Topic on Extension talk:LDAP Authentication

Another required groups issue

91.224.226.196 (talkcontribs)

Hi there,

here's another group issue where I didn't find a solution in older threads: We try to allow page creation etc. only to an AD group 'IT'.

Behaviour: If we uncomment the line

$wgLDAPRequiredGroups = array( "MyDomain"=> array( "dc=My,dc=Dom,dc=ain" ) );

we can log on. If the line is active we get a "wrong password" error message. In either case there is no check whether the user is in the group 'IT'.

  • Settings:
    • Wiki-Version: 1.19.0
    • PHP: 5.4.4-7 (apache2handler)
    • MySQL: 5.5.24-9
    • LDAP Authentication Plugin (Version 2.0a) <-- Version 2.0c couldn't be downloaded...


  • LocalSettings.php
# Enable LDAP Authentication
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array( "MyDomain" );
$wgLDAPServerNames = array( "MyDomain" => "PrimDomContrl.MyDomain" );
$wgLDAPSearchStrings = array( "MyDomain" => "My\\USER-NAME" );
$wgLDAPEncryptionType = array( "MyDomain" => "clear" );
# $wgLDAPUseLocal = true;
$wgLDAPAccessDeniedPage = array( "MyDomain" => "Missing rights!" );
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs = array( "MyDomain" => "dc=My,dc=Dom,dc=ain" );
$wgLDAPSearchAttributes = array( "MyDomain" => "sAMAccountName" );
$wgLDAPRetrievePrefs = array( "MyDomain" => "true" );
$wgLDAPDebug = 3; //for debugging LDAP
$wgDebugLogGroups["ldap"] = "/tmp/ldaplog.log";
$wgShowExceptionDetails = true; //for debugging MediaWiki
$wgLDAPGroupUseFullDN = array( "MyDomain"=>true );
$wgLDAPGroupsUseMemberOf = array( "MyDomain" => true );
$wgLDAPGroupObjectclass = array( "MyDomain"=>"group" );
$wgLDAPGroupAttribute = array( "MyDomain"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "MyDomain" => true );
$wgLDAPGroupNameAttribute = array( "MyDomain"=>"cn" );

# The following permissions were set based on your choice in the installer
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['createpage'] = false;
$wgGroupPermissions['*']['createtalk'] = false;

$wgLDAPRequiredGroups = array( "MyDomain"=> array( "dc=My,dc=Dom,dc=ain" ) );

# This section defines permissions which allow only logged-in users to edit
#
# Deny access to Anonymous
# But allow Anonymous to login
#
$wgWhitelistRead = array ("Special:Userlogin");
#
# Allow logged in users to do these things
#
$wgGroupPermissions['it']['move']            = true;
$wgGroupPermissions['it']['read']            = true;
$wgGroupPermissions['it']['edit']            = true;
$wgGroupPermissions['it']['createpage']      = true;
$wgGroupPermissions['it']['createtalk']      = true;
$wgGroupPermissions['it']['upload']          = true;
$wgGroupPermissions['it']['reupload']        = true;
$wgGroupPermissions['it']['reupload-shared'] = true;
$wgGroupPermissions['it']['minoredit']       = true;

  • Log-Output:
2012-10-18 08:56:48 Localhost mywiki: 2.0a Entering validDomain
2012-10-18 08:56:48 Localhost mywiki: 2.0a User is not using a valid domain ().
2012-10-18 08:56:48 Localhost mywiki: 2.0a Setting domain as: MyDomain
2012-10-18 08:56:48 Localhost mywiki: 2.0a Entering allowPasswordChange
2012-10-18 08:56:48 Localhost mywiki: 2.0a Entering modifyUITemplate
2012-10-18 08:56:48 Localhost mywiki: 2.0a Allowing the ain domain, adding it to the list.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering validDomain
2012-10-18 08:56:52 Localhost mywiki: 2.0a User is using a valid domain (MyDomain).
2012-10-18 08:56:52 Localhost mywiki: 2.0a Setting domain as: MyDomain
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getCanonicalName
2012-10-18 08:56:52 Localhost mywiki: 2.0a Username isn't empty.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering Connect
2012-10-18 08:56:52 Localhost mywiki: 2.0a Using TLS or not using encryption.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Using servers:  ldap://PrimDomContrl.MyDomain:389
2012-10-18 08:56:52 Localhost mywiki: 2.0a PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getUserDN
2012-10-18 08:56:52 Localhost mywiki: 2.0a Doing an anonymous bind
2012-10-18 08:56:52 Localhost mywiki: 2.0a Created a regular filter: (sAMAccountName=XXX-TESTUSER)
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getBaseDN
2012-10-18 08:56:52 Localhost mywiki: 2.0a basedn is not set for this type of entry, trying to get the default basedn.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getBaseDN
2012-10-18 08:56:52 Localhost mywiki: 2.0a Using base: dc=My,dc=Dom,dc=ain
2012-10-18 08:56:52 Localhost mywiki: 2.0a Couldn't find an entry
2012-10-18 08:56:52 Localhost mywiki: 2.0a Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Munged username: XXX-TESTUSER
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering authenticate for username XXX-TESTUSER
2012-10-18 08:56:52 Localhost mywiki: 2.0a
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering Connect
2012-10-18 08:56:52 Localhost mywiki: 2.0a Using TLS or not using encryption.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Using servers:  ldap://PrimDomContrl.MyDomain:389
2012-10-18 08:56:52 Localhost mywiki: 2.0a PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getSearchString
2012-10-18 08:56:52 Localhost mywiki: 2.0a Doing a straight bind
2012-10-18 08:56:52 Localhost mywiki: 2.0a userdn is: My\XXX-TESTUSER
2012-10-18 08:56:52 Localhost mywiki: 2.0a
2012-10-18 08:56:52 Localhost mywiki: 2.0a Binding as the user
2012-10-18 08:56:52 Localhost mywiki: 2.0a Bound successfully
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getUserDN
2012-10-18 08:56:52 Localhost mywiki: 2.0a Created a regular filter: (sAMAccountName=XXX-TESTUSER)
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getBaseDN
2012-10-18 08:56:52 Localhost mywiki: 2.0a basedn is not set for this type of entry, trying to get the default basedn.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getBaseDN
2012-10-18 08:56:52 Localhost mywiki: 2.0a Using base: dc=My,dc=Dom,dc=ain
2012-10-18 08:56:52 Localhost mywiki: 2.0a Fetched UserDN: CN=TESTUSER\, XXX-,OU=Undef. User,OU=MyBranch,OU=MyComp,DC=My,DC=Dom,DC=ain
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getGroups
2012-10-18 08:56:52 Localhost mywiki: 2.0a Retrieving LDAP group membership
2012-10-18 08:56:52 Localhost mywiki: 2.0a Using memberOf
2012-10-18 08:56:52 Localhost mywiki: 2.0a Got the following groups: cn=xxx-user,ou=xxx-lists,dc=My,dc=Dom,dc=ain::cn=xxx-admins,ou=it,dc=My,dc=Dom,dc=ain:: [...]
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering checkGroups
2012-10-18 08:56:52 Localhost mywiki: 2.0a Checking for (new style) group membership
2012-10-18 08:56:52 Localhost mywiki: 2.0a Required groups: dc=My,dc=Dom,dc=ain
2012-10-18 08:56:52 Localhost mywiki: 2.0a Checking against: cn=xxx-user,ou=xxx-lists,dc=My,dc=Dom,dc=ain
2012-10-18 08:56:52 Localhost mywiki: 2.0a Checking against: cn=xxx-admins,ou=it,dc=My,dc=Dom,dc=ain
[...]
2012-10-18 08:56:52 Localhost mywiki: 2.0a Couldn't find the user in any groups.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering strict.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Returning false in strict().
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering allowPasswordChange
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering modifyUITemplate
2012-10-18 08:56:52 Localhost mywiki: 2.0a Allowing the local domain, adding it to the list.

Any hints?
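As an added illustration (not code from the extension or from the poster), this Python models the check the log above shows: each DN listed under "Required groups" is compared whole against each DN from the user's memberOf list, so a base DN such as dc=My,dc=Dom,dc=ain can never equal a group's DN and "Couldn't find the user in any groups" follows. The memberOf values are taken from the posted log line; the group DN used for the second check is constructed, since the post does not give the DN of the 'IT' group.

```python
# Constructed from the "Got the following groups:" line of the posted log;
# the extension logs the user's memberOf DNs separated by "::".
MEMBEROF_LOG_LINE = (
    "Got the following groups: cn=xxx-user,ou=xxx-lists,dc=My,dc=Dom,dc=ain::"
    "cn=xxx-admins,ou=it,dc=My,dc=Dom,dc=ain::"
)

def normalize_dn(dn):
    """Canonical form for comparison: lower-case, no blanks around commas.
    A backslash-escaped comma (as in 'CN=TESTUSER\\, XXX-') stays in the value."""
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            buf, escaped = buf + ch, True
        elif ch == ",":
            parts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    parts.append(buf.strip())
    return ",".join(parts).lower()

def parse_memberof(log_line):
    """Split the logged memberOf list on its '::' separator."""
    _, _, groups = log_line.partition("Got the following groups: ")
    return [g for g in groups.split("::") if g.strip()]

def check_required_groups(user_groups, required_groups):
    """Return the first required DN the user holds, or None.
    The log prints one 'Checking against:' line per memberOf DN, i.e. a
    whole-DN comparison: a base DN can never equal a group's DN."""
    have = {normalize_dn(g) for g in user_groups}
    for req in required_groups:
        if normalize_dn(req) in have:
            return req
    return None

def demo():
    groups = parse_memberof(MEMBEROF_LOG_LINE)
    # The post's setting: the base DN as the "required group" -> no match.
    base_dn = check_required_groups(groups, ["dc=My,dc=Dom,dc=ain"])
    # A group DN (constructed; the post does not give the DN of group 'IT'),
    # written in AD's upper-case style to show the case-insensitive match.
    group = check_required_groups(
        groups, ["CN=xxx-admins, OU=it, DC=My, DC=Dom, DC=ain"])
    return base_dn, group
```

Running demo() returns None for the base-DN setting and the matching group DN for the second check, which is the difference between "Couldn't find the user in any groups" and a successful login.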
