Topic on Extension talk:LDAPProvider

Group sync not working.

Kronoct (talkcontribs)

Hello,

I have set up a fresh installation of MediaWiki with LDAP authentication. I have it working; users can log in. The main problem is that groups are not being synced. If I uncomment the wfLoadExtension( 'LDAPGroups' ); or LDAPUserInfo one, it shows an error:

[cff073f5068a68def791a7c3] 2020-01-08 07:43:39: Fatal exception of type MediaWiki\Extension\LDAPProvider\LDAPNoDomainConfigException

I have tested with ShowUserGroups.php and it seems to be working:

php extensions/LDAPProvider/maintenance/ShowUserGroups.php --domain ldap-midominio.es --username rpv68m

Full DNs:

        cn=G_usu_dominildap,ou=usuarios,o=ldap

        cn=wikiCPD,ou=CPD,ou=usuarios,o=ldap

        cn=G_usu_wikiCPD_admin,ou=adminsrv,ou=Grupos,ou=usuarios,o=ldap

Short names:

        g_usu_ldapctg

        wikicpd

        g_usu_wikicpd_admin

What am I doing wrong? Here is my LocalSettings:

wfLoadExtension( 'PluggableAuth' );
#$wgPluggableAuth_EnableAutoLogin="true";
$wgPluggableAuth_EnableLocalLogin="true";
$wgPluggableAuth_ButtonLabelMessage="Dominio Novell";
wfLoadExtension( 'LDAPProvider' );
#wfLoadExtension( 'Auth_remoteuser' );
wfLoadExtension( 'LDAPGroups' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );

$LDAPProviderDomainConfigProvider = function() {
    $config = [
        "ldap-midominio.es" => [
            "connection" => [
                "server" => "dominio-ldap.ldap-midominio.es",
                "user" => "cn=wikicpd,ou=usuarios,ou=recursos,o=ldap",
                "pass" => "lahfd.lsab34",
                "basedn" => "ou=usuarios,o=ldap",
                "groupbasedn" => "ou=usuarios,o=ldap",
                "userbasedn" => "ou=usuarios,o=ldap",
                "searchattribute" => "cn",
                "searchstring" => "cn=USER-NAME,ou=CPD,ou=usuarios,o=ldap",
                "usernameattribute" => "cn",
                "realnameattribute" => "cn",
                "emailattribute" => "mail",
                "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
            ],
            "authorization" => [
                "rules" => [
                    "groups" => [
                        "required" => [
                            "cn=G_usu_wikiCPD_admin,ou=adminsrv,ou=Grupos,ou=usuarios,o=ldap",
                            "cn=G_usu_wikiCPD_CPD,ou=adminsrv,ou=Grupos,ou=usuarios,o=ldap",
                            "cn=G_usu_wikiCPD_programadores,ou=adminsrv,ou=Grupos,ou=usuarios,o=ldap",
                            "cn=G_usu_wikiCPD_sistemas,ou=adminsrv,ou=Grupos,ou=usuarios,o=ldap",
                            "cn=G_usu_wikiCPD_soporte,ou=adminsrv,ou=Grupos,ou=usuarios,o=ldap",
                            "cn=G_usu_wikiCPD_usuarios,ou=adminsrv,ou=Grupos,ou=usuarios,o=ldap"
                        ]
                    ]
                ]
            ],
            "groupsync" => [
                "mechanism" => "mappedgroups",
                "mapping" => [
                    "sysop" => "cn=G_usu_wikiCPD_admin,ou=adminsrv,ou=Grupos,ou=usuarios,o=ldap",
                    "bureaucrat" => "cn=G_usu_wikiCPD_admin,ou=adminsrv,ou=Grupos,ou=usuarios,o=ldap",
                    "CPD" => "cn=G_usu_wikiCPD_CPD,ou=adminsrv,ou=Grupos,ou=usuarios,o=ldap",
                    "programadores" => "cn=G_usu_wikiCPD_programadores,ou=adminsrv,ou=Grupos,ou=usuarios,o=ldap",
                    "sistemas" => "cn=G_usu_wikiCPD_sistemas,ou=adminsrv,ou=Grupos,ou=usuarios,o=ldap",
                    "soporte" => "cn=G_usu_wikiCPD_soporte,ou=adminsrv,ou=Grupos,ou=usuarios,o=ldap",
                    "users" => "cn=G_usu_wikiCPD_usuarios,ou=adminsrv,ou=Grupos,ou=usuarios,o=ldap"
                ]
            ],
            "userinfo" => [
                "email" => "mail",
                "realname" => "cn",
                "properties.gender" => "gender"
            ]
        ]
    ];
    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

Osnard (talkcontribs)

Does this only happen when "Auth_remoteuser" is enabled? If so, this is a known bug https://phabricator.wikimedia.org/T214147

A workaround would be to patch the file LDAPProvider/src/UserDomainStore.php like this:

/**
* @param User $user to get domain for
* @return string|null
*/
public function getDomainForUser( User $user ) {
    return "ldap-midominio.es";
    $userId = $user->getId();
...

If this also happens without "Auth_remoteuser", the workaround may still work. You might also want to set the value of ldap_domains.domain in the database to "ldap-midominio.es" for all users.

Kronoct (talkcontribs)

Sorry for the delay in answering; I didn't notice there was a reply.

Auth_remoteuser is disabled. If I enable that extension, it directly doesn't work.

I have followed the instructions and changed LDAPProvider/src/UserDomainStore.php, adding the line

return "ldap-midominio.es";

after

public function getDomainForUser( User $user ) {

Now it doesn't give the previous error, but if I try to access the wiki with an LDAP user it shows HTTP ERROR 500 ("This web page didn't work"), and in the URL bar of the browser I can see: https://wiki.ldap-midominio.es/index.php/Especial:PluggableAuthLogin

If I log in with a local user, it works fine.

Kronoct (talkcontribs)

If I disable both extensions (LDAPGroups and LDAPUserInfo) while keeping the modification in UserDomainStore, it shows the same error.

Kronoct (talkcontribs)

I have just reverted the modification and I get the same error... maybe I broke my system in another test. I will report back later.

134.130.45.92 (talkcontribs)

I have a similar problem: the login works, but no groups are automatically added to the user.

On the other hand, if I manually add the user to a group, for example 'bureaucrat', which is not part of the domain, I get the following:

[LDAPGroups] Removing 'bureaucrat' from 'myuser'.

Ideally, the behaviour would be the other way around: adding the groups automatically but not removing them.

Tuebel (talkcontribs)

Addendum (134.130.45.92 was me): the groups which are part of the domain do not get deleted.

Osnard (talkcontribs)

If you are using the "allgroups" mechanism, the groups must exist in the wiki. Have you set them in $wgGroupPermissions anywhere?

Osnard (talkcontribs)

If you don't want groups like "bureaucrat" to be removed, you need to put them on the list of "locally-managed" groups. See the "Domain Config" documentation.

Tuebel (talkcontribs)

Thank you, the "locally-managed" groups work as expected now.

I have tried both "allgroups" and "mappedgroups" and the group is part of a $wgGroupPermissions. Still, the group does not get synced when I login.

Osnard (talkcontribs)

Can you please share the output of the CLI script "LDAPProvider/maintenance/ShowUserGroups.php" and your current configuration?

Tuebel (talkcontribs)

The output of the script is:

Full DNs:

Short names:


My LDAP configuration is:

{
    "my_domain": {
        "connection": {
            "server": "my_server.de",
            "port": 389,
            "user": "cn=Wiki,ou=Bot,ou=Benutzer,ou=my_organization,dc=my_domain,dc=de",
            "pass": "SECRET",
            "enctype": "tls",
            "options": {},
            "basedn": "ou=my_ou,dc=my_domain,dc=de",
            "userbasedn": "ou=Benutzer,ou=my_organization,dc=my_domain,dc=de",
            "groupbasedn": "ou=Gruppen,,ou=my_organization,dc=my_domain,dc=de",
            "searchattribute": "samaccountname",
            "usernameattribute": "samaccountname",
            "realnameattribute": "displayname",
            "emailattribute": "mail"
        },
        "userinfo": [],
        "authorization": [],
        "groupsync": {
            "mechanism": "mappedgroups",
            "locally-managed": [
                "bot",
                "user",
                "sysop",
                "bureaucrat",
                "interface-admin"
            ],
            "mapping": {
                "g-mitarbeiter": "CN=G-Mitarbeiter,OU=Gruppen,OU=my_organization,DC=my_domain,DC=de"
            }
        }
    }
}


And here the section from LocalSettings.php:

# Permissions
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['user']['delete'] = true;

# Internal area
$wgGroupPermissions['g-mitarbeiter']['read'] = true;
define('NS_INTERN', 100);
define('NS_INTERN_TALK', 101);
$wgExtraNamespaces[NS_INTERN] = 'Intern';
$wgExtraNamespaces[NS_INTERN_TALK] = 'Intern_Diskussion';
$wgNamespacesToBeSearchedDefault[NS_INTERN] = true;
$wgNamespacePermissionLockdown[NS_INTERN]['read'] = array('g-mitarbeiter');
$wgNamespacePermissionLockdown[NS_INTERN_TALK]['read'] = array('g-mitarbeiter');
$wgNonincludableNamespaces[] = NS_INTERN;
$wgNonincludableNamespaces[] = NS_INTERN_TALK;

# Advanced editors for design issues
$wgGroupPermissions['AdvancedEditors']['editinterface'] = true;

# Load LDAP config from JSON
$ldapJsonFile = "/var/www/html/ldap.json";

# Activate extensions
wfLoadExtension('LDAPAuthentication2');
wfLoadExtension('LDAPAuthorization');
wfLoadExtension('LDAPProvider');
wfLoadExtension('LDAPGroups');
wfLoadExtension('LDAPUserInfo');
wfLoadExtension('PluggableAuth');

$LDAPProviderDomainConfigs = $ldapJsonFile;
$wgPluggableAuth_ButtonLabel = "Log In";


So I am trying to sync the group g-mitarbeiter .


Osnard (talkcontribs)

Well, as ShowUserGroups.php does not return anything I believe your group-request is configured wrong. By default connection.grouprequest is set to GroupUniqueMember. You might need to set it to GroupMember or more likely UserMemberOf.

Try setting

{
    "connection": {
        ...
        "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory"
        ...

Then run ShowUserGroups.php again.

Tuebel (talkcontribs)

Great, now I see all the groups from the active directory! But they still do not get synced.

I also tried

"mechanism": "MediaWiki\\Extension\\LDAPGroups\\SyncMechanism\\AllGroups::factory",

instead of

"mechanism": "allgroups",

The same for mappedgroups.

Osnard (talkcontribs)

The groups to be synced must exist in the wiki. So if you have the AD group CN=G-Mitarbeiter,OU=Gruppen,OU=my_organization,DC=my_domain,DC=de, you need to have a local wiki group called "G-Mitarbeiter". E.g. by adding something like $wgGroupPermissions['G-Mitarbeiter']['read'] = true; to your LocalSettings.php

Tuebel (talkcontribs)

This is already the case ...

Osnard (talkcontribs)

That's strange. Can you please share the output of "ShowUserGroups.php", the group related settings in your wiki and the domain config of the LDAP Stack?

Tuebel (talkcontribs)

ShowUserGroups.php:

Full DNs:
   CN=G-LBR,OU=Labor,OU=Gruppen,OU=IRT,DC=win,DC=mydc,DC=de
   CN=G-PLA-Chief,OU=Lehre,OU=Gruppen,OU=IRT,DC=win,DC=mydc,DC=de
   CN=G-MDF-Chief,OU=Gruppen,OU=IRT,DC=win,DC=mydc,DC=de
   CN=G-MRT-Chief,OU=Lehre,OU=Gruppen,OU=IRT,DC=win,DC=mydc,DC=de
   CN=G-Med,OU=Gruppen,OU=IRT,DC=win,DC=mydc,DC=de
   CN=G-Admin,OU=Gruppen,OU=IRT,DC=win,DC=mydc,DC=de
   CN=G-Service,OU=Gruppen,OU=IRT,DC=win,DC=mydc,DC=de

Short names:
   g-lbr
   g-pla-chief
   g-mdf-chief
   g-mrt-chief
   g-med
   g-admin
   g-service


LocalSettings.php (I tried both g-mitarbeiter and g-med):

# Permissions
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['user']['delete'] = true;

# Internal area
$wgGroupPermissions['g-mitarbeiter']['read'] = true;
$wgGroupPermissions['g-med']['read'] = true;
define('NS_INTERN', 100);
define('NS_INTERN_TALK', 101);
$wgExtraNamespaces[NS_INTERN] = 'Intern';
$wgExtraNamespaces[NS_INTERN_TALK] = 'Intern_Diskussion';
$wgNamespacesToBeSearchedDefault[NS_INTERN] = true;
$wgNamespacePermissionLockdown[NS_INTERN]['read'] = array('g-mitarbeiter');
$wgNamespacePermissionLockdown[NS_INTERN_TALK]['read'] = array('g-mitarbeiter');
$wgNonincludableNamespaces[] = NS_INTERN;
$wgNonincludableNamespaces[] = NS_INTERN_TALK;

# Advanced editors for design issues
$wgGroupPermissions['AdvancedEditors']['editinterface'] = true;

# Load LDAP config from JSON
$ldapJsonFile = "/var/www/html/ldap.json";

# Activate extensions
wfLoadExtension('LDAPAuthentication2');
wfLoadExtension('LDAPAuthorization');
wfLoadExtension('LDAPProvider');
wfLoadExtension('LDAPGroups');
wfLoadExtension('LDAPUserInfo');
wfLoadExtension('PluggableAuth');

$LDAPProviderDomainConfigs = $ldapJsonFile;
$wgPluggableAuth_ButtonLabel = "Log In";


ldap.json:

{
    "IRT": {
        "connection": {
            "server": "mydc.de",
            "port": 636,
            "user": "myuser",
            "pass": "mypass",
            "enctype": "ssl",
            "options": {},
            "basedn": "ou=IRT,dc=win,dc=mydc,dc=de",
            "userbasedn": "ou=Benutzer,ou=IRT,dc=win,dc=mydc,dc=de",
            "groupbasedn": "ou=Gruppen,ou=IRT,dc=win,dc=mydc,dc=de",
            "searchattribute": "samaccountname",
            "usernameattribute": "samaccountname",
            "realnameattribute": "displayname",
            "emailattribute": "mail",
            "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory"
        },
        "userinfo": [],
        "authorization": [],
        "groupsync": {
            "mechanism": "MediaWiki\\Extension\\LDAPGroups\\SyncMechanism\\MappedGroups::factory",
            "locally-managed": [
                "bot",
                "user",
                "sysop",
                "bureaucrat",
                "interface-admin",
                "widgeteditor"
            ],
            "mapping": {
                "g-mitarbeiter": "CN=G-Mitarbeiter,OU=Gruppen,OU=IRT,DC=win,DC=mydc,DC=de",
                "g-med": "CN=G-Med,OU=Gruppen,OU=IRT,DC=win,DC=mydc,DC=de"
            }
        }
    }
}

Osnard (talkcontribs)

So from what I can see, "g-med" should be synced, but "g-mitarbeiter" is not in the list the wiki gets from LDAP, so it won't be synced.
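Added example, not from the thread and not the LDAPGroups extension's own PHP: a Python model of the sync decision Osnard describes in this and his earlier replies (a group only syncs if the wiki knows it, "locally-managed" groups are never removed, and under "mappedgroups" a wiki group is granted only when one of its mapped DNs is in the list the wiki received). The DN list, mapping and group names below are constructed from Tuebel's posts; the names USER_DNS, MAPPING, WIKI_GROUPS, plan_sync and groups_from_ldap are this example's own. One assumption is flagged in the code: DNs are compared case-insensitively here, which matches Active Directory but should be checked against the extension version you run.

```python
"""Model of the LDAPGroups sync decision discussed in this thread.

Added example, not code from the LDAPProvider or LDAPGroups extensions.
All data below is constructed from the thread's posts.
"""

# DNs that ShowUserGroups.php printed for Tuebel's account (subset).
USER_DNS = [
    "CN=G-LBR,OU=Labor,OU=Gruppen,OU=IRT,DC=win,DC=mydc,DC=de",
    "CN=G-PLA-Chief,OU=Lehre,OU=Gruppen,OU=IRT,DC=win,DC=mydc,DC=de",
    "CN=G-Med,OU=Gruppen,OU=IRT,DC=win,DC=mydc,DC=de",
    "CN=G-Admin,OU=Gruppen,OU=IRT,DC=win,DC=mydc,DC=de",
]
# groupsync.mapping from ldap.json: wiki group -> LDAP DN (or list of DNs).
MAPPING = {
    "g-mitarbeiter": "CN=G-Mitarbeiter,OU=Gruppen,OU=IRT,DC=win,DC=mydc,DC=de",
    "g-med": "CN=G-Med,OU=Gruppen,OU=IRT,DC=win,DC=mydc,DC=de",
}
LOCALLY_MANAGED = ["bot", "user", "sysop", "bureaucrat", "interface-admin", "widgeteditor"]
# Explicit groups the wiki knows (keys of $wgGroupPermissions plus built-ins).
# 'g-lbr', 'g-admin' and the other AD groups are deliberately absent.
WIKI_GROUPS = {"sysop", "bureaucrat", "bot", "interface-admin",
               "g-mitarbeiter", "g-med", "AdvancedEditors"}


def dn_key(dn):
    # Assumption of this model: DNs compare case-insensitively, as in AD.
    # Verify how the extension version you run compares them.
    return ",".join(part.strip().lower() for part in dn.split(","))


def short_name(dn):
    # "Short name" as ShowUserGroups.php prints it: first RDN value, lowercased.
    return dn.split(",", 1)[0].split("=", 1)[1].strip().lower()


def groups_from_ldap(user_dns, mechanism, mapping=None):
    """Wiki group names the LDAP side grants under the given groupsync.mechanism."""
    have = {dn_key(dn) for dn in user_dns}
    if mechanism == "allgroups":
        return {short_name(dn) for dn in user_dns}
    if mechanism == "mappedgroups":
        granted = set()
        for wiki_group, dns in (mapping or {}).items():
            dns = [dns] if isinstance(dns, str) else dns
            if any(dn_key(dn) in have for dn in dns):
                granted.add(wiki_group)
        return granted
    raise ValueError("unknown groupsync.mechanism: %r" % mechanism)


def plan_sync(current, user_dns, mechanism, wiki_groups=WIKI_GROUPS,
              locally_managed=(), mapping=None):
    """Return (to_add, to_remove) for one login.

    current: explicit wiki groups the user holds now (implicit '*'/'user' excluded).
    """
    granted = groups_from_ldap(user_dns, mechanism, mapping)
    current, managed = set(current), set(locally_managed)
    # Names the wiki does not know are dropped: a group only syncs if it exists
    # in the wiki, which is why $wgGroupPermissions['g-med'] matters.
    to_add = (granted & set(wiki_groups)) - current
    # Anything held that LDAP does not grant is removed (the
    # "[LDAPGroups] Removing 'bureaucrat'" case) unless it is locally managed.
    to_remove = current - granted - managed
    return sorted(to_add), sorted(to_remove)


if __name__ == "__main__":
    for mech in ("mappedgroups", "allgroups"):
        print(mech, plan_sync(["bureaucrat"], USER_DNS, mech,
                              locally_managed=LOCALLY_MANAGED, mapping=MAPPING))
    print("no locally-managed:",
          plan_sync(["bureaucrat"], USER_DNS, "mappedgroups", mapping=MAPPING))
```

With Tuebel's data this yields g-med added and nothing removed; g-mitarbeiter is never granted because its DN is not in the list LDAP returned, and dropping "bureaucrat" from the locally-managed list reproduces the removal Tuebel saw in the log.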

Tuebel (talkcontribs)

That's what I thought, too. So, I am in the group g-med and all members of g-med are part of g-mitarbeiter. That is probably why g-mitarbeiter does not show up. With the old LDAP Authentication however, it worked just fine. Moreover, g-med is not synced either.

Osnard (talkcontribs)

"connection.nestedgroups" is currently only possible with "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
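Added example, not from the thread and not the LDAPProvider extension's PHP: a Python model of the three "grouprequest" strategies Osnard names (GroupUniqueMember, GroupMember, UserMemberOf), serving both his earlier reply that switched Tuebel to UserMemberOf and the note above about "nestedgroups". A small in-memory directory, constructed here and loosely following Tuebel's tree, stands in for LDAP; DIRECTORY, GROUP_BASE_DN, USER_DN, search_groups and the strategy functions are this example's own names. It shows why ShowUserGroups.php printed nothing with the default request against Active Directory, and why only a repeated GroupMember search can see that G-Med is itself a member of G-Mitarbeiter.

```python
"""Model of the UserGroupsRequest strategies named in this thread.

Added example, not the extension's PHP. The directory is constructed data.
"""

# Constructed directory: normalised DN -> attributes. AD style: groups carry
# "member", entries carry "memberOf", and no entry has "uniqueMember".
DIRECTORY = {
    "cn=tuebel,ou=benutzer,ou=irt,dc=win,dc=mydc,dc=de": {
        "objectclass": ["user"],
        "memberof": ["CN=G-Med,OU=Gruppen,OU=IRT,DC=win,DC=mydc,DC=de"],
    },
    "cn=g-med,ou=gruppen,ou=irt,dc=win,dc=mydc,dc=de": {
        "objectclass": ["group"],
        "member": ["CN=tuebel,OU=Benutzer,OU=IRT,DC=win,DC=mydc,DC=de"],
        "memberof": ["CN=G-Mitarbeiter,OU=Gruppen,OU=IRT,DC=win,DC=mydc,DC=de"],
    },
    "cn=g-mitarbeiter,ou=gruppen,ou=irt,dc=win,dc=mydc,dc=de": {
        "objectclass": ["group"],
        "member": ["CN=G-Med,OU=Gruppen,OU=IRT,DC=win,DC=mydc,DC=de"],
    },
}
GROUP_BASE_DN = "ou=gruppen,ou=irt,dc=win,dc=mydc,dc=de"   # "groupbasedn"
USER_DN = "CN=tuebel,OU=Benutzer,OU=IRT,DC=win,DC=mydc,DC=de"


def norm(dn):
    # Case-insensitive DN comparison, as AD does it.
    return ",".join(p.strip().lower() for p in dn.split(","))


def search_groups(base_dn, attr, value_dn):
    """Stand-in for an LDAP search under base_dn with the filter (attr=value_dn)."""
    want = norm(value_dn)
    return [dn for dn, entry in DIRECTORY.items()
            if dn.endswith(norm(base_dn))
            and "group" in entry.get("objectclass", [])
            and want in {norm(v) for v in entry.get(attr, [])}]


def group_unique_member(user_dn):
    # Default grouprequest: (uniqueMember=<user DN>) under groupbasedn.
    # Against AD this matches nothing, hence the empty ShowUserGroups.php output.
    return search_groups(GROUP_BASE_DN, "uniquemember", user_dn)


def user_member_of(user_dn):
    # UserMemberOf: one read of the user's own memberOf attribute.
    # Only direct memberships are listed; G-Mitarbeiter never appears.
    entry = DIRECTORY.get(norm(user_dn), {})
    return [norm(g) for g in entry.get("memberof", [])]


def group_member(user_dn, nested=False):
    # GroupMember: (member=<DN>) under groupbasedn. With nested=True the search
    # is repeated for every group found, which is what resolves group-in-group.
    found, seen, todo = [], set(), [user_dn]
    while todo:
        for group_dn in search_groups(GROUP_BASE_DN, "member", todo.pop()):
            if group_dn not in seen:
                seen.add(group_dn)
                found.append(group_dn)
                if nested:
                    todo.append(group_dn)
    return found


def short_names(dns):
    # What ShowUserGroups.php prints under "Short names": first RDN value, lowercased.
    return [norm(dn).split(",", 1)[0].split("=", 1)[1] for dn in dns]


if __name__ == "__main__":
    strategies = (("GroupUniqueMember", group_unique_member),
                  ("UserMemberOf", user_member_of),
                  ("GroupMember", group_member),
                  ("GroupMember+nested", lambda u: group_member(u, nested=True)))
    for name, fn in strategies:
        print(name, short_names(fn(USER_DN)))
```

The practical check this encodes: if ShowUserGroups.php prints empty lists, confirm which membership attribute your directory actually exposes (uniqueMember, member or memberOf) before touching the groupsync section, and expect nested membership only from the GroupMember walk.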

Tuebel (talkcontribs)

I let it sit for a while, as it was not my top priority. Today I checked again and it magically seems to work with MediaWiki 1.35.2.

Thanks for your help!
