Topic on Extension talk:LDAP Authentication

Trying to use Windows AD ldap for authentication.

Jac09876 (talkcontribs)

Good day,

I am trying to authenticate against Windows Server 2012 R2, but whatever I try, it does not work. MediaWiki is running, and I can log in with a local account, but not with an Active Directory account.

I run MediaWiki on CentOS Linux release 7.2.1511, with the following versions:

Product    Version
MediaWiki  1.26.2
PHP        5.4.16 (apache2handler)
MariaDB    5.5.47-MariaDB
ICU        50.1.2

This is the LDAP configuration from LocalSettings.php:

require_once ("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();

# one domain, one server, search base at the forest root
$wgLDAPDomainNames = array( 'acme' );
$wgLDAPServerNames = array( 'acme' => 'acme-hq-AD1.internal.acme.com' );
$wgLDAPBaseDNs     = array( 'acme' => 'DC=internal,DC=acme,DC=com' );

#$wgLDAPActiveDirectory = array( "acme" => true );

$wgLDAPSearchAttributes = array( "acme" => "sAMAccountName" );

# pull e-mail and real name from AD after a successful login
$wgLDAPRetrievePrefs = array( "acme" => "true" );
$wgLDAPPreferences = array(
    'acme' => array(
        'email'    => 'mail',
        'realname' => 'displayname'
    )
);

# ssl = LDAPS on 636, tls = StartTLS on 389, clear = plain 389
$wgLDAPEncryptionType = array(
#   'acme' => 'clear'
    'acme' => 'ssl'
#   'acme' => 'tls'
);

# straight bind: USER-NAME is replaced by the login name and used as the bind DN
$wgLDAPSearchStrings = array(
#   'acme' => 'acme\\USER-NAME'
    'acme' => 'USER-NAME@acme'
);

$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;

# service account used for lookups (preferences, group membership)
$wgLDAPProxyAgent = array(
    'acme' => 'CN=acme-hq-mediawiki,OU=Service Accounts,OU=HeadQuarters,DC=internal,DC=acme,DC=com'
);
$wgLDAPProxyAgentPassword = array( 'acme' => 'p@sSw0rD' );

ldapsearch works:

[root@wiki]#  ldapsearch -x -LLL -h acme-hq-ad1.internal.acme.com -D 'CN=acme-hq-mediawiki,OU=Service Accounts,OU=HeadQuarters,DC=internal,DC=acme,DC=com' -w p@sSw0rD -b"DC=internal,DC=acme,DC=com" -s sub "(objectClass=user)" givenName

dn: CN=acme-hq-AD1,OU=Domain Controllers,DC=internal,DC=acme,DC=com

etc...

This is the MediaWiki log:

2016-04-21 19:40:33 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering validDomain
2016-04-21 19:40:33 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 User is using a valid domain (acme).
2016-04-21 19:40:33 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Setting domain as: acme
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getCanonicalName
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Username is: acme-hq-mediawiki
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Munged username: acme-hq-mediawiki
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getCanonicalName
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Username is an IP, not munging.
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getCanonicalName
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Username is an IP, not munging.
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering userExists
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering authenticate for username acme-hq-mediawiki
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering Connect
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Using SSL
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:34 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Using servers: ldaps://acme-hq-AD1.internal.acme.com:636
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getSearchString
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Doing a straight bind
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 userdn is: acme-hq-mediawiki@acme
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Binding as the user
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Failed to bind as acme-hq-mediawiki@acme
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering allowPasswordChange
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering modifyUITemplate
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
2016-04-21 19:40:51 wiki.acme.com localhost.localdomain acme_wiki: 2.1.0 Entering getDomain
[root@wiki mediawiki]#

What am I doing wrong?

Thanks!

Regards,

- Jac
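One thing worth checking against a post like the one above: the ldapsearch tests use -h (plain 389, or StartTLS with -ZZ) and the service account's full DN, while the log shows the plugin connecting to ldaps://...:636 and doing a "straight bind" as acme-hq-mediawiki@acme, i.e. the $wgLDAPSearchStrings form. The helper below is an added example, not code from the thread or from the LdapAuthentication extension: it turns the LocalSettings.php values into the ldapsearch command that exercises the same transport and the same bind identity. The host and search strings are the ones from the config above; the user jdoe is a placeholder. It uses -W rather than -w so the password does not end up in argv, `ps` output and shell history. Note also the plugin's own log line: ldap_connect() returning true does not mean a socket was opened, the first real network activity is the bind, so "Failed to bind" covers an unreachable port as much as a wrong password.

```shell
#!/bin/sh
# Added example (not from the thread or the extension): build the ldapsearch
# command that matches what LdapAuthentication does for the LocalSettings.php
# above, so the manual probe uses the same transport and bind identity as the
# plugin. Host and search strings are the thread's; the user "jdoe" is assumed.
set -eu

# probe_cmd ENCRYPTION SERVER SEARCH_STRING USERNAME
#   ENCRYPTION    value of $wgLDAPEncryptionType: clear | tls | ssl
#   SERVER        value of $wgLDAPServerNames
#   SEARCH_STRING value of $wgLDAPSearchStrings, containing the literal USER-NAME
#   USERNAME      account to bind as
# Prints one ldapsearch command line; returns 1 on an unknown encryption type.
probe_cmd() {
    enc=$1; server=$2; search=$3; user=$4
    case $enc in
        ssl)   transport="-H ldaps://$server:636" ;;    # what the log shows: ldaps://...:636
        tls)   transport="-H ldap://$server:389 -ZZ" ;; # StartTLS, and fail if it is refused
        clear) transport="-H ldap://$server:389" ;;
        *)     echo "probe_cmd: unknown encryption type '$enc'" >&2; return 1 ;;
    esac
    # The plugin does a "straight bind": it substitutes the login name for the
    # USER-NAME token and binds with the result, so do exactly that rather than
    # binding with the service account's DN.
    case $search in
        *USER-NAME*) binddn=${search%%USER-NAME*}$user${search#*USER-NAME} ;;
        *)           binddn=$search ;;
    esac
    # -W prompts for the password instead of leaving it in argv and shell history.
    # -b "" -s base reads the rootDSE, which needs nothing beyond a successful bind.
    printf 'ldapsearch -x -LLL %s -D '"'"'%s'"'"' -W -b "" -s base "(objectClass=*)" namingContexts\n' \
        "$transport" "$binddn"
}

# Print the command for the thread's 'ssl' + 'USER-NAME@acme' setup.
probe_cmd ssl acme-hq-AD1.internal.acme.com 'USER-NAME@acme' jdoe
# To actually run it (it will prompt for jdoe's password):
#   eval "$(probe_cmd ssl acme-hq-AD1.internal.acme.com 'USER-NAME@acme' jdoe)"
```

Whatever this prints is still the result from a root shell; what the web server process itself is allowed to do on the network is a separate question from whether the directory accepts the bind.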

Jac09876 (talkcontribs)

ldapsearch with TLS also works:

[root@wiki]# ldapsearch -x -ZZ -LLL -h acme-hq-ad1.internal.acme.com -D 'CN=acme-hq-mediawiki,OU=Service Accounts,OU=HeadQuarters,DC=internal,DC=acme,DC=com' -w p@sSw0rD -b"DC=internal,DC=acme,DC=com" -s sub "(objectClass=user)" givenName

dn: CN=acme-HQ-AD1,OU=Domain Controllers,DC=internal,DC=acme,DC=com

etc.

- Jac

Jac09876 (talkcontribs)

Hello,

Does anyone have a clue what's wrong? Mr. Lane?

Please help!

Thanks,

- Jac

Jac09876 (talkcontribs)

It is caused by SELinux: by default it blocks httpd from connecting to LDAP:

[root@wiki mediawiki]# getsebool -a | grep ldap

authlogin_nsswitch_use_ldap --> off

dhcpd_use_ldap --> off

httpd_can_connect_ldap --> off

[root@wiki mediawiki]#

[root@wiki mediawiki]# setsebool httpd_can_connect_ldap 1

[root@wiki mediawiki]# getsebool -a | grep ldap

authlogin_nsswitch_use_ldap --> off

dhcpd_use_ldap --> off

httpd_can_connect_ldap --> on

That is why ldapsearch did work.

So the problem is solved.

- Jac

Javierdiazus (talkcontribs)

This worked for me; it finally solved my LDAP authentication issue (not communicating with LDAP) despite all the correct settings being in place.

The only suggestion I would add is:

setsebool -P httpd_can_connect_ldap 1

-P makes the change persistent across a reboot; otherwise, the next time the machine reboots, the setting goes back to off.

Thanks for the tip!!!

--- Javier
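The check and the persistent fix from the last two posts in one script, as an added example that is not from the thread: ldapsearch from a root shell runs unconfined, whereas httpd runs in the SELinux httpd_t domain, which may connect to ports labelled ldap_port_t (389 and 636) only while httpd_can_connect_ldap is on. The refusal is recorded by the kernel as an AVC name_connect denial in /var/log/audit/audit.log, not in the MediaWiki log, which only ever sees a failed bind. The functions below parse `getsebool -a` output and audit records and print a conclusion; the embedded sample input is constructed (the pid, timestamps and event ids are made up), and with --live it reads the real host. The boolean name and the -P flag come from the thread; everything else is assumed.

```shell
#!/bin/sh
# Added example (not from the thread or the extension): why "ldapsearch works
# but the wiki cannot bind" on a CentOS 7 host with SELinux enforcing.
# ldapsearch from a root shell runs unconfined; httpd runs in the httpd_t
# domain, which may open ldap_port_t (389/636) only while the boolean
# httpd_can_connect_ldap is on. The refusal is logged by the kernel as an AVC
# record in /var/log/audit/audit.log, not by MediaWiki.

# sebool_state NAME: reads `getsebool -a` output on stdin, prints on, off, or
# unknown when the boolean is not in the loaded policy.
sebool_state() {
    awk -v name="$1" '
        $1 == name && $2 == "-->" { print $3; found = 1 }
        END { if (!found) print "unknown" }'
}

# httpd_ldap_denials: reads audit.log lines on stdin and prints only the AVC
# denials for httpd_t doing name_connect to an ldap_port_t TCP socket.
httpd_ldap_denials() {
    grep 'avc: *denied *{ name_connect }' |
        grep 'scontext=[^ ]*:httpd_t:' |
        grep 'tcontext=[^ ]*:ldap_port_t:' |
        grep 'tclass=tcp_socket' || true
}

# verdict STATE COUNT: one-line conclusion from the boolean state and the
# number of matching denials.
verdict() {
    state=$1; count=$2
    if [ "$state" = on ]; then
        echo "httpd_can_connect_ldap is on; SELinux is not blocking httpd, check DNS, reachability of 636, the CA chain and the bind identity instead"
    elif [ "$count" -gt 0 ]; then
        echo "httpd_can_connect_ldap is $state with $count AVC denial(s); fix: setsebool -P httpd_can_connect_ldap 1"
    else
        echo "httpd_can_connect_ldap is $state and no denial logged; dontaudit rules may hide it (semodule -DB surfaces them), enabling the boolean is still the fix"
    fi
}

# Constructed sample input in the format of getsebool -a and audit.log
# (pid, timestamps and event ids are made up).
SAMPLE_BOOLS='authlogin_nsswitch_use_ldap --> off
dhcpd_use_ldap --> off
httpd_can_connect_ldap --> off'
SAMPLE_AUDIT='type=AVC msg=audit(1461267634.213:1234): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=636 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1461267634.213:1234): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1461267640.001:1240): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# triage BOOLS_TEXT AUDIT_TEXT: runs the three steps over the given text.
triage() {
    state=$(printf '%s\n' "$1" | sebool_state httpd_can_connect_ldap)
    count=$(printf '%s\n' "$2" | httpd_ldap_denials | wc -l | tr -d ' ')
    verdict "$state" "$count"
}

if [ "${1:-}" = "--live" ]; then
    # Needs root to read audit.log.
    triage "$(getsebool -a)" "$(cat /var/log/audit/audit.log)"
else
    triage "$SAMPLE_BOOLS" "$SAMPLE_AUDIT"
fi
```

The mysqld_port_t line in the sample is there to show that the filter is specific: a denial for some other port is a different problem and should not be "fixed" by turning on httpd_can_network_connect, which opens every port to httpd rather than just LDAP.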
