Topic on Talk:LDAP hub/Migration from extension LDAPAuthentication

Gektor93 (talkcontribs)

Hi to all MediaWiki community,


I got a task to configure MediaWiki with LDAP authorization through Windows Server 2019 Active Directory. Please note that it is the first time I have done anything like this. Before this, I never did any integration with LDAP. I just read about the extensions on the MediaWiki site, read other topics and tried to do my best. I read other topics with the same issue, but they didn't help me resolve mine.


I got an issue and I want to ask for your help with solving it.


My lab below:

CentOS 8.2.2

PostgreSQL 12.3

NGINX 1.14.1

PHP 7.4.8


Windows Server 2019

Active Directory installed

Firewall disabled


Please note that telnet from CentOS to WS19 on port 389 is successful:

#Connected to 192.168.0.100

#Escape character is '^]' .

As I understand it, this means that telnet to port 389 succeeded.


When I try to log in with my domain user I get the error below:


[b932cd5d151b528a1846bc00] /index.php?title=Special:PluggableAuthLogin MWException from line 169 of /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php: Could not bind to LDAP: (-1) Can't contact LDAP server


#0 /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php(92): MediaWiki\Extension\LDAPProvider\Client->establishBinding()

#1 /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php(329): MediaWiki\Extension\LDAPProvider\Client->init()

#2 /var/www/html/mediawiki/extensions/LDAPAuthentication2/src/PluggableAuth.php(77): MediaWiki\Extension\LDAPProvider\Client->canBindAs()

#3 /var/www/html/mediawiki/extensions/PluggableAuth/includes/PluggableAuthLogin.php(30): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->authenticate()

#4 /var/www/html/mediawiki/includes/specialpage/SpecialPage.php(575): PluggableAuthLogin->execute()

#5 /var/www/html/mediawiki/includes/specialpage/SpecialPageFactory.php(611): SpecialPage->run()

#6 /var/www/html/mediawiki/includes/MediaWiki.php(296): MediaWiki\Special\SpecialPageFactory->executePath()

#7 /var/www/html/mediawiki/includes/MediaWiki.php(900): MediaWiki->performRequest()

#8 /var/www/html/mediawiki/includes/MediaWiki.php(527): MediaWiki->main()

#9 /var/www/html/mediawiki/index.php(44): MediaWiki->run()

#10 {main}


Here is my LocalSettings.php config below:


wfLoadExtension( 'LDAPProvider' );

$LDAPProviderDomainConfigs = "/etc/mediawiki/ldapprovider.json";

wfLoadExtension( 'PluggableAuth' );

$wgPluggableAuth_EnableLocalLogin = true;

$wgGroupPermissions['user']['autocreateaccount'] = true;

$wgGroupPermissions['user']['createaccount'] = true;

wfLoadExtension( 'LDAPAuthorization' );

wfLoadExtension( 'LDAPAuthentication2' );

$LDAPAuthentication2UsernameNormalizer = 'strtolower';

$LDAPAuthentication2AllowLocalLogin = true;


Here is my ldapprovider.json config below:

{
    "lenovo.local": {
        "connection": {
            "server": "ldap.lenovo.local",
            "user": "cn=admin.mediawiki,dc=lenovo,dc=local",
            "pass": "P@ssw0rd",
            "options": {
                "LDAP_OPT_DEREF": 1
            },
            "port": 389,
            "enctype": "clear",
            "basedn": "dc=lenovo,dc=local",
            "userbasedn": "ou=Users,dc=lenovo,dc=local",
            "searchattribute": "uid",
            "usernameattribute": "uid",
            "realnameattribute": "cn",
            "emailattribute": "mail",
            "searchstring": "uid=USER-NAME,ou=Users,dc=lenovo,dc=local",
            "groupbasedn": "ou=Users,dc=lenovo,dc=local",
            "groupobjectclass": "posixgroup",
            "groupattribute": "memberuid",
            "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\Configurable::factory"
        }
    }
}

As I understand it, in ldapprovider.json the "user" and "pass" are used to log into Active Directory with these credentials and retrieve information about users in the Active Directory catalog. I created the user "admin.mediawiki" and added him to the admin groups for some reason.


The "ou" is an Organizational Unit where users, groups, other OUs etc. are located; for the test I specified the default OU=Users, which is created after installing AD and contains a test user.


Could you please help me with this issue, or maybe provide working examples of LocalSettings.php and ldapprovider.json, or maybe there is another FAQ on MediaWiki which I should read.


I can describe everything in more detail in personal correspondence, if you need any detailed information.


Thank you in advance.


For Russian speakers:


I can describe everything in more detail in private correspondence, if any detailed information is needed.

Thanks in advance.

Osnard (talkcontribs)

In general this looks good. Please enable debugging and try the command-line scripts like extensions/LDAPProvider/maintenance/ShowUserInfo.php or extensions/LDAPProvider/maintenance/CheckLogin.php first.

"Can't contact LDAP server" indicates that you might have a wrong username or password set, or that your LDAP/AD might not allow insecure connections (without TLS). Actually the "enctype": "clear" could be the best guess. I believe MS AD does not allow this anymore.

Gektor93 (talkcontribs)

Dear Osnard,

Thanks for your response.


Here is the result of ShowUserInfo.php:


MWException from line 169 of /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php: Could not bind to LDAP: (-1) Can't contact LDAP server

#0 /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php(92): MediaWiki\Extension\LDAPProvider\Client->establishBinding()

#1 /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php(230): MediaWiki\Extension\LDAPProvider\Client->init()

#2 /var/www/html/mediawiki/extensions/LDAPProvider/maintenance/ShowUserInfo.php(48): MediaWiki\Extension\LDAPProvider\Client->getUserInfo()

#3 /var/www/html/mediawiki/maintenance/doMaintenance.php(99): MediaWiki\Extension\LDAPProvider\Maintenance\ShowUserInfo->execute()

#4 /var/www/html/mediawiki/extensions/LDAPProvider/maintenance/ShowUserInfo.php(71): require_once('/var/www/html/m...')

#5 {main}


and CheckLogin.php



[root@localhost maintenance]# php CheckLogin..php --domain lenovo.local --username mikhail

Could not open input file: CheckLogin..php

[root@localhost maintenance]# php CheckLogin.php --domain lenovo.local --username mikhail

Password:P@ssw0rd

MWException from line 169 of /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php: Could not bind to LDAP: (-1) Can't contact LDAP server

#0 /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php(92): MediaWiki\Extension\LDAPProvider\Client->establishBinding()

#1 /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php(329): MediaWiki\Extension\LDAPProvider\Client->init()

#2 /var/www/html/mediawiki/extensions/LDAPProvider/maintenance/CheckLogin.php(50): MediaWiki\Extension\LDAPProvider\Client->canBindAs()

#3 /var/www/html/mediawiki/maintenance/doMaintenance.php(99): MediaWiki\Extension\LDAPProvider\Maintenance\CheckLogin->execute()

#4 /var/www/html/mediawiki/extensions/LDAPProvider/maintenance/CheckLogin.php(76): require_once('/var/www/html/m...')

#5 {main}

Gektor93 (talkcontribs)

Dear Osnard,


This is a debug log, I think:


2020-07-21 23:12:29 localhost.localdomain wikidb: ldap_connect( $hostname = 'ldap://lenovo.local:389', $port = 389 );

2020-07-21 23:12:29 localhost.localdomain wikidb: # __METHOD__ returns Resource id #213

2020-07-21 23:12:29 localhost.localdomain wikidb: Setting LDAP_OPT_PROTOCOL_VERSION to 3

2020-07-21 23:12:29 localhost.localdomain wikidb: ldap_set_option( $linkID, $option = 17, $newval = 3 );

2020-07-21 23:12:29 localhost.localdomain wikidb: # returns 1

2020-07-21 23:12:29 localhost.localdomain wikidb: Setting LDAP_OPT_REFERRALS to 0

2020-07-21 23:12:29 localhost.localdomain wikidb: ldap_set_option( $linkID, $option = 8, $newval = 0 );

2020-07-21 23:12:29 localhost.localdomain wikidb: # returns 1

2020-07-21 23:12:29 localhost.localdomain wikidb: Setting LDAP_OPT_DEREF to 1

2020-07-21 23:12:29 localhost.localdomain wikidb: ldap_set_option( $linkID, $option = 2, $newval = 1 );

2020-07-21 23:12:29 localhost.localdomain wikidb: # returns 1

2020-07-21 23:12:29 localhost.localdomain wikidb: ldap_bind( $linkID, $bindRDN = 'cn=admin.mediawiki,ou=Users,dc=lenovo,dc=local', $bindPassword = 'XXXX' );

2020-07-21 23:12:29 localhost.localdomain wikidb: # returns

2020-07-21 23:12:29 localhost.localdomain wikidb: ldap_error( $linkID );

2020-07-21 23:12:29 localhost.localdomain wikidb: # returns Can't contact LDAP server

2020-07-21 23:12:29 localhost.localdomain wikidb: ldap_errno( $linkID );

2020-07-21 23:12:29 localhost.localdomain wikidb: # returns -1

Osnard (talkcontribs)

Okay, so it clearly fails with the connection. Try using "enctype": "ssl". You can also write up a little test script to check which connection parameters are required in your setup. As it is AD "clear" will not work.

Gektor93 (talkcontribs)

Dear Osnard,


But why does it work with the first version of LDAPAuthentication? I had a different config which worked, but only with MediaWiki 1.30.

Gektor93 (talkcontribs)

It was in my old LocalSettings.php file. And it worked correctly. I could log in with an AD user.

What is the difference?


$wgGroupPermissions['*']['autocreateaccount'] = true;

$wgGroupPermissions['*']['createaccount'] = false;

if ( !isset( $_SERVER['REMOTE_ADDR'] ) OR $_SERVER['REMOTE_ADDR'] == '192.168.7.30') {

$wgGroupPermissions['*']['read'] = true;

$wgGroupPermissions['*']['edit'] = true;

}


# LDAP ---------------------------------------------------------------------------------------

require_once('extensions/LdapAuthentication/LdapAuthentication.php');

require_once ('includes/AuthPlugin.php');

$wgAuth = new LdapAuthenticationPlugin();


$wgLDAPDomainNames = array('JAKONDA.LOCAL');

$wgLDAPServerNames = array('JAKONDA.LOCAL' => 'dc1.jakonda.local');

$wgLDAPPort = array('JAKONDA.LOCAL' => 389);

$wgLDAPEncryptionType = array('JAKONDA.LOCAL' => 'false');


$wgLDAPUseLocal = true;


$wgLDAPSearchStrings = array('JAKONDA.LOCAL' => 'USER-NAME@JAKONDA.LOCAL',);

$wgLDAPProxyAgent = array('JAKONDA.LOCAL' => 'admin.mediawiki');

$wgLDAPProxyAgentPassword = array('JAKONDA.LOCAL' => 'Aa1234567');

$wgLDAPSearchAttributes = array('JAKONDA.LOCAL' => 'sAMAccountName');

$wgLDAPBaseDNs = array('JAKONDA.LOCAL' => 'dc=jakonda,dc=local');

$wgLDAPGroupBaseDNs = array('JAKONDA.LOCAL' => 'dc=jakonda,dc=local');

$wgLDAPUserBaseDNs = array('JAKONDA.LOCAL' => 'dc=jakonda,dc=local');


$wgLDAPRetrievePrefs = array('JAKONDA.LOCAL' => 'true');

$wgLDAPPreferences = array('JAKONDA.LOCAL' => array('email' => 'mail','realname' => 'displayname'));


$wgLDAPDisableAutoCreate = array('JAKONDA.LOCAL' => true);


$wgLDAPGroupUseFullDN = array('JAKONDA.LOCAL' => true);

$wgLDAPLowerCaseUsername = array('JAKONDA.LOCAL' => true);

$wgLDAPGroupObjectclass = array('JAKONDA.LOCAL' => 'group');

$wgLDAPGroupAttribute = array('JAKONDA.LOCAL' => 'member');

$wgLDAPGroupNameAttribute = array('JAKONDA.LOCAL' => 'cn');

$wgLDAPGroupsUseMemberOf = array('JAKONDA.LOCAL' => true);


# You can specify AD groups whose members are allowed access to MediaWiki

$wgLDAPRequiredGroups = array('JAKONDA.LOCAL' => array('cn=evilgroup,ou=groups,dc=AD,dc=jakonda,dc=local'));


# You can specify AD groups whose members are denied access to MediaWiki

#$wgLDAPExcludedGroups = array('JAKONDA.LOCAL' => array('cn=evilgroup,ou=groups,dc=AD,dc=jakonda,dc=local'));

$wgLDAPGroupSearchNestedGroups = array('JAKONDA.LOCAL' => true);

$wgLDAPActiveDirectory = array('JAKONDA.LOCAL' => true);


$wgLDAPDebug = 99;

$wgDebugLogGroups["ldap"] = "/tmp/ldap.log";

#-----------------------------------------------------------------------------------------------------

Osnard (talkcontribs)

Have you changed the new JSON config from above before you posted it? E.g. replaced "dc1.jakonda.local" with "ldap.lenovo.local"? Because if not, I need to assume your new config and the old working config are very different, as they have different servers configured.

Could you please create a new PHP file with the contents from "Example 1" on https://www.php.net/manual/en/function.ldap-bind.php and fill in your credentials. Then run it and share the results.
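A bind probe along the lines of the "little test script" suggested above, added here as an example and not code from LDAPProvider, from php.net or from either poster. It repeats the ldap_connect / ldap_set_option / ldap_bind sequence that the extension's debug log shows, once per transport (plain ldap://, ldap:// with StartTLS, ldaps://), after first checking that the hostname resolves and the port answers. The distinction it surfaces is the one that matters for this thread: a wrong service-account password comes back as LDAP error 49 "Invalid credentials", whereas -1 "Can't contact LDAP server" is a client-side failure meaning the TCP or TLS connection never got established, so the name, IP, port and encryption settings are the first suspects, not the credentials. The host, bind DN and the LDAP_TEST_PASS environment variable are placeholders; the mapping of the three transports onto the extension's "clear", "tls" and "ssl" enctype values is my reading of the extension and is not confirmed anywhere in this thread.

```php
<?php
// Added LDAP bind probe (example code, not part of LDAPProvider or this thread).
// For each transport it runs the same ldap_connect / ldap_set_option / ldap_bind
// sequence the extension's debug log shows, and reports ldap_error/ldap_errno,
// so "Can't contact LDAP server" (-1, reachability/TLS) can be told apart from
// "Invalid credentials" (49, wrong service-account password).
//
// Placeholders: change $host and $bindDn; supply the password via LDAP_TEST_PASS.

$host   = 'dc1.example.invalid';                          // placeholder: your DC's FQDN
$bindDn = 'cn=svc-wiki,ou=Users,dc=example,dc=invalid';    // placeholder: service account DN
$pass   = getenv('LDAP_TEST_PASS') ?: '';                  // keep the password out of the file

/** Name resolution and TCP reachability, checked before any LDAP call. */
function probeTcp(string $host, int $port, int $timeout = 3): string
{
    $ip = gethostbyname($host);
    if ($ip === $host) {
        return "DNS: $host does not resolve";
    }
    $sock = @fsockopen($ip, $port, $errno, $errstr, $timeout);
    if ($sock === false) {
        return "TCP: $host ($ip):$port unreachable: $errstr ($errno)";
    }
    fclose($sock);
    return "TCP: $host ($ip):$port open";
}

/** One bind attempt; returns the same error text and number the extension prints. */
function probeBind(string $uri, string $bindDn, string $pass, bool $startTls): string
{
    $label = $uri . ($startTls ? ' + StartTLS' : '');
    $conn  = ldap_connect($uri);                 // only parses the URI; no traffic yet
    if ($conn === false) {
        return "$label: ldap_connect rejected the URI";
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);        // as in the debug log; AD referrals break simple binds
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);  // fail fast instead of hanging on a wrong IP
    if ($startTls && !@ldap_start_tls($conn)) {
        return "$label: StartTLS failed: " . ldap_error($conn) . ' (' . ldap_errno($conn) . ')';
    }
    if (@ldap_bind($conn, $bindDn, $pass)) {
        ldap_unbind($conn);
        return "$label: bind OK";
    }
    return "$label: " . ldap_error($conn) . ' (' . ldap_errno($conn) . ')';
}

if ($pass === '') {
    // An empty password is an unauthenticated bind, which would not test the account.
    fwrite(STDERR, "Set LDAP_TEST_PASS before running this probe.\n");
    exit(1);
}

// Assumed mapping onto LDAPProvider's enctype values (my reading of the extension,
// not confirmed in this thread): "clear" = ldap://:389, "tls" = ldap://:389 + StartTLS,
// "ssl" = ldaps://:636.
echo probeTcp($host, 389), "\n";
echo probeTcp($host, 636), "\n";
echo probeBind("ldap://$host:389",  $bindDn, $pass, false), "\n";   // enctype "clear"
echo probeBind("ldap://$host:389",  $bindDn, $pass, true),  "\n";   // enctype "tls"
echo probeBind("ldaps://$host:636", $bindDn, $pass, false), "\n";   // enctype "ssl"
```

Run it from the wiki host, e.g. LDAP_TEST_PASS='...' php ldap-probe.php, using the same hostname that ldapprovider.json's "server" key names. If the DNS or TCP line already fails, no bind variant can succeed and the address is the thing to fix; if only one transport reports "bind OK", that is the one to encode as enctype.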

Gektor93 (talkcontribs)

Dear Osnard,

Yes, they are different. I just shared what was working in the past. Let's imagine that the domain name is the same. Please note that they are totally different configs. And I had two separate domain controllers. I just shared it to show you that it worked without any encryption.

Osnard (talkcontribs)

So two separate domain controllers. And the old config (the one without encryption) worked with both?

Gektor93 (talkcontribs)

The old config worked with WS2012R2 without encryption. The new config didn't work with WS19 or WS2012R2, also without encryption.

@Osnard could you please share links on how to configure LocalSettings.php or ldapprovider.json from the beginning.

I think that I am making some stupid mistakes and walking around them.


Many thanks,

Osnard (talkcontribs)
Gektor93 (talkcontribs)

Hi Osnard,


I started with a new config and encountered the issue below:


[root@localhost ~]# php /var/www/html/mediawiki/maintenance/update.php


[6932f3de4fc05b2ba466fa5f] [no req]   MWException from line 42 of /var/www/html/mediawiki/extensions/LDAPProvider/src/DomainConfigProvider/LocalJSONFile.php:

Could not access configuration file '/etc/mediawiki/ldapprovider.json'!

Please set up a domain configuration file for the LDAPProvider extension.


Backtrace:

#0 /var/www/html/mediawiki/extensions/LDAPProvider/src/DomainConfigProvider/LocalJSONFile.php(73): MediaWiki\Extension\LDAPProvider\DomainConfigProvider\LocalJSONFile->__construct()

#1 [internal function]: MediaWiki\Extension\LDAPProvider\DomainConfigProvider\LocalJSONFile::newInstance()

#2 /var/www/html/mediawiki/extensions/LDAPProvider/src/DomainConfigFactory.php(106): call_user_func_array()

#3 /var/www/html/mediawiki/extensions/LDAPAuthentication2/src/Setup.php(12): MediaWiki\Extension\LDAPProvider\DomainConfigFactory::getInstance()

#4 /var/www/html/mediawiki/includes/Setup.php(906): MediaWiki\Extension\LDAPAuthentication2\Setup::init()

#5 /var/www/html/mediawiki/maintenance/doMaintenance.php(83): require_once(string)

#6 /var/www/html/mediawiki/maintenance/update.php(277): require_once(string)

#7 {main}


Last time when it happened I just created a folder mediawiki in /etc and added the ldapprovider.json file with the config below:


{
    "acme.com": {
        "connection": {
            "server": "ldap.acme.com",
            "port": "389",
            "user": "CN=mikhail,OU=Users,DC=acme,DC=com",
            "pass": "P@ssw0rd",
            "enctype": "clear",
            "options": {
                "LDAP_OPT_DEREF": 1
            },
            "basedn": "dc=acme,dc=com",
            "userbasedn": "dc=acme,dc=com",
            "groupbasedn": "dc=acme,dc=com",
            "searchattribute": "samaccountname",
            "usernameattribute": "samaccountname",
            "realnameattribute": "cn",
            "emailattribute": "mail",
            "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
            "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]
        },
        "userinfo": [],
        "authorization": [],
        "groupsync": {
            "mapping": {
                "engineering": "CN=EngineeringCoreTeam,OU=Groups,DC=acme,DC=com",
                "bureaucrat": "CN=Mediawiki Admins,OU=Groups,DC=acme,DC=com",
                "interface-admin": "CN=Mediawiki Admins,OU=Groups,DC=acme,DC=com",
                "sysop": "CN=Mediawiki Admins,OU=Groups,DC=acme,DC=com"
            }
        }
    }
}


Is it OK? Because in

Create an LDAP configuration file. For simplicity, we place this new file at /var/www/ldap.json then protect it for reading by the web-server.

Gektor93 (talkcontribs)

Dear Osnard,

As I said earlier, it was a very stupid mistake. The problem was in the IP of the AD\DNS server. It was specified by mistake, and after I changed it ... it works! After more than one month)))) Thank you very much for your support in my case.


P.S. And yes, it works without encryption. But I will enable it in my final config)

Osnard (talkcontribs)

Glad to hear this!
