Topic on Extension talk:PluggableAuth

Internal Error when Logging In

Summary by Cindy.cicalese

ldapsearch query is showing 2 different entries

Chattadude (talkcontribs)

I am doing a major upgrade of our existing Mediawiki.

Product versions: MediaWiki 1.28.2, PHP 7.0.32 (fpm-fcgi), MariaDB 10.1.37-MariaDB, ICU 50.1.2


I'm going to PHP 7.2, MariaDB 10.4 and the latest version of Mediawiki.


As part of the upgrade, I want to replace SimpleRadiusAuth with LDAPProvider, PluggableAuth, and LDAPAuthentication2.


Since this is a big jump, I decided to do 1 round of database updates prior to installing the extensions - so I update the source code of everything else and I run a `php maintenance/update.php`. I then enable the extensions in LocalSettings.php, and I run that command again.


The upgrade goes well until I try to use these new extensions.

(So actually, I don't think there's a problem with the upgrade at all. I think that I'm missing something, hopefully not obvious, in the setup and configuration of the new LDAP extensions).


At the login page, if I enter in invalid credentials, I get the correct message that authentication failed.

If I enter in good credentials, I get directed to index.php?title=Special:PluggableAuthLogin, at which point I see an error message (pasted below).


How can I go about troubleshooting this?


```
[fabb2665631009df6e11d309] /index.php?title=Special:PluggableAuthLogin Error from line 71 of /var/www/html/extensions/LDAPProvider/src/UserInfoRequest.php: Class 'MediaWiki\Extension\LDAPProvider\MWException' not found

Backtrace:

#0 /var/www/html/extensions/LDAPProvider/src/Client.php(229): MediaWiki\Extension\LDAPProvider\UserInfoRequest->getUserInfo(string)
#1 /var/www/html/includes/libs/objectcache/BagOStuff.php(158): MediaWiki\Extension\LDAPProvider\Client->MediaWiki\Extension\LDAPProvider\{closure}()
#2 /var/www/html/extensions/LDAPProvider/src/Client.php(230): BagOStuff->getWithSetCallback(string, integer, Closure)
#3 /var/www/html/extensions/LDAPAuthentication2/src/PluggableAuth.php(84): MediaWiki\Extension\LDAPProvider\Client->getUserInfo(string)
#4 /var/www/html/extensions/PluggableAuth/includes/PluggableAuthLogin.php(31): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->authenticate(NULL, string, NULL, NULL, NULL)
#5 /var/www/html/includes/specialpage/SpecialPage.php(569): PluggableAuthLogin->execute(NULL)
#6 /var/www/html/includes/specialpage/SpecialPageFactory.php(558): SpecialPage->run(NULL)
#7 /var/www/html/includes/MediaWiki.php(288): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
#8 /var/www/html/includes/MediaWiki.php(865): MediaWiki->performRequest()
#9 /var/www/html/includes/MediaWiki.php(515): MediaWiki->main()
#10 /var/www/html/index.php(42): MediaWiki->run()
#11 {main}
```


Cindy.cicalese (talkcontribs)

You don't mention what version of the extensions you are using or how they are configured. It sounds like there may be a configuration error, since LDAPProvider cannot find one of its own classes: Class 'MediaWiki\Extension\LDAPProvider\MWException' not found.

Chattadude (talkcontribs)

Hi Cindy,

Thank you. I'm using the json configuration method as opposed to the php method.

I added a couple of things to the json file (see below), and that changed the original error message (above) very slightly, but I'm still getting an Internal error, this time with:


index.php?title=Special:PluggableAuthLogin Error from line 76 of /var/www/html/extensions/LDAPProvider/src/PlatformFunctionWrapper.php: Call to undefined function MediaWiki\suppressWarnings()


Here are version & configuration details below.

I do agree that this sounds like a configuration issue, but to-date, I've found the documentation on Extension:LDAPProvider to be confusing. I'm sure I'm missing something (hopefully not something obvious!)


LDAPAuthentication2 is version 1.0.1

LDAPProvider is version 1.0.1

PluggableAuth is version 5.7


I have the following in LocalSettings.php:

```php
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPAuthentication2' );

$LDAPProviderDomainConfigs = "/etc/mediawiki/ldapprovider.json";
$LDAPAuthentication2AllowLocalLogin = false;
```


And in /etc/mediawiki/ldapprovider.json, I have the following:

```json
{
    "LDAP": {
        "connection": {
            "server": "10.10.10.10",
            "user": "uid=wiki,cn=users,cn=compat,dc=lab,dc=example,dc=com",
            "pass": "ACTUAL-PASSWORD",
            "options": [],
            "enctype": "clear",
            "basedn": "dc=lab,dc=example,dc=com",
            "groupbasedn": "dc=lab,dc=example,dc=com",
            "userbasedn": "dc=lab,dc=example,dc=com",
            "searchattribute": "uid",
            "searchstring": "uid=USER-NAME,cn=users,cn=compat,dc=lab,dc=example,dc=com",
            "usernameattribute": "uid",
            "realnameattribute": "cn"
        }
    }
}
```


Chattadude (talkcontribs)

@Cindy.cicalese

I'm not positive which extension my problems are (err... were) related to, but I'm going ahead and replying here as this was where I opened up the conversation.

I'm also not sure if I've found a bug in the code somewhere in an extension, but I'm happy to open up an issue in Github, if you'd like.


tl;dr:

In my setup, there's an issue with the LDAP suite of extensions combined with the Echo + WhoIsWatching extensions. There also appears to be an issue with lines 76 and 78 of /extensions/LDAPProvider/src/PlatformFunctionWrapper.php. I currently have Echo & WhoIsWatching turned off, as well as the code on those 2 lines of this file, and everything is working fine.


More details:

I found the check scripts in /LDAPProvider/maintenance/, and ran

`php extensions/LDAPProvider/maintenance/CheckLogin.php --domain LDAP --username my-username`


And I found that I was getting the same error message as the one I posted in my 2nd comment above.

I commented out the code on line 76 and 78 of /extensions/LDAPProvider/src/PlatformFunctionWrapper.php as well as lines 176 and 181:

```php
76                 #\MediaWiki\suppressWarnings();
77                 $ret = \ldap_bind( $this->linkID, $bindRDN, $bindPassword );
78                 #\MediaWiki\restoreWarnings();
```


(I tried removing the comments from those lines once I narrowed down the issue with Echo + WhoIsWatching, and deactivated those extensions, but after additional testing logging in & logging out, I found that I still needed to have those 4 lines commented out).


... at which point the test worked without any errors:

`php extensions/LDAPProvider/maintenance/CheckLogin.php --domain LDAP --username my-username`


However, when I went to login through the website, I got a different error message, indicating an issue right around line 70 of https://github.com/wikimedia/mediawiki-extensions-LDAPProvider/blob/master/src/UserInfoRequest.php.


I made the following changes to that file:

```php
70                 if ( $count > 1 ) {
71                         #throw new MWException(
72                         #       wfMessage( "ldapprovider-more-than-one" )->params( $filter )->plain();
73                         #        print $count;
74                         #);
75                 }
```


At which point I was able login without any problems.


It was at this point that I started to notice a problem with the WhoIsWatching extension. I honestly cannot tell you what error message(s) I saw, as I've done a bunch of troubleshooting and editing of different files this morning to try and track down exactly what my issue was.


But after extensive troubleshooting, and trying varying degrees of commenting / uncommenting the code I reference above with the Echo & WhoIsWatching extensions, I've come to the conclusion that there's currently a conflict with those plugins + the LDAP suite of plugins. Even with Echo & WhoIsWatching turned off, I had to comment out some lines in two files related to LDAPProvider before my environment would work properly (UserInfoRequest.php and PlatformFunctionWrapper.php).

I tried removing the comments I added to the LDAPProvider files, but then I was unable to login, even with the Echo & WhoIsWatching extensions turned off.


I have this in my lab, and am happy to do additional tests if you'd like.


To recap, my environment is working with the following conditions:

PHP v7.2

MediaWiki v1.34.0

LDAPAuthentication2 v1.0.1

LDAPProvider v1.0.1 (95d4fd1)

PluggableAuth v5.7 (a69f626)

WhoIsWatching is turned off

Echo is turned off

Lines 76, 78, 176, and 182 of /extensions/LDAPProvider/src/PlatformFunctionWrapper.php are currently commented out.

Lines 71, 72 and 73 of /extensions/LDAPProvider/src/UserInfoRequest.php are currently commented out.

Cindy.cicalese (talkcontribs)

@Osnard, do you have any thoughts on this?

Osnard (talkcontribs)

  • Lines 76, 78, 176 and 181 (not 182) of /extensions/LDAPProvider/src/PlatformFunctionWrapper.php only disable error suppression.
  • Lines 71, 72 and 73 of /extensions/LDAPProvider/src/UserInfoRequest.php disable the error thrown in case the LDAP provider was not able to identify the user entry uniquely. This means you have more than one entry for that particular user in your LDAP, which is very unusual. Can you confirm this?

Chattadude (talkcontribs)

The underlying ldap database is FreeIPA / Red Hat IdM.

I only created a single user called "wiki" (the uid).


Maybe there's something in my json config that is a little bit off?

Osnard (talkcontribs)

In the debugging error log you should be able to see what is being returned by the LDAP backend, when the wiki searches for the user. This should only have one entry, but apparently it does not. Can you share the logs please?

Chattadude (talkcontribs)

How do I get the debug logs configured?

I tried adding the following to LocalSettings.php:


```php
$wgDebugLogGroups['LDAPAuthentication2'] = "/tmp/LDAP.log";
$wgDebugLogGroups['LDAPProvider'] = "/tmp/LDAP.log";
$wgDebugLogGroups['PluggableAuth'] = "/tmp/LDAP.log";
```


And then I gave the web server (Nginx) ownership of /tmp/LDAP.log (touch the file, then chown)

But that log remains empty.

Cindy.cicalese (talkcontribs)

Follow the instructions at Manual:How to debug. You'll want something like:


```php
ini_set( 'display_errors', 1 );
$wgShowDBErrorBacktrace = true;
$wgDebugLogFile = "/tmp/MediaWikiDebug.log";
$wgDebugDumpSql = true;
$wgShowSQLErrors = true;
$wgShowExceptionDetails = true;
```

Chattadude (talkcontribs)

Thanks.

I don't know if I'm missing code or what, but I always have to keep the suppressWarnings(); lines from /extensions/LDAPProvider/src/PlatformFunctionWrapper.php commented out, or else I always get this error message: `Call to undefined function MediaWiki\suppressWarnings()`


Leaving those commented out, but uncommenting lines 71-73 of UserInfoRequest.php, I always get this error message if I enter in correct credentials:

Class 'MediaWiki\Extension\LDAPProvider\MWException' not found. Commenting out 71 and 73, but leaving line 72 uncommented, I see: Fatal error authenticating user -- but in this case, I AM logged in.


In all cases, /tmp/MediaWikiDebug.log is empty. I've even done a chmod 777 on the log file, still nothing.


Checking FreeIPA's access logs, I don't see any errors.

However, running `ldapsearch -x uid=myuser`, I see quite a bit of output, including the following:

```
# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
```

Osnard (talkcontribs)

`numEntries: 2` is the issue here. Can you tell why there are two entries for that user in LDAP?
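An added diagnostic, not code from this thread or from LDAPProvider: it parses `ldapsearch` LDIF output offline and applies the same count rule that line 70 of UserInfoRequest.php enforces, then lists the subtree each hit lives in so a duplicate can be traced. The sample LDIF and its DNs are constructed; that the two hits sit under different subtrees of the search base is an assumption used for illustration, not something the thread establishes.

```python
import re

# Constructed sample LDIF (hypothetical DNs): the same account published under
# two subtrees of the search base, e.g. an "accounts" tree plus a "compat" view.
SAMPLE_LDIF = """\
# filter: uid=myuser

dn: uid=myuser,cn=users,cn=accounts,dc=lab,dc=example,dc=com
uid: myuser

dn: uid=myuser,cn=users,cn=compat,dc=lab,dc=example,dc=com
uid: myuser

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
"""

def entry_dns(ldif):
    """Return the DN of every entry in an ldapsearch LDIF dump.
    Comment lines are skipped; base64 DNs ("dn::") are returned undecoded."""
    return [m.group(1).strip() for m in re.finditer(r"^dn::?[ \t]*(.+)$", ldif, re.M)]

def parent_dn(dn):
    """Strip the leading RDN (naive split: escaped commas are not handled)."""
    return dn.split(",", 1)[1] if "," in dn else ""

def check_unique(ldif):
    """Same rule as LDAPProvider's UserInfoRequest: exactly one entry is fine,
    zero means the user is unknown, more than one is the
    'ldapprovider-more-than-one' case. Returns (status, list_of_dns)."""
    dns = entry_dns(ldif)
    if len(dns) == 1:
        return "ok", dns
    if not dns:
        return "not-found", dns
    return "more-than-one", dns

def candidate_userbasedns(ldif):
    """List the subtree each hit lives in; narrowing "userbasedn" in the
    domain JSON to one of them makes the user search unique again."""
    return sorted({parent_dn(dn) for dn in entry_dns(ldif)})

if __name__ == "__main__":
    status, dns = check_unique(SAMPLE_LDIF)
    print(status, *dns, sep="\n  ")
    print("candidate userbasedn values:", *candidate_userbasedns(SAMPLE_LDIF), sep="\n  ")
```

Feed it real output with `python3 check_entries.py < out.ldif` after replacing `SAMPLE_LDIF` with `sys.stdin.read()`; each DN printed under "more-than-one" is a separate entry the wiki's search matched.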

Chattadude (talkcontribs)

I have no clue.

I only created the 1 user.

That's probably a question for the folks over at FreeIPA.

Kylehutson (talkcontribs)

@Chattadude - Just wanted to give you a quick "thanks" for showing what changes to make. You've been very helpful!

Chattadude (talkcontribs)

Glad it was helpful. That said...

It's never a good idea to "hack core" or other extensions, so I wouldn't recommend leaving your code as-is in the state that I described above. I would recommend instead working with the extension maintainers and/or your LDAP provider (AD, FreeIPA, etc...) to figure out the root cause of the issue you are having.


I still intend to contact the FreeIPA maintainers and try to figure out why my ldapsearch query is showing 2 different entries, because I agree with @Osnard -- that's indeed a weird situation.