Topic on Extension talk:LDAPGroups

Problem with getting groups from LDAP

Summary by Bozhob

Everything is working properly

Bozhob (talkcontribs)

Hi

I try to get the groups in which a user is a member from the LDAP server.

We use OpenLDAP with GOsa; probably the different schema is the cause of the problem.

extensions/LDAPProvider/maintenance/ShowUserGroups.php can't read the groups.

First of all, the search attribute is memberUid, not uid, but after setting "searchattribute" => "memberUid", ShowUserInfo.php stops working, and I am not aware how to use different attributes for searching users and groups.


"searchattribute" => "memberUid" also doesn't resolve the problem with the groups.


Here is part of my LocalSettings.php

<code>
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPGroups' );

$LDAPProviderDomainConfigProvider = function() {
	$config = [
		"example.bg" => [
			"connection" => [
				"server" => "ldap.example.bg",
				"port" => "389",
				"enctype" => "clear",
				"user" => "cn=admin,dc=example,dc=bg",
				"pass" => "****",
				"options" => [
					// "LDAP_OPT_DEREF" => 1,
					"LDAP_DEREF_ALWAYS" => 1
				],
				"basedn" => "dc=example,dc=bg",
				"userbasedn" => "dc=example,dc=bg",
				"searchattribute" => "memberUid",
				"emailattribute" => "mail",
				"groupobjectclass" => "posixGroup",
				"groupattribute" => "",
				"groupbasedn" => "dc=example,dc=bg",
				// "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory",
				"grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\Configurable::factory",
			],
			// "authorization", "groupsync" and "userinfo" are siblings of "connection";
			// the brackets are balanced here (one closing bracket was missing before).
			"authorization" => [
				"rules" => [
					"groups" => [
					]
				]
			],
			"groupsync" => [
				"mechanism" => "allgroups",
				"locally-managed" => [ "local", "wiki", "group", "names" ]
			],
			"userinfo" => [
			]
		]
	];
	return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
</code>


This does not work, and in the log file I see:

<code>
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 fd=44 ACCEPT from IP=100.100.10.1:48104 (IP=0.0.0.0:389)
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=0 BIND dn="cn=admin,dc=example,dc=bg" method=128
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=0 BIND dn="cn=admin,dc=example,dc=bg" mech=SIMPLE ssf=0
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=0 RESULT tag=97 err=0 text=
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=1 SRCH base="dc=example,dc=bg" scope=2 deref=0 filter="(memberUid=bozhotest)"
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=1 SRCH attr=* memberof
Jun 11 16:24:10 gosa slapd[12258]: <= bdb_equality_candidates: (memberUid) not indexed
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=1 SEARCH RESULT tag=101 err=0 nentries=5 text=
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=2 SRCH base="dc=example,dc=bg" scope=2 deref=0 filter="(&(objectClass=*)(cn=cn=calgroup_example,ou=groups,dc=example,dc=bg))"
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=2 SRCH attr=dn
Jun 11 16:24:10 gosa slapd[12258]: <= bdb_equality_candidates: (cn) not indexed
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=3 UNBIND
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 fd=44 closed
</code>


With ldapsearch:

<code>ldapsearch -x -a always -b "dc=example,dc=bg" "(memberUid=bozhotest)"</code>

returns the groups, and the record in the log file is:


<code>
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 fd=268 ACCEPT from IP=127.0.0.1:59392 (IP=0.0.0.0:389)
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=0 BIND dn="cn=admin,dc=example,dc=bg" method=128
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=0 BIND dn="cn=admin,dc=example,dc=bg" mech=SIMPLE ssf=0
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=0 RESULT tag=97 err=0 text=
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=1 SRCH base="dc=example,dc=bg" scope=2 deref=3 filter="(memberUid=bozhotest)"
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=1 SRCH attr=cn sn uid postalAddress telephoneNumber
Jun 11 12:12:07 gosa slapd[12258]: <= bdb_equality_candidates: (memberUid) not indexed
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=1 SEARCH RESULT tag=101 err=0 nentries=5 text=
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=2 SRCH base="cn=calgroup_example,ou=groups,dc=example,dc=bg" scope=0 deref=0 filter="(&(objectClass=*))"
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=2 SRCH attr=* +
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=3 SRCH base="cn=calgroup_zastrahovateli,ou=groups,dc=example,dc=bg" scope=0 deref=0 filter="(&(objectClass=*))"
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=3 SRCH attr=* +
etc.
</code>

The main differences between the two logs, as far as I can see, are:

<code>Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=2 SRCH base="dc=example,dc=bg" scope=2 deref=0 filter="(&(objectClass=*)(cn=cn=calgroup_example,ou=groups,dc=example,dc=bg))"</code>

and

<code>Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=2 SRCH base="cn=calgroup_example,ou=groups,dc=example,dc=bg" scope=0 deref=0 filter="(&(objectClass=*))"</code>

Also probably this:

<code>SRCH attr=* memberof</code>

and

<code>SRCH attr=* +</code>

Which parameters do I have to change to make both searches work?


Thank you in advance

Bozho

Osnard (talkcontribs)
Bozhob (talkcontribs)

I set

"grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",

but I receive

PHP Notice:  Undefined index: memberof in LDAPProvider/src/UserGroupsRequest/UserMemberOf.php on line 19

What else do I have to add to the config?

Bozhob (talkcontribs)

Actually I think that this case is very complicated. In the given LDAP schema there is no attribute for a user pointing to the groups he/she is a member of. Instead, the users are listed in the groups. Example:

<code>cn=wikiadmins,ou=groups,l=wikiusers,dc=example,dc=bg?memberUid?sub?(objectClass=posixGroup)</code>

memberUid - an array containing the UIDs of the group members


So the problem seems too difficult to resolve.

Using "searchattribute" => "memberUid", in the log file I can see the response from the LDAP. All the groups the user is a member of are actually listed there, with the full list of attributes:

<code>
...snip...
4 =>
  array (
    'cn' =>
    array (
      'count' => 1,
      0 => 'wikiadmins',
    ),
    0 => 'cn',
    'gidnumber' =>
    array (
      'count' => 1,
      0 => '1027',
    ),
    1 => 'gidnumber',
    'memberuid' =>
    array (
      'count' => 3,
      0 => 'test1',
      1 => 'test2',
      2 => 'bozhotest',
    ),
    2 => 'memberuid',
    'labeleduri' =>
    array (
      'count' => 1,
      0 => 'ldap:///cn=wikiadmins,ou=groups,l=wikiusers,dc=example,dc=bg?memberUid?sub?(objectClass=posixGroup)',
    ),
    3 => 'labeleduri',
    'objectclass' =>
    array (
      'count' => 3,
      0 => 'top',
      1 => 'posixGroup',
      2 => 'labeledURIObject',
    ),
    4 => 'objectclass',
    'count' => 5,
    'dn' => 'cn=wikiadmins,ou=groups,l=wikiusers,dc=example,dc=bg',
  ),
</code>

Maybe I have to try to modify extensions/LDAPProvider/src/UserGroupsRequest/UserMemberOf.php: instead of <code>return new GroupList( $res['memberof'] );</code>, set a foreach loop to get the 'cn' values.


Osnard (talkcontribs)

Yes, you will probably need to implement a new `UserGroupsRequest`. Could you please share your solution so I can add it to the extension?

Bozhob (talkcontribs)

Hi Robert

I have achieved some success, but I need a bit of help.

Of course, I will post all the code I wrote, but there are many things to tune.

I wrote a new file UserGosaMember.php and class UserGosaMember, and now the result from

<code>php extensions/LDAPProvider/maintenance/ShowUserGroups.php --domain example.bg --username bozhotest</code>

is a list of the names of the groups, having the user as a member:


<code>
Full DNs:

   calgroup_test1
   calgroup_zastrahovateli
   calgroup_klienti
   wikiadmins
Short names:
</code>

But I suppose this is not the proper output. I have no opportunity to test with another kind of LDAP to see the proper results.

According to the log above, these group names should be in the section Short names, I suppose.

My question is, how do the other functions which use the result from the 'UserGroupsRequest' functions expect to "see" the result? Which is the proper format?

Bozhob (talkcontribs)

Hi

I have some progress. The result now is:

<code>
php extensions/LDAPProvider/maintenance/ShowUserGroups.php --domain example.bg --username bozhotest
Full DNs:

   cn=calgroup_example,ou=groups,dc=example,dc=bg
   cn=calgroup_zastrahovateli,ou=groups,dc=example,dc=bg
   cn=calgroup_klienti,ou=groups,dc=example,dc=bg
   cn=wikiadmins,ou=groups,l=wikiusers,dc=example,dc=bg
Short names:
   calgroup_test1
   calgroup_zastrahovateli
   calgroup_klienti
   wikiadmins
</code>


This blank line after Full DNs: looks suspicious, but I suppose this is the right format I need to achieve.

But the groups are still not visible from the wiki page.

Bozhob (talkcontribs)

Here I put the code I wrote.

First, I found out that the function getUserDN from /extensions/LDAPProvider/src/Client.php returns all information about the groups which have the user as a member, if searchattr is set to memberUid. So I copied getUserDN to a new member function in Client.php, where I added $searchattr = "memberUid"; at the beginning and, instead of return $userdn, I set return $this->userInfo;

I know there are wiser ways to do the same, but being in a hurry I leave it at that for now.

So I wrote a class UserGosaMember in extensions/LDAPProvider/src/UserGroupsRequest/UserGosaMember.php; "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserGosaMember::factory", should be used in LocalSettings.php.

<code>
<?php
namespace MediaWiki\Extension\LDAPProvider\UserGroupsRequest;

use MediaWiki\Extension\LDAPProvider\ClientConfig;
use MediaWiki\Extension\LDAPProvider\GroupList;
use MediaWiki\Extension\LDAPProvider\UserGroupsRequest;

class UserGosaMember extends UserGroupsRequest {
	/**
	 * @param string $username to get the groups for
	 * @return GroupList
	 */
	public function getUserGroups( $username ) {
		// getGosaGroups() is the copy of Client::getUserDN() described above: it
		// searches with memberUid and returns the raw ldap_get_entries() result.
		$userInfo = $this->ldapClient->getGosaGroups( $username );
		$baseDN = $this->config->get( ClientConfig::GROUP_BASE_DN );
		if ( $baseDN === '' ) {
			$baseDN = null;
		}
		$ret = [];
		foreach ( $userInfo as $key => $res ) {
			// The result carries a top-level 'count' element next to the numbered
			// entries; it is an int, not an entry, and must be skipped.
			if ( $key === 'count' || !is_array( $res ) ) {
				continue;
			}
			$ret[] = $res['dn'];
		}
		return new GroupList( $ret );
	}
}
</code>

The $userInfo variable contains an array:

array(6) {

 ["count"]=>
 int(5)
 [0]=>
 array(12) {
   ["gidnumber"]=>
   array(2) {
     ["count"]=>
     int(1)
     [0]=>
     string(4) "2010"
   }
   [0]=>
   string(9) "gidnumber"
   ["description"]=>
   array(2) {
     ["count"]=>
     int(1)
     [0]=>
     string(47) "Comment"
   }
   [1]=>
   string(11) "description"
   ["cn"]=>
   array(2) {
     ["count"]=>
     int(1)
     [0]=>
     string(18) "calgroup_test"
   }
   [2]=>
   string(2) "cn"
   ["memberuid"]=>
   array(414) {
     ["count"]=>
     int(413)
     [0]=>
     string(5) "test1"
     [1]=>
     string(5) "test2"

................

     [412]=>
     string(13) "wiki-readonly"
   }
   [3]=>
   string(9) "memberuid"
   ["objectclass"]=>
   array(3) {
     ["count"]=>
     int(2)
     [0]=>
     string(3) "top"
     [1]=>
     string(10) "posixGroup"
   }
   [4]=>
   string(11) "objectclass"
   ["count"]=>
   int(5)
   ["dn"]=>
   string(50) "cn=calgroup_test1,ou=groups,dc=example,dc=bg"
 }
 [1]=>
 array(12) {
   ["cn"]=>
   array(2) {
     ["count"]=>
     int(1)
     [0]=>
     string(23) "calgroup_zastrahovateli"
   }

.......
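As an added example (not code from this thread or from the LDAPProvider extension), here is the same lookup written as a UserGroupsRequest subclass that queries the posixGroup entries by memberUid directly, instead of going through a modified getUserDN; it covers both the foreach-over-group-entries idea above and the UserGosaMember class just posted. It assumes the extension's Client exposes search( $filter, $baseDn, $attrs ) returning entries in the ldap_get_entries() layout shown in the dumps, that EscapedString escapes LDAP filter metacharacters, and that ClientConfig::GROUP_OBJECT_CLASS exists for the "groupobjectclass" key.

```php
<?php
// Added example; not part of the LDAPProvider extension.
// Assumed: Client::search( $filter, $baseDn, $attrs ), EscapedString,
// ClientConfig::GROUP_OBJECT_CLASS (see lead-in).
namespace MediaWiki\Extension\LDAPProvider\UserGroupsRequest;

use MediaWiki\Extension\LDAPProvider\ClientConfig;
use MediaWiki\Extension\LDAPProvider\EscapedString;
use MediaWiki\Extension\LDAPProvider\GroupList;
use MediaWiki\Extension\LDAPProvider\UserGroupsRequest;

class PosixGroupMember extends UserGroupsRequest {
	/**
	 * Return the groups that list the user in memberUid (posixGroup schema,
	 * as used by GOsa), without touching the user-search attribute.
	 * @param string $username
	 * @return GroupList
	 */
	public function getUserGroups( $username ) {
		$groupClass = $this->config->get( ClientConfig::GROUP_OBJECT_CLASS ) ?: 'posixGroup';
		$baseDN = $this->config->get( ClientConfig::GROUP_BASE_DN ) ?: null;

		// Escape the username before interpolating it into the filter so that
		// filter metacharacters in a login name cannot alter the query.
		$escaped = new EscapedString( $username );
		$filter = "(&(objectClass=$groupClass)(memberUid=$escaped))";
		$entries = $this->ldapClient->search( $filter, $baseDN, [ 'dn' ] );

		$dns = [];
		foreach ( $entries as $key => $entry ) {
			// ldap_get_entries() mixes a 'count' element with the numbered entries.
			if ( $key === 'count' || !is_array( $entry ) || empty( $entry['dn'] ) ) {
				continue;
			}
			$dns[] = $entry['dn'];
		}
		// GroupList derives the short names (the cn) from the full DNs itself.
		return new GroupList( $dns );
	}
}
```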

Bozhob (talkcontribs)

A step further. I added "presearchusernamemodifiers" => ["lowercase"] in LocalSettings.php, and in the debug info in the Apache log file I can now see the groups listed. But synchronization still doesn't work. When I check Special pages -> User rights, or Settings, the LDAP groups are missing.

Osnard (talkcontribs)

First of all, thank you for sharing the code! I will try to incorporate this into the extension, but can not give any timeframe for it.

If "ShowUserGroups.php" properly lists the groups already, then we are almost there. I can see that you are using the "allgroups" mechanism. Please be aware that the groups will only be synced if they are actually available (somewhere configured by `wgGroupPermissions`) in the wiki. Otherwise syncing will not work.

Bozhob (talkcontribs)

Yes, I know that. I have set $wgGroupPermissions['wikiadmins']['edit'] = true; $wgGroupPermissions['wikiadmins']['read'] = true;

and similar for the other groups that have to be synchronized. I tried to use

<code>
"mechanism" => "mappedgroups",
"mapping" => [
	"wbaseaccess" => "cn=wbaseaccess,ou=groups,l=wikiusers,dc=example,dc=bg",
	"wexperts"    => "cn=wexperts,ou=groups,l=wikiusers,dc=example,dc=bg",
	"wikiadmins"  => "cn=wikiadmins,ou=groups,l=wikiusers,dc=example,dc=bg",
	"wstaff"      => "cn=wstaff,ou=groups,l=wikiusers,dc=example,dc=bg"
]
</code>

instead of allgroups. Now I receive "Member of: mapping", which confuses me.

Osnard (talkcontribs)

Where do you receive "Member of: mapping"? Can you please share a debug-log of when you log into the wiki?

This post was hidden by Bozhob (history)
This post was hidden by Bozhob (history)
Bozhob (talkcontribs)

Sorry, this was my mistake! When I switched to "mechanism" => "mappedgroups", I had doubled the "mapping" => [ declaration. Now things seem to be OK. I will make some tests before marking the case as solved. This variant satisfies me. I'll try to investigate why "allgroups" still doesn't work, probably because of another mistake I have made. But I think that the wiki is now completely usable. Thank you for your help!

Bozhob (talkcontribs)

Everything looks good, so I consider the case solved. For further questions I will open a new post. Thank you very much again!

Bozhob (talkcontribs)

Hi Osnard, sorry that I opened this discussion again. I found that if an LDAP (GOsa) user logs in to the wiki for the first time, everything with the groups goes OK, but if the user had logged in before, the software does not check the LDAP groups. I tried: if I delete the user from the MySQL database and he logs in again, the groups are properly loaded from LDAP. How is it possible to force the wiki to check for LDAP groups every time a user logs in? Probably I missed a config parameter, but I can't find which one.

Osnard (talkcontribs)

Usually group sync is done on every log in and once an hour during a running user session. Can you please set up debug logging just for the LDAPGroupSync extension and check what is being reported over time?

Bozhob (talkcontribs)

In my LocalSettings.php I set:

<code>
$wgDebugLogGroups = array(
	'PluggableAuth' => '/tmp/pa.log',
	'LDAP' => '/tmp/LDAP.log',
	'LDAPAuthentication2' => '/tmp/auth2.log',
	'LDAPAuthorization' => '/tmp/authz.log',
	'MediaWiki\\Extension\\LDAPProvider\\Client' => '/tmp/client.log',
	'LDAPGroups' => '/tmp/grp.log',
	'LDAPUserInfo' => '/tmp/user.log',
);
</code>

I tried also

<code>'MediaWiki\\Extension\\LDAPGroups\\GroupSyncProcess' => '/tmp/grp.log',</code>

In '/tmp/grp.log' information appears only when a user logs in for the first time:

2020-12-15 15:54:58 wikibrokerins wikidb-mw_: Adding 'wiki-admins' to 'Bozhotest'.
2020-12-15 18:14:15 wikibrokerins wikidb-mw_: Adding 'wiki-staff' to 'Wiki-limited'.
2020-12-15 18:24:21 wikibrokerins wikidb-mw_: Adding 'wiki-baseaccess' to 'Wiki-readonly'.

Osnard (talkcontribs)
Bozhob (talkcontribs)

Seems that this solved the problem! I will test for some days, but I mean that everything is OK now. Thank you. I'd like to ask you: if a user is removed from a group in LDAP, he remains in the wiki database in the same group and should be removed from the SQL. Perhaps there is no such function in LDAPProvider, or I missed something?

Osnard (talkcontribs)

Good to hear! A user disabled in LDAP will not be removed from the wiki DB automatically. Have a look at the extension LDAPSyncAll [1]. It will query the LDAP regularly and disable unauthorized or removed users in the wiki DB. But be aware, this extension is quite new and has no documentation yet.

[1] https://www.github.com/wikimedia/mediawiki-extensions-LDAPSyncAll

Bozhob (talkcontribs)

Thank you again!