Hello,
I recently upgraded the mediawiki package on a debian buster server and i am configuring the ldap authentication with LDAPAuthentication2 instead of the old extension 'LdapAuthentication'.
When i try the ldap authentication, i got the message "The supplied credentials are not associated with any user on this wiki".
This 2 scripts below are ok and retrieve information from our ldap directory.
- php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain "ldap.sub.mydomain.com" --username Nicolasgo
- php extensions/LDAPProvider/maintenance/CheckLogin.php --domain "ldap.sub.mydomain.com" --username Nicolasgo
Password:mypass OK
Here is my LDAP section from LocalSettings.php
... $wgShowDBErrorBacktrace = false; $wgDebugDumpSql = false; $wgShowSQLErrors = false; $wgShowExceptionDetails = true; $wgDebugToolbar = true; $wgDebugLogFile = "/tmp/wikimedia.log";
wfLoadExtension( 'PluggableAuth' ); wfLoadExtension( 'LDAPProvider' ); wfLoadExtension( 'LDAPAuthentication2' ); wfLoadExtension( 'LDAPAuthorization' ); wfLoadExtension( 'LDAPUserInfo' );
//$LDAPAuthentication2UsernameNormalizer = 'strtolower'; $wgPluggableAuth_EnableAutoLogin = true; $wgPluggableAuth_EnableLocalLogin = false; $wgPluggableAuth_EnableLocalProperties = false; ...
Here is my ldapprovider.json configuration :
{
"ldap.sub.mydomain.com": { "connection": { "server": "ldap.sub.mydomain.com", "user": "loginId=nicolasgo,ou=users,dc=sub,dc=mydomain,dc=com", "pass": "mypass", "options": { "LDAP_OPT_DEREF": 1 }, "port": 636, "enctype": "ssl", "basedn": "dc=sub,dc=mydomain,dc=com", "groupbasedn": "dc=sub,dc=mydomain,dc=com", "userbasedn": "ou=users,dc=sub,dc=mydomain,dc=com", "searchattribute": "loginId", "searchstring": "loginId=USER-NAME,ou=users,dc=sub,dc=mydomain,dc=com", "usernameattribute": "loginId", "realnameattribute": "cn", "emailattribute": "mail" }, "authorization": { "rules": { } }, "userinfo": { "attributes-map": { "email": "mail", "realname": "cn" } } }
}
Here are some lines from /tmp/wikimedia.log when trying to authenticate :
"Start request GET /index.php?title=Sp%C3%A9cial:Connexion HTTP HEADERS: COOKIE: mediawiki_dbUserName=Nicolasgo; mediawiki_db_session=e4gn5jc5la5rbtd82k6ffihsl6isr4ib TE: trailers UPGRADE-INSECURE-REQUESTS: 1 REFERER: h t t p s : / / wiki2.sub.mydomain.com/index.php?title=Sp%C3%A9cial:Connexion ACCEPT-ENCODING: gzip, deflate, br ACCEPT-LANGUAGE: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3 ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 USER-AGENT: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36 HOST: wiki2.sub.mydomain.com CONTENT-LENGTH: CONTENT-TYPE: [caches] cluster: APCUBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: APCUBagOStuff, session: APCUBagOStuff [caches] LocalisationCache: using store LCStoreDB [DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection. [DBReplication] Cannot use ChronologyProtector with EmptyBagOStuff. [DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: using request info { "IPAddress": "10.XX.XX.XX", "UserAgent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.100 Safari\/537.36", "ChronologyProtection": false, "ChronologyPositionIndex": 0 } [DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: connected to database 0 at 'localhost'. [session] Session "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" requested without UserID cookie Unstubbing $wgParser on call of $wgParser::setHook from require_once Parser: using preprocessor: Preprocessor_DOM [CryptRand] 0 bytes of randomness leftover in the buffer. [session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" data dirty due to dirty(): AuthManagerSpecialPage->handleReturnBeforeExecute/MediaWiki\Auth\AuthManager->removeAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty [session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" save: dataDirty=1 metaDirty=0 forcePersist=0 [MessageCache] MessageCache::load: Loading fr... local cache is empty, got from global cache Unstubbing $wgLang on call of $wgLang::_unstub from ParserOptions->__construct QuickTemplate::__construct was called with no Config instance passed to it [CryptRand] 0 bytes of randomness leftover in the buffer. [session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" data dirty due to dirty(): PluggableAuthContinueAuthenticationRequest->loadFromSubmission/MediaWiki\Auth\AuthManager->removeAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty [session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" save: dataDirty=1 metaDirty=0 forcePersist=0 [authentication] Primary login with PluggableAuthPrimaryAuthenticationProvider succeeded [authentication] Primary login with PluggableAuthPrimaryAuthenticationProvider succeeded, but returned no user [CryptRand] 0 bytes of randomness leftover in the buffer. [session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" data dirty due to dirty(): AuthManagerSpecialPage->performAuthenticationStep/MediaWiki\Auth\AuthManager->continueAuthentication/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty [session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" save: dataDirty=1 metaDirty=0 forcePersist=0 [authevents] Login attempt QuickTemplate::__construct was called with no Config instance passed to it MediaWiki::preOutputCommit: primary transaction round committed MediaWiki::preOutputCommit: pre-send deferred updates completed MediaWiki::preOutputCommit: LBFactory shutdown completed [MessageCache] MessageCache::load: Loading en... local cache is empty, got from global cache [gitinfo] Computed cacheFile=/usr/share/mediawiki/gitinfo.json for /usr/share/mediawiki [gitinfo] Cache incomplete for /usr/share/mediawiki"
Here are some observation :
- MediaWiki: 1.31.7 PHP: 7.3.14-1~deb10u1 Time: 1.01150 Memory: 20,48 Mio (Peak: 20,66 Mio) - If i comment out '$LDAPAuthentication2UsernameNormalizer = 'strtolower';' i got a backtrace with error 'DomainException from line 616 of /usr/share/mediawiki/includes/auth/AuthManager.php: PluggableAuthPrimaryAuthenticationProvider returned an invalid username'
Could you give me some hints to resolve this please ? Thank you in advance.
Nicolas