Topic on Project:Support desk

LDAP query works with script but not on MediaWiki.

Summary by Kittencorn

I missed $wgGroupPermissions['*']['autocreateaccount'] = true;

Kittencorn (talkcontribs)

I am trying to migrate from IIS to CentOS apache, but I am having issues with LDAP. My original config worked with Remote Auth, but this seems more complicated in Linux.

If I run 'php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain mydomain --username 1234567' I get results back fine. But if I try to sign in with PluggableAuth I get the error 'Could not fetch required user info to complete login' and no LDAP logs are generated.


wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPGroups' );

$LDAPAuthorizationAutoAuthRemoteUserStringParser = 'domain-backslash-username';
$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$LDAPAuthentication2AllowLocalLogin = false;
# $wgAuthRemoteuserAllowUserSwitch = false;
$wgPluggableAuth_EnableLocalLogin = false;

$wgDebugLogGroups['LDAPUserInfo'] = "/var/www/mydomain.my.com/log/DAPUserInfo.log";
$wgDebugLogGroups['LDAPGroups'] = "/var/www/mydomain.my.com/log/LDAPGroups.log";

$LDAPProviderDomainConfigProvider = function() {
    $config = [
        'mydomain' => [
            'connection' => [
                "server" => "dc.mydomain.my.com",
                "user" => "CN=Media Wiki,CN=Managed Service Accounts,DC=mydomain,DC=my,DC=com",
                "pass" => "xxxxxxxxxxx",
                "options" => [
                    "LDAP_OPT_DEREF" => 1
                ],
                "basedn" => "DC=mydomain,DC=my,DC=com",
                "groupbasedn" => "DC=mydomain,DC=my,DC=com",
                "userbasedn" => "DC=mydomain,DC=my,DC=com",
                "searchattribute" => "samaccountname",
                "usernameattribute" => "samaccountname",
                "realnameattribute" => "displayname",
                "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory"
            ],
            'authorization' => [
                'rules' => [
                    'groups' => [
                        'required' => [
                            "CN=My Grup,DC=mydomain,DC=my,DC=com"
                        ]
                    ]
                ]
            ],
            'userinfo' => [
                'attributes-map' => [
                    'realname' => 'fullname'
                ]
            ],
            'groupsync' => [
                "mechanism" => "mappedgroups",
                "mapping" => [
                    "sysop" => "CN=My Grup,DC=mydomain,DC=my,DC=com"
                ]
            ]
        ]
    ];
    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

Any ideas?


Osnard (talkcontribs)

Your config looks fine, and it is a good sign that the ShowUserInfo.php script works. If this particular error message occurs, there must be an entry in the "LDAPAuthentication2" log. Please add $wgDebugLogGroups['LDAPAuthentication2'] = "/var/www/mydomain.my.com/log/LDAPAuthentication2.log"; to your LocalSettings.php. Please also see LDAP_hub#Debugging (the entry for "LDAPAuthentication2" was missing there, sorry).

Kittencorn (talkcontribs)

Thanks. I have added them, but for some reason I only get logs when I run the script.

I also tried logging in with MYDOMAIN\1234567 and get the error 'Could not authenticate against domain 'mydomain''.

Bawolff (talkcontribs)

Check permissions on your log file; the CLI usually runs as a different user than the web server.

Not specific to this, but generally when the CLI behaves differently than the web it's due to different versions of PHP, different PHP extensions installed, or different SELinux rules applied.

Kittencorn (talkcontribs)

I've checked every permission that I could find; they all look correct. I changed to using Kerberos and remote_auth and I am now getting logs.

Changes above: $LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain';


error.log:

'php notice 1234567@MY.DOMAIN.COM'

client.log:

2020-06-01 09:19:25 mysite.my.domain.com my_wiki: Setting LDAP_OPT_PROTOCOL_VERSION to 3
2020-06-01 09:19:25 mysite.my.domain.com my_wiki: Setting LDAP_OPT_REFERRALS to 0
2020-06-01 09:19:25 mysite.my.domain.com my_wiki: Setting LDAP_OPT_DEREF to 1

LDAP.log:

2020-06-01 09:26:00 mysite.my.domain.com my_wiki: ldap_connect( $hostname = 'ldap://mydc.my.domain.com,:389', $port = 389 );
2020-06-01 09:26:00 mysite.my.domain.com my_wiki: # __METHOD__ returns Resource id #195
2020-06-01 09:26:00 mysite.my.domain.com my_wiki: ldap_set_option( $linkID, $option = 17, $newval = 3 );
2020-06-01 09:26:00 mysite.my.domain.com my_wiki: # returns 1
2020-06-01 09:26:00 mysite.my.domain.com my_wiki: ldap_set_option( $linkID, $option = 8, $newval = 0 );
2020-06-01 09:26:00 mysite.my.domain.com my_wiki: # returns 1
2020-06-01 09:26:00 mysite.my.domain.com my_wiki: ldap_set_option( $linkID, $option = 2, $newval = 1 );
2020-06-01 09:26:00 mysite.my.domain.com my_wiki: # returns 1
2020-06-01 09:26:00 mysite.my.domain.com my_wiki: ldap_bind( $linkID, $bindRDN = 'CN=ServiceAccount,DC=my,DC=domain,DC=com', $bindPassword = 'XXXX' );
2020-06-01 09:26:00 mysite.my.domain.com my_wiki: # returns 1

+ the LDAP search itself returning all my info


But it doesn't create me an account for the wiki and log me in.
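The thread resolves with the missing $wgGroupPermissions['*']['autocreateaccount'] setting from the summary, after the logging (Osnard) and CLI-versus-web-user (Bawolff) checks. The following pre-flight script is an added example, not code from this thread or from the LDAP extensions; the list of connection keys it treats as required is taken from the config posted above and is an assumption, not an LDAPProvider specification. It assumes it is run as the web server user (e.g. sudo -u apache php check.php) so the writability checks reflect what Apache sees.

```php
<?php
// Added example: pre-flight check for the settings discussed in this thread.
// Not from the thread or from the LDAP extensions; see the lead-in for assumptions.

/**
 * Return the problems that would stop a web login from completing even
 * though ShowUserInfo.php succeeds on the CLI.
 */
function checkLdapLoginPrereqs( array $domains, array $groupPermissions,
                                array $debugLogGroups ): array {
    $problems = [];
    // The fix from the summary: with local login disabled, PluggableAuth has
    // to create the wiki account on first login, which needs this permission.
    if ( empty( $groupPermissions['*']['autocreateaccount'] ) ) {
        $problems[] = "\$wgGroupPermissions['*']['autocreateaccount'] is not true";
    }
    // Osnard's request: the log group that records the login error must exist.
    foreach ( [ 'LDAPAuthentication2', 'LDAPUserInfo', 'LDAPGroups' ] as $g ) {
        if ( !isset( $debugLogGroups[$g] ) ) {
            $problems[] = "no \$wgDebugLogGroups['$g'] entry";
        } elseif ( !is_writable( dirname( $debugLogGroups[$g] ) ) ) {
            // Bawolff's point: a directory the CLI user can write to may still
            // be closed to the web server user running this check.
            $problems[] = "log directory for $g is not writable by the user running this check";
        }
    }
    // Shape check of each domain's connection block (assumed required keys).
    foreach ( $domains as $name => $d ) {
        foreach ( [ 'server', 'user', 'pass', 'basedn', 'searchattribute' ] as $k ) {
            if ( empty( $d['connection'][$k] ) ) {
                $problems[] = "domain '$name': connection.$k is missing";
            }
        }
    }
    return $problems;
}

// Constructed input mirroring the thread's settings before the fix (placeholders).
$domains = [ 'mydomain' => [ 'connection' => [
    'server' => 'dc.mydomain.my.com',
    'user' => 'CN=Media Wiki,DC=mydomain,DC=my,DC=com',
    'pass' => 'xxxx',
    'basedn' => 'DC=mydomain,DC=my,DC=com',
    'searchattribute' => 'samaccountname',
] ] ];
$groupPermissions = [];                       // autocreateaccount never set
$debugLogGroups = [ 'LDAPUserInfo' => '/var/www/mydomain.my.com/log/LDAPUserInfo.log' ];
foreach ( checkLdapLoginPrereqs( $domains, $groupPermissions, $debugLogGroups ) as $p ) {
    echo "PROBLEM: $p\n";
}
```

With the constructed input it reports the missing autocreateaccount permission and the two log groups that were never configured, which is the state the thread was in before the summary's fix.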