of hosts)
$wgLDAPServerNames = array(
    "AD" => "dc01.domain.tld dc02.domain.tld dc03.domain.tld"
);

# "clear" = plain LDAP on port 389; the proxy agent bind below
# crosses the network unencrypted (alternatives are "ssl" and "tls")
$wgLDAPEncryptionType = array(
    "AD" => "clear"
);

# service account used for the proxy bind (search for the user DN)
$wgLDAPProxyAgent = array(
    "AD" => "CN=sa_mediawiki,OU=Service_accounts,DC=domain,DC=tld"
);

# its password, stored in plaintext in LocalSettings.php
$wgLDAPProxyAgentPassword = array(
    "AD" => "verysafe"
);

$wgLDAPBaseDNs = array(
    "AD" => "dc=domain,dc=tld"
);

# attribute the wiki username is matched against
$wgLDAPSearchAttributes = array(
    "AD" => "sAMAccountName",
);

//Option for allowing the retrieval of user preferences from LDAP.
//Only pulls a small amount of info currently.
//Default: false
//DEPRECATED in 1.2a
$wgLDAPRetrievePrefs = array(
    "AD" => false
);

//Option for pulling specific preferences. Available options
//are "email", "realname", "nickname", "language"
//Ensure all attribute names given are in lower case.
//Default: none; disabled
//Available in 1.2a
$wgLDAPPreferences = array(
    "AD" => array(
        "email"    => "mail",
        "realname" => "displayname",
        "nickname" => "cn",
        "language" => "preferredlanguage"
    )
);


# if (isset($_SERVER["REMOTE_USER"])) $wgLDAPAutoAuthUsername = $_SERVER["REMOTE_USER"];

# REMOTE_USER is set by Apache after basic auth; strip a realm suffix (user@REALM -> user)
$wgLDAPAutoAuthUsername = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"] );

$wgLDAPAutoAuthDomain = "AD" ;

# debugging this extension, uncomment if needed
$wgLDAPDebug = 1;
$wgDebugLogGroups['ldap'] = '/srv/apacheprod/html/mediawiki/tmp/ldap_debug.log';

AutoAuthSetup();

And this is what I see in ldap_debug.log:

2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e Entering Connect
2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e Connected successfully
2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e Entering getSearchString
2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e Doing a proxy bind
2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e Entering getUserDN
2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e Entering getBaseDN
2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e basedn is not set for this type of entry, trying to get the default basedn.
2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e Entering getBaseDN
2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e basedn is dc=domain,dc=tld
2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e
2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e Entering getGroups
2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e Entering checkGroups
2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e Entering getPreferences
2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e Retrieving preferences
2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e Retrieved realname (bladibla) using attribute (displayname)
2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e Retrieved nickname (bladibla) using attribute (cn)
2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e Entering synchUsername
2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e Authentication passed
2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e Entering getCanonicalName
2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e Username isn't empty.
2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e Munged username: Bladibla
2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e User exists in LDAP; finding the user by name (Bladibla) in MediaWiki.
2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e Got id ().
2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e User does not exist in local database; creating.
2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e Entering initUser
2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e Entering updateUser
2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e Setting user preferences.
2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e Setting nickname.
2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e Setting realname.
2015-03-11 09:13:17 wiki.iriszorg.nl wikidb: 1.2e Saving user settings.

So why is the extension not creating any wiki users? As a workaround, how could I pre-create wiki users?

Thanks in advance.
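A stricter way to derive the auto-auth username from REMOTE_USER than the one-liner in the config above, as an added example that is not from this thread or from the extension: it only calls AutoAuthSetup() when Apache actually authenticated the request, strips both user@REALM and DOMAIN\user forms, and rejects names outside a conservative character set for sAMAccountName. The helper name is made up here.

```php
<?php
// Added example, not part of the original post or of the LdapAuthentication extension.
// Returns the bare account name Apache authenticated, or null when the request
// carried no authenticated user (so nothing is auto-logged-in in that case).
function ldapAutoAuthUsernameFromRemoteUser( array $server ) {
    if ( !isset( $server['REMOTE_USER'] ) || $server['REMOTE_USER'] === '' ) {
        return null;                      // no HTTP auth happened for this request
    }
    $name = $server['REMOTE_USER'];

    // user@DOMAIN.TLD -> user   (UPN / Kerberos realm form)
    $name = preg_replace( '/@.*$/', '', $name );

    // DOMAIN\user -> user       (down-level logon name form)
    $pos = strrpos( $name, '\\' );
    if ( $pos !== false ) {
        $name = substr( $name, $pos + 1 );
    }

    // Conservative subset of what AD accepts in sAMAccountName (max 20 chars for
    // user objects); anything else is refused rather than handed to the LDAP search.
    if ( !preg_match( '/^[A-Za-z0-9._-]{1,20}$/', $name ) ) {
        return null;
    }
    return $name;
}

// Usage in LocalSettings.php, replacing the unconditional preg_replace() line:
$autoUser = ldapAutoAuthUsernameFromRemoteUser( $_SERVER );
if ( $autoUser !== null ) {
    $wgLDAPAutoAuthUsername = $autoUser;
    $wgLDAPAutoAuthDomain   = "AD";
    AutoAuthSetup();
}
```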

194.244.52.149 (talkcontribs)

Hi, we have the same problem. I updated our wiki from version 1.17.0 to 1.24.0 and new users cannot register. After that I updated to version 1.24.1, but the problem wasn't solved ... Thanks in advance.

JF (www.selcomgroup.com)

194.244.52.149 (talkcontribs)

I found a temporary circumvention to the problem. We use MediaWiki to document internal projects and applications. So I inserted an account existing in our OpenLDAP using sqlbuddy into the wiki_user database. The account works fine.

JF (www.selcomgroup.com)
