Topic on Extension talk:LDAP Authentication

Incorrect username or password entered. Please try again.

Wrathofmcgrath (talkcontribs)

I'm struggling to find any useful logs and have been stuck on this for some time. Any and all help would be much appreciated. I'm pretty new to Linux, PHP, and MediaWiki administration. Without a lot of information to go on I think the issue is the cert setup, but not sure how to confirm that.

Installed:

MediaWiki 1.30.0
LDAP Authentication Plugin 2.1.0 (b19888c) 03:11, 14 April 2018

Configuration:

#LDAP Auth
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array('DOMAIN');
$wgLDAPServerNames = array('DOMAIN' => 'DC1.domain.com');
$wgLDAPEncryptionType = array('DOMAIN' => 'tls'); ##I've tried clear and ssl
$wgLDAPProxyAgent = array('DOMAIN' => 'CN=Wiki LDAP,OU=Service Accounts,DC=domain,DC=com');
$wgLDAPProxyAgentPassword = array('DOMAIN' => 'WikiLDAPPASSWORD');
$wgLDAPSearchAttributes = array('DOMAIN' => 'sAMAccountName');
$wgLDAPBaseDNs = array('DOMAIN' => 'cn=People,dc=domain,dc=com');
$wgMinimalPasswordLength = 1;
$wgLDAPDebug = 3;
$wgDebugLogGroups['ldap'] = '/tmp/ldap-debug.log';

Logs:

root@SERVER1:/var/lib/mediawiki# cat /tmp/ldap-debug.log
2019-12-02 16:49:45 SERVER1 site_wiki: 2.1.0 Entering strict.
2019-12-02 16:49:45 SERVER1 site_wiki: 2.1.0 Entering getDomain
2019-12-02 16:49:45 SERVER1 site_wiki: 2.1.0 Returning true in strict().
2019-12-02 18:05:02 SERVER1 site_wiki: 2.1.0 Entering strict.
2019-12-02 18:05:02 SERVER1 site_wiki: 2.1.0 Entering getDomain
2019-12-02 18:05:02 SERVER1 site_wiki: 2.1.0 Returning true in strict().
2019-12-02 18:12:35 SERVER1 site_wiki: 2.1.0 Entering strict.
2019-12-02 18:12:35 SERVER1 site_wiki: 2.1.0 Entering getDomain
2019-12-02 18:12:35 SERVER1 site_wiki: 2.1.0 Returning true in strict().
2019-12-02 18:33:38 SERVER1 site_wiki: 2.1.0 Entering strict.
2019-12-02 18:33:38 SERVER1 site_wiki: 2.1.0 Entering getDomain
2019-12-02 18:33:38 SERVER1 site_wiki: 2.1.0 Returning true in strict().


I did at one point see this in the apache2 error.log but it stopped coming up.

[php7:warn] [pid 1465] [client 172.21.193.14:54312] PHP Warning:  ldap_start_tls(): Unable to start TLS: Connect error in /var/lib/mediawiki/extensions/LdapAuthentication/LdapAuthenticationPlugin.php on line 614, referer: https://SERVER1.domain.com/mediawiki/index.php?title=Special:UserLogin&returnto=Special:ListUsers

Wrathofmcgrath (talkcontribs)

I just tried the latest version of the extension and I get this error when running the update.php script


PHP Fatal error:  Uncaught Error: Class 'LdapAuthenticationPlugin' not found in /var/lib/mediawiki/LocalSettings.php:165
Stack trace:
#0 /var/lib/mediawiki/maintenance/doMaintenance.php(65): require()
#1 /var/lib/mediawiki/maintenance/update.php(249): require_once('/var/lib/mediaw...')
#2 {main}
  thrown in /var/lib/mediawiki/LocalSettings.php on line 165

Ciencia Al Poder (talkcontribs)

Apparently, in LocalSettings.php you should have those lines:

require_once ('extensions/LdapAuthentication/LdapAuthentication.php');
require_once ('includes/AuthPlugin.php');
$wgAuth = new LdapAuthenticationPlugin();

See if any of them are missing.

Wrathofmcgrath (talkcontribs)

Based on this link [1] I don't need the require_once ('includes/AuthPlugin.php'); line

[1] https://blog.ryandlane.com/2009/03/23/using-the-ldap-authentication-plugin-for-mediawiki-the-basics-part-1/


I re-signed the cert and now when I enable this extension no one is able to log in, including the local account. I feel like this is progress... I do have a local account that is also an AD account (because I read you needed that) and that account is a bureaucrat and a wiki administrator. No new information in the /tmp/ldap-debug.log. Is there anything else I should check?

Wrathofmcgrath (talkcontribs)

OK, so I changed the /etc/ldap/ldap.conf file to:

TLS_REQCERT     never

and now the local wiki account that exists in AD can log in... not sure if it's actually doing LDAP auth though. And the other local account (not in AD) can't log in, which I think (maybe) is normal behavior. Now, why can't other AD accounts log in? Do I have to have users create their AD account on MediaWiki and then it'll work with LDAP auth? Or should this extension automatically check with the LDAP server to see it's an AD account and create the MediaWiki user based on that?
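
Added example, not part of the original thread or the extension's code: `TLS_REQCERT never` tells the OpenLDAP client library not to request or check the domain controller's certificate, so the check below flags that setting, and a missing CA entry, in an `ldap.conf`-style file. The function name `audit_ldap_conf` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenLDAP client config for
# settings that weaken server-certificate checks on StartTLS/LDAPS.

# audit_ldap_conf FILE -> one finding per line; returns 1 if any setting
# disables verification of the directory server's certificate.
audit_ldap_conf() {
    conf=$1
    rc=0
    # Option names are case-insensitive; commented lines never match because
    # their first field starts with '#'. An unset option means "demand".
    levels=$(awk 'tolower($1) == "tls_reqcert" { print tolower($2) }' "$conf")
    for level in ${levels:-demand}; do
        case "$level" in
            never|allow)
                echo "FAIL: TLS_REQCERT $level accepts any server certificate"
                rc=1 ;;
            try)
                echo "WARN: TLS_REQCERT try accepts a server that sends no certificate" ;;
            demand|hard)
                echo "OK: TLS_REQCERT $level requires a valid server certificate" ;;
            *)
                echo "FAIL: unrecognised TLS_REQCERT value '$level'"
                rc=1 ;;
        esac
    done
    # With verification on, the CA that issued the DC's certificate must be trusted.
    if awk 'tolower($1) ~ /^tls_cacert(dir)?$/ { f = 1 } END { exit !f }' "$conf"; then
        echo "OK: CA source configured via TLS_CACERT/TLS_CACERTDIR"
    else
        echo "WARN: no TLS_CACERT or TLS_CACERTDIR set for the issuing CA"
    fi
    return $rc
}

# Constructed sample mirroring the ldap.conf change described in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT     never
EOF
audit_ldap_conf "$sample" || echo "=> certificate verification is weakened"
rm -f "$sample"
```

On the wiki host the function can be pointed at `/etc/ldap/ldap.conf`; a non-zero return means the StartTLS session to the DC is encrypted but the server's identity is not being checked.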

Ciencia Al Poder (talkcontribs)
Wrathofmcgrath (talkcontribs)

That comment is confusing to me...

default is set to false so it should "automatically create an account for a user if the account exists in LDAP, but not in MediaWiki."?

Regardless I've tried both and it didn't change the behavior.
