Topic on Extension talk:LDAPGroups

Hi

I am running MediaWiki on Windows Server 2016 and have configured Active Directory Integration although users can log in they are not joined to any MedaWiki groups.

CheckLogin.php and ShowUserInfo.php run OK, however when I run ShowUserGroups.php I get the following errors.

Full DNs:
PHP Warning: Invalid argument supplied for foreach() in C:\inetpub\wwwroot\mediawiki\extensions\LDAPProvider\maintenance\ShowUserGroups.php on line 60
Warning: Invalid argument supplied for foreach() in C:\inetpub\wwwroot\mediawiki\extensions\LDAPProvider\maintenance\ShowUserGroups.php on line 60
Short names:
PHP Warning: Invalid argument supplied for foreach() in C:\inetpub\wwwroot\mediawiki\extensions\LDAPProvider\src\GroupList.php on line 52
Warning: Invalid argument supplied for foreach() in C:\inetpub\wwwroot\mediawiki\extensions\LDAPProvider\src\GroupList.php on line 52

My ldap.json is below. Any help would be much appreciated.

{

   "ad.xxx.xx.xx": {

       "connection": {

           "server": "xxx-xxxx-xx",

           "port": "389",

           "user": "CN=xxx,OU=xxx,DC=ad,DC=xxx,DC=xx,DC=xx",

           "pass": "xxxxxxxxxxxxxxxxxx",

           "enctype": "clear",

           "options": {

               "LDAP_OPT_DEREF": 1

           },

           "basedn": "dc=ad,dc=xxx,dc=xx,dc=xx",

           "userbasedn": "dc=ad,dc=xxx,dc=xx,dc=xx",

           "groupbasedn": "OU=Groups,OU=WiKi,OU=xxxx,OU=xxx,OU=xxx,DC=ad,DC=xxx,DC=xx,DC=xx",

           "searchattribute": "samaccountname",

           "usernameattribute": "samaccountname",

           "realnameattribute": "cn",

           "emailattribute": "mail",

           "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",

           "presearchusernamemodifiers": [  "spacestounderscores", "lowercase" ]

       },

       "userinfo": [],

       "authorization": [],

       "groupsync": {

           "mapping": {

               "sdadmins": "CN=xxxx,OU=Groups,OU=WiKi,OU=xxxx,OU=xxx,OU=xxx,DC=ad,DC=xxx,DC=xx,DC=xx",

               "ictonly": "CN=xxxx,OU=Groups,OU=WiKi,OU=xxx,OU=xxx,OU=xxx,DC=ad,DC=xxx,DC=xx,DC=xx"             

           }

       }

   }

}

Does "ShowUserInfo.php" list a field "memberof"? If not you may need to set a different "grouprequest".

Hi Osnard.

Many thanks for taking the trouble to respond. ShowUsrInfo.php does list memberof

memberof => CN=xxxx,OU=Groups,OU=WiKi,OU=Services,OU=xxx,OU=xxx,DC=ad,DC=xxx,DC=xx,DC=xx

which is the group for "ictonly" as expected.

Regards

Sean

This looks like "memberof" was a single value field... Maybe that's the reason. This would also explain the Invalid argument supplied for foreach() messages. Can you try to patch this line https://github.com/wikimedia/mediawiki-extensions-LDAPProvider/blob/1.0.3/src/UserGroupsRequest/UserMemberOf.php#L19

with

   return new GroupList( [ $res['memberof'] ] );

Thank you, Applying the patch worked.

I can also confirm that if I put the user into two groups, ShowUserGroups.php works without the patch. However if the user is in two groups and UserMemebrof.php has the patch I get an 'array to string conversion' error in ShowUsergroups.php (You are probably already be aware of this).

But not worry, I now understand the problem, and have solutions I can work with. I really appreciate you taking the time to help. Many thanks

Awesome! Can you please share all of you modifications? maybe I can add them to the codebase.

In order to handle users being a member of one or multiple groups, I added a check, 'is_array( $res['memberof'] )' to UserMemberOf.php.

/** * @param string $username to get the groups for
*@return GroupList
*/
Public function getUserGroups( $username ) {
 $userInfoRequest = new UserInfoRequest( $this->ldapClient, $this->config );
 $res = $userInfoRequest->getUserInfo( $username );
 if ( is_array( $res['memberof'] ) )
    {
     return new GroupList(  $res['memberof']  );
    }
 else
   {   
    return new GroupList( [ $res['memberof'] ] );
   }
}

Thanks! I have added a patch, so you should be able to update again soon: https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/LDAPProvider/+/606989/