Topic on Extension talk:ConfirmAccount

Auto-creation of a local account failed: You have not specified a valid username

213.55.220.217 (talkcontribs)

Hello Together

We have updated the MediaWiki in our company from version 1.23.15 to version 1.27 and then to 1.34.

After we changed the login to LDAPAuthentication2 we could log in. Now we have the following problems:

1. the matching between "User" ==> "Groups" does not work correctly

2. new users can no longer register.

Below I have our LocalSettings.php. The error message when logging in is the following:

"Auto-creation of a local account failed: You have not specified a valid username"

Side note:

We want the login with the e-mail address firstname.lastname@domain

Sometimes users could log in, but then the correct value was not entered into the database: (Firstname Lastname) instead of (firstname.lastname@domain).

Does anyone have an idea what we did wrong?

$wgDebugLogFile = '/var/www/html/wiki/debug_log.log';
$wgShowExceptionDetails = true;
$wgDebugToolbar = true;
$wgDebugLogGroups['LDAPGroups'] = '/var/www/html/wiki/LDAPGroups.log';
error_reporting( -1 );
ini_set( 'display_errors', 1 );
ini_set( 'display_startup_errors', 1 );
$wgDebugLogGroups['LDAPAuthentication2'] = "/var/www/html/wiki/LDAPAuthentication2.log";

wfLoadExtension( 'WikiEditor' );
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPGroups' );

$wgEmailConfirmToEdit = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgBlockDisablesLogin = true;
$LDAPAuthorizationAutoAuthRemoteUserStringParser = 'ldapuser@some.domain';
$LDAPAuthentication2AllowLocalLogin = true;
$wgAuthRemoteUserAllowUserSwitch = true;
$wgPluggableAuth_ButtonLabel = "Log In";

$LDAPProviderDomainConfigProvider = function () {
    $config = [
        'some.domain' => [
            'connection' => [
                "server" => "ADServer.some.domain",
                "user" => "ldapuser@some.domain",
                "pass" => "LDAPPasswd",
                "port" => "636",
                "enctype" => "ssl",
                "options" => [
                    "LDAP_OPT_DEREF" => 1
                ],
                "basedn" => "dc=some,dc=domain",
                "groupbasedn" => "dc=some,dc=domain",
                "userbasedn" => "dc=some,dc=domain",
                "searchattribute" => "userprincipalname",
                "searchstring" => "",
                "realnameattribute" => "cn",
                "usernameattribute" => "userprincipalname",
                "emailattribute" => "mail",
                "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
            ],
            "authorization" => [
                "rules" => [
                    "required" => [
                        "wiki-admin",
                        "wiki-user"
                    ]
                ]
            ],
            "userinfo" => [
                "attributes-map" => [
                    "email" => "mail",
                    "realname" => "userprincipalname"
                ]
            ],
            "groupsync" => [
                "mechanism" => "mappedgroups",
                "mapping" => [
                    "sysop" => "wiki-admin",
                    "user" => "wiki-user"
                ]
            ]
        ]
    ];
    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

Best regards

Scoobydoo321 (talkcontribs)

@Osnard

Sorry, I first wrote this topic (as 213.55.220.217) and after that I created a login.

I found out that login with an e-mail address is not supported, and now I've tried to change the login to other AD credentials.

But now I can't log in. In the log I see that the user is authenticated, but after that the auto-create account step wants to create a user with the IP as username.

Does anyone have an idea where the failure is?

I now use a file for the connection (ldap.json).

Best regards

Osnard (talkcontribs)

This is probably because the "authorization" part fails. The values "wiki-admin" and "wiki-user" in "authorization.rules.required.groups" should be DNs, like "CN=wiki-admin,OU=Groups,OU=Company,...". Check the output of "extensions/LDAPProvider/maintenance/ShowUserGroups.php" to see what you need to put in there. For testing you can also make "authorization.rules.required.groups" empty.

Scoobydoo321 (talkcontribs)

Hi Osnard

Thanks for the reply. I checked the output; I got some full DNs and short names. I copied the output from ShowUserGroups.php, but it still doesn't work.

Sorry, but I'm new to JSON, so I hope this one is correct for what you mean by empty:

{
    "my.domain": {
        "connection": {
            "server": "ADServer.my.domain",
            "port": "636",
            "user": "CN=ldapuser,OU=ServiceAccounts,DC=domain,DC=my",
            "pass": "somePassword",
            "enctype": "ssl",
            "options": {
                "LDAP_OPT_DEREF": "1"
            },
            "basedn": "dc=domain,dc=my",
            "groupbasedn": "dc=domain,dc=my",
            "userbasedn": "dc=domain,dc=my",
            "searchattribute": "userprincipalname",
            "usernameattribute": "samaccountname",
            "realnameattribute": "cn",
            "emailattribute": "mail",
            "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory"
        },
        "userinfo": {
            "attributes-map": {
                "email": "mail",
                "realname": "cn"
            }
        },
        "authorization": {
            "rules": {
                "required": {
                    "groups": []
                }
            }
        },
        "groupsync": {
            "mapping": {
                "sysop": "CN=WikiAdmin,OU=Groups,DC=domain,DC=my",
                "user": "CN=WikiUser,OU=Groups,DC=domain,DC=my"
            }
        }
    }
}
Osnard (talkcontribs)
Scoobydoo321 (talkcontribs)

Yes, the "CheckLogin.php" returns OK.

Output from ldap.log with LDAPAuthorization disabled:

2020-07-22 09:15:08 srv-wiki-1 wiki_db: In execute()
2020-07-22 09:15:08 srv-wiki-1 wiki_db: Getting PluggableAuth singleton
2020-07-22 09:15:08 srv-wiki-1 wiki_db: Class name: MediaWiki\Extension\LDAPAuthentication2\PluggableAuth
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_connect( $hostname = 'ldaps://ADServer.my.domain:636', $port = 389 );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # __METHOD__ returns Resource id #259
2020-07-22 09:15:08 srv-wiki-1 wiki_db: Setting LDAP_OPT_PROTOCOL_VERSION to 3
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_set_option( $linkID, $option = 17, $newval = 3 );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: Setting LDAP_OPT_REFERRALS to 0
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_set_option( $linkID, $option = 8, $newval = 0 );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: Setting LDAP_OPT_DEREF to 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_set_option( $linkID, $option = 2, $newval = 1 );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_bind( $linkID, $bindRDN = 'CN=ldapuser,OU=ServiceAccounts,OU=someOU,DC=my,DC=domain', $bindPassword = 'XXXX' );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: MediaWiki\Extension\LDAPProvider\Client::getUserDN: search with array (
  'base' => 'DC=my,DC=domain',
  'filter' => '(userprincipalname=fred@my.domain)',
  'attributes' => 
  array (
    0 => '*',
    1 => 'memberof',
  ),
)
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_search( $linkID, $baseDN = 'DC=my,DC=domain', $filter = '(userprincipalname=fred@my.domain)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns Resource id #275
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_count_entries( $linkiID, $result = 'Resource id #275' );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_get_entries( $linkID, $resultID );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns: array (
  'count' => 1,
  0 => 
  array (
    'objectclass' => 
    array (
      'count' => 4,
      0 => 'top',
      1 => 'person',
      2 => 'organizationalPerson',
      3 => 'user',
    ),
    0 => 'objectclass',
    'cn' => 
    array (
      'count' => 1,
      0 => 'tester',
    ),
    1 => 'cn',
    'sn' => 
    array (
      'count' => 1,
      0 => 'tester',
    ),
    2 => 'sn',
    'description' => 
    array (
      'count' => 1,
      0 => 'Test User',
    ),
    3 => 'description',
    'telephonenumber' => 
    array (
      'count' => 1,
      0 => '4 52 41',
    ),
    4 => 'telephonenumber',
    'givenname' => 
    array (
      'count' => 1,
      0 => 'hp',
    ),
    5 => 'givenname',
    'initials' => 
    array (
      'count' => 1,
      0 => 'fred',
    ),
    6 => 'initials',
    'distinguishedname' => 
    array (
      'count' => 1,
      0 => 'CN=tester,OU=Test,OU=Users,OU=someOU,DC=my,DC=domain',
    ),
    7 => 'distinguishedname',
    'instancetype' => 
    array (
      'count' => 1,
      0 => '4',
    ),
    8 => 'instancetype',
    'whencreated' => 
    array (
      'count' => 1,
      0 => '20131218141516.0Z',
    ),
    9 => 'whencreated',
    'whenchanged' => 
    array (
      'count' => 1,
      0 => '20200716080258.0Z',
    ),
    10 => 'whenchanged',
    'displayname' => 
    array (
      'count' => 1,
      0 => 'tester',
    ),
    11 => 'displayname',
    'usncreated' => 
    array (
      'count' => 1,
      0 => '30230',
    ),
    12 => 'usncreated',
    'memberof' => 
    array (
      'count' => 10,
      0 => 'CN=WikiAdmin,OU=Application_Groups,OU=Groups,OU=someOU,DC=my,DC=domain',
      1 => '####',
      2 => '####',
      3 => '####',
      4 => '####',
      5 => 'CN=WikiUsers,OU=Application_Groups,OU=Groups,OU=someOU,DC=my,DC=domain',
      6 => '####',
      7 => '####',
      8 => '####',
      9 => '####',
    ),
    13 => 'memberof',
    'usnchanged' => 
    array (
      'count' => 1,
      0 => '3982289',
    ),
    14 => 'usnchanged',
    'proxyaddresses' => 
    array (
      'count' => 7,
      0 => 'smtp:####',
      1 => 'smtp:####',
      2 => 'smtp:####',
      3 => 'SMTP:####',
      4 => 'sip:####',
      5 => 'smtp:####',
      6 => 'smtp:####',
    ),
    15 => 'proxyaddresses',
    'homemdb' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    16 => 'homemdb',
    'mdbusedefaults' => 
    array (
      'count' => 1,
      0 => 'TRUE',
    ),
    17 => 'mdbusedefaults',
    'mailnickname' => 
    array (
      'count' => 1,
      0 => 'fred',
    ),
    18 => 'mailnickname',
    'name' => 
    array (
      'count' => 1,
      0 => 'tester',
    ),
    19 => 'name',
    'objectguid' => 
    array (
      'count' => 1,
      0 => '<2‹.Àª	EœÌÅï��oî',
    ),
    20 => 'objectguid',
    'useraccountcontrol' => 
    array (
      'count' => 1,
      0 => '66048',
    ),
    21 => 'useraccountcontrol',
    'badpwdcount' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    22 => 'badpwdcount',
    'codepage' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    23 => 'codepage',
    'countrycode' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    24 => 'countrycode',
    'badpasswordtime' => 
    array (
      'count' => 1,
      0 => '132397147069218117',
    ),
    25 => 'badpasswordtime',
    'lastlogoff' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    26 => 'lastlogoff',
    'lastlogon' => 
    array (
      'count' => 1,
      0 => '132397149483435657',
    ),
    27 => 'lastlogon',
    'pwdlastset' => 
    array (
      'count' => 1,
      0 => '132393601472194926',
    ),
    28 => 'pwdlastset',
    'primarygroupid' => 
    array (
      'count' => 1,
      0 => '513',
    ),
    29 => 'primarygroupid',
    'profilepath' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    30 => 'profilepath',
    'objectsid' => 
    array (
      'count' => 1,
      0 => '��' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '��' . "\0" . '' . "\0" . '' . "\0" . '¶Dä#�Àê2Ûë�P}-' . "\0" . '' . "\0" . '',
    ),
    31 => 'objectsid',
    'admincount' => 
    array (
      'count' => 1,
      0 => '1',
    ),
    32 => 'admincount',
    'accountexpires' => 
    array (
      'count' => 1,
      0 => '9223372036854775807',
    ),
    33 => 'accountexpires',
    'logoncount' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    34 => 'logoncount',
    'samaccountname' => 
    array (
      'count' => 1,
      0 => 'fred',
    ),
    35 => 'samaccountname',
    'samaccounttype' => 
    array (
      'count' => 1,
      0 => '805306368',
    ),
    36 => 'samaccounttype',
    'showinaddressbook' => 
    array (
      'count' => 4,
      0 => '####',
      1 => '####',
      2 => '####',
      3 => '####',
    ),
    37 => 'showinaddressbook',
    'legacyexchangedn' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    38 => 'legacyexchangedn',
    'userprincipalname' => 
    array (
      'count' => 1,
      0 => 'fred@my.domain',
    ),
    39 => 'userprincipalname',
    'lockouttime' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    40 => 'lockouttime',
    'lastknownparent' => 
    array (
      'count' => 1,
      0 => 'OU=Test,OU=Users,OU=someOU,DC=my,DC=domain',
    ),
    41 => 'lastknownparent',
    'objectcategory' => 
    array (
      'count' => 1,
      0 => 'CN=Person,CN=Schema,CN=Configuration,DC=my,DC=domain',
    ),
    42 => 'objectcategory',
    'dscorepropagationdata' => 
    array (
      'count' => 1,
      0 => '16010101000000.0Z',
    ),
    43 => 'dscorepropagationdata',
    'lastlogontimestamp' => 
    array (
      'count' => 1,
      0 => '132393601780066773',
    ),
    44 => 'lastlogontimestamp',
    'msds-supportedencryptiontypes' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    45 => 'msds-supportedencryptiontypes',
    'msds-lastknownrdn' => 
    array (
      'count' => 1,
      0 => 'tester',
    ),
    46 => 'msds-lastknownrdn',
    'mail' => 
    array (
      'count' => 1,
      0 => 'fred@my.domain',
    ),
    47 => 'mail',
    'thumbnailphoto' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    48 => 'thumbnailphoto',
    'msexchhomeservername' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    49 => 'msexchhomeservername',
    'msexchmailboxsecuritydescriptor' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    50 => 'msexchmailboxsecuritydescriptor',
    'msexchuseraccountcontrol' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    51 => 'msexchuseraccountcontrol',
    'msexchmailboxguid' => 
    array (
      'count' => 1,
      0 => 'I©�„¥CJ°ùX„Nùi',
    ),
    52 => 'msexchmailboxguid',
    'msexchpoliciesincluded' => 
    array (
      'count' => 2,
      0 => '4dde4918-7608-4c22-b276-64f5eb00c3e4',
      1 => '{26491cfc-9e50-4857-861b-0cb8df22b5d7}',
    ),
    53 => 'msexchpoliciesincluded',
    'msrtcsip-internetaccessenabled' => 
    array (
      'count' => 1,
      0 => 'TRUE',
    ),
    54 => 'msrtcsip-internetaccessenabled',
    'msexchmailboxtemplatelink' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    55 => 'msexchmailboxtemplatelink',
    'msexchdelegatelistlink' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    56 => 'msexchdelegatelistlink',
    'msrtcsip-optionflags' => 
    array (
      'count' => 1,
      0 => '2305',
    ),
    57 => 'msrtcsip-optionflags',
    'msrtcsip-userpolicies' => 
    array (
      'count' => 1,
      0 => '0=666577031',
    ),
    58 => 'msrtcsip-userpolicies',
    'msexchumdtmfmap' => 
    array (
      'count' => 4,
      0 => 'reversedPhone:14254',
      1 => 'emailAddress:3733',
      2 => 'lastNameFirstName:83783747',
      3 => 'firstNameLastName:47837837',
    ),
    59 => 'msexchumdtmfmap',
    'msexchmdbrulesquota' => 
    array (
      'count' => 1,
      0 => '256',
    ),
    60 => 'msexchmdbrulesquota',
    'msexchprevioushomemdb' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    61 => 'msexchprevioushomemdb',
    'msexchrecipientdisplaytype' => 
    array (
      'count' => 1,
      0 => '1073741824',
    ),
    62 => 'msexchrecipientdisplaytype',
    'msrtcsip-primaryuseraddress' => 
    array (
      'count' => 1,
      0 => 'sip:fred@my.domain',
    ),
    63 => 'msrtcsip-primaryuseraddress',
    'msrtcsip-deploymentlocator' => 
    array (
      'count' => 1,
      0 => 'SRV:',
    ),
    64 => 'msrtcsip-deploymentlocator',
    'msexchpublicfoldermailbox' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    65 => 'msexchpublicfoldermailbox',
    'msrtcsip-userroutinggroupid' => 
    array (
      'count' => 1,
      0 => 'yôn×Ä�-_¬¤TòíÔ³�',
    ),
    66 => 'msrtcsip-userroutinggroupid',
    'msrtcsip-userenabled' => 
    array (
      'count' => 1,
      0 => 'TRUE',
    ),
    67 => 'msrtcsip-userenabled',
    'msexchelcmailboxflags' => 
    array (
      'count' => 1,
      0 => '2',
    ),
    68 => 'msexchelcmailboxflags',
    'msexchwhenmailboxcreated' => 
    array (
      'count' => 1,
      0 => '20160115162536.0Z',
    ),
    69 => 'msexchwhenmailboxcreated',
    'msexchrbacpolicylink' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    70 => 'msexchrbacpolicylink',
    'msrtcsip-primaryhomeserver' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    71 => 'msrtcsip-primaryhomeserver',
    'msexchsafesendershash' => 
    array (
      'count' => 1,
      0 => 't¨¤§',
    ),
    72 => 'msexchsafesendershash',
    'msexchversion' => 
    array (
      'count' => 1,
      0 => '88218628259840',
    ),
    73 => 'msexchversion',
    'msrtcsip-federationenabled' => 
    array (
      'count' => 1,
      0 => 'TRUE',
    ),
    74 => 'msrtcsip-federationenabled',
    'msexchrecipienttypedetails' => 
    array (
      'count' => 1,
      0 => '1',
    ),
    75 => 'msexchrecipienttypedetails',
    'count' => 76,
    'dn' => 'CN=tester,OU=Test,OU=Users,OU=someOU,DC=my,DC=domain',
  ),
)
2020-07-22 09:15:08 srv-wiki-1 wiki_db: Found user DN: 'CN=tester,OU=Test,OU=Users,OU=someOU,DC=my,DC=domain'
2020-07-22 09:15:08 srv-wiki-1 wiki_db: MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'CN=tester,OU=Test,OU=Users,OU=someOU,DC=my,DC=domain'
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_bind( $linkID, $bindRDN = 'CN=tester,OU=Test,OU=Users,OU=someOU,DC=my,DC=domain', $bindPassword = 'XXXX' );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_bind( $linkID, $bindRDN = 'CN=srvwikiadauth,OU=ServiceAccounts,OU=someOU,DC=my,DC=domain', $bindPassword = 'XXXX' );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_search( $linkID, $baseDN = 'DC=my,DC=domain', $filter = '(userprincipalname=fred@my.domain)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns Resource id #289
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_get_entries( $linkID, $resultID );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns: array ( (the same single entry for 'CN=tester,OU=Test,OU=Users,OU=someOU,DC=my,DC=domain' as returned by the first ldap_get_entries() call above) )
2020-07-22 09:15:08 srv-wiki-1 wiki_db: Ran LDAP search for '(userprincipalname=fred@my.domain)' in 0.0019741058349609 seconds.

2020-07-22 09:15:08 srv-wiki-1 wiki_db: Authenticated new user: fred
2020-07-22 09:15:09 srv-wiki-1 wiki_db: User is authorized.

Osnard (talkcontribs)

So the last two lines look good. So there is still the message "Auto-creation of a local account failed: You have not specified a valid username"? In which context?

Scoobydoo321 (talkcontribs)

This message appears when I try to log in with <username>@<my.domain>

Osnard (talkcontribs)

And if you don't use a username with "@"? Which error do you get then? Because

2020-07-22 09:15:08 srv-wiki-1 wiki_db: Authenticated new user: fred
2020-07-22 09:15:09 srv-wiki-1 wiki_db: User is authorized.

looks good.

Scoobydoo321 (talkcontribs)

With the config as is, I get the following error: Could not authenticate credentials against domain "my.domain". When I change the searchattribute setting to samaccountname, I get the same error as before.

Osnard (talkcontribs)

If you are getting Could not authenticate credentials against domain "my.domain" then it is form-based authentication (FBA). This should be the exact same mechanism as the CheckLogin.php CLI script.

Scoobydoo321 (talkcontribs)

The message Could not authenticate credentials against domain "my.domain" I get only when there is a mismatch between what I check for the login and what I use. When I use the right credentials I always get Auto-creation of a local account failed: You have not specified a valid username.

Osnard (talkcontribs)

I have noticed a difference in the two configurations you have shared (#1: PHP, #2: JSON): In the PHP configuration you have "usernameattribute" => "userprincipalname", while in the JSON you have "usernameattribute": "samaccountname".

Can you tell which one of them is currently used?

Because the one from the JSON file seems to be correct (samaccountname), while the one from PHP will result in a username with an "@", which could lead to Auto-creation of a local account failed: You have not specified a valid username.

Scoobydoo321 (talkcontribs)

Currently used is the JSON, with the samaccountname.

Scoobydoo321 (talkcontribs)

Which element (for example usernameattribute) is used for the DB column user_name? Have I mixed up something so that the authorization works but it uses the wrong attribute for the DB?

Osnard (talkcontribs)
Scoobydoo321 (talkcontribs)

I can now log in with an administrator account (samaccountname=admintest), but with a normal user (samaccountname=u12345678) I still get the error Auto-creation of a local account failed: You have not specified a valid username. I've searched this wiki and didn't find any restriction that the username can't consist of a letter and numbers.

Osnard (talkcontribs)
Scoobydoo321 (talkcontribs)

In the error log I see the correct username, and in the ldap.log I get the following output: MediaWiki\Extension\LDAPProvier\Client::getSearchString: User DN is 'BASE DN'

ldap_bind( $linkID, $bindRDN = 'BASE DN', $bindPasswor = 'XXXX' );

#returns 1

Authenticated new user: username

User is authorized

Osnard (talkcontribs)

So everything is okay. Sorry, I can not spot an error.

Scoobydoo321 (talkcontribs)

Hmm, ok.

Then I have only one question: is it possible that the old users with an "@" in the username can cause some problems?

I think they won't be a problem, but this is the last thing I can imagine.

Best regards and thanks for the perfect support!

Osnard (talkcontribs)

Okay. Can you please again share your complete current configuration (PHP and JSON, if used). Don't forget to remove sensitive data of course. Also please tell me what username you enter into the "Special:Login" field and how the command line for the working "CheckLogin.php" and "ShowUserInfo.php" looks like. Thanks.

2001:1284:F016:9AB4:714A:804:A9D5:8776 (talkcontribs)

I have a similar problem (Auto-creation of a local account failed: You have not specified a valid username) when I try to log in to an existing database, but in a new database created with version 1.34.2 it works. I use the same configuration file, changing only the database config.

Scoobydoo321 (talkcontribs)

I have found an ugly workaround: I added the following line to LocalSettings.php: $wgInvalidUsernameCharacters = '#€'; The "ShowUserInfo.php" returns the user information and the "CheckLogin.php" returns OK.

Here is my LocalSettings.php:

<?php
#This file was automatically generated by the MediaWiki 1.23.15
#installer. If you make manual changes, please keep track in case you
#need to recreate them later.
#
#See includes/DefaultSettings.php for all configurable settings
#and their default values, but don't forget to make changes in _this_
#file, not there.
#
#Further documentation for configuration settings may be found at:
#https://www.mediawiki.org/wiki/Manual:Configuration_settings

#Protect against web entry
if ( !defined( 'MEDIAWIKI' ) ) {
	exit;
}

##Uncomment this to disable output compression
#$wgDisableOutputCompression = true;

$wgSitename = "Wiki";
$wgOverrideHostname = "MediaWiki-Server";
##The URL base path to the directory containing the wiki;
##defaults for all runtime URL paths are based off of this.
##For more information on customizing the URLs
##(like /w/index.php/Page_title to /wiki/Page_title) please see:
##https://www.mediawiki.org/wiki/Manual:Short_URL
$wgScriptPath = "";
$wgScriptExtension = ".php";

##The protocol and server name to use in fully-qualified URLs
$wgServer = "https://MediaWiki-Server";

##The relative URL path to the skins directory
$wgStylePath = "$wgScriptPath/skins";

##The relative URL path to the logo.  Make sure you change this from the default,
##or else you'll overwrite your logo when you upgrade!
$wgLogo = "$wgStylePath/common/images/logo.png";

##UPO means: this is also a user preference option

$wgEnableEmail = false;
$wgEnableUserEmail = false; # UPO

$wgEmergencyContact = "apache@MediaWiki-Server";
$wgPasswordSender = "apache@MediaWiki-Server";

$wgEnotifUserTalk = false; # UPO
$wgEnotifWatchlist = false; # UPO
#$wgEmailAuthentication = true;

##Database settings
$wgDBtype = "mysql";
$wgDBserver = "MediaWiki-DB";
$wgDBname = "WikiDB";
$wgDBuser = "WikiDBUser";
$wgDBpassword = "SecretPassword";

#MySQL specific settings
$wgDBprefix = "";

#MySQL table options to use during installation or update
$wgDBTableOptions = "ENGINE=InnoDB, DEFAULT CHARSET=binary";

#Experimental charset support for MySQL 5.0.
$wgDBmysql5 = false;

##Shared memory settings
$wgMainCacheType = CACHE_NONE;
$wgMemCachedServers = array();
##To enable image uploads, make sure the 'images' directory
##is writable, then set this to true:
$wgEnableUploads = true;
#$wgUseImageMagick = true;
#$wgImageMagickConvertCommand = "/usr/bin/convert";

#InstantCommons allows wiki to use images from http://commons.wikimedia.org
$wgUseInstantCommons = false;

##If you use ImageMagick (or any other shell command) on a
##Linux server, this will need to be set to the name of an
##available UTF-8 locale
$wgShellLocale = "en_US.utf8";

##If you want to use image uploads under safe mode,
##create the directories images/archive, images/thumb and
##images/temp, and make them all writable. Then uncomment
##this, if it's not already uncommented:
#$wgHashedUploadDirectory = false;

##Set $wgCacheDirectory to a writable directory on the web server
##to make your wiki go slightly faster. The directory should not
##be publically accessible from the web.
#$wgCacheDirectory = "$IP/cache";

#Site language code, should be one of the list in ./languages/Names.php
$wgLanguageCode = "en";

$wgSecretKey = "SomeSecretKey";

#Site upgrade key. Must be set to a string (default provided) to turn on the
#web installer while LocalSettings.php is in place
$wgUpgradeKey = "SomeUpgradeKey";

##Default skin: you can change the default skin. Use the internal symbolic
##names, ie 'cologneblue', 'monobook', 'vector':
$wgDefaultSkin = "vector";

##For attaching licensing metadata to pages, and displaying an
##appropriate copyright notice / icon. GNU Free Documentation
##License and Creative Commons licenses are supported so far.
$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
$wgRightsUrl = "";
$wgRightsText = "";
$wgRightsIcon = "";

#Path to the GNU diff3 utility. Used for conflict resolution.
$wgDiff3 = "/usr/bin/diff3";

###Debug Log Path ###

$wgShowExceptionDetails = true; # show exception details in error output

$wgDebugLogGroups['PluggableAuth'] =
$wgDebugLogGroups['LDAP'] =
$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] =
$wgDebugLogGroups['LDAPUserInfo'] =
$wgDebugLogGroups['LDAPAuthentication2'] =
$wgDebugLogGroups['LDAPAuthorization'] = '/var/www/html/wiki/ldap.log';



$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = true;


$wgGroupPermissions['user']['edit'] = true;
$wgGroupPermissions['user']['editsemiprotected'] = false;
$wgGroupPermissions['user']['editprotected'] = false;
$wgEmailConfirmToEdit = false;


$wgGroupPermissions['Media-Wiki-Admin'] = $wgGroupPermissions['sysop'];

$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;


$wgBlockDisablesLogin = true;


$ldapJsonFile = "$IP/ldap.json";
$ldapConfig = false;
if (is_file($ldapJsonFile) && is_dir("$IP/extensions/LDAPProvider")) {
	$testJson = @json_decode(file_get_contents($ldapJsonFile),true);
	if (is_array($testJson)) {
		$ldapConfig = true;
	} else {
		error_log("Found invalid JSON in file: $IP/ldap.json");
	}
}
if ( $ldapConfig ) {
####Load Extensions ###
  wfLoadExtension( 'Auth_remoteuser' );
  wfLoadExtension( 'WikiEditor' );
  wfLoadExtension( 'PluggableAuth' );
  wfLoadExtension( 'LDAPProvider' );
  wfLoadExtension( 'LDAPAuthentication2' );
  #wfLoadExtension( 'LDAPAuthorization' );
  #wfLoadExtension( 'LDAPUserInfo' );
  wfLoadExtension( 'LDAPGroups' );
  $LDAPProviderDomainConfigs = $ldapJsonFile;
  $wgPluggableAuth_ButtonLabel = "Json works";
#if ($wikiRequestSafe) {$LDAPAuthentication2AllowLocalLogin = true; }
}

$LDAPAuthentication2AllowLocalLogin = true;

$wgAuthRemoteuserUserNameReplaceFilter = [
	'@some.domain$' => '', # replacement value: strip the domain suffix from REMOTE_USER
];
$wgInvalidUsernameCharacters = '#'; #Now the login and autocreate of User works ==> but the e-mail is in the user_name field which is not recommended by WIKI


$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$LDAPProviderDomainConfigs = "$IP/ldap.json";

wfLoadSkin( 'CologneBlue' );
wfLoadSkin( 'Modern' );
wfLoadSkin( 'MonoBook' );
wfLoadSkin( 'Timeless' );
wfLoadSkin( 'Vector' );

and here is my ldap.json:

{
	"some.domain": {
		"connection": {
			"server": "adserver.some.domain",
			"port": "636",
			"user": "CN=srvwikiadauth,OU=ServiceAccounts,OU=other,DC=some,DC=domain",
			"pass": "SecretPassword",
			"enctype": "ssl",
			"options": {
				"LDAP_OPT_DEREF": "1"
			},
			"basedn": "dc=some,dc=domain",
			"groupbasedn": "dc=some,dc=domain",
			"userbasedn": "dc=some,dc=domain",
			"searchattribute": "userprincipalname",
			"usernameattribute": "userprincipalname",
			"realnameattribute": "cn",
			"emailattribute": "userprincipalname",
			"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory"
		},
		"userinfo": {
			"attributes-map": {
				"email": "mail",
				"realname": "cn"
			}
		},
		"authorization": {
			"rules": {
				"groups": {
					"required": [
						"CN=Media-Wiki-Admin,OU=Application_Groups,OU=Groups,OU=other,DC=some,DC=domain",
						"CN=Media-Wiki-User,OU=Application_Groups,OU=Groups,OU=other,DC=some,DC=domain"
					]
				}
			}
		},
		"groupsync": {
			"mapping": {
				"Media-Wiki-Admin": "CN=Media-Wiki-Admin,OU=Application_Groups,OU=Groups,OU=other,DC=some,DC=domain",
				"user": "CN=Media-Wiki-User,OU=Application_Groups,OU=Groups,OU=other,DC=some,DC=domain"
			}
		}
	}
}

best regards

Osnard (talkcontribs)
  1. You should not have your "ldap.json" within $IP. The webserver might make it public.
  2. There is no need to have "user" in the "groupsync.mapping", as everybody that gets logged in is automatically in "user"
  3. You have "Extension:LDAPAuthorization" disabled, so the "authorization" section in the domain config will have no effect
  4. "connection.usernameattribute", as well as "connection.searchattribute" should be "samaccountname", not "userprincipalname". Users must then use "Fred" instead of "fred@some.domain" in the login form
    1. Looks like you are using network-based authentication (Kerberos) with "Extension:Auth_remoteuser". You should enable "Extension:LDAPAuthorization" and set $LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain';. You can then get rid of the $wgAuthRemoteuserUserNameReplaceFilter setting
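
The effect of the "usernameattribute" choice above (and of the "@" in the username pointed out earlier in the thread) can be reproduced without a running wiki. The PHP below is an added example, not code from the thread, from MediaWiki or from the LDAP extensions: it re-implements the $wgInvalidUsernameCharacters check (MediaWiki's default value is '@') and a 'username-at-domain' style split as simplified stand-ins; the exact pattern and the lower-casing of the domain are assumptions.

```php
<?php
// Added example: simplified stand-ins for two checks the thread revolves around.
// Neither function calls MediaWiki; they only mirror the documented behaviour.

/**
 * Mimics the creatable-name check for $wgInvalidUsernameCharacters (default '@').
 * Returns null when the name is acceptable, otherwise the first offending character.
 * Assumption: a single character class built from the configured string.
 */
function findInvalidUsernameChar( string $name, string $invalidChars = '@' ): ?string {
    if ( $invalidChars === '' ) {
        return null;
    }
    $pattern = '/[' . preg_quote( $invalidChars, '/' ) . ']/u';
    return preg_match( $pattern, $name, $m ) ? $m[0] : null;
}

/**
 * Splits a REMOTE_USER such as "fred@SOME.DOMAIN" into [ 'fred', 'some.domain' ],
 * the shape a 'username-at-domain' parser hands to the per-domain LDAP config.
 * Assumption: the domain is lower-cased, the username part is left untouched.
 */
function parseUsernameAtDomain( string $remoteUser ): ?array {
    $at = strrpos( $remoteUser, '@' );
    if ( $at === false || $at === 0 || $at === strlen( $remoteUser ) - 1 ) {
        return null; // not in user@domain form
    }
    return [ substr( $remoteUser, 0, $at ), strtolower( substr( $remoteUser, $at + 1 ) ) ];
}

// Constructed sample logins, one per configuration discussed in the thread.
$cases = [
    // usernameattribute = userprincipalname: the "@" makes auto-creation fail
    [ 'fred@some.domain', '@' ],
    // usernameattribute = samaccountname: plain names are creatable
    [ 'fred', '@' ],
    [ 'u12345678', '@' ],
    // the thread's workaround: '@' removed from the invalid set, so the UPN passes
    [ 'fred@some.domain', '#€' ],
];
foreach ( $cases as [ $name, $invalid ] ) {
    $bad = findInvalidUsernameChar( $name, $invalid );
    printf( "%-18s invalid='%s' -> %s\n", $name, $invalid,
        $bad === null ? 'creatable' : "rejected (contains '$bad')" );
}

// What a 'username-at-domain' parser would derive from a Kerberos REMOTE_USER.
print_r( parseUsernameAtDomain( 'fred@SOME.DOMAIN' ) );
```
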
Scoobydoo321 (talkcontribs)

I tried your changes. The login works for the admin user, but when I try to log in with "Fred" I get the same error. When I test with a normal user (samaccountname=B12345678) I get the error Auto-creation of a local account failed: You have not specified a valid username. Does the wiki check if a username contains a lot of numbers?

Osnard (talkcontribs)

Have you re-enabled LDAPAuthorization? Does LDAPProvider/maintenance/ShowUserGroups.php list the group DNs you have configured in the "authorization.rules.groups.required" section?

Scoobydoo321 (talkcontribs)

Yes, I have re-enabled LDAPAuthorization, and the result from "ShowUserGroups.php" is as defined in the "authorization.rules.groups.required" section. In the "ldap.log" I see Authenticated new user: fred User is authorized

Osnard (talkcontribs)

So you are not having $wgAuthRemoteuserUserNameReplaceFilter set anymore, but instead configured $LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain';?

Any other Auth_remoteuser related config?

I am running out of ideas. If it says Authenticated new user: fred User is authorized anything should be fine.

Scoobydoo321 (talkcontribs)

I had $LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain'; not activated. If I activate this and set "usernameattribute": "samaccountname", in ldap.json, I get the message "user u12345678 not authorized" in the UI, the log says authorization failure, and CheckLogin.php returns OK.

Osnard (talkcontribs)

Sorry to ask again, but you are sure you have not set $wgAuthRemoteuserUserNameReplaceFilter anymore? Please check if the $username that arrives there is actually in the format username@domain.
