Topic on Extension talk:LDAPGroups

User stays in Mediawiki group after deletion from LDAP group

10 comments • 08:53, 15 June 2020 3 years ago

10

80.245.147.81 (talkcontribs)

Hi,

I have a problem with syncing of LDAP (Microsoft AD) group memberships to local wiki groups.

Mediawiki version: 1.34

LDAPGroups version:

LDAPGroups: master

2020-03-02T07:11:00

c76e11b

I have this user, let's call him Example-user, that has been in both groups wiki-read and wiki-write for a while.

Now our AD team has removed this guy from the corresponding AD group Wiki_ReadWrite but somehow, he still pops up as a member of wiki-write on Special:ListUsers and, even worse, still has the permission to edit and save pages.

Special:Listgrouprights has wiki-read with only one permission (read) and wiki-write with three permissions (read, edit and delete).

Permissions of the group "users" have been trimmed to only read and editmyusercss.

I suspect, there is an error with syncing the groups of this user for some reason.

Output of maintenance script ShowUserGroups.php shows his correct groups:

root# php extensions/LDAPProvider/maintenance/ShowUserGroups.php --username Example-user --domain mydomain.net

Full DNs:

<some omitted>

CN=Wiki_ReadOnly,OU=Groups,DC=mydomain,DC=net

Short names:

<some omitted>

wiki_readonly

Notice the explicitly missing group of Wiki_ReadWrite!

When running the maintenance script SyncUserGroups.php of LDAPGroups extension, I get the following output:

root# php extensions/LDAPGroups/maintenance/SyncGroups.php --user Example-user

PHP Notice: Undefined property: MediaWiki\Extension\LDAPGroups\Maintenance\SyncGroups::$config in /opt/rh/httpd24/root/var/www/html/wiki/extensions/LDAPGroups/maintenance/SyncGroups.php on line 77

Syncing groups for 'Example-user' (ID:11) ...

Old groups:

* wiki-read

* wiki-write

ConfigException from line 53 of /opt/rh/httpd24/root/var/www/html/wiki/includes/config/GlobalVarConfig.php: GlobalVarConfig::get: undefined option: 'LDAPGroupsSyncMechanismRegistry'

#0 /opt/rh/httpd24/root/var/www/html/wiki/extensions/LDAPGroups/maintenance/SyncGroups.php(61): GlobalVarConfig->get('LDAPGroupsSyncM...')

#1 /opt/rh/httpd24/root/var/www/html/wiki/maintenance/doMaintenance.php(99): MediaWiki\Extension\LDAPGroups\Maintenance\SyncGroups->execute()

#2 /opt/rh/httpd24/root/var/www/html/wiki/extensions/LDAPGroups/maintenance/SyncGroups.php(87): require_once('/opt/rh/httpd24...')

#3 {main}

So it correctly grasps the old groups the user was in, but doesn't seem to be able to sync the current groups correctly.

Here's my ldap.json:

ldap.json

{

"mydomain.net": {

"connection": {

"server": "dc.mydomain.net",

"port": "389",

"user": "CN=MyBindUser,OU=Users,DC=mydomain,DC=net",

"pass": "omittedPassword",

"enctype": "clear",

"options": {

"LDAP_OPT_DEREF": 1

},

"basedn": "DC=mydomain,DC=net",

"userbasedn": "DC=mydomain,DC=net",

"groupbasedn": "DC=mydomain,DC=net",

"searchstring": "USER-NAME@mydomain.net",

"searchattribute": "samaccountname",

"usernameattribute": "samaccountname",

"realnameattribute": "displayname",

"emailattribute": "mail",

"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"

},

"userinfo": [],

"groupsync": {

"mapping": {

"sysop": "CN=Wiki_Admin,OU=Groups,DC=mydomain,DC=net",

"wiki-read": "CN=Wiki_ReadOnly,OU=Groups,DC=mydomain,DC=net",

"wiki-write": "CN=Wiki_ReadWrite,OU=Groups,DC=mydomain,DC=net"

}

},

"authorization": {

"rules": {

"groups": {

"required":[ "CN=Wiki_Admin,OU=Groups,DC=mydomain,DC=net",

"CN=Wiki_ReadOnly,OU=Groups,DC=mydomain,DC=net",

"CN=Wiki_ReadWrite,OU=Groups,DC=mydomain,DC=net" ]

}

Real values have been omitted for security reasons :)

SyncUserGroups.php says undefined option: 'LDAPGroupsSyncMechanismRegistry' but I think that should be the default value of mappedgroups as stated on Extension:LDAPGroups as I have not defined this explicitly in my ldap.json.

Any help is much appreciated :)

Reply 08:56, 29 May 2020 3 years ago

80.245.147.81 (talkcontribs)

I just found out, this is already being tracked as a bug: https://phabricator.wikimedia.org/T252793

This might be a solution to my syncing problem... I'll test the proposed workaround.

Reply 09:02, 29 May 2020 3 years ago

80.245.147.81 (talkcontribs)

Proposed workaround applied:

# Load LDAP Config from JSON

$ldapJsonFile = "$IP/ldap.json";

$ldapConfig = false;

if (is_file($ldapJsonFile) && is_dir("$IP/extensions/LDAPProvider")) {

$testJson = @json_decode(file_get_contents($ldapJsonFile),true);

if (is_array($testJson)) {

$ldapConfig = true;

} else {

error_log("Found invalid JSON in file: $IP/ldap.json");

}

$LDAPProviderDomainConfigs = $ldapJsonFile;

$wgLDAPGroupsSyncMechanismRegistry = 'ignoreme';

No changes in ldap.json.

root# php extensions/LDAPGroups/maintenance/SyncGroups.php --user Example-user

PHP Notice: Undefined property: MediaWiki\Extension\LDAPGroups\Maintenance\SyncGroups::$config in /opt/rh/httpd24/root/var/www/html/wiki/extensions/LDAPGroups/maintenance/SyncGroups.php on line 77

Syncing groups for 'Example-user' (ID:11) ...

Old groups:

* wiki-read

* wiki-write

New groups:

* wiki-read

* wiki-write

ShowUserGroups.php still only shows Wiki_ReadOnly membership for Example-user (yes, the original is with a - as well if this is a problem)

Reply 11:12, 29 May 2020 3 years ago

80.245.147.81 (talkcontribs)

Help me @Osnard-Wan Kenobi, you're my only hope :)

Reply 11:07, 3 June 2020 3 years ago

Osnard (talkcontribs)

There actually seems to be a little bug in the `SyncGroups` mainenance script. Pleas obtain a updated version from and try again.

But actually groups should be removed when a user logs in also. No maintenance script would be required.

Your domain configruation looks good so far. So if `CN=Wiki_ReadWrite,OU=Groups,DC=mydomain,DC=net` not shows up in the list from `ShowUserGroups` script the `wiki-write` group should be removed on the next login.

Reply 15:35, 3 June 2020 3 years ago

80.245.147.81 (talkcontribs)

First of all thanks for the reply :)

Unfortunately I don't have the credentials of this particular user, so I can't really test if the groups get synced correctly when they log in without bothering them everytime.

They should sync correctly with the maintenance script as well though, right?

Now, when trying to sync with your updated SyncGroups script, I get the same output only without the php notice:

Old script:

# php extensions/LDAPGroups/maintenance/SyncGroups.php --user Example-user

PHP Notice: Undefined property: MediaWiki\Extension\LDAPGroups\Maintenance\SyncGroups::$config in /opt/rh/httpd24/root/var/www/html/wiki/extensions/LDAPGroups/maintenance/SyncGroups.php on line 77

Syncing groups for 'Example-user' (ID:11) ...

Old groups:

* wiki-read

* wiki-write

New groups:

* wiki-read

* wiki-write

Updated script:

# php extensions/LDAPGroups/maintenance/SyncGroups_new.php --user Example-user

Syncing groups for 'Example-user' (ID:11) ...

Old groups:

* wiki-read

* wiki-write

New groups:

* wiki-read

* wiki-write

No change :(

For testing purposes I removed this user manually from the wiki-write group via Special:UserRights and tried both versions of the maintenance script again:

# php extensions/LDAPGroups/maintenance/SyncGroups.php --user Example-user

PHP Notice: Undefined property: MediaWiki\Extension\LDAPGroups\Maintenance\SyncGroups::$config in /opt/rh/httpd24/root/var/www/html/wiki/extensions/LDAPGroups/maintenance/SyncGroups.php on line 77

Syncing groups for 'Example-user' (ID:11) ...

Old groups:

* wiki-read

New groups:

* wiki-read

# php extensions/LDAPGroups/maintenance/SyncGroups_new.php --user Example-user

Syncing groups for 'Example-user' (ID:11) ...

Old groups:

* wiki-read

New groups:

* wiki-read

So the user does not get added to wiki-write when they have previously been removed from the group manually.

So we can rule out wrong AD memberships or mappings that lead to this. If the sync mechanism worked and that were the case, the user would have been added to wiki-write again.

Reply 06:14, 4 June 2020 3 years ago

80.245.147.81 (talkcontribs)

@Osnard

Okay, so we could recreate this problem with a new user as well.

Here's what we did:

- created a new user in AD (Example-User2)

- added this user to Wiki_ReadOnly in AD

- logged into MediaWiki successfully with this user and were only able to read (only group membership was wiki-read)

- added this user to Wiki_Write in AD

- upon logging out of MediaWiki, I could see under the admin account (refreshing Special:UserRights for that user) that the group sync took place and the user was added to wiki-write MW group

- successfully logged back in with Example-User2 and were able to write/edit

- removed user Example-User2 from AD group Wiki_Write

- Example-User2 is still member of MW group mw-write and is able to edit stuff

Special:UserRights says the groups of Example-User2 have no expiry date (this should not be a problem though?).

When running SyncGroups_new.php, it shows the same output as before.

Debug log of extension LDAPGroups says the following, when executing SyncGroups_new.php:

2020-06-04 14:18:27 wikiserver wiki: Adding 'wiki-read' to 'Example-User2'.

2020-06-04 14:18:27 wikiserver wiki: Problem adding user 'Example-User2' to the group 'wiki-read'.

Maybe LDAPGroups tries to add the user to wiki-read but fails as the user already is a member of wiki-read and then doesn't even try to remove the user from wiki-write?

Reply 14:30, 4 June 2020 3 years ago

Osnard (talkcontribs)

Looks like there was indeed a bug in the logic! Thanks for reporting. I have created a patch and included a test case that reflects your settings: https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/LDAPGroups/+/602679

Once this is merged, could you please update your "LDAPGroups" extension and give quick feedback if this works?

Reply 13:02, 5 June 2020 3 years ago