Topic on Project:Support desk

Auto authentication using LDAP

This topic was hidden by Tviv54
Reason: resolved
Tviv54 (talkcontribs)

I have installed MediaWiki 1.33.1 and it is working fine without LDAP. I am trying to log in using LDAP authentication. I have installed Auth_remoteuser, LDAPAuthentication2, LDAPAuthorization, LDAPProvider, LDAPUserInfo and PluggableAuth. Please help me with the configuration and auto-authentication using LDAP.


Here are my virtual host configuration details

<VirtualHost *:9004>
    ServerName localhost
    ServerAlias localhost
    DocumentRoot "${INSTALL_DIR}/www/mediawiki-1-33-1"
    <Directory "${INSTALL_DIR}/www/mediawiki-1-33-1">
        # +Indexes enables directory listings for the wiki root; rarely wanted
        Options +Indexes +Includes +FollowSymLinks +MultiViews
        AllowOverride All
        # Apache 2.2-style access control; on Apache 2.4 this needs mod_access_compat
        Order allow,deny
        Allow from all
        # mod_auth_sspi: integrated Windows authentication populates REMOTE_USER
        AuthName "My Intranet"
        AuthType SSPI
        SSPIAuth On
        SSPIAuthoritative On
        SSPIDomain MyDomainName
        # strip the DOMAIN\ prefix so REMOTE_USER is the bare account name
        SSPIOmitDomain On
        # Basic fallback sends the password base64-encoded, so only serve it over TLS
        SSPIOfferBasic On
        #SSPIBasicPreferred On
        #SSPIofferSSPI On
        require valid-user
        # never let the unauthenticated SSPI principal through as a valid user
        require user "NT AUTHORITY\ANONYMOUS LOGON" denied
    </Directory>
</VirtualHost>


Here are my LocalSettings details

$wgCookieSecure = false;
wfLoadExtensions( [
    'PluggableAuth',
    'Auth_remoteuser',
    'LDAPProvider',
    'LDAPAuthentication2',
    'LDAPAuthorization',
    'LDAPUserInfo'
] );
$LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain';
$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$LDAPAuthentication2AllowLocalLogin = false;
$wgAuthRemoteuserAllowUserSwitch = true;
$wgPluggableAuth_EnableLocalLogin = false;

$wgAuthRemoteuserUserName = function () {
    $user = '';
    if ( isset( $_SERVER['REMOTE_USER'] ) ) {
        // Lower-case the name the web server authenticated (returns my remote user name).
        // No echo here: any output from LocalSettings.php is sent before MediaWiki's
        // own headers and breaks session cookie handling.
        $user = strtolower( $_SERVER['REMOTE_USER'] );
    }
    return $user;
};

$LDAPProviderDomainConfigProvider = function () {
    $config = [
        'company.local' => [
            'connection' => [
                'server' => 'coo.tc.net',
                'options' => [
                    'LDAP_OPT_DEREF' => 1
                ],
                'basedn' => 'o=Company',
                'groupbasedn' => 'o=Company',
                'userbasedn' => 'o=Company',
                'searchattribute' => 'uid',
                'usernameattribute' => 'uid',
                'realnameattribute' => 'fullname',
                'emailattribute' => 'mail',
                'grouprequest' => 'MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory'
            ],
            // only members of this group may log in
            'authorization' => [
                'rules' => [
                    'groups' => [
                        'required' => [
                            'cn=WikiAccess,ou=Groups,o=Company'
                        ]
                    ]
                ]
            ],
            // LDAP attributes copied into the wiki user's email and real name
            'userinfo' => [
                'attributes-map' => [
                    'email' => 'mail',
                    'realname' => 'fullname'
                ]
            ]
        ]
    ];
    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
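The configuration above leans on two things: Apache refusing the anonymous SSPI principal, and the `username-at-domain` parser plus `strtolower` turning whatever lands in REMOTE_USER into a wiki account name. As an added illustration (not code from this thread, and not the parser the Auth_remoteuser or LDAP* extensions use internally), here is a standalone PHP function showing what such a parse has to handle: the `user@DOMAIN`, `DOMAIN\user` and bare forms, the anonymous-logon value, and characters MediaWiki will not accept in a user name. The function name `parseRemoteUser` and the sample principals are constructed for this example.

```php
<?php
// Added example, not code from this thread or from the Auth_remoteuser /
// LDAP* extensions: a standalone look at what a "username-at-domain" style
// parse of REMOTE_USER has to handle when mod_auth_sspi hands a Windows
// principal to the wiki. The function name and the sample principals are
// constructed for this illustration.

/**
 * Split a REMOTE_USER value into [ username, domain ].
 * Accepts "user@DOMAIN", "DOMAIN\user" and a bare "user".
 * Returns null for values that must never be turned into a wiki account.
 *
 * @param string $remoteUser raw value of $_SERVER['REMOTE_USER']
 * @return array|null
 */
function parseRemoteUser( $remoteUser ) {
    $remoteUser = trim( (string)$remoteUser );
    if ( $remoteUser === '' ) {
        return null;
    }

    // SSPI reports "NT AUTHORITY\ANONYMOUS LOGON" for a client that did not
    // authenticate. The Apache config in this thread already denies it; a
    // second check in PHP means a misconfigured vhost cannot auto-create
    // an account from it.
    if ( strcasecmp( $remoteUser, 'NT AUTHORITY\\ANONYMOUS LOGON' ) === 0 ) {
        return null;
    }

    $domain = '';
    $at = strrpos( $remoteUser, '@' );
    $bs = strpos( $remoteUser, '\\' );
    if ( $at !== false ) {
        // user@DOMAIN (UPN style, the shape 'username-at-domain' expects)
        $user = substr( $remoteUser, 0, $at );
        $domain = substr( $remoteUser, $at + 1 );
    } elseif ( $bs !== false ) {
        // DOMAIN\user (down-level logon name, seen when SSPIOmitDomain is Off)
        $domain = substr( $remoteUser, 0, $bs );
        $user = substr( $remoteUser, $bs + 1 );
    } else {
        // bare account name, what SSPIOmitDomain On produces
        $user = $remoteUser;
    }

    // Same normalisation as $LDAPAuthentication2UsernameNormalizer = 'strtolower'
    // in the thread, so "JDoe" and "jdoe" map to one wiki account.
    $user = strtolower( $user );
    $domain = strtolower( $domain );

    // MediaWiki will not create users containing these characters (title rules
    // plus the $wgInvalidUsernameCharacters default of '@:'); rejecting them
    // here gives a clear failure instead of an odd one deep in the login code.
    if ( $user === '' || preg_match( '/[#<>\[\]|{}@:\x00-\x1f\x7f]/', $user ) === 1 ) {
        return null;
    }

    return [ $user, $domain ];
}

// Constructed sample values in the shapes mod_auth_sspi can set.
$samples = [
    'JDoe@COMPANY.LOCAL',
    'COMPANY\\JDoe',
    'jdoe',
    'NT AUTHORITY\\ANONYMOUS LOGON',
    'j<doe',
];
foreach ( $samples as $s ) {
    $parsed = parseRemoteUser( $s );
    printf( "%-32s => %s\n", $s, $parsed === null ? 'rejected' : implode( ' / ', $parsed ) );
}
```

Run it with `php parse_remote_user.php` (any file name works). The first three samples come back as `jdoe` with the domain they carried; the anonymous principal and the name with `<` are rejected. The point for the thread is that REMOTE_USER is only trustworthy because Apache, not the client, sets it: the PHP side should normalise and validate, never authenticate.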
Kking01 (talkcontribs)

Were you able to get this to work? I am having the same issue with the config. I was able to get it to return my full name from the table, but it still wouldn't connect to Active Directory to log in.

MarkAHershberger (talkcontribs)

@Kking01 what have you tried? Does your single sign-on work outside of MW?

@Tviv54 How does your current configuration behave?

Kking01 (talkcontribs)

@MarkAHershberger Yes, all single sign-on works. We have quite a few other things that use LDAP and all work fine. This is an older instance of MediaWiki that I have upgraded through the years. I just pushed it from 1.29 to 1.33, and all plugins functioned correctly except for LdapAuthentication. This is why I switched to use the LdapHub migration. It is way more involved, as it uses 6 plugins instead of just the one. I may just be doing something wrong.

MarkAHershberger (talkcontribs)

We do need to improve the documentation, but it isn't that much more complicated. I see you already asked for help here. Let's continue there.

Tviv54 (talkcontribs)

$_SERVER[ 'REMOTE_USER' ] returns my name from the Active Directory.

My current configuration is not working properly. I tried with my Windows user credentials, but the login attempt failed and returned "There seems to be a problem with your login session; this action has been canceled as a precaution against session hijacking. Please resubmit the form."


MarkAHershberger (talkcontribs)

"$_SERVER[ 'REMOTE_USER' ] returns my name from the Active Directory."

Good.

Your current configuration, like @Kking01's, is using both Auth_remoteuser and LDAPAuthentication2. Since REMOTE_USER is being set, remove LDAPAuthentication2.

Remove the snippet for setting $wgAuthRemoteuserUserName and just use its default.

Tviv54 (talkcontribs)

Would you please share the configuration details?

MarkAHershberger (talkcontribs)

Based on my comments and your configuration, here is what I would do:

$wgCookieSecure = false;
// PluggableAuth and LDAPAuthentication2 are not loaded: the web server
// (REMOTE_USER) is the only authenticator.
wfLoadExtensions( [
    'Auth_remoteuser',
    'LDAPProvider',
    'LDAPAuthorization',
    'LDAPUserInfo'
] );
$LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain';
// Read only by LDAPAuthentication2, which is no longer loaded above; harmless here.
$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$LDAPAuthentication2AllowLocalLogin = false;
$wgAuthRemoteuserAllowUserSwitch = true;

$LDAPProviderDomainConfigProvider = function () {
    $config = [
        'company.local' => [
            'connection' => [
                'server' => 'corp.tcc.inet',
                'options' => [
                    'LDAP_OPT_DEREF' => 1
                ],
                'basedn' => 'o=Company',
                'groupbasedn' => 'o=Company',
                'userbasedn' => 'o=Company',
                'searchattribute' => 'uid',
                'usernameattribute' => 'uid',
                'realnameattribute' => 'fullname',
                'emailattribute' => 'mail',
                'grouprequest' => 'MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory'
            ],
            // only members of this group may log in
            'authorization' => [
                'rules' => [
                    'groups' => [
                        'required' => [
                            'cn=WikiAccess,ou=Groups,o=Company'
                        ]
                    ]
                ]
            ],
            // LDAP attributes copied into the wiki user's email and real name
            'userinfo' => [
                'attributes-map' => [
                    'email' => 'mail',
                    'realname' => 'fullname'
                ]
            ]
        ]
    ];
    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
Tviv54 (talkcontribs)

Thanks Mark, but I am getting a Notice error when I click the login link: Notice: Undefined index: wgPluggableAuth_Class in D:\wamp64\www\mediawiki-1-33-1\extensions\PluggableAuth\includes\PluggableAuth.php on line 40

MarkAHershberger (talkcontribs)

Sorry... I updated the snippet above to remove references to PluggableAuth. I forgot to do that before. Could you try it now?