Topic on Project:Support desk


Login Error with LDAP Authentication Extension

Ablum010777 (talkcontribs)

I upgraded from Version 1.32.2 to 1.33.0. Since then I cannot log in to the wiki with the LDAP Authentication. We would still like to use that extension so that our people don't need to remember a new password, and we do it for security reasons. What happened with the LDAP Authentication extension that it totally shot the login procedure? And what alternative is there to that extension?

Sam Madisha (talkcontribs)

Did you manage to fix the error? What is the solution?

Osnard (talkcontribs)
Ablum010777 (talkcontribs)

I read everything that was written there, but it seems very complicated to me, and therefore useless. What I need is a simple extension that authenticates users against our LDAP through contact with the LDAP server. The LDAP Authentication extension provided us with exactly that. I did not see any way to configure Auth_remoteuser or LDAP Authorization in that same way. How about simply retrofitting the LDAP Authentication extension for MediaWiki 1.33.0?

185.20.218.15 (talkcontribs)

Same problem here :`-(

217.114.64.90 (talkcontribs)

Same here. It would be nice if it can be fixed.

Ablum010777 (talkcontribs)

Please take a look at these error messages from my Apache Webserver error log:

[Fri Aug 09 10:10:34.102519 2019] [php7:warn] [pid 21580] [client 10.50.152.24:60371] PHP Warning:  array_merge(): Argument #1 is not an array in /srv/www/htdocs/testwiki/extensions/PluggableAuth/includes/PluggableAuthBeginAuthenticationRequest.php on line 36

[Fri Aug 09 10:10:34.102659 2019] [php7:warn] [pid 21580] [client 10.50.152.24:60371] PHP Warning:  array_filter() expects parameter 1 to be array, null given in /srv/www/htdocs/testwiki/includes/auth/AuthenticationRequest.php on line 308

[Fri Aug 09 10:10:34.102754 2019] [php7:warn] [pid 21580] [client 10.50.152.24:60371] PHP Warning:  array_keys() expects parameter 1 to be array, null given in /srv/www/htdocs/testwiki/includes/auth/AuthenticationRequest.php on line 308

[Fri Aug 09 10:10:34.102829 2019] [php7:warn] [pid 21580] [client 10.50.152.24:60371] PHP Warning:  array_intersect(): Argument #2 is not an array in /srv/www/htdocs/testwiki/includes/auth/AuthenticationRequest.php on line 312

[Fri Aug 09 10:10:34.102924 2019] [php7:warn] [pid 21580] [client 10.50.152.24:60371] PHP Warning:  in_array() expects parameter 2 to be array, null given in /srv/www/htdocs/testwiki/includes/auth/AuthenticationRequest.php on line 329

[Fri Aug 09 10:10:34.103009 2019] [php7:warn] [pid 21580] [client 10.50.152.24:60371] PHP Warning:  in_array() expects parameter 2 to be array, null given in /srv/www/htdocs/testwiki/includes/auth/AuthenticationRequest.php on line 329

[Fri Aug 09 10:10:34.103107 2019] [php7:warn] [pid 21580] [client 10.50.152.24:60371] PHP Warning:  array_merge(): Argument #1 is not an array in /srv/www/htdocs/testwiki/extensions/PluggableAuth/includes/PluggableAuthBeginAuthenticationRequest.php on line 36

[Fri Aug 09 10:10:34.103228 2019] [php7:warn] [pid 21580] [client 10.50.152.24:60371] PHP Warning:  array_merge(): Argument #1 is not an array in /srv/www/htdocs/testwiki/extensions/PluggableAuth/includes/PluggableAuthBeginAuthenticationRequest.php on line 36

[Fri Aug 09 10:10:34.103319 2019] [php7:warn] [pid 21580] [client 10.50.152.24:60371] PHP Warning:  array_filter() expects parameter 1 to be array, null given in /srv/www/htdocs/testwiki/includes/auth/AuthenticationRequest.php on line 308

[Fri Aug 09 10:10:34.103392 2019] [php7:warn] [pid 21580] [client 10.50.152.24:60371] PHP Warning:  array_keys() expects parameter 1 to be array, null given in /srv/www/htdocs/testwiki/includes/auth/AuthenticationRequest.php on line 308

[Fri Aug 09 10:10:34.103482 2019] [php7:warn] [pid 21580] [client 10.50.152.24:60371] PHP Warning:  array_intersect(): Argument #2 is not an array in /srv/www/htdocs/testwiki/includes/auth/AuthenticationRequest.php on line 312

[Fri Aug 09 10:10:34.103573 2019] [php7:warn] [pid 21580] [client 10.50.152.24:60371] PHP Warning:  in_array() expects parameter 2 to be array, null given in /srv/www/htdocs/testwiki/includes/auth/AuthenticationRequest.php on line 329

[Fri Aug 09 10:10:34.103663 2019] [php7:warn] [pid 21580] [client 10.50.152.24:60371] PHP Warning:  in_array() expects parameter 2 to be array, null given in /srv/www/htdocs/testwiki/includes/auth/AuthenticationRequest.php on line 329

[Fri Aug 09 10:10:34.103753 2019] [php7:warn] [pid 21580] [client 10.50.152.24:60371] PHP Warning:  array_merge(): Argument #1 is not an array in /srv/www/htdocs/testwiki/extensions/PluggableAuth/includes/PluggableAuthBeginAuthenticationRequest.php on line 36

Osnard (talkcontribs)
Cindy.cicalese (talkcontribs)

What version of MediaWiki and relevant extensions are you using? In particular, I find it odd that you are getting an exception at "PluggableAuthBeginAuthenticationRequest.php on line 36", since there are not 36 lines in that file, nor have there been in the history of that file as far as I can tell. I'm guessing that you added some debugging statements to that file that changed the line count? If so, I'd be interested in knowing what the values are of $GLOBALS['wgPluggableAuth_ExtraLoginFields'] and parent::getFieldInfo() before the call to array_merge().

Ablum010777 (talkcontribs)

I am working with PHP Version 7.2.5. (Osnard wrote that this would be fine.)

These are the extensions in my LocalSettings.php:

wfLoadExtension( 'CodeEditor' );
wfLoadExtension( 'PdfHandler' );
wfLoadExtension( 'SyntaxHighlight_GeSHi' );
wfLoadExtension( 'WikiEditor' );
wfLoadExtension( 'SimpleMathJax' );
require_once( "$IP/extensions/Realnames/Realnames.php" );

This is the configuration for the LDAP Authentication:
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension ( 'Auth_remoteuser' );
wfLoadExtension ( 'LDAPProvider' );
wfLoadExtension ( 'LDAPAuthentication2' );
wfLoadExtension ( 'LDAPAuthorization' );
wfLoadExtension ( 'LDAPUserInfo' );
$wgPluggableAuth_EnableLocalLogin = true;
$LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain';
$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$LDAPAuthentication2AllowLocalLogin = true;
$wgAuthRemoteuserAllowUserSwitch = true;
$wgPluggableAuth_ExtraLoginFields = array (
   'Login' => array ( 'type' => 'string', 'label' => 'Benutzername', 'optional' => false, 'sensitive' => true ),
   'Passwort' => array( 'type' => 'password', 'label' => 'Passwort', 'optional' => false, 'sensitive' => true )
);
$wgAuthRemoteuserUserName = function () {
   $user = '';
   if ( isset ($_SERVER[ 'REMOTE_USER' ] ) ) {
        $user = strtolower ( $_SERVER[ 'REMOTE_USER' ] );
   }
   return $user;
};
$LDAPProviderDomainConfigs = "/etc/mediawiki/ldapprovider.json";

I also have the following extensions activated: SphinxSearch, Collection (for PDF rendering), Visual Editor

This is the ldapprovider.json file:

{
   'testwiki': {
       'connection': {
           "server": "geo-infra.rlp",
           "options": {
               "LDAP_OPT_DEREF": 1
           },
           "basedn": "ou=group,ou=VermKV,o=Landesverwaltung Rheinland-Pfalz,c=de",
           "userbasedn": "ou=group,ou=VermKV,o=Landesverwaltung Rheinland-Pfalz,c=de",
           "groupbasedn": "ou=group,ou=VermKV,o=Landesverwaltung Rheinland-Pfalz,c=de",
           "searchattribute": "uid",
           "usernameattribute": "uid",
           "realnameattribute": "displayName",
           "emailattribute": "mail",
           "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupRequest\\GroupMember::factory"
       },
       'authorization': {
           'rules': {
               'groups': {
                   'required': "cn=wiki_testcontainer,ou=group,ou=VermKV,o=Landesverwaltung Rheinland-Pfalz,c=de"
               }
           }
       },
       'userinfo': {
           'attributes-map': {
               'email': 'mail',
               'realname': 'displayName'
           }
       }
   }
}

And the PluggableAuthBeginAuthenticationRequest.php:

<?php
use \MediaWiki\Auth\ButtonAuthenticationRequest;
use \MediaWiki\Auth\AuthManager;
class PluggableAuthBeginAuthenticationRequest extends
       ButtonAuthenticationRequest {
       public function __construct() {
               if ( isset( $GLOBALS['wgPluggableAuth_ButtonLabelMessage'] ) ) {
                       $label = wfMessage( $GLOBALS['wgPluggableAuth_ButtonLabelMessage'] );
               } elseif ( $GLOBALS['wgPluggableAuth_ButtonLabel'] ) {
                       $label = new RawMessage( $GLOBALS['wgPluggableAuth_ButtonLabel'] );
               } else {
                       $label = wfMessage( 'pluggableauth-loginbutton-label' );
               }
               parent::__construct(
                       'pluggableauthlogin',
                       $label,
                       wfMessage( 'pluggableauth-loginbutton-help' ),
                       true );
       }
       /**
        * Returns field information.
        * @return array field information
        */
       public function getFieldInfo() {
               if ( $this->action !== AuthManager::ACTION_LOGIN ) {
                       return [];
               }
               error_log( 'A:' . var_export( $GLOBALS['wgPluggableAuth_ExtraLoginFields'], 1 ) ); // this is what Osnard asked me to add
               error_log( 'B:' . var_export( parent::getFieldInfo(), 1 ) ); // this, too
               error_log( 'C:' . var_export( array_merge( $GLOBALS['wgPluggableAuth_ExtraLoginFields'], parent::getFieldInfo() ), 1 ) ); // this, too.
               return array_merge( $GLOBALS['wgPluggableAuth_ExtraLoginFields'],
                       parent::getFieldInfo() );
       }
}

The results of Osnard's recommendations are:


A:MediaWiki\\Extension\\LDAPAuthentication2\\ExtraLoginFields::__set_state( 
   array(
       'domain' => array (
           'type' => 'select',
           'label' => Message::__set_state( 
               array(
                   'interface' => true,
                   'language' => false,
                   'key' => 'yourdomainname',
                   'keysToTry' => array (
                       0 => 'yourdomainname',
                       ),
                       'parameters' => 
                       array (
                       ),
                       'format' => 'parse',
                       'useDatabase' => true,
                       'title' => NULL,
                       'content' => NULL,
                       'message' => NULL,
                   )
               ),
               'help' => Message::__set_state( 
                   array(
                       'interface' => true,
                       'language' => false,
                       'key' => 'authmanager-domain-help',
                       'keysToTry' => array (
                           0 => 'authmanager-domain-help',
                       ),
                       'parameters' => array (
                       ),
                       'format' => 'parse',
                       'useDatabase' => true,
                       'title' => NULL,
                       'content' => NULL,
                       'message' => NULL,
                   )
               ),
               'options' => array (
                   'testwiki' => RawMessage::__set_state(
                       array(
                           'interface' => true,
                           'language' => false,
                           'key' => 'testwiki',
                           'keysToTry' => array (
                               0 => 'testwiki',
                           ),
                           'parameters' => array (
                           ),
                           'format' => 'parse',
                           'useDatabase' => true,
                           'title' => NULL,
                           'content' => NULL,
                           'message' => 'testwiki',
                       )
                   )
               ),
               'local' => RawMessage::__set_state(
                   array(    
                       'interface' => true,
                       'language' => false,
                       'key' => 'local',
                       'keysToTry' => array (
                           0 => 'local',
                       ),
                       'parameters' => array (
                       ),
                       'format' => 'parse',
                       'useDatabase' => true,
                       'title' => NULL,
                       'content' => NULL,
                       'message' => 'local',
                   )
               ),
           ),
       ),
       'username' => array (
           'type' => 'string',
           'label' => Message::__set_state(
               array(
                   'interface' => true,
                   'language' => false,
                   'key' => 'userlogin-yourname',
                   'keysToTry' => array (
                       0 => 'userlogin-yourname',
                   ),
                   'parameters' => array (
                   ),
                   'format' => 'parse',
                   'useDatabase' => true,
                   'title' => NULL,
                   'content' => NULL,
                   'message' => NULL,
               )
           ),
           'help' => Message::__set_state(
               array(
                   'interface' => true,
                   'language' => false,
                   'key' => 'authmanager-username-help',
                   'keysToTry' => array (
                       0 => 'authmanager-username-help',
                   ),
                   'parameters' => array (
                   ),
                   'format' => 'parse',
                   'useDatabase' => true,
                   'title' => NULL,
                   'content' => NULL,
                   'message' => NULL,
               )
           ),
       ),
       'password' => array (
           'type' => 'password',
           'label' => Message::__set_state( 
               array(
                   'interface' => true,
                   'language' => false,
                   'key' => 'userlogin-yourpassword',
                   'keysToTry' => array (
                       0 => 'userlogin-yourpassword',
                   ),
                   'parameters' => array (
                   ),
                   'format' => 'parse',
                   'useDatabase' => true,
                   'title' => NULL,
                   'content' => NULL,
                   'message' => NULL,
               )
           ),
           'help' => Message::__set_state(
               array(
                   'interface' => true,
                   'language' => false,
                   'key' => 'authmanager-password-help',
                   'keysToTry' => array (
                       0 => 'authmanager-password-help',
                   ),
                   'parameters' => array (
                   ),
                   'format' => 'parse',
                   'useDatabase' => true,
                   'title' => NULL,
                   'content' => NULL,
                   'message' => NULL,
               )
           ),
           'sensitive' => true,
       ),
   )
),
B:array (
   'pluggableauthlogin' => array (
       'type' => 'button',
       'label' => Message::__set_state(
           array(
               'interface' => true,
               'language' => false,
               'key' => 'pluggableauth-loginbutton-label',
               'keysToTry' => array (
                   0 => 'pluggableauth-loginbutton-label',
               ),
               'parameters' => array (
               ),
               'format' => 'parse',
               'useDatabase' => true,
               'title' => NULL,
               'content' => NULL,
               'message' => NULL,
           )
       ),
       'help' => Message::__set_state(
           array(
               'interface' => true,
               'language' => false,
               'key' => 'pluggableauth-loginbutton-help',
               'keysToTry' => array (
                   0 => 'pluggableauth-loginbutton-help',
               ),
               'parameters' => array (
               ),
               'format' => 'parse',
               'useDatabase' => true,
               'title' => NULL,
               'content' => NULL,
               'message' => NULL,
           )
       ),
   ),
),
C: NULL

Osnard (talkcontribs)

Can you try to remove the $wgPluggableAuth_ExtraLoginFields from your configuration? This is set implicitly by Extension:LDAPAuthentication2. Maybe this collides.

Ablum010777 (talkcontribs)

I already did, but it doesn't help. This is always the result:

[89dad82860e957e43a00ac89] /testwiki/ MWException from line 54 of /srv/www/htdocs/testwiki/extensions/LDAPProvider/src/DomainConfigProvider/LocalJSONFile.php: Could not parse configuration file '/etc/mediawiki/ldapprovider.json'!

Backtrace:

#0 /srv/www/htdocs/testwiki/extensions/LDAPProvider/src/DomainConfigProvider/LocalJSONFile.php(73): MediaWiki\Extension\LDAPProvider\DomainConfigProvider\LocalJSONFile->__construct(string)

#1 [internal function]: MediaWiki\Extension\LDAPProvider\DomainConfigProvider\LocalJSONFile::newInstance(MediaWiki\Extension\LDAPProvider\Config)

#2 /srv/www/htdocs/testwiki/extensions/LDAPProvider/src/DomainConfigFactory.php(106): call_user_func_array(string, array)

#3 /srv/www/htdocs/testwiki/extensions/LDAPAuthentication2/src/Setup.php(13): MediaWiki\Extension\LDAPProvider\DomainConfigFactory::getInstance()

#4 /srv/www/htdocs/testwiki/includes/Setup.php(903): MediaWiki\Extension\LDAPAuthentication2\Setup::init()

#5 /srv/www/htdocs/testwiki/includes/WebStart.php(77): require_once(string)

#6 /srv/www/htdocs/testwiki/index.php(39): require(string)

#7 {main}

Osnard (talkcontribs)

The error message "Could not parse configuration file '/etc/mediawiki/ldapprovider.json'!" suggests that there might be a syntax error in that file or that the file is not readable by the webserver. From the example you have posted above, I believe the single quotes are the problem. Try using double quotes everywhere in JSON.
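
The two causes named above, an unreadable file and a syntax error, can be told apart before MediaWiki loads the file. This is an added example, not code from LDAPProvider; `checkDomainConfig()` is a hypothetical helper, and the JSON strings are constructed excerpts of the files posted in this thread.

```php
<?php
// Classify why a domain config file cannot be used. Returns 'ok' or a reason.
// The keys checked (connection, server) are the ones used in the posted file.
function checkDomainConfig( string $path ): string {
	if ( !is_file( $path ) || !is_readable( $path ) ) {
		return 'unreadable by the current user';
	}
	$data = json_decode( file_get_contents( $path ), true );
	if ( json_last_error() !== JSON_ERROR_NONE ) {
		return 'invalid JSON: ' . json_last_error_msg();
	}
	if ( !is_array( $data ) ) {
		return 'top level is not a JSON object';
	}
	foreach ( $data as $domain => $sections ) {
		if ( !isset( $sections['connection']['server'] ) ) {
			return "domain '$domain' lacks connection.server";
		}
	}
	return 'ok';
}

// Constructed samples: single-quoted keys, a missing comma, and valid JSON.
$samples = [];
$samples['single-quoted keys'] = <<<'JSON'
{ 'testwiki': { 'connection': { "server": "geo-infra.rlp" } } }
JSON;
$samples['missing comma'] = <<<'JSON'
{ "testwiki": { "connection": { "server": "geo-infra.rlp" },
  "authentication": { "realnameattribute": "displayName"
                      "usernameattribute": "uid" } } }
JSON;
$samples['double quotes throughout'] = <<<'JSON'
{ "testwiki": { "connection": { "server": "geo-infra.rlp" } } }
JSON;

foreach ( $samples as $label => $json ) {
	// Write each sample to a temporary file so the real code path is used.
	$path = tempnam( sys_get_temp_dir(), 'ldapprovider' );
	file_put_contents( $path, $json );
	echo str_pad( $label, 26 ), checkDomainConfig( $path ), "\n";
	unlink( $path );
}

// A path that does not exist is reported the same way as an unreadable one.
echo str_pad( 'file does not exist', 26 ),
	checkDomainConfig( sys_get_temp_dir() . '/no-such-ldapprovider.json' ), "\n";
```

Run it as the account the web server runs under, since readability is checked for the current user.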

Ablum010777 (talkcontribs)

I use double quotes in the JSON file everywhere. Besides, I am testing on a console now. It seems to me that the variable containing the text boxes for the login name and the password is not passed to the LocalJSONFile.php file correctly, since I always read NULL. This is my ldapprovider.json now:

{
   "testwiki": {
       "connection": {
           "server": "geo-infra.rlp",
           "options": {
               "LDAP_OPT_DEREF": 1
           },
           "basedn": "ou=group,ou=VermKV,o=Landesverwaltung Rheinland-Pfalz,c=de",
           "userbasedn": "ou=group,ou=VermKV,o=Landesverwaltung Rheinland-Pfalz,c=de",
           "groupbasedn": "ou=group,ou=VermKV,o=Landesverwaltung Rheinland-Pfalz,c=de",
           "searchattribute": "uid",
           "usernameattribute": "uid",
           "realnameattribute": "displayName",
           "emailattribute": "mail",
           "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupRequest\\GroupMember::factory"
       },
       "authorization": {
           "rules": {
               "groups": {
                   "required": "cn=wiki_testcontainer,ou=group,ou=VermKV,o=Landesverwaltung Rheinland-Pfalz,c=de"
               }
           }
       },
       "authentication": {
           "emailattribute": 'mail',
           "realnameattribute": "displayName"
           "usernameattribute": "uid"
       }
   }
}


That is also why these two fields (login name and password) are missing when I set the local login variables to false.

Cindy.cicalese (talkcontribs)

From the code you posted, your "C:" printout should be an array containing the merged contents of the two other arrays, but instead it is printing:

C: NULL

which would match the fact that the function appears to be returning NULL. But, how can the result of merging two populated arrays be null?

Ablum010777 (talkcontribs)

The problem has been solved. The variable $GLOBALS['PluggableAuth_ExtraLoginFields'] needs explicit typecasting to array.

Osnard (talkcontribs)
Ablum010777 (talkcontribs)

In PluggableAuthBeginAuthenticationRequest.php (code line printed in bold):

<?php
use \MediaWiki\Auth\ButtonAuthenticationRequest;
use \MediaWiki\Auth\AuthManager;
class PluggableAuthBeginAuthenticationRequest extends
       ButtonAuthenticationRequest {
       public function __construct() {
               if ( isset( $GLOBALS['wgPluggableAuth_ButtonLabelMessage'] ) ) {
                       $label = wfMessage( $GLOBALS['wgPluggableAuth_ButtonLabelMessage'] );
               } elseif ( $GLOBALS['wgPluggableAuth_ButtonLabel'] ) {
                       $label = new RawMessage( $GLOBALS['wgPluggableAuth_ButtonLabel'] );
               } else {
                       $label = wfMessage( 'pluggableauth-loginbutton-label' );
               }
               parent::__construct(
                       'pluggableauthlogin',
                       $label,
                       wfMessage( 'pluggableauth-loginbutton-help' ),
                       true );
       }
       /**
        * Returns field information.
        * @return array field information
        */
       public function getFieldInfo() {
               if ( $this->action !== AuthManager::ACTION_LOGIN ) {
                       return [];
               }
               return array_merge( (array) $GLOBALS['wgPluggableAuth_ExtraLoginFields'],
                       parent::getFieldInfo() );
       }
}

Cindy.cicalese (talkcontribs)

Ah, interesting. The printout:


error_log( 'A:' . var_export( $GLOBALS['wgPluggableAuth_ExtraLoginFields'], 1 ) );


is giving:


A:MediaWiki\\Extension\\LDAPAuthentication2\\ExtraLoginFields::__set_state(

   array(

...


rather than


A:array(

...
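
The failure described in this thread, reproduced outside MediaWiki as an added example (not code from the thread or from PluggableAuth): `array_merge()` given an object instead of an array, with and without the `(array)` cast. `ExtraLoginFieldsStandIn`, `mergeUnchecked()` and `toFieldArray()` are hypothetical names, and the sample field arrays are constructed from the "A:" and "B:" printouts above.

```php
<?php
// Constructed stand-in for the object shown in the "A:" printout. The real
// class is LDAPAuthentication2's ExtraLoginFields; its source is not on this
// page, so the public properties are an assumption made for this example.
class ExtraLoginFieldsStandIn {
	public $domain = [ 'type' => 'select' ];
	public $username = [ 'type' => 'string' ];
	public $password = [ 'type' => 'password', 'sensitive' => true ];
}

// Constructed equivalent of the "B:" printout (parent::getFieldInfo()).
$parentFields = [ 'pluggableauthlogin' => [ 'type' => 'button' ] ];

// The unpatched call: array_merge() receives an object as argument #1.
function mergeUnchecked( $extra, array $parent ) {
	try {
		// PHP 7.x: warning "Argument #1 is not an array" and a NULL result.
		return @array_merge( $extra, $parent );
	} catch ( TypeError $e ) {
		// PHP 8 throws a TypeError instead of returning NULL.
		return 'TypeError: ' . $e->getMessage();
	}
}

// Hypothetical helper: convert the known shapes and reject everything else,
// so a misconfigured scalar is reported instead of being cast silently.
function toFieldArray( $extra ): array {
	if ( $extra === null ) {
		return [];
	}
	if ( is_array( $extra ) ) {
		return $extra;
	}
	if ( $extra instanceof Traversable ) {
		return iterator_to_array( $extra );
	}
	if ( is_object( $extra ) ) {
		return (array)$extra; // same cast as the fix posted in the thread
	}
	throw new InvalidArgumentException(
		'extra login fields must be an array or object, got ' . gettype( $extra )
	);
}

$extra = new ExtraLoginFieldsStandIn();

echo "unchecked: ";
var_dump( mergeUnchecked( $extra, $parentFields ) );

echo "with cast: ";
echo implode( ', ', array_keys( array_merge( (array)$extra, $parentFields ) ) ), "\n";

echo "guarded:   ";
echo implode( ', ', array_keys( array_merge( toFieldArray( $extra ), $parentFields ) ) ), "\n";

// A bare string is refused rather than turned into a one-element array.
try {
	toFieldArray( 'Login' );
} catch ( InvalidArgumentException $e ) {
	echo "rejected:  ", $e->getMessage(), "\n";
}
```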

Osnard (talkcontribs)
Hawaiian717 (talkcontribs)

This feels like overkill. We use LDAP with Auth_remoteuser but don't need any MediaWiki extensions for the LDAP part, since Apache httpd does the authentication to the LDAP server. The relevant bit of our LocalSettings.php file looks like this:


wfLoadExtension('Auth_remoteuser');

#$wgAuth = new Auth_remoteuser();

$wgAuthRemoteuserMailDomain = "spawar.navy.mil";


Then we put a .htaccess file in the root of our wiki with the following (we could also do it in a config file in /etc/httpd/conf.d/):


AuthName "wiki"

AuthType Basic

AuthBasicProvider ldap

AuthLDAPURL <our LDAP url>

Require valid-user
