Topic on Extension talk:LDAPAuthentication2

Credentials are not associated with any user on this wiki.

109.197.247.94 (talkcontribs)

Hello,

I recently upgraded the mediawiki package on a Debian buster server and I am configuring the LDAP authentication with LDAPAuthentication2 instead of the old extension 'LdapAuthentication'.

When I try the LDAP authentication, I get the message "The supplied credentials are not associated with any user on this wiki".

The 2 scripts below are OK and retrieve information from our LDAP directory.

  1. php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain "ldap.sub.mydomain.com" --username Nicolasgo
  2. php extensions/LDAPProvider/maintenance/CheckLogin.php --domain "ldap.sub.mydomain.com" --username Nicolasgo

Password:mypass OK

Here is my LDAP section from LocalSettings.php

...
$wgShowDBErrorBacktrace = false;
$wgDebugDumpSql = false;
$wgShowSQLErrors = false;
$wgShowExceptionDetails = true;
$wgDebugToolbar = true;
$wgDebugLogFile = "/tmp/wikimedia.log";

wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPUserInfo' );

//$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_EnableLocalProperties = false;
...

Here is my ldapprovider.json configuration:

{

       "ldap.sub.mydomain.com": {
               "connection": {
                       "server": "ldap.sub.mydomain.com",
                       "user": "loginId=nicolasgo,ou=users,dc=sub,dc=mydomain,dc=com",
                       "pass": "mypass",
                       "options": {
                               "LDAP_OPT_DEREF": 1
                       },
                       "port": 636,
                       "enctype": "ssl",
                       "basedn": "dc=sub,dc=mydomain,dc=com",
                       "groupbasedn": "dc=sub,dc=mydomain,dc=com",
                       "userbasedn": "ou=users,dc=sub,dc=mydomain,dc=com",
                       "searchattribute": "loginId",
                       "searchstring": "loginId=USER-NAME,ou=users,dc=sub,dc=mydomain,dc=com",
                       "usernameattribute": "loginId",
                       "realnameattribute": "cn",
                       "emailattribute": "mail"
               },
               "authorization": {
                       "rules": {
                       }
               },
               "userinfo": {
                       "attributes-map": {
                               "email": "mail",
                               "realname": "cn"
                       }
               }
       }

}

Here are some lines from /tmp/wikimedia.log when trying to authenticate:

"Start request GET /index.php?title=Sp%C3%A9cial:Connexion
HTTP HEADERS:
COOKIE: mediawiki_dbUserName=Nicolasgo; mediawiki_db_session=e4gn5jc5la5rbtd82k6ffihsl6isr4ib
TE: trailers
UPGRADE-INSECURE-REQUESTS: 1
REFERER: h t t p s : / / wiki2.sub.mydomain.com/index.php?title=Sp%C3%A9cial:Connexion
ACCEPT-ENCODING: gzip, deflate, br
ACCEPT-LANGUAGE: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
USER-AGENT: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
HOST: wiki2.sub.mydomain.com
CONTENT-LENGTH:
CONTENT-TYPE:
[caches] cluster: APCUBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: APCUBagOStuff, session: APCUBagOStuff
[caches] LocalisationCache: using store LCStoreDB
[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection.
[DBReplication] Cannot use ChronologyProtector with EmptyBagOStuff.
[DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: using request info { "IPAddress": "10.XX.XX.XX", "UserAgent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.100 Safari\/537.36", "ChronologyProtection": false, "ChronologyPositionIndex": 0 }
[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: connected to database 0 at 'localhost'.
[session] Session "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" requested without UserID cookie
Unstubbing $wgParser on call of $wgParser::setHook from require_once
Parser: using preprocessor: Preprocessor_DOM
[CryptRand] 0 bytes of randomness leftover in the buffer.
[session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" data dirty due to dirty(): AuthManagerSpecialPage->handleReturnBeforeExecute/MediaWiki\Auth\AuthManager->removeAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty
[session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" save: dataDirty=1 metaDirty=0 forcePersist=0
[MessageCache] MessageCache::load: Loading fr... local cache is empty, got from global cache
Unstubbing $wgLang on call of $wgLang::_unstub from ParserOptions->__construct
QuickTemplate::__construct was called with no Config instance passed to it
[CryptRand] 0 bytes of randomness leftover in the buffer.
[session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" data dirty due to dirty(): PluggableAuthContinueAuthenticationRequest->loadFromSubmission/MediaWiki\Auth\AuthManager->removeAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty
[session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" save: dataDirty=1 metaDirty=0 forcePersist=0
[authentication] Primary login with PluggableAuthPrimaryAuthenticationProvider succeeded
[authentication] Primary login with PluggableAuthPrimaryAuthenticationProvider succeeded, but returned no user
[CryptRand] 0 bytes of randomness leftover in the buffer.
[session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" data dirty due to dirty(): AuthManagerSpecialPage->performAuthenticationStep/MediaWiki\Auth\AuthManager->continueAuthentication/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty
[session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" save: dataDirty=1 metaDirty=0 forcePersist=0
[authevents] Login attempt
QuickTemplate::__construct was called with no Config instance passed to it
MediaWiki::preOutputCommit: primary transaction round committed
MediaWiki::preOutputCommit: pre-send deferred updates completed
MediaWiki::preOutputCommit: LBFactory shutdown completed
[MessageCache] MessageCache::load: Loading en... local cache is empty, got from global cache
[gitinfo] Computed cacheFile=/usr/share/mediawiki/gitinfo.json for /usr/share/mediawiki
[gitinfo] Cache incomplete for /usr/share/mediawiki"

Here are some observations:

- MediaWiki: 1.31.7 PHP: 7.3.14-1~deb10u1 Time: 1.01150 Memory: 20,48 Mio (Peak: 20,66 Mio)
- If I comment out '$LDAPAuthentication2UsernameNormalizer = 'strtolower';', I got a backtrace with the error 'DomainException from line 616 of /usr/share/mediawiki/includes/auth/AuthManager.php: PluggableAuthPrimaryAuthenticationProvider returned an invalid username'

Could you give me some hints to resolve this, please? Thank you in advance.

Nicolas

Osnard (talkcontribs)

Please try to remove the "authorization" section from your domain config completely.

109.197.247.94 (talkcontribs)

Hello,

Thank you for your answer. I removed the "authorization" section from the ldapprovider.json file and I don't load the LDAPAuthorization extension anymore from LocalSettings.php.

But the result is the same. Do you have another idea?

Best regards, Nicolas.

109.197.247.94 (talkcontribs)

I'm not sure if I am using the right version of PHP; I notice this PHP warning in the PluggableAuthLogin logs.

"[error] [72c6d20312d838d0d3ef852a] /index.php?title=Sp%C3%A9cial:PluggableAuthLogin ErrorException from line 89 of /var/lib/mediawiki/extensions/PluggableAuth/includes/PluggableAuthLogin.php: PHP Warning: count(): Parameter must be an array or an object that implements Countable"

Have you already seen this error?

I tried to get around this count function in "PluggableAuth/includes/PluggableAuthLogin.php" (because my $returnToUrl variable is not null, but it seems to be a string instead of an array), but always the same result.

Thank you.

Osnard (talkcontribs)

If you are getting a DomainException you might set $LDAPProviderDefaultDomain = "ldap.sub.mydomain.com";

109.197.247.94 (talkcontribs)

Hello, thank you for the hint.

I added "$LDAPProviderDefaultDomain = "ldap.sub.mydomain.com";" in my LocalSettings.php. I still have the Domain Exception.

Here is the full backtrace I didn't post the last time:

[c6dab44f11ea607a1a3646b7] /index.php?title=Sp%C3%A9cial:Connexion DomainException from line 616 of /usr/share/mediawiki/includes/auth/AuthManager.php: PluggableAuthPrimaryAuthenticationProvider returned an invalid username:

Backtrace:

  #0 /usr/share/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(355): MediaWiki\Auth\AuthManager->continueAuthentication(array)
  #1 /usr/share/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(482): AuthManagerSpecialPage->performAuthenticationStep(string, array)
  #2 /usr/share/mediawiki/includes/htmlform/HTMLForm.php(660): AuthManagerSpecialPage->handleFormSubmit(array, VFormHTMLForm)
  #3 /usr/share/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(416): HTMLForm->trySubmit()
  #4 /usr/share/mediawiki/includes/specialpage/LoginSignupSpecialPage.php(316): AuthManagerSpecialPage->trySubmit()
  #5 /usr/share/mediawiki/includes/specialpage/SpecialPage.php(565): LoginSignupSpecialPage->execute(NULL)
  #6 /usr/share/mediawiki/includes/specialpage/SpecialPageFactory.php(568): SpecialPage->run(NULL)
  #7 /usr/share/mediawiki/includes/MediaWiki.php(288): SpecialPageFactory::executePath(Title, RequestContext)
  #8 /usr/share/mediawiki/includes/MediaWiki.php(861): MediaWiki->performRequest()
  #9 /usr/share/mediawiki/includes/MediaWiki.php(524): MediaWiki->main()
  #10 /usr/share/mediawiki/index.php(42): MediaWiki->run()
  #11 {main}

In the "Debug log", I got this line: "[authentication] [Auth] username: , user"

I checked in /usr/share/mediawiki/includes/auth/AuthManager.php, line 612. $res->username is empty.

Best regards.

Osnard (talkcontribs)

Which version of PluggableAuth are you using? There is no call to count in PluggableAuthLogin.php anymore. Please check whether the field "loginId" is actually listed in the result of LDAPProvider/maintenance/ShowUserInfo.php. Be aware that the extension is case sensitive here. You might check other variants like "loginid" or "loginID".

109.197.247.94 (talkcontribs)

Thank you Osnard, you found the solution. Authentication works now.

I am using PluggableAuth: REL1_31 (2019-05-20T02:40:46).

The field "loginid" is listed in the result of LDAPProvider/maintenance/ShowUserInfo.php but I was using "loginId" in my ldapprovider.json configuration.

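A check for the mismatch that resolved this thread, as an added example (not part of the thread and not code from the LDAPProvider project): it compares the attribute names configured in ldapprovider.json, case-sensitively, with the attribute names the directory returned. The function names are hypothetical, and the returned names are constructed sample data, assumed to be copied by hand from the ShowUserInfo.php output.

```python
import json

# Keys of the "connection" section that name an LDAP attribute.
ATTRIBUTE_KEYS = ("searchattribute", "usernameattribute",
                  "realnameattribute", "emailattribute")

def configured_attributes(domain_config):
    """Yield (setting path, attribute name) pairs from one domain's config."""
    connection = domain_config.get("connection", {})
    for key in ATTRIBUTE_KEYS:
        if key in connection:
            yield f"connection.{key}", connection[key]
    mapping = domain_config.get("userinfo", {}).get("attributes-map", {})
    for field, attribute in mapping.items():
        yield f"userinfo.attributes-map.{field}", attribute

def check_attribute_case(domain_config, returned_attributes):
    """Compare configured attribute names with those the directory returned.

    Returns (setting, configured name, finding) tuples for every name that
    does not match exactly; exact matches are omitted.
    """
    returned = set(returned_attributes)
    by_lower = {name.lower(): name for name in returned}
    findings = []
    for setting, name in configured_attributes(domain_config):
        if name in returned:
            continue
        actual = by_lower.get(name.lower())
        if actual is not None:
            findings.append((setting, name, f"case mismatch: use '{actual}'"))
        else:
            findings.append((setting, name, "not returned"))
    return findings

# Constructed sample: the thread's config reduced to its attribute settings,
# and attribute names as ShowUserInfo.php is assumed to have listed them.
SAMPLE_CONFIG = json.loads("""{
  "ldap.sub.mydomain.com": {
    "connection": {"searchattribute": "loginId", "usernameattribute": "loginId",
                   "realnameattribute": "cn", "emailattribute": "mail"},
    "userinfo": {"attributes-map": {"email": "mail", "realname": "cn"}}
  }
}""")
SAMPLE_RETURNED = ["loginid", "cn", "mail", "objectclass"]

if __name__ == "__main__":
    for domain, config in SAMPLE_CONFIG.items():
        for setting, name, finding in check_attribute_case(config, SAMPLE_RETURNED):
            print(f"{domain}: {setting} = {name!r}: {finding}")
```

Run against the sample, it flags both "loginId" settings and leaves "cn" and "mail" alone.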