Hi,
I have a problem with syncing of LDAP (Microsoft AD) group memberships to local wiki groups.
MediaWiki version: 1.34
LDAPGroups version: master (2020-03-02T07:11:00, c76e11b)
I have this user, let's call him Example-user, that has been in both groups wiki-read and wiki-write for a while.
Now our AD team has removed this guy from the corresponding AD group Wiki_ReadWrite, but somehow he still pops up as a member of wiki-write on Special:ListUsers and, even worse, still has the permission to edit and save pages.
Special:Listgrouprights has wiki-read with only one permission (read) and wiki-write with three permissions (read, edit and delete).
The permissions of the group "users" have been trimmed to only read and editmyusercss.
I suspect there is an error with syncing the groups of this user for some reason.
The output of the maintenance script ShowUserGroups.php shows his correct groups:
root# php extensions/LDAPProvider/maintenance/ShowUserGroups.php --username Example-user --domain mydomain.net
Full DNs:
<some omitted>
CN=Wiki_ReadOnly,OU=Groups,DC=mydomain,DC=net
Short names:
<some omitted>
wiki_readonly
Notice the explicitly missing group of Wiki_ReadWrite!
When running the maintenance script SyncUserGroups.php of the LDAPGroups extension, I get the following output:
root# php extensions/LDAPGroups/maintenance/SyncGroups.php --user Example-user
PHP Notice: Undefined property: MediaWiki\Extension\LDAPGroups\Maintenance\SyncGroups::$config in /opt/rh/httpd24/root/var/www/html/wiki/extensions/LDAPGroups/maintenance/SyncGroups.php on line 77
Syncing groups for 'Example-user' (ID:11) ...
Old groups:
* wiki-read
* wiki-write
ConfigException from line 53 of /opt/rh/httpd24/root/var/www/html/wiki/includes/config/GlobalVarConfig.php: GlobalVarConfig::get: undefined option: 'LDAPGroupsSyncMechanismRegistry'
#0 /opt/rh/httpd24/root/var/www/html/wiki/extensions/LDAPGroups/maintenance/SyncGroups.php(61): GlobalVarConfig->get('LDAPGroupsSyncM...')
#1 /opt/rh/httpd24/root/var/www/html/wiki/maintenance/doMaintenance.php(99): MediaWiki\Extension\LDAPGroups\Maintenance\SyncGroups->execute()
#2 /opt/rh/httpd24/root/var/www/html/wiki/extensions/LDAPGroups/maintenance/SyncGroups.php(87): require_once('/opt/rh/httpd24...')
#3 {main}
So it correctly grasps the old groups the user was in, but doesn't seem to be able to sync the current groups correctly.
Here's my ldap.json:
{
  "mydomain.net": {
    "connection": {
      "server": "dc.mydomain.net",
      "port": "389",
      "user": "CN=MyBindUser,OU=Users,DC=mydomain,DC=net",
      "pass": "omittedPassword",
      "enctype": "clear",
      "options": {
        "LDAP_OPT_DEREF": 1
      },
      "basedn": "DC=mydomain,DC=net",
      "userbasedn": "DC=mydomain,DC=net",
      "groupbasedn": "DC=mydomain,DC=net",
      "searchstring": "USER-NAME@mydomain.net",
      "searchattribute": "samaccountname",
      "usernameattribute": "samaccountname",
      "realnameattribute": "displayname",
      "emailattribute": "mail",
      "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
    },
    "userinfo": [],
    "groupsync": {
      "mapping": {
        "sysop": "CN=Wiki_Admin,OU=Groups,DC=mydomain,DC=net",
        "wiki-read": "CN=Wiki_ReadOnly,OU=Groups,DC=mydomain,DC=net",
        "wiki-write": "CN=Wiki_ReadWrite,OU=Groups,DC=mydomain,DC=net"
      }
    },
    "authorization": {
      "rules": {
        "groups": {
          "required": [
            "CN=Wiki_Admin,OU=Groups,DC=mydomain,DC=net",
            "CN=Wiki_ReadOnly,OU=Groups,DC=mydomain,DC=net",
            "CN=Wiki_ReadWrite,OU=Groups,DC=mydomain,DC=net"
          ]
        }
      }
    }
  }
}
Real values have been omitted for security reasons :)
SyncUserGroups.php says undefined option: 'LDAPGroupsSyncMechanismRegistry', but I think that should be the default value of mappedgroups as stated on Extension:LDAPGroups, as I have not defined this explicitly in my ldap.json.
Any help is much appreciated :)
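As an added illustration (not code from the post above and not the LDAPGroups extension's own code), here is a small Python model of the mapped-groups sync the post expects to run by default: only local groups that appear in groupsync.mapping are ever added or removed, every other local group is left alone, and DNs are compared case-insensitively because Active Directory returns them in varying case. Those semantics are my assumption about how the extension behaves; the sample values are constructed from the post (the mapping from ldap.json, the DN that ShowUserGroups.php printed, and the "Old groups" that SyncGroups.php printed before it crashed), plus one constructed local-only group ("bureaucrat") that is not in the post and exists only to show that unmanaged groups survive the sync.

```python
"""Model of a "mapped groups" LDAP -> local group sync.

Added example; the rules below are an assumption about the extension's
behaviour, not its source:
  * a local group is managed only if it has an entry in the mapping
  * managed groups are granted iff the user holds one of the mapped DNs
  * unmanaged local groups are never touched
"""
from typing import Dict, Iterable, List, Tuple, Union

DnSpec = Union[str, List[str]]  # one DN or several DNs per local group


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison: lowercase, no whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def compute_sync(
    mapping: Dict[str, DnSpec],
    current_dns: Iterable[str],
    old_local_groups: Iterable[str],
) -> Tuple[List[str], List[str], List[str]]:
    """Return (resulting groups, groups to add, groups to remove) for one user.

    mapping:          local group -> LDAP group DN(s)  (groupsync.mapping)
    current_dns:      DNs the directory reports for the user right now
    old_local_groups: groups the wiki currently has the user in
    """
    ldap_now = {normalize_dn(dn) for dn in current_dns}
    old = set(old_local_groups)
    managed = set(mapping)  # only these may be added or removed

    should_have = set()
    for local_group, dns in mapping.items():
        candidates = dns if isinstance(dns, list) else [dns]
        if any(normalize_dn(dn) in ldap_now for dn in candidates):
            should_have.add(local_group)

    to_add = should_have - old
    to_remove = (old & managed) - should_have  # stale managed memberships
    result = (old - to_remove) | to_add
    return sorted(result), sorted(to_add), sorted(to_remove)


# Constructed from the post: mapping from ldap.json, DN from ShowUserGroups.php,
# old groups from the SyncGroups.php output. "bureaucrat" is constructed and
# stands for a local-only group the directory knows nothing about.
MAPPING: Dict[str, DnSpec] = {
    "sysop": "CN=Wiki_Admin,OU=Groups,DC=mydomain,DC=net",
    "wiki-read": "CN=Wiki_ReadOnly,OU=Groups,DC=mydomain,DC=net",
    "wiki-write": "CN=Wiki_ReadWrite,OU=Groups,DC=mydomain,DC=net",
}
CURRENT_DNS = ["cn=wiki_readonly,ou=groups,dc=mydomain,dc=net"]  # AD lowercased it
OLD_GROUPS = ["wiki-read", "wiki-write", "bureaucrat"]


def example_user_sync() -> Tuple[List[str], List[str], List[str]]:
    """The sync the post's user should receive: wiki-write is dropped."""
    return compute_sync(MAPPING, CURRENT_DNS, OLD_GROUPS)


if __name__ == "__main__":
    result, add, remove = example_user_sync()
    print("add:", add)        # []
    print("remove:", remove)  # ['wiki-write']
    print("result:", result)  # ['bureaucrat', 'wiki-read']
```

Run on the post's values, the model removes wiki-write and keeps wiki-read, which is exactly the change the crashed SyncGroups.php run never got to apply. Until a sync completes, the stale local membership (not the directory) is what grants the edit right, so a sync job that aborts with an exception is worth alerting on rather than treating as a harmless maintenance-script warning.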