Hi there,
here's another group issue where I didn't find a solution in older threads...: We try to allow page creation etc. only to an AD group 'IT'.
Behaviour: If we uncomment the line
$wgLDAPRequiredGroups = array( "MyDomain"=> array( "dc=My,dc=Dom,dc=ain" ) );
we can log on. If the line is active we get a "wrong password" error message. In either case there is no check whether the user is in the group 'IT'.
- Settings:
- Wiki-Version: 1.19.0
- PHP: 5.4.4-7 (apache2handler)
- MySQL: 5.5.24-9
- LDAP Authentication Plugin (Version 2.0a) <-- Version 2.0c couldn't be downloaded...
- LocalSettings.php
# Enable LDAP Authentication
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "MyDomain" );
$wgLDAPServerNames = array( "MyDomain" => "PrimDomContrl.MyDomain" );
$wgLDAPSearchStrings = array( "MyDomain" => "My\\USER-NAME" );
$wgLDAPEncryptionType = array( "MyDomain" => "clear" );
# $wgLDAPUseLocal = true;
$wgLDAPAccessDeniedPage = array( "MyDomain" => "Missing rights!" );
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs = array( "MyDomain" => "dc=My,dc=Dom,dc=ain" );
$wgLDAPSearchAttributes = array( "MyDomain" => "sAMAccountName" );
$wgLDAPRetrievePrefs = array( "MyDomain" => "true" );
$wgLDAPDebug = 3; //for debugging LDAP
$wgDebugLogGroups["ldap"] = "/tmp/ldaplog.log";
$wgShowExceptionDetails = true; //for debugging MediaWiki
$wgLDAPGroupUseFullDN = array( "MyDomain"=>true );
$wgLDAPGroupsUseMemberOf = array( "MyDomain" => true );
$wgLDAPGroupObjectclass = array( "MyDomain"=>"group" );
$wgLDAPGroupAttribute = array( "MyDomain"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "MyDomain" => true );
$wgLDAPGroupNameAttribute = array( "MyDomain"=>"cn" );
# The following permissions were set based on your choice in the installer
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['createpage'] = false;
$wgGroupPermissions['*']['createtalk'] = false;
$wgLDAPRequiredGroups = array( "MyDomain"=> array( "dc=My,dc=Dom,dc=ain" ) );
# This section defines permissions which allow only logged-in users to edit
#
# Deny access to Anonymous
# But allow Anonymous to login
#
$wgWhitelistRead = array ("Special:Userlogin");
#
# Allow logged in users to do these things
#
$wgGroupPermissions['it']['move'] = true;
$wgGroupPermissions['it']['read'] = true;
$wgGroupPermissions['it']['edit'] = true;
$wgGroupPermissions['it']['createpage'] = true;
$wgGroupPermissions['it']['createtalk'] = true;
$wgGroupPermissions['it']['upload'] = true;
$wgGroupPermissions['it']['reupload'] = true;
$wgGroupPermissions['it']['reupload-shared'] = true;
$wgGroupPermissions['it']['minoredit'] = true;
- Log-Output:
2012-10-18 08:56:48 Localhost mywiki: 2.0a Entering validDomain
2012-10-18 08:56:48 Localhost mywiki: 2.0a User is not using a valid domain ().
2012-10-18 08:56:48 Localhost mywiki: 2.0a Setting domain as: MyDomain
2012-10-18 08:56:48 Localhost mywiki: 2.0a Entering allowPasswordChange
2012-10-18 08:56:48 Localhost mywiki: 2.0a Entering modifyUITemplate
2012-10-18 08:56:48 Localhost mywiki: 2.0a Allowing the ain domain, adding it to the list.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering validDomain
2012-10-18 08:56:52 Localhost mywiki: 2.0a User is using a valid domain (MyDomain).
2012-10-18 08:56:52 Localhost mywiki: 2.0a Setting domain as: MyDomain
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getCanonicalName
2012-10-18 08:56:52 Localhost mywiki: 2.0a Username isn't empty.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering Connect
2012-10-18 08:56:52 Localhost mywiki: 2.0a Using TLS or not using encryption.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Using servers: ldap://PrimDomContrl.MyDomain:389
2012-10-18 08:56:52 Localhost mywiki: 2.0a PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getUserDN
2012-10-18 08:56:52 Localhost mywiki: 2.0a Doing an anonymous bind
2012-10-18 08:56:52 Localhost mywiki: 2.0a Created a regular filter: (sAMAccountName=XXX-TESTUSER)
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getBaseDN
2012-10-18 08:56:52 Localhost mywiki: 2.0a basedn is not set for this type of entry, trying to get the default basedn.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getBaseDN
2012-10-18 08:56:52 Localhost mywiki: 2.0a Using base: dc=My,dc=Dom,dc=ain
2012-10-18 08:56:52 Localhost mywiki: 2.0a Couldn't find an entry
2012-10-18 08:56:52 Localhost mywiki: 2.0a Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Munged username: XXX-TESTUSER
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering authenticate for username XXX-TESTUSER
2012-10-18 08:56:52 Localhost mywiki: 2.0a 
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering Connect
2012-10-18 08:56:52 Localhost mywiki: 2.0a Using TLS or not using encryption.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Using servers: ldap://PrimDomContrl.MyDomain:389
2012-10-18 08:56:52 Localhost mywiki: 2.0a PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getSearchString
2012-10-18 08:56:52 Localhost mywiki: 2.0a Doing a straight bind
2012-10-18 08:56:52 Localhost mywiki: 2.0a userdn is: My\XXX-TESTUSER
2012-10-18 08:56:52 Localhost mywiki: 2.0a 
2012-10-18 08:56:52 Localhost mywiki: 2.0a Binding as the user
2012-10-18 08:56:52 Localhost mywiki: 2.0a Bound successfully
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getUserDN
2012-10-18 08:56:52 Localhost mywiki: 2.0a Created a regular filter: (sAMAccountName=XXX-TESTUSER)
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getBaseDN
2012-10-18 08:56:52 Localhost mywiki: 2.0a basedn is not set for this type of entry, trying to get the default basedn.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getBaseDN
2012-10-18 08:56:52 Localhost mywiki: 2.0a Using base: dc=My,dc=Dom,dc=ain
2012-10-18 08:56:52 Localhost mywiki: 2.0a Fetched UserDN: CN=TESTUSER\, XXX-,OU=Undef. User,OU=MyBranch,OU=MyComp,DC=My,DC=Dom,DC=ain
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering getGroups
2012-10-18 08:56:52 Localhost mywiki: 2.0a Retrieving LDAP group membership
2012-10-18 08:56:52 Localhost mywiki: 2.0a Using memberOf
2012-10-18 08:56:52 Localhost mywiki: 2.0a Got the following groups: cn=xxx-user,ou=xxx-lists,dc=My,dc=Dom,dc=ain::cn=xxx-admins,ou=it,dc=My,dc=Dom,dc=ain:: [...]
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering checkGroups
2012-10-18 08:56:52 Localhost mywiki: 2.0a Checking for (new style) group membership
2012-10-18 08:56:52 Localhost mywiki: 2.0a Required groups: dc=My,dc=Dom,dc=ain
2012-10-18 08:56:52 Localhost mywiki: 2.0a Checking against: cn=xxx-user,ou=xxx-lists,dc=My,dc=Dom,dc=ain
2012-10-18 08:56:52 Localhost mywiki: 2.0a Checking against: cn=xxx-admins,ou=it,dc=My,dc=Dom,dc=ain
[...]
2012-10-18 08:56:52 Localhost mywiki: 2.0a Couldn't find the user in any groups.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering strict.
2012-10-18 08:56:52 Localhost mywiki: 2.0a Returning false in strict().
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering allowPasswordChange
2012-10-18 08:56:52 Localhost mywiki: 2.0a Entering modifyUITemplate
2012-10-18 08:56:52 Localhost mywiki: 2.0a Allowing the local domain, adding it to the list.
Any hints?
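The "checkGroups" step in the log above compares each entry of $wgLDAPRequiredGroups against the DNs returned by memberOf and denies the login when none matches. The following is an added example that models that step in Python; it is not code from the LdapAuthentication extension or from the original post. It assumes the comparison is a case-insensitive equality test on whole group DNs (not a subtree match against the base DN), and that the wiki group name is taken from the attribute configured in $wgLDAPGroupNameAttribute ("cn" in the post). The group DNs are constructed sample data shaped like the "Got the following groups" log line.

```python
import re
from typing import List, Optional

# Constructed sample data, shaped like the memberOf values in the log.
USER_GROUPS = [
    "cn=xxx-user,ou=xxx-lists,dc=My,dc=Dom,dc=ain",
    "cn=xxx-admins,ou=it,dc=My,dc=Dom,dc=ain",
]

# Split a DN on unescaped commas only, so "CN=TESTUSER\, XXX-" stays one RDN.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def normalize_dn(dn: str) -> str:
    """Canonicalize a DN for comparison: lowercase, no whitespace around commas.

    Assumption of this example: the plugin compares DNs this way. It is not
    a full RFC 4514 DN-equivalence implementation.
    """
    parts = [p.strip() for p in _RDN_SPLIT.split(dn)]
    return ",".join(parts).lower()


def check_groups(required: List[str], user_groups: List[str]) -> List[str]:
    """Return the required group DNs the user belongs to.

    An empty list means the check fails and the login is denied, which is
    the "Couldn't find the user in any groups" outcome in the log.
    """
    have = {normalize_dn(g) for g in user_groups}
    return [r for r in required if normalize_dn(r) in have]


def is_under_base(dn: str, base: str) -> bool:
    """Subtree test: is the DN located beneath the base DN?

    Shown only to contrast with check_groups(): every group in the sample
    data sits under dc=My,dc=Dom,dc=ain, yet none equals that DN.
    """
    return normalize_dn(dn).endswith("," + normalize_dn(base))


def wiki_group_name(group_dn: str, name_attribute: str = "cn") -> Optional[str]:
    """Derive a wiki group name from the first RDN of a group DN.

    Assumption of this example: the value of the configured name attribute
    (cn) is used, lowercased. Returns None when the first RDN is a different
    attribute, e.g. an OU rather than a group.
    """
    first = _RDN_SPLIT.split(group_dn)[0]
    attr, _, value = first.partition("=")
    if attr.strip().lower() != name_attribute.lower():
        return None
    return value.strip().lower()


if __name__ == "__main__":
    base_dn = "dc=My,dc=Dom,dc=ain"
    # Required list holding the base DN: every group lies under it ...
    print([is_under_base(g, base_dn) for g in USER_GROUPS])          # [True, True]
    # ... but none is equal to it, so the membership check finds nothing.
    print(check_groups([base_dn], USER_GROUPS))                       # []
    # Required list holding a group DN: the comparison is case-insensitive.
    matched = check_groups(["CN=xxx-admins,OU=it,DC=My,DC=Dom,DC=ain"], USER_GROUPS)
    print(matched)                                                    # one match
    print([wiki_group_name(g) for g in matched])                      # ['xxx-admins']
```

Running the block prints the three cases side by side: the subtree test is true for every group, the equality check against the base DN matches nothing, and the equality check against an actual group DN matches regardless of attribute case.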