Hello,
I'm trying to set up Kerberos login without protecting the entire wiki. I used the extension's Kerberos configuration example.
Normal LDAP login is working. When I open the special Kerberos_Login page on my wiki I see the Audit Success Kerberos logs in the AD event logs related to my Linux machine. There is no Apache error either. In the Apache access log my username appears when I visit the Kerberos_Login page.
The keytab file is fine, I tested it with the klist command and the proxy user has the SPN in AD with the respective service name.
My problem is that the user doesn't get logged in after visiting the Kerberos_Login page.
What am I missing? How could I debug this problem?
Thank you in advance!
Environment:
AD - Windows Server 2012 R2
Linux with mediawiki - Ubuntu 16.04 x64
Mediawiki - 1.26.2
PHP - 7.0.8-0ubuntu0.16.04.1
MySQL - 5.7.13-0ubuntu0.16.04.2
LDAP Extension version - 2.1.0
Respective configuration:
apache2 config:
<Location /mediawiki/index.php/Kerberos_Login>
SSLRequireSSL
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
# Implemented in mod_auth_kerb 5.4, strips @REALM from username
KrbLocalUserMapping On
KrbAuthRealms HOME.LOCAL
KrbServiceName HTTP
Krb5KeyTab /etc/apache2/krb5_http.keytab
require valid-user
</Location>
LocalSettings.php:
require_once ("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
require_once( "$IP/extensions/LdapAuthentication/LdapAutoAuthentication.php" );
$wgLDAPDomainNames = array('home.local-AD', 'home.local-KRB');
$wgLDAPServerNames = array('home.local-AD' => 'win2012r2.home.local', 'home.local-KRB' => 'win2012r2.home.local');
$wgLDAPAutoAuthDomain = 'home.local-KRB';
$wgLDAPSearchStrings = array('home.local-AD' => 'home\\USER-NAME');
$wgLDAPEncryptionType = array('home.local-AD' => 'ssl');
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs = array('home.local-AD' => 'OU=Users_Home,DC=home,DC=local', 'home.local-KRB' => 'OU=Users_Home,DC=home,DC=local');
$wgLDAPSearchAttributes = array('home.local-AD' => 'sAMAccountName', 'home.local-KRB' => 'sAMAccountName');
$wgLDAPLowerCaseUsername = array('home.local-AD' => true, 'home.local-KRB'=> true);
$wgLDAPRequiredGroups = array('home.local-AD' => array('CN=Mediawik_Users,OU=Users_Home,DC=home,DC=local'), 'home.local-KRB' => array('CN=Mediawik_Users,OU=Users_Home,DC=home,DC=local'));
$wgLDAPGroupUseFullDN = array( 'home.local-AD'=> true, 'home.local-KRB'=> true);
$wgLDAPGroupsUseMemberOf = array( 'home.local-AD'=> true, 'home.local-KRB'=> true);
$wgLDAPGroupObjectclass = array( 'home.local-AD'=> 'group', 'home.local-KRB'=> 'group');
$wgLDAPGroupAttribute = array( 'home.local-AD'=> 'member', 'home.local-KRB'=> 'member');
$wgLDAPGroupSearchNestedGroups = array( 'home.local-AD'=> true, 'home.local-KRB'=> true);
$wgLDAPGroupNameAttribute = array( 'home.local-AD'=> 'cn', 'home.local-KRB'=> 'cn');
# Proxy user
$wgLDAPProxyAgent = array('home.local-AD' => 'CN=USERNAME,OU=Users_Home,DC=home,DC=local','home.local-KRB' => 'CN=USERNAME,OU=Users_Home,DC=home,DC=local');
$wgLDAPProxyAgentPassword = array('home.local-AD' => 'PASSWORD','home.local-KRB' => 'PASSWORD');
AutoAuthSetup();
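An added diagnostic, not from the original post and not part of MediaWiki or the LDAP extension, that mirrors the username handling the posted configuration implies: it reads the principal Apache hands to PHP in REMOTE_USER, strips a trailing @REALM as KrbLocalUserMapping does, and lowercases it as $wgLDAPLowerCaseUsername does, so the result can be compared with the sAMAccountName that $wgLDAPSearchAttributes selects. The extension's auto-auth takes its login name from $wgLDAPAutoAuthUsername, which the posted LocalSettings.php does not set; the file name krbcheck.php and the sample $_SERVER array below are constructed for the illustration.

```php
<?php
// krbcheck.php: added diagnostic, not part of MediaWiki or the LDAP extension.
// Place it under the same <Location> as Kerberos_Login (or widen that Location
// temporarily) and request it in a browser; running it from the CLI does a dry run.

/**
 * Derive the wiki login name from the Apache-provided principal the way the
 * posted configuration expects it: "@REALM" stripped, then lowercased.
 * Returns null when mod_auth_kerb did not set REMOTE_USER at all.
 */
function krbLoginName(array $server, bool $lowercase = true): ?string
{
    // REDIRECT_REMOTE_USER is what PHP sees when the request reached index.php
    // through an internal redirect (for example mod_rewrite short URLs).
    $principal = $server['REMOTE_USER'] ?? $server['REDIRECT_REMOTE_USER'] ?? null;
    if ($principal === null || $principal === '') {
        return null;
    }
    // KrbLocalUserMapping On already strips the realm; strip it here as well so
    // the check gives the same answer when that directive is not in effect.
    $name = preg_replace('/@.*$/', '', $principal);
    return $lowercase ? strtolower($name) : $name;
}

function krbReport(array $server): string
{
    $name = krbLoginName($server);
    if ($name === null) {
        return "REMOTE_USER is not set: Apache did not run Kerberos auth for this path,\n"
             . "so the extension has nothing to auto-login with.\n";
    }
    $principal = $server['REMOTE_USER'] ?? $server['REDIRECT_REMOTE_USER'];
    return "Apache principal : $principal\n"
         . "Auth type        : " . ($server['AUTH_TYPE'] ?? '(none)') . "\n"
         . "Wiki login name  : $name\n"
         . "This must equal the sAMAccountName of a member of Mediawik_Users.\n";
}

if (PHP_SAPI === 'cli') {
    // Constructed sample of what mod_auth_kerb sets; not captured from a real server.
    $sample = ['REMOTE_USER' => 'JDoe@HOME.LOCAL', 'AUTH_TYPE' => 'Negotiate'];
    echo krbReport($sample);
    echo krbReport([]);
} else {
    header('Content-Type: text/plain');
    echo krbReport($_SERVER);
}
```

If the browser run reports that REMOTE_USER is not set while the CLI run works, the <Location> block is not matching the path PHP is actually served from; if the name is present but the login still fails, compare it with the lowercase sAMAccountName in AD and with the group membership $wgLDAPRequiredGroups demands.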