Topic on Talk:LDAP hub

Starws (talkcontribs)

Hello!


My conf is:

HTTPS wiki


Extensions folder:

Auth_remoteuser

LDAPProvider

LDAPAuthorization

LDAPGroups

LDAPUserInfo


LocalSettings.php:

#Auth_remoteuser
wfLoadExtension( 'Auth_remoteuser' );
$wgAuthRemoteuserUserNameReplaceFilter = [
    '@DOMAIN.MY$' => '' // mod_krb5 and .htaccess
];

#LDAPAuthorization
wfLoadExtension( 'LDAPAuthorization' ); // breaks autologon by Auth_remoteuser

#LDAPProvider
wfLoadExtension( 'LDAPProvider' );
$LDAPProviderDomainConfigProvider = function() {
    $config = [
        'domain.my' => [
            'connection' => [
                "server" => "ldap.domain.my",
                "user" => "CN=ldap,OU=unit,DC=domain,DC=my",
                "pass" => 'pass',
                "options" => [
                    "LDAP_OPT_DEREF" => 1
                ],
                "basedn" => "dc=domain,dc=my",
                "groupbasedn" => "dc=domain,dc=my",
                "userbasedn" => "dc=domain,dc=my",
                "searchattribute" => "samaccountname",
                "searchstring" => "",
                "usernameattribute" => "samaccountname",
                "realnameattribute" => "cn",
                "emailattribute" => "mail"
            ],
            'userinfo' => [
                "attributes-map" => [
                    "realname" => "cn"
                ]
            ],
            'groupsync' => [
                "mechanism" => "mappedgroups",
                "mapping" => [
                    "mygroup" => "OU=unit,DC=domain,DC=my"
                ]
            ]
        ]
    ];
    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};



php ShowUserInfo.php --domain domain.my --username user works perfectly.


1) Am I right that LDAPGroups and LDAPUserInfo require LDAPAuthorization?

2) LocalSettings.php does not contain wfLoadExtension( 'LDAPGroups' ) and wfLoadExtension( 'LDAPUserInfo' ) - is that right?

3) How do I make userinfo, groupsync and autologon work again?


Thank you!

Osnard (talkcontribs)

1) No. LDAPGroups and LDAPUserInfo do not require LDAPAuthorization. They only require LDAP Provider. Group-Sync and Info-Sync will be done periodically when the user session gets initialized.

2) No. LDAPGroups as well as LDAPUserInfo need to be loaded explicitly in LocalSettings.php

3) Please have a look at the example configuration on LDAP_hub/Migration_from_extension_LDAPAuthentication. It shows how to set up autologon and userinfosync. Regarding groupsync you will need to additionally load LDAPGroups extension and add the required configuration to your domain config (e.g. the JSON file).

Be aware that stripping the domain from the remote-username in $wgAuthRemoteuserUserNameReplaceFilter is not required. LDAPAuthorization will take care of this. But you will need to specify the "format". In your case this would probably be $LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain';

Starws (talkcontribs)

All right.

1) OK. I excluded LDAPAuthorization fully.

2) LDAPGroups (1.31 and dev master versions) breaks the wiki (1.33) after it is loaded in LocalSettings.php: "LDAPGroups is not compatible with the current installed version of LDAPProvider (1.0.0), it requires: 1.0.1". I'll try to update LDAPProvider. Userinfosync by LDAPUserInfo doesn't update info... ( "realname" => "cn" )

3) Stripping the domain from the remote-username in $wgAuthRemoteuserUserNameReplaceFilter is required for autologon, and it works perfectly!

Osnard (talkcontribs)

Regarding 3): Yes, of course. I thought you wanted to use LDAPAuthorization. In that case you'd not need to create the username yourself. But if you do not use LDAPAuthorization you will of course need that.

Starws (talkcontribs)

2) LDAPProvider, LDAPGroups and LDAPUserInfo updated to the master versions (1.0.1, 1.0.1 and 1.0.0 respectively); the wiki works, but nothing changes: auto-adding users to a MediaWiki group (a custom group) is not working, and neither are realnames... Should realnames appear at Special:Preferences?

Osnard (talkcontribs)

What kind of sync-mechanism do you use? "allgroups" or "mappedgroups"? Be aware that "allgroups" requires the groups to exist on the wiki.

LDAPUserInfo should update the value of "realname" in Special:Preferences, yes.

The syncing will be made every hour, once the user is logged in. To make sure that that code is executed, please clear all cookies and log in again.

Starws (talkcontribs)

"mechanism" => "mappedgroups"

Can you check the LocalSettings.php conf above? Maybe I missed something.

Osnard (talkcontribs)

Maybe the domain can not be found for the user. For testing, please add $this->domain = 'mydomain'; return true; at line 127 [1] of mediawiki/extensions/LDAPProvider/src/Hook/UserLoadAfterLoadFromSession.php. It should look like this:

protected function findDomainForUser() {
        $this->domain = 'mydomain'; return true;
        $userDomainStore = new UserDomainStore(
        ...

You need to replace mydomain with the value of what you have defined in the domain config (case sensitive).

https://github.com/wikimedia/mediawiki-extensions-LDAPProvider/blob/master/src/Hook/UserLoadAfterLoadFromSession.php#L127


There is already a task for this: https://phabricator.wikimedia.org/T214147

Starws (talkcontribs)

Wow, man, it works!!! Realname filled correctly. Thank you!!


How about autoadd users to a group?

'groupsync' => [
    "mechanism" => "mappedgroups",
    "mapping" => [
        "mygroup" => "OU=unit,DC=domain,DC=my"
    ]
]

Osnard (talkcontribs)

Good to hear. Regarding GroupSync: This looks good. GroupSync uses the same mechanism as UserInfo, so this should work too. The "MappedGroups" mechanism does not need the groups to be available in the local wiki.

You may be able to find more information by using the debug log: $wgDebugLogGroups['LDAPGroups'] = '/tmp/LDAPGroups.log';

Starws (talkcontribs)

Excuse me again... The LDAPGroups extension removes users from MediaWiki groups (e.g. me from the sysop group) and doesn't add them to "mygroup". The conf is the same as above.


Must the OU be the same as "mygroup"? I.e. "mygroup" => "OU=mygroup,DC=domain,DC=my"

Osnard (talkcontribs)

Yes, LDAPGroups can also remove group assignments. When using the "allgroups" mechanism you can specify a list of "locally-managed" groups that won't be touched by the extension. The "sysop" group is set as default.

If you use "mappedgroups", you will need to specify one mapping for each group that needs to be assigned. Also for "sysop"

The OU does not need to match the internal group name when using "mappedgroups". When using "allgroups" it must match and the local group must exist.

For examples of "mappedgroups" configuration please see

Starws (talkcontribs)

Many thanks to Osnard for the support!


So, if you configured everything as in the documentation, the output of php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain mydomain --username SomeUser is fine, but LDAPUserInfo or LDAPGroups doesn't work:


For LDAPUserInfo you need to add $this->domain = 'mydomain'; return true; at line 127 of mediawiki/extensions/LDAPProvider/src/Hook/UserLoadAfterLoadFromSession.php

Source


For LDAPGroups, make sure the output of the following is not null:

php extensions/LDAPProvider/maintenance/ShowUserGroups.php --domain mydomain --username SomeUser

If it is null, you need to add 'grouprequest' to the connection config:

'connection' => [
    ...
    'grouprequest' => 'MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory',
    ...
]


Please note that 'groupsync' requires a DN of the ADGroup and not a DN of the ADOrganizationalUnit.
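As an added example (it is not code from LDAPProvider, LDAPGroups, or anyone in this thread), the script below is a preflight check a practitioner can run from the command line before enabling LDAPGroups on a wiki. It embeds a corrected version of the domain config from this thread (group DNs instead of the OU, 'sysop' mapped, 'grouprequest' set), flags the three mistakes discussed above, and simulates the "mappedgroups" outcome for one user. The simulated behaviour is what the replies describe, namely that a mapped wiki group is granted when the user's memberOf contains the mapped DN and that any explicit wiki group not granted is removed; the extension's actual source was not consulted for it. The group names wiki-admins and wiki-users, the memberOf list, and the functions normalizeDn, checkDomainConfig and simulateMappedGroups are all assumptions made for this example.

```php
<?php
// preflight-ldapgroups.php: added example for this thread, not code from
// LDAPProvider or LDAPGroups. The sync behaviour modelled here is the one
// the replies describe (assumption), and the memberOf list is constructed
// sample data, not real directory output.

// Corrected domain config: mapping values are group DNs (not an OU),
// sysop is mapped so administrators keep it, and 'grouprequest' is set.
// The CN= group names are assumptions for illustration.
$config = [
    'domain.my' => [
        'connection' => [
            'server'            => 'ldap.domain.my',
            'user'              => 'CN=ldap,OU=unit,DC=domain,DC=my',
            'pass'              => 'pass',
            'basedn'            => 'dc=domain,dc=my',
            'groupbasedn'       => 'dc=domain,dc=my',
            'userbasedn'        => 'dc=domain,dc=my',
            'searchattribute'   => 'samaccountname',
            'usernameattribute' => 'samaccountname',
            'realnameattribute' => 'cn',
            'emailattribute'    => 'mail',
            'grouprequest'      => 'MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory',
        ],
        'userinfo' => [ 'attributes-map' => [ 'realname' => 'cn' ] ],
        'groupsync' => [
            'mechanism' => 'mappedgroups',
            'mapping' => [
                'sysop'   => 'CN=wiki-admins,OU=unit,DC=domain,DC=my',
                'mygroup' => 'CN=wiki-users,OU=unit,DC=domain,DC=my',
            ],
        ],
    ],
];

// Lower-case a DN and drop spaces after commas so that differences in
// case or spacing between the mapping and memberOf do not break matching.
function normalizeDn( string $dn ): string {
    return strtolower( implode( ',', array_map( 'trim', explode( ',', $dn ) ) ) );
}

// Static checks for the mistakes made in this thread.
function checkDomainConfig( array $domainConfig ): array {
    $warnings = [];
    if ( empty( $domainConfig['connection']['grouprequest'] ) ) {
        $warnings[] = "'grouprequest' is not set; ShowUserGroups.php may return null";
    }
    $mapping = $domainConfig['groupsync']['mapping'] ?? [];
    foreach ( $mapping as $wikiGroup => $dns ) {
        foreach ( (array)$dns as $dn ) {
            $firstRdn = strtolower( trim( explode( ',', $dn, 2 )[0] ) );
            if ( strpos( $firstRdn, 'cn=' ) !== 0 ) {
                $warnings[] = "'$wikiGroup' maps to '$dn', which is not a group DN (first RDN is not CN=)";
            }
        }
    }
    if ( !isset( $mapping['sysop'] ) ) {
        $warnings[] = "'sysop' is not mapped; administrators would lose it on sync";
    }
    return $warnings;
}

// Simulate one sync: which explicit wiki groups get added and which removed.
// $currentWikiGroups holds the user's explicit groups only (assumption).
function simulateMappedGroups( array $mapping, array $memberOf, array $currentWikiGroups ): array {
    $ldapDns = array_map( 'normalizeDn', $memberOf );
    $granted = [];
    foreach ( $mapping as $wikiGroup => $dns ) {
        foreach ( (array)$dns as $dn ) {
            if ( in_array( normalizeDn( $dn ), $ldapDns, true ) ) {
                $granted[] = $wikiGroup;
                break;
            }
        }
    }
    return [
        'add'    => array_values( array_diff( $granted, $currentWikiGroups ) ),
        'remove' => array_values( array_diff( $currentWikiGroups, $granted ) ),
    ];
}

$domain = $config['domain.my'];
foreach ( checkDomainConfig( $domain ) as $w ) {
    echo "WARNING: $w\n";
}

// Constructed sample: an administrator whose AD account is in both mapped groups.
$memberOf = [
    'CN=Wiki-Admins,OU=Unit,DC=domain,DC=my',
    'CN=wiki-users,OU=unit,DC=domain,DC=my',
    'CN=Domain Users,CN=Users,DC=domain,DC=my',
];
print_r( simulateMappedGroups( $domain['groupsync']['mapping'], $memberOf, [ 'sysop', 'bureaucrat' ] ) );

// The thread's original mapping for comparison: an OU never appears in
// memberOf, so nothing is granted.
$badDomain = $domain;
$badDomain['groupsync']['mapping'] = [ 'mygroup' => 'OU=unit,DC=domain,DC=my' ];
foreach ( checkDomainConfig( $badDomain ) as $w ) {
    echo "WARNING (original mapping): $w\n";
}
print_r( simulateMappedGroups( $badDomain['groupsync']['mapping'], $memberOf, [ 'sysop' ] ) );
```

Run it with php preflight-ldapgroups.php. With the corrected mapping the checks print no warnings, the user keeps sysop, gains mygroup and loses bureaucrat (it is not mapped, which is why every group that must survive the sync needs its own mapping entry). With the original OU mapping the checks warn about the non-group DN and the missing sysop entry, no group is granted and sysop is removed, which is the lockout reported above. Until the mapping has been verified this way, keep a local account outside LDAP that can restore sysop.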