Topic on Extension talk:LDAP Authentication

LDAP auth works, but cannot get SSO to work...

74.67.242.176 (talkcontribs)

This problem has been driving me insane. (Note: all versions and settings are below.) I have MediaWiki set up with the LDAP Authentication plugin. I have it successfully authenticating against AD; it will filter by group without any trouble, and it will even import nickname, real name, and email addresses without any issues. I add the appropriate settings to turn on SSO (and take out the one line I don't need) and then all I get is HTTP 500 errors. I have gone through an unbelievable amount of documentation on this and found nothing. Other plugins can do SSO, but they can't do the group-based filtering that this one can. I need some help understanding what is going wrong.


OS: Windows Server 2008 R2 SP1

Webserver: IIS 7.5 (I have to use this; Apache is not an option.)

Mediawiki Version: 1.20.2

LDAP Authentication Version: 2.0c

PHP Version: 5.3.21

MySQL Version: 5.5

LDAP Directory: Active Directory on Server 2008 R2 running at Server 2003 Level


Web Site Authentication Settings:

Anonymous Authentication: Disabled

Basic Authentication: Enabled

Windows Authentication: Enabled


Here are the added lines to my LocalSettings.php:

require_once("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "CPHOSPITAL" );
$wgLDAPBaseDNs = array( "CPHOSPITAL"=>"dc=cphospital,dc=org" );
$wgLDAPServerNames = array( "CPHOSPITAL" => "CPH-SRV-DC1 CPH-SRV-DC2" );
$wgLDAPSearchStrings = array( "CPHOSPITAL" => "USER-NAME@CPHOSPITAL.ORG" );
$wgLDAPEncryptionType = array( "CPHOSPITAL" => "clear" );
$wgLDAPRetrievePrefs = array( 'CPHOSPITAL' => true );
$wgLDAPPreferences = array( "CPHOSPITAL"=>array( "email"=>"mail","realname"=>"cn","nickname"=>"sAMAccountName","language"=>"preferredLanguage") );
$wgLDAPRequiredGroups = array( "CPHOSPITAL"=>array("CN=Information Systems - Security,OU=Information Systems,OU=Departments,OU=Canton Potsdam Hospital,DC=cphospital,DC=org") );
$wgLDAPGroupUseFullDN = array( "CPHOSPITAL"=>true );
$wgLDAPGroupObjectclass = array( "CPHOSPITAL"=>"group" );
$wgLDAPGroupAttribute = array( "CPHOSPITAL"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "CPHOSPITAL"=>true );
$wgLDAPGroupNameAttribute = array( "CPHOSPITAL"=>"cn" );
$wgLDAPSearchAttributes = array( "CPHOSPITAL"=>"sAMAccountName" );

This setup works perfectly. Here is what I changed to turn on SSO (the changed lines are marked with a comment):

require_once("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
require_once("$IP/extensions/LdapAuthentication/LdapAutoAuthentication.php"); // added for SSO
//$wgAuth = new LdapAuthenticationPlugin(); // commented out for SSO
$wgLDAPAutoAuthDomain = "CPHOSPITAL"; // added for SSO
$wgLDAPDomainNames = array( "CPHOSPITAL" );
$wgLDAPBaseDNs = array( "CPHOSPITAL"=>"dc=cphospital,dc=org" );
$wgLDAPServerNames = array( "CPHOSPITAL" => "CPH-SRV-DC1 CPH-SRV-DC2" );
$wgLDAPSearchStrings = array( "CPHOSPITAL" => "USER-NAME@CPHOSPITAL.ORG" );
$wgLDAPEncryptionType = array( "CPHOSPITAL" => "clear" );
$wgLDAPRetrievePrefs = array( 'CPHOSPITAL' => true );
$wgLDAPPreferences = array( "CPHOSPITAL"=>array( "email"=>"mail","realname"=>"cn","nickname"=>"sAMAccountName","language"=>"preferredLanguage") );
$wgLDAPRequiredGroups = array( "CPHOSPITAL"=>array("CN=Information Systems - Security,OU=Information Systems,OU=Departments,OU=Canton Potsdam Hospital,DC=cphospital,DC=org") );
$wgLDAPGroupUseFullDN = array( "CPHOSPITAL"=>true );
$wgLDAPGroupObjectclass = array( "CPHOSPITAL"=>"group" );
$wgLDAPGroupAttribute = array( "CPHOSPITAL"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "CPHOSPITAL"=>true );
$wgLDAPGroupNameAttribute = array( "CPHOSPITAL"=>"cn" );
$wgLDAPSearchAttributes = array( "CPHOSPITAL"=>"sAMAccountName" );
AutoAuthSetup(); // added for SSO

After that, it will only give me HTTP 500 errors; it will not display the website. I have no idea what to do. Any help would be appreciated. Thanks.

Nimbl (talkcontribs)

I have a similar problem getting the SSO / AutoLogin feature to work properly, and I assume that the person above is having the same issue. I have tested Kerberos login on my server, and it works fine, setting REMOTE_USER with the proper username. Manual LDAP authentication works fine. But trying to turn on the Auto Login function immediately causes an HTTP 500 Internal Server Error, complaining about "Call to a member function isLoggedIn()". I imagine that the order in which this stuff gets invoked is out of whack. Here's my debugging information.

Versions: PHP 5.3.3, MediaWiki 1.19.2, LDAP Authentication Plugin 2.0d

The Apache log gives this:

[Thu Feb 14 14:41:16 2013] [error] [client 192.168.1.228] PHP Fatal error: Call to a member function isLoggedIn() on a non-object in /www/wiki/extensions/LdapAuthentication/LdapAuthentication.php on line 1136

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
require_once( "$IP/extensions/LdapAuthentication/LdapAutoAuthentication.php" );
#$wgAuth = new LdapAuthenticationPlugin(); ## commented out for autologin
$wgLDAPAutoAuthDomain = "MYDEPARTMENTAD"; ## added for autologin
# ldap config
$wgLDAPDomainNames = array( "MYDEPARTMENTAD" );
$wgLDAPServerNames = array( "MYDEPARTMENTAD" => "ad.mydepartment.uni.edu" );
$wgLDAPEncryptionType = array( "MYDEPARTMENTAD" => "ssl" );
$wgLDAPSearchAttributes = array( "MYDEPARTMENTAD"=>"sAMAccountName" );
$wgLDAPBaseDNs = array('MYDEPARTMENTAD' => 'dc=mydepartment,dc=uni,dc=edu');
$wgLDAPGroupBaseDNs = array('MYDEPARTMENTAD' => 'ou=Groups,Ou=MyDepartment,dc=mydepartment,dc=uni,dc=edu');
$wgLDAPUserBaseDNs = array('MYDEPARTMENTAD' => 'ou=Users,Ou=MyDepartment,dc=mydepartment,dc=uni,dc=edu');
# since we can't do anonymous binds, nor straight bind with autologin
$wgLDAPProxyAgent = array("MYDEPARTMENTAD"=>"cn=LDAP SEARCH,cn=Users,dc=mydepartment,dc=uni,dc=edu");
$wgLDAPProxyAgentPassword = array("MYDEPARTMENTAD"=>"pass-redacted");
if (isset($_SERVER["REMOTE_USER"])) $wgLDAPAutoAuthUsername = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"]); ## added for autologin
AutoAuthSetup(); ## added for autologin

If I comment out the lines with "## added for autologin" and re-enable "$wgAuth = new LdapAuthenticationPlugin();" things work just fine. I appreciate this useful extension, and am eager to get the SSO/AutoLogin functionality fixed.

Matthewj9 (talkcontribs)

I am having exactly the same problem as described above. LDAP authentication works correctly provided you don't enable autologin. If you do, the browser gets HTTP error 500 (internal server error) and Apache logs an error as follows:

[Fri Feb 22 11:34:17 2013] [error] [client 10.1.44.6] PHP Fatal error: Call to a member function isLoggedIn() on a non-object in /var/lib/mediawiki/extensions/LdapAuthentication/LdapAuthentication.php on line 1071, referer: http://mydomlinuxweb1/mediawiki/index.php/Main_Page

Versions: Apache/2.2.22 (Ubuntu), Mediawiki 1.19.2-2, PHP 5.4.6-1ubuntu1.1 (apache2handler), MySQL 5.5.29-0ubuntu0.12.10.1

I have tried 2 versions of the LdapAuthentication extension, the current Git master dated 22 Jan 2013 and the version tagged as REL 1_20 dated 22 Oct 2012. Both behave similarly, although the line number in LdapAuthentication.php which comes up in the Apache logs is naturally different.

My config for autologin is as follows.

require_once( "$IP/extensions/LdapAuthentication/LdapAutoAuthentication.php" );
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );

#remove comment on line below to change to non-autoauth (which works) 
#$wgAuth = new LdapAuthenticationPlugin(); 

$wgLDAPDomainNames = array("MYDOM");
$wgLDAPServerNames = array("MYDOM"=>"MYDOMacs1.MYDOM.gov.uk");

#comment out the 2 lines below to change to non-autoauth
$wgLDAPAutoAuthDomain = "MYDOM";
$wgLDAPAutoAuthUsername = $_SERVER["REMOTE_USER"]; #I have got KrbLocalUserMapping On in my apache2.conf so REMOTE_USER already has @REALM stripped off 

$wgLDAPProxyAgent = array("MYDOM"=>"CN=mydomldap,OU=MYDOM ICT,OU=MYDOM,DC=MYDOM,DC=gov,DC=uk");
$wgLDAPProxyAgentPassword = array("MYDOM"=>"Mypass");
$wgLDAPBaseDNs = array("MYDOM"=>"OU=MYDOM,DC=MYDOM,DC=gov,DC=uk");

$wgLDAPSearchAttributes = array("MYDOM"=>"samaccountname");
$wgLDAPEncryptionType = array( "MYDOM"=>"ssl");

#comment out the line below to change to non-autoauth
AutoAuthSetup();

My planned next step is to try out the AutomaticREMOTE_USER extension, since we already have Apache set up with mod_auth_kerb such that $_SERVER["REMOTE_USER"] contains the Windows username. I would be really interested to get autologon with the LdapAuthentication extension working, though, since then we could get MediaWiki to display the full name, e.g. Fred Smith, and not the username, e.g. f-smith.

I have tried to look at the log output from the extension itself using the config below. However it never logs anything. The output log file exists and is writable. Am I missing something?

$wgLDAPDebug = 3;
$wgDebugLogGroups["LDAP"] = "/tmp/debug.log";
209.253.190.225 (talkcontribs)

The web address link is dead, is the latest version available somewhere else?

Ryan lane (talkcontribs)

Every page of the documentation has a link to download. Use the "master" version.

209.253.190.225 (talkcontribs)

Firstly let me thank you for responding so quickly and I apologize for my ignorance but when you say documentation do you mean the README, Release-notes, etc. or are you talking about the Mediawiki website help? Thanks!

209.253.190.225 (talkcontribs)

Ok, I've done that, but SSO still isn't working. Is there something I have to modify in one of the PHP files?

65.248.131.254 (talkcontribs)

I too am having the exact same issue with code I pulled a few days ago. What are we doing wrong?

69.42.187.210 (talkcontribs)

Did anyone ever get this resolved or is this one of those things you've just lived with? I think a lot of people going through the process of installing and running into the same issue would really benefit from documented resolution.

Thanks!

203.127.197.23 (talkcontribs)

Is this resolved? I am facing the same issue now. I can't get LDAP Auto Authentication (I assume similar to SSO) to work. Please advise. Thanks.

189.84.30.212 (talkcontribs)

Does this issue have a solution already?

It has been 3 years...

Since Kerberos is working in Apache, the user ID is in $_SERVER['REMOTE_USER']; it is just a matter of making an LDAP query to check this user out. How difficult is that??!!

189.84.30.212 (talkcontribs)

To whom it may concern...

I just fixed the problem and made the MediaWiki run flawlessly with Active Directory Kerberos.

There are two main problems:

1 - MediaWiki has a bug dealing with user accounts with capital and lowercase letters.

2 - There is a bug in the ktpass Windows command used to generate the keytab file.

First problem:

Just edit the file ./extensions/LdapAuthentication/LdapAutoAuthentication.php

Locate the lines:

// If the user is using auto authentication, we need to ensure
// that he/she isn't trying to fool us by sending a username other
// than the one the web server got from the auto-authentication method.
if ( $this->useAutoAuth() && $this->getConf( 'AutoAuthUsername' ) != $username ) {

$this->getConf( 'AutoAuthUsername' ) holds the user credential name from inside the Kerberos ticket, which might have capital letters, while $username is a credential name already processed by MediaWiki (all lowercase).

Just change this line to:

if ( $this->useAutoAuth() && strtolower($this->getConf( 'AutoAuthUsername' )) != $username ) {

Voilà!!!! Problem solved.

3 years waiting for this!!!!

Second problem:

If you want to link the same Active Directory account used to query for user groups to the Kerberos user principal name, you cannot use the parameter "/pass *" when creating the keytab file with the command ktpass.

e.g.

You have the user Bernardo in Active Directory and want to use the password 12345.

If you do:

ktpass /out file.keytab /princ HTTP/host.domain.com@REALM.INTRA /mapuser Bernardo /ptype KRB5_NT_PRINCIPAL /CRYPTO RC4-HMAC-NT /pass * SetPass

It will ask you to type the password. Although file.keytab will work, you will no longer be able to log in to this account (nor query AD for groups, for that matter).

What you should do instead is:

ktpass /out file.keytab /princ HTTP/host.domain.com@REALM.INTRA /mapuser Bernardo /ptype KRB5_NT_PRINCIPAL /CRYPTO RC4-HMAC-NT /pass 12345 SetPass

This way you can still use the AD account.

Reference:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/dbf2028b-139a-484d-9067-39dd694f2a4b/can-not-logon-account-after-using-ktpass-to-map-a-spn-to-it?forum=winserverDS

Regards

Bernardo Labronici
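A Python model of the check Bernardo patches above, together with the REMOTE_USER realm-stripping from Nimbl's config; this is an added example, not the extension's own code. The function names, the constructed $_SERVER-style dicts and the sample principals are assumptions made for the example.

```python
import re

# Sample request environments (constructed for this example; not from any real server).
SAMPLE_ENV_WITH_USER = {"REMOTE_USER": "Fred.Smith@AD.EXAMPLE.ORG"}
SAMPLE_ENV_NO_USER = {}


def auto_auth_username_from_env(environ):
    """Return the auto-auth username derived from REMOTE_USER, or None.

    Mirrors the one-liner in Nimbl's config: only read REMOTE_USER when the
    web server actually set it (the isset() guard in PHP), and strip the
    Kerberos realm suffix ("user@REALM") so only the local part remains.
    """
    remote_user = environ.get("REMOTE_USER")
    if not remote_user:
        return None  # no SSO principal on this request; nothing to auto-login
    return re.sub(r"@.*$", "", remote_user.strip())


def normalize_account_name(name):
    """Strip any realm suffix and case-fold, so the principal's spelling from
    the Kerberos ticket (e.g. 'Bernardo') and the wiki's already-lowercased
    username (e.g. 'bernardo') compare equal."""
    return re.sub(r"@.*$", "", name.strip()).lower()


def auto_auth_username_matches(auto_auth_username, requested_username):
    """Model of the anti-spoofing check in LdapAutoAuthentication.php.

    The wiki must only log in the account the web server authenticated, so a
    request naming any other user is rejected. The comparison is made
    case-insensitively (the strtolower() fix from the thread), because a
    difference in letter case alone is not a different account.
    """
    if not auto_auth_username or not requested_username:
        return False  # no authenticated principal, or nothing to compare against
    return normalize_account_name(auto_auth_username) == normalize_account_name(requested_username)
```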

2003:75:F5A:80FC:38EC:30DF:43CF:BF5C (talkcontribs)

The auto login method with Kerberos is still not working. I get another error, though:

AutoAuthSetup() is not supported with AuthManager.

Is this going to get fixed soon?
