Topic on Talk:LDAP hub

/CheckLogin.php and /ShowUserGroups.php

Summary by Guilherme bangemann

edit /var/www/wiki/extensions/LDAPProvider/src/UserGroupsRequest/GroupMember.php

LINE 31:

```
$groups = $this->ldapClient->search(
    "(objectClass=*)",
    // "(&(objectclass=group)(member=$userDN))",
    $baseDN, [ $dn ]
);
```

CHANGE "(&(objectclass=group)(member=$userDN))", TO "(objectClass=*)",.
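To see what that one-line change actually does, here is an added example (an editor's illustration, not code from LDAPProvider or from this thread): a small in-memory directory and a minimal LDAP filter matcher, run with the three filters that matter in this discussion. The user and OU entries are cut down from the ShowUserInfo.php output above; the two group entries under ou=groups (a posixGroup and a groupOfNames) are an assumption, because the thread never shows a real group object from this directory. The function names (`sampleDirectory`, `matchesFilter`, `searchDns`) are the example's own.

```php
<?php
// Added example, not LDAPProvider code: constructed entries plus a tiny
// RFC 4515 filter matcher, to compare the group filters from this thread.
// The ou=groups entries are ASSUMED; the thread shows no real group object.

const USER_DN = 'uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br';

function sampleDirectory(): array {
    return [
        [   // the user entry itself (attributes trimmed from ShowUserInfo.php)
            'dn'          => USER_DN,
            'objectClass' => ['posixAccount', 'inetOrgPerson', 'person'],
            'uid'         => ['guilherme_bangemann'],
        ],
        [   // the OU that the posted config names as the "required group"
            'dn'          => 'ou=users,dc=solis,dc=coop,dc=br',
            'objectClass' => ['organizationalUnit'],
            'ou'          => ['users'],
        ],
        [   // ASSUMED: a POSIX group listing the user by uid
            'dn'          => 'cn=infra,ou=groups,dc=solis,dc=coop,dc=br',
            'objectClass' => ['posixGroup'],
            'memberUid'   => ['guilherme_bangemann', 'felipe_dahmer'],
        ],
        [   // ASSUMED: a groupOfNames that does not contain the user
            'dn'          => 'cn=wiki-admins,ou=groups,dc=solis,dc=coop,dc=br',
            'objectClass' => ['groupOfNames'],
            'member'      => ['uid=felipe_dahmer,ou=users,dc=solis,dc=coop,dc=br'],
        ],
    ];
}

// Split "(a=1)(b=2)" into ["(a=1)", "(b=2)"], honouring nested parentheses.
function splitFilterList(string $list): array {
    $parts = [];
    $depth = 0;
    $start = 0;
    for ($i = 0, $n = strlen($list); $i < $n; $i++) {
        if ($list[$i] === '(' && $depth++ === 0) {
            $start = $i;
        } elseif ($list[$i] === ')' && --$depth === 0) {
            $parts[] = substr($list, $start, $i - $start + 1);
        }
    }
    return $parts;
}

// Evaluate the subset of RFC 4515 used in this thread: equality (attr=value),
// presence (attr=*) and AND (&(...)(...)). Names and values are compared
// case-insensitively, as a directory does for caseIgnore attributes.
function matchesFilter(array $entry, string $filter): bool {
    $filter = trim($filter);
    if (substr($filter, 0, 2) === '(&') {
        foreach (splitFilterList(substr($filter, 2, -1)) as $child) {
            if (!matchesFilter($entry, $child)) {
                return false;
            }
        }
        return true;
    }
    // Limit 2 keeps a DN value such as "member=uid=x,ou=y,..." intact.
    [$attr, $wanted] = explode('=', substr($filter, 1, -1), 2);
    foreach ($entry as $name => $values) {
        if (strcasecmp($name, $attr) !== 0) {
            continue;
        }
        if ($wanted === '*') {
            return true;   // presence test: the attribute exists at all
        }
        foreach ((array)$values as $value) {
            if (strcasecmp($value, $wanted) === 0) {
                return true;
            }
        }
        return false;
    }
    return false;
}

// DNs of every entry in the directory that matches the filter.
function searchDns(array $directory, string $filter): array {
    $hits = [];
    foreach ($directory as $entry) {
        if (matchesFilter($entry, $filter)) {
            $hits[] = $entry['dn'];
        }
    }
    return $hits;
}

$filters = [
    'GroupMember default (AD-style group/member)' => '(&(objectclass=group)(member=' . USER_DN . '))',
    'workaround from the summary'                 => '(objectClass=*)',
    'posixGroup membership (assumed schema)'      => '(&(objectClass=posixGroup)(memberUid=guilherme_bangemann))',
];
foreach ($filters as $label => $filter) {
    echo $label, "\n  ", $filter, "\n";
    foreach (searchDns(sampleDirectory(), $filter) as $dn) {
        echo "    -> ", $dn, "\n";
    }
}
```

Run with `php filter-demo.php`. The first filter returns no DN at all, which is what the LDAP.log entry later in this thread shows (`'count' => 0`): this directory has no `objectclass=group` entries, so GroupMember's default filter can never find a group for the user. The `(objectClass=*)` workaround returns every entry under the base, including the user's own entry, `ou=users,dc=solis,dc=coop,dc=br` and a group the user is not in. Because the OU DN is exactly the value in `authorization.rules.groups.required`, the required-group rule is satisfied for any account that can bind, so the rule no longer tests membership in anything. Only the third filter, tied to the directory's actual group schema, returns just the group the user belongs to; which filter is right for this directory depends on what the group objects under ou=groups look like.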

Guilherme bangemann (talkcontribs)

I'm getting an error on CheckLogin.php and getting "null" on ShowUserGroups.php:


Command Line

```
user@userpc:/var/www/wiki$ sudo php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain solis --username guilherme_bangemann
objectclass =>
  0 => sambaSamAccount
  1 => shadowAccount
  2 => posixAccount
  3 => inetOrgPerson
  4 => organizationalPerson
  5 => person
  sambadomainname => SOLIS
  displayname => Guilherme Keunecke Bangemann
  sambahomedrive => U:
  sambakickofftime => 1893463200
  sambaprimarygroupsid => S-1-5-21-2804338137-552302570-2244938293-513
  sambaacctflags => [XU         ]
  sambasid => S-1-5-21-2804338137-552302570-2244938293-21792
  shadowwarning => 10
  shadowinactive => 10
  shadowmin => 1
  shadowmax => 365
  homedirectory => /home/guilherme
  loginshell => /bin/bash
  gidnumber => 10001
  cn => Guilherme Keunecke Bangemann
  uidnumber => 10396
  sn => Bangemann
  givenname => Guilherme Keunecke
  departmentnumber => Setor de Infraestrutura
  uid => guilherme_bangemann
  mail => guilherme_bangemann@solis.com.br
  sambantpassword => A7C1B218F8E637AA62F59D31F76DFBCD
  sambapwdlastset => 1559650352
  shadowlastchange => 18051
  userpassword => {CRYPT}$1$wn6dubOY$obSU01DXY2wolpTXxXLEq1
  dn => uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br
user@userpc:/var/www/wiki$ sudo php extensions/LDAPProvider/maintenance/ShowUserGroups.php --domain solis --username guilherme_bangemann
Full DNs:
Short names:
user@userpc:/var/www/wiki$ sudo php extensions/LDAPProvider/maintenance/CheckLogin.php --domain solis --username guilherme_bangemann
Password:userpassword
FAILED
```



LocalSettings.php

```
wfLoadExtensions( [
    'PluggableAuth',
    'LDAPProvider',
    'LDAPAuthentication2',
    'LDAPAuthorization',
    'LDAPUserInfo',
    'LDAPGroups'
] );

$LDAPProviderDomainConfigProvider = function() {
    $config = [
        "solis" => [
            "connection" => [
                "port" => 389,
                "enctype" => "clear",
                "server" => "ldapslave.solis.com.br",
                "user"   => "uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br",
                "pass"   => "userpassword",
                "options" => [
                    "LDAP_OPT_DEREF" => 1
                ],
                "basedn"            => "dc=solis,dc=coop,dc=br",
                "groupbasedn"       => "dc=solis,dc=coop,dc=br",
                "userbasedn"        => "dc=solis,dc=coop,dc=br",
                "searchattribute"   => "uid",
                "searchstring"      => "solis\\USER-NAME",
                "usernameattribute" => "uid",
                "realnameattribute" => "cn",
                "emailattribute"    => "mail",
                "grouprequest"      => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
            ],
            "groupsync" => [
                "mechanism" => "allgroups",
            ],
            "userinfo" => [
                "attributes-map" => [
                    "realname" => "cn"
                ]
            ],
            "authorization" => [
                "rules" => [
                    "groups" => [
                        "required" => [ "ou=users,dc=solis,dc=coop,dc=br" ]
                    ]
                ]
            ]
        ]
    ];
    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

$wgPluggableAuth_EnableAutoLogin = false;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_EnableLocalProperties = false;
$wgPluggableAuth_ButtonLabel = null;
$wgPluggableAuth_ExtraLoginFields = [];
```



Guilherme bangemann (talkcontribs)

Please @Osnard could you help me with this problem?

When I try to login in my wiki, I get the message: Could not authenticate credentials against domain "solis"


cat debugLDAP-wiki.log


IP: 127.0.0.1

Start command line script extensions/LDAPProvider/maintenance/CheckLogin.php

[caches] cluster: APCBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: APCBagOStuff, session: APCBagOStuff

[caches] LocalisationCache: using store LCStoreDB

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection.

[DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: using request info {

    "IPAddress": "127.0.0.1",

    "UserAgent": false,

    "ChronologyProtection": false,

    "ChronologyPositionIndex": 0

}

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: connected to database 0 at 'localhost'.

[DBConnection] Wikimedia\Rdbms\{closure}: closing connection to database 'localhost'.

IP: 127.0.0.1

Start command line script extensions/LDAPProvider/maintenance/ShowUserGroups.php

[caches] cluster: APCBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: APCBagOStuff, session: APCBagOStuff

[caches] LocalisationCache: using store LCStoreDB

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection.

[DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: using request info {

    "IPAddress": "127.0.0.1",

    "UserAgent": false,

    "ChronologyProtection": false,

    "ChronologyPositionIndex": 0

}

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: connected to database 0 at 'localhost'.

[error] [15122d2a2917e2206b29694d] [no req]   ErrorException from line 19 of /var/lib/wiki/extensions/LDAPProvider/src/UserGroupsRequest/UserMemberOf.php: PHP Notice: Undefined index: memberof

#0 /var/lib/wiki/extensions/LDAPProvider/src/UserGroupsRequest/UserMemberOf.php(19): MWExceptionHandler::handleError(integer, string, string, integer, array)

#1 /var/lib/wiki/extensions/LDAPProvider/src/Client.php(346): MediaWiki\Extension\LDAPProvider\UserGroupsRequest\UserMemberOf->getUserGroups(string)

#2 /var/lib/wiki/includes/libs/objectcache/BagOStuff.php(159): MediaWiki\Extension\LDAPProvider\Client->MediaWiki\Extension\LDAPProvider\{closure}()

#3 /var/lib/wiki/extensions/LDAPProvider/src/Client.php(347): BagOStuff->getWithSetCallback(string, integer, Closure)

#4 /var/lib/wiki/extensions/LDAPProvider/maintenance/ShowUserGroups.php(48): MediaWiki\Extension\LDAPProvider\Client->getUserGroups(string)

#5 /var/lib/wiki/maintenance/doMaintenance.php(94): MediaWiki\Extension\LDAPProvider\Maintenance\ShowUserGroups->execute()

#6 /var/lib/wiki/extensions/LDAPProvider/maintenance/ShowUserGroups.php(71): require_once(string)

#7 {main}

[error] [15122d2a2917e2206b29694d] [no req]   ErrorException from line 59 of /var/lib/wiki/extensions/LDAPProvider/maintenance/ShowUserGroups.php: PHP Warning: Invalid argument supplied for foreach()

#0 /var/lib/wiki/extensions/LDAPProvider/maintenance/ShowUserGroups.php(59): MWExceptionHandler::handleError(integer, string, string, integer, array)

#1 /var/lib/wiki/extensions/LDAPProvider/maintenance/ShowUserGroups.php(50): MediaWiki\Extension\LDAPProvider\Maintenance\ShowUserGroups->showValue(MediaWiki\Extension\LDAPProvider\GroupList)

#2 /var/lib/wiki/maintenance/doMaintenance.php(94): MediaWiki\Extension\LDAPProvider\Maintenance\ShowUserGroups->execute()

#3 /var/lib/wiki/extensions/LDAPProvider/maintenance/ShowUserGroups.php(71): require_once(string)

#4 {main}

[error] [15122d2a2917e2206b29694d] [no req]   ErrorException from line 52 of /var/lib/wiki/extensions/LDAPProvider/src/GroupList.php: PHP Warning: Invalid argument supplied for foreach()

#0 /var/lib/wiki/extensions/LDAPProvider/src/GroupList.php(52): MWExceptionHandler::handleError(integer, string, string, integer, array)

#1 /var/lib/wiki/extensions/LDAPProvider/src/GroupList.php(32): MediaWiki\Extension\LDAPProvider\GroupList->makeShortNames()

#2 /var/lib/wiki/extensions/LDAPProvider/maintenance/ShowUserGroups.php(64): MediaWiki\Extension\LDAPProvider\GroupList->getShortNames()

#3 /var/lib/wiki/extensions/LDAPProvider/maintenance/ShowUserGroups.php(50): MediaWiki\Extension\LDAPProvider\Maintenance\ShowUserGroups->showValue(MediaWiki\Extension\LDAPProvider\GroupList)

#4 /var/lib/wiki/maintenance/doMaintenance.php(94): MediaWiki\Extension\LDAPProvider\Maintenance\ShowUserGroups->execute()

#5 /var/lib/wiki/extensions/LDAPProvider/maintenance/ShowUserGroups.php(71): require_once(string)

#6 {main}

[DBConnection] Wikimedia\Rdbms\{closure}: closing connection to database 'localhost'.

IP: 127.0.0.1

Start command line script extensions/LDAPProvider/maintenance/ShowUserInfo.php

[caches] cluster: APCBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: APCBagOStuff, session: APCBagOStuff

[caches] LocalisationCache: using store LCStoreDB

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection.

[DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: using request info {

    "IPAddress": "127.0.0.1",

    "UserAgent": false,

    "ChronologyProtection": false,

    "ChronologyPositionIndex": 0

}

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: connected to database 0 at 'localhost'.

[DBConnection] Wikimedia\Rdbms\{closure}: closing connection to database 'localhost'.



cat LDAP.log


2019-09-17 17:50:01 guilherme-pc wiki: ldap_connect( $hostname = 'ldap://ldapslave.solis.com.br:389', $port = 389 );

2019-09-17 17:50:01 guilherme-pc wiki: # __METHOD__ returns Resource id #198

2019-09-17 17:50:01 guilherme-pc wiki: ldap_set_option( $linkID, $option = 17, $newval = 3 );

2019-09-17 17:50:01 guilherme-pc wiki: # returns 1

2019-09-17 17:50:01 guilherme-pc wiki: ldap_set_option( $linkID, $option = 8, $newval = 0 );

2019-09-17 17:50:01 guilherme-pc wiki: # returns 1

2019-09-17 17:50:01 guilherme-pc wiki: ldap_set_option( $linkID, $option = 2, $newval = 1 );

2019-09-17 17:50:01 guilherme-pc wiki: # returns 1

2019-09-17 17:50:01 guilherme-pc wiki: ldap_bind( $linkID, $bindRDN = 'uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br', $bindPassword = 'XXXX' );

2019-09-17 17:50:02 guilherme-pc wiki: # returns 1

2019-09-17 17:50:02 guilherme-pc wiki: ldap_bind( $linkID, $bindRDN = 'solis\guilherme_bangemann', $bindPassword = 'XXXX' );

2019-09-17 17:50:02 guilherme-pc wiki: # returns

2019-09-17 17:50:07 guilherme-pc wiki: ldap_connect( $hostname = 'ldap://ldapslave.solis.com.br:389', $port = 389 );

2019-09-17 17:50:07 guilherme-pc wiki: # __METHOD__ returns Resource id #198

2019-09-17 17:50:07 guilherme-pc wiki: ldap_set_option( $linkID, $option = 17, $newval = 3 );

2019-09-17 17:50:07 guilherme-pc wiki: # returns 1

2019-09-17 17:50:07 guilherme-pc wiki: ldap_set_option( $linkID, $option = 8, $newval = 0 );

2019-09-17 17:50:07 guilherme-pc wiki: # returns 1

2019-09-17 17:50:07 guilherme-pc wiki: ldap_set_option( $linkID, $option = 2, $newval = 1 );

2019-09-17 17:50:07 guilherme-pc wiki: # returns 1

2019-09-17 17:50:07 guilherme-pc wiki: ldap_bind( $linkID, $bindRDN = 'uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br', $bindPassword = 'XXXX' );

2019-09-17 17:50:07 guilherme-pc wiki: # returns 1

2019-09-17 17:50:07 guilherme-pc wiki: ldap_search( $linkID, $baseDN = 'dc=solis,dc=coop,dc=br', $filter = '(uid=guilherme_bangemann)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );

2019-09-17 17:50:07 guilherme-pc wiki: # returns Resource id #216

2019-09-17 17:50:07 guilherme-pc wiki: ldap_get_entries( $linkID, $resultID );

2019-09-17 17:50:07 guilherme-pc wiki: # returns: array (

  'count' => 1,

  0 =>

  array (

    'objectclass' =>

    array (

      'count' => 6,

      0 => 'sambaSamAccount',

      1 => 'shadowAccount',

      2 => 'posixAccount',

      3 => 'inetOrgPerson',

      4 => 'organizationalPerson',

      5 => 'person',

    ),

    0 => 'objectclass',

    'sambadomainname' =>

    array (

      'count' => 1,

      0 => 'SOLIS',

    ),

    1 => 'sambadomainname',

    'displayname' =>

    array (

      'count' => 1,

      0 => 'Guilherme Keunecke Bangemann',

    ),

    2 => 'displayname',

    'sambahomedrive' =>

    array (

      'count' => 1,

      0 => 'U:',

    ),

    3 => 'sambahomedrive',

    'sambakickofftime' =>

    array (

      'count' => 1,

      0 => '1893463200',

    ),

    4 => 'sambakickofftime',

    'sambaprimarygroupsid' =>

    array (

      'count' => 1,

      0 => 'S-1-5-21-2804338137-552302570-2244938293-513',

    ),

    5 => 'sambaprimarygroupsid',

    'sambaacctflags' =>

    array (

      'count' => 1,

      0 => '[XU         ]',

    ),

    6 => 'sambaacctflags',

    'sambasid' =>

    array (

      'count' => 1,

      0 => 'S-1-5-21-2804338137-552302570-2244938293-21792',

    ),

    7 => 'sambasid',

    'shadowwarning' =>

    array (

      'count' => 1,

      0 => '10',

    ),

    8 => 'shadowwarning',

    'shadowinactive' =>

    array (

      'count' => 1,

      0 => '10',

    ),

    9 => 'shadowinactive',

    'shadowmin' =>

    array (

      'count' => 1,

      0 => '1',

    ),

    10 => 'shadowmin',

    'shadowmax' =>

    array (

      'count' => 1,

      0 => '365',

    ),

    11 => 'shadowmax',

    'homedirectory' =>

    array (

      'count' => 1,

      0 => '/home/guilherme',

    ),

    12 => 'homedirectory',

    'loginshell' =>

    array (

      'count' => 1,

      0 => '/bin/bash',

    ),

    13 => 'loginshell',

    'gidnumber' =>

    array (

      'count' => 1,

      0 => '10001',

    ),

    14 => 'gidnumber',

    'cn' =>

    array (

      'count' => 1,

      0 => 'Guilherme Keunecke Bangemann',

    ),

    15 => 'cn',

    'uidnumber' =>

    array (

      'count' => 1,

      0 => '10396',

    ),

    16 => 'uidnumber',

    'sn' =>

    array (

      'count' => 1,

      0 => 'Bangemann',

    ),

    17 => 'sn',

    'givenname' =>

    array (

      'count' => 1,

      0 => 'Guilherme Keunecke',

    ),

    18 => 'givenname',

    'departmentnumber' =>

    array (

      'count' => 1,

      0 => 'Setor de Infraestrutura',

    ),

    19 => 'departmentnumber',

    'uid' =>

    array (

      'count' => 1,

      0 => 'guilherme_bangemann',

    ),

    20 => 'uid',

    'mail' =>

    array (

      'count' => 1,

      0 => 'guilherme_bangemann@solis.com.br',

    ),

    21 => 'mail',

    'sambantpassword' =>

    array (

      'count' => 1,

      0 => 'A7C1B218F8E637AA62F59D31F76DFBCD',

    ),

    22 => 'sambantpassword',

    'sambapwdlastset' =>

    array (

      'count' => 1,

      0 => '1559650352',

    ),

    23 => 'sambapwdlastset',

    'shadowlastchange' =>

    array (

      'count' => 1,

      0 => '18051',

    ),

    24 => 'shadowlastchange',

    'userpassword' =>

    array (

      'count' => 1,

      0 => '{CRYPT}$1$wn6dubOY$obSU01DXY2wolpTXxXLEq1',

    ),

    25 => 'userpassword',

    'count' => 26,

    'dn' => 'uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br',

  ),

)

2019-09-17 17:50:12 guilherme-pc wiki: ldap_connect( $hostname = 'ldap://ldapslave.solis.com.br:389', $port = 389 );

2019-09-17 17:50:12 guilherme-pc wiki: # __METHOD__ returns Resource id #198

2019-09-17 17:50:12 guilherme-pc wiki: ldap_set_option( $linkID, $option = 17, $newval = 3 );

2019-09-17 17:50:12 guilherme-pc wiki: # returns 1

2019-09-17 17:50:12 guilherme-pc wiki: ldap_set_option( $linkID, $option = 8, $newval = 0 );

2019-09-17 17:50:12 guilherme-pc wiki: # returns 1

2019-09-17 17:50:12 guilherme-pc wiki: ldap_set_option( $linkID, $option = 2, $newval = 1 );

2019-09-17 17:50:12 guilherme-pc wiki: # returns 1

2019-09-17 17:50:12 guilherme-pc wiki: ldap_bind( $linkID, $bindRDN = 'uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br', $bindPassword = 'XXXX' );

2019-09-17 17:50:12 guilherme-pc wiki: # returns 1

2019-09-17 17:50:12 guilherme-pc wiki: ldap_search( $linkID, $baseDN = 'dc=solis,dc=coop,dc=br', $filter = '(uid=guilherme_bangemann)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );

2019-09-17 17:50:12 guilherme-pc wiki: # returns Resource id #214

2019-09-17 17:50:12 guilherme-pc wiki: ldap_get_entries( $linkID, $resultID );

2019-09-17 17:50:12 guilherme-pc wiki: # returns: array (

  'count' => 1,

  0 =>

  array (

    'objectclass' =>

    array (

      'count' => 6,

      0 => 'sambaSamAccount',

      1 => 'shadowAccount',

      2 => 'posixAccount',

      3 => 'inetOrgPerson',

      4 => 'organizationalPerson',

      5 => 'person',

    ),

    0 => 'objectclass',

    'sambadomainname' =>

    array (

      'count' => 1,

      0 => 'SOLIS',

    ),

    1 => 'sambadomainname',

    'displayname' =>

    array (

      'count' => 1,

      0 => 'Guilherme Keunecke Bangemann',

    ),

    2 => 'displayname',

    'sambahomedrive' =>

    array (

      'count' => 1,

      0 => 'U:',

    ),

    3 => 'sambahomedrive',

    'sambakickofftime' =>

    array (

      'count' => 1,

      0 => '1893463200',

    ),

    4 => 'sambakickofftime',

    'sambaprimarygroupsid' =>

    array (

      'count' => 1,

      0 => 'S-1-5-21-2804338137-552302570-2244938293-513',

    ),

    5 => 'sambaprimarygroupsid',

    'sambaacctflags' =>

    array (

      'count' => 1,

      0 => '[XU         ]',

    ),

    6 => 'sambaacctflags',

    'sambasid' =>

    array (

      'count' => 1,

      0 => 'S-1-5-21-2804338137-552302570-2244938293-21792',

    ),

    7 => 'sambasid',

    'shadowwarning' =>

    array (

      'count' => 1,

      0 => '10',

    ),

    8 => 'shadowwarning',

    'shadowinactive' =>

    array (

      'count' => 1,

      0 => '10',

    ),

    9 => 'shadowinactive',

    'shadowmin' =>

    array (

      'count' => 1,

      0 => '1',

    ),

    10 => 'shadowmin',

    'shadowmax' =>

    array (

      'count' => 1,

      0 => '365',

    ),

    11 => 'shadowmax',

    'homedirectory' =>

    array (

      'count' => 1,

      0 => '/home/guilherme',

    ),

    12 => 'homedirectory',

    'loginshell' =>

    array (

      'count' => 1,

      0 => '/bin/bash',

    ),

    13 => 'loginshell',

    'gidnumber' =>

    array (

      'count' => 1,

      0 => '10001',

    ),

    14 => 'gidnumber',

    'cn' =>

    array (

      'count' => 1,

      0 => 'Guilherme Keunecke Bangemann',

    ),

    15 => 'cn',

    'uidnumber' =>

    array (

      'count' => 1,

      0 => '10396',

    ),

    16 => 'uidnumber',

    'sn' =>

    array (

      'count' => 1,

      0 => 'Bangemann',

    ),

    17 => 'sn',

    'givenname' =>

    array (

      'count' => 1,

      0 => 'Guilherme Keunecke',

    ),

    18 => 'givenname',

    'departmentnumber' =>

    array (

      'count' => 1,

      0 => 'Setor de Infraestrutura',

    ),

    19 => 'departmentnumber',

    'uid' =>

    array (

      'count' => 1,

      0 => 'guilherme_bangemann',

    ),

    20 => 'uid',

    'mail' =>

    array (

      'count' => 1,

      0 => 'guilherme_bangemann@solis.com.br',

    ),

    21 => 'mail',

    'sambantpassword' =>

    array (

      'count' => 1,

      0 => 'A7C1B218F8E637AA62F59D31F76DFBCD',

    ),

    22 => 'sambantpassword',

    'sambapwdlastset' =>

    array (

      'count' => 1,

      0 => '1559650352',

    ),

    23 => 'sambapwdlastset',

    'shadowlastchange' =>

    array (

      'count' => 1,

      0 => '18051',

    ),

    24 => 'shadowlastchange',

    'userpassword' =>

    array (

      'count' => 1,

      0 => '{CRYPT}$1$wn6dubOY$obSU01DXY2wolpTXxXLEq1',

    ),

    25 => 'userpassword',

    'count' => 26,

    'dn' => 'uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br',

  ),

)



cat LDAPProvider.log


2019-09-17 17:50:01 guilherme-pc wiki: Setting LDAP_OPT_PROTOCOL_VERSION to 3

2019-09-17 17:50:01 guilherme-pc wiki: Setting LDAP_OPT_REFERRALS to 0

2019-09-17 17:50:01 guilherme-pc wiki: Setting LDAP_OPT_DEREF to 1

2019-09-17 17:50:02 guilherme-pc wiki: MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'solis\guilherme_bangemann'

2019-09-17 17:50:07 guilherme-pc wiki: Setting LDAP_OPT_PROTOCOL_VERSION to 3

2019-09-17 17:50:07 guilherme-pc wiki: Setting LDAP_OPT_REFERRALS to 0

2019-09-17 17:50:07 guilherme-pc wiki: Setting LDAP_OPT_DEREF to 1

2019-09-17 17:50:07 guilherme-pc wiki: Ran LDAP search for '(uid=guilherme_bangemann)' in 0.0060989856719971 seconds.

2019-09-17 17:50:12 guilherme-pc wiki: Setting LDAP_OPT_PROTOCOL_VERSION to 3

2019-09-17 17:50:12 guilherme-pc wiki: Setting LDAP_OPT_REFERRALS to 0

2019-09-17 17:50:12 guilherme-pc wiki: Setting LDAP_OPT_DEREF to 1

2019-09-17 17:50:12 guilherme-pc wiki: Ran LDAP search for '(uid=guilherme_bangemann)' in 0.0033810138702393 seconds.



cat PluggableAuth.log


2019-09-17 17:50:41 guilherme-pc wiki: In execute()

2019-09-17 17:50:41 guilherme-pc wiki: Getting PluggableAuth singleton

2019-09-17 17:50:41 guilherme-pc wiki: Class name: MediaWiki\Extension\LDAPAuthentication2\PluggableAuth

2019-09-17 17:50:41 guilherme-pc wiki: Authentication failure.

2019-09-17 17:50:41 guilherme-pc wiki: ERROR: Could not authenticate credentials against domain "solis"



Guilherme bangemann (talkcontribs)

```
## LOGS
$wgDebugLogFile = "/var/log/wiki/debugLDAP-{$wgDBname}.log";
$wgDebugLogGroups['PluggableAuth'] = "/var/log/wiki/PluggableAuth.log";
$wgDebugLogGroups['LDAP'] = "/var/log/wiki/LDAP.log";
$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] = "/var/log/wiki/LDAPProvider.log";
$wgDebugLogGroups['LDAPGroups'] = "/var/log/wiki/LDAPGroups.log";
$wgDebugLogGroups['LDAPUserInfo'] = "/var/log/wiki/LDAPUserInfo.log";
$wgDebugLogGroups['LDAPAuthorization'] = "/var/log/wiki/LDAPAuthorization.log";
```

Osnard (talkcontribs)

I can see two things here:

  1. The search string "searchstring" => "solis\\USER-NAME", looks odd. This should probably be "searchstring" => "uid=USER-NAME,ou=users,dc=solis,dc=coop,dc=br",. Please also try to unset "searchstring" completely.
  2. You have configured "GroupMember" as "grouprequest", yet I can see from the logs that "UserMemberOf" is used. Therefore no usergroups are being returned. I can not explain this behavior, but it is probably not connected to the "authentication" issue. It would only be an issue when it comes to "authorization" (after "authentication").
Guilherme bangemann (talkcontribs)

  1. "searchstring" => "uid=USER-NAME,ou=users,dc=solis,dc=coop,dc=br" OK -- I'll try to unset it completely to see the 'return'.
  2. Yes, I saw that now. And thank you! I'll put the logs here. Another question... So the problem is in Authorization and Authentication?
Guilherme bangemann (talkcontribs)

Question:

- Why is it authenticating a new user if it exists? I'll look at the Authentication and Authorization configuration pages.


BASH

```
guilherme_bangemann@guilherme-pc:/var/www/wiki$ sudo php extensions/LDAPProvider/maintenance/CheckLogin.php -d solis -u guilherme_bangemann
Password:********
OK
```

WIKI

When I try to log in on the site:

User guilherme_bangemann not autorized



LDAP.log


2019-09-19 12:04:21 guilherme-pc wiki: ldap_connect( $hostname = 'ldap://ldapslave.solis.com.br:389', $port = 389 );

2019-09-19 12:04:21 guilherme-pc wiki: # __METHOD__ returns Resource id #21

2019-09-19 12:04:21 guilherme-pc wiki: ldap_set_option( $linkID, $option = 17, $newval = 3 );

2019-09-19 12:04:21 guilherme-pc wiki: # returns 1

2019-09-19 12:04:21 guilherme-pc wiki: ldap_set_option( $linkID, $option = 8, $newval = 0 );

2019-09-19 12:04:21 guilherme-pc wiki: # returns 1

2019-09-19 12:04:21 guilherme-pc wiki: ldap_set_option( $linkID, $option = 2, $newval = 1 );

2019-09-19 12:04:21 guilherme-pc wiki: # returns 1

2019-09-19 12:04:21 guilherme-pc wiki: ldap_bind( $linkID, $bindRDN = 'uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br', $bindPassword = 'XXXX' );

2019-09-19 12:04:21 guilherme-pc wiki: # returns 1

2019-09-19 12:04:21 guilherme-pc wiki: ldap_bind( $linkID, $bindRDN = 'uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br', $bindPassword = 'XXXX' );

2019-09-19 12:04:21 guilherme-pc wiki: # returns 1

2019-09-19 12:04:21 guilherme-pc wiki: ldap_bind( $linkID, $bindRDN = 'uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br', $bindPassword = 'XXXX' );

2019-09-19 12:04:21 guilherme-pc wiki: # returns 1

2019-09-19 12:04:21 guilherme-pc wiki: ldap_search( $linkID, $baseDN = 'dc=solis,dc=coop,dc=br', $filter = '(uid=guilherme_bangemann)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );

2019-09-19 12:04:21 guilherme-pc wiki: # returns Resource id #42

2019-09-19 12:04:21 guilherme-pc wiki: ldap_get_entries( $linkID, $resultID );

2019-09-19 12:04:21 guilherme-pc wiki: # returns: array ( ... )


2019-09-19 12:04:21 guilherme-pc wiki: ldap_search( $linkID, $baseDN = 'dc=solis,dc=coop,dc=br', $filter = '(uid=guilherme_bangemann)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );

2019-09-19 12:04:21 guilherme-pc wiki: # returns Resource id #55

2019-09-19 12:04:21 guilherme-pc wiki: ldap_count_entries( $linkiID, $result = 'Resource id #55' );

2019-09-19 12:04:21 guilherme-pc wiki: # returns 1

2019-09-19 12:04:21 guilherme-pc wiki: ldap_get_entries( $linkID, $resultID );

2019-09-19 12:04:21 guilherme-pc wiki: # returns: array ( ... )


2019-09-19 12:04:21 guilherme-pc wiki: ldap_search( $linkID, $baseDN = 'dc=solis,dc=coop,dc=br', $filter = '(&(objectclass=group)(member=uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br))', $attributes = [ 'dn' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );

2019-09-19 12:04:21 guilherme-pc wiki: # returns Resource id #63

2019-09-19 12:04:21 guilherme-pc wiki: ldap_get_entries( $linkID, $resultID );

2019-09-19 12:04:21 guilherme-pc wiki: # returns: array (

  'count' => 0,

)



LDAPProvider.log


2019-09-19 12:04:21 guilherme-pc wiki: Setting LDAP_OPT_PROTOCOL_VERSION to 3

2019-09-19 12:04:21 guilherme-pc wiki: Setting LDAP_OPT_REFERRALS to 0

2019-09-19 12:04:21 guilherme-pc wiki: Setting LDAP_OPT_DEREF to 1

2019-09-19 12:04:21 guilherme-pc wiki: MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br'

2019-09-19 12:04:21 guilherme-pc wiki: Ran LDAP search for '(uid=guilherme_bangemann)' in 0.0050511360168457 seconds.

2019-09-19 12:04:21 guilherme-pc wiki: MediaWiki\Extension\LDAPProvider\Client::getUserDN: search with array (

  'base' => 'dc=solis,dc=coop,dc=br',

  'filter' => '(uid=guilherme_bangemann)',

  'attributes' =>

  array (

    0 => '*',

    1 => 'memberof',

  ),

)

2019-09-19 12:04:21 guilherme-pc wiki: Found user DN: 'uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br'

2019-09-19 12:04:21 guilherme-pc wiki: Ran LDAP search for '(&(objectclass=group)(member=uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br))' in 0.0033600330352783 seconds.



PluggableAuth.log


2019-09-19 12:04:21 guilherme-pc wiki: In execute()

2019-09-19 12:04:21 guilherme-pc wiki: Getting PluggableAuth singleton

2019-09-19 12:04:21 guilherme-pc wiki: Class name: MediaWiki\Extension\LDAPAuthentication2\PluggableAuth

2019-09-19 12:04:21 guilherme-pc wiki: Authenticated new user: guilherme_bangemann

2019-09-19 12:04:21 guilherme-pc wiki: Authorization failure.




Osnard (talkcontribs)

So, as CheckLogin.php returns OK, we can assume that authentication works. Also the error message on the form-based authentication is "User guilherme_bangemann not authorized". So the reason must be in the authorization part.

From your config I can see, that you restrict login capability to users from LDAP group "ou=users,dc=solis,dc=coop,dc=br" (actually, this does not look like a usual group DN). Is this group listed, when you execute ShowUserGroups.php for that particular user?

Guilherme bangemann (talkcontribs)

When I execute ShowUserGroups.php for this user "guilherme_bangemann", it returns nothing (null).

```
php extensions/LDAPProvider/maintenance/ShowUserGroups.php -d solis -u guilherme_bangemann
Full DNs:
Short names:
```

LocalSettings.php

```
...
                "grouprequest"      => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
            ],
            "groupsync" => [
                "mechanism" => "mappedgroups",
                "mapping" => [
                    "users" => "ou=users,dc=solis,dc=coop,dc=br",
                    "mailaliases" => "ou=mailaliases,dc=solis,dc=coop,dc=br",
                    "groups" => "ou=groups,dc=solis,dc=coop,dc=br"
                ] ...
...
            "authorization" => [
                "rules" => [
                    "attributes" => [
                    ],
                    "groups" => [
                        "required" => [ "ou=users" ]
                    ] ...

$wgSyncMechanismRegistry = "mappedgroups";
$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$LDAPAuthentication2AllowLocalLogin = false;
$wgAutoAuthRemoteUserStringParser = "domain-backslash-username"; //"username-at-domain";
```

Guilherme bangemann (talkcontribs)

When I execute this command, `ldapsearch -b dc=solis,dc=coop,dc=br -W -h ldapslave.solis.com.br -D uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br`, it returns all LDAP users, and I saw that there are other groups, like mailaliases and groups:

```
# guilherme_bangemann, users, solis.coop.br
dn: uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br
objectClass: sambaSamAccount
objectClass: shadowAccount
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
sambaDomainName: SOLIS
displayName: Guilherme Keunecke Bangemann
sambaHomeDrive: U:
sambaKickoffTime: **********
sambaPrimaryGroupSID: ***********
sambaAcctFlags: [**         ]
sambaSID: **********
shadowWarning: 10
shadowInactive: 10
shadowMin: 1
shadowMax: 365
homeDirectory: /home/guilherme
loginShell: /bin/bash
gidNumber: ******
cn: Guilherme Keunecke Bangemann
uidNumber: ******
sn: Bangemann
givenName: Guilherme Keunecke
departmentNumber: Setor de Infraestrutura
uid: guilherme_bangemann
mail: guilherme_bangemann@solis.com.br
sambaNTPassword: ******************************
sambaPwdLastSet: *************
shadowLastChange: ******
userPassword:: *********************************************************
```



Osnard (talkcontribs)

If ShowUserGroups.php returns nothing it is clear that authorization fails, as you have set a required group. You will probably need to configure a different grouprequest. At the moment you have MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory. Please try

  • MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupUniqueMember::factory
  • MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory

and test each with ShowUserGroups.php.

Guilherme bangemann (talkcontribs)

MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupUniqueMember::factory

Returns the same thing as when I use GroupMember


MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory

sudo php extensions/LDAPProvider/maintenance/ShowUserGroups.php -d solis -u guilherme_bangemann

PHP Notice:  Undefined index: memberof in /var/lib/wiki/extensions/LDAPProvider/src/UserGroupsRequest/UserMemberOf.php on line 19

Notice: Undefined index: memberof in /var/lib/wiki/extensions/LDAPProvider/src/UserGroupsRequest/UserMemberOf.php on line 19

Full DNs:

PHP Warning:  Invalid argument supplied for foreach() in /var/lib/wiki/extensions/LDAPProvider/maintenance/ShowUserGroups.php on line 59

Warning: Invalid argument supplied for foreach() in /var/lib/wiki/extensions/LDAPProvider/maintenance/ShowUserGroups.php on line 59

Short names:

PHP Warning:  Invalid argument supplied for foreach() in /var/lib/wiki/extensions/LDAPProvider/src/GroupList.php on line 52

Warning: Invalid argument supplied for foreach() in /var/lib/wiki/extensions/LDAPProvider/src/GroupList.php on line 52



Maybe "groupsync" => [ or "authorization" => [ ?? Or is this OK in my config?

Osnard (talkcontribs)

Okay, obviously MemberOf is not the right choice. So it should be GroupMember or GroupUniqueMember. Can you please give me an example of a "group" object in your LDAP? Full DN and attributes?

BTW: In authorization.rules.groups.required you should use a full group DN. The value "ou=users" is probably wrong. It should probably be "ou=users,dc=solis,dc=coop,dc=br"

Guilherme bangemann (talkcontribs)

FULL DN and attributes examples:


# felipe_dahmer, users, solis.coop.br

dn: uid=felipe_dahmer,ou=users,dc=solis,dc=coop,dc=br

sambaDomainName: SOLIS

displayName: Felipe Augusto Dahmer

uid: felipe_dahmer

cn: Felipe Augusto Dahmer

mail: felipe_dahmer@solis.com.br

sn: Dahmer


# janete, users, solis.coop.br

dn: uid=janete,ou=users,dc=solis,dc=coop,dc=br

sambaDomainName: SOLIS

displayName: Janete Becker

uid: janete

cn: Janete Becker

mail: janete@solis.com.br

sn: Becker


# solis-pml, mailaliases, solis.coop.br

dn: cn=solis-pml,ou=mailaliases,dc=solis,dc=coop,dc=br

objectClass: nisMailAlias

cn: solis-pml


# alerta-ucpel, mailaliases, solis.coop.br

dn: cn=alerta-ucpel,ou=mailaliases,dc=solis,dc=coop,dc=br

cn: alerta-ucpel


# guilherme_bangemann, users, solis.coop.br

dn: uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br

sambaDomainName: SOLIS

displayName: Guilherme Keunecke Bangemann

cn: Guilherme Keunecke Bangemann

sn: Bangemann

uid: guilherme_bangemann

mail: guilherme_bangemann@solis.com.br


# sandroroberto, users, solis.coop.br

dn: uid=sandroroberto,ou=users,dc=solis,dc=coop,dc=br

sambaDomainName: SOLIS

displayName: Sandro Roberto Thome

cn: Sandro Roberto Thome

sn: Thome

uid: sandroroberto

mail: sandroroberto@solis.com.br


# newsletter, users, solis.coop.br

dn: uid=newsletter,ou=users,dc=solis,dc=coop,dc=br

sambaDomainName: SOLIS

displayName: Newsletter Solis

uid: newsletter

cn: Newsletter Solis

mail: newsletter@solis.com.br

sn: Solis



ALL ATTRIBUTES to filter:


# guilherme_bangemann, users, solis.coop.br

dn: uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br

objectClass:

sambaDomainName:

displayName:

sambaHomeDrive:

sambaKickoffTime:

sambaPrimaryGroupSID:

sambaAcctFlags:

sambaSID:

shadowWarning:

shadowInactive:

shadowMin:

shadowMax:

homeDirectory:

loginShell:

gidNumber:

cn:

uidNumber:

sn:

givenName:

departmentNumber:

uid:

mail:

sambaNTPassword:

sambaPwdLastSet:

shadowLastChange:

userPassword::

Guilherme bangemann (talkcontribs)

OK, I changed the code here: sudo vim www/wiki/extensions/LDAPProvider/src/UserGroupsRequest/GroupMember.php


LINE 31:

```php
$groups = $this->ldapClient->search(
	"(objectClass=*)",
	// "(&(objectclass=group)(member=$userDN))",
	$baseDN, [ $dn ]
);
```

I just put "(objectClass=*)",

and commented "(&(objectclass=group)(member=$userDN))",


RETURNED ALL FULL DNs of ALL members and ALL short names of them... How can I filter this to just return my DN and my short name?:

guilherme_bangemann@guilherme-pc:/var/www/wiki$ sudo php /var/www/wiki/extensions/LDAPProvider/maintenance/ShowUserGroups.php -d solis -u guilherme_bangemann

Full DNs:

dc=solis,dc=coop,dc=br

ou=users,dc=solis,dc=coop,dc=br

ou=groups,dc=solis,dc=coop,dc=br

ou=computers,dc=solis,dc=coop,dc=br

uid=niumar,ou=users,dc=solis,dc=coop,dc=br

cn=solis,ou=groups,dc=solis,dc=coop,dc=br

uid=taffarel,ou=users,dc=solis,dc=coop,dc=br

uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br

uid=sandroroberto,ou=users,dc=solis,dc=coop,dc=br

uid=newsletter,ou=users,dc=solis,dc=coop,dc=br

Short names:

solis

users

groups

computers

...

lucas_horn

felipe_dahmer

janete

solis-pml

alerta-ucpel

guilherme_bangemann

sandroroberto

...

newsletter

Osnard (talkcontribs)

Okay, so this change made it work? If so, we can assume this to be a bug and put a configuration option into the extension

Guilherme bangemann (talkcontribs)

It's working. I tried with 2 members of group users. I'll try with another groups and then I'll return here.

About the "bug": it may be a bug, but I can't be sure. It would be good to put a configuration option into the extension; this would help others.


Thank you @Osnard. When I'm sure, I'll close the ticket. OK? :D


Osnard (talkcontribs)
Guilherme bangemann (talkcontribs)

Ok! Thank You!

I think it's OK from now on. Thank you @Osnard for your attention. If there's any problem, I'll re-open this ticket.


edit /var/www/wiki/extensions/LDAPProvider/src/UserGroupsRequest/GroupMember.php

LINE 31:

```php
$groups = $this->ldapClient->search(
	"(objectClass=*)",
	// "(&(objectclass=group)(member=$userDN))",
	$baseDN, [ $dn ]
);
```

CHANGE "(&(objectclass=group)(member=$userDN))", TO "(objectClass=*)",.

Osnard (talkcontribs)

This change looks strange. This basically means that you query _all_ LDAP objects (users, groups, etc.) and not just group objects that are assigned to a certain user. Are you sure this search delivers the required information?
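Added example (Python, not the extension's PHP and not part of this thread) modelling the point above: the list returned by the UserGroupsRequest is what the authorization.rules.groups.required rule is checked against, so a filter of "(objectClass=*)" makes every account "a member" of every object under the base DN, including ou=users,dc=solis,dc=coop,dc=br, and the rule stops excluding anyone. The in-memory directory is constructed from the LDIF posted earlier in this thread. The attributes of cn=solis,ou=groups,..., the GroupUniqueMember filter, the all-of semantics of "required", and the posixGroup/memberUid filter are assumptions, not something the thread or the extension confirms.

```python
# Added example, not LDAPProvider code. Models how a UserGroupsRequest filter
# feeds an authorization "required" group check, and why "(objectClass=*)"
# turns that check into a no-op. Directory constructed from the thread's LDIF.

BASE_DN = "dc=solis,dc=coop,dc=br"

# LDAP attribute names are case-insensitive; keys are stored lower-case here.
DIRECTORY = {
    "dc=solis,dc=coop,dc=br": {"objectclass": ["dcObject", "organization"]},
    "ou=users,dc=solis,dc=coop,dc=br": {"objectclass": ["organizationalUnit"]},
    "ou=groups,dc=solis,dc=coop,dc=br": {"objectclass": ["organizationalUnit"]},
    "uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br": {
        "objectclass": ["sambaSamAccount", "posixAccount", "inetOrgPerson"],
        "uid": ["guilherme_bangemann"], "gidnumber": ["10001"]},
    "uid=newsletter,ou=users,dc=solis,dc=coop,dc=br": {
        "objectclass": ["sambaSamAccount", "posixAccount", "inetOrgPerson"],
        "uid": ["newsletter"], "gidnumber": ["10001"]},
    # ASSUMPTION: the thread never shows this entry's attributes; a posixGroup
    # with memberUid is what a Samba/posix directory would normally carry.
    "cn=solis,ou=groups,dc=solis,dc=coop,dc=br": {
        "objectclass": ["posixGroup"], "cn": ["solis"], "gidnumber": ["10001"],
        "memberuid": ["guilherme_bangemann"]},
}


def _parse(flt, i=0):
    """Parse the filter subset used here: (a=v), (a=*) and (&(...)(...))."""
    if flt[i] != "(":
        raise ValueError(f"expected '(' at {i} in {flt!r}")
    if flt[i + 1] == "&":
        i += 2
        subs = []
        while flt[i] == "(":
            node, i = _parse(flt, i)
            subs.append(node)
        return ("and", subs), i + 1  # skip the closing ')'
    end = flt.index(")", i)
    attr, _, value = flt[i + 1:end].partition("=")
    return ("eq", attr.lower(), value.lower()), end + 1


def _matches(node, attrs):
    if node[0] == "and":
        return all(_matches(sub, attrs) for sub in node[1])
    _, attr, value = node
    present = [v.lower() for v in attrs.get(attr, [])]
    return bool(present) if value == "*" else value in present


def search(base_dn, flt):
    """Subtree search under base_dn; returns matching DNs in directory order."""
    node, _ = _parse(flt)
    base = base_dn.lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if (dn.lower() == base or dn.lower().endswith("," + base))
            and _matches(node, attrs)]


def groups_for(user_dn, strategy):
    """Group DNs one UserGroupsRequest strategy yields for a user."""
    uid = DIRECTORY[user_dn]["uid"][0]
    if strategy == "GroupMember":        # filter quoted from GroupMember.php in the thread
        return search(BASE_DN, f"(&(objectclass=group)(member={user_dn}))")
    if strategy == "GroupUniqueMember":  # ASSUMPTION: groupOfUniqueNames / uniqueMember
        return search(BASE_DN, f"(&(objectclass=groupofuniquenames)(uniquemember={user_dn}))")
    if strategy == "UserMemberOf":       # reads memberOf off the user; absent without an overlay
        return list(DIRECTORY[user_dn].get("memberof", []))
    if strategy == "objectClass=*":      # the change made in the thread
        return search(BASE_DN, "(objectclass=*)")
    if strategy == "posixGroup":         # ASSUMPTION: how this schema records membership
        return search(BASE_DN, f"(&(objectclass=posixgroup)(memberuid={uid}))")
    raise ValueError(strategy)


def authorized(group_dns, required):
    """ASSUMED model of authorization.rules.groups.required: the user must be in
    every listed DN, compared as whole DNs, so a bare "ou=users" matches nothing."""
    have = {g.lower() for g in group_dns}
    return all(r.lower() in have for r in required)


def everyone_passes(strategy, required):
    """True if every account in the directory is authorized: a rule that excludes nobody."""
    users = search(BASE_DN, "(objectclass=posixaccount)")
    return all(authorized(groups_for(u, strategy), required) for u in users)


if __name__ == "__main__":
    me = "uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br"
    for s in ("GroupMember", "GroupUniqueMember", "UserMemberOf", "objectClass=*", "posixGroup"):
        print(f"{s:18} -> {groups_for(me, s)}")
    print("objectClass=* passes everyone:",
          everyone_passes("objectClass=*", ["ou=users,dc=solis,dc=coop,dc=br"]))
    print("posixGroup passes everyone:   ",
          everyone_passes("posixGroup", ["cn=solis,ou=groups,dc=solis,dc=coop,dc=br"]))
```

Run it and compare the objectClass=* row with the others: the stock filters return nothing on this directory (no group/member objects, no memberOf attribute on the user), which is why ShowUserGroups.php printed nothing and UserMemberOf raised the "Undefined index: memberof" notice, while "(objectClass=*)" returns six DNs for any account, so the required rule passes for every user. The fix is a filter that matches how this directory actually records membership, not one that matches everything.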
